I accidentally left elasticsearch exposed to the web.
Somebody tried to execute a search that includes the following script:
String str = \"\";
BufferedReader br = new BufferedReader(newInputStreamReader(
Runtime.getRuntime().exec(\"/etc/init.d/iptables stop\").getInputStream()));
StringBuilder sb = new StringBuilder();
while((str = br.readLine()) != null){ sb.append(str); }
sb.toString();
"}}}}
It looks like they tried to disable the firewall on the machine, and sent back the result of the command.
If found the query because it caused the following Exception:
java.lang.IllegalStateException: source and source_content_type parameters are required
Should I assume the system has been compromised, or is this a sign that the attack has been thwarted?
You shouldn't assume that has been compromised, but you definitely should remove the full access from every host, and after that, dig into the elasticsearch server to search for active connections or signs of any compromised file.
If you use the ELK on AWS they don't store other stuff on the machine, but if is a standalone installation from the ELK stack and if you store other stuff on the server, you should check if everything is still there.
Related
I have an azure function that runs off of a queue trigger. The repository has method to grab the connection string from the ConnectionStrings collection.
return System.Configuration.ConfigurationManager.ConnectionStrings["MyDataBase"].ToString();
This works great for the most part but I see intermittently that this returns a null exception error.
Is there a way I can make this more robust?
Do azure functions sometimes fail to get the settings?
Should I store the setting in a different section?
I also want to say that this runs thousands of times a day but I see this popup about a 100 times.
Runtime version: 1.0.12299.0
Are you reading the configuration for every function call? You should consider reading it once (e.g. using a Lazy<string> and static) and reusing it for all function invocations.
Maybe there is a concurrency issue when multiple threads access the code. Putting a lock around the code could help as well. ConfigurationManager.ConnectionStrings should be tread-safe, but maybe it isn't in the V1 runtime.
A similar problem was posted here, but this concerned app settings and not connection strings. I don't think using CloudConfigurationManager should be the correct solution.
You can also try putting the connection string into the app settings, unless you are using Entity Framework.
Connection strings should only be used with a function app if you are using entity framework. For other scenarios use App Settings. Click to learn more.
(via Azure Portal)
Not sure if this applies to the V1 runtime as well.
The solution was to add a private static string for the connection string. Then only read from the configuration if it fails. I then added a retry that paused half a second. This basically removed this from happening.
private static string connectionString = String.Empty;
private string getConnectionString(int retryCount)
{
if (String.IsNullOrEmpty(connectionString))
{
if (System.Configuration.ConfigurationManager.ConnectionStrings["MyEntity"] != null)
{
connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["MyEntity"].ToString();
}
else
{
if (retryCount > 2)
{
throw new Exception("Failed to Get Connection String From Application Settings");
}
retryCount++;
getConnectionString(retryCount);
}
}
return connectionString;
}
I don't know if this perfect but it works. I went from seeing this exception 30 times a day to none.
We have been trying to use a SqlConnection within a TransactionScope. When we build the site and try this database call we run into an error:
A transport-level error has occurred when receiving results from the server. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.)
The error involved occurs on the line cnn.Open().
using (var scope = new TransactionScope())
using (var cnn = new SqlConnection(connectionString))
{
cnn.Open();
int result = cnn.QuerySingle<int>("SELECT 1");
Console.WriteLine(result);
}
We created a console application to figure out what was wrong and discovered that by changing our connection string keyword 'Pooling' from 'false' to 'true' allows this to run in the console application and successfully return our result.
We made the same change to our site connection string, the same error as before returns.
Is there any reason this code is not working?
I was under the assumption that the web.config was law, as viewing the file through the Kudu service showed my expected connection string, but apparently this isn't the case in Azure.
I discovered that Azure Publish Profile is overriding our web.config connection string, this override still contained 'Pooling=false'.
Removing this now allows our code to run as intended.
