Monday, December 31, 2007

Trojan Win32.Murlo - last 2007 fake trojan from Zlob family?

Trojan Win32.Murlo - we believe it's the last imaginary trojan horse generated by the IEDefender and FilesSecure misleading programs. They show Trojan Win32.Murlo detection reports as their scan results to scare users and force them to purchase "full" versions of these dummy anti-spyware programs.

Trojan.Win32.Murlo is a relentless malware infection that is the latest of the rogue anti-spyware programs on the net today. Initially, Trojan.Win32.Murlo will present a pop up box alerting the user to the following message:
“Critical System Error! Your computer was infected by Trojan.Win32.Murlo It’s dangerous for your system, some files can be lost and your browser can be slow! Click OK to download the antispyware program to clean your computer! (Recommended)”
The incessant pop-ups that Trojan.Win32.Murlo presents advertise for IEDefender which is a fake spyware application that causes even more damage to your system. Ultimately and like many other rogue anti-spyware infections, Trojan.Win32.Murlo tries to convince the user into purchasing a license for IEDefender and will not let up until you do. If you have the Trojan.Win32.Murlo infection on your PC, follow the link below for removal of this infection.
www.spywarenotice.com
Manual removal instructions for Win32.Murlo are the same as for Trojan.win32.BHO.aqz.
You can remove Trojan Win32.Murlo and all other spyware using Spyware Doctor Premium anti-spyware with 100% free scan.


Friday, December 28, 2007

Trojan - Win32/Qoologic - new imaginary trojan from FilesSecure

Trojan - Win32/Qoologic - critical system error is a fake message generated by the FilesSecure rogue to trick users into buying its full version.
Trojan - Win32/Qoologic is an imaginary Trojan name used to threaten and trick users into buying the rogue anti-spyware application Files Secure. The user gets infected after downloading a video codec that infects the computer with a nasty Trojan. This Trojan then displays false warning messages stating "Your PC is infected by Trojan - Win32/Qoologic" and recommends downloading a program (most probably Files Secure) which will "remove" this parasite. However, in reality Files Secure will not fix your PC but might actually expose you to more security threats.
www.spywareremove.com
You can remove this dangerous parasite using Spyware Doctor spyware remover with free scan. Also you can try to use the manual removal instructions (at your own risk).


Manual removal instructions - the same as for Trojan.win32.BHO.aqz.

Sunday, December 23, 2007

Trojan.win32.BHO.aqz Removal - Trojan.win32.BHO variants

Trojan.win32.BHO.aqz (and variants) is a real trojan horse that often installs malicious toolbars using browser security backdoors. But some programs (IeDefender, Files Secure) display a Trojan.win32.BHO.aqz fake detection message as their scan/detection result. Trojan.win32.BHO.aqz may also be distributed by a new bogus codec.
You can repair your computer manually, but this may mean searching your PC’s folders and registry for hours for Trojan.win32.BHO.aqz hidden files. To save time, you can automatically scan your PC with Spyware Doctor for Trojan.win32.BHO.aqz and other spyware parasites.

Trojan.win32.BHO variants:
Trojan.Win32.BHO.zn
Trojan.win32.BHO.aqz
Trojan.win32.BHO.bfs
Trojan.Win32.BHO.hn
Trojan.Win32.BHO.g
Trojan.Win32.BHO.r
Trojan.Win32.BHO.abo
Trojan.win32.bho.hj
Trojan.Win32.BHO.ab
Trojan.Win32.BHO.bd
Trojan.Win32.BHO.DBU
Trojan.Win32.BHO.yr
Trojan.Win32.BHO.kd

Trojan.win32.BHO manual removal instructions:
Remove Trojan.win32.BHO.aqz registry values:

Unregister and remove Trojan.win32.BHO.aqz dll's:


Friday, December 21, 2007

Leosrv toolbar - another Zlob BHO

Leosrv toolbar is another Zlob related Browser Helper Object that may damage your computer and compromise your privacy and security. It is recommended to remove this malware from your PC.

To remove Leosrv toolbar manually, delete these registry subkeys:

HKCR\CLSID\{14E52265-CCA3-4F78-A21B-88F4EE6E78C1}
HKCR\Interface\{6E9078DA-0C69-47B0-9637-2734104BD217}
HKCR\TypeLib\{5328D226-7057-4B06-9E4A-7829BFA7CA78}
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{14E52265-CCA3-4F78-A21B-88F4EE6E78C1}
HKCR\leosrv.ToolBar.1\CLSID {14E52265-CCA3-4F78-A21B-88F4EE6E78C1}
HKCR\leosrv.bkwo\CLSID {14E52265-CCA3-4F78-A21B-88F4EE6E78C1}
HKCR\leosrv.ToolBar.1
HKCR\leosrv.bkwo

Use Spyware Doctor antispyware to remove Leosrv toolbar automatically:


Leosrv toolbar remover with free scan


The Leosrv Toolbar is another clone of all the previous Zlob virus toolbars. Same function as the previously named The Voipwet Toolbar. Common distribution method of The Leosrv Toolbar is by the Smart Video Codec trojan. The Leosrv Toolbar displays fake alerts, warnings and links to rogue anti-spyware products. Four icons and text are present within The Leosrv Toolbar – Remove Popups, Scan Spyware, Security Test, & Spam Protection. All icons lead to rogue security products.
www.spywarenotice.com

Tuesday, December 18, 2007

Ubuntu Bashing Continued

It has been a while since I upgraded and subsequently wrote about my experience of upgrading Ubuntu 7.04 to Ubuntu 7.10. I gave Ubuntu 7.10 the good old college try, but have to report that I am now back to my FreeBSD Laptop.

The primary issues that I had with Ubuntu 7.10 had to deal with wireless networking. The connection speed would never exceed 23mbps and even when the driver stated that it was connected at 23mbps I could not achieve throughput of more than 5mbps, even with the laptop sitting 5' from the AP. The second, and most irritating, issue with the wireless networking setup of Ubuntu 7.10 was the consistent disconnects and intermittent reconnects. Often it would not reconnect and I would have to reboot and piss with it for 30 minutes before it would inexplicably reconnect. Of course this started to remind me of M$ reboots and I had to immediately remediate the situation with ufs and FreeBSD!


At first I thought that this was potentially related to the Broadcom 43XX chipset in the test laptop. I then tested with different Intel (non proprietary) wireless cards and different APs. An additional reason that I tested with different access points was due to the range limitation that I was experiencing with Ubuntu 7.10. I was only able to get to roughly 30' from the AP before I would lose signal.

The combination of these three wireless issues, in addition to the upgrade pain, led me to flatten the system and slap FreeBSD 6.2 REL onto it. That said, I am now back into my comfort zone of *BSD. I will also say that I have loaded the Broadcom 43xx windows driver using ndis and that I now have full 54mbps connectivity and a range of greater than 50' from the same APs that I had less than 30' with Ubuntu 7.10.

So, to conclude and finish this mild rant, I think that the new Ubuntu 7.10 is a decent distro overall "for the click brigade" but I also think that more time should have been put into the guts as opposed to the shininess of the whole thing. Of course, if you read some of my previous postings about the shininess setup issues that I experienced out of the box with Ubuntu 7.10....then perhaps they should have put more time into that as well.

Previous articles:
Ubuntu 7.04 to 7.10 Upgrade Notes Pt. 1
Ubuntu Upgrade to 7.10 Strike 2
Ubuntu Upgrade....or not (with compiz)

Cheers,
JJC

VirusProtect review. How to remove VirusProtect infection?


Friday, December 14, 2007

Trojan.Win32.LinkReplacer - new fake trojan

Trojan.Win32.LinkReplacer is the latest warning message to be displayed via the IE Defender rogue anti-spyware. Trojan.Win32.LinkReplacer is the threat name that replaced Trojan.Win32.Obfuscated and Trojan.win.32.agent.akk.


The manual removal process is the same as for Trojan.Win32.Obfuscated (previous post).
We recommend using an automatic removal tool (Spyware Doctor), a legitimate and powerful spyware cleaner. It will easily remove Trojan.Win32.LinkReplacer and other threats.

Thursday, December 13, 2007

InProtect Update...

And a few operational notes....

We are working hard to get out the next RC for your scanning pleasure. In the meantime, please continue the use and bug reporting, it's been great thus far!

Now, as to a big bug and how to properly handle it. In previous versions of InProtect you were able to control the number of scans with the max_scans value in the Nessus Servers configuration dialogue. Unfortunately, with the modification of the nessus_run.pl script to streamline the scanning process, the max_scans variable does not properly control the actual scans being processed by the scanner. A simple example is as follows:

Let's say you schedule a scan with 60 hosts (IP addresses) to be scanned and have limited the Nessus Scanner Max_Scans setting to a maximum of 10 concurrent scans on said server. When this scheduled scan starts to run it will start out with 10 scans; once those begin to complete it will immediately say that it's running 20 scans, then 30 and so on.

To remediate this issue, you need to do a couple of things. First, kill your sched.pl process so that we can clean up the database (if the console still shows multiple scans running while none are actually running, check with "ps -auxxx | grep nessus"). Once this is complete, look in your Inprotect database under the nessus_scan table for any record with a value of 'R' in the status field:
select * from nessus_scan where status='R';
If you find that you do have records with 'R' as their status, set them to 'C':
UPDATE `inprotect`.`nessus_scan` SET `status` = 'C' WHERE `status` = 'R';
You will also need to reset the current_scans value in the nessus_servers table:
UPDATE `inprotect`.`nessus_servers` SET `current_scans` = '0';
After completing these steps you can start your sched.pl up again. As another note, you may want to set all of the status values to 'C' just to clean up that table; once you restart sched.pl it will clean out all of the 'C' status scans and set their main schedule back to a scheduled status.

Now that we have cleaned up the remnants of the aforementioned bug, lets go ahead and talk about the current workaround. This workaround is fairly straightforward and consists of two simple modifications to your scan profile and your nessus server settings. First, let's get into the InProtect GUI and select Settings -> Nessus Servers -> Edit, at this point we will be modifying the value for Max number of hosts to scan and setting it to an extremely high number such as 10000 or more.


The next part of this workaround is to define the maximum hosts that will be scanned in the actual scan profile. This will tell the nessusd server itself how many scans it is allowed to run at the same time. Select Settings -> Nessus Scan Profiles -> Edit your existing default profile -> Preferences; under the serverprefs section are the options max_checks and max_hosts. The max_checks value defines the number of tests to be run concurrently against a single host and max_hosts defines the maximum number of hosts that the nessusd server will scan concurrently. As you can see by the below image, I have set my default values to 4 checks and 10 hosts.


Regards,
JJC

Wednesday, December 12, 2007

Trojan.Win32.Obfuscated Removal

Trojan.Win32.Obfuscated is a new dangerous trojan horse that may compromise your privacy and security.
"Trojan.Win32.Obfuscated is a relentless malware infection that is the latest of the rogue anti-spyware programs on the net today. Initially, Trojan.Win32.Obfuscated will present a pop up box alerting the user to the following message: “Your browser was infected by Trojan.Win32.Obfuscated.gx You need to clean your system immediately, in other case it can be crashed soon! Click OK to download the high-tech anti spyware protection software! (Recommended)” The incessant pop-ups that Trojan.Win32.Obfuscated presents advertise for IEDefender which is a fake spyware application that causes even more damage to your system. Ultimately and like many other rogue anti-spyware infections, Trojan.Win32.Obfuscated tries to convince the user into purchasing a license for IEDefender and will not let up until you do. If you have the Trojan.Win32.Obfuscated infection on your PC, follow the link below for removal of this infection."
www.spywarenotice.com

Automatic Removal Tool:

Manual Removal Instructions:
Remove Win32.Obfuscated registry entries:


Delete Win32.Obfuscated files and unregister dll's:


Monday, December 10, 2007

managing snort rulesets cont...

I need to amend my previous posting about the usage of Oinkmaster to automate and manage your Snort rules. I had added to the simple script a command that updates the sid-msg.map in a fairly unclean way. There is, in fact, included within the /contrib of Oinkmaster a nifty little script called create-sidmap.pl. This script reads all of the rules from the rules path that you specify and generates sid-msg.map output that can be redirected into a clean sid-msg.map file.

The location in my original posting that should be changed is highlighted here:
secure2# vi /usr/local/bin/autooinkall.sh
#! /bin/sh
#
# simple script to run oinkmaster and obtain bleeding threat updates
# in addition to the regular snort.org updates
#
/usr/local/bin/oinkmaster -o /usr/local/etc/snort/rules/
/usr/local/bin/oinkmaster -C /usr/local/etc/oinkmaster-bleeding.conf -o /usr/local/etc/snort/rules/
cat /usr/local/etc/snort/rules/bleeding-sid-msg.map >> /usr/local/etc/snort/rules/sid-msg.map
/bin/kill -HUP `cat /var/run/snort_em1.pid`
/bin/kill -HUP `cat /var/run/by.pid`
This should be changed to /path/to/your/create-sidmap.pl /path/to/rules/ > /usr/local/etc/snort/rules/sid-msg.map so that the whole thing looks like the following:
secure2# vi /usr/local/bin/autooinkall.sh
#! /bin/sh
#
# simple script to run oinkmaster and obtain bleeding threat updates
# in addition to the regular snort.org updates
#
/usr/local/bin/oinkmaster -o /usr/local/etc/snort/rules/
/usr/local/bin/oinkmaster -C /usr/local/etc/oinkmaster-bleeding.conf -o /usr/local/etc/snort/rules/
/usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/rules/sid-msg.map
/bin/kill -HUP `cat /var/run/snort_em1.pid`
/bin/kill -HUP `cat /var/run/by.pid`
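As an added illustration (not code from the post or from the Oinkmaster project), here is a shell equivalent of what create-sidmap.pl does, regenerating the map from the rules themselves, plus a check for the duplicate sid entries that the old "cat >>" line accumulates on every run. The rules files and directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: regenerate sid-msg.map from .rules files (what create-sidmap.pl does)
# and detect duplicate sids in an existing map before snort is HUP'ed.

make_sample_rules() {  # $1: directory to fill with constructed .rules files
  cat > "$1/snort.rules" <<'EOF'
# CONSTRUCTED sample, not a real snort.org rule set
alert tcp any any -> any 80 (msg:"CONSTRUCTED local web test"; content:"GET /evil"; sid:1000001; rev:1;)
# alert tcp any any -> any 80 (msg:"CONSTRUCTED disabled rule"; sid:1000002; rev:1;)
EOF
  cat > "$1/bleeding.rules" <<'EOF'
# CONSTRUCTED sample; sid 1000001 is repeated here on purpose (overlapping rule sets)
alert udp any any -> any 53 (msg:"CONSTRUCTED bleeding test"; sid:2000001; rev:2;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED local web test"; content:"GET /evil"; sid:1000001; rev:1;)
EOF
}

build_sidmap() {  # $1: rules directory; stdout: "sid || msg" lines, one per sid, sorted numerically
  awk '
    /^[ \t]*#/ { next }                               # commented-out rules are not active
    match($0, /msg:[ \t]*"[^"]*"/) {
      m = substr($0, RSTART, RLENGTH)
      sub(/^msg:[ \t]*"/, "", m); sub(/"$/, "", m)
      if (match($0, /sid:[ \t]*[0-9]+/)) {
        s = substr($0, RSTART, RLENGTH)
        sub(/^sid:[ \t]*/, "", s)
        if (!(s in seen)) { seen[s] = 1; print s " || " m }   # first definition of a sid wins
      }
    }
  ' "$1"/*.rules | sort -n
}

sidmap_has_duplicates() {  # stdin: a sid-msg.map; exit 0 if some sid appears more than once
  awk -F' [|][|] ' '{ if (seen[$1]++) dup = 1 } END { exit !dup }'
}

# Stand-alone demo: build the map once, then show why appending on every run is unclean.
demo_dir=$(mktemp -d)
make_sample_rules "$demo_dir"
build_sidmap "$demo_dir" > "$demo_dir/sid-msg.map"
cat "$demo_dir/sid-msg.map"
build_sidmap "$demo_dir" >> "$demo_dir/sid-msg.map"   # second run, appended like the old cat >> line
if sidmap_has_duplicates < "$demo_dir/sid-msg.map"; then
  echo "appended map now carries duplicate sids; regenerate it instead of appending"
fi
rm -rf "$demo_dir"
```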
Regards,
JJC

Sunday, December 9, 2007

BestSellerAntiVirus - AvSystemCare twin

"BestSellerAntivirus is a rogue anti-spyware program that can get inside your computer through a trojan without you being aware of it. BestSellerAntivirus can be also installed manually from www.bestsellerantivirus.com. Once inside your system, BestSellerAntivirus will show fake security messages that your computer system is in danger and will ask you to download and pay for the full BestSellerAntivirus version in order to eliminate the threat. BestSellerAntivirus can secretly install other spyware applications to steal your personal data and track computer activity."
Fix slow computer

BestSellerAntiVirus and AVSystemCare have the same interface

You can easily remove BestSellerAntiVirus using XoftSpy SE anti-spyware from Paretologic.
Download the latest version of Spyware Doctor for free right now. Within just a few minutes you will be able to completely clean your computer of BestSellerAntiVirus and other threats! Your computer will be clean and will run a lot faster - your privacy will be protected!

BestSellerAntivirus Removal Tool with FREE scan

Saturday, December 8, 2007

How to Remove Webpagesupdates.com (Zlob) hijacker

Webpagesupdates.com is a dangerous hijacker that comes from Trojan.Zlob spyware. These kinds of hijackers display a fake warning message, such as the W32.Myzor.fk@yf warning, to push you into purchasing the paid version of rogue security applications (for example VirusProtectPro, MalwareBurn, VirusRanger and so on). Once Trojan.Zlob is installed, it drops many spyware applications to hijack your homepage. Not only this, it also displays fake flashing warning alerts in your system tray.

You can easily remove Webpagesupdates.com hijacker using Spyware Doctor anti-spyware with free scan.

Webpagesupdates.com Windows XP Variant


Webpagesupdates.com Windows Vista Variant


Webpagesupdates.com Removal Tool

Friday, December 7, 2007

Trojan.win.32.agent.akk Removal.

Trojan.win.32.agent.akk is a new fake spyware detection from the Zlob trojan family.
If your computer is infected with this crap, your privacy and security may be in danger!
Trojan.win.32.agent.akk will try to install another misleading application, the IEDefender rogue antispyware. It will generate fake spyware detection reports forcing users to buy the IEDefender "full version".



You can remove it using Spyware Doctor spyware remover with 100% free scan!

Wednesday, December 5, 2007

Voipwet Toolbar - new Browser Helper Object affiliated with Zlob.Trojan

"The Voipwet Toolbar is another clone of all the previous Zlob virus toolbars. Same function as the previously named The Hdtip Toolbar. Common distribution method of The Voipwet Toolbar is by the Rich Video Codec trojan. The Voipwet Toolbar displays fake alerts, warnings and links to rogue anti-spyware products. Four icons and text are present within The Voipwet Toolbar – Remove Popups, Scan Spyware, Security Test, & Spam Protection. All icons lead to rogue security products.
Another common symptom of The Voipwet Toolbar is a thin yellow bar that appends itself to the top of the search results page. The message: “Warning: possible spyware or adware infection! Click here to scan your computer for spyware and adware…” The Voipwet Toolbar will also drop voip.wet.dll into the system registry"
SpywareNotice

Download Spyware Doctor anti-spyware with 100% free scan to get rid of Voipwet Toolbar

Tuesday, December 4, 2007

AntiSpy Pro - new IEDefender!? AntiSpyPro removal tool


If your computer is already infected with this parasite, use Spyware Doctor with absolutely free scan. It can easily remove AntiSpy Pro from your system!

Information from AntiSpy Pro web-site:
"AntiSpy Pro was designed from the core as a single, highly-optimized engine that works as a unified Anti-Threat system to protect against a broad spectrum of malware. Viruses, worms, spyware, and other malicious attacks, which are constantly evolving. We detect tomorrow's threats in real-time, by analyzing code execution for malicious intent - keeping you ahead of the malware-writers."

Remember that AntiSpy Pro is a dangerous rogue anti-spyware. It can damage your computer!
Never download this malware!
MalwareBytes security specialists say that AntiSpyPro has or soon will replace IEDefender.

Monday, December 3, 2007

HeX 1.0.1R LiveUSB Image

After receiving numerous requests to create a HeX Live USB Key Image, I have completed it. This image includes all of the standard tools that you will find on HeX and is writable; so you can update things (signatures etc), make changes and so on.

To use this tool, simply download it from the below location, decompress it and use dd to place it onto your USB Key. If you are not familiar with the dd syntax it's quite simple really; dd if=/path/to/extracted/hex-i386-1.0.1.usb.img of=/dev/da0 (your USB device). Note, that you should not dd this to a mounted partition, it will not work. You need to dd onto a USB Key that you don't mind losing the data on, because this will overwrite everything on that key. You can create a small partition after the dd (this of course assumes that you know how to do this, leaving the existing partition in-place) and have that to write data to etc...

This image does require a minimum 2G key (actually uses 1.75G), and has no minimum memory requirements (other than standard fbsd and X requirements).

https://secure.redsphereglobal.com/data/tools/security/live/hex-i386-1.0.1.usb.img.gz
http://secure.redsphereglobal.com:8080/data/tools/security/live/hex-i386-1.0.1.usb.img.gz
MD5 (hex-i386-1.0.1.usb.img.gz) = cd7489ba0a2a1fe824d286c72eee6842
SHA256 (hex-i386-1.0.1.usb.img.gz) = ffbb428145e0184d3848e45afee0d10ba41a4d9177688db10befc943dd4058f5

Please test this out and let me know how it works for you, or let the entire team at rawpacket.org know.

Regards,
JJC

Sunday, December 2, 2007

Awola - new rogue software!

Awola Anti-Spyware 6.0 "is a new rogue anti-spyware that can be dangerous for your security and privacy. Awola claims to purchase itself in order to remove reported spyware and adware. But in reality Awola produces false positives; it has no spyware detection and removal engine. Awola is a representative of the badware family. It can bypass antiviruses and install other spyware to track user activity, save keystrokes and then generate targeted advertisements (pop-ups, browser hijackers). Never download Awola, it's useless for spyware removal."
Fix computer problem - technical details
Spyware Doctor with free scan can easily remove Awola crap.

Thursday, November 29, 2007

DrProtection old-new misleading software

Famous interface+new engine = DrProtection 2.1
"DrProtection is a misleading application that may give exaggerated reports of threats on the computer. "
Symantec
"DrProtection 2.1 is a latest clone of well known DrAntispy rogue antispyware. It generates false positives to trick users into buying full commercial version of this useless program..."
Fix Computer Problem
---
Removal tool with free scan - Spyware Doctor can easily remove DrProtection


Wednesday, November 28, 2007

Adware.BndDrive infection - how to remove

Adware.BndDrive is a new adware program that will install a misleading browser helper object and show "Internet Speed Monitor" popups.
Download Spyware Doctor with free scan to get rid of this malware.

Monday, November 26, 2007

beta.openpacket.org updates

Several updates have been made to the http://beta.openpacket.org:8080 site, please stop by and help us continue to test the site.

Cheers,
JJC

InProtect Beta 0.80.2

In the interest of continuing a good thing (although this post is a bit late), we have released a new bugfix version of InProtect 0.80.x. This version is 0.80.2 and can be found at our sourceforge download location.

We hope to have an official release out on or about the new year and are working hard to meet this deadline. I would like to thank all of the users for their feedback and continued support of this project. It is always refreshing and energizing when there is good positive community usage and feedback!

As always, I invite you to join us in freenode or arcnet in #inprotect to tell us about your experiences, issues, bugs and the like.

Regards,
JJC

FreeBSD jabberd port mysql bug

As a quick post (esp since I have not been posting much lately) I recently ran into another issue with jabberd on freebsd. I say another, if you will remember a previous post concerning sasl - http://global-security.blogspot.com/2007/08/pidgin-on-linux-w-jabberd2-on.html.

This has more to do with cleaning up some of the errors that seem to exist in the mysql schema. Specifically, if you install jabberd2 from the ports tree "/usr/ports/net-im/jabberd" and configure it to use mysql as its storage engine, you will receive several errors in your stdout or log files (depending on your configuration). These errors are generated when a user's status changes, i.e. login, logout, away etc... I have included a quick snapshot of the errors below.

Nov 26 14:48:48 secure2 jabberd/sm[1629]: mysql: sql delete failed: Table 'jabberd2.status' doesn't exist
Nov 26 14:50:26 secure2 jabberd/sm[1629]: mysql: sql delete failed: Unknown column 'collection-owner' in 'where clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql select failed: Unknown column 'object-sequence' in 'order clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'status' in 'field list'
Nov 26 14:52:17 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'show' in 'field list'
Nov 26 14:52:58 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-login' in 'field list'
Nov 26 14:55:46 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-logout' in 'field list'
Nov 26 14:59:46 secure2 jabberd/c2s[1631]: [7] [192.168.1.2, port=3746] disconnect jid=user@test.com/Home, packets: 15
Nov 26 14:59:46 secure2 jabberd/sm[1629]: session ended: jid=user@test.com/Home
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] [192.168.1.2, port=3932] connect
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=user@test.com
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] bound: jid=user@test.com/Home
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] requesting session: jid=user@test.com/Home
Nov 26 15:00:05 secure2 jabberd/sm[1629]: session started: jid=user@test.com/Home
To remediate this, simply run the following against your jabberd2 mysql database:

CREATE TABLE `status` (
`collection-owner` varchar(256),
`object-sequence` bigint,
`status` text NOT NULL,
`show` text,
`last-login` int DEFAULT '0',
`last-logout` int DEFAULT '0',
PRIMARY KEY (`collection-owner`));
This will get ya going, I'm not gonna go into what's wrong with the script that is included in the jabberd2 install, I think that it's pretty straight forward.
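As an added example (not part of the post or of the jabberd2 port), the following shell functions pull the missing table and column names out of jabberd/sm mysql error lines like those above, and flag any column that the CREATE TABLE fix from the post does not define, which is the check to rerun after applying it. The log lines embedded below are the post's own excerpt; the FIX_COLUMNS list is copied from the post's CREATE TABLE.

```shell
#!/bin/sh
# Added example: derive the missing schema objects from jabberd/sm "mysql: sql ... failed" lines.

sample_log() {  # the log excerpt from the post, embedded inline so the demo runs offline
  cat <<'EOF'
Nov 26 14:48:48 secure2 jabberd/sm[1629]: mysql: sql delete failed: Table 'jabberd2.status' doesn't exist
Nov 26 14:50:26 secure2 jabberd/sm[1629]: mysql: sql delete failed: Unknown column 'collection-owner' in 'where clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql select failed: Unknown column 'object-sequence' in 'order clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'status' in 'field list'
Nov 26 14:52:17 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'show' in 'field list'
Nov 26 14:52:58 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-login' in 'field list'
Nov 26 14:55:46 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-logout' in 'field list'
Nov 26 14:59:46 secure2 jabberd/c2s[1631]: [7] [192.168.1.2, port=3746] disconnect jid=user@test.com/Home, packets: 15
Nov 26 15:00:05 secure2 jabberd/sm[1629]: session started: jid=user@test.com/Home
EOF
}

missing_schema() {  # stdin: jabberd log lines; stdout: "table NAME" / "column NAME", deduplicated
  grep 'jabberd/sm\[[0-9]*\]: mysql: sql [a-z]* failed:' |   # only sm's storage-engine errors
  sed -n \
    -e "s/.*failed: Table '\([^']*\)' doesn't exist.*/table \1/p" \
    -e "s/.*failed: Unknown column '\([^']*\)' in .*/column \1/p" |
  LC_ALL=C sort -u
}

count_missing() {  # stdin: jabberd log lines; stdout: number of distinct missing objects
  missing_schema | wc -l | tr -d ' '
}

# Columns defined by the CREATE TABLE `status` statement given in the post.
FIX_COLUMNS="collection-owner object-sequence status show last-login last-logout"

uncovered_columns() {  # stdin: log lines; stdout: columns still reported missing after the post's fix
  missing_schema | awk -v fix="$FIX_COLUMNS" '
    BEGIN { n = split(fix, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    $1 == "column" && !($2 in known) { print $2 }'
}

# Stand-alone demo: list what the excerpt says is missing and confirm the fix covers it all.
sample_log | missing_schema
left=$(sample_log | uncovered_columns)
if [ -z "$left" ]; then
  echo "all reported columns are covered by the CREATE TABLE from the post"
else
  echo "columns not covered by the fix: $left"
fi
```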

Also note, I will try to post more regularly now but it's been a hectic few weeks for me (new job, family visiting etc...)

Cheers,
JJC

Sunday, November 25, 2007

New Zlob hijacker - www.safetyonlinepage.com

Screenshot
www.safetyonlinepage.com - new crap from Trojan.Zlob-x.a

"SafetyOnlinePage.com is the latest browser hijacker that results from Zlob trojan infection. SafetyOnlinePage.com generates fake warnings about Myzor.fk@yf infection detected on your computer, forcing the user to purchase the paid version of rogue anti-spyware programs (VirusHeal, AntiVirGear, VirusProtect and others). SafetyOnlinePage.com may download and install additional spyware to track keystrokes, steal passwords and banking accounts. SafetyOnlinePage.com shows deceptive pop-up ads that may appear as regular Windows tray balloon notifications"

www.safetyonlinepage.com technical details
www.safetyonlinepage.com removal tool (Spyware Doctor)

Saturday, November 24, 2007

DeusCleaner - aggressive pop ups. New misleading software

This application scans the system for privacy violations such as Internet cache files. The application frequently displays pop-up windows such as the above pay-for prompt. This prompt is also displayed after restarting the computer. The user must purchase the full version of the application to repair any violations it finds.
Technical details from Symantec
DeusCleaner Remover (Spyware Doctor)


Wednesday, November 21, 2007

ErrorInspector new rogue

New misleading soft:
"ErrorInspector is a new rogue anti-spyware that gives exaggerated reports about spyware detections and other security risks. ErrorInspector can be installed through system security holes or by a trojan (usually Looksky or Zlob). This nasty application may steal your private data and download other spyware. ErrorInspector uses aggressive advertising in order to lure you to use its fake anti-spyware program."
Technical details

Tuesday, November 20, 2007

Zlob-x.a pop ups - new infection

Zlobbers have developed a new tactic; this parasite promotes IEDefender:
"Trojan.Zlob-x.a displays an error message integrated in Google search results..."
Details on: Fix Computer Problem
and BleepingComputer forums


Monday, November 19, 2007

IEDefender fraud

The IE Defender infection is a Browser Helper Object installed in your Internet Explorer browser that hijacks searches you input into the Google and Yahoo search engines. These hijacked searches will state that you are infected and that you need to install the IE Defender rogue anti-spyware program. You will also receive popups that state you are infected when browsing the web. The reality is that all of these messages and alerts are fake and should be ignored.
BleepingComputer forums - here you can find free removal instructions!
Download Spyware Doctor spyware remover - it will remove IEDefender automatically.

Monday, November 12, 2007

InProtect 0.80.1 Beta

Fixed a few of the issues that everyone was experiencing... also updated the following:
  • clean install - fixed bad syntax issues
  • clean install - set proper version in db
  • clean install - changed admin to Admin in user group data (Admin is the original user for conformity)
  • upgrade - set proper version in db
  • upgrade - changed admin to Admin in user group data (Admin is the original installed user and this setting must match the current user so that proper access is given to Admin)
Also added note that Admin password is "admin" in INSTALL, this is changed as of versions 0.80.x

new tarball can be found here:

https://secure.redsphereglobal.com/data/tools/inprotect/inprotect-0.80.1.tar.gz
https://secure.redsphereglobal.com/data/tools/inprotect/inprotect-0.80.1.tar.gz.md5
https://secure.redsphereglobal.com/data/tools/inprotect/inprotect-0.80.1.tar.gz.sha256

We should have the sourceforge project site updated with this tarball at some point tomorrow. I will also be following up with upgrade instructions tomorrow, as the current instructions do not include details of upgrading to 0.80.x.

Cheers,
JJC

InProtect 0.80.0 Beta *fixed clean install sql*

My apologies for the issues that people have been experiencing with the new Beta of InProtect, but please remember that this is the purpose of a beta.

I appreciate all of the feedback in IRC and comments on this blog. Below is the URL to a version of InProtect with a cleaned up clean install sql script. Note that you may still have issues with the actual install script (not the .sql) and I am working on that right now, hopefully will have that out shortly for you.

InProtect 0.80.0 Beta **FIXED**
MD5
SHA256

Regards,
JJC

Thursday, November 8, 2007

InProtect 0.80.0 Beta Released!

So we have *finally* managed to get the 0.80.0 Beta out the door; unfortunately the new package does not include any of the new info for the install or upgrade (there are twelve of us working on this). I'll be covering some of these topics in follow up articles over the next day or so.

Get the InProtect 0.80.0 Beta Here!


For now, let's talk about some of the major changes that we have incorporated into this version.

Gui:
  • Completely revamped menu system, access control driven.
  • User customizable dashboard.
  • Html and PDF report formats match.
  • Exportable xls reports.
  • Cleaned up excessive and unneeded sql queries to enhance speed.
  • Role-Based permissions.
  • Exception list for hosts.
  • Host specific lookup capabilities.
  • Cleaner interface.
Database:
  • All passwords are encrypted using a user-definable cipher such as Blowfish.
  • Sensitive data is encrypted.
  • Database structure modified to allow for role-based permissions.
  • Database structure modified to enhance and improve large query response (including indexing).
Engine:
  • Max server scans are now run in a single session rather than multiple individual sessions; this reduces the load on both the Nessus scanner and the InProtect console server.
  • Encryption and decryption functions added for sensitive data.
  • Multiple unneeded queries removed to enhance performance.
  • Query function creation and destruction cleaned up to enhance performance.
That is basically a quick run-through of the new features (there are more.. but these are the big ones IMHO). There are a few additional perl libraries that are not yet mentioned in the documentation contained in the 0.80.0 tarball but are required in addition to those mentioned in the documentation; I'll list them here for you.

New Perl libraries:
  • Crypt::CBC
  • MIME::Base64
  • IO::Socket
  • POSIX
  • Socket
This should be some good info to get you started for now, but as I said earlier, I will be posting some additional information (detailed info) for new installs and upgrades over the next few days. I will also try to update the official wiki and FAQ with these instructions.

So, for now feel free to download and play with it, let me know what you think, I can usually be found in #inprotect on freenode.

Cheers,
JJC

Monday, November 5, 2007

MySpace accont pwnage!

As the title indicates, and as I have wanted to write about for some time now (ever since I noticed that the MySpace login page is not protected by any type of encryption), this posting is about sniffing MySpace passwords off of your network...

To test this theory, and have a little fun, I used snort to sniff some packets off of a ToR (The Onion Router) system that I built specifically for this purpose. The results below are fairly self-evident, though the names, dates, and locations have been changed to protect the guilty ^_^. As we can see from the output below, the username is j00r_myspace_pwned@hotmail.com and the password is password12345. I am both surprised and not surprised to see this on the internet today.

POST /index.cfm?fuseaction=login.process HTTP/1.1
Host: secure.myspace.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.myspace.com/
Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ%3D%3D; SessionDDF1=933aa40e14c3e8ee00fd99a3ab029eea43bb704eb259248a
Content-Type: application/x-www-form-urlencoded
Content-Length: 586

__VIEWSTATE=%2FwEPDwUKMTI3ODg2ODMzM2QYAQUeX19Db250cm9sc1JlcXV
pcmVQb3N0QmFja0tleV9fFgIFMGN0bDAwJE1haW4kU3BsYXNoRGlzcGxheSRjdGw
wMCRSZW1lbWJlcl9DaGVja2JveAUwY3RsMDAkTWFpbiRTcGxhc2hEaXNwbGF5JG
N0bDAwJExvZ2luX0ltYWdlQnV0dG9u&NextPage=&ctl00%24Main%24Splash
Display%24ctl00%24
Email_Textbox=j00r_myspace_pwned%40hotmail.com
&ctl00%24Main%24SplashDisplay%24ctl00%24
Password_Textbox=password12345&ctl00%24Main%24SplashDisplay
%24ctl00%24Login_ImageButton.x=26&ctl00%24Main%24SplashDisplay%24ctl00%24Login_ImageButton.y=14&ctl00%24
Main%24SplashDisplay%24ctl00%24nexturl=&ctl00%24Main%24SplashDisplay%24ctl00%24apikey=

HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 214
Content-Type: text/html; charset=utf-8
Location: http://login.myspace.com/index.cfm?fuseaction=ad&MyToken=2d99f690-abae-4839-97dd-64b48d1edd52
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
Set-Cookie: MYUSERINFO=; domain=.myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=; domain=myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=; domain=.myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=; domain=myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=MIICtQYKKwYBBAGCN1gDlqCCAqUwggKhBgorBgEEAYI3WAMBoIICkTCCAo0CAwIAAQICZgMCAgDABAjl8wldaxuF7AQQzm1U8TfL0hIgLZm%2f%2baYNBwSCAmDFTCkutM5yyyvSN8vTANn5kgTYOPD3DWWxRcRQEx2ehj0nYpz3kqS0jJaAnb1PD7auiaNq8XMaipcAFbJbzntSKmLEwK7H%2brQknmAbEpo4YP3ofM9GcZb5ZYWzN2hj%2bclZDsJ4M%2fEPlqDElkLW7cWbUGcP2KMMcd%2bxJDxL3tcHHNaZymfryqMHpEibZtUEs%2bvHjbbQ8pcVNm%2bFyfO8yfnIJ20BCwebS7ZiseN0D0I8yWuZRwULf7HTAYB8jdhQyx49ULlkCUT4DL0iORqNL8Q3CvSdRwS7zT7cyBNC%2fg6%2b0Hy1D4NGHQcSzIXJ2tGg2%2bz5kCDPrARZVK5qgsSbI90ouN5LKu4kPLDd7w9%2fHtsFo%2ft%2bP4h4k%2fMq57s%2fuPPkM4J4h7ewHwEIVzv4lnk39l7QTthhroMwi9Qn196c%2fDNByifjkOAocz09n%2fB4t%2bzycg7B8VyIlY1P%2f29syvz%2ft5NbkbyYbAu6Sfz0%2biNM%2fjuqEFHAY1dGU6W%2btR8GD%2bGvsWttdb8kPXKL4x6HpIr1QyGIwk0SZEDr2oMzZjcQegezv3loAV9JivU8HmYaaibwLMJUVIPv6uvvr1slqJ%2f7dmG6hjFeEDjb4uEvrYfZrV0R75JQPd3W6MXjciL%2bRW3YDuKXGghi9I70PnpFuWeEkzE11U2IkyX3jb6GP4uOAl4KEZtQoF8LSsezdXPjlBP%2f1Q0upnPXJTzy0RNTfZZ0bdOuqnC13%2fNXIL96aZKgo0KVILrKN7E2uJYGkavoYyeK7Efolb%2f%2fgLSrX%2bUoicGc2oLceCWhrVxXdZAVt%2b0c7YNUTQ%3d%3d; domain=.myspace.com; path=/; HttpOnly
Set-Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ==; domain=.myspace.com; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: LASTUSERCLICK=%7bts+'2007-11-05+04%3a00%3a36'%7d; domain=.myspace.com; path=/
Set-Cookie: GADC=EUD=0:0:YTVkMTA4OTQ5ZDg5ZWI0OekNaTFtgDI_S7P6H2jrQzkk4nPuDPBbmATsWT8Cbo-Vd3Hgs227A2MQcf3dzClR3nwSH5PPEg8uiygF6KzHRgPJYhvfCX0YsIcKZKOEwjO3; domain=.myspace.com; expires=Fri, 05-Nov-2027 11:00:36 GMT; path=/
Set-Cookie: SplashDisplayName=j00r_myspace_pwned; domain=.myspace.com; path=/
Set-Cookie: DERDB=ZG9tYWluPS5teXNwYWNlLmNvbSZ0bGQ9Y29tJnNtb2tlcj0yJnNleHByZWY9MSZ1dHlwZT0yJnJlbGlnaW9uaWQ9MCZyZWdpb249MjAmcG9zdGFsY29kZT0wNDU3MiZtYXJpdGFsc3RhdHVzPU0maW5jb21laWQ9MCZoZWlnaHQ9MTcxJmdlbmRlcj1NJmZyaWVuZHM9MSZldGhuaWNpZD04JmFnZT0zMCZib2R5dHlwZWlkPTYmY2hpbGRyZW5pZD00JmNvdW50cnk9VVMmZGF0aW5nPTAmZHJpbmtlcj0xJmVkdWNhdGlvbmlkPTEmcmVsYXRpb25zaGlwcz0wJm5ldHdvcmtpbmc9MCZkaXNwbGF5bmFtZT1KZXJlbXkmZnJpZW5kaWRfaW50PTE0MzE0MDkxNyZpcGFkZHJlc3M9JzY5LjM5LjExMC4yNycmc2NobD0wJnNjaGw9MCZzY2hsPTAmZ3JwPTAmZ3JwPTAmZ3JwPTAmY3VsdHVzZXJwcmVmPTEwMzM=; domain=.myspace.com; path=/
Set-Cookie: MSCulture=IP=10.10.10.10&IPCulture=en-US&PreferredCulture=en-US&Country=US&timeZone=0&ForcedExpiration=633298319485005304&USRLOC=QXJlYUNvZGU9MjA3JkNpdHk9Q2FtZGVuJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT01MDAmTGF0aXR1ZGU9NDQuMjI1MyZMb25naXR1ZGU9LTY5LjA5MjMmUG9zdGFsQ29kZT0mUmVnaW9uTmFtZT1NRQ==; domain=.myspace.com; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: Login=; domain=.myspace.com; path=/
X-Server: ce28ca171d6578a0dad1823b61ec8978cabea8d4955341dd
Date: Mon, 05 Nov 2007 12:00:36 GMT


I am surprised because I know that MySpace receives a large amount of traffic and has quite a large user base; I would therefore expect them to provide SSL/TLS transport as a minimum to protect the authentication information of that user base. But I am also not surprised, because this is yet another glaring sign that many organizations, engineers and so on do not take security seriously, nor do they develop with security as even so much as an afterthought.

I also find it quite humorous that they actually have "Safety Tips" on their site. Probably the most humorous of these is their sixth tip on that page: "Don’t get hooked by a phishing scam. Phishing is a method used by fraudsters to try to get your personal information, such as your username and password, by pretending to be a site you trust. Click here to learn more." I suppose that they are right though...I mean, why submit your information to a phishing site/scam when they can just sniff your traffic and own your account!

Of course, gaining access to the user's account is only the beginning; this opens the door to a whole realm of possibilities, given the fact that *most* users will use the exact same password for all of their accounts, or at least a basic derivation of that password, for example adding a different number to the end in each instance, i.e. password1, password2, password3. Compromising the email account associated with the MySpace account also makes it extremely easy to gain additional information about an individual and ultimately to steal various types of sensitive information or even to further breach their resources (corporate accounts and the like).

With the use of ToR and various anonymizers growing every day, and the typical ToR user not being a security-minded individual, it is surprisingly easy to grab a number of MySpace user accounts in short order. During my testing period (roughly two weeks) of running a ToR server and sniffing for the magic MySpace packet, I was able to build a database of over 20 accounts and their associated passwords. Conceivably I could create a network of ToR servers and be able to easily own accounts at a fairly rapid rate.

All of this said, I strongly urge MySpace to purchase an SSL cert or two and use them, if for nothing more than the login process. This is what Google does with Gmail: a user browses to http://gmail.google.com, is redirected to the https:// site to log on, and after authentication is sent back to the http:// site. Note that protecting only the login is a minimum, not a complete fix: the response captured above sets the MYUSERINFO session cookie with HttpOnly but without the Secure attribute, so once the user is sent back to http:// that cookie travels in the clear on every request and can be sniffed and replayed just as the password was.

For fun, I have included below a snort rule that should catch the magic MySpace packet ;-); it is from bleedingthreats.net. Note that it matches on the string login.myspace.com, which does not appear anywhere in the request captured above (the POST goes to Host: secure.myspace.com with a Referer of http://www.myspace.com/), so on this particular capture the rule would not have fired; adjust the content match to the host you actually see in your own traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Myspace Login Attempt"; flow:established,to_server; content:"login.myspace.com"; uricontent:"/index.cfm?fuseaction=login"; classtype:policy-violation; sid:2002872; rev:2;)
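The snort rule above only tells you that a login happened. The following is an added example, not code from the original post and not anything from MySpace or Bleeding Edge Threats: a small Python audit that performs the two checks a practitioner would want over a captured exchange like the one above. It pulls the credential fields out of a form POST that was observed in the clear, and it lists which Set-Cookie headers in the response lack the Secure attribute (the captured MYUSERINFO cookie is HttpOnly but not Secure). The sample request and response are constructed to mirror the capture above with the same dummy credentials, and the field-name patterns used to recognise password and identity fields are my own assumption rather than anything MySpace documents.

```python
"""Passive audit of a captured cleartext HTTP login exchange.

Added example, not code from the original post. Given a request/response pair
as text (what a sniffer such as snort hands you), it answers two questions:
  1. Did a form POST carrying a password-like field travel without TLS?
  2. Which cookies does the server set without the Secure attribute, so that
     they would still be sent in the clear even if the login form itself
     moved to HTTPS?
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample mirroring the capture in the post (same dummy
# credentials, most headers trimmed). Not real traffic.
SAMPLE_REQUEST = (
    "POST /index.cfm?fuseaction=login.process HTTP/1.1\r\n"
    "Host: secure.myspace.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "__VIEWSTATE=%2FwEPDwUK&NextPage="
    "&ctl00%24Main%24SplashDisplay%24ctl00%24Email_Textbox=j00r_myspace_pwned%40hotmail.com"
    "&ctl00%24Main%24SplashDisplay%24ctl00%24Password_Textbox=password12345"
)

# Constructed response: one clearing cookie, one real session cookie that is
# HttpOnly but not Secure, one plain cookie, one more clearing cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://login.myspace.com/index.cfm?fuseaction=ad\r\n"
    "Set-Cookie: MYUSERINFO=; domain=.myspace.com; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/\r\n"
    "Set-Cookie: MYUSERINFO=opaque-session-blob; domain=.myspace.com; path=/; HttpOnly\r\n"
    "Set-Cookie: SplashDisplayName=j00r_myspace_pwned; domain=.myspace.com; path=/\r\n"
    "Set-Cookie: Login=; domain=.myspace.com; path=/\r\n"
    "\r\n"
)

# Field-name heuristics (assumption, not a MySpace or ASP.NET convention).
SECRET_FIELD = re.compile(r"pass|pwd", re.I)
IDENTITY_FIELD = re.compile(r"e-?mail|user|login", re.I)


def parse_http_message(raw):
    """Split a raw HTTP/1.x message into (start line, [(name, value)], body).
    Header names are lower-cased; duplicate headers (Set-Cookie) are kept."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def find_cleartext_credentials(raw_request, tls=False):
    """Return a finding dict if a form POST with a password-like field was
    observed on an unencrypted connection, else None. `tls` says the bytes
    came from inside a TLS session, in which case a sniffer never saw them."""
    if tls:
        return None
    start, headers, body = parse_http_message(raw_request)
    method, _, rest = start.partition(" ")
    target = rest.split(" ", 1)[0]
    if method != "POST":
        return None
    hdr = dict(headers)
    if "application/x-www-form-urlencoded" not in hdr.get("content-type", ""):
        return None
    secrets, identities = {}, {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        leaf = key.rsplit("$", 1)[-1]  # ASP.NET control path: keep the leaf name
        if SECRET_FIELD.search(leaf):
            secrets[leaf] = values[-1]
        elif IDENTITY_FIELD.search(leaf):
            identities[leaf] = values[-1]
    if not secrets:
        return None
    return {"host": hdr.get("host", ""), "path": urlsplit(target).path,
            "secrets": secrets, "identities": identities}


def audit_set_cookie(raw_response):
    """One dict per Set-Cookie header: name, whether it actually carries a
    value (an empty value with a past expiry is a deletion), Secure, HttpOnly."""
    _, headers, _ = parse_http_message(raw_response)
    result = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name, _, cookie_value = parts[0].partition("=")
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        result.append({"name": cookie_name, "set": cookie_value != "",
                       "secure": "secure" in attrs, "httponly": "httponly" in attrs})
    return result


def cookies_without_secure(raw_response):
    """Names of cookies that are really set (not cleared) and lack Secure."""
    return [c["name"] for c in audit_set_cookie(raw_response)
            if c["set"] and not c["secure"]]


if __name__ == "__main__":
    finding = find_cleartext_credentials(SAMPLE_REQUEST)
    if finding:
        print("cleartext credentials to %s%s: %s %s" % (
            finding["host"], finding["path"], finding["identities"], finding["secrets"]))
    for name in cookies_without_secure(SAMPLE_RESPONSE):
        print("cookie %s set without Secure; it will be sent over plain http://" % name)
```

Run it as-is to see the two findings on the constructed sample; to use it on your own captures, feed the reassembled request and response text of a TCP stream to the two functions. The `tls` flag exists so the same code can be driven from a capture pipeline that already knows which streams were encrypted.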
I would like to thank Jeff for sending me some of his pcap data for analysis!

Cheers,
JJC

Sunday, November 4, 2007

Coming Soon - InProtect 0.80.0 Beta

I am excited to announce that we are on track for a beta/alpha release of InProtect 0.80.0 this coming week. You will see a great deal of enhancements in this version, including cleaner reports and graphs, user customizable dashboard, more efficient scan scheduler and controller...and much more!

I have included a "teaser" screenshot below. Note that the latest code is always available from the InProtect Sourceforge SVN repo (but that should be considered "alpha" only)...since we are consistently making changes, fixes, tests and updates...

I am also entertaining the idea of replacing / augmenting the nmap functionality with unicornscan (since unicorns are fast! <3 Unicorns), let me know what your thoughts / concerns / comments are.


Cheers,
JJC

Wednesday, October 31, 2007

Nessus 3.0.6 on Ubuntu 7.10 _Gutsy Gibbon_

After upgrading to Gutsy Gibbon on one of my test systems I needed to install an application that I regularly use (Nessus). To install it I downloaded the standard Nessus 3.0.6 deb package from nessus.org and attempted the install via the package manager. The installation attempt produced the following error: "Dependency is not satisfied: libssl0.9.7". Normally I wouldn't write about this, but given that I noticed several locations on the internet (various forums and blogs) where this issue was unresolved for many users, I figured I would post what worked for me.

The first thing that I did was install libssl-dev ("sudo apt-get install libssl-dev"). After installing libssl-dev I again attempted to install the Nessus 3.0.6 deb package and received the same error: "Dependency is not satisfied: libssl0.9.7". My next step was to download libssl0.9.7_0.9.7g-5ubuntu1.1_i386.deb directly from packages.ubuntu.com and install that deb package. That's what did the trick; Nessus is now up and running and everyone (me) is happy.

Cheers,
JJC

Monday, October 29, 2007

HeX-VA (Virtual Security Appliance)

I am pleased to announce the release of the HeX Virtual Appliance!

To facilitate quick and easy use of the tools that are built into the HeX Live CD, we have installed the Live CD on four Virtual Machines to create four Security Virtual Appliance Images. These images are intended to aid in the rapid deployment and usability of the HeX Live Toolkit, and we are dubbing them HeX-VA. The images are designed for use with Parallels, Qemu, VMware and Virtualbox virtualization technologies. If you have any problems using these images or have any suggestions, please feel free to contact us or stop by #rawpacket on freenode.

Thanks to geek00l for the screenshots and continued hard work on this project! I have included the US Mirrors below for your downloading pleasure. If you are not US based, there are other Malaysian mirrors listed on the official rawpacket.org site under the Virtual Appliance project section.

HeX-Parallels | md5 | sha256
HeX-Qemu | md5 | sha256
HeX-VMware | md5 | sha256
HeX-Virtualbox | md5 | sha256

I'll be posting some detailed directions shortly on the usage of NTop and some specifics on tuning it for your environment (by request).

Cheers,
JJC

Screenshots of various HeX-VAs:

Friday, October 26, 2007

HeX 1.0.1 Release (Bug Fixes)

So, due to several flaws that people were experiencing with HeX 1.0R we are releasing an updated version (1.0.1). The fixes in this version include increased bootup speed: during the extraction and loading of the data into mfs /var, the IO process on several different system types was causing an apparent system hang, and this has been resolved.

Another major issue that was occurring was with msfweb not loading properly or not functioning when loaded. It turns out that this was actually a firefox related issue; deleting ~/.mozilla/firefox and using the global Firefox configuration fixed the problem (note that this also fixed javascript issues in ntop and darkstat).

As geek00l says, we are "shamelessly" releasing this fixed version. As always please give it a roll and let us know if you experience any issues. You can report bugs using our Trac interface, the Mailing List or via IRC in #rawpacket on freenode.

Download URLs:
Cheers,
JJC

Tuesday, October 23, 2007

Openpacket.org Beta

The openpacket.org beta site is live (and has been for a while, but I did not think to post about it) :-\

This site is the brainchild of Richard Bejtlich who announced the beta at http://openpacket.blogspot.com. Please swing by and drop some pcap data or just some comments / requests.

The site is located at http://beta.openpacket.org:8080

Cheers,
JJC

Monday, October 22, 2007

InProtect, on track for alpha release

...We hope to have an alpha/beta release of the upcoming InProtect 0.80.0 within two weeks.

Good progress has been made tuning all of the elements of the engine for improved performance, lowering the overall load of the scheduling engine. We are currently working on migration scripts for users of both the 0.22.5 and 0.22.5JC versions.

You will see some big database changes and enhancements to the GUI in the form of role-based permissions, a per-user customizable dashboard at login, cleaned up table indexes and optimized queries and much much more.

Cheers,
JJC

Saturday, October 20, 2007

Ubuntu Upgrade...or not (with compiz)

Perhaps it was a lack of patience on my part, or poor forward planning on Ubuntu's part, but I could no longer continue attempting to upgrade after what was likely the 30th failed attempt. As a result I decided to back up the /home/* directories and perform a clean install.

As one would expect the standard install succeeded with no problem. The expected options were available from custom partitioning to setting initial user and permissions during the installation. The only real issue that I had was with the "seamless" compiz implementation that I had heard so much about.

For this installation I used an HP laptop that I have; this laptop contains an ATI X series video card and therefore supports 3D acceleration. I was disappointed that the compiz (3D) desktop acceleration did not work out of the box, so here is what I did to make it work. Initially I simply tried to enable Extra effects after enabling the proprietary video card driver. This only produced the error "Composite extension not found"; after enabling the extension in xorg.conf (as described below) I received the fairly generic error "Unable to enable visual effects" or similar. So here are my steps to enable compiz on Ubuntu 7.10 with ATI drivers (what worked for me):


  • Enable all of the repos that have proprietary software and the like System -> Administration -> Software Sources.
  • Enable the proprietary video card driver from the Restricted Drivers Manager.
  • Make sure composite extensions are enabled : vi /etc/X11/xorg.conf
Section "Extensions"
Option "Composite" "1"
EndSection
  • Install xserver-xgl "sudo apt-get install xserver-xgl"
  • Install compizconfig-settings-manager "sudo apt-get install compizconfig-settings-manager" *this is not a requirement but gives you a level of customization that is nice.
  • Restart X
  • Try it out System -> Preferences -> Appearance -> Visual Effects (select what you want here...I used Extra, then Custom from the last apt-get install)
Everything else worked nicely; I enabled the proprietary fwcutter for my wireless card and it worked, no more mucking with it as in previous versions, very nice!

All in all, I give this version a Thumbs Up despite the upgrade mess, seems more stable so far and clean.

Hope this helps someone out :-)

Cheers,
JJC