<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<atom:link href="http://www.claudiokuenzler.com/rss.xml" rel="self" type="application/rss+xml" />
<title>ck - Blog on claudiokuenzler.com</title>
<link>http://www.claudiokuenzler.com</link>
<description>Online portfolio of Claudio Kuenzler</description>
<language>en-en</language>
<image>
<url>http://www.claudiokuenzler.com/graph/content/rss.png</url>
<title>ck - Blog on claudiokuenzler.com</title>
<link>http://www.claudiokuenzler.com</link>
</image>
	<item>
	<title>Upgrade of VPS server (Xen) from Debian Lenny to Squeeze (MySQL problems)</title>
	<link>http://www.claudiokuenzler.com/blog/229/debian-upgrade-lenny-to-squeeze-virtual-vps-server-xen-mysql-problems</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/229/debian-upgrade-lenny-to-squeeze-virtual-vps-server-xen-mysql-problems</guid>
	<description>As it was announced on December 6th 2011, support for Debian Lenny will end on February 6th 2012. This means, no future updates will be released for Lenny systems. Time to upgrade. 
  The affected machine is a virtual machine (VPS) running as a Xen guest. Installed services are Apache2, MySQL, Nagios (compiled from source), PHP (compiled from source), OTRS (from source). 
  Will everything go smooth? I was especially worried about the kernel part, as Xen guests have their kernel pushed from the Xen host. In the Debian Upgrade Guide it is mentioned to upgrade the kernel manually BEFORE having the automatic apt-get script updating udev...  
  I will show my upgrade steps, based on the official Debian upgrading steps, and also what I did in case of problems. 
  1. Stop services. Nothing to comment here... 
  2. Backup! This is strongly encouraged. I backed up everything into /home/backup. Why? As mentioned in the Debian documentation, the /home directories won't be touched by the upgrade script. The backup of /etc/ is very important. Besides that, applications and user data should be backed up as well (e.g. dump of database otrs in my case). 
  3. Verify that the system is up to date and that no packages are on hold. This would break the upgrade process. You can verify this by launching aptitude in the interactive mode and hitting the key 'g'. If you get the message 'No packages are scheduled to be installed, removed, or upgraded.', then you're good to go. To check the system for...</description>
	<pubDate>Sat, 04 Feb 2012 18:40:10 +0100</pubDate>
	</item>
	
	<item>
	<title>Monitor Windows remote connections (RDP or ICA)</title>
	<link>http://www.claudiokuenzler.com/blog/228/how-to-monitor-windows-citrix-active-disconnected-remote-sessions</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/228/how-to-monitor-windows-citrix-active-disconnected-remote-sessions</guid>
	<description>On Terminal Servers or Citrix servers the remote connection sessions are inevitably important. Therefore it is strongly recommended to monitor the number of sessions, not only for licensing purposes but also to be aware when users don't log off their sessions correctly (and for other reasons of course). 
  To monitor the current active sessions, there is already a plugin for Nagios which is called 'Count number of terminal server sessions'. This plugin (actually a Windows batch file) uses the command 'query session' to find users which have an active RDP-Session (found by rdp-tcp#).  
  Unfortunately, this plugin doesn't output performance data and every Nagios administrator loves the graphs. But don't worry, it's very easy to add this. Another piece of information I wanted to get from the plugin was not only the number of active connections, but also the number of disconnected sessions. Citrix admins might know that problem.... As I mentioned, the plugin looks by default for the sessions with 'rdp-tcp#' mentioned. By changing this to 'ica-tcp#', Citrix sessions can be found as well.  
  So here we go, this is the modified plugin: 
  @ECHO OFF
  SET /a COUNTA=0
  SET /a COUNTD=0
  FOR /f "TOKENS=1 DELIMS= " %%G IN ('query session ^|find "ica-tcp#"') DO SET /a COUNTA+=1
  FOR /f "TOKENS=1 DELIMS= " %%G IN ('query session ^|find "Disc"') DO SET /a COUNTD+=1
  ECHO Active sessions = %COUNTA%, Disconnected Sessions = %COUNTD%...</description>
	<pubDate>Tue, 31 Jan 2012 12:41:46 +0100</pubDate>
	</item>
	
