Monday, November 29, 2004

Tracking down Spyware Spreaders;)

In a very fascinating article, this author provides a video (wmv format - ick) of live spyware installations through IE/Windows. The author reveals some interesting facts like pay-per-install rates and suggests a way of tracking these people down.

Yes, the author says that IE/WindowsXP-SP2 isn't vulnerable to what he's showing... provided the user is using all the security features.

And, of course... there are other examples of spyware that he didn't test.

But I think the article is interesting nonetheless...

What do you think?


This is what happens when put a machine open in the internet

Hey All ,

Just before i hit the sacks on a Sunday night aaha lemme call it MOnday morning , this is what i founf when i put a machine open on the internet which no DNS entry and ping blocked to the IP.

Luckily i have snort IDS running on the machine and the stats amaze me whenever i get back to them , believe me thats what i can say.

Now for testing purposes i am planning to set up honey pot and see if it really works out even if i am able to catch a amatuer it will be a big step for me in my work.

You can see more pics below.

Just to save on space i have converted the pic into gif format having a little take on the resolution but i guess thats fine.

Click on the image thumbnail below to view a enlarged image or click here.

SNort IDS Latest Stats ;)


Believe it or not

Just checking up a little on the snort finding its amazing.

The most no. of attacks around 100 in the past some hrs for a IP block for which ping is also blocked.

This is for MS SQL security hole in which the virus or the worm targets port 1434 but it is a UDP port. But this a Redhat Linux server so no worries :D.

You can find the bug here at nessus[cve][icat][bugtraq][snort] MS-SQL version overflow attempt .

I have picked up all these links from the snort logs and what nessus says is to close UDP port 1434 so thats what i am gonna do to the ACL on the router.

Just will wait a little more time to see how soon does this worm attack die down. I am on Linux as i said before so no worries and once this goes successful will be setting up nessus on one of the machines. Planning to start my own security consultancy and also give my CCISP exaam finally.

Working Smart
The alternative to working hard!

Friday, November 26, 2004

ACID (Analysis console for intrusion detection) Read ON

I had just opened the firewall to pass everthing and this is the output i get in 5 mins.

If the pic below does not display properly you can do so by clicking here

check the pic below :


Finally snort is up and running fully and planning to put in another LAN card to detect my local network virus activity.The only thing left is to get the GD library works which gives me a tough time alwayz.

More tweaking and screen shots and logs snips to follow on hopefully by the weekend.


Cyrus IMAP Server multiple remote vulnerabilities

Multiple venurabilities have been found in the Cyrus IMAP server.

Fot those who dunn know what is the Cyrus IMAP server a lill into on it below :

IMAP (Internet Message Access Protocol) is an Internet standards- track protocol for accessing messages (mail, bboards, news, etc). The Cyrus IMAP server differs from other IMAP server implementations in that it is generally intended to be run on sealed servers, where normal users are not permitted to log in. The mailbox database is stored in parts of the filesystem that are private to the Cyrus IMAP system. All user access to mail is through the IMAP, POP3, or KPOP protocols.

During an audit of imapd several vulnerabilities were discovered ranging from a standard stack overflow, over out of bounds heap corruptions, to a bug caused by the use of programming constructs that are undefined according to the C standard.

All these bugs can lead to remote execution of arbitrary code depending on the skills of the attacker.

The venrabilities are as below :

[01 - IMAPMAGICPLUS preauthentification overflow]

Affected Versions: 2.2.4 - 2.2.8

When the option imapmagicplus is activated on a server the PROXY and LOGIN commands suffer a standard stack overflow, because the username is not checked against a maximum length when it is copied into a temporary stack buffer. This bug is especially dangerous because it can be triggered before any kind of authentification took place.
[02 - PARTIAL command out of bounds memory corruption]

Affected Versions: <= 2.2.6 (because unexploitable in 2.2.7, 2.2.8)

Due to a bug within the argument parser of the partial command an argument like "body[p" will be wrongly detected as "body.peek". Because of this the bufferposition gets increased by 10 instead of 5 and could therefore point outside the allocated memory buffer for the rest of the parsing process. In imapd versions prior to 2.2.7 the handling of "body" or "bodypeek" arguments was broken so that the terminating ']' got overwritten by a '\0'. Combined the two problems allow a potential attacker to overwrite a single byte of malloc() control structures, which leads to remote code execution if the attacker successfully controls the heap layout.
[03 - FETCH command out of bounds memory corruption]

