Nov 24, 2013

YouTube Full Screen Problem (video doesn't stretch)

Are you tired of seeing this shit on YouTube Full Screen Video?

When clicking on the fullscreen button, the video stretches to about 3/4 of the screen, and the rest is black, so it's not really full screen at all. The hiccup is just in the graphics, because the controls (X Y positions of the buttons) are correct - in the corner on the screen, not where they are displayed.

This problem occurs in Google Chrome, and it's a problem with the Flash Player. To fix it, you need to go to the URL chrome://plugins/ in Chrome, and disable this plugin:

Type:PPAPI (out-of-process)


Refresh the page and...

Et voilĂ !

Nov 20, 2013

Measuring RaspberryPI CPU, GPU temperature and CPU frequency on Raspbian Linux

We'll create bash script:
sudo nano

Paste this and save:
cpuTemp0=$(cat /sys/class/thermal/thermal_zone0/temp)
cpuTempM=$(($cpuTemp2 % $cpuTemp1))
cpuFreq=`cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq | sed 's/.\{3\}$//'`Mhz

echo CPU temp"="$cpuTemp1"."$cpuTempM"'C"
echo GPU $(/opt/vc/bin/vcgencmd measure_temp)
echo CPU frequency=$cpuFreq

Set permission and run it:
sudo chmod +x;./

Bash script domain expiration check tool Slovenian version

This script checks if domain has expired and also supports e-mail notice. 

Original script is from Matt (domain-check). I modifed already modified script from Vivek (

List of changes:

- Added support for Slovenian (.si) domains.

- Added VAR for "mail from:".
- Increased time between whois queries to 7 seconds (Slovenian whois only allows 10 queries per minute).
- Mail subject and mail data are translated to Slovene language.
- Changed default VAR path for mail (/bin/mail/ to /usr/bin/mail)

Get the script:
wget;mv domain-check;chmod +x

Usage: ./ [ -e email ] [ -x expir_days ] [ -q ] [ -a ] [ -h ]
          {[ -d domain_namee ]} || { -f domainfile}

  -a                                        : Send a warning message through email
  -d domain                            : Domain to analyze (interactive mode)
  -e email address                   : Email address to send expiration notices
  -f domain file                        : File with a list of domains
  -h                                         : Print this screen
  -s whois server                     : Whois sever to query for information
  -q                                         : Don't print anything on the console
  -x days                                 : Domain expiration interval (eg. if domain_date < days)

Check single domain:
./ -d

Check single domain and send e-mail notice if domain will expire in less than defined in WARNDAYS:

./ -a -d

You can also check multiple domains. Create a file domains.txt and add your domains like:

Check multiple domains:
./ -f domains.txt

Check multiple domains and send e-mail notice if any domain will expire in less than defined in WARNDAYS:

./ -a -f domains.txt

Set your own parameters from command line. Next command will check domains in domains.txt with expiration date less than 60 days and send e-mail notice to [email protected]

./ -a -f domains.txt -e [email protected] -x 60 

If you are going to use this script with cron, use -q option or change QUIET="FALSE" to QUIET="TRUE"

Let's say we want to run this script every day at 4 AM. Open crontab with crontab -e (Ubuntu) and add the following line:
0 4 * * * /path/to/your/script/ -q -a -f /path/to/your/list/domains.txt

Nov 15, 2013

Postfix SSL error when sending message in Thunderbird client

This is a repost from my old blog that is no longer available. (May 16th 2012)

I was trying to send an email with Thunderbird client and got SSL TLS error message. I instantly suspected my email server crashed, because I had to force reboot a day ago.

After tailing mail.log this error message appeared:

postfix/smtpd[1834]: warning: TLS library problem: 1834:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:s3_pkt.c:1093:SSL alert number 47:

When investigating further I found out mail server was fine, the main reason for this error was on guest machine (where thunderbird was installed - windows 7), it was Avast antivirus. Disabling and re-enabling it was the solution.

Nov 14, 2013

Encoding Web Shells in PNG IDAT chunks

Roses are red,
violets are blue,
images contain code,
you're hacked.

