Tuesday, 16 May 2017

Guidance for WannaCrypt attacks - WINDOWS UPDATE LINKS

 Guidance for WannaCrypt attacks

Microsoft solution available to protect additional products

Today many of our customers around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. 

Step 3: Select Appropriate   >> Operating System and download security  update .

Step 4: Install >> Restart the PC

Step 5:   How can you find out which Microsoft Patches are installed on the PC?

A.   In the Windows Start menu you select the "Run..." menu item and enter the command "cmd". 

B . In the DOS command window that opens you enter the command below:

wmic qfe list full /format:htable >C:\Temp\hotfixes.html

C .   Open Location C:\Temp\

D. Open hotfixes.html with chrome or else.

Thanks :-) !

WannaCry Ransomeware attack: From shut ATMs to Dance of Hillary videos. - NEWS TIME

WannaCry or WannaCrypt Ransomeware is all we see people talking about this week. The cyber attack which started affected computers last Friday continues to spread in full swing and despite there being a patch by Microsoft, thousands of computers remain affected. The ransomware gives the hackers access to the complete system with all data - and in order to once again access their computers, users are asked to pay $300 to $600 (between Rs 9,000 and Rs 38,000) worth bitcoins in ransom..

As with every new threat, WhatsApp spammers are having a field day. There have been multiple messages shared over the messaging app, warning users to stay safe. While most of the messages give users a gist of what the attack is all about and ask them to follow certain measures, many are off the mark and completely ridiculous. Apart from warning users about the possible threats, there are even other "sources of malware" listed in the messages which are completely fake and could mislead readers. Here's a list of all the fake messages circulating on WhatsApp:.

1. No money withdrawls:

While the message below does contain some true facts, most of it is misrepresented though. Over 150 countries have been affected, not merely 74. Also, banks are yet to issue an official statement regarding ATMs or other services.

Here's what one of the messages doing the rounds says: "Stay tunned with latest news for updates...Also keep antivirus ON and do not operate bank n shoping sites or pay utility through mobile hold on for today before doin anything.....Massive Ransomeware attack...Total 74 countries affected...Please do not open any email which has attachments with "tasksche.exe" file. Please send this important message to all your computer users ATM 's will be closed for next 2-3 days probably, due to ransomware cyber attack within India. So, if you need then please withdraw money today for rest of week atleast. Don't do any online transactions today. Please inform all contacts from your list not to open a video called the "Dance of the Hillary". It is a virus that formats your mobile. Beware it is very dangerous. Fwd this msg to as many as you can!.
Except africa all country's IT companies are hacked. Don't open any shopping carts today.

Please inform all contacts from your list not to open a video called the "Dance of the Hillary". It is a virus that formats your mobile. Beware it is very dangerous. They announced it today on BBC radio. Fwd this msg to as many as you can!".

2. Dance of Hillary:

The below message claiming a Dance of Hillary video file doing rounds is fake. The Dance of Hillary is simply a renaming of Dance of Pope virus that circulated on smartphones. Though it is always advisable to exercise caution before downloading any file, this time around, this warning is a fake.
"Please inform all contacts from your list not to open a video called the "Dance of the Hillary". It is a virus that formats your mobile. Beware it is very dangerous. They announced it today on BBC radio. Fwd this msg to as many as you can!.
Massive Ransomeware attack...Total 74 countries affected...Please do not open any email which has attachments with "tasksche.exe" file.
The messages above are the main ones doing rounds. There is also another message circulating which explains the new malware in detail and is pretty accurate in the description:.

"What is Ransomware?
And How to be aware!.
True Information Here,
Ransomware is a malicious software that encrypts the files and locks device, such a.
a computer, tablet or smartphone and then demands a ransom to unlock it. Recently, a.
dangerous ransomware named 'Wannacry' has been affecting the computers worldwide.
creating the biggest ransomware attack the world has ever seen. This has affected.

What is WannaCry Ransomware?.

WannaCry ransomware attacks windows based machines. It also goes by the name.
WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY.It leverages SMB exploit in.
Windows machines called EternalBlue to attack and inject the malware. All versions of.
windows before Windows 10 are vulneable to this attack if not patched for MS-17-010.
After a system is affected, it encrypts the files and shows a pop up with a countdown and.
instructions on how to pay the 300$ in bitcoins to decrypt and get back the original files. If.
the ransom is not paid in 3 days, the ransom amount increases to 600$ and threatens the.
user to wipe off all the data. It also installs DOUBLEPULSAR backdoor in the machine.

What can you do to prevent infection?.

It has released a Windows security patch MS17-010 for Winodws machines.
This needs to be applied immediately and urgently.

Use This link :

Remove Windows NT4, Windows 2000 and Windows XP-2003 from production.
Block ports 139, 445 and 3389 in firewall.
Avoid clicking on links or opening attachments or emails from people you don't.
know or companies you don't do business with.
SMB is enabled by default on Windows. Disable smb service on the machine by.
going to Settings > uncheck the settings > OK.

