While setting up a new ossec cluster I encountered the following error when trying to restart ossec on the client server using /var/ossec/bin/agent_control 001 :

ossec-execd(1103): ERROR: Unable to open file '/var/ossec/etc/shared/ar.conf'.
ossec-execd(1311): ERROR: Invalid command name 'restart-ossec0' provided.

The issue is a problem with ownership on the ar.conf file. By default ossec installs it with root:root permissions but it needs to be root:ossec.

#chown root:ossec /var/ossec/etc/shared/ar.conf

Security researchers at DefenseCode uncovered a 0day exploit within the linksys firmware. They have only tested it on the WRT54GL but believe other models will be vulnerable. At the moment only security researchers appear to have the exploit code. Per defensecode's vulnerability disclosure policy they are going to release the full details of the attack on January 25th.

Securelist has a very interesting post about a malware campaign that has existed under the radar for at least 5 years. More will be coming out in the next few days.

http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanc...

A new exploit in java has been made public, details can be found here: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-d...

It appears the exploit has been around for at least some time as two different exploit kits already include it. At the moment the only fix is to disable java. If you need java I would suggest running it on a specific browser used only for that, ideally within a virtual machine.

If you are using internet explorer beware of the current 0-day exploit that is being actively exploited. There is also a metasploit tool that allows users to exploit the vulnerability.

It appears that dropbox has had at least part of the Dropbox user database stolen. Many users with unique email addresses created only for dropbox have reported spam. Krebs has a good post on it over here along with a few relavent links to the dropbox forum and twitter.

http://krebsonsecurity.com/2012/07/spammers-target-dropbox-users/

Encryption is vital to any website that takes information that should not be viewable by others. Ecommerce sites are one of the more obvious places for SSL but login pages should be and many contact forms would ideally be encrypted.

A decent check of your website to make sure that SSL is properly configured can be found here: https://www.ssllabs.com/ssltest/

Enjoy!

The following error was encountered while trying to get libvirtd running:

libvirt version: 0.9.10, package: 21.el6_3.1 (CentOS BuildSystem , 2012-07-03-16:15:49, c6b8.bsys.dev.centos.org)
error : virNetServerMDNSStart:460 : internal error Failed to create mDNS client: Daemon not running

Note that I had to check /var/log/libvirt/libvirt.log as a service libvirtd start looked fine, a restarted was failing on stopping it.

The issue comes from avahi not running. Go ahead and install it and get messagebus running via:

If you are running Parallels Plesk control panel (both linux and windows) check out this article: http://krebsonsecurity.com/2012/07/plesk-0day-for-sale-as-thousands-of-s...

Plesk reports that patching can help it but some are reporting that even patched servers may be vulnerable to this exploit. The most common attack seems to be uploading an iframe that can be then used to distribute malware to people surfing the site.

Well its about that time...time for a new page! I have done a complete revamp of the backend and have everything up to the latest and greatest versions. The last few years have gone by in the blink of an eye, now after changing jobs I have a bit more time and plan to use some of that time to rejuvenate the site.

Enjoy your visit! =-)

-John
"eth00"

This error I got when trying to install icinga-web on a cents 5 server.

[Wed May 25 20:54:02 2011] [fatal] Uncaught AppKitPHPError: PHP Error mkdir() [function.mkdir]: File exists (/usr/local/icinga-web/app/cache/config/compile.xml_development__033d402eaeb08f42e4e3d5f8474e444805e2c7c6.php:1327) (/usr/local/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:20)

The following is an error encountered after setting up ossec as an agent:

ossec-agentd: INFO: Trying to connect to server (10.0.0.2:1514).
ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.0.2'.

Make sure that the ossec server is running, has no firewall, and the IP for it is correct.

The following is an error I got after starting ossec as an agent that is supposed to connect back to a central server:

#/var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
Started ossec-execd...
ossec-agentd(1402): ERROR: Authentication key file '/var/ossec/etc/client.keys' not found.
ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
ossec-agentd(4109): ERROR: Unable to start without auth keys. Exiting.

If you get the following while trying to source compile Unreal 3.2:

This is an error that is generally observed in the servers messages log (even though it is related to php)

suhosin[32269]: ALERT - script tried to increase memory_limit to 536870912 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '/home/user/file.php', line 5)

The solution is to raise the memory_limit in the php.ini

This is an error that I received while working on a server that has suhosin.

suhosin[35486]: ALERT - configured POST variable limit exceeded - dropped variable 'check_agentID[63]' (attacker '10.0.02', file '/home/user/public_html/somefile.php')

The problem solution was pretty simple and just required allowing a longer request length for suhosin. Put the following in the php.ini:

php_admin_value suhosin.request.max_vars 500
php_admin_value suhosin.post.max_vars 500

Here is an error that is seemingly simple but has a few more then just the obvious answers.

sendmail[4980]: p9JHuBGv004978: to=, ctladdr= (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=120427, relay=mx1.domain.com. [10.0.0.2], dsn=5.6.0, stat=Data format error
sendmail[4980]: p9JHuBGv004978: p9JHuBGv004980: DSN: Data format error

Here is an error I encountered in the messages log related to clam.

ERROR: NotifyClamd: No communication socket specified in /etc/clamd.conf
ERROR: Can't send to clamd: Socket operation on non-socket

If you have clamd running on your system then the issue is that clamd is having issues. If you do not run clamd then you need to disable NotifyClamd in /etc/freshclam.conf.