ESX VMkernel doesn’t load 0xbad0013

After the install process completes, on the first boot of the ESX system the following error messages appear:

VGA: 297: VGA start b8000 end c0000 mapped start c00b8000 char height 16

VGA: 397:

VGA: 425: 0

Console: switching to colour VMNIX-VGA 80×25

VGA: 465: 0

Console: switching to colour VGA+ 80×25

WARNING: Mod: 2434: Initialization of vmkernel failed, status 0xbad0013

Mod: 4406: Waiting for vmklogger to dump log buffer…

Warning: Mod: 4429: Dumping vmkernel log buffer (5162 bytes):

After the rest of the Service Console loads, it reports a critical error and that the vmkernel didn't load.

We're running on an HP DL385 (dual Opteron at 2.6 GHz) running the VMware Starter edition off of an array.

Strange – the solution to the problem was just to put the DIMMs into the right place – the memory was placed incorrectly as we didn't read the decals on the box. hehe…

Synchronizing with time server: [FAILED]

ntpd: Synchronizing with time server: [FAILED]
Starting ntpd: [ OK ]

When does it do the sync?

# excerpt from /etc/init.d/ntpd; $prog, $dropstr and $tickers are set
# earlier in the script, success/failure come from /etc/init.d/functions
# Synchronize with servers if step-tickers exists
# or the -x option is used
echo -n $"$prog: Synchronizing with time server: "
/usr/sbin/ntpdate $dropstr -s -b -p 8 $tickers 2>/dev/null >/dev/null
RETVAL=$?
[ $RETVAL -eq 0 ] && success || failure

It does the sync when the /etc/ntp/step-tickers file is there.

[root@localhost ~]# cat /etc/ntp/step-tickers
time.vmware.com

Why would this happen? Strange stuff…

[root@localhost ~]# /etc/init.d/ntpd stop
Shutting down ntpd: [ OK ]
[root@localhost ~]# ntpdate time.vmware.com
28 Jun 10:49:44 ntpdate[25663]: step time server 10.16.12.148 offset 90.895171 sec

The ntpdate command doesn't fail … wonder why… tail /var/log/messages shows:

Jun 28 10:52:31 localhost ntpd: ntpd shutdown failed
Jun 28 10:52:31 localhost ntpdate[26038]: can't find host time.vmware.com
Jun 28 10:52:31 localhost ntpdate[26038]: no servers can be used, exiting
Jun 28 10:52:31 localhost ntpd: failed
Jun 28 10:52:31 localhost ntpd[26043]: ntpd [email protected] Wed Nov 17 15:43:55 EST 2004 (1)
Jun 28 10:52:32 localhost ntpd: ntpd startup succeeded

Can't find host? Why's that? Let's try using the IP address instead of the name in the step-tickers file. Well, the IP address fixes it in Red Hat Enterprise Linux 4, but I had this problem with ESX Server (based on Red Hat 7.2).

The problem was:

[root@localhost ~]# file /etc/ntp/step-tickers
/etc/ntp/step-tickers: ASCII text, with CRLF line terminators

The file was a DOS file. When the problem was in ESX, I was able to see the ^M character in /var/log/messages, so I was able to fix it after finding that. Fun stuff, huh?
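The check a practitioner would want here, as an added example that is not part of the original post: a small shell script that makes the carriage return in the step-tickers file visible, shows what ntpdate actually receives as a host name, and strips the CR in place. The function names are this example's own and it assumes only POSIX sh, sed, tr and grep; the sample file in the usage lines is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: detect and repair DOS
# (CRLF) line endings in an ntp step-tickers file. The init-script
# excerpt above splices the file's contents into the ntpdate command
# line as host names, so a trailing carriage return becomes part of the
# name ("time.vmware.com\r") and the lookup fails with "can't find host".
# Function names are this example's own.

has_crlf() {
  # exit 0 if FILE contains at least one carriage return
  grep -q "$(printf '\r')" "$1"
}

show_tickers() {
  # print each line with control characters made visible, e.g.
  #   time.vmware.com\r$
  sed -n 'l' "$1"
}

tickers_as_seen_by_ntpdate() {
  # roughly what the init script hands to ntpdate: comments stripped,
  # one word per line. The CR survives, which is the bug.
  sed -e 's/#.*//' "$1" | tr -s ' \t' '\n\n' | grep -v '^$'
}

fix_crlf() {
  # strip every carriage return in place; writing through the original
  # inode keeps the file's owner and mode
  f=$1
  tmp=$(mktemp "$f.XXXXXX") || return 1
  tr -d '\r' < "$f" > "$tmp" && cat "$tmp" > "$f"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Typical use, as root:
#   show_tickers /etc/ntp/step-tickers
#   has_crlf /etc/ntp/step-tickers && fix_crlf /etc/ntp/step-tickers
#   /etc/init.d/ntpd restart
```

Note that `file` only calls the file "ASCII text, with CRLF line terminators"; `sed -n l` is the quickest way to see exactly which line carries the `\r`, and the same check applies to any list the init scripts read word by word (ntp.conf server lines, /etc/hosts, resolv.conf).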

Living vs. Existing – Michael E. Gerber

“The difference between great people and everyone else is that

great people create their lives actively, while everyone else is

created by their lives, passively waiting to see where life takes

them next. The difference between the two is the difference between

living fully and just existing.”

– Michael E. Gerber

Interesting time issue …

Interesting time issue in Linux.

To complicate things a little, this was Red Hat Enterprise Linux 4 Update 2 in a VMware VM. The reason that makes it a little more complicated is that there is a known time problem for virtual machines: in virtualization, you can't afford to deliver the clock ticks that the older 2.6 kernels ask for (default 1000 HZ). You can read more on it here: http://www.vmware.com/vmtn/resources/238.

So in this case, virtualization wasn’t the problem.

Here’s where I started:

ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

date

Mon Feb 13 18:25:28 UTC 2006

ls -ld /etc/localtime

lrwxrwxrwx 1 root root 35 Feb 13 18:25 /etc/localtime -> /usr/share/zoneinfo/America/Chicago

cat /etc/sysconfig/clock

ZONE="America/Chicago"

UTC=false

ARC=false

run hwclock – it just gives you the prompt back.

date -s "Feb 13 20:25:28 PST 2006"

run date and get

Mon Feb 13 04:25:28 UTC 2006

run setup, go through the options, set it to America/Chicago and still … UTC … why!?

set:

export TZ=America/Chicago

still … date shows UTC!

reboot the VM, go into the BIOS … same thing … why!!??

zdump -v America/Chicago … shows a bunch of bullshit – nothing that helps.

finally:

rpm -qf /usr/share/zoneinfo/America/Chicago

rpm --verify tzdata-2004e-2

S.5....T. /usr/share/zoneinfo/America/Chicago
S.5....T. /usr/share/zoneinfo/CST6CDT
S.5....T. /usr/share/zoneinfo/SystemV/CST6CDT
S.5....T. /usr/share/zoneinfo/US/Central

ahh … wonder how the files got changed. Anyways, it doesn’t matter.

reinstalled the rpm:

rpm --force -Uvh tzdata-2004e-2.noarch.rpm

Now run:

ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

Now the date’s okay … cool deal!
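As an added example, not part of the original post: a shell script that checks the thing rpm --verify was pointing at, namely whether the file behind /etc/localtime is a TZif file the C library will accept. It also writes a minimal, constructed TZif file (one local time type, UTC-6, no DST, abbreviation CST) so the check can be exercised without tzdata; the function names and the constructed file are this example's own, and the be32 helper exists only to build it.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a zoneinfo
# file the way this troubleshooting implies. When the TZif file behind
# /etc/localtime is damaged, glibc ignores it and falls back to UTC
# without a word, which is exactly the "date still shows UTC" symptom
# above. Function names are this example's own.

tzif_magic_ok() {
  # Every compiled zoneinfo file starts with the four bytes "TZif".
  [ "$(dd if="$1" bs=4 count=1 2>/dev/null)" = "TZif" ]
}

localtime_target() {
  # What does /etc/localtime (or $1) resolve to?
  f=${1:-/etc/localtime}
  if [ -L "$f" ]; then readlink "$f"; else printf '%s\n' "$f"; fi
}

zone_abbrev() {
  # Ask the C library to interpret FILE directly, bypassing /etc/localtime.
  # If the file is unusable you will not get the zone you asked for.
  TZ=":$1" date +%Z
}

be32() {
  # Write $1 (0 .. 2^32-1) as four big-endian bytes.
  n=$1
  printf "\\$(printf '%03o' $(( (n / 16777216) % 256 )))\\$(printf '%03o' $(( (n / 65536) % 256 )))\\$(printf '%03o' $(( (n / 256) % 256 )))\\$(printf '%03o' $(( n % 256 )))"
}

make_minimal_tzif() {
  # Write a version-1 TZif file to $1 with no transitions and one local
  # time type: UTC-6, no DST, abbreviation "CST". Layout per tzfile(5):
  # "TZif", version byte, 15 reserved bytes, six 32-bit counts
  # (isutcnt isstdcnt leapcnt timecnt typecnt charcnt), then the records.
  {
    printf 'TZif'
    be32 0; be32 0; be32 0; be32 0                 # version 0 + 15 reserved bytes
    be32 0; be32 0; be32 0; be32 0; be32 1; be32 4 # counts: one type, 4 abbreviation chars
    be32 $(( 4294967296 - 21600 ))                 # ttinfo.utoff = -21600 (two's complement)
    printf '\000\000'                              # ttinfo.isdst = 0, ttinfo.desigidx = 0
    printf 'CST\000'                               # NUL-terminated designation
  } > "$1"
}

# On a live box:
#   localtime_target
#   tzif_magic_ok "$(localtime_target)" && echo magic ok
#   zone_abbrev /usr/share/zoneinfo/America/Chicago   # expect CST or CDT
```

The magic check is a cheap first test, but a file can carry a valid header and still be truncated or garbled further in, which is why the script also asks the C library for the abbreviation it computes from the file; comparing that answer with what rpm --verify says about the file catches both halves of the problem described above.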

Removing Version Information From Services

http://www.security-forums.com/viewtopi … ht=#129555
Displaying service version information might look cool, but it is definitely not a good idea. There are numerous malicious folks out there who will use this version information to search for the proper exploits to gain access to your machine. Retrieving version information for a running service is very simple: a simple telnet to the service will do the trick. Try it out on your local SMTP server. Wait for a zero-day exploit for that specific service and *bang*, you own it… or you are owned. Without the service version information, the bad guy can only guess, and will have to try multiple times, possibly revealing himself. This, in a way, will buy time and prevent certain bad things from happening, but it doesn't mean you no longer need to update the services when they are vulnerable.

This document describes the modifications which need to be made to remove version information from services like OpenSSH, sendmail, etc. Some of these require simple modifications to a configuration file, while others need to have some source code modified. It will focus on the following services:

* OpenSSH (ssh)
* Sendmail (smtp)
* UW ipopd imapd (pop2, pop3 and imap)
* Apache 1.3 (http/https)
* Apache 2.0 (http/https)
* PHP4
* mod_ssl (https)
* Bahamut IRCd

Possibly more will be added. If you feel something is missing or you have any other useful additions to this document, just drop me a line.

OpenSSH
Modifying the version of this open source SSH implementation has become quite simple. Within the source tree of OpenSSH locate the following file:

Code:
openssh-3.x/version.h

This will say something like this:

Code:
#define SSH_VERSION "OpenSSH_3.x"

This value can be changed into anything of your liking:

Code:
#define SSH_VERSION "SSH_x.x"

Recompile and reinstall the binaries, taking proper precautions not to lock yourself out if logged in through the service you want to upgrade. Telnet to port 22 to check out your brand new banner.
Sendmail

Sendmail doesn't require any modifications to source code whatsoever. A facility for modifying the banner is present in the configuration file (sendmail.cf). Open the file /etc/mail/sendmail.cf (or another location, depending on your distribution or how you installed it). There is a good chance the option is already in there, but commented out:

Code:
#O SmtpGreetingMessage=$j Sendmail 9.x.x / 8.x.x; $b

The $j will be replaced by the status code and server identification (i.e. "220 smtp.domain.com ESMTP"). Some mail clients require this; a server error might occur otherwise. The $b will be replaced by the build date. You could change this to:

Code:
O SmtpGreetingMessage=$j Mailserver; Thu, 1 Jan 1970 01:00:00

Restart the sendmail daemons and you are ready to go. Telnet to port 25 to see your new banner.
UW ipopd / imapd

These are part of PINE, and deliver POP2, POP3 and IMAP services. To strip version information from these, the source code needs to be modified. Within the PINE source tree locate the following files:

Code:
pine4.xx/imap/ipopd/ipop2d.c
pine4.xx/imap/ipopd/ipop3d.c
pine4.xx/imap/imapd/imapd.c

Modifying these is quite straightforward. In all these files there is a line which says:

Code:
char *version = "2003.xx";

This can be changed into anything you want:

Code:
char *version = "a.b";

Recompile and install the binaries into their required location and you are ready to go. Note that these services could be in use, so the operating system might refuse to overwrite them. Kill the services and retry.
Apache 1.3

For Apache 1.3.x you need to locate the following file within the Apache source tree:

Code:
apache-1.3.x/src/include/httpd.h

In that file, locate the lines that say something like this:

Code:
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.3.29"

This can be changed into anything you want:

Code:
#define SERVER_BASEPRODUCT "Webserver"
#define SERVER_BASEREVISION "a.b.c"

Recompile the server and install the binaries. Note that for different modules that add version information (like PHP and mod_perl) you have to modify those as well. Look below for how to remove it from PHP4.
Apache 2.0

For Apache 2.0.x you need to locate the following file within the Apache source tree:

Code:
httpd-2.0.x/httpd/include/ap_release.h

In that file, locate the lines that say:

Code:
#define AP_SERVER_BASEPRODUCT "Apache"
#define AP_SERVER_MAJORVERSION "2"
#define AP_SERVER_MINORVERSION "0"
#define AP_SERVER_PATCHLEVEL "47"

Modify these into anything you want.

Code:
#define AP_SERVER_BASEPRODUCT "Webserver"
#define AP_SERVER_MAJORVERSION "a"
#define AP_SERVER_MINORVERSION "b"
#define AP_SERVER_PATCHLEVEL "c"

Recompile the server and install the binaries. Telnet to port 80 and do a simple GET / request to see your brand new service banner.
PHP4

Changing the version information for PHP4 requires modifications to source code as well. If you have not yet compiled it, skip some paragraphs. If you have already configured and compiled it, locate the following file:

Code:
php-4.x.x/main/php_version.h

Locate the lines:

Code:
#define PHP_MAJOR_VERSION 4
#define PHP_MINOR_VERSION 3
#define PHP_RELEASE_VERSION 5
#define PHP_EXTRA_VERSION ""
#define PHP_VERSION "4.3.5"

The MAJOR, MINOR and RELEASE are numbers. Too bad. Modify it to something like this:

Code:
#define PHP_MAJOR_VERSION 4
#define PHP_MINOR_VERSION 0
#define PHP_RELEASE_VERSION 0
#define PHP_EXTRA_VERSION ""
#define PHP_VERSION "4.X.X"

Remove the following files:

Code:
main/main.o
main/main.lo
sapi/sapi_apache.lo
sapi/sapi_apache.o
sapi/php_apache.lo
sapi/php_apache.o
sapi/mod_php4.lo
libs/libphp4.so
libs/libphp4.a
libphp4.a

Do a make install-sapi. This will recompile the necessary stuff and install it.

If you have not yet compiled PHP4, within the PHP4 source tree locate the following file:

Code:
php-4.x.x/configure.in

Locate the following lines:

Code:
MAJOR_VERSION=4
MINOR_VERSION=2
RELEASE_VERSION=5
EXTRA_VERSION="RC1"
VERSION="$MAJOR_VERSION.$MINOR_VERSION.$RELEASE_VERSION$EXTRA_VERSION"

The problem here is that the versions are numbers, not strings. Only the VERSION string is. It could however be changed to something like this:

Code:
MAJOR_VERSION=4
MINOR_VERSION=0
RELEASE_VERSION=0
EXTRA_VERSION=""
VERSION="4.X.X"

Compile and install as usual and your new banner will be in effect.

mod_ssl
Just like PHP4, mod_ssl also adds some version information to the webserver banner. Also, if you have version-patched Apache, the configure script that came with mod_ssl will fail, because the version check fails. It will output an error like "This was meant for Apache 1.3.29, but you have got Apache a.b.c." To fix this, open the configure script and search for APV a couple of times. When you see the "This was meant for Apache 1.3.29" error, you are there. Just above the "if" insert the following line:

Code:
APV="1.3.29"

This will fool mod_ssl into thinking it's ok, and apply the patches.

OK, on to removing version information from mod_ssl. After applying the patches to the Apache source tree, locate the following file:

Code:
apache-1.3.x/src/modules/ssl/Makefile

Look for this line:

Code:
SSL_VERSION=-DMOD_SSL_VERSION=\"2.8.15\"

Modify it to something like this:

Code:
SSL_VERSION=-DMOD_SSL_VERSION=\"2.x.x\" -DSSL_PRODUCT_NAME=\"SSL\" -DSSL_PRODUCT_VERSION=\"a.b.c\"

Then, locate this file:

Code:
apache-1.3.x/src/modules/ssl/ssl_util_ssl.h

Locate these lines:

Code:
#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_NAME "OpenSSL"
#define SSL_LIBRARY_TEXT OPENSSL_VERSION_NUMBER

Change them into something like this:

Code:
#define SSL_LIBRARY_NAME "SSL"
#define SSL_LIBRARY_TEXT "SSL/x.x.x"

Do a make all in the src/modules/ssl directory to compile only mod_ssl. Install the binaries by copying libssl.so into your ${APACHEROOT}/libexec directory. Then restart your webserver for the new banner to take effect. Check 'em out with a simple GET / request.
Bahamut IRCd

To remove the version information from the Bahamut IRC daemon, within the source tree, locate the following file:

Code:
src/s_user.c

Locate the line that uses the RPL_YOURHOST define in the sendto_one() call (somewhere around line 855/860). RPL_YOURHOST is a define for a formatting string that says something like "Hi there, . This machine is running". Change:

Code:
sendto_one(sptr, rpl_str(RPL_YOURHOST), me.name, nick, get_client_name(&me, TRUE), version );

..into something like this:

Code:
sendto_one(sptr, rpl_str(RPL_YOURHOST), me.name, nick, get_client_name(&me, TRUE), "ircd-1.X" );

Edit
2004-04-27; Updated stuff for Apache 1.3.29 / PHP 4.3.5, and removed some typos.
2003-11-16; Added the Bahamut IRC daemon hack.
2003-10-05; Added a *working* PHP4 hack.
2003-10-05; Added mod_ssl hack.

It was fun while it lasted….

Last edited by hugo on Tue Apr 27, 2004 11:59 am; edited 3 times in total
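As an added example that is not part of hugo's post or of any of the projects it patches: a shell script that does the "telnet to the port and look" check from the post for you and flags any product/version token still present in what the server sends. grab_banner needs bash (it uses /dev/tcp); the token check is plain grep and runs offline on constructed banners. Function names are this example's own and the host names in the usage lines are placeholders.

```shell
#!/bin/bash
# Added example, not from hugo's post or the projects it patches: grab a
# service banner and flag product/version tokens that a banner-strip was
# supposed to remove. grab_banner needs bash (/dev/tcp); the checks below
# are plain text processing and work on any captured banner.
# Host names in the usage comments are placeholders.

grab_banner() {
  # grab_banner HOST PORT [PROBE]: connect, send PROBE (printf %b syntax)
  # if given, and print whatever the server says in the first 3 seconds.
  local host=$1 port=$2 probe=${3:-} line
  exec 3<>"/dev/tcp/$host/$port" || return 1
  [ -n "$probe" ] && printf '%b' "$probe" >&3
  while IFS= read -r -t 3 line <&3; do printf '%s\n' "$line"; done
  exec 3>&- 3<&-
}

version_tokens() {
  # Print every "Name/1.2.3", "Name_3.9p1" or "Name 8.12.10" token from
  # stdin, one per line: the strings an attacker feeds to an exploit search.
  grep -oE '[A-Za-z][A-Za-z0-9_-]*[/_ ][0-9]+(\.[0-9]+)+[A-Za-z0-9]*'
}

leaks_version() {
  # Exit 0 if the banner on stdin still reveals a product version.
  version_tokens | grep -q .
}

check_banner() {
  # check_banner LABEL < banner: one-line verdict for a report,
  # non-zero exit when something leaked.
  local label=$1 found
  found=$(version_tokens | tr '\n' ' ')
  if [ -n "$found" ]; then
    printf '%s: LEAKS %s\n' "$label" "$found"
    return 1
  fi
  printf '%s: clean\n' "$label"
}

# Against real services (placeholder hosts; run from a box allowed to probe):
#   grab_banner mail.example.com 25 | check_banner smtp
#   grab_banner www.example.com 80 'GET / HTTP/1.0\r\n\r\n' | grep -i '^Server:' | check_banner http
#   grab_banner shell.example.com 22 | check_banner ssh
# Constructed banners, e.g. "SSH-1.99-OpenSSH_3.9p1" or
# "Server: Apache/1.3.29 (Unix) PHP/4.3.5", are flagged; "Server: Webserver"
# and "220 smtp.domain.com ESMTP Mailserver; Thu, 1 Jan 1970 01:00:00" pass.
```

A clean verdict from this script only means the greeting is clean. A fingerprinting scanner such as nmap with version detection matches protocol behaviour, error strings and option support rather than the greeting alone, so it can still name the product, as the ProFTPD reply further down this thread shows; the banner edit buys a little time against people who only grep banners, nothing more.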
Dunceor (Frequent Member, joined 05 Sep 2003, 219 posts, Sweden) posted Sun Oct 05, 2003 6:51 pm:
Well, it's always good to do more stuff so crackers have it tougher getting into your system, but some people think that it's enough just to change the banner of the program and they are safe. Don't go down that line..
Security by obscurity is a bad thing. Otherwise a good text… /me goes and changes some banners…
http://www.puffy.nu/~dunceor
Weaver (Regular Member, joined 04 Jan 2003, 80 posts, WI, USA) posted Wed Oct 08, 2003 11:31 pm:
I noticed you didn’t have one for qmail… Props to DJB for a great MTA. -Weaver
"Great spirits have always encountered violent opposition from mediocre minds."
fsb (Frequent Member, joined 08 May 2003, 117 posts) posted Thu Oct 09, 2003 1:39 am:
I wish I had read that when removing the banners from my server a few months ago. It would have saved hours of cursing. Thanks all the same Hugo, I knew there was a reason you had root on my box.
z0ulsh1ne (Just Arrived, joined 03 Jul 2003, 2 posts) posted Tue Oct 28, 2003 12:12 am:
Hi there,

I have tried changing the banner of my proftpd with:

ServerIdent on "Welcome home"

or

ServerIdent off

in my /etc/proftpd.conf. Both work fine: when I connect it shows no more ProFTPD information. But nmapping still says:

21/tcp open ftp ProFTPD 1.2.8

I know nmap does more tests on a server than just looking at the banner, but how could I hide my version from nmap? Nice day,
z0ulsh1ne

PS: wow, what a board: reading, reading, reading, learning.
Sgt_B (Trusted SFDC Member, joined 28 Oct 2002, 1120 posts, Chicago, IL US) posted Tue Oct 28, 2003 5:18 pm:
Good read hugo! Thanks! There's another way to modify Apache banners without editing source code. Some of you may be uncomfortable editing source code, or don't have the time or window of opportunity to recompile. In this case you could use the ServerTokens directive in httpd.conf. While this method is very useful it is not as good as hugo's. Using ServerTokens at its "highest" setting will still show the server type during a banner grab (Apache). This may be acceptable since it also removes any mod banners as well. Still, for full obscurity, you may want to use hugo's suggestion (combined with ServerTokens maybe?)
Quote:
ServerTokens directive
Syntax: ServerTokens Minimal|ProductOnly|OS|Full
Default: ServerTokens Full
Context: server config
Status: core
Compatibility: ServerTokens is only available in Apache 1.3 and later; the ProductOnly keyword is only available in versions later than 1.3.12

This directive controls whether the Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

ServerTokens Prod[uctOnly]
  Server sends (e.g.): Server: Apache
ServerTokens Min[imal]
  Server sends (e.g.): Server: Apache/1.3.0
ServerTokens OS
  Server sends (e.g.): Server: Apache/1.3.0 (Unix)
ServerTokens Full (or not specified)
  Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2

This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.
http://httpd.apache.org/docs/mod/core.html#servertokens
"All that is necessary for the triumph of evil is that good men do nothing." –Edmund Burke (1729 – 1797)
vlad902 (Frequent Member, joined 04 Jan 2003, 162 posts) posted Tue Oct 28, 2003 8:03 pm:
FYI, for postfix, main.cf has a line like: smtpd_banner = $mydomain ESMTP $mailversion (or something like that). So I'd just change it to: smtpd_banner = $mydomain SMTP Sendmail 1.7.4 (Windows 98^H^H2000)
uslacker99 (Just Arrived, joined 30 Sep 2004, 1 post) posted Thu Sep 30, 2004 8:56 am, subject: sendmail version --> greeting may not be enough:
If you're really paranoid, you will want to:

cat /dev/null > /etc/mail/sendmail.hf

or do the same to whatever file your help file is set to in /etc/mail/sendmail.cf. That way, when someone connects to your server and types HELP, he doesn't see your version.