
There's been a lot of talk about how to properly install SSL certificates on a Subsonic Media Server. Here's the best way (if you're running Ubuntu):

Stop the Subsonic service if it’s running.

service subsonic stop

Concatenate the issued certificate with the bundled intermediate and root certificates, leaf certificate first (the order matters, and use > rather than >> so a stale chain file is not appended to):

cat commercial.crt gd_bundle.crt > cert-chain.txt

Put everything (including your private key) into a PKCS12 file. openssl prompts for an export password; use subsonic, because that is the password the Subsonic booter uses to open its keystore, and the key password is carried over on import.

openssl pkcs12 -export -inkey commercial.key -in cert-chain.txt -out cert-chain.pkcs12

Import into a Java keystore. When keytool prompts, give subsonic as the destination keystore password as well; a keystore Subsonic cannot open means it fails to start its HTTPS listener.

keytool -importkeystore -srckeystore cert-chain.pkcs12 -srcstoretype PKCS12 -destkeystore subsonic.keystore

Replace the keystore inside the booter jar. Back the jar up first: jar uf overwrites the bundled subsonic.keystore in place, and that jar is the only copy of the original.

jar uf /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar subsonic.keystore

Voilà. If done right, this should take less than 5 minutes. Obviously, this assumes you're running Ubuntu 12.04 LTS, you already have an issued SSL cert, and OpenJDK is installed (keytool and jar come with it).
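The same five steps with the checks a practitioner would want before overwriting a production jar, as an added example script (not Subsonic's own tooling and not part of the original post). It assumes the file names used above (commercial.key, commercial.crt, gd_bundle.crt) in the current directory, OpenJDK's keytool and jar on the PATH, the Ubuntu package's jar path, and that the Subsonic booter opens its keystore with the password subsonic:

```shell
#!/bin/sh
# subsonic_ssl.sh: build and install the Subsonic keystore from a commercial
# certificate, with the checks the five manual steps skip. Added example,
# not Subsonic's own tooling. Assumptions: the file names from the post
# (commercial.key, commercial.crt, gd_bundle.crt) in the current directory,
# OpenJDK's keytool and jar on PATH, and the Ubuntu package's booter jar path.
set -eu

KEY=${KEY:-commercial.key}
CRT=${CRT:-commercial.crt}
BUNDLE=${BUNDLE:-gd_bundle.crt}
JAR=${JAR:-/usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar}
STOREPASS=${STOREPASS:-subsonic}   # password the Subsonic booter opens its keystore with

# 0 if the private key and certificate share an RSA modulus, 1 otherwise.
# Catches the classic mistake of pairing the cert with the wrong key file.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# 0 if the leaf certificate chains to a trust anchor through the bundle.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

build_keystore() {
    key_matches_cert "$KEY" "$CRT" || { echo "$KEY does not match $CRT" >&2; return 1; }
    chain_verifies "$CRT" "$BUNDLE" || { echo "$CRT does not verify against $BUNDLE" >&2; return 1; }
    # Leaf first, then intermediates/root. '>' so a stale chain file is not appended to.
    cat "$CRT" "$BUNDLE" > cert-chain.pem
    # -name fixes the alias so the keytool import below is unambiguous.
    openssl pkcs12 -export -inkey "$KEY" -in cert-chain.pem -name subsonic \
        -passout "pass:$STOREPASS" -out cert-chain.p12
    rm -f subsonic.keystore
    keytool -importkeystore -noprompt \
        -srckeystore cert-chain.p12 -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -srcalias subsonic -srckeypass "$STOREPASS" \
        -destkeystore subsonic.keystore -deststorepass "$STOREPASS" \
        -destalias subsonic -destkeypass "$STOREPASS"
    # Show what ended up in the store: expect one PrivateKeyEntry whose chain
    # length equals the number of certificates concatenated above.
    keytool -list -v -keystore subsonic.keystore -storepass "$STOREPASS" \
        | grep -E 'Alias name|Entry type|Certificate chain length'
}

install_keystore() {
    [ -f subsonic.keystore ] || { echo "run build first" >&2; return 1; }
    # The only copy of the original keystore lives inside this jar: keep a way back.
    cp -p "$JAR" "$JAR.bak.$(date +%Y%m%d%H%M%S)"
    service subsonic stop
    jar uf "$JAR" subsonic.keystore
    service subsonic start
}

case "${1:-}" in
    build)   build_keystore ;;
    install) install_keystore ;;
    all)     build_keystore && install_keystore ;;
esac
```

Run sh subsonic_ssl.sh build as the user who owns the key and certificate, read the keytool -list output, then sudo sh subsonic_ssl.sh install. Afterwards confirm what is actually being served from another machine with openssl s_client -connect yourhost:4443 -showcerts </dev/null (replace 4443 if you changed Subsonic's HTTPS port); the chain shown there should be the leaf followed by the bundle, in that order.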


Ah yes. The release of a brand, spankin' new version of Ubuntu Server promised greater performance, more security and promises never to crash. Cool. So sit back and dig the scene with a gangsta lean as our "do-release-upgrade" performs its magic. Twenty minutes later, we're running the latest and greatest. And…. our Time Machine backups are broken. Again. Ugh…. why oh why don't we just run Debian and do a source install of Netatalk? Enough of that. The quick fix is to add this line at the bottom of /etc/netatalk/afpd.conf (these are afpd server options, which is why they go there and not in AppleVolumes.default):

- -tcp -noddp -uamlist uams_guest.so,uams_dhx2_passwd.so -nosavepassword -setuplog "default log_info /var/log/afpd.log" -mimicmodel RackMac

Restart Netatalk, and you should be good to go. One thing to check before you leave it like this: uams_guest.so in that -uamlist allows unauthenticated guest logins, so drop it if your shares should only be reachable with a password. Thanks wesg on ubuntuforums and this post.

You once fat-fingered your login name to a web site and now Firefox suggests the typo every single time in the auto-complete dropdown. So annoying! But the Captain’s Universe web site has a quick tip on how to delete the bad suggestions:

Just start to type into the form field until the grey dropdown appears, then use the cursor keys to move to the entry to be deleted and press the SHIFT key and the delete key. Voila!

Thank goodness I’ll never choose “gian” as my login name again. — Gina Trapani

Trojan-Downloader:OSX/Flashback.I

Detection Names: Exploit:Java/Flashback.I, Trojan-Downloader:OSX/Flashback.I, Trojan:OSX/Flashback.I, Backdoor:OSX/Flashback.I
Category: Malware
Type: Trojan-Downloader
Platform: OSX
Summary
Trojan-Downloader:OSX/Flashback.I connects to a remote site to download its payload; on successful infection, the malware modifies targeted webpages displayed in the web browser.
Disinfection

Manual Removal

Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance. F-Secure customers may also contact our Support.

Manual Removal Instructions

1. Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the DYLD_INSERT_LIBRARIES value (a library path)
3. Proceed to step 8 if you got the following error message:

“The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”

4. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%

5. Take note of the value after “__ldpath__”
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

“The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”

10. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

11. Take note of the value after “__ldpath__”
12. Run the following commands in Terminal:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

13. Finally, delete the files obtained in steps 9 and 11.

Note:

Some Flashback variants include additional components, which require additional steps to remove. Please refer to our Trojan-Downloader:OSX/Flashback.K description for additional information and removal instructions.
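Steps 1 through 11 above amount to finding the two launch points and the files they point at. The following added example script does that read-only triage in one pass; it is not F-Secure's tool and not part of the original description. It parses XML plists with grep and sed so it runs anywhere; on OS X convert a binary plist first with plutil -convert xml1 -o - FILE (the environment.plist that defaults write produces is usually binary). The default paths are the ones named above, and the sample files used to exercise it are constructed:

```shell
#!/bin/sh
# flashback_check.sh: locate the two Flashback.I launch points before
# touching anything. Added example, not F-Secure's tool. It parses XML
# plists with grep/sed so it runs anywhere; on OS X convert a binary
# plist first with  plutil -convert xml1 -o - FILE . The default paths
# are the ones the description above names.
SAFARI_PLIST=${SAFARI_PLIST:-/Applications/Safari.app/Contents/Info.plist}
ENV_PLIST=${ENV_PLIST:-$HOME/.MacOSX/environment.plist}

# Print the <string> following <key>DYLD_INSERT_LIBRARIES</key> in an XML
# plist; prints nothing (and returns 0) if the key or the file is absent.
dyld_insert_value() {
    [ -r "$1" ] || return 0
    grep -a -A 1 '<key>DYLD_INSERT_LIBRARIES</key>' "$1" \
        | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' | head -n 1
}

# Print the payload path that the loader library (binary2) carries after
# the literal marker __ldpath__, the same string the manual steps grep for.
ldpath_from_library() {
    [ -r "$1" ] || return 0
    grep -a -o '__ldpath__[ -~]*' "$1" | head -n 1 | sed 's/^__ldpath__//'
}

# Report both launch points and the files they point at.
# Returns 1 if either launch point is present, 0 if the host looks clean.
scan() {
    found=0
    for plist in "$SAFARI_PLIST" "$ENV_PLIST"; do
        lib=$(dyld_insert_value "$plist")
        [ -n "$lib" ] || continue
        found=1
        echo "LAUNCH POINT: $plist sets DYLD_INSERT_LIBRARIES=$lib"
        payload=$(ldpath_from_library "$lib")
        if [ -n "$payload" ]; then
            echo "  loader $lib references payload $payload"
        else
            echo "  loader $lib unreadable or carries no __ldpath__ marker"
        fi
    done
    [ "$found" -eq 0 ] && echo "no DYLD_INSERT_LIBRARIES launch points found"
    return "$found"
}

case "${1:-}" in
    scan) scan ;;
esac
```

Run sh flashback_check.sh scan as the affected user; a clean host prints only the "no launch points" line. Also check the live launchd environment with launchctl getenv DYLD_INSERT_LIBRARIES, since step 12 above has to unset it there too. DYLD_INSERT_LIBRARIES has legitimate users (debugging and instrumentation tools), so treat a hit as something to inspect, not as proof on its own; the __ldpath__ marker in the referenced library is the stronger signal.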
Additional Details

Trojan-Downloader:OSX/Flashback.I is dropped by malicious Java applets that exploit the known CVE-2011-3544 vulnerability.

On execution, the malware will prompt the unsuspecting user for the administrator password. Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done.

If infection is successful, the malware will modify the contents of certain webpages displayed by web browsers; the specific webpages targeted and changes made are determined based on configuration information retrieved by the malware from a remote server.

Installation

On execution, the malware checks whether any of the following paths exist on the system:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

Downloading the Payload

The malware connects to the following URL to download its payload:

h t t p : / / 95.215.63.38/counter/%encoded_data%

Where the decoded data follows this format:

%hardware_UUID%|%machine_architecture%|%kernel_version%|%encoded_data2%|%architecture_of_malware_process%|%current_hardware_type_of_system%|%is_user_daemon%

%encoded_data2% is the MD5 hash of the following:

%hardware_UUID%Jiangxi

%is_user_daemon% is "1" if the process is running as the first OS X user account or as a daemon, "0" otherwise

The filename and actual content of the payload depend on the reply of the remote host. The reply is compressed and encrypted, but the decoded content follows this format:

%encoded_filename%|%encoded_binary1_content%|%encoded_payload_config%|%encoded_binary2_content%|%encoded_png_content%

Where:

Binary 1

Binary1 is more or less the malware's main component. In the sample that we analyzed, it hijacks CFReadStreamRead and CFWriteStreamWrite by interposing on these functions (the dyld interposition that DYLD_INSERT_LIBRARIES makes possible). The malware modifies contents returned or sent by these APIs, targeting the contents of specific webpages as determined by config information returned by the remote host.

Binary 2

Binary2 is basically a filter component that will load binary1 only into a targeted process. This is to avoid crashing incompatible applications and raising the user’s suspicions. In the sample that we analyzed, it targets the Safari web browser.

Infection

Only after downloading the payload does Flashback.I proceed with infecting the machine. To do so, the malware prompts for the administrator password, as in the following screenshot:

Trojan-Downloader:OSX/Flashback.I prompt

The icon indicated by the red box in the screenshot is the PNG content returned by the remote host. This is dropped to the location ‘/tmp/.i.png’ on the system. Since this image is controlled by the remote host, it can be changed any time the author deems necessary.

Whether or not the user inputs their administrator password at the prompt determines the type of infection the malware subsequently performs:

Infection Type 1

If the user inputs their administrator password, the malware will create the following files:

/Applications/Safari.app/Contents/Resources/.%decoded_filename%.png – contains %decoded_binary1_contents% and %decoded_payload_config%
/Applications/Safari.app/Contents/Resources/.%decoded_filename%.xsl – contains %decoded_binary2_contents%

The malware then creates a launch point by inserting the following entry into "/Applications/Safari.app/Contents/Info.plist":

<key>LSEnvironment</key>
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/.%decoded_filename%.xsl</string>
</dict>

In effect this injects binary2 into Safari every time the browser is launched: Launch Services exports LSEnvironment entries into the application's environment, and dyld then loads whatever DYLD_INSERT_LIBRARIES names.

If the malware was able to infect the system this way, it reports success to the following URL:

h t t p ://95.215.63.38/stat_d/

If it failed to infect the system, the malware reports to the following URL:

h t t p ://95.215.63.38/stat_n/

Infection Type 2

In cases where the user did not input their administrator password, the malware checks whether any of the following paths exist on the system:

/Applications/Microsoft Word.app
/Applications/Microsoft Office 2008
/Applications/Microsoft Office 2011
/Applications/Skype.app

If any of these are found, the malware again skips the rest of its routine and proceeds to delete itself, presumably to avoid infecting a system that has an incompatible application installed.

If none of the incompatible applications are found, the malware will create the following files:

~/Library/Application Support/.%decoded_filename%.tmp – contains %decoded_binary1_contents% and %decoded_payload_config%
/Users/Shared/.libgmalloc.dylib – contains %decoded_binary2_contents%

The malware then creates a launch point by creating "~/.MacOSX/environment.plist" with the following content:

<key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/Shared/.libgmalloc.dylib</string>

In effect this injects binary2 into every application launched by the infected user, since the login session reads ~/.MacOSX/environment.plist and exports its keys into the environment of every process the user starts.

For this infection type, the malware reports the successful infection to the following URL:

h t t p : / / 95.215.63.38/stat_u/

SSD life-span recommendations

Wear on any SSD will always be a ghost in the back of your mind. Here are some recommendations and tips for a long lifespan and optimal performance. Basically, what is needed is to eliminate the HDD optimizations within Vista that cause lots of small file writes (SuperFetch and prefetch) and background defragmentation (which also causes lots of small writes). In short (and this is for Vista and Windows 7):

  • Drive indexing disabled. (useless for SSD anyway, because access times are so low).
  • Prefetch disabled.
  • Superfetch disabled
  • Defrag disabled.

So make sure you disable the prefetchers. Also, especially with Vista and Windows 7, make sure you disable scheduled defragmentation on the SSD. You no longer have a mechanical drive, so it is not needed, and you do not want defragmentation wearing out your drive; Vista runs it automatically when your PC is idle (picking its nose).

Don't get me wrong though, you could run a defrag without any problems; you just do not want it to be a regular thing.

For SuperFetch (the SysMain service) and the other services, in the Start search box or at a command prompt just type: services.msc

Use the Windows 7 / Vista Services console to disable them. To disable defragmentation:

Windows 7 and Vista Automatic Defrag:

1. Click Start
2. Click Control Panel
3. Select the Control Panel Home
4. Click System and Maintenance
5. Under the Administrative Tools section at the bottom, click Defragment your hard drive
6. You may need to grant permission to open the disk defragmenter
7. Click or unclick Run automatically (disable) depending if you want this feature enabled or disabled.
8. Click OK

Or, alternatively, in the Vista / Windows 7 Start search box just type: dfrgui

Now over time your SSD will get a little fragmented but it’s NAND flash and there’s no mechanical head moving back and forth to access that data so just leave it disabled.

Windows 7 and the SSD TRIM feature

Windows 7 and Windows Server 2008 R2 support the TRIM command, which the OS issues when a file is deleted from an SSD.

When the OS deletes a file on an SSD, it updates the file system but also tells the drive via TRIM which logical blocks no longer hold data. The drive can then treat those pages as free ahead of time (erasing blocks that are now empty, or consolidating the remaining live pages) instead of discovering it at the next write. The delete is a little slower, but later writes don't degrade because the pages are already empty, and write performance is generally what you care about.

Note that the firmware in the SSD has to support TRIM, and the storage driver has to pass the command through to the drive; the in-box Microsoft AHCI driver does. You can check whether Windows is issuing TRIM at all from an administrative command prompt with: fsutil behavior query DisableDeleteNotify (a result of 0 means TRIM is enabled, 1 means it is off).

TRIM only helps when you delete files. If you are overwriting an existing file in place, TRIM doesn't apply and you'll see the same write performance degradation as without it.

Enable AHCI

The last tip we want to give you to gain a little extra performance is to enable AHCI mode, which can help SSD performance greatly. Now, if you swap out an HDD for an SSD with the operating system already installed and THEN enable AHCI in the BIOS, you'll likely get a boot error / BSOD: the AHCI driver was never set to start at boot, so Windows cannot see its own boot disk.

The common question is: is there a solution for this? There is, and it works on all modern chipsets. Here we go:

1. Start "Regedit"
2. Open HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services
3. Open msahci (this is the in-box Microsoft AHCI driver; if your board runs Intel's RST driver instead, the service is iaStorV and needs the same change)
4. In the right pane, right-click "Start" and choose Modify
5. In the Value data field enter "0" (start at boot) and click "OK"
6. Exit "Regedit"
7. Reboot and enter the BIOS (typically hold the "Delete" key while booting)

In your BIOS select “Integrated Peripherals” and OnChip PATA/SATA Devices. Now change SATA Mode from IDE to AHCI.

You now boot into Windows 7 or Vista, and the OS will recognize AHCI and install the driver. The system needs one more reboot and voilà… enjoy the improved SSD performance.

scp as a background process

To execute any Linux command in the background, and keep it running after you log out, we use nohup as follows:

nohup SOME_COMMAND &

But the problem with scp is that it prompts for the password (if password authentication is used), and a job started in the background can't read the prompt from your terminal. So to run scp as a background process, start it in the foreground with its output redirected:

nohup scp file_to_copy user@server:/path/to/copy/the/file > nohup.out 2>&1

Enter the password when prompted (the transfer must already be running before you suspend it), then press Ctrl+Z, which temporarily suspends the command, then enter:

bg

This resumes the command in the background, and nohup keeps it alive if you then close the session. The cleaner fix is key-based authentication (ssh-keygen, then ssh-copy-id user@server): with no password prompt, the plain nohup scp ... & form just works.