Affected Versions: <= 2.2.8

The argument parser of the fetch command suffers a bug very similiar to the partial command problem. Arguments like "body[p", "binary[p" or "binary[p" will be wrongly detected and the bufferposition can point outside of the allocated buffer for the rest of the parsing process. When the parser triggers the PARSE_PARTIAL macro after such a malformed argument was received this can lead to a similiar one byte memory corruption and allows remote code execution, when the heap layout was successfully controlled by the attacker.
[04 - APPEND command uses undefined programming construct ]

Affected Version: 2.2.7, 2.2.8

To support MULTIAPPENDS the cmd_append handler uses the global stage array. This array is one of the things that gets destructed when the fatal() function is triggered. When the Cyrus IMAP code adds new entries to this array this is done with the help of the postfix increment operator in combination with memory allocation functions. The increment is performed on a global variable counting the number of allocated stages. Because the memory allocation function can fail and therefore internally call fatal() this construct is undefined arcording to ANSI C. This means that it is not clearly defined if the numstage counter is already increased when fatal() is called or not. While older gcc versions increase the counter after the memory allocation function has returned, on newer gcc versions (3.x) the counter gets actually increased before. In such a case the stage destructing process will try to free an uninitialised and maybe attacker supplied pointer. Which again could lead to remote code execution. (Because it is hard for an attacker to let the memory allocation functions fail in the right moment no PoC code for this problem was designed)

CVE Information

The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1011 to issue 01, the name CAN-2004-1012 to issue 02 and the name CAN-2004-1013 to issue 03.


It is strongly recommended to upgrade to the updated version of Cyrus IMAP Server as soon as possible because there is no workaround.

This venurability is picked up from the e-matter security and GLSA.


What am i posting so late in the night

Well been busy with studies ( For those who dunn know i am doing my CCNP :) )

I am also setting up snort an IDS and believe me the results are amazing.

Just posting a snip from the logs below. I have changed the ip address to hide identity .

[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
11/25-11:10:26.653596 W.X.Y.Z:4020 -> A.B.C.D:1434
UDP TTL:112 TOS:0x0 ID:30488 IpLen:20 DgmLen:404
Len: 376
[Xref => => => http://cv][Xref =>][Xref => http://www.securityfocus.

This is just a basic install of snort with latest rules , now what needs to be done is to start logging the events to mysql database and also install ACID to have a better view of logs.

WIll soon be posting the screen shots of the same and once i have fully gone thru snort will post on how i did it.


Wednesday, November 24, 2004

Memtest86 - A Stand-alone Memory Diagnostic

Found a cool tool to test the memory.

Memtest86 is thorough, stand alone memory test for x86 architecture computers. BIOS based memory tests are a quick, cursory check and often miss many of the failures that are detected by Memtest86.

Memtest86 is released under the terms of the Gnu Public License (GPL). Other than the provisions of the GNU public licence (GPL) there are no restrictions for use, private or commercial. Explicit permission for inclusion of Memtest86 in software compilations and publications is hereby granted.

The best part is it is available for both windows and Linux platforms and can also be booted off a LINUX or bootable floppy / CD.

Linux Installation is too simple and the steps are below :

To build Memtest86:
1) Review the Makefile and adjust options as needed.
2) Type "make"

This creates a file named "memtest.bin" which is a bootable image. This
image file may be copied to a floppy disk or lilo may be used to boot this
image from a hard disk partition.

To create a Memtest86 bootdisk
1) Insert a blank write enabled floppy disk.
2) As root, Type "make install"

To boot from a disk partition via lilo
1) Copy the image file to a permanent location (ie. /memtest).
2) Add an entry in the lilo config file (usually /etc/lilo.conf) to boot
memtest86. Only the image and label fields need to be specified.
The following is a sample lilo entry for booting memtest86:

image = /memtest
label = memtest

3) As root, type "lilo"

At the lilo prompt enter memtest to boot memtest86.

