Friday, June 01, 2007

SWF Phishing


The other day a phishing email was forwarded to me for analysis. I figured it would be a good exercise and a little bit of fun to decode the phisher's methods. First, the email was sent as an account verification notice.

***********************************************

---------- