A bit about CPUs & Registers

So I have been learning a little about smashing the stack, CPU registers, etc. I can't say I'm even close to becoming an expert, but I thought I would put up some notes anyway. There are a number of general purpose registers; the first four we start with are EAX, ECX, EDX and EBX. Their names are as follows:

EAX = Accumulator

ECX = Counter

EDX = Data

EBX = Base

These have a variety of purposes but are mainly used as temporary variables for the CPU while it executes machine instructions. The second four general purpose registers are ESP, EBP, ESI and EDI (these are sometimes known as pointers and indexes).

ESP = Stack Pointer

EBP = Base Pointer

ESI = Source Index

EDI = Destination Index

The first two (ESP, EBP) are called pointers because they store 32-bit addresses that point to a location in memory. The last two (ESI, EDI) are technically pointers too; they are commonly used to point to the source and destination when data needs to be read from one place and written to another, and some load and store instructions use these registers implicitly.

EIP = Instruction Pointer

The EIP points to the current instruction the processor is reading, or, put more technically, it contains a memory address that points to the current instruction (inside main() of a C app, for example). I get the feeling from my limited reading so far that EIP is very important when looking into exploitation, and will be looked at a lot when debugging.

The EFLAGS register consists of several bit flags that are used for comparisons and memory segmentation.

The smallest amount that can be stored in memory is 1 bit, which can be represented as either a 1 or a 0. When you put 4 bits together, it is called a nibble, and this can represent values from 0000 to 1111. When you put two nibbles or 8 bits together you get a byte, which can represent values from 0 to (2^8 - 1), which is 0 to 255 in decimal.

When you put two bytes together you get a WORD, which can represent values from 0 to (2^16 - 1), or 0 to 65,535 in decimal. If you put two WORDs together you get a Double WORD or DWORD, which can represent values from 0 to (2^32 - 1), or in decimal 0 to 4,294,967,297.

IPTables Summary

What is IPTables? By definition it is a packet selection system built on top of the Netfilter framework, so essentially IPTables is just a front end to the very powerful Netfilter. All IPTables does is let you make use of the Netfilter framework without having to do your own kernel hacking: it lets you insert, update and list rules, create chains, and so on. Essentially it's a user-friendly way of creating firewall rulesets by loading kernel modules that perform certain actions on packets based on whether the packets meet certain criteria.

Netfilter, on the other hand, is the power behind IPTables. The Netfilter framework is compiled into the kernel, and essentially it inserts a set of hooks in the kernel protocol stacks for IPv4, IPv6 and DECnet. That way, when a packet passes through the kernel, the Netfilter hook always gets called, and then actions can be taken if need be.

A table is an IPTables construct that delineates broad categories of functionality, such as packet filtering or Network Address Translation. There are four tables: filter, nat, mangle and raw.

Filtering rules are applied to the filter table, NAT rules are applied to the nat table, specialized rules that alter packet data are applied to the mangle table, and rules that should function independently of the Netfilter connection-tracking subsystem are applied to the raw table.

Each table has its own set of built-in chains, but user-defined chains can also be created so that the user can build a set of rules related by a common tag. The most important built-in chains as far as I'm concerned are the INPUT, OUTPUT and FORWARD chains in the filter table.

- The INPUT chain is traversed by packets that are destined for the local Linux system after a routing calculation is made within the kernel (i.e. packets destined for a local socket).

- The OUTPUT chain is reserved for packets that are generated by the Linux system itself.

- The FORWARD chain governs packets that are routed through the Linux system.

Two additional chains that are important for any serious iptables deployment are the PREROUTING and POSTROUTING chains in the nat table, which are used to modify packet headers before and after an IP routing calculation is made within the kernel.

An iptables match is a condition that must be met by a packet in order for iptables to process the packet according to the action specified by the rule target. For example, to apply a rule only to TCP packets, you can use the --protocol match.

Important matches:

--source (-s)

--destination (-d)

--protocol (-p)

--in-interface (-i)

--out-interface (-o)

--state

--string

--comment

iptables supports a set of targets that trigger an action when a packet matches a rule. The most important targets I use are:

ACCEPT – Allows a packet through the firewall

DROP – Discards packet as though it was never received

LOG – Logs packet to syslog

REJECT – Drops the packet but then sends a response back to the source (e.g. a TCP RST)

RETURN – Continues processing the packet so that it can be matched to other rules within the chain.
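The chains, matches and targets above combine into a ruleset like the one below. It is an added example, not code from the original post: a minimal stateful host firewall that default-denies inbound traffic, lets return traffic through with --state, restricts SSH to an assumed admin subnet (192.0.2.0/24, a constructed value), and logs then rejects everything else. Run it with the argument apply as root, or with no arguments to print the iptables commands it would execute.

```shell
#!/bin/sh
# Added example (not from the original post): a small stateful host firewall
# built from the chains, matches and targets described above. Runs the real
# iptables binary as root, or prints the commands when DRY_RUN=1.
# 192.0.2.0/24 is a constructed "admin" subnet; adjust it to your own.
set -e

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-}

ipt() {
    if [ -n "$DRY_RUN" ]; then printf '%s %s\n' "$IPT" "$*"; else "$IPT" "$@"; fi
}

apply_ruleset() {
    # Clean slate in the filter table; default-deny inbound and forwarded
    # traffic, allow what the host itself generates (OUTPUT chain).
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback is always local.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened: the --state match consults
    # the connection-tracking subsystem mentioned in the raw-table note.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # New SSH sessions only from the admin subnet; --comment tags the rule
    # so it can be found again in "iptables -L -n" output.
    ipt -A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -m state --state NEW \
        -m comment --comment admin-ssh -j ACCEPT

    # Public web service.
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Everything else: LOG it (rate-limited so syslog cannot be flooded),
    # then REJECT so the client gets an answer instead of a timeout.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
    ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    ipt -A INPUT -j REJECT
}

case "${1:-show}" in
    apply) apply_ruleset ;;            # needs root and a real iptables
    show)  DRY_RUN=1; apply_ruleset ;; # print the commands only
esac
```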

More IPTables coming soon!

Extended Exim logging on cPanel

Exim's logging isn't too detailed by default, and in the case of e-mail deliverability issues it provides insufficient information for proper diagnostics. So how do we extend Exim's logging on cPanel systems?

This is purely a WHM action, so log into WHM as root and navigate to Main >> Service Configuration >> Exim Configuration Editor.

Scroll down to the bottom of the screen and enter the advanced editor mode by clicking the Advanced Editor button.

When the Advanced Editor opens, put the following line into the first, topmost text box:

log_selector = +all -ident_timeout -host_lookup_failed -lost_incoming_connection

This enables all extended logging attributes (+all), excluding a few that aren't important but would fill the logs with excessive data (-ident_timeout -host_lookup_failed -lost_incoming_connection). While we are here, we will also close one security hole in Exim that, if left open, can let a third party perform unauthorized relaying.

If the following lines aren't already in the first, topmost text box, add them:

hostlist relay_hosts = 127.0.0.1
hostlist relay_from_hosts = 127.0.0.1
hostlist auth_relay_hosts = *

Scroll down to the bottom of the screen and press the Save button. This will save your changes and restart Exim. Watch the output on the screen, which, amongst other things, must say that the Exim configuration has passed the test (i.e. that it is syntactically correct):

Configuration file passes test!  New configuration file was installed.

and that Exim was successfully restarted:

Exim MTA…
Waiting for exim to restart…………..finished.
exim (/usr/sbin/exim -bd -q60m) running as mailnull with PID 26404
exim started ok
…Done

But wait! We are not done yet! Now navigate to Main >> Server Configuration >> Tweak Settings and make sure that "Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)" is turned ON. If it isn't, turn it on by clicking the little checkbox at the right end of that line, scroll down to the bottom of the screen and press Save.

Done: we have expanded Exim's logging facilities (and the message headers of all future messages) and implemented the anti-relay protection.

Now, tailing Exim's main log in a shell with the command

tail -f /var/log/exim_mainlog

we will notice that the logs have started to provide much more extensive information.
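The extended main log is what you read when chasing a deliverability problem. The script below is an added example, not part of the original post: it summarises the outcome of every message in exim_mainlog. It assumes the standard main-log line layout (date, time, optional [pid] which +all turns on, message id, flag, address) and uses constructed sample lines, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the delivery state of
# every message in an Exim main log. It assumes the standard exim_mainlog line
# layout "<date> <time> [<pid>] <msgid> <flag> <address> ...", where [<pid>] is
# optional (+all turns it on) and the flag is <= (arrival), => (delivery),
# ** (failure) or == (deferral).
set -e

# Usage: summarise_exim_log /var/log/exim_mainlog   (or read from stdin)
# Output: one line per message: "<msgid> <sender> <state> <recipient>"
summarise_exim_log() {
    awk '
    {
        i = 3
        if ($3 ~ /^\[[0-9]+\]$/) i = 4        # skip the [pid] field if present
        id = $i; flag = $(i + 1); addr = $(i + 2)
        # Exim message ids are 16 characters: 6 + "-" + 6 + "-" + 2
        if (length(id) != 16 || id !~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/) next
        if (flag == "<=")      { sender[id] = addr; order[++n] = id }
        else if (flag == "=>") { state[id] = "delivered"; rcpt[id] = addr }
        else if (flag == "**") { state[id] = "failed";    rcpt[id] = addr }
        else if (flag == "==" && state[id] == "") { state[id] = "deferred"; rcpt[id] = addr }
    }
    END {
        for (k = 1; k <= n; k++) {
            id = order[k]
            st = state[id]; if (st == "") st = "queued"
            printf "%s %s %s %s\n", id, sender[id], st, rcpt[id]
        }
    }' "$@"
}

# Constructed sample log lines (not real traffic): one delivered, one failed,
# one deferred message; the second one shows the [pid] field.
sample_log() {
    cat <<'EOF'
2024-03-04 10:11:12 1rAbCd-0001Xy-Q2 <= alice@example.com H=(client) [192.0.2.5] P=esmtpa S=1024
2024-03-04 10:11:13 1rAbCd-0001Xy-Q2 => bob@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.7]
2024-03-04 10:11:13 1rAbCd-0001Xy-Q2 Completed
2024-03-04 10:12:00 [4242] 1rAbCe-0001Xz-R3 <= carol@example.com H=(client) [192.0.2.6] P=esmtpa S=2048
2024-03-04 10:12:01 [4242] 1rAbCe-0001Xz-R3 ** dave@nowhere.invalid R=dnslookup: Unrouteable address
2024-03-04 10:13:00 1rAbCf-0001Y0-S4 <= erin@example.com H=(client) [192.0.2.7] P=esmtpa S=512
2024-03-04 10:13:05 1rAbCf-0001Y0-S4 == frank@example.net R=dnslookup T=remote_smtp defer (-53): retry time not reached
EOF
}

sample_log | summarise_exim_log
```

On a live cPanel box, replace the sample with `summarise_exim_log /var/log/exim_mainlog` to get the same per-message summary.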


Quick Rundown of Linux Partitioning

I have just put together a quick overview of the general partitioning information you will need when installing Linux on your PC or server. Hope it helps if you're just beginning :)

/ The root partition/volume is identified by a forward slash (/). All other directories are attached to this parent directory. It is somewhat equivalent to the system drive (C:\) in Windows.

/boot This contains almost everything required for the boot process. It stores data that is used before the kernel begins executing other programs. I usually set my boot partition to about 100MB in size.

/usr This is usually where all program files reside, somewhat like C:\Program Files on Windows.

/home This is where, by default all user home directories are stored. Somewhat equivalent to C:\Documents and Settings on Windows.

/var Logs are generally stored here, so it's a good idea to have a separate partition for /var so that log files can't fill up all the space on your system.

/tmp This is where temporary files go, and it's writable by any user; keep this on a separate partition to avoid malicious users filling it up with data, and mount the partition noexec if possible.

SWAP This is pretty much the same as the virtual memory feature on Windows. For a System with 1-4GB of RAM I usually allocate 2GB SWAP, whilst 4GB+ I usually allocate 4GB SWAP.

Hope this helps with any confusion you may have. By the way, if you're not sure what file system to use, I usually recommend ext3. It's a lot easier to troubleshoot and work with than Logical Volumes.
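To check that the /tmp advice above actually took effect on a box, here is an added example (not from the original post) that tests whether a mount point is a separate mount carrying given options. It parses a /proc/mounts-style table and ships with a constructed sample table so it runs anywhere; the device names and the fstab line in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a mount point such
# as /tmp carries the options the post recommends. Parses a /proc/mounts-style
# table; the sample table and the device names in it are constructed.
set -e

# Usage: mount_has_opts <mounts-file> <mountpoint> <opt>[,<opt>...]
# Returns 0 when <mountpoint> is a mount of its own and every listed option
# is present, 1 otherwise. Pass /proc/mounts as the file on a live system.
mount_has_opts() {
    file=$1; mp=$2; want=$3
    # Field 2 is the mount point, field 4 the option list; the last matching
    # line wins, as a later mount over the same path hides the earlier one.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$file")
    [ -n "$opts" ] || return 1
    for w in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$opts," in
            *",$w,"*) ;;           # option present
            *) return 1 ;;         # option missing
        esac
    done
    return 0
}

# Constructed /proc/mounts excerpt: /tmp is separate and hardened, /var is
# not split out at all (so it shares the root filesystem's free space).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /boot ext3 rw,relatime 0 0
/dev/sda5 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
EOF
}
# The /etc/fstab entry that yields the /tmp line above would be (assumed):
#   /dev/sda5  /tmp  ext3  defaults,nosuid,nodev,noexec  0  2

# Report on the sample table; point mount_has_opts at /proc/mounts to audit
# a real host instead.
audit_sample() {
    f=$(mktemp)
    sample_mounts > "$f"
    for mp in /tmp /var; do
        if mount_has_opts "$f" "$mp" noexec,nosuid,nodev; then
            echo "$mp: separate and hardened"
        else
            echo "$mp: NOT a hardened separate mount"
        fi
    done
    rm -f "$f"
}
audit_sample
```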

Redirects: Difference between the 301 and 302

I see a lot of customers ask what the difference is between a 301 (permanent) redirection and a 302 (temporary) redirection. Both are available from the cPanel control panel, and it can be confusing as to which one is the right choice. Common logic leads most people to believe that a temporary (302) redirection only lasts for a set period of time, after which the redirection no longer exists. This is entirely incorrect, so no, if you have set up a temporary redirection you don't have to worry about it disappearing one day.

Honestly I have never come across a situation where a 302 redirection is needed – how often is it that you only need to move a page temporarily? For me that has been never, most times I use a redirect is when I don’t need to see the old page whatsoever. So for the sake of simplicity, and if you don’t want to find out how it all works and the reasons behind my recommendations then you can stop reading here and just remember to use 301(Permanent) redirections whenever you need one.

Whenever you visit a page on a website, the web server generates an HTTP status code. This status code is usually 200, which means the file was found and served to the client without error. The only difference between a temporary and a permanent redirection is the HTTP status code generated by the web server: a permanent redirection generates a 301 status code and a temporary redirection generates a 302. A 301 redirect is permanent; it means the original page has moved and informs any search engine or user agent (browser) that comes to the page to update the URL in its database. A 302 redirect, on the other hand, informs the search engine or user agent (browser) that the requested resource resides temporarily in another location but can still be found at the requested URI.

These codes actually affect how search engines treat your site and in turn how they index your site. Incorrect codes can actually cause a search engine such as Google to index your site in a negative way, so it is important that you get it right. Not only do these codes tell search engines how to treat the site, they can also cause your web browser to treat your site in different ways.

Have you ever tried implementing a redirect via the control panel or through .htaccess and, even after changing or removing the redirect, it still doesn't change in your browser even after multiple refreshes? Usually when this happens you need to close your browser and re-open it. In most cases the reason is that you implemented a permanent redirect: your browser has read the status code (301), and from then on whenever you visit the original location it doesn't even check the file, it just goes straight to the redirect's destination. Why? Because the browser knows the redirection is permanent and hence shouldn't ever change, so there is no need to request the original file from the web server; it knows it will only get redirected anyway. Closing and reopening your browser should rectify the problem because the browser's cache is cleared, so the next time you enter the URL of the original resource your browser will actually request the file.

I generally advise that if you are going to setup a redirect, you should use a 301 redirect. This is because of how a 301 redirect affects search engines as opposed to 302 redirects. There are a few reasons that make a 302 redirect a bad choice when it comes to search engines, these are:

- 302 redirects are commonly used by spammers to get more of their domains up in search engine results. Hence Google and other search engines don't like this redirection technique, and it can really hurt your page rank.

- A page redirected to by a 302 has to generate its own popularity, whereas with 301 redirects your URLs maintain their link popularity. If you set up a 302 redirect, Google and other search engines that determine popularity ratings automatically assume that the link is eventually going to be taken down; after all, it's only a temporary redirect. So the new page doesn't get any of the link popularity associated with the old page and has to generate that popularity on its own.

For more reasons you should research the topic more thoroughly – it’s beyond the scope of this tutorial to provide every reason why I don’t recommend 302 redirects. Hope I’ve helped!

Landing Page 101

I have been doing a bit of research into landing pages lately, and I thought I would put together my landing page 101, a beginner's guide to the essential parts of a landing page. Obviously there is a lot more to landing pages than what I can mention here in a blog post (I still have a few more books to read on the topic!), however I'll do my best to give you the essentials so you can make your own successful landing page.

- Define the page's conversion activity. (What is the page meant to convert the viewer to? Make sure you define it so you have a clear goal from the outset.)

- Find out what your visitors are looking for and what offers work (do your market research).

- Do not be generic or broad. Landing pages need to have a single specific goal; if you try to sell more than one thing you will distract the potential customer.

- Eliminate unneeded elements. (Try to reduce the number of distractions on the page; the goal, after all, is simply to get that click through to conversion.)

- Match the ad creative. (Make sure you can truly provide what you say you can)

- Make it easy to convert! Make it easy for the customer to signup, or buy your product – making it too hard will only cause them to bow out half way through.

- Lead the eye along the page towards conversion exit.

- Optimize your forms so that users can easily tab between fields.

- Use headers, sub-header and bullet lists.

- Choose a font that's easy on the eyes.

- Testimonials are important (and don't fake them!).

- Build trust (this can be done through testimonials and other methods); trust is very important in order to get the conversion.

Once you have finished your landing page, take a look at it and ask yourself these questions:

- Is the page focused?
- Does the message match the advertisement?
- Have distractions been reduced?
- Are there enough conversion exits?
- Does the page enhance your brand?

If you have anything to add to this – leave a comment and I’ll gladly add it.

All the best,

Mark

Don’t buy web hosting unless it meets these 5 criteria

I recently spent a while shopping around for different web hosting companies. I did a lot of research and have been through a fair few. I finally found a host and I thought I would share with you what I have learnt. The web hosting company I chose is Site5 – I have been hosting there for about a year now, and I couldn’t be happier. So here’s my criteria as to what makes a good host:

24/7 Support

Many hosts say they offer 24/7 support, and even if they do actually have 24/7 support staff, quite often there still isn’t enough staff available for you to actually receive true 24/7 support. I live in Australia, so when I’m awake, the US is asleep, so I really get to know whether support is really available 24/7 or not. The key to good web hosting is having good support – even if you only need their help once a month, you don’t want to be waiting half a day each time to hear back from your host, as a lot of time gets wasted. Choose a host who you can be sure offers 24/7 support, with response times under 15 minutes. The host I am currently with often averages around 7-10 minute response times, and usually I have a resolution in under half an hour. Considering I run a bunch of different sites and am always short of time, it really helps.

Decent Speeds and Uptime

You don't want to be paying for hosting which never seems to work, and when it does, it crawls; that goes without saying. However, it's not always as easy as it sounds to find a host which meets these requirements. Between overloaded servers and bad upstream connectivity, speeds are usually quite slow and unstable on shared hosting. Once again, I really notice this being in Australia, so even if you are in the US you need to think about whether people outside the US are visiting your site; this is especially important if your site sells a product or has a lot of multimedia. For example, some hosts gave good speeds to my customers in the US but not to me or my customers here in Australia, which wasn't good. What you want is a host who can deliver great speeds in the US and above-average speeds everywhere else. Once I found a host which provided this, my sales and web traffic sharply increased.

Moneyback Guarantee

This goes without saying, but believe it or not, not all hosts offer it, and those that do don't always honor it. I don't need to explain in detail that you don't want to see your hard-earned money go to waste, and neither do I. Make sure you choose a host that offers a decent money-back guarantee that lasts for at least 30 days.

Free Migration

If you already have a site hosted with another provider and you want to change hosts, it can be incredibly hard moving a bunch of sites across if you don't have a host who can do it for you. Before you sign up, check with your prospective new host that they can pull across your old sites. In my case I simply took a backup of my old sites and uploaded the backup to Site5's server, at which point their support staff restored the backups for me and I was up and running in no time.

Skinned cPanel

Most hosts offer cPanel; it's nothing special. The stock cPanel interface, however, is counterintuitive and really doesn't work that well. If your host can offer a more intuitive and easy-to-use skin for their cPanel interface, it can really help you get things done a lot faster, and means you aren't going to have to send support a ticket every time you can't work out how to do something.

Well there you have it. My five criteria that a web hosting company must meet in order to get my sale. If you have any questions or comments of your own, feel free to add them in the comments box below. Happy Hosting!