If you encounter build problems a binary image has been included (precomp.bin).
To create a boot-disk with this pre-built image do the following:
1) Insert a blank write enabled floppy disk.
2) Type "make install-precomp"

You can get it here


Visa scammers hit UK phones

This is how bloody social engineers exploit the knowledge gap among the ppl who do not understand the niti grities of how the credit card works.

Read an extract from the securityfocus website.

Credit card fraudsters are trying to fleece UK punters by tricking them into revealing card security information over the phone. The fraudsters, posing as representatives of Visa, are already is possession of card numbers and are after the CVV numbers (commonly printed on the signature panel on the back of the card) often needed to make purchases online.

Scammers claim that they are phoning about a suspicious transaction. They confirm that the holder has not made the transaction and say that a credit will be made to their account. At no point do they ask users for their account number. Instead they ask holders for their CVV number to "verify that you are in possession of the card".

You can read more on it here

Hopefully this will help all of us to deal with bloody social engineers in our respective countries.


Tuesday, November 23, 2004

zdnet reviews 7 tool bars from 7 search engines

I completly agree to what they have to say as stated below :

If you're still going to the Google or Yahoo home page to do Web searches, you're missing half the fun--and you're unnecessarily exerting your fingers. Toolbar plug-ins for Microsoft Internet Explorer--and now Firefox--make it easy and fast to look up Web references without having to type in another URL.

You can read the full report on the zdnet site here

Monday, November 22, 2004

Going further with the DNS installation

Windows Installation

The windows installation is pretty simple.

For one reason or another you insist to run BIND on windows. Well that's perfectly acceptable! Download the BIND executeable linked from the previous post and install it to the default directory.

Under Windows XP, %WINDIR% is 'C:\WINDOWS'
Under Windows NT/2K/2K3, %WINDIR% is 'C:\WINNT'


In this directory you have all of the BIND executeables. Here's a description of the executeables I'm going to bother mentioning:

named.exe - This is the BIND server program
rndc.exe - This program can be used to manage the server
named-checkzone.exe - This program can be used to check the syntax for zone files
named-checkconf.exe - This program can be used to check the syntax for config files


In this directory you have all the configuration files and zone files.

Starting and stoping the server under WIndows

start the server

Windows: Control Panel->Administrative Tools->Services->ISC BIND->Start

stop the server

Windows: Control Panel->Administrative Tools->Services->ISC BIND->Stop
DOS: %WINDIR%\SYSTEM32\dns\bin>rndc.exe stop

reload config

Windows: Control Panel->Administrative Tools->Services->ISC BIND->Restart
DOS: %WINDIR%\SYSTEM32\dns\bin>rndc.exe reload

If you try to start the server and it says the application terminated unexpectedly or something, check the error logs like this:

Windows: Control Panel->Administrative Tools->Event Viewer->Application Log
DOS: %WINDIR%\SYSTEM32\dns\bin>named.exe -g

If you did fail to start the server, it means named.conf has a syntax error someplace. Either try to figure it out yourself, or show me the logs using the DOS method.

What i have encountered in WIndows is problem in starting it with the user ID named so i started it under my id and i have admin priv so it works fine for me. :)

The best way to check is
c:\windows\SYSTEM32\dns\bin>named.exe -g
since i use Windows XP.

Linux Installation

Under Linux it is always advisable to run under the chroot shell .

you mebe a Linux Geek or a Linux newbie but it is a great initiaive to install bind under linux. More likely your Linux distro would have bind installed or you can just grab an RPM to install it or what ever method you prefer.The idea is to get a stable release and then a proper config of the named.conf file.

You can download it from here or here

The most likely case is that you have the BIND package installed and likely location for the files is :

Most likely location for the BIND files:

/usr/bin/named - BIND server process
/usr/bin/rndc - BIND management tool
/var/named/ - Location of zone files
/etc/named.conf - BIND configuration file

Even if those aren't the right locations, you can find a file by entering the following commands:
updatedb - update the locate database
locate rndc - example to look for a file
or find / -name rdnc -print (it will take a little more time if you don't wanna do an updatedb)

To start named you enter the following command:

named -u named

The "-u named" part makes sure it is running as the "named" user cause if you started it as root, you'd be in serious trouble if a exploit was discovered for your version of bind. Oh btw, don't know what version you're running? Do the following command:

dig @ version.bind txt ch

Yep, the whole world can ask your server what version of BIND it is. You can change that, but changing the displayed version is not covered by this basic tutorial. You can always ask me how though. To test to see if named is successfully running you can also do the above command. It'll say there was a timout or something.

If BIND didn't successfully start, you can always do the following command to see what's up:

named -u named -g

Basically you're starting BIND in the console. It will either shut down due to errors, or you have to press CTRL+C to terminate it. Fix any errors you see

Want BIND to start with your system? Well, it's probably already doing so, but you can check to make sure in the following file. This is accurate on redhat 9.0. It may be different on your system:

vi /etc/rc.d/init.d/named
vi /etc/sysconfig/named

You have to get init to start if for you so do it through /etc/rc.d/rc file also.

I am tired now and have a lot of work after some time so will soon be porting more after some time.


DNS server how-to and what servers are available

Just before i post on how to do the mail setups here what a lot of ppl have been asking me on a how-to on DNS server setup.

A lagre part of the tuto is picked up from silent rage i am too lazy to wirte ;).

We all have heard on bind being the most popular DNS server called bind, we'll lately for testing i have implemeted it on my machine :)

ok so lets go on with the theroy as usual to begin with :

The common choices for the DNS servers are :



BIND is the most popular DNS server software out there. It is free and open source. Its strong point is an excellent implementation of DNS standards. This makes it highly interoperable with other dns servers and provides features not found in any other dns server. Unfortunately, it has a notorious past of being insecure - so make sure you always have the latest version and learn how to secure it. Easy to manage once you get the hang of things, this server has a high learning curve.

It can be downloaded from here

Select the version you wanna install and then go for it.

Microsoft DNS Server

Compared to BIND, MS DNS is a newcomer to the field but growing in popularity quickly since being integrated into Windows 2003 Server. It is a lot more user friendly than other types of DNS servers, and yet has a well rounded feature set as is common with microsoft software. It is commonly used with Active Directory so that AD can do dynamic management your zones. MS DNS + AD is known to cause all sorts of difficult problems to work out. The only exploit I know of in MS DNS's past is a DoS vulnerability. A patch is available if your server is vulnerable.

Simple DNS

In the multitude of the less popular servers, this is the only one that stands out to me. It is designed for easy setup and configuration. This is not free however, but you can try it before you buy. I actually don't know much about it. You should use one of the above servers instead. Free is the way to be.


I might not be exagarrating but whole of internet works on bind implementation on Linux / UNIX or mebe it would be better to say UNIX / Linux

BIND usually comes with linux. See comments about BIND above.

djbdns - tinydns + dnscache

The djbdns suite is in aggressive competition with BIND, but for various reasons will never be as popular. djb software is famous for being ultra secure and having great performance advantages over competitor software. While they say it is easier to setup than BIND, it has a rather cryptic dns file format which isn't meant to be user friendly. Also, while it does have a fair feature set, it just doesn't do as much as BIND. It also ignores the DNS standards wherever it can get away with it - all in the name of efficiency and security. tinydns is the domain hosting server, while dnscache is the caching server.


I always recommend BIND for hosting domains on either windows or linux.

If you are looking to run a caching server only, then I recommend dnscache by djb for the far superior performance benefits. Once, I've been hired to write a resolver application cause BIND was choking on the zillions of requests by a web crawling script. It was choking despite all the BIND configuration optimizations I suggested to the guy. So if you're an ISP, or you otherwise place high demands on your dns resolver, dnscache is the better choice over BIND. Shoot, even if you're just a regular joe user, dnscache is preferred for being an easily configured light-weight resolver.

I have not worked with djbdns but thats what silent rage has got to say on it.

They mebe a lot more DNS server i may have missed out but the listed on are most commonly used but i have not come across an implementation of djbdns (that does not say that it is not used or popular). These are just my views which i express on my blog :)

Soon on how to install DNS server or should i say bind on windows and Linux and then defining zone.