	<item>
	<title>Joomla CMS hacks by using vulnerability in com_fabrik</title>
	<link>http://www.claudiokuenzler.com/blog/227/joomla-site-hacked-com_fabrik-file-upload-php-shell</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/227/joomla-site-hacked-com_fabrik-file-upload-php-shell</guid>
	<description>This month I've already had two cases where a Joomla website has been attacked and hacked. 
  A security vulnerability was used to upload a PHP shell, which was then used to upload complete fake websites. These fake websites then turned out to be phishing websites (what else...).
  This PayPal phishing website has been uploaded through a PHP shell which itself was uploaded through a vulnerability in the Joomla module com_fabrik
  But how did the hacker upload the PHP shell?  
  After checking and comparing both hack attempts, two conclusions could be made:
  - The hack-attack was automated; both logs showed the EXACT same way of uploading the PHP shell, just from different IP addresses.
  - The vulnerability must come from a module called com_fabrik, which allows uploading CSV files. A forged CSV file must have been uploaded or the upload form was 'tricked' to upload a non-csv file. 
  Here are some lines from the log: 
  
  41.233.160.99 - - [02/Jan/2012:01:27:31 +0100] "GET /index.php?option=com_fabrik&amp;c=import&amp;view=import&amp;filetype=csv&amp;tableid=1 HTTP/1.1" 200 9297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

41.233.160.99 - - [02/Jan/2012:01:27:50 +0100] "POST /index.php?option=com_fabrik HTTP/1.1" 303 - "http://www.example.com/...</description>
	<pubDate>Thu, 26 Jan 2012 15:58:45 +0100</pubDate>
	</item>
	
	<item>
	<title>Performance data added to volumes check in check_equallogic</title>
	<link>http://www.claudiokuenzler.com/blog/226/performance-data-added-to-volumes-check-equallogic</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/226/performance-data-added-to-volumes-check-equallogic</guid>
	<description>Another update has been made on the Nagios/Monitoring plugin/script check_equallogic.  
  The volume names no longer show up with quotes in the output ("vol1" now appears simply as vol1) and performance data was added to the output, so graphs can be created for all discovered volumes.  
  As always, feedback is welcome!...</description>
	<pubDate>Wed, 25 Jan 2012 15:33:44 +0100</pubDate>
	</item>
	
	<item>
	<title>Bugfix in check_equallogic (volumes check)</title>
	<link>http://www.claudiokuenzler.com/blog/225/check_equallogic-bugfix-in-volumes-check</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/225/check_equallogic-bugfix-in-volumes-check</guid>
	<description>There has been a small bugfix in the Nagios/Monitoring plugin check_equallogic. The 'volumes' check had an error in the logic for handling the volumes once the system volumes were successfully ignored. This could cause some volumes not to be taken into account in the output.
  The new version (20120123) has fixed this issue. Please use the newest version from now on. Existing versions should be replaced. Thanks to Laurent Colonges for his patience and for the tests with the new version....</description>
	<pubDate>Mon, 23 Jan 2012 12:59:16 +0100</pubDate>
	</item>
	
	<item>
	<title>Nagios plugin check_procs misses perfdata and how you can add it</title>
	<link>http://www.claudiokuenzler.com/blog/224/nagios-plugin-check_procs-add-performance-data-perfdata-output-nagiosgraph</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/224/nagios-plugin-check_procs-add-performance-data-perfdata-output-nagiosgraph</guid>
	<description>To my very big surprise one of the oldest original Nagios plugins (check_procs) doesn't seem to have performance data integrated in the output.  
  Here's a typical launch of the plugin on the command line, done with two different versions: 
  # ./check_procs --version
  check_procs v2019 (nagios-plugins 1.4.13)
  # ./check_procs -w 150 -c 300
  PROCS OK: 97 processes
  # ./check_procs --version
  check_procs v1.4.15 (nagios-plugins 1.4.15)
  # ./check_procs -w 150 -c 300
  PROCS OK: 110 processes 
  Neither of them shows the perfdata, which follows a pipe character (|) after the output. To create graphics with Nagiosgraph, at least some output in the perfdata 'field' is necessary.  
  A quick search on the Nagios Plugin SourceForge page shows that several patches have already been supplied to add perfdata to this plugin. The first was submitted in 2005, the newest as of now just a month ago in December 2011. But bummer, they never made it into the plugin. So that means that the good Nagios admin has to take matters into his own hands. I will now show you in a step-by-step tutorial how you can enable perfdata yourself, and this is very easy, believe me! 
  1. First download the Nagios plugin source file from the SourceForge website. 
  2. Untar/Unzip the file, I'm doing this in /tmp: 
  /tmp # tar -xzf nagios-plugins-1.4.15.tar.gz 
  3. Change dir into the newly created folder: 
  /tmp # cd nagios-plugins-1.4.15 
  4. Open the check_procs source file which is called 'check_procs.c' an...</description>
	<pubDate>Wed, 18 Jan 2012 16:54:09 +0100</pubDate>
	</item>
	
