Updates from Arif RSS
-
12:10:57 am on March 21, 2010 |
clrg status -vCluster Resource Groups === Group Name Node Name Suspended Status ---------- --------- --------- ------ cache1rg lb1 No Online cache2rg server1 No Online prirg lb1 No Online server1 No Offline mngrg testing2 No Online server1 No Offline lb1 No Offline
In our specific case of resource groups:
clrg status -v– gives the status of cluster
clrg offline mngrg– takes down the management gui.
clrg offline prirg– takes down the 3 lb’s (ucip, scap1, scap2).
clrg offline cache2rg cache1rg– takes down the terracotta instances.
-
12:03:24 am on March 21, 2010 |
Filter out initial SYN (flags 0x02) of TCP connection from specific source and destination:
tcp.flags == 0x02 and ip.src == 10.201.62.78 and ip.dst == 10.201.62.249A series of sync packets will appear as:
1 2 3 4 5 6 7
No. Time Source Destination Protocol Info 1 0.000000 10.201.62.78 10.201.62.249 TCP 53161 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0 4 0.001124 10.201.62.78 10.201.62.249 TCP 53162 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0 7 0.001556 10.201.62.78 10.201.62.249 TCP 53163 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0 16 0.006334 10.201.62.78 10.201.62.249 TCP 53164 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0 20 0.009590 10.201.62.78 10.201.62.249 TCP 53165 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0 24 0.011687 10.201.62.78 10.201.62.249 TCP 53166 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0In the above specific case, multiple ports i.e. 53163, 53162, etc. is starting conversation with port 10010 by sending out sync packets.
-
10:34:14 am on March 17, 2010 |
$ sleep 120 && touch 120 & sleep 4 && touch 4So, how are those file
touchcomes up in sequence (watch the creation time)$ ls -l total 160 -rw-r--r-- 1 arif arif 0 2010-03-17 17:28 120 -rw-r--r-- 1 arif arif 0 2010-03-17 17:27 4 ...
-
08:59:05 am on March 1, 2010 |
WIth php5-snmp installed, tried snmpwalk through php:
1 2 3 4 5 6 7
<?php $a = snmpwalk("127.0.0.1", "public", ""); foreach ($a as $val) { echo "$val\n"; } ?>
-
08:56:29 am on March 1, 2010 |
Network map using nmap
$ nmap -O -sS -p 20-23,3300,80,443 ... Interesting ports on localhost (127.0.0.1): PORT STATE SERVICE 20/tcp closed ftp-data 21/tcp closed ftp 22/tcp closed ssh 23/tcp closed telnet 80/tcp open http 443/tcp closed https 3300/tcp open unknown Device type: general purpose Running: Linux 2.6.X OS details: Linux 2.6.17 - 2.6.25 Network Distance: 0 hops ...
I configured sshd to listen on port 3300, but nmap can’t resolve the type of service in the above sample. (It is found to be open but unknown service)
-
03:52:17 am on March 1, 2010 |
After installation in Ubuntu, snmp will run as follow:
$ ps -ef | grep snmp snmp 9879 1 0 09:58 ? 00:00:00 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1
Omitting 127.0.0.1 from
/etc/default/snmpd:8
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid'
will allow other host to listen to ours.
-
03:30:08 am on March 1, 2010 |
1 2
$first_ip=$_SERVER['REMOTE_ADDR']; $hostname=gethostbyaddr($first_ip);
For example
1 2 3 4 5
<?php $first_ip="192.168.1.17"; $hostname=gethostbyaddr($first_ip); echo $hostname; ?>
which in my current LAN will gives the output:
gungz-3c2d7c341.local
-
03:11:51 am on March 1, 2010 |
Angry IP Scan. Multi platform IP scanner in Java, and binaries in deb and rpm package for Linux. Windows version also available.
Basic theory on scanning is also presented there. Where there exist two scan:
- port scanners
- IP scanner
How?
- whether the host is up (alive, responding) or down (dead, not responding)
- average roundtrip time (of IP packets to the destination address and back) – the same value as shown by the ping program
- TTL (time to live) field value from the IP packet header, which can be used to find out the rough distance to the destination address (in number of routers the packet has traveled)
- host and domain name (by using a DNS reverse lookup)
- versions of particular services running on the host (e.g., “Apache 2.0.32 (Linux 2.6.9)” in case of a web server)
- open (responding) and filtered TCP and UDP port numbers
-
02:39:00 am on March 1, 2010 |
Port scanner class. An example of usage is as follow where my IP is 192.168.1.10. The upper range for scanning isn’t alive: 192.168.1.11. I hide warnings due to open socket failure which will happen because the IP isn’t alive.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
<?php ini_set( "display_errors", 0); require_once("scanner.class.php"); $ip_address1 = "192.168.1.10"; $ip_address2 = "192.168.1.11"; $my_scanner = new PortScanner($ip_address1, $ip_address2); $my_scanner->set_ports("80"); $results = $my_scanner->do_scan(); foreach($results as $ip=>$ip_results) { echo gethostbyaddr($ip)."\n<blockquote>\n"; foreach($ip_results as $port=>$port_results) { echo "\t".$port." : ".$port_results['pname']." : "; if ($port_results['status']==1){echo "open";} else {echo "closed";}echo "<br />\n"; } echo "</blockquote>\n\n"; } ?>
Results are as follow (it includes developerfusion.com port scan by default (?)):
developerfusion.com
15 : netstat : closed
16 : N/A : closed
17 : qotd : closed
18 : msp : closed
19 : chargen : closed
20 : ftp-data : closed
21 : ftp : closed
22 : ssh : closed
23 : telnet : closed
24 : N/A : closed
25 : smtp : open
80 : www : open
110 : pop3 : closed
3306 : mysql : closed
1337 : N/A : closed
666 : N/A : closedxp-racy.local
80 : www : open
192.168.1.11
80 : www : closed