Archive for the ‘Computer Security’ Category

Web sites store information on the local machines of site visitors using cookies. On subsequent visits, the browser sends the data from the cookies on the visitor's machine back to the web server, which can then use that information as a historical record of the user's activity on the site; at a minimum a cookie records when it was created, when it is set to expire and when it was last accessed, i.e. the last time the user visited the site. Sites also use cookies to ‘remember’ user activity, such as shopping cart items or login/session information, to work around the stateless nature of HTTP.

Most users think that only the sites they have directly visited store cookies on their computers; in reality the number is far higher. A single page you visit usually pulls in lots of third-party resources, especially ads, and each of them can store cookies on your computer. In this post I will show how to list all the sites that left cookies on your computer, and how to extract additional information from those cookies. When I ran the script and counted the 10 sites with the largest number of entries in the cookies sqlite DB, all but one or two of them were sites I had never directly visited!

This Python script was written to extract cookie information on a Linux box running Firefox. Firefox keeps its cookies in a sqlite file (cookies.sqlite in the profile directory), so the script uses Python's sqlite3 module to read it. Firefox holds that file locked while it is running, so either close the browser first or run the script against a copy of the file.

The script takes two arguments: the path to the cookies file and the path of an output file to write the results to. It also dumps the output to the screen.

root@dnetbook:/home/daniel/python# python cookie-fullpath output-file

root@dnetbook:/home/daniel/python# python /home/daniel/python/ $(find /home/daniel/ -type f -name 'cookies.sqlite' | head -1) /tmp/test.txt
,Thu Feb 11 17:56:01 2016,Thu Apr 23 20:46:58 2015,Tue Feb 11 17:56:01 2014
,Thu Feb 11 17:56:05 2016,Tue Apr 21 22:27:46 2015,Tue Feb 11 17:56:05 2014
,Thu Feb 11 17:56:12 2016,Tue Apr 21 22:19:35 2015,Tue Feb 11 17:56:12 2014
,Thu Aug 13 19:32:02 2015,Thu Apr 23 20:46:57 2015,Tue Feb 11 18:32:0

Each line of the output is the domain name of the site, the cookie expiry date, the last access time and the creation time.

Code follows –

#!/usr/bin/env python

''' Given a location to firefox cookie sqlite file
    Write its date param - expiry, last accessed,
    Creation time to a file in plain text.
    python /home/daniel/python/ $(find /home/daniel/ -type f -name 'cookies.sqlite' | head -1) /tmp/test.txt
'''

import sys
import os
from datetime import datetime
import sqlite3

# Some dates in the cookies file might not be valid, or too big
# (expiry values far beyond 2038); anything above this is clamped
MAXDATE = 2147483647

def Usage():
    print("{0} cookie-fullpath output-file".format(sys.argv[0]))
    sys.exit(1)

if len(sys.argv) < 3:
    Usage()

sqldb = sys.argv[1]
destfile = sys.argv[2]

# cookies file must be there, most often file name is cookies.sqlite
if not os.path.isfile(sqldb):
    print("cookies file not found: {0}".format(sqldb))
    sys.exit(1)

# a hack - to convert the epoch times to human readable format.
# expiry is stored in seconds, lastAccessed and creationTime in
# microseconds, so values longer than 10 digits are cut down to seconds
def convert(epoch):
    mydate = str(epoch)
    if len(mydate) > 10:
        mydate = mydate[:10]
    if int(mydate) > MAXDATE:
        mydate = str(MAXDATE)
    x = datetime.fromtimestamp(int(mydate))
    return x.ctime()

# Bind to the sqlite db and execute sql statements; the columns are
# named because their order in moz_cookies differs between Firefox versions
mydata = []
try:
    con = sqlite3.connect(sqldb)
    cur = con.cursor()
    data = cur.execute('select host, expiry, lastAccessed, creationTime from moz_cookies')
    mydata = data.fetchall()
    con.close()
except sqlite3.Error as e:
    print('Error {0}:'.format(e.args[0]))
    sys.exit(1)

# Dump results to a file, one cookie per line
with open(destfile, 'w') as fp:
    for item in mydata:
        urlname = item[0]
        expiry = convert(item[1])
        accessed = convert(item[2])
        created = convert(item[3])
        fp.write(urlname + ',' + expiry + ',' + accessed + ',' + created + '\n')

# Dump to stdout as well
with open(destfile) as fp:
    for line in fp:
        print(line.rstrip('\n'))

TOP 10 sites with the highest number of entries in the cookies file –

root@dnetbook:/home/daniel/python# awk -F, '{print $1}' /tmp/test.txt  | sort | uniq -c | sort -nr | head -10
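To show the extraction and the per-host count end to end without a Firefox profile, here is an added Python example; it is not the script from this post. It builds an in-memory copy of the two Firefox tables it needs (moz_cookies for the cookies, moz_places for the browsing history) from constructed rows, converts each timestamp with the unit its column actually uses (expiry in seconds, lastAccessed and creationTime in microseconds) instead of guessing from the digit count, counts entries per host the way the awk pipeline above does, and goes one step further than the post by listing the cookie hosts that never appear in the browsing history. The table layouts are reduced to the columns used and every host name, URL and timestamp is made up.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Largest value a signed 32-bit time_t can hold; larger expiry values are
# clamped, as the post's script does, instead of aborting the conversion.
MAX_EPOCH = 2 ** 31 - 1

# Constructed cookie rows: host, name, expiry, lastAccessed, creationTime.
# In moz_cookies, expiry is in seconds while lastAccessed and creationTime
# are in microseconds since the Unix epoch. Hosts and values are made up.
SAMPLE_COOKIES = [
    ("news.example.org", "sessid", 1455213361, 1429822018000000, 1392141361000000),
    (".ads.example.net", "uid",    1455213365, 1429655266000000, 1392141365000000),
    (".ads.example.net", "track",  1455213372, 1429654775000000, 1392141372000000),
    (".ads.example.net", "ab",     1455213372, 1429654775000000, 1392141372000000),
    ("cdn.example.com",  "geo",    9999999999, 1429654775000000, 1392141372000000),
    ("news.example.org", "pref",   1455213361, 1429822018000000, 1392141361000000),
]

# Constructed browsing-history rows for moz_places; only url is needed.
SAMPLE_HISTORY = [
    ("https://news.example.org/front",),
    ("https://news.example.org/story/1",),
    ("https://login.example.org/",),
]

def build_profile():
    """In-memory stand-in for cookies.sqlite and places.sqlite, reduced to
    the columns the queries below use (column names as Firefox names them)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table moz_cookies (host text, name text, expiry integer, "
                "lastAccessed integer, creationTime integer)")
    con.execute("create table moz_places (url text)")
    con.executemany("insert into moz_cookies values (?,?,?,?,?)", SAMPLE_COOKIES)
    con.executemany("insert into moz_places values (?)", SAMPLE_HISTORY)
    return con

def epoch_to_text(value, microseconds=False):
    """Render an epoch value as ctime-style text in UTC, using the unit the
    column is known to use; out-of-range values are clamped to MAX_EPOCH."""
    seconds = value // 1000000 if microseconds else value
    seconds = min(max(seconds, 0), MAX_EPOCH)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")

def cookie_records(con):
    """(host, expiry, last accessed, created) per cookie, like the post's
    output file; the leading dot of domain cookies is dropped so that
    '.ads.example.net' and 'ads.example.net' count as one host."""
    rows = con.execute("select host, expiry, lastAccessed, creationTime "
                       "from moz_cookies order by rowid")
    return [(host.lstrip("."), epoch_to_text(exp), epoch_to_text(acc, True),
             epoch_to_text(cre, True)) for host, exp, acc, cre in rows]

def top_hosts(con, n=10):
    """Equivalent of: awk -F, '{print $1}' | sort | uniq -c | sort -nr | head -n"""
    return Counter(r[0] for r in cookie_records(con)).most_common(n)

def visited_hosts(con):
    """Host names that occur in the browsing history."""
    hosts = set()
    for (url,) in con.execute("select url from moz_places"):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    return hosts

def third_party_hosts(con):
    """Cookie hosts never seen in the history: the sites that left cookies
    without ever being visited directly. A domain cookie for example.org
    counts as visited if any example.org host appears in the history."""
    visited = visited_hosts(con)
    def seen(host):
        return any(v == host or v.endswith("." + host) for v in visited)
    return sorted(h for h, _count in top_hosts(con, None) if not seen(h))

if __name__ == "__main__":
    con = build_profile()
    for rec in cookie_records(con):
        print(",".join(rec))
    print("top hosts:", top_hosts(con))
    print("never visited:", third_party_hosts(con))
```

To run this against a real profile, replace build_profile() with sqlite3 connections to copies of cookies.sqlite and places.sqlite; the queries use only columns that exist in both files. Times are rendered in UTC so that the output is the same on every machine, whereas the post's script prints local time.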


Linux security tip of the day

User accounts get created and removed regularly on most development and production servers. It is not uncommon to simply delete a user without deleting, or changing the ownership of, all the files and directories associated with that user or group id. Some of those files will not be in the user's home directory, so it is a good idea to search the whole file system for files owned by a non-existent user or group. This is a real security issue: an account created later may be assigned the same user or group id as the deleted one and end up owning files that never belonged to it.

Solution – search for ‘un-owned’ files and either change their ownership to root:root or move them to backup storage. Review the list before changing anything; note also that the loops below split on whitespace, so paths containing spaces need find's -exec instead.

[root@danasmera ~]# declare -a no_user_files
[root@danasmera ~]# for myfile in $(egrep '(ext2|ext3|ext4)' /etc/fstab | awk '{print $2}')
> do
>     no_user_files+=( $(find $myfile -xdev \( -type f -o -type d \) -nouser -print) )
> done

[root@danasmera ~]# for myfile in ${no_user_files[@]}; do chown root:root $myfile; done

Follow similar steps for files/directories owned by non-existent groups.

[root@danasmera ~]# declare -a no_group_files
[root@danasmera ~]# for myfile in $(egrep '(ext2|ext3|ext4)' /etc/fstab | awk '{print $2}')
> do
>     no_group_files+=( $(find $myfile -xdev \( -type f -o -type d \) -nogroup -print) )
> done

[root@danasmera ~]# for myfile in ${no_group_files[@]}; do chown root:root $myfile; done
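The same search written in Python, as an added example that is not from the post, so each piece can be exercised without root: it parses the ext2/3/4 mount points out of a constructed fstab by filesystem type rather than by grepping the whole line (the post's egrep would also match a mount point that merely has ‘ext4’ in its name), walks each filesystem without crossing device boundaries (find's -xdev), flags files and directories whose uid or gid is missing from the account database (-nouser / -nogroup), and reassigns ownership to root:root only when explicitly asked. The scratch-directory run simulates a deleted account by handing the walker an empty set of known uids; the fstab text and the file names are made up.

```python
import grp
import os
import pwd
import stat
import tempfile

# Constructed /etc/fstab (not taken from the post); on a real host read
# /etc/fstab. The xfs line shows why matching on the type field beats
# grepping the whole line for 'ext4'.
SAMPLE_FSTAB = """\
# <device>            <mount point>   <type>  <options>  <dump> <pass>
UUID=1111-2222        /               ext4    defaults   1 1
UUID=3333-4444        /home           ext4    defaults   1 2
/dev/mapper/vg0-var   /var            ext3    defaults   1 2
/dev/sdb1             /mnt/ext4data   xfs     defaults   0 0
tmpfs                 /dev/shm        tmpfs   defaults   0 0
UUID=5555-6666        swap            swap    defaults   0 0
"""

LOCAL_FS_TYPES = {"ext2", "ext3", "ext4"}

def local_mount_points(fstab_text):
    """Mount points of the ext2/3/4 filesystems listed in fstab text."""
    points = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if fields[2] in LOCAL_FS_TYPES:
            points.append(fields[1])
    return points

def classify(uid, gid, known_uids, known_gids):
    """find's -nouser / -nogroup tests for one inode; None if both exist."""
    no_user = uid not in known_uids
    no_group = gid not in known_gids
    if no_user and no_group:
        return "nouser,nogroup"
    if no_user:
        return "nouser"
    if no_group:
        return "nogroup"
    return None

def find_unowned(mount_point, known_uids=None, known_gids=None):
    """Yield (path, uid, gid, problem) for regular files and directories
    under mount_point whose owner or group is not in the account database,
    staying on one filesystem like find's -xdev."""
    if known_uids is None:
        known_uids = {p.pw_uid for p in pwd.getpwall()}
    if known_gids is None:
        known_gids = {g.gr_gid for g in grp.getgrall()}
    dev = os.lstat(mount_point).st_dev
    for root, dirs, files in os.walk(mount_point):
        same_dev = []
        for d in dirs:
            try:
                if os.lstat(os.path.join(root, d)).st_dev == dev:
                    same_dev.append(d)
            except OSError:
                pass
        dirs[:] = same_dev          # os.walk honours in-place edits to dirs
        for name in dirs + files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
                continue
            problem = classify(st.st_uid, st.st_gid, known_uids, known_gids)
            if problem:
                yield path, st.st_uid, st.st_gid, problem

def reassign_to_root(entries, apply=False):
    """Chown the reported paths to root:root. Defaults to a dry run so the
    list can be reviewed (or moved to backup) before ownership changes."""
    touched = []
    for path, _uid, _gid, _problem in entries:
        if apply:
            os.chown(path, 0, 0)    # needs root
        touched.append(path)
    return touched

def demo_on_scratch_dir():
    """Simulate a deleted account: walk a scratch directory with an account
    database that contains none of the uids, so every inode reads as nouser."""
    with tempfile.TemporaryDirectory() as scratch:
        leftover = os.path.join(scratch, "leftover")
        notes = os.path.join(leftover, "notes.txt")
        os.mkdir(leftover)
        with open(notes, "w") as fp:
            fp.write("file of an account that no longer exists\n")
        gids = {os.lstat(p).st_gid for p in (scratch, leftover, notes)}
        found = list(find_unowned(scratch, known_uids=set(), known_gids=gids))
        return sorted(os.path.relpath(p, scratch) + ":" + problem
                      for p, _u, _g, problem in found)

if __name__ == "__main__":
    print("local filesystems:", local_mount_points(SAMPLE_FSTAB))
    print("scratch run:", demo_on_scratch_dir())
```

On a real host, loop over local_mount_points(open("/etc/fstab").read()), collect find_unowned(mp) for each, inspect the list, and only then call reassign_to_root(entries, apply=True) as root.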

For more information on hardening your operating system or applications, go to the Center for Internet Security website and download the freely available Benchmarks. The Benchmarks are ‘scorable’, easy to follow, step by step instructions on how to secure your box.

Problem: every time a user logs in, they get a “Could not chdir to home directory….Permission denied” error, although they can log in to the system and change to their home directory without any problem.

Cause in this particular case: the system had a separate LVM partition for /home, and at one point that partition crashed and was gone for good. I had to create a new LVM volume for /home, and the new filesystem came up with the generic file_t (unlabeled) security context instead of home_root_t, which SELinux does not let the login process change into, as shown below.

-See the error below

[ ~]$ ssh daniel@localhost
daniel@localhost's password:
Last login: Wed Dec 11 09:48:56 2013 from localhost.localdomain
Could not chdir to home directory /home/daniel: Permission denied

-No login or changing to home directory issue here.

[ /]$ cd /home/daniel/
[ ~]$ pwd

-SELinux is enabled and in enforcing mode

[ ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

-Let us set SELinux into permissive mode to see if that is the cause. (The denial can also be confirmed without lowering enforcement by checking the audit log with ausearch -m avc -ts recent.)

[ ~]# setenforce 0
[ ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

[ ~]$ ssh daniel@localhost
daniel@localhost's password:
Last login: Wed Dec 11 09:50:11 2013 from localhost.localdomain

(No error message anymore!) Now let us resolve the SELinux issue properly.

-Let us display the security context for home

[ ~]# ls -dZ /home
drwxr-xr-x. root root system_u:object_r:file_t:s0      /home

-Time to restore to default SELinux security context

[ ~]# restorecon -v /home
restorecon reset /home context system_u:object_r:file_t:s0->system_u:object_r:home_root_t:s0

-Let us enable SELinux

[ ~]# setenforce 1

-Error message disappears! (If the user directories under /home were recreated as well, relabel them too with restorecon -Rv /home.)

[ ~]$ ssh daniel@localhost
daniel@localhost's password:
Last login: Wed Dec 11 09:52:11 2013 from localhost.localdomain


You are being watched!

Carrier IQ's own website claims that its software is deployed on more than 141 million handsets. Many of the major carriers and handset makers preinstall Carrier IQ on the handsets they sell, including AT&T, T-Mobile, Apple and HTC. The software behaves no differently from a rootkit: it records every keystroke you make on your handset, the sites you visit, the SMS messages you send and receive, and much more.


Imperva isolated the four most prevalent Web application attacks:

1. Directory traversal = 37%
2. Cross site scripting = 36%
3. SQL injection = 23%
4. Remote file include = 4%


Unblocking a host

Is your firewall blocking connections from a host whose IP address you now want to allow again? Here is one way of doing it:

1. List the firewall rules with their line numbers and grep for the IP address (e.g.
$ /sbin/iptables -L INPUT -n --line-numbers | grep

-Write down the line number.
-If the chain name is different or user defined, replace “INPUT” by the relevant chain name such as OUTPUT.

2. Delete the rule by its line number (e.g. for line number 99 in chain INPUT)

$ /sbin/iptables -D INPUT 99

-Line numbers shift after each deletion, so when removing several rules re-list the chain before every delete, or delete the highest number first.
-This changes only the running rule set; to keep the change across a reboot, save the rules (e.g. with iptables-save) the way your distribution expects.