TIll then work hard and take care


Hey all Just found a new editor to post at

It can publish for a number of sites and can be found here

A lill what the author says about it

Post and Publish on Blogger,
b2, MovableType, Nucleus,
BigBlogTool, BlogWorks XML
Blogalia, Drupal, Xoops,
E-Xoops, Upsaid, PostNuke,
TheBlog, Blog-City, blojsom,
Roller Weblogger, Domino,
LiveJournal, EraBlog.NET,
pMachine, TypePad
and YACS blogs
» Edit Posts and Templates
» Save Posts locally for
further publishing
» Import Text files
» Add links and images
» Format text font and alignment
» Multiple accounts and blogs
» Post preview
» Colorized HTML code
» HTML tags menu
» Find/Replace option
» Post to many blogs
» Ping to Weblogs.Com
» Title and Category Fields New!
» Spell Checking New!
» File and Image Upload New!
» Custom Tags Menu New!
» Toolbar Icons Skin New!
» Supports Windows XP New!
» Easy Account Configuration New!

Lets see how good it is and if this post succeds i will post today with the ISC Bind installation procedure today ;)

Monday, November 15, 2004

Samba Venurability

Happy Diwali to all My readers once again.

All of us are using samba or mebe tried it some time or the other. A venurability was pointed out by iDEFENSE to samba. The attacker could cause high CPU loads (processing) causing a denial of service to the users.

The affected versions are Samba 3.0.x <= 3.0.7.

Developers at samba suggest to upgrade to the latest version ASAP and to those who cannot do it for the time being samba has suggested some recomendations as below.

  • Limiting the number of concurrent connections
  • Using host based protection
  • Using interface protection
  • Using a firewall
  • Using a IPC$ share deny

If you wanna know more on how to do it you can either ping me :D or check out the well documented samba web page here.

The source of this info was Gentoo Security Advisory #GLSA 200411-21 / samba and the samba release on the website.


Saturday, November 13, 2004

Continuing my own tests on the prev posts

Just out of curosity on search for 'more evil than Satan' on or i did not find a single search result pointing to google. Well what do you ppl say is the tweak in code rectified or it was never there.

Just a more detialed read at the article found a screen shot to display the same , looks like the folks are smart there :D

The image can be seen at vnunet website by clicking here

I hold no responsibility for the image link above, If some one finds it objecting pls email me and i will remove it .


MSN search brands Google more evil than Satan

Found this nice article while reading the news on vnunet.

The beta version of MSN's search tool has sparked controversy less than a week after its launch when sharp-eyed users noticed that a search for 'more evil than Satan' brings back Google's homepage as the top match.
Duncan Parry, creative director at, a firm which specialises in helping business customers optimise their search engine rankings, told that he suspected foul play.

You can read more on it here.

Looks like one giant taking on the other, no offences meant to any one of them.

Nitin :)

Ten SP2 flaws leave XP users open to hackers

Yipes Microsoft XP SP2 has some flaws too . Microsoft Surely is gonna come out with patches for it.

Security researchers claimed today that millions of Microsoft customers are at risk from 10 serious security vulnerabilities uncovered in Windows XP patched with Service Pack 2 (SP2).

By exploiting all the vulnerabilities discovered in SP2 by security firm Finjan, attackers could "silently and remotely" take over an SP2 machine when the user simply browses a web page.

Finjan claimed that hackers could also switch between Internet Explorer security zones to obtain rights of local zone Internet Explorer users.

This could make it possible to elevate the privilege level of mobile code downloaded from the internet, thereby allowing the remote code to read, write and execute files on the user's hard drive.

According to Finjan, hackers could also bypass XP SP2's notification mechanism on the download and execution of .exe files, and therefore download files without any warning or notification.

you can read more on it at ittoolbox site here.

Friday, November 12, 2004

Happy Diwali

Happy Diwali to all my freinds , fella bloggers and all the ppl who hit the site ;)

For those not from India , Diwali is one of the biggest festivals in India also know as the festival of lights and crackers for the kids.

A breif on the diwali celebration in India can be read here and some significance on Diwali here.

Nitin :-).

What kind of blogger are you?

Want to find out? Take this simple Quiz. I liked it.

I was stated as a Link Blogger. Now whatever that means! :D

Below are the results for those who wanna take a shot at the test ;).

You Are a Link Blogger!

