Archives May 2006
PHP Session Lifetime: An Adventure
We had a bit of a sticky situation here at the Centresource stomping grounds these past couple of weeks. We have a server with a multitude of environments served via our Apache webserver. It’s a fairly simple setup: we have a virtualhost devoted to development environments for all of our software developers, and then a plethora of virtualhosts for the various web-based applications we use: some home-brewed, some OSS web applications we use for various business functions (CMS, CRM, Groupware, etc.).
The mystery started when sessions started mysteriously expiring prematurely on two of our most popular web applications: DekkoTime, and our internal CRM/groupware application. It started about two weeks ago, with no discernable changes to our configuration that could be responsible.
So to understand what was necessary to track down this problem, we have to explore a little bit about how PHP session data storage and expiration works:
Large Botnet Attack
So, the inspiration for writing this script was so that I could quickly and effortlessly visualize some of the stats from my webserver logs on the fly. The reason was that I have noticed a huge influx of comment-spam attempts on my personal blog, this blog, and the Nashville Metblog.
I have access to the logs on the first two, and it was obvious from casual inspection that each attempt was coming from a different IP and network: i.e., it is coming from a botnet. I suspected that the spam influx on all these hosts was from the same botnet, and it appears that I was right. Out of 3-400 unique IP addresses making the spam attempts on those first two sites, around 200 of them had hit both servers. And lest there was any doubt, compare these two graphs of the comment-spam attempts per hour:
Simplegraph
I use command-line utilities to do data-mining on logs compulsively — often in sick and twisted ways. There are many times in which I perform a tortuous series of grep/perl/awk commands which wind up being fed to “sort | uniq -c | sort -nr” or something similar.
Those of you familiar with those commands already know that the result is a list of unique values added up and displayed with a total, e.g.:
Odd Things
My personal webserver has been getting slammed with requests for “/robots.txt”, by what appears to be a botnet — over 234 unique IP addresses so far, over the last week. But appearances can be deceiving. Here’s where things get weird: All of the IP addresses have reverse DNS that has “planetlab” in it, which even resolves backwards to the correct IP. A smattering of examples:
14.1.31.128.in-addr.arpa domain name pointer planetlab4.csail.mit.edu.
15.1.31.128.in-addr.arpa domain name pointer planetlab5.csail.mit.edu.
16.1.31.128.in-addr.arpa domain name pointer planetlab6.csail.mit.edu.
17.1.31.128.in-addr.arpa domain name pointer planetlab7.csail.mit.edu.
12.36.4.128.in-addr.arpa domain name pointer planetlab2.pc.cis.udel.edu.
143.6.42.128.in-addr.arpa domain name pointer ricepl-1.cs.rice.edu.
145.6.42.128.in-addr.arpa domain name pointer ricepl-3.cs.rice.edu.
200.67.59.128.in-addr.arpa domain name pointer planetlab1.comet.columbia.edu.
201.67.59.128.in-addr.arpa domain name pointer planetlab2.comet.columbia.edu.
202.67.59.128.in-addr.arpa domain name pointer planetlab3.comet.columbia.edu.
Opera 9 Beta Cookies Bug
I would be trying out Opera 9 beta right about now, but it appears that the cookies bug described here has been made worse with Opera 9 Beta. The workaround no longer works at all.
I posted as much here. I’m hoping this gets fixed soon — I wasn’t surprised to see this in a technology preview, but it’s a little unnerving to see it in a beta. It’s a minor issue, but one that prevents me from trying it out.
Vigilantism
Blue Security, the geniuses that made news a while back advertising their intent to create a network to DoS spammers, are back in the news again.
The reason is hardly surprising. Blue Security themselves were the result of a massive DoS attack. How did they respond? According to this NANOG post, by switching their DNS to their Typepad-hosted blog. So, rather than deal with the consequences of their abuse of the Internet, they made it someone else’s problem — namely Six Apart’s: you may have noticed that both Typepad and Livejournal were down yesterday as a result of the DoS.
Easy way to burn an ISO
If you own a single-slot CD-R, you may wonder how you’re supposed to burn copies of your disks and/or make exact images of your distributions. One popular way is to create an ‘Image’ of your CD-ROM in the format of an ISO. The ISO file is an actual image-copy of the CD-ROM - not the files themselves. This may be hard to understand, but CD-ROMs have more info associated with them other than the files that are stored on them. Special security, volume info, etc. - all stored at the low level of the CD-ROM. While all of this is fascinating, it isn’t the point of my post :) If you need to burn an ISO, here is a great site that makes it super simple: Right click -> Copy Image to CD. That’s it! Thanks Alex Feinman.
