Securing JBoss AS From Remote Exploit

This morning I got a call from the office telling me that she couldn't access our ERP application. After some checking, I found that something was wrong with JBoss AS: there were some unrecognized .war files in the deploy dir. The .war files only contained one .jsp file each, with similar code. A web search led me to this website. The code was the same, and obviously we were a victim.

It was exploiting the standard, unsecured JMX console on JBoss (I'm still using JBoss v4.0.2). Well, that was entirely my fault for not prioritizing securing the JMX and web console on the production server. The code in the .jsp was intended to open a console (cmd on Windows or sh on Linux); fortunately the JBoss service was run by user 'jboss', not 'root' (you can imagine what would have happened if it were root).

This 'accident' forced me to take time (mine and the users') to apply JBoss security. The first step was opening the bookmark list in my browser (believe it or not, I had bookmarked some articles about securing JBoss a couple of months ago) and starting to apply them. Here are the links: SecuringTheJMXConsole - JBoss Community and JBoss Application Server Security Vulnerability Notice.

Now that some security was applied, I needed to test it, right? I downloaded the exploit code and put it on a Linux box, because it was written in Perl and I don't have Perl on my Windows machine. First I tried the exploit against JBoss on my development server, which uses the standard/unsecured configuration, and the exploit worked, proving that the exploit itself wasn't defective. Then I tried it against JBoss on the production server, where the JMX and web console were already secured, and it failed, complaining that it couldn't upload the file.


For now JBoss is secure from this exploit, while I still need to explore other possibilities.
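The indicator that started this incident was an unrecognized .war file in the deploy directory. The following shell script is an added example, not code from the original post: it compares the contents of the deploy directory against a known-good allowlist and reports anything else, dotfiles included. The directory and allowlist paths are assumptions, and the sample directory it builds at the end is constructed for demonstration only.

```sh
#!/bin/sh
# Added example (not from the original post): list entries in the JBoss
# deploy directory that are not on a known-good allowlist. Directory and
# allowlist paths are assumptions; the demo directory below is constructed.

# unknown_deployments <deploy_dir> <allowlist_file>
# Prints the name of every entry (including dotfiles) in deploy_dir whose
# exact name is not a line in allowlist_file. Exit status 1 if any unknown
# entry was found, 0 if the directory matches the allowlist.
unknown_deployments() {
    ud_dir="$1"; ud_allow="$2"; ud_found=0
    for ud_path in "$ud_dir"/* "$ud_dir"/.*; do
        # an unmatched glob stays literal; -L also keeps dangling symlinks
        [ -e "$ud_path" ] || [ -L "$ud_path" ] || continue
        ud_name=$(basename "$ud_path")
        case "$ud_name" in .|..) continue ;; esac
        # -x whole-line, -F literal: "erp.war" must not approve "erp.war.bak"
        if ! grep -qxF -- "$ud_name" "$ud_allow"; then
            printf '%s\n' "$ud_name"
            ud_found=1
        fi
    done
    return $ud_found
}

# Constructed demo: a fake deploy dir with one legitimate app, one stock
# JBoss console and two entries that are not on the allowlist.
DEMO_DIR=$(mktemp -d)
DEMO_ALLOW=$(mktemp)
for f in erp.war jmx-console.war unknown.war .hidden.war; do : > "$DEMO_DIR/$f"; done
printf 'erp.war\njmx-console.war\n' > "$DEMO_ALLOW"

echo "Entries not on the allowlist:"
unknown_deployments "$DEMO_DIR" "$DEMO_ALLOW" || echo "-> investigate before the next deploy"
```

On a real JBoss 4 server the allowlist has to include every stock deployment that ships in server/default/deploy, so build it from a clean install and run the check from cron; a non-zero exit is the signal to look before the next WAR goes in.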

Update: April 1, 2011

Days after implementing the secured JMX and web console, I haven't found any alien .war files any more. But the netstat output mentions some unknown IRC connections.
Then I took these steps:

1. Ran a full scan and found 3 infected files:

ieh: Trojan.Perl.Shellbot-2
.X-un1x: Trojan.Perl.Shellbot-2
xh: Linux.Rst

and removed them.

2. I also checked /tmp and removed some suspicious files/folders which were owned by jboss and had nothing to do with the currently deployed legitimate applications (e.g. Hibernate cache files).

3. Killed all processes by the PIDs shown by netstat (I use the -p option to show the PID).

4. Re-checked all processes owned by jboss, except the one running the JBoss server.

5. Checked netstat again to make sure there were no more unwanted connections.
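Steps 3 to 5 above can be scripted so the same triage is repeatable. The helper below is an added example, not part of the original post: it reads two captures saved to files (netstat -antp and ps -u jboss -o pid=), reports established connections that belong to jboss-owned processes other than the server itself, lists the PIDs to kill, and separately flags anything talking to an IRC port. The server PID and all sample captures are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): triage helper for steps 3-5.
# Inputs are two captures saved to files beforehand:
#   netstat -antp        > netstat.txt     (connections with PID/program)
#   ps -u jboss -o pid=  > jboss-pids.txt  (every PID owned by user jboss)
# The server PID and the sample captures at the bottom are constructed.

# rogue_connections <server_pid> <pid_list_file> <netstat_file>
# Prints "pid program remote_address" for each ESTABLISHED connection whose
# PID is owned by jboss but is not the server (step 4: everything owned by
# jboss except the one running the JBoss server).
rogue_connections() {
    awk -v server="$1" '
        NR == FNR { owned[$1] = 1; next }      # first file: jboss-owned PIDs
        $6 == "ESTABLISHED" {
            split($7, p, "/")                  # "2377/perl" -> p[1]=pid, p[2]=name
            if ((p[1] in owned) && p[1] != server) print p[1], p[2], $5
        }' "$2" "$3"
}

# irc_connections <netstat_file>
# Prints every ESTABLISHED connection to the usual IRC port range
# (6660-6669, 6697), whoever owns it: the indicator netstat showed.
irc_connections() {
    awk '$6 == "ESTABLISHED" {
            n = split($5, r, ":"); port = r[n] + 0   # last field = remote port
            if ((port >= 6660 && port <= 6669) || port == 6697) {
                split($7, p, "/"); print p[1], p[2], $5
            }
        }' "$1"
}

# pids_to_kill <server_pid> <pid_list_file> <netstat_file>
# Unique PIDs from rogue_connections, the list step 3 hands to kill.
pids_to_kill() {
    rogue_connections "$@" | awk '{ print $1 }' | sort -u
}

# ---- constructed sample captures (not a real incident record) ----
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2101/java
tcp        0      0 10.0.0.5:8080           10.0.0.20:55011         ESTABLISHED 2101/java
tcp        0      0 10.0.0.5:3306           10.0.0.5:51234          ESTABLISHED 1899/mysqld
tcp        0      0 10.0.0.5:49152          203.0.113.9:6667        ESTABLISHED 2377/perl
tcp        0      0 10.0.0.5:49153          198.51.100.4:6697       ESTABLISHED 2378/sh'
SAMPLE_PIDS='2101
2377
2378'

SAMPLE_DIR=$(mktemp -d)
printf '%s\n' "$SAMPLE_NETSTAT" > "$SAMPLE_DIR/netstat.txt"
printf '%s\n' "$SAMPLE_PIDS" > "$SAMPLE_DIR/jboss-pids.txt"

echo "jboss-owned connections not belonging to the server (PID 2101):"
rogue_connections 2101 "$SAMPLE_DIR/jboss-pids.txt" "$SAMPLE_DIR/netstat.txt"
echo "PIDs to kill:"
pids_to_kill 2101 "$SAMPLE_DIR/jboss-pids.txt" "$SAMPLE_DIR/netstat.txt"
```

Capturing to files first also preserves the evidence: the netstat and ps snapshots taken before anything was killed are what you compare against in step 5, and they document which PIDs were terminated and why.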

WAR File Auto Deployer

OK, here's a script for auto-deploying a WAR file, so I don't have to wait for all the employees to log out before I can bring down the server ;)

1) Create a file named '/erp/scripts/war-deployer.sh':

#!/bin/bash
#
# WAR File Deployer Script
# description: Simply stops the service, backs up the old file, replaces it, and starts the service again.
#

WAR_FILE="erp.war"
DIST_DIR="/erp/readyToDeploy"
DEPLOY_DIR="/usr/jboss/server/default/deploy"
BACKUP_DIR="/erp/backup"

# refuse to take the server down when there is nothing to deploy
if [ ! -f "$DIST_DIR/$WAR_FILE" ]; then
    echo "Nothing to deploy: $DIST_DIR/$WAR_FILE not found" >&2
    exit 1
fi
mkdir -p "$BACKUP_DIR"

# stop jboss server
/sbin/service jbossd stop

# backup
BACKUP_FILE="$BACKUP_DIR/$WAR_FILE-$(date +%F_%H-%M).bak"
echo "Creating backup file $BACKUP_FILE ..."
/bin/cp "$DEPLOY_DIR/$WAR_FILE" "$BACKUP_FILE"

# replace
echo "Replacing $DEPLOY_DIR/$WAR_FILE with $DIST_DIR/$WAR_FILE"
/bin/cp "$DIST_DIR/$WAR_FILE" "$DEPLOY_DIR/$WAR_FILE"

# start jboss server
/sbin/service jbossd start


2) Then schedule it in crontab:
Run the command crontab -e to insert a job to be executed tonight into the crontab, then add the following line:

05 22 7 3 * /erp/scripts/war-deployer.sh

It will execute the script /erp/scripts/war-deployer.sh on 07 March 2011 at 22:05.

3) Done! Let's see if it does the job :p

With the method above, all I need to do is put the new erp.war file in the distribution directory and change the day-of-month and month fields in the crontab every time I need to update the application.
By the way, it would also work great if I had a fixed schedule for updating the app. Consider this cycle: develop/bug fix > test > distribute it by putting the WAR file in the dist directory, and forget about the 'deploy' part... ;)


Read more about cron at: http://en.wikipedia.org/wiki/Cron.

Update [March 26, 2011]
- Fixed script (variable $DIST_FILE -> $DIST_DIR).
- Crontab entry (year removed, and changed ? to *).

Handling Timestamp '0000-00-00 00:00:00' in JDBC

Here I found a quick reference for resolving the SQLException thrown when a Timestamp value is '0000-00-00 00:00:00': link

Summary

In hibernate.cfg.xml:
<property name="hibernate.connection.zeroDateTimeBehavior">convertToNull</property>

In hibernate.properties:
hibernate.connection.zeroDateTimeBehavior=convertToNull

In mysql-ds.xml file for JBOSS:
<connection-property name="zeroDateTimeBehavior">convertToNull</connection-property>

In JDBC URL:
jdbc:mysql://yourserver:3306/yourdatabase?zeroDateTimeBehavior=convertToNull

MySQL Database Replication

With the need to build complex reporting without burdening the performance of the main application, I plan to build an additional module dedicated to the reporting system. This application will be built separately, using a replica of the database used by the main application. Based on the MySQL reference on replication and these howtos (this one and this one), implementing the database replica looks easy enough. OK, time to practice.. wish me luck..

HOWTO: Download package dependencies for offline installation

Today I happened to have time to study the installation of OpenOffice.org 3 with the help of the InfoLinux Extra no. 01/2009 book + CD, which is entirely about OOo3.
Skipping everything else, straight to the installation! The book explains step-by-step installation on Windows, OS X, and Linux (Ubuntu 8.10; other distros only briefly). I tried installing on XP right away: smooth, as usual just keep clicking Next :). Next was installing on OS X, but I don't have one, so I skipped that.
Next is Ubuntu, and the version happens to be the same as the Ubuntu on the computer I'm currently using. But this computer was used by someone else before and I've only been using it for a few days, so I didn't know whether the existing OOo ran or not (most likely not), because it turned out that no JRE or JDK was installed. I only found that out while installing OOo3, when the message "javaldx: Could not find a Java Runtime Environment!" suddenly appeared. After checking in the Synaptic package manager, the JRE/JDK packages were indeed not installed... ugh. It turns out the InfoLinux CD does not include a JRE. It's not hard, really; we can just use Synaptic to download and install the JRE/JDK (since I don't have the Ubuntu CD :( ), but there are several Ubuntu computers whose OOo will be upgraded. After a bit of googling I found a way to download a package along with its dependencies, so I can download the JRE package, put it on the file server, and not have to download the JRE every time I install it.

Restore MySQL Database Using Java

Restoring a MySQL database from a backup file (SQL file).


import java.io.FileInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.util.ArrayList;
import java.util.List;

public class MySQLBackupUtil {

    private static void restore(String host, String port, String user,
            String password, String db, String sqlFile) throws Exception {
        final int BUFFER = 10485760;

        // Build an argument list instead of one command string: a value that
        // contains spaces (or quotes) then stays a single argument rather
        // than being split into extra mysql options.
        List<String> cmd = new ArrayList<String>();
        cmd.add("mysql");
        cmd.add("--host=" + host);
        if (port != null && port.length() > 0)
            cmd.add("--port=" + port);
        cmd.add("--user=" + user);
        cmd.add(db);

        ProcessBuilder pb = new ProcessBuilder(cmd);
        // Hand the password over in the environment; on the command line it
        // would be readable by every local user through ps.
        if (password != null && password.length() > 0)
            pb.environment().put("MYSQL_PWD", password);
        // Let mysql write its stdout/stderr straight to ours (Java 7+), so a
        // full output pipe can never block it while we are still feeding stdin.
        pb.inheritIO();

        Process run = pb.start();
        FileInputStream fis = new FileInputStream(sqlFile);
        OutputStream out = run.getOutputStream();
        try {
            byte[] buf = new byte[BUFFER];
            int len;
            while ((len = fis.read(buf)) != -1)
                out.write(buf, 0, len);
        } finally {
            fis.close();
            out.close(); // EOF on stdin tells mysql the script is complete
        }

        // Wait for mysql and fail loudly instead of silently returning
        // when the restore was rejected (bad credentials, SQL error, ...).
        int exit = run.waitFor();
        if (exit != 0)
            throw new IOException("mysql exited with status " + exit);
    }

    public static void main(String[] args) {
        try {
            String sqlFile = "D:\\APP\\workspace\\chunkcode\\dbtest.sql";
            restore("localhost", "3306", "root", "", "dbtest", sqlFile);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Extracting Zip File Using Java

Extract a zip file to a directory:

import java.io.*;
import java.util.zip.*;

public class Unzip {
    public static void unzipTo(String zipName, String dirName) throws Exception {
        final int BUFFER = 2048;
        File dir = new File(dirName);
        if (!dir.exists())
            dir.mkdirs();
        // Canonical form of the target directory (trailing separator included),
        // used to reject entries whose name climbs out of it with "../".
        String targetRoot = dir.getCanonicalPath() + File.separator;

        BufferedOutputStream dest = null;
        FileInputStream fis = new FileInputStream(zipName);
        CheckedInputStream checksum = new CheckedInputStream(fis, new Adler32());
        ZipInputStream zis = new ZipInputStream(new BufferedInputStream(
                checksum));

        ZipEntry entry;
        try {
            while ((entry = zis.getNextEntry()) != null) {
                File outFile = new File(dir, entry.getName());
                if (!outFile.getCanonicalPath().startsWith(targetRoot)) {
                    throw new IOException("Zip entry outside target directory: "
                            + entry.getName());
                }
                System.out.println("Extracting: " + entry + " to " + outFile);
                if (entry.isDirectory()) {
                    outFile.mkdirs();
                    continue;
                }
                // entries such as "a/b/c.txt" need their parent directories first
                File parent = outFile.getParentFile();
                if (parent != null && !parent.exists())
                    parent.mkdirs();
                int count;
                byte data[] = new byte[BUFFER];
                // write the file to the disk
                FileOutputStream fos = new FileOutputStream(outFile);
                dest = new BufferedOutputStream(fos, BUFFER);
                try {
                    while ((count = zis.read(data, 0, BUFFER)) != -1) {
                        dest.write(data, 0, count);
                    }
                    dest.flush();
                } finally {
                    dest.close();
                }
            }
        } finally {
            zis.close();
        }
        System.out.println("Checksum: " + checksum.getChecksum().getValue());
    }

    public static final void main(String[] args) {
        try {
            String targetDir = "D:\\APP\\workspace\\chunkcode\\tmp";
            String zipFile = "D:/APP/workspace/chunkcode/test.zip";
            unzipTo(zipFile, targetDir);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

The code is based on this article.

MIME Type Quick Reference

MIME Type | File Extension
application/SLA | stl
application/STEP | step
application/STEP | stp
application/acad | dwg
application/andrew-inset | ez
application/clariscad | ccad
application/drafting | drw
application/dsptype | tsp
application/dxf | dxf
application/excel | xls
application/i-deas | unv
application/java-archive | jar
application/mac-binhex40 | hqx
application/mac-compactpro | cpt
application/vnd.ms-powerpoint | pot
application/vnd.ms-powerpoint | pps
application/vnd.ms-powerpoint | ppt
application/vnd.ms-powerpoint | ppz
application/msword | doc
application/octet-stream | bin
application/octet-stream | style
application/octet-stream | dms
application/octet-stream | exe
application/octet-stream | lha
application/octet-stream | lzh
application/oda | oda
application/ogg | ogg
application/ogg | ogm
application/pdf | pdf
application/pgp | pgp
application/postscript | ai
application/postscript | eps
application/postscript | ps
application/pro_eng | prt
application/rtf | rtf
application/set | set
application/smil | smi
application/smil | smil
application/solids | sol
application/vda | vda
application/vnd.mif | mif
application/vnd.ms-excel | xlc
application/vnd.ms-excel | xll
application/vnd.ms-excel | xlm
application/vnd.ms-excel | xls
application/vnd.ms-excel | xlw
application/vnd.rim.cod | cod
application/x-arj-compressed | arj
application/x-bcpio | bcpio
application/x-cdlink | vcd
application/x-chess-pgn | pgn
application/x-cpio | cpio
application/x-csh | csh
application/x-debian-package | deb
application/x-director | dcr
application/x-director | dir
application/x-director | dxr
application/x-dvi | dvi
application/x-freelance | pre
application/x-futuresplash | spl
application/x-gtar | gtar
application/x-gunzip | gz
application/x-gzip | gz
application/x-hdf | hdf
application/x-ipix | ipx
application/x-ipscript | ips
application/x-javascript | js
application/x-koan | skd
application/x-koan | skm
application/x-koan | skp
application/x-koan | skt
application/x-latex | latex
application/x-lisp | lsp
application/x-lotusscreencam | scm
application/x-mif | mif
application/x-msdos-program | bat
application/x-msdos-program | com
application/x-msdos-program | exe
application/x-netcdf | cdf
application/x-netcdf | nc
application/x-perl | pl
application/x-perl | pm
application/x-rar-compressed | rar
application/x-sh | sh
application/x-shar | shar
application/x-shockwave-flash | swf
application/x-stuffit | sit
application/x-sv4cpio | sv4cpio
application/x-sv4crc | sv4crc
application/x-tar-gz | tar.gz
application/x-tar-gz | tgz
application/x-tar | tar
application/x-tcl | tcl
application/x-tex | tex
application/x-texinfo | texi
application/x-texinfo | texinfo
application/x-troff-man | man
application/x-troff-me | me
application/x-troff-ms | ms
application/x-troff | roff
application/x-troff | t
application/x-troff | tr
application/x-ustar | ustar
application/x-wais-source | src
application/x-zip-compressed | zip
application/zip | zip
audio/TSP-audio | tsi
audio/basic | au
audio/basic | snd
audio/midi | kar
audio/midi | mid
audio/midi | midi
audio/mpeg | mp2
audio/mpeg | mp3
audio/mpeg | mpga
audio/ulaw | au
audio/x-aiff | aif
audio/x-aiff | aifc
audio/x-aiff | aiff
audio/x-mpegurl | m3u
audio/x-ms-wax | wax
audio/x-ms-wma | wma
audio/x-pn-realaudio-plugin | rpm
audio/x-pn-realaudio | ram
audio/x-pn-realaudio | rm
audio/x-realaudio | ra
audio/x-wav | wav
chemical/x-pdb | pdb
chemical/x-pdb | xyz
image/cmu-raster | ras
image/gif | gif
image/ief | ief
image/jpeg | jpe
image/jpeg | jpeg
image/jpeg | jpg
image/png | png
image/tiff | tif tiff
image/tiff | tif
image/tiff | tiff
image/x-cmu-raster | ras
image/x-portable-anymap | pnm
image/x-portable-bitmap | pbm
image/x-portable-graymap | pgm
image/x-portable-pixmap | ppm
image/x-rgb | rgb
image/x-xbitmap | xbm
image/x-xpixmap | xpm
image/x-xwindowdump | xwd
model/iges | iges
model/iges | igs
model/mesh | mesh
model/mesh | msh
model/mesh | silo
model/vrml | vrml
model/vrml | wrl
text/css | css
text/html | htm
text/html | html htm
text/html | html
text/plain | asc txt
text/plain | asc
text/plain | c
text/plain | cc
text/plain | f90
text/plain | f
text/plain | h
text/plain | hh
text/plain | m
text/plain | txt
text/richtext | rtx
text/rtf | rtf
text/sgml | sgm
text/sgml | sgml
text/tab-separated-values | tsv
text/vnd.sun.j2me.app-descriptor | jad
text/x-setext | etx
text/xml | xml
video/dl | dl
video/fli | fli
video/flv | flv
video/gl | gl
video/mpeg | mp2
video/mp4 | mp4
video/mpeg | mpe
video/mpeg | mpeg
video/mpeg | mpg
video/quicktime | mov
video/quicktime | qt
video/vnd.vivo | viv
video/vnd.vivo | vivo
video/x-fli | fli
video/x-ms-asf | asf
video/x-ms-asx | asx
video/x-ms-wmv | wmv
video/x-ms-wmx | wmx
video/x-ms-wvx | wvx
video/x-msvideo | avi
video/x-sgi-movie | movie
www/mime | mime
x-conference/x-cooltalk | ice
x-world/x-vrml | vrm
x-world/x-vrml | vrml
vnd.openxmlformats-officedocument.spreadsheetml.sheet | xlsx
application/vnd.openxmlformats-officedocument.wordprocessingml.document | docx
[Update 2019-05-13]
- Added: docx & xlsx.

ANSI Characters

Update [2013-01-20]: I just posted about how to use it in HTML.
ANSI | Character
33 | !
34 | "
35 | #
36 | $
37 | %
38 | &
39 | '
40 | (
41 | )
42 | *
43 | +
44 | ,
45 | -
46 | .
47 | /
48 | 0
49 | 1
50 | 2
51 | 3
52 | 4
53 | 5
54 | 6
55 | 7
56 | 8
57 | 9
58 | :
59 | ;
60 | <
61 | =
62 | >
63 | ?
64 | @
65 | A
66 | B
67 | C
68 | D
69 | E
70 | F
71 | G
72 | H
73 | I
74 | J
75 | K
76 | L
77 | M
78 | N
79 | O
80 | P
81 | Q
82 | R
83 | S
84 | T
85 | U
86 | V
87 | W
88 | X
89 | Y
90 | Z
91 | [
92 | \
93 | ]
94 | ^
95 | _
96 | `
97 | a
98 | b
99 | c
100 | d
101 | e
102 | f
103 | g
104 | h
105 | i
106 | j
107 | k
108 | l
109 | m
110 | n
111 | o
112 | p
113 | q
114 | r
115 | s
116 | t
117 | u
118 | v
119 | w
120 | x
121 | y
122 | z
123 | {
124 | |
125 | }
126 | ~
128 |
138 | Š
145 |
146 |
161 | ¡
162 | ¢
163 | £
164 | ¤
165 | ¥
166 | ¦
167 | §
168 | ¨
169 | ©
170 | ª
171 | «
172 | ¬
173 | ­
174 | ®
175 | ¯
176 | °
177 | ±
178 | ²
179 | ³
180 | ´
181 | µ
182 |
183 | ·
184 | ¸
185 | ¹
186 | º
187 | »
188 | ¼
189 | ½
190 | ¾
191 | ¿
192 | À
193 | Á
194 | Â
195 | Ã
196 | Ä
197 | Å
198 | Æ
199 | Ç
200 | È
201 | É
202 | Ê
203 | Ë
204 | Ì
205 | Í
206 | Î
207 | Ï
208 | Ð
209 | Ñ
210 | Ò
211 | Ó
212 | Ô
213 | Õ
214 | Ö
215 | ×
216 | Ø
217 | Ù
218 | Ú
219 | Û
220 | Ü
221 | Ý
222 | Þ
223 | ß
224 | à
225 | á
226 | â
227 | ã
228 | ä
229 | å
230 | æ
231 | ç
232 | è
233 | é
234 | ê
235 | ë
236 | ì
237 | í
238 | î
239 | ï
240 | ð
241 | ñ
242 | ò
243 | ó
244 | ô
245 | õ
246 | ö
247 | ÷
248 | ø
249 | ù
250 | ú
251 | û
252 | ü
253 | ý
254 | þ
255 | ÿ

HTML Characters

Character | Code
space | &nbsp;
" | &quot;
& | &amp;
< | &lt;
> | &gt;
© | &copy;
® | &reg;
TM | <SUP>TM</SUP>
´ | &acute;
« | &laquo;
» | &raquo;
¡ | &iexcl;
¿ | &iquest;
À | &Agrave;
à | &agrave;
Á | &Aacute;
á | &aacute;
Â | &Acirc;
â | &acirc;
Ã | &Atilde;
ã | &atilde;
Ä | &Auml;
ä | &auml;
Å | &Aring;
å | &aring;
Æ | &AElig;
æ | &aelig;
Ç | &Ccedil;
ç | &ccedil;
Ð | &ETH;
ð | &eth;
È | &Egrave;
è | &egrave;
É | &Eacute;
é | &eacute;
Ê | &Ecirc;
ê | &ecirc;
Ë | &Euml;
ë | &euml;
Ì | &Igrave;
ì | &igrave;
Í | &Iacute;
í | &iacute;
Î | &Icirc;
î | &icirc;
Ï | &Iuml;
ï | &iuml;
Ñ | &Ntilde;
ñ | &ntilde;
Ò | &Ograve;
ò | &ograve;
Ó | &Oacute;
ó | &oacute;
Ô | &Ocirc;
ô | &ocirc;
Õ | &Otilde;
õ | &otilde;
Ö | &Ouml;
ö | &ouml;
Ø | &Oslash;
ø | &oslash;
Ù | &Ugrave;
ù | &ugrave;
Ú | &Uacute;
ú | &uacute;
Û | &Ucirc;
û | &ucirc;
Ü | &Uuml;
ü | &uuml;
Ý | &Yacute;
ý | &yacute;
ÿ | &yuml;
Þ | &THORN;
þ | &thorn;
ß | &szlig;
§ | &sect;
| &para;
µ | &micro;
¦ | &brvbar;
± | &plusmn;
· | &middot;
¨ | &uml;
¸ | &cedil;
ª | &ordf;
º | &ordm;
¬ | &not;
­ | &shy;
¯ | &macr;
° | &deg;
¹ | &sup1;
² | &sup2;
³ | &sup3;
¼ | &frac14;
½ | &frac12;
¾ | &frac34;
× | &times;
÷ | &divide;
¢ | &cent;
£ | &pound;
¤ | &curren;
¥ | &yen;
Update 2013-03-25
Code | Description
&lsquo; | left single quote
&rsquo; | right single quote
&sbquo; | single low-9 quote
&ldquo; | left double quote
&rdquo; | right double quote
&bdquo; | double low-9 quote
&dagger; | dagger
&Dagger; | double dagger
&permil; | per mill sign
&lsaquo; | single left-pointing angle quote
&rsaquo; | single right-pointing angle quote
&spades; | black spade suit
&clubs; | black club suit
&hearts; | black heart suit
&diams; | black diamond suit
&oline; | overline, = spacing overscore
&larr; | leftward arrow
&uarr; | upward arrow
&rarr; | rightward arrow
&darr; | downward arrow
&trade; | trademark sign