	<item>
	<title>Current project: Website for political candidate</title>
	<link>http://www.claudiokuenzler.com/blog/223/project-new-website-election-frischer-wind-im-thurgau</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/223/project-new-website-election-frischer-wind-im-thurgau</guid>
	<description>I'm currently working on a new website for my father, who will be a candidate for the local parliament in the canton (state) of Thurgau in Switzerland. The main goal is to deliver some basic information of the political views and ideas but it shouldn't be a "boring" website with tons of text which nobody's gonna read.  
  We came up with the idea of using a dynamic Gallery Slideshow which doesn't require Flash, so it will also be working on mobile devices. This way impressions can be given to the visitor through pictures and some text as descriptions. The technical solution for this gallery is a JavaScript solution called fadeslideshow. 
    
  The gallery doesn't need interaction, automatically changes pictures (fade-effect) and shows an embedded description in a layer above the image.  
  Here are two other pictures showing the general design of the website and the navigation, which uses CSS3 for the effects: 
    
  The website will be available soon on http://www.frischer-wind-im-thurgau.ch. ...</description>
	<pubDate>Sat, 14 Jan 2012 16:34:26 +0100</pubDate>
	</item>
	
	<item>
	<title>Minor update of check_equallogic (info and temp check)</title>
	<link>http://www.claudiokuenzler.com/blog/222/bugfix-in-check_equallogic-temp-info-one-controller</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/222/bugfix-in-check_equallogic-temp-info-one-controller</guid>
	<description>A new version of the monitoring plugin check_equallogic was released yesterday. Two bugs were fixed in the 'temp' and 'info' checks which occurred if only one controller was working (discovered by Laurent Colonges). 
  The new version (20120104) has been available for download on the plugin page since yesterday evening. ...</description>
	<pubDate>Thu, 05 Jan 2012 11:47:51 +0100</pubDate>
	</item>
	
	<item>
	<title>How to solve locale error: perl: warning: Setting locale failed.</title>
	<link>http://www.claudiokuenzler.com/blog/221/perl-warning-setting-locale-failed-check-locale-settings</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/221/perl-warning-setting-locale-failed-check-locale-settings</guid>
	<description>On a Debian Lenny server I changed the default locale from en_US.UTF-8 to en_US.ISO-8859-15 to be able to edit some files with European Umlauts. 
  The setting has changed on the fly and I was able to view and edit such files perfectly with vim. But some scripts couldn't find that new locale, as they showed perl errors like this: 
  perl: warning: Setting locale failed.
  perl: warning: Please check that your locale settings:
          LANGUAGE = (unset),
          LC_ALL = (unset),
          LANG = "en_US.ISO-8859-15"
      are supported and installed on your system.
  perl: warning: Falling back to the standard locale ("C").
  locale: Cannot set LC_CTYPE to default locale: No such file or directory
  locale: Cannot set LC_MESSAGES to default locale: No such file or directory
  locale: Cannot set LC_ALL to default locale: No such file or directory 
  This error comes from the command update-locale and as it points out, the file or directory for the defined locale couldn't be found. 
  It can be resolved by installing the package locales-all (by default only 'locales' is installed) which downloads additional locale files. The command update-locale worked fine just after....</description>
	<pubDate>Mon, 02 Jan 2012 15:38:47 +0100</pubDate>
	</item>
	
	<item>
	<title>Roundcube: PHP Error: Failed to load plugin file on PHP 5.3.8</title>
	<link>http://www.claudiokuenzler.com/blog/220/roundcube-0.7-php-error-failed-to-load-plugin-file-permissions</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/220/roundcube-0.7-php-error-failed-to-load-plugin-file-permissions</guid>
	<description>On a new Roundcube (0.7) installation I recently did, something strange has happened: The defined plugins were not loaded and the error log was full with errors like these:
  PHP Error: Failed to load plugin file /var/www/roundcube/plugins/lang_sel/lang_sel.php in /var/www/roundcube-0.7/program/include/rcube_plugin_api.php on line 196 (GET /)
  PHP Error: Failed to load plugin file /var/www/roundcube/plugins/authenticate_by_confixx_email/authenticate_by_confixx_email.php in /var/www/roundcube-0.7/program/include/rcube_plugin_api.php on line 196 (GET /)
  PHP Error: Failed to load plugin file /var/www/roundcube/plugins/persistent_login/persistent_login.php in /var/www/roundcube-0.7/program/include/rcube_plugin_api.php on line 196 (GET /)
  At the beginning I thought it could be a problem with the path, but it was correct (roundcube is a symlink to roundcube-0.7). Even manually changing the vhost didn't change the problem. Another fact is that I use the exact same installation with the same configuration and plugins on another host, but one which is running on PHP 5.2.x.
  Even googling for this problem didn't turn up any clues; most of the hints were due to wrong paths or include path definitions.
  But then it hit me! Just out of the blue I thought, what the heck, I check the permissions again and look at that:
  /var/www/roundcube/plugins # ll
  total 128K
  drwxr-xr-x 4  501   80 4.0K Dec 22 10:20 acl
  drwxr-xr-x 2  501   80 4.0K De...</description>
	<pubDate>Thu, 29 Dec 2011 14:13:48 +0100</pubDate>
	</item>
	
