Friday, May 25, 2012

Remove backdoor



>netstat -ao   (locate connections to an unknown address, for example ovh.net, and note the PID column)

>taskkill /pid <PID>   (the PID found by netstat)

Remove its startup entry from the registry with regedit.

Additionally, if your clock doesn't work:
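The same triage in PowerShell, as an added example that is not part of the original post: it reports the process behind each established outbound connection (with a reverse lookup so names like ovh.net show up, as in netstat -a) and lists the Run/RunOnce autorun entries that regedit would be used to clean, without killing or deleting anything. It assumes Windows 8 / PowerShell 3 or later for Get-NetTCPConnection (on XP stay with netstat -ao), and the $KnownHosts allow-list is a constructed placeholder.

```powershell
# Added triage helper: report only, nothing is killed or removed.
# Run from an elevated prompt so every process is visible.
$KnownHosts = @('microsoft.com', 'windowsupdate.com')   # constructed allow-list, adjust to your environment

function Get-SuspiciousConnections {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            # Reverse lookup; fall back to the raw address when it fails
            $name = $conn.RemoteAddress
            try { $name = [System.Net.Dns]::GetHostEntry($conn.RemoteAddress).HostName } catch { }
            $known = $false
            foreach ($h in $KnownHosts) { if ($name -like "*$h") { $known = $true } }
            [pscustomobject]@{
                Pid        = $conn.OwningProcess
                Process    = $proc.ProcessName
                Path       = $proc.Path
                Remote     = "$($conn.RemoteAddress):$($conn.RemotePort)"
                RemoteHost = $name
                Known      = $known
            }
        } | Where-Object { -not $_.Known }
}

# Autorun keys a backdoor typically uses to come back after taskkill;
# inspect these before deleting anything in regedit.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-ItemProperty -Path $k
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds
            if ($p.Name -notmatch '^PS') {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Get-SuspiciousConnections | Format-Table -AutoSize
Get-RunKeyEntries | Format-Table -AutoSize
```

Match the PID and executable path from the first table against the Command column of the second before using taskkill and regedit as described above.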

net stop w32time
w32tm /unregister [ignore error message]
w32tm /unregister [enter a second time]
w32tm /register
reg add hklm\system\currentcontrolset\services\w32time\parameters\ /v NtpServer /t reg_sz /d time.nist.gov /f
net start w32time
w32tm /resync

The default polling interval for updating the clock is only once every 7 days. This is why the clock drifts by so much (seconds, if not many minutes) until the 7th day, when it automatically updates again. Only then is the clock accurate, and it immediately starts drifting again until the next update 7 days later. The sources used for updating the clock are extremely accurate (NIST = National Institute of Standards and Technology); the problem is that the clock isn't synced often enough. Here's the fix:

On the XP system change the update (polling time) intervals by doing the following:

1. Type "regedit" in Run, located in Start.
2. Navigate to the following key in the left pane:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient
3. In the right pane, double-click the entry called SpecialPollInterval.
4. In the Base section of the Edit DWORD Value dialog box, click the Decimal option button.
5. Enter the desired interval in seconds (3600 = 1 hour, 1800 = 30 minutes, 86400 = 24 hours, and so forth).
6. Click OK and close the registry editor.


(Originally set at 604,800 seconds, which equals 7 days, or once every week. I have set mine to 1,800 seconds, which updates my clock once every 30 minutes. My clock is never more than a few seconds off...)

Linux get quota by folder



If you get "Disk quota exceeded", you probably want to know which of your folders is responsible. This counts the files under each top-level folder, fewest first:

$find . -type f | cut -d "/" -f 2 | sort | uniq -c | sort -n


$du
$df

work too.

references:
[1] http://www.codecoffee.com/tipsforlinux/articles/22.html

Wednesday, May 16, 2012

Making a sniffer using libpcap

[0] http://www.tcpdump.org/pcap.html
[1] http://www.joshuarobinson.net/docs/libpcap_offline.html
[2] http://yuba.stanford.edu/~casado/pcap/section1.html
[3] http://www.winpcap.org/docs/docs_40_2/html/group__wpcapsamps.html
[4] http://www.linuxquestions.org/questions/programming-9/undefined-reference-to-functions-from-pcap-h-319252/

Packet samples
[5] http://wiki.wireshark.org/SampleCaptures

Tutorial how-to
[1] http://www.linuxforu.com/2011/02/capturing-packets-c-program-libpcap/

More
http://www.tcpdump.org/pcap.html
http://networksecurity.org.ua/0596007949/networkst-chp-10-sect-2.html
http://www.tcpdump.org/pcap/pcap.html
http://commons.oreilly.com/wiki/index.php/Network_Security_Tools/Modifying_and_Hacking_Security_Tools/Writing_Network_Sniffers
http://eecs.wsu.edu/~sshaikot/docs/lbpcap/
http://www.eecis.udel.edu/~sunshine/expcs/code/pcap_packet_read.c

Source:
[1] http://code.google.com/p/chengchuntu1/source/checkout
[2] http://sock-raw.org/papers/syn_scanner

Ubuntu Forward port 80

  #!/bin/bash
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8069
  iptables -t nat -A PREROUTING -i eth0 -p tc...