2009/02/25

deleting a large number of files

I normally use the following to delete a large number of files residing in a directory, because there is an upper limit on the number of file names rm can be handed on a single command line:

# find . -type f -print0 | xargs -0 rm

(The original one-liner used an unquoted -name *, which the shell expands into file names before find ever runs; -print0 with xargs -0 also keeps names containing spaces or newlines intact.)

Sometimes, when the number of files is very large, the above is not 100% workable, so I keep a backup option:

#find . -type f -exec rm {} \;

The syntax is not easy to remember, but I need to memorize it for system administration.

2009/02/20

IIS Server Probe

I saw these lines in my server log:

/samples/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/scripts/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/cgi-bin/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/vti_bin/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/samples/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/vti_cnf/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/vti_bin/winnt/system32/cmd.exe?/c+dir HTTP Response 302

Apparently, a bad guy was probing for old IIS vulnerabilities (each request was answered with a 302 redirect rather than being served). The bad guy was not very professional. He should have performed web server OS fingerprinting before launching the probe.

2009/02/15

Iridium satellite crash

I feel sad that one of the operating Iridium satellites was destroyed by a malfunctioning Russian satellite. Back in 1999, I worked with Iridium LLC, HKTI and the Hong Kong Police to make it possible for Iridium users in Hong Kong to make emergency calls using the telephone numbers "112", "999" and "852 999".

Let's hope the countries with the technical capability to launch rockets (USA, China, India, etc.) can mobilize spacecraft to clear away orbital debris, even though there is no commercial profit in it.

2009/02/12

DNS DDoS attacks

Great! I had the chance to see a DNS DDoS taking place.

A zombie was using the spoofed source IP address 89.149.221.182 to query the NS records of the root domain. The attacker behind it was looking for an open recursive resolver that would flood the victim at 89.149.221.182 with the replies. My resolver has open recursion disabled, so the requests were refused. Had open recursion been left enabled, each 45-byte query packet would have been answered with about 400 bytes, so the amplification factor is large, almost 10 times.

Although the activity was harmless to my server and the load was light, it still generated about 10k lines a day in the log file. I used iptables to drop UDP packets to port 53 with a length of exactly 45 bytes, which is the exact packet size of an NS query on the root domain. The syntax is as below:

# iptables -I INPUT -p udp --dport 53 -m length --length 45 -j DROP

Bingo, it blocks as expected.
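To check why a bare root NS query is exactly 45 bytes on the wire, and therefore why the iptables length match above is so narrow, here is an added Python example (not part of the original post): it builds the query in DNS wire format and adds the IPv4 and UDP header sizes that the length match counts. It also shows two caveats a defender should know: an ordinary query for a hostname (example.com is a constructed name) does not match the rule, and the same root NS query sent with EDNS0 (an assumed 4096-byte buffer size) is 56 bytes, so the rule only catches the bare form.

```python
import struct

QTYPE_A, QTYPE_NS = 1, 2
IPV4_HEADER_LEN = 20          # IPv4 header without options
UDP_HEADER_LEN = 8


def build_query(name: str, qtype: int, txid: int = 0x1234, edns: bool = False) -> bytes:
    """Build a DNS query message (RFC 1035 wire format) for name/qtype, class IN.

    With edns=True an empty OPT pseudo-record (EDNS0, RFC 6891) is appended,
    which is what most modern resolvers send by default.
    """
    arcount = 1 if edns else 0
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    qname = b""
    for label in name.rstrip(".").split("."):
        if label:                                  # "." yields no labels at all
            qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"                               # root label terminates the name
    msg = header + qname + struct.pack("!HH", qtype, 1)   # QCLASS=IN
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size (assumed 4096),
        # TTL=0, RDLENGTH=0 -> 11 bytes
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg


def on_wire_length(dns_payload: bytes) -> int:
    """Length of the IPv4 datagram carrying the payload. The iptables length
    match compares this total, not the DNS message size alone."""
    return IPV4_HEADER_LEN + UDP_HEADER_LEN + len(dns_payload)


def matches_drop_rule(dns_payload: bytes, rule_length: int = 45) -> bool:
    """Would '-p udp --dport 53 -m length --length 45 -j DROP' drop this query?"""
    return on_wire_length(dns_payload) == rule_length


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes sent to the victim per byte the attacker spoofed."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    root_ns = build_query(".", QTYPE_NS)
    print(len(root_ns), on_wire_length(root_ns), matches_drop_rule(root_ns))  # 17 45 True
    print(matches_drop_rule(build_query("example.com", QTYPE_A)))             # False
    print(on_wire_length(build_query(".", QTYPE_NS, edns=True)))             # 56
    print(round(amplification_factor(45, 400), 1))                            # 8.9
```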

2009/02/11

.hk and .cn ccTLD servers

There are now 11 DNS servers for the .hk ccTLD, located in HK, Taiwan, Australia and the USA. We still have room for 2 more servers before resorting to anycast technology to deploy .hk server instances in other places.

Given the increased business communications between HK and China, and considering that Hong Kong is part of China, it would benefit both HK and China if one set of .hk ccTLD DNS servers were located in mainland China. Likewise, HK could consider hosting one set of .cn ccTLD servers. At present there are 6 sets of .cn ccTLD DNS servers in mainland China, so there is at least a chance of setting up a .cn ccTLD DNS server in HK.

I have made the proposal to HKIRC.

2009/02/05

What should be removed from a PC motherboard

Some thoughts on what should be removed from a modern day PC motherboard:

1. Parallel printer port - printers are now driven by USB.

2. RS232 com port - we are in the broadband era; dial-up modems are no longer in use.

3. Game port - I have never used it before.

4. Floppy disk controller - a 1.44 MB floppy disk can't even store a single file these days.

After removing all these redundant interfaces and circuitry, can we expect motherboard prices to drop? Not quite.

2009/02/02

Google marked all sites as dangerous

Google marked all sites as dangerous on 31 January for 40 minutes. The sequence of events that led to this is explained below:

1. Google maintains a list of known malicious sites
2. Somebody entered the URL “/” on that list
3. The list was pushed to all of Google's servers between 6:27 and 6:40 a.m.
4. Because / is found in any URL, all websites were flagged as potentially dangerous

Google made a critical mistake. Since human error is unavoidable, Google should have run a health check of the new list in a test environment before pushing it to all production servers.

Did Google learn a proper lesson about “change control”?

2009/02/01

PC still running Windows XP SP1

I always assumed that office and home PCs would be patched up to Service Pack 3. I was wrong. Yesterday I sat in an Internet cafe, and the PC I used was running XP with Service Pack 1 (SP1). SP1 was released in September 2002, which means patches had not been applied for the past 6 years.

Next time, when I go to that cafe again, I will not use the free PCs provided to check email.