	<item>
	<title>Minor update of Nagios plugin check_mysql_slavestatus</title>
	<link>http://www.claudiokuenzler.com/blog/219/nagios-check-mysql-slave-replication-io-running</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/219/nagios-check-mysql-slave-replication-io-running</guid>
	<description>Marc Féret informed me (already a while ago) that the Nagios plugin check_mysql_slavestatus, which is used to check the status of MySQL replication, doesn't check the value of 'Slave IO Running'.
  In some circumstances it is possible that 'Slave SQL Running' is set to Yes (which is checked by the plugin) but 'Slave IO Running' is set to No or NULL. To prevent this situation, he contributed another check to the plugin, which does the check for 'Slave IO Running'. 
  The new version (2011122700) has been released. Thanks, Marc!...</description>
	<pubDate>Tue, 27 Dec 2011 13:37:52 +0100</pubDate>
	</item>
	
	<item>
	<title>How to forward USB device to a virtual machine</title>
	<link>http://www.claudiokuenzler.com/blog/218/how-to-forward-usb-devices-over-network-to-virtual-machines</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/218/how-to-forward-usb-devices-over-network-to-virtual-machines</guid>
	<description>In the past weeks I came across several applications which needed a USB dongle as hardware license. The problem with virtualization is that such dongles can't be simply plugged into the physical host - what happens when the machine moves (vmotion)?  
  One of the possible solutions is to forward the USB device via IP. That successfully works with a Digi AnywhereUSB 5, a 5-port USB hub which forwards attached USB devices to one remote host. Yes, only one remote host. And that causes a problem of course. The goal should be to have a USB forwarding machine which can handle different USB devices and forward them to different hosts. 
  Luckily Digi has also a bigger horse in the race: Digi AnywhereUSB/14, a 14-port USB hub: 
   
  This horse eats more (= pricey) but it is much more powerful as well. It has the possibility to define so-called groups to which one or several of the 14 ports can be assigned (image left): 
    
  The software on the remote host (the virtual machine) can then be configured to connect to a defined Group Number (image right). 
   
  As soon as the software then connects to the IP-USB-Hub, it takes ownership of all USB devices attached to the defined group. So far I've tested it with two virtual machines, each accessing one USB device: VM1-&gt;Group1-&gt;Port1, VM2-&gt;Group2-&gt;Port2. Works like a charm! 
  There was one minor issue though. Once the software on the VM successfully connected to the AnywhereUSB device, Windows could...</description>
	<pubDate>Wed, 21 Dec 2011 16:47:34 +0100</pubDate>
	</item>
	
	<item>
	<title>Dell OMSA + ESXi 5.0 is now working!</title>
	<link>http://www.claudiokuenzler.com/blog/217/dell-openmanage-offline-bundle-now-supports-esxi-5.0</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/217/dell-openmanage-offline-bundle-now-supports-esxi-5.0</guid>
	<description>As previously written on November 8th, Dell's Open Manage Offline Bundle didn't work with ESXi 5.0. Symptoms were that not all hardware information was shown in vSphere client and that the Nagios plugin check_esxi_hardware didn't work at all.
  Now this issue is solved. Dell released a new version of the Offline Bundle for ESXi 5.0 (6.5.0-542970) which was installed and tested by fellow check_esxi_hardware plugin users Pascal Saul and Dave Stevens. The plugin works now fine again with this release. Dell also upgraded their tech note on this issue by now using the following words:
  Dell OpenManage Server Administrator agent officially supports vSphere v5.0 / ESXi 5 as of December 2011, starting with OMSA 6.5 A02.
  The new Offline Bundle can be downloaded from the following URL (as of right now, the file couldn't be found on the Dell download website): ftp://ftp.dell.com/FOLDER00197341M/1/OM-SrvAdmin-Dell-Web-6.5.0-542907.VIB-ESX50i_A02.zip...</description>
	<pubDate>Mon, 19 Dec 2011 13:29:07 +0100</pubDate>
	</item>
	
