Monthly Archives: September 2014

Steps to install apache-solr under tomcat6 on Amazon Ec2 Linux AMI

Ensure Java 1.7 is installed and is default selected JAVA_HOME or install

Coldfusion CFIDE bitcoin mining exploit – URL attack vectors

Coldfusion CFIDE bitcoin mining exploit – PHP involved…

 An additional file related to the compromise found at /CFIDE/updates.cfm

Coldfusion CFIDE bitcoin mining exploit?

Just found the following 2 new directories on multiple windows server 2003 installations of coldfusion 9:

{wwwroot}/CFIDE/m32 3/13/2014

contains:
libcurl-4.dll
libwinpthread-1.dll
m32.exe
zlib1.dll

and

{wwwroot}/CFIDE/m64 3/17/2014

contains:
libcurl-4.dll
libwinpthread-1.dll
m64.exe
zlib1.dll

When running m32.exe it appears that it’s some type of wrapper for a bitcoin mining operation:


C:\Inetpub\wwwroot\CFIDE\m32>m32.exe
m32.exe: no URL supplied
Try `minerd --help' for more information.

C:\Inetpub\wwwroot\CFIDE\m32>minerd --help
'minerd' is not recognized as an internal or external command,
operable program or batch file.

C:\Inetpub\wwwroot\CFIDE\m32>m32.exe minerd --help
Usage: minerd [OPTIONS]
Options:
-a, --algo=ALGO specify the algorithm to use
scrypt scrypt(1024, 1, 1) (default)
sha256d SHA-256d
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-u, --user=USERNAME username for mining server
-p, --pass=PASSWORD password for mining server
--cert=FILE certificate for mining server using SSL
-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
-t, --threads=N number of miner threads (default: number of processors)
-r, --retries=N number of times to retry if a network call fails
(default: retry indefinitely)
-R, --retry-pause=N time to pause between retries, in seconds (default: 30)
-T, --timeout=N network timeout, in seconds (default: 270)
-s, --scantime=N upper bound on time spent scanning current work when
long polling is unavailable, in seconds (default: 5)
--no-longpoll disable X-Long-Polling support
--no-stratum disable X-Stratum support
-q, --quiet disable per-thread hashmeter output
-D, --debug enable debug output
-P, --protocol-dump verbose dump of protocol-level activities
--benchmark run in offline benchmark mode
-c, --config=FILE load a JSON-format configuration file
-V, --version display version information and exit
-h, --help display this help text and exit

C:\Inetpub\wwwroot\CFIDE\m32>m32.exe minerd -V
cpuminer 2.3.3
libcurl/7.35.0 zlib/1.2.8


I cannot find any information about this and have no idea how these files got on the servers – we were cryptojacked. For now I’m relocating them for further investigation as the processes were being launched through Jrun…
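An added triage script, not part of the original post, that does the first thing an investigator wants before the dropped files are relocated: walk a web root, report every .exe/.dll under it with its SHA-256 (so the same files can be matched on the other servers), check for the PE "MZ" header, and flag binaries that contain the "minerd" or "cpuminer" strings the wrapper printed above. The web root it scans is constructed in a temporary directory with fake file contents standing in for the real binaries; only the names and locations come from the post.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions that have no business under a served web root.
BINARY_SUFFIXES = {".exe", ".dll"}
# Strings the dropped wrapper itself printed (see the m32.exe output above).
MINER_MARKERS = (b"minerd", b"cpuminer")


def sha256_of(path):
    """Hash the file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_webroot(root):
    """Walk a web root and report every native binary found under it.

    Each finding records the path relative to the root, its SHA-256, whether
    the file starts with a PE 'MZ' header, and which miner marker strings it
    contains, so the same files can be recognised on other hosts.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in BINARY_SUFFIXES:
                continue
            data = path.read_bytes()
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "sha256": sha256_of(path),
                "is_pe": data[:2] == b"MZ",
                "markers": [m.decode() for m in MINER_MARKERS if m in data],
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_webroot(base):
    """Constructed stand-in for the compromised {wwwroot}; file contents are fake."""
    base = Path(base)
    m32 = base / "CFIDE" / "m32"
    m32.mkdir(parents=True)
    # Fake PE stub carrying the help string the real wrapper printed.
    (m32 / "m32.exe").write_bytes(
        b"MZ" + b"\x00" * 62 + b"Try `minerd --help' for more information.")
    for dll in ("libcurl-4.dll", "libwinpthread-1.dll", "zlib1.dll"):
        (m32 / dll).write_bytes(b"MZ" + b"\x00" * 62)
    # Legitimate web content that must not be reported.
    (base / "CFIDE" / "administrator").mkdir()
    (base / "CFIDE" / "administrator" / "index.cfm").write_text("<cfoutput>ok</cfoutput>")
    (base / "index.cfm").write_text("<cfoutput>home</cfoutput>")
    return base


def demo():
    """Build the constructed web root in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webroot(build_sample_webroot(tmp))


if __name__ == "__main__":
    for finding in demo():
        flag = "PE" if finding["is_pe"] else "--"
        print(f"{flag} {finding['sha256'][:16]} {finding['path']} markers={finding['markers']}")
```

Run it against the real wwwroot with `scan_webroot(r"C:\Inetpub\wwwroot")` and keep the hashes: they let you confirm whether the m64 drop on 3/17 is the same build as the m32 drop on 3/13 and whether other servers received identical files.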

Steps to install apache-solr under tomcat6 on CentOS 6.2

1. cd /usr/local/src
2. mkdir RPMS
3. cd RPMS
4. wget http://mirrors.dotsrc.org/jpackage/6.0/generic/free/RPMS/jpackage-release-6-3.jpp6.noarch.rpm
5. yum localinstall jpackage-release-6-3.jpp6.noarch.rpm
6. yum install tomcat6
7. wget ftp://ftp.pbone.net/mirror/www.jpackage.org/jpackage/5.0/generic/free/RPMS/jakarta-poi-3.2-1.jpp5.noarch.rpm
8. yum localinstall jakarta-poi-3.2-1.jpp5.noarch.rpm
9. yum install ant
10. chkconfig --level 3 tomcat6 on
11. chkconfig --level 4 tomcat6 on
12. chkconfig --level 5 tomcat6 on
13. chkconfig --level 6 tomcat6 on
14. cd /usr/share
15. wget http://mirrors.sonic.net/apache/lucene/solr/3.6.0/apache-solr-3.6.0.tgz
16. tar xzvf apache-solr-3.6.0.tgz
17. vi /usr/share/tomcat6/conf/Catalina/localhost/solr-example.xml

<?xml version="1.0" encoding="utf-8"?>
<Context docBase="/usr/share/apache-solr-3.6.0/example/solr/solr.war" debug="0"
crossContext="true">
<Environment name="solr/home" type="java.lang.String" value="/usr/share/apache-solr-3.6.0/example/solr" override="true" />
</Context>

18. chmod -R a+rwx /usr/share/apache-solr-3.6.0/example
19. service tomcat6 stop
20. service tomcat6 start
21. Open http://servername.com:8080/solr-example/admin in a browser.

Done.
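As an added post-install check, not part of the original instructions, this Python script reads the context file from step 17 with ElementTree, verifies that docBase and solr/home point at real paths, and reports every path under solr/home that step 18's chmod -R a+rwx left world-writable. The sample tree it checks is constructed in a temporary directory; the /usr/share prefix is parameterised so nothing touches a live server.

```python
import stat
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# The step 17 context descriptor, with the /usr/share prefix parameterised so
# the check can run against a constructed tree instead of a live server.
CONTEXT_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<Context docBase="{base}/apache-solr-3.6.0/example/solr/solr.war" debug="0"
crossContext="true">
<Environment name="solr/home" type="java.lang.String" value="{base}/apache-solr-3.6.0/example/solr" override="true" />
</Context>
"""


def read_context(context_xml):
    """Parse a Tomcat context file and return its docBase and solr/home values."""
    root = ET.parse(context_xml).getroot()
    if root.tag != "Context":
        raise ValueError(f"expected a <Context> root element, got <{root.tag}>")
    env = {e.get("name"): e.get("value") for e in root.findall("Environment")}
    return {"docBase": root.get("docBase"), "solr_home": env.get("solr/home")}


def check_deployment(context_xml):
    """Return (settings, problems) for the solr-example deployment."""
    settings = read_context(context_xml)
    problems = []
    war = Path(settings["docBase"] or "")
    if not war.is_file():
        problems.append(f"docBase not found: {war}")
    home = Path(settings["solr_home"] or "")
    if not home.is_dir():
        problems.append(f"solr/home not found: {home}")
    else:
        # Step 18's chmod -R a+rwx leaves config and index writable by every
        # local account; Tomcat only needs write access to the data directory.
        for path in [home, *home.rglob("*")]:
            if path.stat().st_mode & stat.S_IWOTH:
                problems.append(f"world-writable: {path.relative_to(home)}")
    return settings, problems


def build_sample(base, world_writable):
    """Constructed stand-in for /usr/share after step 16, optionally after step 18."""
    base = Path(base)
    home = base / "apache-solr-3.6.0" / "example" / "solr"
    (home / "conf").mkdir(parents=True)
    (home / "solr.war").write_bytes(b"PK\x05\x06" + b"\x00" * 18)  # empty zip archive
    (home / "conf" / "schema.xml").write_text("<schema/>")
    dir_mode, file_mode = (0o777, 0o777) if world_writable else (0o755, 0o644)
    for path in [home, *home.rglob("*")]:
        path.chmod(dir_mode if path.is_dir() else file_mode)
    context = base / "solr-example.xml"
    context.write_text(CONTEXT_TEMPLATE.format(base=base))
    return context


def demo(world_writable=True):
    """Build the sample tree in a temp dir and return the problems found."""
    with tempfile.TemporaryDirectory() as tmp:
        _settings, problems = check_deployment(build_sample(tmp, world_writable))
        return problems


if __name__ == "__main__":
    print("after chmod -R a+rwx:", demo(True))
    print("with 755/644 modes:  ", demo(False))
```

On a real server run `check_deployment("/usr/share/tomcat6/conf/Catalina/localhost/solr-example.xml")`. Tomcat needs write access only to the index data directory, so owning solr/home by the tomcat user with 755/644 modes does the job without making the whole example tree writable by every local account.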

Coldfusion – Running the Application server separate from the Webserver with a Windows OS

Steps to create a distributed Coldfusion application server tied to a separate IIS webserver:

Install and configure CF9 standalone application server on the application server machine.

Install CF9 application server on the webserver and configure it to use IIS, then stop and disable all coldfusion services using the services administration tool.

On the application server open the file C:\ColdFusion9\runtime\lib\security.properties and add the internal and external IP addresses of the webserver here:
jrun.trusted.hosts=000.000.000.000,123.123.123.123

On the application server open the file C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\jrun.xml
Locate the ProxyService configuration section (the element with class="jrun.servlet.jrpp.JRunProxyService" name="ProxyService").

Ensure that the following attribute is false:
false

Ensure that the port attribute is set to 51011:
51011

On both servers open the file
C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\jndi.properties and ensure that the value of java.naming.provider.url is set to localhost:2932
java.naming.provider.url=localhost:2932

Restart Coldfusion services on the application server.

Run the following program AS ADMINISTRATOR on the webserver:
C:\ColdFusion9\runtime\bin\wsconfig.exe

Remove the localhost connector and quit then run iisreset from an administrator
command prompt.

Run the following program AS ADMINISTRATOR on the webserver:
C:\ColdFusion9\runtime\bin\wsconfig.exe

Click Add and put the ip address of the application server under JRUN host and
check the box:
Configure web server for coldfusion 9 applications

Select OK and quit then run iisreset from an administrator command prompt.

Ports 51011 and 2932 must be open between both servers.

Getting Your Windows Movie Maker WMV Movies Onto Your iPhone

I recently made a photo montage of my trip to China that I wanted to get onto my iPhone and, through much trial and error, was finally successful. I had over 900 hi-res digital photos that I wanted to include in the video and I wanted pans, zooms, and smooth transitions. And I wanted music. I used Photo Story 3 (free from Microsoft), Windows Movie Maker (free from MS), iTunes (free from Apple), and the Adobe Media Encoder (not free from Adobe). Photo Story 3 allows for only up to 300 pictures, so first I created 3 movies comprising all 900 photos and chose no soundtrack. PS3 generated nice wmv files for those, which I imported into Movie Maker, then added fade transitions between them and a soundtrack. Then I published from Movie Maker a few different ways: one was using a DVD target because I wanted a DVD of the movie as well, and another was targeting a Windows Mobile device. The mobile device target generated a 640×480 WMV file. I then used the Media Encoder to try and convert it to a .mp4 file using the H.264 format and the Apple iPod Video Large preset. This created the file but it was horrible. Choppy, terribly jerky, and not at all passable. So I tried something else.

I converted the wmv file using the media encoder into Quicktime format using the NTSC_DV preset. It generated a huge file, but the playback was great. I then added this file into iTunes and used iTunes to convert to mp4 by right clicking and selecting “Convert to iPhone”. I added the resulting movie to my iPhone and it plays back flawlessly.

Implementing Compact Privacy Policies Under IIS

We have a client who runs an ecommerce package called ASP.NET Storefront (we are in the process of moving them to AbleCommerce). A few weeks back, they began to hear customers complaining that they could not add items to their cart, or that items in the cart would disappear. I traced this down to a cookie issue and updated default security settings in IE. The default security for the Internet zone in IE 7 is not to accept cookies from sites that do not have a Compact Privacy Policy.

This is basically a set of files conforming to the W3C P3P standard and consists of the following:

p3p.xml – this is a policy reference file and it should live in a directory named W3c at the root of the server.
clientname.p3p – (or .xml, as we’ll see later) this is the xml privacy policy
clientname.htm – this is the html privacy policy
clientname.txt – this is the compact policy file that is used to generate http headers

All of these files can be generated using a p3p tool from IBM: http://alphaworks.ibm.com/tech/p3peditor

A couple of caveats:
1. The compact policy file generated by the tool for the HTTP headers only contains this:
CP="CAO DSP CURa ADMa DEVa TAIa CONa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"

The full header should look like this:

P3P: policyref="http://www.CLIENT.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa CONa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"

2. When generating the actual policy file, the tool wants to save a file with a .p3p file extension, which is fine if you add the MIME type .p3p = text/xml in IIS and restart your server. But if you don't want to restart your server, you can just save it with an .xml file extension.
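An added example, not from the post or from the IBM tool, covering the first caveat: it assembles the full P3P header from the tool's compact-policy output and a policyref URL, parses a header back into its parts so a half-configured one (CP without policyref) can be spotted, and rejects tokens outside the P3P 1.0 compact-policy vocabulary. The vocabulary sets are taken from the W3C P3P 1.0 specification; accepting an a/i/o suffix on CUR is an assumption made so that the tool's own CURa output validates.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped as in the W3C specification.
VOCABULARY = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "non-identifiable": {"NID"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "COM", "NAV", "DEM", "STA", "TEL",
                 "OTC", "INT", "GOV", "HEA", "FIN", "CNT", "PRE", "LOC", "POL"},
    "test": {"TST"},
}
# Tokens that may carry an a/i/o (always / opt-in / opt-out) suffix: every
# purpose and every recipient except OUR. CUR is included here as an
# assumption, because the IBM editor's output above uses CURa.
SUFFIXABLE = (VOCABULARY["purpose"] | VOCABULARY["recipient"]) - {"OUR"}


def classify_token(token):
    """Return the vocabulary group of a compact-policy token, or None if unknown."""
    base, suffix = token[:3], token[3:]
    if suffix and not (suffix in ("a", "i", "o") and base in SUFFIXABLE):
        return None
    for group, members in VOCABULARY.items():
        if base in members:
            return group
    return None


def unknown_tokens(cp):
    """List the tokens in a CP string that are not in the P3P 1.0 vocabulary."""
    return [t for t in cp.split() if classify_token(t) is None]


def build_p3p_header(policyref_url, cp):
    """Compose the full header line; refuse to emit unknown tokens."""
    bad = unknown_tokens(cp)
    if bad:
        raise ValueError(f"unknown compact-policy tokens: {bad}")
    return f'P3P: policyref="{policyref_url}", CP="{cp}"'


def parse_p3p_header(value):
    """Split a header (with or without the 'P3P:' name) into policyref and tokens."""
    value = re.sub(r"^\s*P3P:\s*", "", value, flags=re.IGNORECASE)
    fields = dict(re.findall(r'(\w+)="([^"]*)"', value))
    return {"policyref": fields.get("policyref"), "cp": fields.get("CP", "").split()}


def is_complete(value):
    """True only when both a policyref and a non-empty CP are present."""
    parsed = parse_p3p_header(value)
    return bool(parsed["policyref"]) and bool(parsed["cp"])


if __name__ == "__main__":
    # The compact policy exactly as the tool emitted it above.
    TOOL_OUTPUT = 'CP="CAO DSP CURa ADMa DEVa TAIa CONa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"'
    tokens = " ".join(parse_p3p_header(TOOL_OUTPUT)["cp"])
    print("tool output complete?", is_complete(TOOL_OUTPUT))
    full = build_p3p_header("http://www.CLIENT.com/w3c/p3p.xml", tokens)
    print(full)
    print("full header complete?", is_complete(full))
```

Paste the line that `build_p3p_header` returns (minus the leading `P3P:` name) as the value of a custom HTTP header named P3P; `is_complete` run over what the server actually sends back is the quickest way to confirm the policyref did not get dropped along the way.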