L Mwangi labeneator
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Find your R home | |
| $ echo "R.home()" | Rscript /dev/stdin | |
| Loading required package: stats | |
| Loading required package: methods | |
| [1] "/usr/local/Cellar/r/3.0.1/R.framework/Resources" | |
| # Make sure that you have the MySQL home var in your Renviron |
labeneator
/ tests.r
Created
October 4, 2013 21:51
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| > library("RMySQL") | |
| Attaching package: ‘RMySQL’ | |
| The following object is masked from ‘package:RSQLite’: | |
| dbBuildTableDefinition, isIdCurrent, safe.write | |
| > library("RMySQL") |
labeneator
/ load_data.sql
Created
October 10, 2013 13:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- Loads IPs as an unsgined int (create table :: ip int(10) unsigned NOT NULL) | |
| -- Trims out the zulu time timezone indicator 'Z' e.g. (2013-07-31T18:41:38Z,). | |
| -- See http://en.wikipedia.org/wiki/Coordinated_Universal_Time | |
| load data local infile 'xxxxx' | |
| into table blah | |
| fields terminated by ',' | |
| ignore 1 lines | |
| (a, @ip, b, @ts1, @ts2) | |
| set ip=inet_aton(@ip), | |
| ts1=replace(@ts1, 'Z', ''), |
labeneator
/ poke_loop_backed_fs.sh
Created
October 11, 2013 16:23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Show the mountpoint for the loopbacked fs | |
| mount |grep zero; | |
| # Meminfo stats | |
| cat /proc/meminfo | egrep -i "dirty|cache"; | |
| # Give humans a chance to run dd in another window | |
| echo -e "\n**Sleeping for 10.. Waiting for I/O**\n"; | |
| sleep 10; |
labeneator
/ poke_loop_backed_fs_annotated.sh
Created
October 11, 2013 16:38
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Results for https://gist.github.com/labeneator/6937753 | |
| # Show the mountpoint for the loopbacked fs | |
| /tmp/zeros on /tmp/bah type ext2 (rw,loop=/dev/loop0) | |
| # Meminfo stats before ddd | |
| Cached: 1947592 kB | |
| SwapCached: 0 kB |
labeneator
/ blktrace.output
Created
October 11, 2013 16:40
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # printf "%10s %15s %5s %10s %5s %8s %5s %14s %8s %14s %5s\n" "Sequence" "Timestamp" "CPU" "Process" "PID" "devid" "RWBS" "Sector" "Blocks" "Bytes" "Action";./blktrace -d /dev/loop0 -o - | ./blkparse -i - -f "%10s %5T.%9t %5c %10C %5p %8D %5d %14S %8n %14N %2a\n" | |
| Sequence Timestamp CPU Process PID devid RWBS Sector Blocks Bytes Action | |
| 1 0.000000000 0 dd 32506 7,0 W 76 2 1024 Q | |
| 2 0.000006148 0 dd 32506 7,0 W 18 2 1024 Q | |
| 3 0.000007682 0 dd 32506 7,0 N 0 0 0 U | |
| 4 0.000023931 0 dd 32506 7,0 W 76 2 1024 Q | |
| 5 0.000025840 0 dd 32506 7,0 W 18 2 1024 Q | |
| 6 0.000026339 0 dd 32506 7,0 N 0 0 0 U | |
| 7 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /sbin/dumpe2fs /tmp/zeros | |
| dumpe2fs 1.39 (29-May-2006) | |
| Filesystem volume name: <none> | |
| Last mounted on: <not available> | |
| Filesystem UUID: 883f7cd8-c8cc-44cf-9e86-ba36519e4b49 | |
| Filesystem magic number: 0xEF53 | |
| Filesystem revision #: 1 (dynamic) | |
| Filesystem features: resize_inode dir_index filetype sparse_super | |
| Default mount options: (none) | |
| Filesystem state: not clean |
labeneator
/ gist:6938356
Created
October 11, 2013 17:02
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /sbin/debugfs /tmp/zeros | |
| debugfs 1.39 (29-May-2006) | |
| debugfs: ? | |
| Available debugfs requests: | |
| show_debugfs_params, params | |
| Show debugfs parameters | |
| open_filesys, open Open a filesystem | |
| close_filesys, close Close the filesystem | |
| feature, features Set/print superblock features |
labeneator
/ gist:7192880
Last active
December 26, 2015 18:09
Backdoor. Doing too much work in the ISR
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Oct 28 10:43:47 debian kernel: [269087.601151] pkt_len: 13, ipv4, hdr_len: 5 | |
| Oct 28 10:43:47 debian kernel: [269087.601154] s_ip: 192.168.127.108, | |
| Oct 28 10:43:47 debian kernel: [269087.601155] data: touch /tmp/x, | |
| Oct 28 10:43:47 debian kernel: [269087.601156] About to run: touch /tmp/x, | |
| Oct 28 10:43:47 debian kernel: [269087.601801] Modules linked in: backdoor_buggy(O) vboxsf(O) ppdev lp bnep rfcomm bluetooth rfkill uinput nfsd nfs nfs_acl auth_rpcgss fscache lockd sunrpc ext2 loop joydev iTCO_wdt iTCO_vendor_support psmouse pcspkr serio_raw evdev rng_core usbhid hid i2c_piix4 i2c_core snd_intel8x0 snd_ac97_codec snd_pcm snd_page_alloc snd_timer snd soundcore ac97_bus parport_pc battery processor parport vboxguest(O) thermal_sys ac button power_supply ext4 crc16 jbd2 mbcache dm_mod sg sd_mod sr_mod crc_t10dif cdrom ata_generic ata_piix ahci libahci ohci_hcd ehci_hcd libata usbcore e1000 usb_common scsi_mod [last unloaded: scsi_wait_scan] | |
| Oct 28 10:43:47 debian kernel: [269087.601847] Pid: 7862, comm: sendip |
labeneator
/ bugg_code.c
Created
October 28, 2013 08:53
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| lmwangi@debian:~/backdoor$ gdb backdoor_buggy.ko | |
| GNU gdb (GDB) 7.4.1-debian | |
| Copyright (C) 2012 Free Software Foundation, Inc. | |
| License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> | |
| This is free software: you are free to change and redistribute it. | |
| There is NO WARRANTY, to the extent permitted by law. Type "show copying" | |
| and "show warranty" for details. | |
| This GDB was configured as "x86_64-linux-gnu". | |
| For bug reporting instructions, please see: | |
| <http://www.gnu.org/software/gdb/bugs/>... |