This blog post explains more:
"When this code runs on a developer’s local machine, the value returned will be the one from the web.config file. However when this code runs in Windows Azure Web Sites, the value returned will instead be overridden with the value entered in the portal"
I can't get SqlDataProvider to work when executed in a fsx script which is running in an Azure Web Site.
I have started from the samples that Tomas Petrecek has here: https://github.com/tpetricek/Dojo-Suave-FsHome.
In short it is a FSX script that is executed using the IIS httpPlatformHandler so that all http requests to my Azure Web site is forwarded to my F# script.
The F# Script use Suave to handle the requests.
When I tried adding some database access to my HTTP handlers I got into problems.
The problematic code looks like this:
[<Literal>]
let connStr = "Server=(localdb)\\v11.0;Initial Catalog=My_Database;Integrated Security=true;"
[<Literal>]
let resolutionFolder = __SOURCE_DIRECTORY__
FSharp.Data.Sql.Common.QueryEvents.SqlQueryEvent |> Event.add (printfn "Executing SQL: %s")
// the following line fails when executing in azure
type db = SqlDataProvider<connStr, Common.DatabaseProviderTypes.MSSQLSERVER, ResolutionPath = resolutionFolder>
let saveData someDataToSave =
let ctx = db.GetDataContext(Environment.GetEnvironmentVariable("SQLAZURECONNSTR_QUERIES"))
.....
/// code using the context here
This works just fine when I run it locally, but when I deploy it to the azure site it will fail at the line where the type dbis created.
The error message is (line 70 is the line that has the type db = ...:
D:\home\site\wwwroot\app.fsx(70,11): error FS3033: The type provider
'FSharp.Data.Sql.SqlTypeProvider' reported an error: A network-related
or instance-specific error occurred while establishing a connection to
SQL Server. The server was not found or was not accessible. Verify
that the instance name is correct and that SQL Server is configured to
allow remote connections. (provider: SQL Network Interfaces, error: 52
- Unable to locate a Local Database Runtime installation. Verify that SQL Server Express is properly installed and that the Local Database
Runtime feature is enabled.)
The design-time database in the connStr is not available in the azure site, but I thought this is why we have the GetDataContext overload that takes a connection string to be used at run-time?
Is it because it is running as a script and not as compiled code that it is trying to access the database when creating the TypeProvider?
If yes, does it mean that my only option is to compile and provide the database code as a compiled assembly that I load and use in my Suave FSX script?
Reading the connection string from a config file does not work very well as this is in a azure site. I really need to get the connection string from an environment variable (which is set in the azure management interface).
Hmm, this is a bit unfortunate - as #Fyodor mentioned in the comments, the problem is that the script-based deployment to Azure actually compiles the script on the Azure machine - and so you need to have a statically-resolved connection string that works on Azure.
There are two options:
Use compiled project instead. If you compile your F# code locally and deploy the compiled code to Azure it will work. Sadly, there are no good samples for that.
Do some clever trick to make the connection string accessible to the script at compile time.
Send a PR to the SQL provider so that you can give it the name of an environment variable and it reads the connection string from there.
I think (3) would actually be quite nice and useful feature.
I'm not necessarily sure what the best way to do (2) would be. But I think you might be able to modify app.azure.fsx so that it creates a file (say connection.fsx) that contains something like:
module Connection
let [<Literal>] ConnString = "<Contents of SQLAZURECONNSTR_QUERIES>"
Then app.fsx could load this script and use Connection.ConnString in the argument of SQL type provider.
My computer is connected to a domain, but when I go to create a public queue:
MessageQueue.Create(#".\testqueue");
I get this error:
A workgroup installation computer does
not support the operation.
Why might MSMQ think I'm on a workgroup computer?
I know this is late, and there is already an accepted answer, but I just had this issue and it was resolved by changing the format of the queue string.
When my queue name was this, I got the workgroup error:
".\QueueName"
When I changed it to a more formal version, there was no error and sending to the queue worked:
"FormatName:DIRECT=OS:ComputerName\private$\QueueName"
Just in case someone else comes across this post, now they have something else to try...