Your blog is more about cool links than thougtful posts.
Better to be entertaining and breif than longwinded and boring!

What kind of blogger are you?

Tuesday, November 09, 2004

Sir Andrew Tanenbaum

I guess all of us the so called techies have grown up reading some book or the other by rightfully called Sir Andrew Tanenbaum.

In fact i had read his books on OS and Computer networks during my college days which got my basics cleared.

To those who have not heard of him (Grrrrr) heres his small intro Andrew Tanenbaum, the author of the Minix microkernel. Minix was used by Linus Torvalds as he began to write the Linux operating system.

Here is where i came across his refrence :)

You can read it here

Google sites plagued by phishing opportunities

A young Italian computer scientist has discovered another phishing opportunity on one of Google's web sites. This bug affects the domain, which Google use to serve their text and image based adverts.

The discovery comes only days after a similar bug was found with the Google Desktop search tool. As Google spread their technology over a greater number of application areas, the possibility for error increases; which could explain the recent stream of discoveries as they fall victim to public scrutiny.

The latest cross site scripting opportunity exploits a flaw in the User Feedback section of Google's advertising system. This allows an attacker to inject their own content onto the page, which could lead to fraudulent activity or phishing. An attacker can exploit this vulnerability to affect any browser which has JavaScript enabled, including Microsoft Internet Explorer and Mozilla Firefox.

Everyone makes mistakes as the increase integration products to why blame Microsoft ;)

This was pointed out by netcraft and more about it can be found here.

Coming soon the DNS architecture for mailing system

Will be posting on the DNS setup for mails and much more as time permits in my Diwali Vacations. :)

Till then work easy and work Smart


sed 's/e/a/g' my-grammer

FireFox 1.0 Released Finally

Hey Folks, November 9 has arrived and with it comes Firefox 1.0. According to its home page, Firefox empowers you to browse faster, more safely, and more efficiently than with any other browser. I'm New Here, but this Firefox does sound very promising!

I was early to get a preview thanks to the bandwidth at my disposal ;)

To all who cannot reach the moxilla website here is a direct link to my downlaod the most awaited browser here

Here is the snapshot of the about page just in case :))

OpenSSL, Groff: Insecure tempfile handling Venurability

OpenSSL is a part of every Sysad's life.

Here is a venurability that Gentoo Linux has published in case you use the Groff util.

groffer, included in the Groff package, and the der_chop script, included in the OpenSSL package, are both vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.

OpenSSL is a toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols as well as a general-purpose cryptography library. It includes the der_chop script, which is used to convert DER-encoded certificates to PEM format. Groff (GNU Troff) is a typesetting package which reads plain text mixed with formatting commands and produces formatted output. It includes groffer, a command used to display groff files and man pages on X and tty.

Groffer and der_chop script creat files in world writable dir with predictable names.

So if u are a *root* user the attacker could create symlinks and modify files with your permissions.

Gentoo advices to upgrade the Groffer package and OpenSSL package

Upgrade Gropher

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/groff-1.19.1-r2"

Upgrade OpenSSL

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.7d-r2"

The venurability listing can be found here.

How to redirect an HTTP connection to HTTPS for Outlook Web Access clients

A lot of companies in India or i would say big time corporates use the Microsoft Exchange server for their in-house mail services.

The big issue is that when the excutives have to check mail outside the company they are stumped cause they cannot use their Microsoft Outlook as they would generally do so in the Office and the reson for this is the ports are not opened due to security reasons. A solution to this would be to use the RSA token to get the person on VPN

The other way is to use the outlook web based interface.

I found a good how-to while surfing the Microsoft website on how to use the connection with SSL rather than on port 80.

You can access it at Microsoft Site here

[OT] Microsoft pays $ 536 million to Novell

Wow this is interesting. In an out of court settlement Redmond based software gaint Microsoft paid Utah based Linux giant Novell USD 536 million to fend off the anti trust case filed by Novell related to Novell's NetWare operating system.

Microsoft has been paying big bucks to companies in out of court settlements to shun away those big business tricks they do to kill other competing products.