	<item>
	<title>Deprecated PHP Warnings after Confixx upgrade to 3.3.9</title>
	<link>http://www.claudiokuenzler.com/blog/216/confixx-3.3.9-undefined-variable-deprecated-errors-login-fails</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/216/confixx-3.3.9-undefined-variable-deprecated-errors-login-fails</guid>
	<description>I just made a test upgrade of Confixx from version 3.3.8 to 3.3.9. The update itself went smoothly, but as soon as I tried to log in to the Confixx UI, it hit me:
  Notice: Undefined variable: db_link_identifier in /var/www/confixx/html/include/mysql_client_encoding.php on line 13
  Deprecated: Function session_is_registered() is deprecated in /var/www/confixx/html/sessions.inc.php on line 41
  Deprecated: Function session_is_registered() is deprecated in /var/www/confixx/html/sessions.inc.php on line 47
  Deprecated: Function session_is_registered() is deprecated in /var/www/confixx/html/sessions.inc.php on line 52
  Deprecated: Function session_is_registered() is deprecated in /var/www/confixx/html/admin/auth.php on line 151
  Notice: Undefined variable: ret_path in /var/www/confixx/html/admin/auth.php on line 270 
  These errors come from the PHP code of certain Confixx files which use old ways of declaring a variable. To solve these problems, you have to open the following files:
  /var/www/confixx/html/include/class.Mysql.php
  /var/www/confixx/html/admin/auth.ph
  Remove the ampersand (&amp;) sign from all variable declarations:
  = &amp;
  After this change and by setting display_errors to Off, the warnings will disappear and the login will work again....</description>
	<pubDate>Thu, 15 Dec 2011 21:30:13 +0100</pubDate>
	</item>
	
	<item>
	<title>Apache mod comparison: mod_php vs mod_suphp vs mod_fcgid vs mod_fastcgi</title>
	<link>http://www.claudiokuenzler.com/blog/215/Apache2-php-module-compare-speed-performance-comparison-fast-cgi</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/215/Apache2-php-module-compare-speed-performance-comparison-fast-cgi</guid>
	<description>Almost every system admin is aware of the different possibilities how to install PHP. Besides already pre-packaged versions on Linux distros there are even more ways to install PHP from source packages.  
  The biggest discussion on the Internet is whether PHP should be installed as a direct Apache Module (mod_php) or whether it should be launched as a CGI process (php-cgi binary called by an Apache Module). Depending on the importance of the web server or on the personal opinion of another system admin in his blog or in a forum post, the 'perfect' solution varies. I've read hundreds of posts saying that mod_php should not be used for security reasons, but then using PHP with php-cgi as a FastCGI process was said to be slow. Unfortunately I haven't found real proof (in numbers) of all the descriptions, so I decided to run some tests on a new physical machine, without any active websites. This testing took me some weeks, mainly the preparation of the different possibilities of implementing PHP as some of them are rather complex.  
  The testing setup
  The performance of the target web server is checked by using the utility 'httperf', which simulates parallel access of the target website. The target server runs Apache2-mpm-worker.
  The target website is a single PHP page with MySQL connections.
  The target website is accessed with a rate of 50 requests/second which should simulate a real web hosting environment (50 concurrent users). The target server runs PHP 5.3.8, compiled exactly the same wa...</description>
	<pubDate>Sun, 04 Dec 2011 14:26:48 +0100</pubDate>
	</item>
	
	<item>
	<title>EOL of my SIMM</title>
	<link>http://www.claudiokuenzler.com/blog/214/end-of-life-of-simm-card-unable-to-connect-to-network-milestone</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/214/end-of-life-of-simm-card-unable-to-connect-to-network-milestone</guid>
	<description>I've been asking myself the same question over the last years: Does this chip last forever? 
   