Use this Link  :

Make sure your software is up-to-date.
Have a pop-up blocker running on your web browser.
Install a good antivirus and a good antiransomware product for better security.

File Names:

Please Read Me!.txt (Older variant).
[0-9]{15}.bat #regex

All must be aware of Massive Ransomeware attack.....Please do not open any email which has attachments with tasksche.exe. file... Pl spread across all possible groups and branches... Not to open email attachments from unknown sources and update AV patch urgently.

What's Next ? -  No news regarding this so don't worry .  :-P !

Monday, 15 May 2017

Multiple IHS in front of WebSphere® Application Server. (On Single Install).

Step 1:  Login to IBM WAS console.

Screenshot 1:

Step 2: Click on servers > server types > Web server

Already on  one webserver on Port 443 & 80 is working.

Screenshot 2 :

Step 3: To Create a New webserver   [ NEW_webserver  ]  in mycase .

Click on New..

Screenshot 3 :

Step 4: Provide a server name  > Next .

Screenshot 4:

Step 5: Default IHS selected  > Next .

Screenshot 5:

Step 6: Provide NEW port no [ 5080 for http ] in mycase  >> Next

Screenshot 6:

Step 7: Review Summary >> Finish .

Screenshot 7:

Step 8: Click on Review.

Screenshot 8:

Step 9: Select Synchronize changes with Nodes >> Save >> OK .

Screenshot 9:

Step 10 : Now we have created the NEW_webserver , with status stopped.

Screenshot 10 :

Step 11 : Copy the working http.conf with [ NEWhttp.conf ]  in my case.

Screenshot 11:

Step 12 : Open the Newhttp.conf  and make changes.

1 >> PID File Location

2 >> Error logs location.
 3 >> Access logs location.
4 >> Servername
5 >> Listen Address From (:80 ) and ( :443 )  to  (5080) and (50443)  in mycase.
6 >> Virtual host port and ipaddress.
7 >> New Webserver Plugin file location.

Screenshot 12-1 :

Screenshot 12-1 :

Step 13 : Use Diff command to check the Diffrence between them.

Screenshot 13:

Step 14: Make a new folder of NEWlogs on IHS home .

Screenshot 14:

Step 15 : go to Webserver > NEW_webserver >> Configuration file name > Apply > Review > Synchronize changes with Nodes > Save.

Change the paramerts from console also.

Screenshot 15:

Step 16 : Changes in log file from console >>  Apply > Review > Synchronize changes with Nodes > Save.

Screenshot 16-1:

Screenshot 16-2:

Step 17 : Review Virtual Hosts from Console >>

Screenshot 17:

Step 18 : Add Virtual Hosts  from Console .

Environment > Virtual Hosts > default_host > Host Aliases

Screenshot 18-1 :

Screenshot 18-2 : Add a new Virtual Hosts Port : (5080) and  (50443)

Step 19: Add 5080 and 50443  >> >>  Apply > Review > Synchronize changes with Nodes > Save.

Screenshot 19 -1:

Screenshot 19-2:

Step 20: Review host entries.

Screenshot 20:

Step 21: Select  Enterprise Applications > calendar_war > Virtual hosts > select default_host > OK.

Screenshot 21:

Step 22 : Now Start the NEW_webserver from shell.

Screenshot 22:

Step 23: Generate and Propagate plugins from console.

Screenshot 23:

Step 24 : Manage the deployed application from console.

Screenshot 24:

 Clear the logs and  Restart the Application.

Step 25 : Check the IHS at port 5080 

Screenshot 25:

Step 26 : Check the calendar.war Application at port 5080 

Screenshot 26:

Step 27 : Check the IHS at port 50443 

Screenshot 27:

Step 28 : Check the calendar.war Application at port 50443 

Screenshot 28-1:

Screenshot 28-2:

Thanks :-)  Middleware Team  :-) !

Sunday, 14 May 2017

How to Analyze - JVM logs (SystemOut.log, SystemErr.log & startServer.log) of WebSphere® Application Server.

Example SystemOut.log

[1/20/17 21:02:46:527 GMT+05:30] 00000001 ManagerAdmin  I   TRAS0017I: The startup trace state is *=info.
[1/20/17 21:02:46:539 GMT+05:30] 00000001 ManagerAdmin  I   TRAS0111I: The message IDs that are in use are deprecated
[1/20/17 21:02:46:657 GMT+05:30] 00000001 ModelMgr      I   WSVR0800I: Initializing core configuration models
[1/20/17 21:02:47:351 GMT+05:30] 00000001 ComponentMeta I   WSVR0179I: The runtime provisioning feature is disabled. All components will be
[1/20/17 21:02:47:943 GMT+05:30] 00000001 AdminInitiali A   ADMN0015I: The administration service is initialized.
[1/20/17 21:02:49:880 GMT+05:30] 00000001 PluginConfigS I   PLGC0057I: The plug-in configuration service started successfully.
[1/20/17 21:02:50:061 GMT+05:30] 00000001 SSLComponentI I   CWPKI0001I: SSL service is initializing the configuration
[1/20/17 21:02:50:110 GMT+05:30] 00000001 FIPSManager   I   CWPKI0044I: FIPS security mode is : No FIPS property found. 
[1/20/17 21:02:50:124 GMT+05:30] 00000001 WSKeyStore    W   CWPKI0041W: One or more key stores are using the default password.
[1/20/17 21:02:50:187 GMT+05:30] 00000001 SSLConfigMana I   CWPKI0027I: Disabling default hostname verification for HTTPS URL connections.

