Author: Michael Blood
Owning Your Application Take Possession
If you are a manager whose business relies on a website, apps or other software in order to function, the location and ownership of those assets (your application) is important.
- The manager does not have access to the source, and must request it from the original developer
- The manager is not familiar with where the source is or which components are used to make it run
- The manager does not know how to confirm whether they have all of the information they need
In general, many clients rely on a third party to hold their intellectual property and to grant them access to it when they need it.
In order for your business to have true ownership of your assets, you need to be able to switch providers WITHOUT HELP FROM YOUR EXISTING PROVIDERS.
A provider is your current website host, your application developer, or any vendor that provides you services.
Here are several scenarios which highlight why a company needs full ownership.
- Any one person is hit by a bus! – This is a favorite: if your company is not able to get access to your application source, website, software or other assets without one particular person, you do not have possession. Most of the time this happens when a freelancer or small company built your application; you have confirmed that the application is working, but you have not had it transferred to you, so you still must call your provider any time you need work done.
- The building where your application server sits blows up and you have to rebuild – keep backups, and make sure you can access them without going through the provider.
- You know you have multiple servers or components, but you are not sure how they connect, and you would need to make a couple of calls to get that information.
- Your current developer is heading out of town and you need someone else to talk to them to understand the application in case something happens while they are gone.
In each of these cases, you could remove these issues if you had full knowledge of your systems. Even better, you would have documents you could point at which contain all of that knowledge. This is really emergency preparedness for your application.
If you need help collecting, identifying, documenting and truly owning your application, Matraex can help you with that – 208.344.1115
—
Website Performance Assessment Tool Store Compare Page Speed Size Grade
Webpage performance is important and there are a plethora of tools out there that allow you to see your website’s performance.
The tools give a large amount of information and website owners can use that information to make assessments and improvements.
As we use these tools to help our clients improve the performance of their websites, we found a couple of needs:
- We needed a tool to quickly compare the results between changes
- We needed somewhere we could go to quickly lookup results next time that we evaluated the performance
So, we built the Website Performance Assessment Tool (matraex.com/website-performance).
This tool allows us to 1) enter a web page URL, 2) link to two third-party performance tools (Pingdom, PageSpeed), 3) enter the results and 4) save them.
The numeric results are then stored in a table and as we make changes we can see how performance improves.
With a couple of enhancements (the ability to track multiple urls and an improved User Interface) we decided to make this tool public and encourage others to use it.
The primary benefits we see are:
- The ability for non technical users to track their site performance
- Website owners can track and evaluate changes made by their website developer
- Website developers and website owners can use the tool to communicate performance expectations and results
Here is one example of how it can work:
- A website owner opens the Website Performance Assessment Tool and enters their website URL
- They use the quick links to generate metrics for a Performance Grade, Number of Requests, Load time, Page size and a Desktop and Mobile Grade
- They enter the metrics into the tool and click Save
- They notice that the total Load time is more than 4 seconds so they ask their website developer to improve the results.
- Specifically they describe they want:
- the Load Time to decrease to less than 2 seconds and
- the Desktop and Mobile Grade should improve to better than 85% each
- The developer makes changes and tells the owner the changes are complete.
- The owner opens the Performance Tool, re-enters the metrics and evaluates whether it is true.
- One month later the owner comes back to the tool and checks again and can see the history and whether performance has degraded.
COMMANDDUMP – installing wpscan penetration tool on a clean ubuntu 14.04 server
WPScan (http://wpscan.org/) has instructions for installing on Ubuntu 14.04; however, when attempting to install it on a clean 14.04 server there were several missing dependencies.
(In Ubuntu 14.04 the default is ruby1.8, so the commands I added address this.)
So I came up with the following command dump required to install it – this works as of 1/19/2016.
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev build-essential libgmp-dev
#remove this package ruby-dev which links to an old package
sudo apt-get install ruby1.9.1
sudo apt-get install ruby1.9.1-dev
#thanks stackoverflow
gem install addressable -v '2.4.0'
#checkpoint: you should receive 'Successfully installed addressable-2.4.0'
gem install ffi -v '1.9.10'
#checkpoint: you may need to install some ruby gems files
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && bundle install --without test
By the way, kudos to this guy (@_FireFart_) for getting his username displayed every time someone updates this awesome software
root@server:# ruby wpscan.rb --update
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[i] Updating the Database ...
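The steps above fail half-way through `bundle install` when the box still has the old ruby. The script below is an added example, not part of the original post: it wraps the same commands in pre-flight checks so the run stops at the first missing piece. It assumes a sudo-capable user on Ubuntu 14.04 and uses the post's own gem pins; `ruby_version_ok` parses the output of `ruby -v` and only passes for 1.9 or newer.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks around the
# WPScan 2.9 install steps. Assumes Ubuntu 14.04 and a sudo-capable user.
set -u

# ruby_version_ok "<output of ruby -v>": succeed only for ruby 1.9 or newer,
# which the pinned gems (addressable 2.4.0, ffi 1.9.10) need.
ruby_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^ruby \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver                      # $1 = major, $2 = minor
    [ "$1" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -ge 9 ]
}

# gem_present <name> <version>: the post's "checkpoint", as a test.
gem_present() {
    gem list -i "$1" -v "$2" >/dev/null 2>&1
}

# The install itself: the post's commands, each guarded by its checkpoint.
install_wpscan() {
    ruby_version_ok "$(ruby -v 2>/dev/null || true)" || {
        echo "ruby 1.9 or newer required; install ruby1.9.1 and ruby1.9.1-dev first" >&2
        return 1
    }
    sudo apt-get install -y libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev \
        build-essential libgmp-dev
    gem_present addressable 2.4.0 || gem install addressable -v '2.4.0'
    gem_present ffi 1.9.10        || gem install ffi -v '1.9.10'
    [ -d wpscan ] || git clone https://github.com/wpscanteam/wpscan.git
    cd wpscan || return 1
    sudo gem install bundler && bundle install --without test
    ruby wpscan.rb --update
}

# Only run the install when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--install" ]; then
    install_wpscan
fi
```

Run it as `sh install-wpscan.sh --install`; without the flag it only defines the functions.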
Remove Atlassian Stash from an Ubuntu system – CommandDump
To remove Atlassian Stash from an Ubuntu system (in my case I needed a clean clone of a system similar to one we run Atlassian Stash on):
This assumes that you are using the default install and home locations; you may have to change the paths for your system (be careful, you don't want to do this accidentally if you still need the information).
sudo service atlstash stop
sudo rm -rf /var/atlassian/stash
sudo rm -rf /opt/atlassian/stash
sudo update-rc.d -f atlstash remove
sudo rm /etc/init.d/atlstash
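Because the `rm -rf` above is irreversible, this added example (not part of the original post) archives the Stash home directory first and refuses to delete anything unless that archive was written and can be read back. The paths default to the post's locations and can be overridden through `STASH_HOME` and `STASH_INSTALL`; the archive location under /root is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: back up the Stash home
# (repositories, config, embedded DB) before running the removal commands.
set -u

STASH_HOME=${STASH_HOME:-/var/atlassian/stash}
STASH_INSTALL=${STASH_INSTALL:-/opt/atlassian/stash}

# backup_dir <dir> <archive>: tar up <dir>, then list the archive to verify it.
backup_dir() {
    tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")" && tar -tzf "$2" >/dev/null
}

# remove_stash <archive>: the post's removal steps, run only when <archive>
# exists, is non-empty and is a readable tarball.
remove_stash() {
    archive=$1
    [ -s "$archive" ] && tar -tzf "$archive" >/dev/null 2>&1 || {
        echo "refusing to remove: no verified backup at $archive" >&2
        return 1
    }
    sudo service atlstash stop
    sudo rm -rf "$STASH_HOME" "$STASH_INSTALL"
    sudo update-rc.d -f atlstash remove
    sudo rm -f /etc/init.d/atlstash
}

# Only act when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--remove" ]; then
    archive="/root/stash-home-$(date +%Y%m%d).tar.gz"   # assumed location
    backup_dir "$STASH_HOME" "$archive"
    remove_stash "$archive"
fi
```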
Grep command to find all PHP shortcode entries
As PHP files are moved from one server to another, occasionally we find a situation where PHP was developed on a server that allowed the short open tag "<?" instead of the longer "<?php". If the new server has short_open_tag disabled, that PHP code does not execute; instead the source that would have executed, including anything it contains such as database credentials, is shown in the output of the page.
When this happens I have found that a simple command identifies all of the places that use the short tag (the [^p=] excludes "<?php" and the "<?=" echo tag, which no longer depends on short_open_tag from PHP 5.4 on):
grep -n '<?[^p=]' *.php
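The one-line grep has two blind spots: a short tag that ends its line ("<?" followed by a newline) is not matched, and "<?xml" prolog lines are reported although they are not PHP tags. The scan below is an added example, not from the original post; it handles both cases, compares case-insensitively as PHP's lexer does, and is checked against constructed files.

```sh
#!/bin/sh
# Added example, not from the original post: report every "<?" in *.php files
# under a directory that is not "<?php", "<?=" or "<?xml".
set -u

# find_short_tags <dir>: print file:line:text, one report per offending line.
find_short_tags() {
    find "$1" -type f -name '*.php' -exec awk '
        {
            line = $0; bad = 0
            # walk every "<?" on the line, including one at end of line
            while (!bad && (i = index(line, "<?")) > 0) {
                rest = tolower(substr(line, i + 2))
                if (rest !~ /^(php([ \t]|$)|=|xml)/) bad = 1
                line = rest
            }
            if (bad) printf "%s:%d:%s\n", FILENAME, FNR, $0
        }' {} +
}
```

Usage: `find_short_tags /var/www/site`. Files it reports need the tag changed to "<?php" (or short_open_tag enabled, which only moves the problem to the next server).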
Installing Roundcube 1.1.4 on Postgres 9.3 – invalid identities table
When installing Roundcube 1.1.4 on PostgreSQL 9.3, the installer script reported that the identities table could not be upgraded correctly.
I looked more deeply at the SQL statement that creates the identities table (this is the MySQL version of the schema) and saw the following definition:
CREATE TABLE `identities` (
 `identity_id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT,
 `user_id` int(10) UNSIGNED NOT NULL,
 `changed` datetime NOT NULL DEFAULT '1000-01-01 00:00:00',
 `del` tinyint(1) NOT NULL DEFAULT '0',
 `standard` tinyint(1) NOT NULL DEFAULT '0',
 `name` varchar(128) NOT NULL,
 `organization` varchar(128) NOT NULL DEFAULT '',
 `email` varchar(128) NOT NULL,
 `reply-to` varchar(128) NOT NULL DEFAULT '',
 `bcc` varchar(128) NOT NULL DEFAULT '',
 `signature` text,
 `html_signature` tinyint(1) NOT NULL DEFAULT '0',
 PRIMARY KEY(`identity_id`),
 CONSTRAINT `user_id_fk_identities` FOREIGN KEY (`user_id`) REFERENCES `users`(`user_id`) ON DELETE CASCADE ON UPDATE CASCADE,
 INDEX `user_identities_index` (`user_id`, `del`),
 INDEX `email_identities_index` (`email`, `del`)
) /*!40000 ENGINE=INNODB */ /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
When I look at the database table that I am upgrading from, I can see that there is no column for 'changed', so I try to add it:
postgres=# alter table identities add column changed datetime not null default '1000-01-01 00:00:00';
ERROR:  type "datetime" does not exist
LINE 1: alter table identities add column changed datetime not null ...
It fails because datetime is a MySQL type, not a PostgreSQL one; replacing datetime with the timestamp type succeeds:
postgres=# alter table identities add column changed timestamp not null default '1000-01-01 00:00:00';
RESULT OK
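The datetime/timestamp mismatch is one of several between the two dialects in that definition. The following is an added example, not from the Roundcube project or the original post: the MySQL table above translated into PostgreSQL 9.3 syntax type by type, followed by the post's ALTER written so it can be re-run (9.3 has no ADD COLUMN IF NOT EXISTS, so the check is done in a DO block). Constraint and index names are kept from the MySQL version.

```sql
-- Added example, not Roundcube's own schema: PostgreSQL 9.3 equivalent of the
-- MySQL identities table shown above.
CREATE TABLE identities (
    identity_id     SERIAL,                                  -- int UNSIGNED AUTO_INCREMENT
    user_id         INTEGER NOT NULL,                        -- int(10) UNSIGNED
    changed         TIMESTAMP NOT NULL DEFAULT '1000-01-01 00:00:00',  -- datetime
    del             SMALLINT NOT NULL DEFAULT 0,             -- tinyint(1)
    standard        SMALLINT NOT NULL DEFAULT 0,
    name            VARCHAR(128) NOT NULL,
    organization    VARCHAR(128) NOT NULL DEFAULT '',
    email           VARCHAR(128) NOT NULL,
    "reply-to"      VARCHAR(128) NOT NULL DEFAULT '',        -- hyphen needs double quotes
    bcc             VARCHAR(128) NOT NULL DEFAULT '',
    signature       TEXT,
    html_signature  SMALLINT NOT NULL DEFAULT 0,
    PRIMARY KEY (identity_id),
    CONSTRAINT user_id_fk_identities FOREIGN KEY (user_id)
        REFERENCES users (user_id) ON DELETE CASCADE ON UPDATE CASCADE
);
-- MySQL declares INDEX inside CREATE TABLE; PostgreSQL creates indexes separately.
CREATE INDEX user_identities_index  ON identities (user_id, del);
CREATE INDEX email_identities_index ON identities (email, del);

-- The post's fix for an existing table, guarded so a second run is a no-op.
DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM information_schema.columns
                   WHERE table_name = 'identities' AND column_name = 'changed') THEN
        ALTER TABLE identities
            ADD COLUMN changed TIMESTAMP NOT NULL DEFAULT '1000-01-01 00:00:00';
    END IF;
END $$;
```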
COMMAND DUMP – upgrading a standard proftpd install to TLS
Upgrade a basic proftpd install to support FTPS (explicit FTP over TLS) with these commands:
cd /etc/proftpd
mkdir -p ssl
openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
chmod 600 ssl/proftpd.*
Follow the prompts to put in your organization name; use the hostname clients connect to as the Common Name. This is a self-signed certificate, so clients will have to trust it explicitly.
Then open the conf file (vi proftpd.conf) and add the following (if the <IfModule mod_tls.c> block already exists, replace its contents with the contents below):
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
#TLSProtocol TLSv1.2
TLSCipherSuite AES128+EECDH:AES128+EDH
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
RequireValidShell no
</IfModule>
Restart proftpd:
/etc/init.d/proftpd stop
/etc/init.d/proftpd start
You can test this by running the following command to make sure that you can connect and the server presents the certificate:
openssl s_client -connect 127.0.0.1:21 -starttls ftp
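Two settings in the block above deserve a second look. `TLSProtocol` is commented out, which leaves the protocol choice to the module's compiled-in default (older versions still included SSLv3 in that default), and `AllowClientRenegotiations` re-enables client-initiated renegotiation, which mod_tls disables by default because it is the CVE-2009-3555 vector and ordinary FTP clients do not need it. The fragment below is an added example, not from the original post or the ProFTPD project: it is the same configuration with those two changes, keeping the post's paths and cipher list. `TLSProtocol TLSv1.2` needs a mod_tls built against OpenSSL 1.0.1 or newer.

```apacheconf
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd/tls.log
  # Pin the protocol instead of relying on the module default.
  TLSProtocol TLSv1.2
  TLSCipherSuite AES128+EECDH:AES128+EDH
  # No AllowClientRenegotiations: leave client-initiated renegotiation disabled.
  TLSOptions NoCertRequest
  TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
  TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
  TLSVerifyClient off
  # "on" requires TLS on both the control and the data connection,
  # so neither credentials nor file contents travel in the clear.
  TLSRequired on
  RequireValidShell no
</IfModule>
```

After restarting, `openssl s_client -connect 127.0.0.1:21 -starttls ftp` should report `Protocol : TLSv1.2` in its summary; a plain `ftp` client that tries to log in without AUTH TLS is refused because of `TLSRequired on`.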
COMMANDDUMP – Upgrading from PHP 5.3 to 5.6 on Ubuntu 14.04
When upgrading from PHP version 5.3 to 5.6 there are several things to worry about. On a shared system with multiple sites which do not make use of common unit testing or a shared library, these tools and commands could be useful to find issues (this also works when upgrading from 5.4 or 5.5 to 5.6).
COMMAND DUMP of things I ran.
Create a file called upgrade.php.searchterms listing the functions and settings removed in PHP 5.4 and later, then search the code for them:
#echo import_request_variables >> upgrade.php.searchterms
#echo session_is_registered >> upgrade.php.searchterms
#echo session_register >> upgrade.php.searchterms
#echo session_unregister >> upgrade.php.searchterms
#echo define_syslog_variables >> upgrade.php.searchterms
#echo register_globals >> upgrade.php.searchterms
#echo sqlite >> upgrade.php.searchterms
#echo php_logo_guid >> upgrade.php.searchterms
#echo php_egg_logo_guid >> upgrade.php.searchterms
#echo php_real_logo_guid >> upgrade.php.searchterms
#echo zend_logo_guid >> upgrade.php.searchterms
#echo register_long_arrays >> upgrade.php.searchterms
#find -type f -name '*.php' -exec grep -f upgrade.php.searchterms {} \; -ls
Check the version of your server
#lsb_release -a
#dpkg -l |grep php|grep apache
#php -v
#apache2ctl -vV
To upgrade on Ubuntu 14.04 LTS you have to get PHP 5.6 from another repository, as it is not included in the default repos:
apt-get -y update
apt-get install -y software-properties-common
add-apt-repository ppa:ondrej/php5-5.6 -y
apt-get -y update
apt-get -y install php5 php5-cli php5-common php5-curl php5-gd php5-imap php5-json php5-mysql php5-readline
You will be prompted when installing the latest version of PHP5 whether you want to keep the old or the new version of php.ini. I chose to install the package maintainer's version, then compared the two and updated the new one with the differences. The following command makes it easy to compare by removing all of the commented lines from the diff against the backed-up file:
cd /etc/php5/apache2
diff <(grep -v '^\s*;' php.ini|awk '$1 != ""') <(grep -v '^\s*;' php.ini.ucf-old|awk '$1 != ""')|more
I also updated the php.ini date.timezone setting to my area due to this php.net post:
date.timezone = America/Boise
/etc/init.d/apache2 reload
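A line diff of the two php.ini files is noisy when the maintainer's copy reorders or re-comments settings. The script below is an added example, not from the original post: it compares the two files setting by setting and prints only the keys whose value differs or that exist in one file only, which is the list of things to carry over by hand. It assumes php.ini's `key = value` layout with `;` comments and ignores values containing a literal `=` sign beyond the first.

```sh
#!/bin/sh
# Added example, not from the original post: compare two php.ini files by
# setting rather than by line.
set -u

# ini_settings <file>: print "key=value" for every uncommented setting,
# with whitespace trimmed. Comment lines, blank lines and [sections] are dropped.
ini_settings() {
    sed -e '/^[[:space:]]*;/d' -e '/^[[:space:]]*$/d' -e '/^[[:space:]]*\[/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/[[:space:]]*$//' "$1"
}

# ini_changed <old.ini> <new.ini>: one line per setting that differs,
# as "key: old -> new"; "(unset)" marks a key present in only one file.
ini_changed() {
    a=$(mktemp); b=$(mktemp)
    ini_settings "$1" > "$a"
    ini_settings "$2" > "$b"
    awk -F= '
        { fileno = (FILENAME == ARGV[1]) ? 1 : 2
          val = substr($0, length($1) + 2)        # everything after the first "="
          v[fileno, $1] = val; seen[$1] = 1 }
        END {
            for (k in seen) {
                old = ((1, k) in v) ? v[1, k] : "(unset)"
                new = ((2, k) in v) ? v[2, k] : "(unset)"
                if (old != new) printf "%s: %s -> %s\n", k, old, new
            }
        }' "$a" "$b" | sort
    rm -f "$a" "$b"
}
```

Usage: `ini_changed /etc/php5/apache2/php.ini.ucf-old /etc/php5/apache2/php.ini`. Keys that were set in the old file and are unset in the new one are the ones the maintainer's copy silently resets to PHP's built-in default.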
mysql database dump restore – awk script create one script per table
I have used the following script to take a huge mysql dump, with multiple databases and multiple tables, and create one script file per table for creating that table and one for inserting its records.
This allows one to create a single large dump file for all databases on a server, yet when some incremental restore is needed, the large dump file can be quickly split into files that can be used to restore a smaller incremental change. The script keys on the "-- Current Database: `dbname`" comment lines that mysqldump writes (for example "Current Database: `49erstrivia`") and on the CREATE TABLE statements; run it with the dump file on standard input. Note that everything between one table's last INSERT and the next CREATE TABLE, which in mysqldump output includes the next table's DROP TABLE IF EXISTS, lands in the previous table's .afterinsert file, so check that file before restoring a single table.
awk 'BEGIN { TABLE = "table_not_set" }
{
    if ($1 == "--" && /Current Database:/) {
        CURRENTDB = $NF
        gsub("`", "", CURRENTDB)
        inserted = 0
        print CURRENTDB
    }
    if ($1 == "CREATE" && $2 == "TABLE") {
        TABLE = $3
        gsub("`", "", TABLE)
        inserted = 0
    }
    if ($1 != "INSERT") {
        if (!inserted) {
            print $0 > "mysql." CURRENTDB "." TABLE ".beforeinsert"
        } else {
            print $0 > "mysql." CURRENTDB "." TABLE ".afterinsert"
        }
    } else {
        print $0 > "mysql." CURRENTDB "." TABLE ".insert"
        inserted = 1
    }
}'
Matraex Inc – Hiring Inside Sales
Matraex Inc is hiring an inside sales professional. We are looking to fill this position immediately upon finding the correct person.
View more on our careers page