  Since yesterday, November 30th 2011, I have certainty: No.  
  My SIMM card, received on July 27th 2002, died yesterday after a long life of 9 years, 4 months and 5 days or 3414 days. It lasted four different mobile phones and was in use every day since. 
  Unfortunately new Smartphones (here my Motorola Milestone running Android Gingerbread) don't seem to find defects in SIMM cards. The only hint was given to me by suddenly losing network connectivity and messages like "unable to connect to network". So at the beginning I thought my phone (the software) had a problem: 
    
  But fortunately there is older technology available. I still have the original phone I received together with the SIMM card (a Sony Ericsson T68i) and here the SIMM failure is clearly shown on the display: 
     
  Anyhow, it's impressive how long it lasted. ...</description>
	<pubDate>Thu, 01 Dec 2011 12:18:41 +0100</pubDate>
	</item>
	
	<item>
	<title>Another bugfix in check_KAV.bat</title>
	<link>http://www.claudiokuenzler.com/blog/213/bugfix-in-check_kav.bat-mulitple-checks-being-used-by-another-process</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/213/bugfix-in-check_kav.bat-mulitple-checks-being-used-by-another-process</guid>
	<description>If there are multiple checks which check_KAV.bat has to handle at the same time, the batch file will fail, because the temporary files are already opened by another process. The following error is in such cases shown as Nagios output: 
  The process cannot access the file because it is being used by another process.  
  I've made a small bugfix so multiple checks can be done at the same time:
    
    
  The modified batch file can be downloaded here -&gt; check_KAV_sqlinst.bat....</description>
	<pubDate>Tue, 29 Nov 2011 09:06:29 +0100</pubDate>
	</item>
	
	<item>
	<title>Check Kaspersky Server License Expiration with Nagios</title>
	<link>http://www.claudiokuenzler.com/blog/212/nagios-check-Kaspersky-Server-License-Windows-Server-SQL</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/212/nagios-check-Kaspersky-Server-License-Windows-Server-SQL</guid>
	<description>On Nagios Exchange there's a cool plugin which can be launched on the Kaspersky Server to check for several things, for example the expiration date of the license: check_KAV.bat by Olivier Mazan. There is only one problem: It doesn't work. Note: It didn't work under a Windows 2003 Server (32bit) with SQL Express 2005 and special instance name. Maybe the original script, which was written back in 2009, worked then and maybe under another environment. 
  Let's start the troubleshooting! Ready? Go! 
  Round 1  
  The batch script, once defined in NSClient++ was launched from the Nagios server by using check_nrpe. First argument is the number 6 (check license). In the NSClient++ command definition I hard coded the very first argument which is usually the hostname to check, I set the same host (kavserver): 
  /usr/local/nagios/libexec # ./check_nrpe -H kavserver -t 30 -c check_kav -a 6 7 14
  Licence has expired
  KAV - Expiration Time : ve/at/SQL  at Client]LCRITICAL 
  As one can see, the plugin outputs strange information. Looks like Windows batch is trying to tell 'verify at SQL at Client' .... 
  What actually happens in the batch file is the following command (taking into account all the variables for the specific check): 
  C:\&gt;OSQL -E -Q "SELECT tmExpirationTime FROM KAV.dbo.apphostskeys,KAV.dbo.hosts"
  [SQL Native Client]Named Pipes Provider: Could not open a connection to SQL Server [2].
  [SQL Native Client]Login timeout expired
  [SQL Native Clien...</description>
	<pubDate>Mon, 28 Nov 2011 15:45:09 +0100</pubDate>
	</item>
	
	<item>
	<title>How to read and write an NTFS external disk on a MAC OS X</title>
	<link>http://www.claudiokuenzler.com/blog/211/mac-os-x-snow-leopard-ntfs-read-write-external-disk</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/211/mac-os-x-snow-leopard-ntfs-read-write-external-disk</guid>
	<description>Note: This has been successfully tested on a Mac OS X 10.6.8 (Snow Leopard).  
  Mac OS X doesn't detect NTFS formatted external disks by default. However, it is possible to install some (open source) drivers to read the content of an external disk, and it's even possible to write on an NTFS partition! 
  First you need to install MacFUSE: http://code.google.com/p/macfuse/downloads/list 
  Second you need to install Tuxera NTFS for Mac: http://www.tuxera.com/products/tuxera-ntfs-for-mac/ 
   After a reboot, the attached external disk (NTFS formatted) will be detected by your Mac and it is even possible to write data on it....</description>
	<pubDate>Sat, 26 Nov 2011 00:03:20 +0100</pubDate>
	</item>
	