I've just had the privilege to have my mind blown, while reading this article:
Encoding Web Shells in PNG IDAT chunks. All credits go to Phil for this one, an IT consultant and hacker from down under. You should check out his other articles. Fascinating stuff.

In layman's terms, let's say you have a web page that allows user upload of images. You're feeling pretty safe about it, because when the image is uploaded, you immediately open and manipulate it in GD, a PHP image library, before you save it on the server. If you can't open the file, it's not a valid image. That should destroy all malicious code stored within the image, right?

That's right. It should.

But what if an image appears normal, and after you resize it in GD, a PHP shell appears out of thin air?

An image that contains a PHP shell "<?=$_GET[0]($_POST[1]);?>" when resized to 32x32 with GD.

There's no way around it. You can't really prevent it. And to make things worse, you're not even checking the file extension.

If you reverse the process of how the image is generated, you can encode all sorts of data in the image. When the image is then manipulated with GD, it produces plain text data within the image.
Sounds simple enough, but there are a few hoops one needs to jump through, to engineer such an image.
First, PHP code must be compressed, then reverse the PNG filtering process and finally embedding the data as raw pixels.

Depending on what the server does with this image, there are a few more tricks to be done.
If the file is resized with imagecopyresampled(), the payload needs to be encoded in a series of rectangles or squares.

Et voilĂ ! Your PHP shell.

Oh sh*t!
But what can I do about it?

Like I said, not much. Without getting in too much detail on how this sorcery is done (you can check the source article for that), all you can do is focus on the prerequisites that enable this hack to work. Just uploading the image is, thankfully, not enough.

If you're a developer, don't be stupid. Don't do stupid things. Validate user input. Sanitize data. Have total control over how and where the files get saved. Triple check file and directory permissions and file extensions. There are many image hosting services and with the cloud becoming more and more popular, there are things like Amazon S3 you can use, to host data on third party.

Also, having total control over the file extension is not foolproof. You see, if your script contains a Local File Inclusion vulnerability (LFI) as well as user image upload, then my friend, I have bad news for you.
An attacker can just as well exploit the LFI with the path to the .png on the server.

Oh, you have all your include()-s and require()-s prefixed and suffixed? Tell me all about it! But while you're at it, have a look at this stackexchange debate. [*sound of explosion*]

If you're a user innocently hosting your web page somewhere, you can hope that your hosting provider has tight security, but also check file and directory permissions. Anything that isn't specificaly meant for upload, shouldn't have write access for apache. That typically means 644 or -rw-r--r--, for you. If you have .htaccess enabled, you can disable PHP execution on directories with user upload. See how below. Make sure it's not writable by anyone else.

If you're a sysadmin, you can expect your users to run all kinds of outdated opensourcy mumbo jumbo, which is like magnets for abusers. But you can't just mess with their files and do as you please. You've g0t r00t, and that's your real power. Figure out which directories can be written to by the web server, and stop PHP execution on these directories.
For example, Wordpress:

<Directory /home/test/www/wordpress/wp-includes>
php_flag engine off

<Directory /home/test/www/wordpress/wp-content/uploads>
php_flag engine off

Even though these directories contain PHP scripts, they're never called directly by URL. They are require()-d or include()-d by index.php originally. However, this raises another issue - source code disclosure, if done sloppy. The example above is quick and dirty. Yes, sloppy. Do some work.
Also, you can use a Web Application Firewall, like mod_security or things like that. Unfortunately, they wouldn't help in this my-png-is-a-shell situation. But they can solve a lot of other potential problems.

Well thanks, Jean! You've *really* helped me out with this information! ...NOT!

I've said it once, I've said it twice, I'll say it again.
There is no standard solution for this.
You're gonna have to find every hole through which an attacker can crawl through, fix every sensitive information disclosure (don't display error messages on the page, don't display source code - with php_flag engine off it will be displayed!). Don't be sloppy, don't be stupid.

Feeling safe yet?
If not, you can give us a call, and we can do some penetration testing for you.

Convert coordinates to street address (reverse geocoding) via Google Maps API

Because most articles on this topic are quite outdated, here is a quick tip on how to do reverse geocoding with the help of Google Maps API v3.

In fact, you don't even need an API, this can be done manually via browser, or by fetching the url with some script and parsing the result.

The link is in this format:[LAT,LON]&sensor=true


The result can be in JSON or XML format.

JSON example result:
   "results" : [
         "address_components" : [
               "long_name" : "51",
               "short_name" : "51",
               "types" : [ "street_number" ]
               "long_name" : "Kolodvorska cesta",
               "short_name" : "Kolodvorska cesta",
               "types" : [ "route" ]
               "long_name" : "Pivka",
               "short_name" : "Pivka",
               "types" : [ "locality", "political" ]
               "long_name" : "Slovenia",
               "short_name" : "SI",
               "types" : [ "country", "political" ]
               "long_name" : "6257",
               "short_name" : "6257",
               "types" : [ "postal_code" ]
               "long_name" : "Pivka",
               "short_name" : "Pivka",
               "types" : [ "postal_town" ]
         "formatted_address" : "Kolodvorska cesta 51, 6257 Pivka, Slovenia",

Nov 10, 2013

PhpSysInfo loading slow on RaspberryPI (Linux Raspbian + Nginx + PHP5-fpm)

Default installation of PhpSysInfo on RaspberryPI takes a long time to load due some missing programs and hardware components.

My system info:

Hardware: RaspberryPI Model B with 512MB RAM
OS: Raspbian GNU/Linux 7
Nginx version: 1.2.1-2.2+wheezy1
PHP version: 5.4.4-14+deb7u5
PhpSysInfo version: 3.0.17-1

Enable debug mode in /etc/phpsysinfo/config.php

define('PSI_DEBUG', true);

Open http://yoursitephpsysinfo/xml.php

I found the following errors:

<Error Function="find_program(lsb_release)">
program not found on the machine ./xml.php on line 45 ./includes/output/ on line 138 in function run() ./includes/xml/ on line 456 in function getXml() ./includes/xml/ on line 435 in function _buildXml() ./includes/os/ on line 70 in function getSys() ./includes/os/ on line 576 in function build() ./includes/os/ on line 527 in function _distro() ./includes/ on line 117 in function executeProgram( "lsb_release", "-a 2>/dev/null", "", true )
<Error Function="/usr/bin/lspci">
pcilib: Cannot open /proc/bus/pci lspci: Cannot find any working access method. Return value: 1 ./xml.php on line 45 ./includes/output/ on line 138 in function run() ./includes/xml/ on line 456 in function getXml() ./includes/xml/ on line 435 in function _buildXml() ./includes/os/ on line 70 in function getSys() ./includes/os/ on line 583 in function build() ./includes/os/ on line 306 in function _pci() ./includes/ on line 36 in function lspci() ./includes/ on line 142 in function executeProgram( "lspci", "", "", true )
<Error Function="find_program(lsscsi)">
program not found on the machine ./xml.php on line 45 ./includes/output/ on line 138 in function run() ./includes/xml/ on line 456 in function getXml() ./includes/xml/ on line 435 in function _buildXml() ./includes/os/ on line 70 in function getSys() ./includes/os/ on line 585 in function build() ./includes/os/ on line 367 in function _scsi() ./includes/ on line 117 in function executeProgram( "lsscsi", "-c", "", true )
<Error Function="file_exists(/proc/scsi/scsi)">
the file does not exist on your machine ./xml.php on line 45 ./includes/output/ on line 138 in function run() ./includes/xml/ on line 456 in function getXml() ./includes/xml/ on line 435 in function _buildXml() ./includes/os/ on line 70 in function getSys() ./includes/os/ on line 585 in function build() ./includes/os/ on line 367 in function _scsi() ./includes/ on line 191 in function rfts( "/proc/scsi/scsi", "", 0, 4096, true )

First, third and fourth error are because some programs are not present on the system, let's install them.

sudo apt-get install lsb-release lsscsi -y

Second error is due missing PCI bus on raspberryPI.

# lspci
pcilib: Cannot open /proc/bus/pci
lspci: Cannot find any working access method.

We can't do anything about that but disable that function in PhpSysInfo PHP code. Open the file /your/path/to/phpsyinfo/includes/ and find the lspci function.

     * parsing the output of lspci command
     * @return Array
    public static function lspci()
        $arrResults = array();
        if (CommonFunctions::executeProgram("lspci", "", $strBuf, PSI_DEBUG)) {
            $arrLines = preg_split("/\n/", $strBuf, -1, PREG_SPLIT_NO_EMPTY);
            foreach ($arrLines as $strLine) {
                list($strAddr, $strName) = preg_split('/ /', trim($strLine), 2);
                $strName = preg_replace('/\(.*\)/', '', $strName);
                $dev = new HWDevice();
                $arrResults[] = $dev;
        return $arrResults;

Change the code above to match the one bellow:

     * parsing the output of lspci command
     * @return Array
    public static function lspci()
        return array();
            $arrResults = array();
        if (CommonFunctions::executeProgram("lspci", "", $strBuf, PSI_DEBUG)) {
            $arrLines = preg_split("/\n/", $strBuf, -1, PREG_SPLIT_NO_EMPTY);
            foreach ($arrLines as $strLine) {
                list($strAddr, $strName) = preg_split('/ /', trim($strLine), 2);
                $strName = preg_replace('/\(.*\)/', '', $strName);
                $dev = new HWDevice();
                $arrResults[] = $dev;
        return $arrResults;

Disable debug mode in phpsysinfo config, save, reload, drink beer.

Nov 8, 2013

Ubuntu Fail2ban fails to parse Apache access.log

I was trying to setup Fail2ban to block Wordpress login bruteforce attacks, but Fail2ban somehow failed to parse access.log

When parsing log file with command:
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-wp-login.conf
CPU rises to 100% usage until I kill the process. I made a quick fix - workaround with redirecting needed content from access.log to another log file.

My setup is as follows:

OS: Ubuntu Server 12.04 LTS
Fail2ban: 0.8.6-3wheezy2build0.12.04.1
Python: 2.7.3-0ubuntu2.2

Fail2ban configuration:

# Fail2Ban configuration file
# Author: Cyril Jaquier
# $Revision$
# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
loglevel = 4
# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
logtarget = /var/log/fail2ban.log
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
socket = /var/run/fail2ban/fail2ban.sock
We add new entry for Wordpress

Add configuration to /etc/fail2ban/jail.conf
enabled  = true
port     = http,https
filter   = apache-wp-login
logpath  = /var/log/apache2/apache-wp-login.log
maxretry = 3
findtime = 60
Now me make new filter for Wordpress. Some servers logs are in different format so we have to make different regex entries. These are two most common configurations:

Log format example 1: - - [08/Nov/2013:13:20:46 +0100] "POST /en/wp-login.php HTTP/1.1" 200 1784 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36"
Log format example 2: - - [08/Nov/2013:13:40:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1756 "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"
Create /etc/fail2ban/filter.d/apache-wp-login.conf

For log format example 1 use:
failregex = ^[^\:]+\:80 <HOST> .* "POST
ignoreregex =
ATTENTION! Don't apply this filter to default access.log, it would block all POST request, not only Wordpress. Only use it with modified log file we will create bellow.

For log format example 2 use:
failregex = <HOST>.*] "POST /wp-login.php
ATTENTION! Don't apply this filter to log format example 1, it would block your own server, because <HOST> regex would match your domain (

Now we create new log file for parsing (/var/log/apache2/apache-wp-login.log). We only want to filter out POST requests for wp-login.php and write them to new log file called apache-wp-login.log.
tail --follow=name /var/log/apache2/access.log | grep --line-buffered wp-login.php > /var/log/apache2/apache-wp-login.log &
Add this command to /etc/rc.local so it would run at reboot:
#!/bin/sh -e
# rc.local
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
# In order to enable or disable this script just change the execution
# bits.
# By default this script does nothing.

# Fail2ban Wordpress Login
tail -f /var/log/apache2/access.log | grep --line-buffered wp-login.php > /var/log/apache2/apache-wp-login.log &

exit 0
Restart Fail2ban and you're done.
/etc/init.d/fail2ban restart