Tue, 18 Mar 2008
Snakes! Snakes!
Some days... I wasted an hour or two today chasing what turned out to be a bug in Python. For a few reasons (laziness mostly) we're still using Python 2.2 at work. I'd been having fun writing a test script (well, fun...) where I needed to do endianness conversion. Python thoughtfully provides access to the usual ntoh/hton functions, so that's what I used.
    import socket

    aNumber = 0xFFFFFFFF
    print socket.ntohl(aNumber)
See, really easy. Except it doesn't work, at least not in Python 2.2. As it turns out Python insists on interpreting 'aNumber' as a signed long, which causes it to throw an OverflowError whenever you input (or end up with) something that has the MSB set.
As I couldn't easily upgrade Python I worked around it. I hope no children read this as this could scar them for life.
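    import socket

    def myntohl(input):
        # socket.ntohl() in Python 2.2 raises OverflowError when the MSB is set,
        # so clear it, convert, then put the bit back where the byte swap moved it.
        if input & 0x80000000:
            input = input & 0x7FFFFFFF
            input = socket.ntohl(input)
            # On a little-endian host bit 31 ends up as bit 7 after the swap.
            input = input | 0x80
        else:
            input = socket.ntohl(input)
        return input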
Don't worry, it's fixed from 2.3 onwards.
posted at: 21:34 | path: / | [ 0 comments ]
Sun, 09 Mar 2008
Speak of the devil...
Today I complained I hadn't seen Google's bot yet. They must have heard.
A.B.C.D - - [08/Mar/2008:20:51:47 +0100] "GET /blog/ HTTP/1.1" 200 12557 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
He did follow the redirect from '/' to '/blog/'. It looks like that's the only link he followed though.
Perhaps that's because I'm an idiot and had a bad config for the blog. I run a test version on a local system, so I can play around with any changes I want to make. Those changes are tracked in a Mercurial repository, so if they're ok I can just push those to the server and update there. Unfortunately I also committed the config file changes I needed on the test setup to the live setup. As a result most links pointed to http://172.16.0.100 instead of to the real site. For obvious reasons that doesn't work too well for everyone but me.
It's a good thing no one reads this.
posted at: 01:09 | path: / | [ 0 comments ]
Sat, 08 Mar 2008
Strange visitors
I've been keeping an eye on my log files (which is easy considering I get about two hits a week) and I've seen some strange things:
- A.B.C.D - - [08/Mar/2008:09:42:26 +0100] "GET / HTTP/1.1" 301 313 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
Is there really someone out there still using Windows 98? It's probably a spammer harvesting e-mail addresses or something. Similar entries occur a few times, always with the same behaviour. He requests '/', which sends a redirect to '/blog/' but never follows it.
- A.B.C.D - - [06/Mar/2008:16:45:20 +0100] "GET http://thecric.free.fr/AZenv/azenv.php HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
  A.B.C.D - - [05/Mar/2008:10:33:52 +0100] "GET http://www.proxy.us.pl/azenv.php HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
I don't get these at all. I'd guess it's scanning for PHP software with known security problems but the domains don't make sense. A quick dig tells me they exist, but point to completely different IPs. The links exist but just return some information about my HTTP request for it. Is there a DNS server returning wrong IPs or something?
- A.B.C.D - - [04/Mar/2008:21:30:58 +0100] "GET /robots.txt HTTP/1.0" 404 287 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
Cool, I got indexed by Yahoo!. I've no idea where they got the URL for my site though. I submitted it to Google for indexing but I haven't seen their bot yet.
- A.B.C.D - - [06/Mar/2008:23:54:00 +0100] "GET / HTTP/1.1" 301 314 "-" "Mozilla/5.0 (Really Gmane.org's favicon grabber)"
Another indexer. This one also didn't follow the 301. I have no idea why Gmane.org wants my favicon, or why they think I'd have one.
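An added example (Python 3, not the author's code) that checks the two web-log patterns noted above mechanically. A request target in absolute form that names another host is what a client sends when it treats the server as a forward proxy, so those lines are listed first; the second result lists clients that were sent a redirect and never requested anything afterwards. `OWN_HOSTS` is a hypothetical site name and the sample lines are constructed from the entries above, with documentation IP addresses.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)

# Assumption: the names this server legitimately answers for (hypothetical).
OWN_HOSTS = {"blog.example.org"}

# Constructed sample modelled on the entries above; IPs are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Mar/2008:09:42:26 +0100] "GET / HTTP/1.1" 301 313 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
198.51.100.7 - - [06/Mar/2008:16:45:20 +0100] "GET http://thecric.free.fr/AZenv/azenv.php HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [08/Mar/2008:20:51:46 +0100] "GET / HTTP/1.1" 301 313 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [08/Mar/2008:20:51:47 +0100] "GET /blog/ HTTP/1.1" 200 12557 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

def analyse(log_text, own_hosts=OWN_HOSTS):
    """Return (proxy_style, unfollowed) for a chronologically ordered log.

    proxy_style: (client, requested_host, status) for absolute-form targets
                 that name a host this server does not serve.
    unfollowed:  clients that got a 3xx and made no later request.
    """
    proxy_style, redirected, came_back = [], {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, target = m["host"], m["target"]
        url = urlsplit(target)
        # An origin server normally sees "/path"; "http://other-host/..." is
        # the request form meant for a forward proxy.
        if url.scheme in ("http", "https") and url.hostname not in own_hosts:
            proxy_style.append((client, url.hostname, int(m["status"])))
        elif m["status"].startswith("3"):
            redirected.setdefault(client, target)
        elif client in redirected:
            came_back.add(client)
    unfollowed = sorted(c for c in redirected if c not in came_back)
    return proxy_style, unfollowed
```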
The mail server logs only have a few interesting things:
- Feb 20 13:13:59 mars postfix/smtpd[3673]: connect from D-C-B-A.dynamic.hinet.net[A.B.C.D]
  Feb 20 13:14:00 mars postfix/smtpd[3673]: NOQUEUE: reject: RCPT from D-C-B-A.dynamic.hinet.net[A.B.C.D]: 554 5.7.1 : Relay access denied; from= to= proto=SMTP helo=
I only installed the mailserver on 2008-02-19, and I get the first spammer trying to use it as a relay the next day. The MX records have been published a little longer though. Most of the spam seems to come from residential IPs (cable/dsl lines). I guess blacklisting those can be quite effective if you're running a server with more traffic than mine.
- Feb 20 19:13:56 mars postfix/smtpd[3730]: connect from A-B-C-D-adsl-tpe.dynamic.so-net.net.tw[A-B-C-D]
  Feb 20 19:13:56 mars postfix/smtpd[3730]: lost connection after CONNECT from A-B-C-D-adsl-tpe.dynamic.so-net.net.tw[A-B-C-D]
  Feb 20 19:13:56 mars postfix/smtpd[3730]: disconnect from A-B-C-D-adsl-tpe.dynamic.so-net.net.tw[A-B-C-D]
I see quite a few of these. Someone tries to connect and then closes the connection. Again, quite probably spam zombies but I have no idea what they're trying to do.
If you can offer a better explanation for any of these, let me know.
posted at: 12:33 | path: / | [ 0 comments ]
Mon, 03 Mar 2008
Belgian geeks and the future of the internet.
I stumbled across Scapy a while ago. I've been looking for a good place to use it since. Today I gave up and just threw together a little script to test DNS names for IPv6 entries. The blogs on planet.grep.be seemed like a good place to start. After all, Belgium's foremost bloggers should be the first to support IPv6.
There are 69 blogs registered on planet.grep.be. Guess how many have an IPv6 address. Go on, I'll wait while you're counting. All done? You're wrong. It's one. One.
Congratulations to 2002:6f8:303:1::1. I'm disappointed in the rest of you. More in some than others.
posted at: 22:31 | path: / | [ 1 comments ]
Sun, 02 Mar 2008
Ethereal FSD
A while back I wrote a plugin for Ethereal Wireshark to analyze the FSD protocol.
If you don't know what FSD is you don't care about this.
Anyway, if you're interested you can get the Mercurial repository or the tarball.
Feedback is welcome, as are patches.
posted at: 16:47 | path: /ivao | [ 1 comments ]
Frist posft!!
Just a placeholder until I'm calm or angry enough for a rant. That shouldn't take long...
posted at: 14:41 | path: / | [ 2 comments ]