Bash Code Injection Vulnerability aka ShellShock

September 28th, 2014

A recently discovered vulnerability in bash left many servers open to exploit.

There are many resources on the subject.

I ran into a problem where the vendors were not releasing updates for bash on RHEL4 / CentOS 4 boxes, with good reason, since RHEL 4 has been EOL since March 2012.

Unfortunately the fact that an OS is EOL does not solve the problems that arise in cases like these.

Many people have valid reasons for running outdated and unsupported OSes.

In any event, I needed a fix for the problem.

Attached you will find my source RPM for RHEL4 / CentOS4 systems that you can use to compile a patched version of bash.

I’ve included the patches for both CVE-2014-6271 and CVE-2014-7169.

For more details please see: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)

Download Patched Source RPM: bash-3.0-27.3.src.rpm

MySQL 5.1.x on Plesk 8.3 and later

August 3rd, 2010

I have upgraded MySQL to version 5.1.48 on a number of CentOS based servers running different versions of Plesk. The versions of Plesk ranged from 8.3.0 all the way to 9.3.0.

IMPORTANT: After the upgrade, run

mysql_upgrade --user=admin --password=`cat /etc/psa/.psa.shadow`

to ensure all the required tables for MySQL 5.1.x get created.

I also recommend running a

mysqlcheck --optimize --user=admin --password=`cat /etc/psa/.psa.shadow` --all-databases

to optimise all databases for MySQL 5.1.x after the upgrade completes.

It goes without saying, but it is a VERY GOOD IDEA to back up /var/lib/mysql before you start the upgrade process.

Please note that since MySQL 5.0.12, MySQL adheres to the SQL:2003 standard. This may break some SQL statements that appear to be valid and that worked perfectly in MySQL 4.x.

Lastly, I picked up one error with one database on one server, so far:

When clients try to access their database via “DB WebAdmin” in the Plesk control panel:

MySQL said: Documentation
Non-static method PMA_Config::isHttps() should not be called statically

The fix is simple and published at the following URLs:

Courier-IMAP 4.x and later with Plesk 8.3

August 3rd, 2010

I have not confirmed this problem in any version other than Plesk 8.3.0, simply because I have not had the time. :(

According to the Parallels forums and documentation, you should be able to upgrade the version of Courier-IMAP running on the server to any later version.

I however attempted to upgrade to Courier-IMAP 4.7.0 and 4.8.0 using authlib 0.6.3 with no success.

Then I read the following entry in the Courier-IMAP Changelog:

2004-11-05 Mr. Sam

* pop3dserver.c (main): Authenticated address is in AUTHENTICATED,
not AUTHADDR, now.

It would appear that this one change breaks the authpsa authentication module, so that one cannot implement later versions of Courier-IMAP on Plesk 8.3.0, since authpsa expects the authentication information in the AUTHADDR shell variable.

Courier-IMAP 3.0.8 on CentOS with Plesk

August 3rd, 2010

I ran into a problem where I wanted to recompile Courier-IMAP so that it can work with Plesk 8.3 on my CentOS server.

After a lot of searching to locate what is now a very outdated version of Courier-IMAP, I bumped into a problem while recompiling Courier-IMAP.

The error I received was:
In file included from authstaticlistsearch.c:9:
/usr/include/stdio.h:385: error: syntax error before ‘&&’ token

A bit of Googling led me to a February 2005 post on the atmail website, which I repeat below for ease of reference:

Patching Courier-IMAP for Fedora/Redhat non-RPM in

This article applies to @Mail Server installations only.

Description: The standard Courier-IMAP 3.0.8 distribution will not build on stock Fedora/Redhat systems. Compilation fails while building the authlib library, usually with an error message like:

In file included from authstaticlistsearch.c:9:
/usr/include/stdio.h:385: error: syntax error before ‘&&’ token

A review of the stdio.h file shows that no ‘&&’ symbols appear on or near line 385.

Solution: The courier-imap/authlib directory contains a file named ‘debug.h’ to support the debugging of authentication attempts against the Courier IMAP server. This file contains a C preprocessor macro named ‘dprintf’ that conflicts with the ‘dprintf’ function defined in glibc’s ‘stdio.h’. This conflict isn’t a problem so long as ‘#include <stdio.h>’ appears before ‘#include "debug.h"’ in the authlib source files. Unfortunately, this is not the case for files ‘authstaticlistsearch.c’, ‘authmoduser3.c’, ‘mod.h’, ‘authtest.c’, ‘debug.c’, and ‘authdaemon.c’.

To fix this problem, open these files in a text editor and move the ‘#include “debug.h”‘ line so that it is the last include directive. Make sure that you do not paste it into a ‘#if … #endif’ block. Once you have made these changes, the build process should succeed.

Weak password spammers via Plesk.

March 1st, 2010

Allowing users to change their own passwords makes life easy for the support staff but a nightmare for the system administrators.

Users will change their passwords to very weak passwords, like: password, qwerty, 12345, 123456, etc.

With such weak passwords one often runs into a situation where a spammer probes an email account and guesses the correct password, thereby allowing them to send out masses of spam via the account.

Sometimes the spammer makes use of CRAM-MD5 SMTP AUTHENTICATION to send out the email. In these cases, it is quite difficult to determine which email address was compromised.

It is however possible to figure it out with some detective work.

First, we will look at the qmail queue, usually the remote one, since spammers tend to send the spam out on the internet. We will then identify some of the spam emails and proceed to evaluate each of them.

You will need to view the content of the email. I like to use qmqtool on Plesk qmail-based servers. qmqtool is a powerful and simple companion tool for qmail.

Make a note of the IP addresses from where the spammer is connecting to your server. In all likelihood, this will be from a botnet or a compromised ISP network. We will call all these IPs the origin IPs. There could be a lot of them, and they could be from all over or from a few subnets. The principle for detection stays the same; you may just need to repeat it a few more times.

With the origin IPs, start logging the spammer’s traffic as follows:

tcpdump -s 0 -w spam-packets.log port 25 \
and host <origin IP>

or

tcpdump -s 0 -w spam-packets.log port 25 \
and net <origin IP> mask <netmask>

The above command will dump all the traffic between your server’s port 25 and the origin IP or network to a file called spam-packets.log. The -s 0 switch tells tcpdump to dump the full packet to the file.

Once you have captured sufficient packets, firewall all the origin IPs and/or networks.

Now the hard work starts.

We now need to analyse the captured packets.

The easiest way is to use the following command:

tcpdump -r spam-packets.log -vvv -XX -A | less

The command will play back all the captured packets in a human-readable format, well, sort of readable.

Now, try to isolate one of the flows. I found it the easiest to select the flow by the remote source port.

tcpdump -r spam-packets.log -vvv -XX -A \
port <remote_source_port> | less

We now need to find a challenge and response pair in the protocol code.

The easiest way is to search for “334 ” in the output; “334 ” is followed by a random 56 byte string. This 56 byte string is the challenge. See the example below:

334 PDIyNTk3LjEyNjczNzUxODdAaGF5ZXMuaG9zdDRhZnJpY2EuY29tPg==

The next packet should be another 56 byte random string, the response, being sent back from the remote to the server, as in the example below:


Now, using the challenge and response that you have located above in the data stream, you will be able to locate the email address causing the problem.
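An added example, not part of the original post: in CRAM-MD5 (RFC 2195) the client's reply is base64 of the account name, a space, and the hex HMAC-MD5 digest, so decoding the line that follows the 334 challenge names the account. The Python sketch below pairs challenges with responses in payload lines; the account, password and header noise in the sample are constructed, and reading the challenge as <pid.timestamp@host> is an assumption based on the challenge quoted above.

```python
import base64
import hashlib
import hmac
import re

# Challenge quoted in the post; everything else in the sample is constructed.
CHALLENGE_B64 = "PDIyNTk3LjEyNjczNzUxODdAaGF5ZXMuaG9zdDRhZnJpY2EuY29tPg=="
CHALLENGE_RE = re.compile(r"334 ([A-Za-z0-9+/]+={0,2})")
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
RESPONSE_RE = re.compile(r"^(\S+) ([0-9a-f]{32})$")
MSGID_RE = re.compile(r"^<(\d+)\.(\d+)@([^>]+)>$")  # assumed challenge layout


def decode_b64(token):
    """Return the ASCII text behind a base64 token, or None if it is not one."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers bad base64 and non-ASCII payloads
        return None


def cram_md5_response(user, password, challenge_b64):
    """RFC 2195 client reply, used here only to build the constructed sample."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def find_cram_md5_logins(lines):
    """Pair each '334 <challenge>' with the next line decoding to '<user> <32 hex>'."""
    logins, challenge = [], None
    for line in lines:
        match = CHALLENGE_RE.search(line)
        if match:
            challenge = decode_b64(match.group(1))
            continue
        if challenge is None:
            continue
        for token in TOKEN_RE.findall(line):
            response = RESPONSE_RE.match(decode_b64(token) or "")
            if response:
                msgid = MSGID_RE.match(challenge)
                logins.append({
                    "user": response.group(1),  # sent base64-wrapped, not encrypted
                    "issued_at": int(msgid.group(2)) if msgid else None,
                    "server": msgid.group(3) if msgid else None,
                })
                challenge = None
                break
    return logins


def sample_flow():
    """Constructed payload lines for one flow, with tcpdump -A style header noise."""
    return [
        "E..<..@.@.....AUTH CRAM-MD5",
        "E..p..@.@.....334 " + CHALLENGE_B64,
        "E..x..@.@....." + cram_md5_response("info@example.com", "qwerty", CHALLENGE_B64),
        "E..D..@.@.....235 go ahead",
    ]


if __name__ == "__main__":
    print(find_cram_md5_logins(sample_flow()))
```

The issued_at value is a Unix timestamp, which helps match the login against the mail server's own logs for the same second.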

webmailmng Strange error

January 16th, 2010

After applying hotfix 1 for Plesk 9.2.3, we started experiencing strange problems with webmail, in our case atmail, but it may apply to horde as well, on the server.

A typical example of an error would be:

Unable to get options for atmail webmail

Looking at the files installed by the hotfix, you will notice that the hotfix installs a new copy of:


which is why the problem starts.

There is a BUG in the newer /usr/local/psa/admin/sbin/webmailmng

Instead of trying to access the config files in


the new version now looks for a config file in


My quick workaround is simply to make /etc/psa-webmail/atmail/ a symbolic link to /etc/psa/webmail/atmail/, which seems to temporarily solve the problem.

The permanent fix is apparently to upgrade to Plesk 9.3.0, which was available at the time of writing.

Auto reboot on kernel panic

January 11th, 2010

I ran into a machine that for some unexplained reason would hit a kernel bug and then get a kernel panic.

This usually left the machine in an unusable state, requiring a reboot.

After some googling, I found an answer.

Kudos to Vivek Gite from for his post

Below are the important bits:

Edit /etc/sysctl.conf file

# vi /etc/sysctl.conf

The setting below instructs the kernel to reboot 10 seconds after a kernel panic occurs

kernel.panic = 10

It is of course possible to make the 10 seconds as long as you need.

Save the file and apply the setting.

# sysctl -p

Strange MySQL error

December 2nd, 2009

While upgrading to Plesk 9.2.3 on one of my non-production servers, the Plesk upgrade process failed with the following error:

MySQL query failed: Got error -1 from storage engine

I was stumped by this error initially, since searching on the Plesk forums and Google, did not really yield any results.

I finally stumbled across a post by Derick Ng on Planet CakePHP, in which the same problem was described. Kudos to the poster for making the information available.

Bottom line is that I used the non-production server to do an InnoDB database recovery and the MySQL server was still setting the InnoDB engine into recovery mode. While the InnoDB engine is in recovery mode, you cannot add data to the InnoDB tables.

Check for innodb_force_recovery in your my.cnf

vi Reference Card

December 2nd, 2009

This is a vi cheat sheet, showing most of the common vi functions. I found myself every now and again forgetting some of the common functions that I do not use every day. This document, which is copyrighted by its author, helped me out a few times.

Get the vi Reference Sheet.

Duplicate RPM entries

November 9th, 2009

I was seeing duplicate RPM entries for almost all the installed RPMs on my new x86_64 server running CentOS 5.3

After a bit of reading I found out that it is due to the i386 and x86_64 libraries being installed on my 64-bit machine.

A little more reading later and I found the solution, which is simply to specify a different query format for RPM

vi /etc/rpm/macros

%_query_all_fmt %%{name}-%%{version}-%%{release}.%%{arch}

Plesk 9.2.x & tomcat5

September 12th, 2009

The startup scripts for tomcat5 on Plesk 9.2.x for Linux are broken on both 32-bit and 64-bit platforms, at the very least for CentOS 5.

The fix is trivial.

Set the JAVA_HOME variable in the /etc/tomcat5/tomcat5.conf file as well as the /etc/sysconfig/tomcat5 file.

Apply the following fix to the /usr/bin/dtomcat5 script.

Around line 67 of the file it should read:

if [ -z "$CATALINA_HOME" ]; then

Change the above code, by adding one line, so it reads as follows:

if [ -z "$CATALINA_HOME" ]; then
    . "${TOMCAT_CFG}"

Testing the change can be achieved by running the following command:

tomcat5 version

It should produce output similar to the information below:

Using CATALINA_BASE: /usr/share/tomcat5
Using CATALINA_HOME: /usr/share/tomcat5
Using CATALINA_TMPDIR: /usr/share/tomcat5/temp
Server version: Apache Tomcat/5.5.23
Server built: Jul 27 2009 05:24:08
Server number:
OS Name: Linux
OS Version: 2.6.18-128.7.1.el5
Architecture: amd64
JVM Version: 1.6.0-b09
JVM Vendor: Sun Microsystems Inc.

Strange FrontPageAlias() problem on Plesk ….

December 17th, 2008

The FrontPage hit counter for a site was not working. I kept on getting the following error in the log file of a domain that has FrontPage enabled:

Incorrect permissions on webroot “/var/www/vhosts/” and webroot’s _vti_pvt directory in FrontPageAlias().

Changing to the website’s httpdocs directory and running the command below, fixed the problem.

chgrp psaserv _vti_pvt

Thank you goes to zymsys

Redirecting outgoing traffic ….

December 15th, 2008

It may become necessary to redirect some outgoing traffic to a different IP address from time to time ….

Recently the route to a mail server became unreachable from our mail server and we had to route traffic via an alternative relay server.

I achieved this using the trusty old iptables.

Here is the rule:

iptables -t nat -A OUTPUT -d <OriginalDestinationIPAddress> -p tcp --dport <OriginalDestinationPort> -j DNAT --to-destination <NewDestinationIPAddress>:<NewDestinationPort>

sqlite version 2.8.x and PHP 5.2.x

August 21st, 2008

It seems straightforward if you read the PHP manual …. just do a pecl install sqlite …. but most things in life are not that simple. :( The above command gave me the following error:

../SQLite-1.0.3/sqlite.c:56: error:
‘BYREF_NONE’ undeclared here (not in a function)
../SQLite-1.0.3/sqlite.c:56: error:
‘BYREF_FORCE’ undeclared here (not in a function)
../SQLite-1.0.3/sqlite.c:125: warning:
initialization from incompatible pointer type
../SQLite-1.0.3/sqlite.c:126: warning:
initialization from incompatible pointer type
make: *** [sqlite.lo] Error 1
ERROR: `make’ failed

Thanks to a post I found on, I can post the solution below:

PHP 5 is compiled with "--without-sqlite".

Start with installing php-pecl-sqlite

$ pear download sqlite
$ wget -q

then unpacked and began to compile it

$ tar zxvf SQLite-1.0.3.tgz
$ cd SQLite-1.0.3
$ phpize
$ ./configure
$ make

make failed here with some offset error

edit sqlite.c, comment out the following line:
/* static unsigned char arg3_force_ref[] = {3, BYREF_NONE, BYREF_NONE, BYREF_FORCE }; */

And then change these lines

function_entry sqlite_functions[] = {
PHP_FE(sqlite_open, arg3_force_ref)
PHP_FE(sqlite_popen, arg3_force_ref)

to

function_entry sqlite_functions[] = {
PHP_FE(sqlite_open, third_arg_force_ref)
PHP_FE(sqlite_popen, third_arg_force_ref)

$ make
$ make install
$ service httpd restart

Ubuntu 8.04 Hardy and the HP LaserJet 1020

May 10th, 2008

I installed a copy of Ubuntu 8.04 tonight. It is a lovely piece of software to say the least. Almost everything worked out-of-the-box. Unfortunately it did not want to print to my HP LJ 1020. Luckily a search on Google quickly revealed a solution:

On Hardy Heron it is no longer necessary to install the drivers from since it installs the correct drivers and HP programs. It’s only necessary to download the printer’s firmware, since Ubuntu can’t deliver it because of license and/or patent restrictions. At a terminal, as root (or using sudo), just type:

# hp-setup (as root)


$ sudo hp-setup (as sudoer)

and follow the wizard. It’s straightforward. :)

A big thank you goes to Danpros for the info in this post.

Law of Logical Argument

May 8th, 2008

I was reading an article on some site and read the following phrase. I thought it is so appropriate that I had to include it in my blog.

Law of Logical Argument:
Anything is possible if you don’t know what you are talking about.

PHP 5.2.5 and Plesk 8.1.x and Plesk 8.2.x …

December 10th, 2007

Oops, the latest version of PHP breaks a few things on Plesk 8.1.x and Plesk 8.2.x installations. It probably affects other installations as well, but I stopped testing since I was only interested in Plesk 8.2.x and later.

According to atomicrocketturtle the problem will be fixed in Plesk 8.3. We will just have to wait and see.

On rackerhacker‘s blog I found a very elegant solution to the problem that was provided by Kevin M.

I repeat the entry from rackerhacker‘s blog:

There’s a few issues with PHP 5.2.5 and the version of Horde that is bundled with Plesk 8.1.x and 8.2.x. The PHP include paths that appear in the Apache configuration generated by Plesk conflict with the PHP installation, and that causes the Horde webmail interface to segmentation fault.

To fix the problem, create a file called /etc/httpd/conf.d/zz050a_horde_php_workaround.conf and put the following inside it:

<DirectoryMatch /usr/share/psa-horde>
php_admin_value include_path "/usr/share/psa-horde/lib:/usr/share/psa-horde:/usr/share/psa-horde/pear:."
</DirectoryMatch>

Reload the Apache configuration and your Horde installation should work properly with PHP 5.2.5.

Freeing some file descriptors in Plesk 8.2.0 and later …

December 10th, 2007

Finally, SWSoft has come to the party and added piped logging into the Plesk configuration. This is simply fantastic since it has enabled me to run many more websites on a shared hosting server. Yay!!

To enable piped Apache logs, do the following:

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "replace into misc (param,val) values ('apache_pipelog', 'true');"
# /usr/local/psa/admin/sbin/websrvmng -v -a

A big “thank you” goes to Racker Hacker for this piece of information.

WAP access

December 1st, 2007

You are welcome to access this blog via your WAP browser on your cellphone.

The WAP URL is: (This link will not work in a normal non-WAP enabled browser.)

Urrgghh …. FrontPage!

December 1st, 2007

10 December 2007: I have not been able to get this solution to work at all, even though mod_frontpage is compiled against Apache 2.2.

20 December 2007: I have found enough time to spend hours on debugging the problem and I have successfully been able to get mod_frontpage working on my CentOS 5 server running Plesk 8.2.1 and Apache 2.2. I have updated the article below where needed.

As most of you are aware, Microsoft FrontPage (FP) has long ago reached its end-of-life. Microsoft no longer distributes FrontPage or FrontPage Server Extensions (FPSE). Now, this may be all well enough and most of us understand why. The problem unfortunately lies with the user base. Many people still use and rely on the old outdated versions of Microsoft FrontPage.

SWSoft stopped shipping FPSE as of Plesk version 8.1.0. The last version of FPSE that I could locate was in version 8.0.1 of Plesk.

Version 8.0.1 was also never released for CentOS5 or Red Hat Enterprise Linux 5 (RHEL5), which means that there are effectively no RPMs for FPSE that were compiled against Apache 2.2.x.

This effectively meant that you had to search for an OLD copy of fp50.lin.tar.gz and compile it yourself. Not the most ideal solution.

Enter, crash. crash provided the solution to the problem on SWSoft’s forum. I will be repeating most of crash’s post below.

You will need one of the older SWSoft FPSE RPM’s. I used frontpage-5.0-72psa.centos4.2 and frontpage-5.0-72psa.rhel4. The RPMs are located in the Plesk 8.0.1 .tar.gz file, in the ./opt/fp directory.

You will need to install one of the above RPM’s onto your system.

Once installed, do the following:

cd ~
mkdir frontpage-5.0
cd frontpage-5.0
cp -afr /usr/local/frontpage .
cd ..
tar -czvf frontpage-5.0.tgz ./frontpage-5.0/

You should now have a frontpage-5.0.tgz file, that will be used.

crash provided the following patches to have mod_frontpage compile against Apache 2.2.x. (The patches should allow you to compile mod_frontpage against Apache 2.0.x or Apache 2.2.x [There are a few tiny differences])

Download the patches: FrontPage Server Extension Patches for CentOS5 and Apache 2.2.x (The file was updated on 20 December 2007)

You need to have the httpd-devel RPM installed. yum install httpd-devel, will usually be sufficient.

Now do the following:

cd /usr/src/redhat
tar zxvf mod_frontpage-patches.tgz
rpmbuild -bb frontpage.spec

If all goes well, the RPM build process should complete without any errors and you will have a brand new RPM to install FPSE with on CentOS5/RHEL5.

Credit to crash’s post. I discovered a few bugs in the patches originally provided by crash.

A few tips:

  1. If you installed the SWSoft RPM, you need to remove the mod_frontpage entry from the LoadModules section in the /etc/httpd/conf/httpd.conf file. If you do not, Apache will complain that mod_frontpage is already loaded when you restart Apache.
  2. I have commented out the last 3 lines from /etc/httpd/conf.d/mod_frontpage.conf. Plesk already caters for this in the httpd.include file in each vhost.
  3. FrontPage Administration Pages only work in Internet Explorer, or at least for me.
  4. The FrontPage Server Extensions are EXTREMELY sensitive to file permissions.