Unix Notes


Bourne shell idioms


perl -pe 'use MIME::Base64; $_=MIME::Base64::encode($_);'
perl -pe 'use MIME::Base64; $_=MIME::Base64::decode($_);'

That’s the piece I needed this morning. I found all sorts of entertaining things.
Some of them are vaguely in my memory. Most not, since I started before bash.

For Jan – edit command lines in the EDITOR

Found on the Mac OS X system admin list:

Just wanted to say thanks to Michael Wise for taking time out today
and providing me with a great set of forensic tools and techniques
for locating message queue IDs, and using postcat on the queue to
view actual messages/headers. Now I can start the real investigation.
Haven’t found the offending script yet, but am getting closer.

Notes from my conversation with Michael, for the archives:

* First, find suspicious looking lines in /var/log/mail.log

* Look for the smtp ID, such as: postfix/smtp[25897]

* Grep for other instances of that ID in the log: grep 25897 mail.log

* From there, you’ll be able to see postfix queue IDs, such as 159A347C89C

* You can use this queue ID to find deferred messages in the postfix queue

* cd /var/spool/postfix/

* Find where in the queue directory hierarchy this message lives: find . -name 159A347C89C

* The messages are stored in a format not easily readable. To make them readable, use the postcat command, e.g. postcat deferred/E/E9B8F4F0E7C

* Now you can see the real message, with all of its headers, which should give you a lot more info about its origins. You can see whether it came from outside, or if it comes from a process ID, there should be some indication. If user is www, you know it’s coming from a web script.

* To delete a message from the queue, use e.g.: postsuper -d E9B8F4F0E7C (do not use the path with this command – just the queue ID).

Other tools:

Monitor incoming network connections, filtering out legit traffic on
port 80:

netstat -na | grep EST
netstat -na | grep EST | grep -v '\.80 '
netstat -na | grep EST | grep '\.25 '

To find files or dirs owned by www (that might be illegitimate):

find / -user www -ls

In case attacker named directories with spaces or other weird chars
in them:

find / -user www -ls | cat -vet -

(take your cat to the vet – it’s sick)

Thanks also to others who responded on this.

Best,
Scot


Scot Hacker, Webmaster
Graduate School of Journalism
UC Berkeley

http://journalism.berkeley.edu
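The queue-tracing steps from Scot’s notes, worked as a small shell script. This is an added example, not part of the original mailing-list post: the mail.log lines are constructed for the demo (only the queue IDs 159A347C89C and E9B8F4F0E7C come from the notes), and the hostnames and addresses are placeholders. It chains the three lookups the notes do by hand: smtp process ID to queue IDs, queue ID to envelope sender (from the qmgr line), and then the deferred messages whose sender is the web server user.

```shell
#!/bin/sh
# Added example (not from the original post): trace a postfix smtp process ID
# to its queue IDs and senders in mail.log, following the notes above.
# The log lines are constructed; only the two queue IDs come from the post.

LOG=$(mktemp) || exit 1
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  3 10:15:01 mailhost postfix/smtpd[25880]: 159A347C89C: client=localhost[127.0.0.1]
Mar  3 10:15:01 mailhost postfix/qmgr[25801]: 159A347C89C: from=<www@mailhost.example>, size=2048, nrcpt=1 (queue active)
Mar  3 10:15:02 mailhost postfix/smtp[25897]: 159A347C89C: to=<someone@example.net>, relay=none, delay=1.2, status=deferred (connect to example.net timed out)
Mar  3 10:15:03 mailhost postfix/qmgr[25801]: E9B8F4F0E7C: from=<alice@mailhost.example>, size=512, nrcpt=1 (queue active)
Mar  3 10:15:03 mailhost postfix/smtp[25897]: E9B8F4F0E7C: to=<other@example.org>, relay=none, delay=0.5, status=deferred (connect to example.org timed out)
Mar  3 10:15:04 mailhost postfix/qmgr[25801]: ABCDEF01234: from=<bob@mailhost.example>, size=300, nrcpt=1 (queue active)
Mar  3 10:15:04 mailhost postfix/smtp[25898]: ABCDEF01234: to=<ok@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=0.3, status=sent (250 OK)
EOF

# "grep 25897 mail.log", but keeping only the queue-ID field, deduplicated.
# usage: queue_ids_for_pid LOGFILE PID
queue_ids_for_pid() {
  grep "postfix/smtp\[$2\]: " "$1" \
    | sed -n 's/^.*postfix\/smtp\[[0-9]*\]: \([0-9A-F][0-9A-F]*\): .*/\1/p' \
    | sort -u
}

# The qmgr line for a queue ID carries the envelope sender; print it (empty if none).
# usage: sender_of LOGFILE QUEUEID
sender_of() {
  grep "postfix/qmgr\[[0-9]*\]: $2: from=<" "$1" \
    | sed -n 's/.*from=<\([^>]*\)>.*/\1/p' | head -n 1
}

# Deferred queue IDs whose envelope sender is a given local user (e.g. www):
# the shortlist to read with postcat before deciding on postsuper -d.
# usage: deferred_ids_from_user LOGFILE USER
deferred_ids_from_user() {
  log=$1; user=$2
  grep 'postfix/smtp\[[0-9]*\]: [0-9A-F]*: .*status=deferred' "$log" \
    | sed -n 's/^.*postfix\/smtp\[[0-9]*\]: \([0-9A-F][0-9A-F]*\): .*/\1/p' \
    | sort -u \
    | while read -r qid; do
        case "$(sender_of "$log" "$qid")" in
          "$user@"*) echo "$qid" ;;
        esac
      done
}

echo "queue IDs touched by smtp[25897]:"; queue_ids_for_pid "$LOG" 25897
echo "deferred messages sent as www:";   deferred_ids_from_user "$LOG" www
```

On a real box, point the functions at /var/log/mail.log and then inspect each listed ID with `find /var/spool/postfix -name QUEUEID` and `postcat`, as the notes describe; the queue-ID regex assumes postfix’s default hexadecimal IDs.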

readline shortcuts

Readline shortcuts
GNU Readline is the library used to make advanced command-line wizardry convenient and consistent across a multitude of command-line applications. These programs include bash, bc, ftp, gnuplot, gpg, ksh, mysql, psql, python, smbclient and xmllint.
The cheatsheet at the right contains a summary of many of the useful line editing command shortcuts which are available in all applications that use libreadline.

sudo dd if=/dev/rdisk0 of=/dev/rdisk1 bs=131072

Learn 10 good UNIX usage habits

Adopt 10 good habits that improve your UNIX® command line efficiency — and break away from bad usage patterns in the process. This article takes you step-by-step through several good, but too often neglected, techniques for command-line operations. Learn about common errors and how to overcome them, so you can learn exactly why these UNIX habits are worth picking up.

I still don’t like what xargs does

sed one-liners are here
sed FAQ is here

I wanted to change all occurrences of PRIVATE to NJPRIVATE in a bunch of files. It’s a simple command in sed, but what about replacing the file? output to temporary, then copy? yes, but.

the PERL solution is


perl -pi -e 's/PRIVATE/NJPRIVATE/' `grep -l PRIVATE *.php`

the magic is

-p loop over every line of the files, and print each line by default
-i edit the files in place
-e run the command that follows

solution found at Debian Administration

So, I got my PHP 5 to work, and talk to MySQL.
I wonder if Netjuke works? Nope. Not at all.

Everywhere I read I see that Netjuke is not supported and will never work on PHP 5. Use Jinzora they say. Uck – that wasn’t fun.

Simply put. Fix “play.php” to only output one header at a time. Search for the header() call. It’s pretty obvious.

Change the test in the config.inc.php for
`PRIVATE == true`
to be something like
`NJPRIVATE == true`

Fix every file that has a
`define("PRIVATE", true/false)`
to be a
`define("NJPRIVATE", true/false)`

private is a reserved word in PHP 5.

That’s all it took. All of about 30 minutes once I decided to ignore all of the advice on the web.

Classic maintenance programming attack.
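The same rename as a shell script, an added example that is not from the Debian Administration page or from the Netjuke post. It covers both the `perl -pi -e` one-liner above and the `define("PRIVATE", ...)` edits in the Netjuke notes, and makes explicit two things the one-liner leaves implicit: a backup of every changed file, and filenames with spaces, which the backtick-expanded `grep -l` splits into separate arguments. The files and their contents are constructed for the demo; the pattern is matched in its quoted form so that running the script twice does not produce NJNJPRIVATE.

```shell
#!/bin/sh
# Added example (not from the original posts): in-place search and replace
# across files with a backup, written in plain sh rather than perl -pi.

# usage: replace_in_files PATTERN REPLACEMENT FILE...
# Only files that contain PATTERN are rewritten; each one gets a .bak copy first.
# PATTERN and REPLACEMENT are spliced into a sed s/// expression, so they must
# not contain an unescaped "/" (neither do the perl one-liner's).
replace_in_files() {
  pat=$1; rep=$2; shift 2
  for f in "$@"; do
    grep -q -- "$pat" "$f" || continue                  # leave unrelated files untouched
    tmp=$(mktemp "$f.XXXXXX") || return 1
    sed "s/$pat/$rep/g" "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$f" "$f.bak"                                 # what perl -pi.bak would keep
    cat "$tmp" > "$f"                                   # write through the original inode,
    rm -f "$tmp"                                        # so mode, owner and hard links survive
  done
}

# Constructed demo tree: two files carrying the PHP 5 reserved-word problem,
# one of them with spaces in its name, and one file that must stay as it is.
DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$DIR"' EXIT
printf '<?php define("PRIVATE", true); ?>\n'  > "$DIR/config.inc.php"
printf '<?php define("PRIVATE", false); ?>\n' > "$DIR/play with space.php"
printf '<?php echo "no flag here"; ?>\n'      > "$DIR/other.php"

# Quoting "$DIR"/*.php keeps "play with space.php" as one argument; the post's
# `grep -l PRIVATE *.php` inside backticks would have split it into three words.
replace_in_files '"PRIVATE"' '"NJPRIVATE"' "$DIR"/*.php

# Number of files that were actually rewritten (one .bak per changed file).
changed_files() { ls "$DIR"/*.bak | wc -l | tr -d ' '; }

cat "$DIR/config.inc.php" "$DIR/play with space.php"
echo "files changed: $(changed_files)"
```

If you prefer the perl form, `perl -pi.bak -e 's/"PRIVATE"/"NJPRIVATE"/g' -- "$DIR"/*.php` gives the same backups; what it does not give you is the original inode, since `-i` writes a new file and renames it over the old one.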

10.3.9 – no help beyond 4.3.11 from Marc Liyanage.

Apple’s 4.4 is of no help – no GD support, missing other things – PEAR, XML things, etc.

How do I make a compatible build?

Start with Apple’s configure command (use phpinfo() on a standard installation). It *will* screw up your system files nicely, so make sure you know what each of the files and directories means! I didn’t. I have an interesting mix of system/local files now.

Add extensions as needed. Test ./configure each time, and you might as well re-build each time.

Decide where to get libraries. I finally decided to use darwinports for the non-Apple standards. Look out for X11 when not installed!!!!

Use the built-in GD '--with-gd' – no path. darwinports gd has issues (won’t build).

I wound up with this

configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-apxs --with-ldap=/usr --with-kerberos=/usr --enable-cli --with-zlib-dir=/usr --enable-trans-sid --with-xml --enable-exif --enable-ftp --enable-mbstring --enable-mbregex --enable-dbx --enable-sockets --with-iodbc=/usr --with-curl=/opt/local --with-config-file-path=/etc --sysconfdir=/private/etc --with-pear --with-mysql=/usr/local/mysql --with-openssl=/usr --with-gd --with-png=/opt/local --with-jpeg=/opt/local --with-expat=/opt/local --with-gettext=/opt/local --with-dom=/opt/local --with-dom-xslt=/opt/local --with-xslt-sablot=/opt/local --enable-xslt --with-xmlrpc --enable-wddx

I still need to figure out about IMAP support.


macosxhints.com – Modify cursor movement keys in Terminal

The defacto standard in Terminal’s shells is meta-b (backward) and meta-f (forward) for word-by-word movement. In every other Cocoa app, however, it’s Option-left arrow and Option-right arrow. I wanted Terminal to behave the same way.

configure.env-append LD=g++ CC=g++

darwinports

That line needs to go after configure.args; otherwise it never loads.
Spent all day trying to figure this out.

pdb2csv csv2pdb