According to a Novell press release, today's settlement is "related to Novell's NetWare operating system". It's actually around a specific product, NDS for Windows NT, which Novell introduced several years ago, and which Microsoft effectively killed. NDS for NT was a gateway that allowed users to keep password and user management on their existing Novell servers. When Microsoft introduced cryptographic signing of key system DLLs in Windows 2000, which it says it did for security reasons, it was no longer possible for Novell to maintain the product.

You can read more on it at

Friday, November 05, 2004

libxml2 Venurability

This for my Developer friends.


libxml2 contains multiple buffer overflows which could lead to the execution of arbitrary code.

Impact Information


libxml2 is an XML parsing library written in C.


Multiple buffer overflows have been detected in the nanoftp and nanohttp modules. These modules are responsible for parsing URLs with ftp information, and resolving names via DNS.


An attacker could exploit an application that uses libxml2 by forcing it to parse a specially-crafted XML file, potentially causing remote execution of arbitrary code.

Resolution Information


There is no known workaround at this time.


All libxml2 users should upgrade to the latest version:

If you are using Gentoo you can do it like

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.6.15"

This venurability was posted by Gentoo at Gentoo Linux Security Advisory

Coming back to setting MX records in DNS for mail server

A quick look at the MX records for one of the websites say

redhat guys if you find the info here i cannot post pls dunn feel offended and mail me and i will remove it from here :)

Server: Mydns.server
Address: A.B.C.D

> set querytype=MX
Server: Mydns.server
Address: A.B.C.D

Non-authoritative answer: MX preference = 10, mail exchanger = MX preference = 20, mail exchanger = MX preference = 10, mail exchanger = nameserver = nameserver = nameserver = internet address = internet address = internet address = internet address = internet address = internet address =

Redhat uses 3 MX records namely (Priority 10) (Priority 20) (Priority 10)

You can read their IP's in the DNS O/P above.

Any smtp deamon would first try and contact the mail server with a lower priority and then if it is not available a mail server with higher priority.

You can also do a DNS Round robin for other each MX record.

If there are MX records of equal priority then it is upto the smtp server to pick up on one of the records, there is no rule for this selection of atleast i know in the config files. :)

Next time on i will try and make a Dummy company ABC chemicals and then post a dummy snip from its .zone file for MX records.

Have a great weekend and remember dunn work the weekend.

Nitin :)

Linux cluster companies attract new funds

Reflecting the growing popularity of Linux clusters for high-performance technical computing, two specialists have garnered new investments.

San Francisco-based Penguin Computing raised $10 million, while Linux Networx in Salt Lake City received a $40 million investment. Both companies will use the funds to develop new technology and expand into new markets, they said in announcements Thursday.

Both companies specialize in groups of lower-end Linux servers linked into a high-performance computing cluster. The technology is gaining prominence in industry, academia and government labs, and clusters accounted for nearly half the entries on the most recent list of the world's 500 fastest computers.

Oak Investment Partners led Linux Networx' investment round and new investor Tudor Ventures participated. Ed Glassmeyer, Oak's founding general partner, will join the company's board.

You can read more on it here

Tuesday, November 02, 2004

Tweaking the DNS to suit your MTA requirements

Hi everyone and Good Morning to the ppl living on this part of the world.

COuld not post yesterday been a lot busssyyyy.

A lot off people ask me whether i have set up sendmail , qmail , Cyrus IMAPD, but no one has got an answer to the question that after i set up any of the following services how would the world or say any other mta in the world know that i have a mail server sitting at IP a.b.c.d to aceept mails for my domain say

This is done through the use of MX records in the zone file of your public DNS server.

Another qusetion is if my mail server is down how would i receive mails . Can i specify a back for it.

The answer is yes you can do that by giving priorities in the MX records.

Last but not the least if i have no MX records in my files would the mails still reach me.

YES in most MTA's if they do not find a MX record they will assume that the IP for the domain is same as the mail server IP.

Will soon be posting snippets from the file as to how to put entries for the MX records.

Till then happy and smart and cool working ;)

Nitin :)

Monday, November 01, 2004

Next Series of Posts on MTA's function

Next series of posts would be on functioning of mta and picking up qmail in detail and then try and slowly move on to antispam etc. My major source of qmail knowledge come form website.

The first post should come in by tonight.

Till then take care and work smart and easyyyy.....

Nitin :-).