  •   Time Stamp: The first part of the log message in sample code is  [1/20/17 21:02:46:527 GMT+05:30]. It is the time stamp when the message was written. The time stamp is formatted using the locale of the process and it is 24 hour time stamp with milli-second precision

  •   Thread ID : The next part in the log message is 00000012 /0000003c , which represents the thread id. The thread ID is an eight-character hexadecimal value that is generated from the hash code of the thread that issued the message

  • Short name : The short name is the abbreviated name of the component that issued the message. This name is typically the class name of a WAS component and would be some other identifier for the application. here ThreadPoolMgr , FileRepositor , TCPPort etc

  •  Event Type: The event type is a one character field that indicates the type of the message. The possible values are :- 

  •  F- Fatal message
  •  E- Error message
  • W- Warning message
  •  A- Audit message
  •  I- Informational message
  •  C- Configuration message
  •  D- detail message
  •  O- Messages that are written directly to System.out by an application or server component
  •  R- Messages that are written directly to System.err by the user application or internal component.

  •   Message identifier (TCPC0003E/WSVR0626W/ADMR0010I): The message identifier is a string that is nine characters in length and is in the form CCCC1234X. The first four characters indicate the WAS component that issues the message. The next four characters indicate the specific message that component is issuing. The last character indicates the severity of the message. Its value is either I- informational, W- Warning or E error.

  •   Message: The message is the data that is logged to the SystemOut.log by the component.

Thanks.. :-) !

Wednesday, 10 May 2017

Create a certificate request (.csr) using command line (WebSphere® Application Server)

Step 1: To create key database file 

     Go to location /IBMIHS/HTTPServer/bin { IHS bin }

Command : 

./gskcmd -keydb -create -db samplecert.kdb -pw 123456 -type cms  -expire 120 -stash samplecert.sth

Syntax :  <ihsinst>/bin/gskcmd -keydb -create -db <filename> -pw <password> -type
          <cms | jks | jceks | pks12> -expire <days> -stash <filename_of_key_database>.sth

Screenshot 1:

Reference Link :

Step 2:  Create a certificate request  ( .CSR )

Command :

./gskcmd -certreq -create -db samplecert.kdb -pw 123456 -dn CN=*,O=MB,L=MUM,ST=Maha,C=IN  -label samplecertificate   -san_dnsname -san_emailaddr   -san_ipaddr  -sig_alg SHA1WithRSA   -size 2048    -file samplecert.csr

Syntax :  <ihsroot>/bin/gskcapicmd -certreq -create -db <database> -pw <password> \
         -dn <distinguished name> -label <labelname> -size  <size> -file <outputfilename>

Screenshot 2:

Refrence Link :

Step 3: Now view the created .csr file details.

Command : cat samplecert.csr


[root@localhost bin]# cat samplecert.csr
-----END NEW CERTIFICATE REQUEST-----[root@localhost bin]#
[root@localhost bin]#

Screenshot 3:

Step 4: Review the csr file details by using csr decoder websites.

            Copy and Paste Certificate Signing Request (CSR)    


Screenshot 4:

Thanks :-) !

Creating a self-Signed certificate using command line (WebSphere® Application Server)

Step 1: To create key database file 

 Go to location /IBMIHS/HTTPServer/bin { IHS bin }

Commmand :

./gskcmd -keydb -create -db samplecert.kdb -pw 123456 -type cms  -expire 120 -stash samplecert.sth

Syntax :  <ihsinst>/bin/gskcmd -keydb -create -db <filename> -pw <password> -type
          <cms | jks | jceks | pks12> -expire <days> -stash <filename_of_key_database>.sth

Screenshot 1:

Reference Link :

Step 2: Creating a self-signed certificate.

Commmand :

./gskcmd -cert -create -db samplecert.kdb -pw 123456 -size 2048 -dn CN=*,O=MB,L=MUM,ST=Maha,C=IN  -label samplecertificate -default_cert yes  -expire 365  -san_dnsname -san_emailaddr   -san_ipaddr  -sig_alg SHA1WithRSA   -ca true

Syntax :   gskcmd -cert -create -db <filename> -pw <password> -size <2048 | 1024 | 512> -dn <distinguished_name>
          -label label> -default_cert <yes | no> - expire <days> -san dnsname <DNS name value>[,<DNS name value>]
          -san emailaddr <email address value>[,<email address value>]
          -san ipaddr <IP address value>[,<IP address value>][-ca <true | false>]

Screenshot 2:

Refrence Link :

Step 3: To check the .kdb using ikeyman tool through GUI.

Screenshot 3:

Next topic : Create-certificate-request

Thanks :-) !