	<item>
	<title>check_esx3.pl Nagios plugin error (Server version unavailable)</title>
	<link>http://www.claudiokuenzler.com/blog/210/check_esx3.pl-error-server-version-unavailable-lwp-ssl</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/210/check_esx3.pl-error-server-version-unavailable-lwp-ssl</guid>
	<description>For years now I've been using OP5's great plugin 'check_esx3.pl' which makes use of the VMware vSphere Perl API to check ESX/i servers. Now I've set it up on a completely new Nagios system and also with the newest vSphere Perl API (version 5.0 build 422456). The installation of the API requires a lot of Perl modules to be pre-installed, some in a newer version than the one already installed on the OS (here SLES11SP1).  
  Once all requirements and the API were installed, I launched the plugin to see the following error: 
  /usr/local/nagios/libexec # ./check_esx3.pl -H MYESX -u MYUSER -p MYPASS -l cpu -s usage
  CHECK_ESX3.PL CRITICAL - Server version unavailable at 'https://MYESX:443/sdk/vimService.wsdl' at /usr/lib/perl5/5.10.0/VMware/VICommon.pm line 545. 
  At the beginning I thought there might be a compatibility problem between the Perl API 5.0 and the ESX server which runs on 4.1, but after a short research, the problem comes from the Perl module LWP, as MWalker describes it on this page. The solution to this problem is to add a parameter to check_esx3.pl to tell LWP that the self-signed SSL certificate (as they are by default on ESX/i servers) can be ignored (this disables LWP's certificate hostname verification for the plugin): 
  #!/usr/bin/perl -w
  $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
  #
  # Nagios plugin to monitor vmware esx servers
  #
  # License: GPL 
  Right after saving the modification, the plugin ran fine: 
  /usr/local/nagios/libexec # ./check_esx3.pl -H MYESX -u MYUSER -p MYPASS -l cpu -s usage
  CHECK_ESX3.PL OK - cpu usage=9.02 % | cpu_u...</description>
	<pubDate>Fri, 25 Nov 2011 11:39:18 +0100</pubDate>
	</item>
	
	<item>
	<title>New Nagios plugin: check_win_net_usage</title>
	<link>http://www.claudiokuenzler.com/blog/209/nagios-plugin-to-check-windows-network-usage-traffic-bandwidth</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/209/nagios-plugin-to-check-windows-network-usage-traffic-bandwidth</guid>
	<description>As previously already mentioned, I was working on a new plugin to monitor Windows network usage/traffic/bandwidth. Well, actually it is more a wrapper than a plugin because it makes use of check_nt, which itself is already a plugin. 
  The main purpose of check_win_net_usage is certainly to be able to create graphics where incoming and outgoing network traffic are shown (in one and the same graph).
  More details, documentation and download can be found on the page of check_win_net_usage. ...</description>
	<pubDate>Tue, 22 Nov 2011 19:57:01 +0100</pubDate>
	</item>
	
	<item>
	<title>SLES11SP1 asks for db-devel - but there isn't any</title>
	<link>http://www.claudiokuenzler.com/blog/208/sles11-failed-dependency-install-db-devel-missing-not-found-rpm</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/208/sles11-failed-dependency-install-db-devel-missing-not-found-rpm</guid>
	<description>If one wants to install the package apache2-devel on a SLES 11 SP1 machine, SLES will ask you for a dependency called 'db-devel':
  /tmp/apache # rpm -ivh *
  error: Failed dependencies:
          db-devel is needed by libapr-util1-devel-1.3.4-12.20.2.x86_64
          libexpat-devel is needed by libapr-util1-devel-1.3.4-12.20.2.x86_64
  There is just one problem though: there is no rpm with that name (at least not in SLES11; in older versions it existed)!
  Well, the problem is quickly solved once one knows what 'db' stands for: it is short for Berkeley DB, which in SLES11 received a new name: libdb-4_5-devel.
  # rpm -ivh libdb-4_5-devel-4.5.20-95.39.x86_64.rpm
  Preparing...                ########################################### [100%]
     1:libdb-4_5-devel        ########################################### [100%] 
  Once libdb-*-devel and libexpat-devel were installed, the apache packages (including apache2-devel) were successfully installed....</description>
	<pubDate>Mon, 21 Nov 2011 16:48:59 +0100</pubDate>
	</item>
	
	<item>
	<title>How to monitor Windows network traffic with Nagios</title>
	<link>http://www.claudiokuenzler.com/blog/207/windows-network-traffic-monitoring-with-nagios</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/207/windows-network-traffic-monitoring-with-nagios</guid>
	<description>Today I was looking for a method to monitor the incoming and outgoing traffic on Windows servers with Nagios. An online search didn't find a lot of information or existing solutions so I dug into the documentation of NSClient++ (which is my favorite add-on to monitor Windows hosts in Nagios) and the following solution does the job: 
  /usr/local/nagios/libexec # ./check_nt -H mywindows -p 12489 -v COUNTER -l "\\Network Interface(VMware Accelerated AMD PCNet Adapter)\\Bytes Received/sec","Bytes_in/s %0.f"
  Bytes_in/s 10164 | 'Bytes_in/s %0.f'=10163.700000%;0.000000;0.000000; 
  Important here is to understand how this works. I'll try to explain, so read carefully: 
  That we use the COUNTER check option of NSClient++ is obvious (-v COUNTER), but the important part comes now. The COUNTER check queries the internal Windows performance counters to get their current value. There are a lot of them, but what we're interested in is the performance object called 'Network Interface'.  
  COUNTER -l "\\Network Interface  
  It is important to select the correct network interface. Every existing interface on the server is represented as an 'instance'. If you don't know the instance/interface name of your network interface, take a look at the HINT section below. An instance can be selected by putting it into brackets right after the performance object: 
  COUNTER -l "\\Network Interface(VMware Accelerated AMD PCNet Adapter) 
  The next ...</description>
	<pubDate>Wed, 16 Nov 2011 16:06:16 +0100</pubDate>
	</item>
	
	<item>
	<title>Update on the timthumb Wordpress hack - it happened again!</title>
	<link>http://www.claudiokuenzler.com/blog/206/another-timthumb-wordpress-hack-external-upload-httpd-process</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/206/another-timthumb-wordpress-hack-external-upload-httpd-process</guid>
	<description>I already wrote an article this week about the timthumb.php vulnerability which allows hackers to upload and execute files via Wordpress blogs. 
  Last time the hack took me by surprise; this time I was prepared. I set up special monitoring for new processes, and tonight the trap worked. At 20:06 a fake process was launched by www-data: 
  # ps auxf | grep www
  root     16995  0.0  0.0  87856   716 pts/0    S+   21:00   0:00                      \_ grep www
  www-data  7170  0.0  0.9 225316 40088 ?        S    14:06   0:00  \_ /usr/sbin/apache2 -k start
  www-data 29483 14.5 10.4 1049984 419648 ?      Sl   17:37  29:36  \_ /usr/sbin/apache2 -k start
  www-data  2594 14.3  9.0 1022848 366568 ?      Sl   18:30  21:24  \_ /usr/sbin/apache2 -k start
  www-data  6318 11.5  9.0 1088992 364764 ?      Sl   19:13  12:19  \_ /usr/sbin/ap...</description>
	<pubDate>Sat, 12 Nov 2011 23:57:27 +0100</pubDate>
	</item>
	
	<item>
	<title>Wordpress timthumb hack - a short story</title>
	<link>http://www.claudiokuenzler.com/blog/205/wordpress-timthumb-hack-vulnerability</link>
	<guid isPermaLink="true">http://www.claudiokuenzler.com/blog/205/wordpress-timthumb-hack-vulnerability</guid>
	<description>And the cat and mouse game goes on and on... As I already wrote in another post 'On a hacker's trail', it's always the same story: Admin (tries) to secure system as much as possible, hackers (might) come in, admin finds hacker and fixes vulnerability, hackers (might) find other vulnerabilities.... and so on. At least it keeps me busy ;-). 
  This time I stumbled over a Wordpress hack which has been known since August 2011 (I found that information after some research). The first hint was an exceptionally high number of POST entries in the access log file of a virtual host. So I checked which files had been created via browser (and therefore with the uid of Apache): 
  # for file in $(find . -user www-data | grep .php)
  > do
  > ls -l $file
  > done
  -rw-r--r-- 1 www-data www-data 431 2011-08-06 10:41 ./critics/wp-admin/upd.php
  -rw-r--r-- 1 www-data www-data 4 2011-08-05 17:45 ./critics/wp-content/themes/InReview/cache/external_9cb702aa084691e66c789c1e98d6233a.php
  -rw-r--r-- 1 www-data www-data 431 2011-08-06 10:41 ./critics/wp-content/upd.php
  -rw-r--r-- 1 www-data www-data 1.6K 2011-08-21 19:39 ./photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php
  -rw-r--r-- 1 www-data www-data 887 2011-10-07 20:04 ./photo/wp-content/themes/DeepFocus/cache/a31844cea72ed6c9f90b56b039bbf3f5.php
  -rw-r--r-- 1 www-data www-data 15K 2011-07-20 10:59 ./photo/wp-content/w3-total-cache-config.php 
  There were some more files but I left out session files. 
  After taking a closer look at some...</description>
	<pubDate>Wed, 09 Nov 2011 19:50:44 +0100</pubDate>
	</item>
	
</channel>
</rss>