I got the same problem and solved it by changing it to #".\private$\QueueName"
Being part of a domain is a pre-cursor for installing MSMQ in AD-integrated mode.
It doesn't guarantee MSMQ IS installed in AD-integrated mode.
MSMQ will install in workgroup mode if:
AD integration was not selected as a setup option
AD integration was selected but failed to initialise; check event logs
Yes, the workgroup name is confusing in a domain member situation.
I was facing the same problem, take a look at solution below. I don't know the reason but creating queue in this manner works perfectly.
private MessageQueue messageQueue;
public const string DEFAULT_QUEUE_NAME = "newQueue";
public const string QUEUENAME_PREFIX = ".\\Private$\\";
public static string QueueName
{
get
{
string result = string.Format("{0}{1}", QUEUENAME_PREFIX, DEFAULT_QUEUE_NAME);
return result;
}
}
public void SendMessage()
{
string queuePath = QueueName;
MessageQueue messageQueue = MessageQueue.Create(queuePath);
messageQueue.Send("msg");
}
you can create queue for receiving message in the same manner.
Adding for documentation purpose... I was getting error "A workgroup installation computer does not support the operation" while trying to access transactional dead letter queue and it was due to not specifying the machine name. I was using period to denote computer name. e.g. "FORMATNAME:DIRECT=OS:.\SYSTEM$;DEADXACT". It does not work even with using complete format name. Problem solved after replacing the period with computer name. Below is the working code.
using (var queue = new MessageQueue($#"FORMATNAME:DIRECT=OS:{Environment.MachineName}\SYSTEM$;DEADXACT"))
{
queue.Purge();
}
It is possible that MSMQ installed in your machine as a guest user or another user so remove it from machine and install it with administrative permission.
On the server I was having trouble running MSMQ and getting different kinds of errors, including the error asked in the question.
A workgroup installation computer does not support the operation
What worked for me was not fiddling with Server Manager, but reinstalling MSMQ using Powershell.
Remove-WindowsFeature Msmq; Add-WindowsFeature MsMq
These two cmdlets can be run in a Powershell console running as Administrator. At least it fixed the error for me, but this will install the entire Msmq feature, including subfeatures.
i got this error while debugging a web site from visual studio (2015).
restarting the iisexpress solved this...
I am attempting to obtain a data feed from yahoo finance. I am doing this with the following code:
System.Net.WebRequest request = System.Net.WebRequest.Create(http://download.finance.yahoo.com/download/quotes.csv?format=sl&ext=.csv&symbols=^ftse,^ftmc,^ftas,^ftt1x,^dJA);
request.UseDefaultCredentials = true;
// set properties of the request
using (System.Net.WebResponse response = request.GetResponse())
{
using (System.IO.StreamReader reader = new System.IO.StreamReader(response.GetResponseStream()))
{
return reader.ReadToEnd();
}
}
I have placed this code into a console application and, using Console.WriteLine on the output I receive the information I require. I have used the 'Run as..' command to execute this using a specific domain account.
When I use this code from within a Page load I receive the following error message "No connection could be made because the target machine actively refused it 76.13.114.90:80".
This seems to suggest that the call is reaching yahoo (is this true?) and that there is something missing.
This would suggest there is an identity difference in the calls between the console application and application pool.
Environment is: Windows Server 2003, IIS 6.0, .net 4.0
"Target machine actively refused it" indicates that the TCP connection itself is not succeeding. This could be due to the fact that the Proxy settings when run under IIS are not the same as those that apply when you run in the console.
You can fix this by setting a WebProxy on your request, that points to the proxy server being used in the environment.
Yes, an active refusal is indication that the target machine is receiving the request and the information in the headers is either incorrect or insufficient to process the request. It is entirely possible that if you had to run this call using a "run as" command in console that the application pool's identity user does not have the appropriate permission or username. You can attempt to change the identity user to this specific domain account to see if that alleviates the problem, but you may have to isolate this particular function into its own application pool in order to protect the rest of the website from having this specification.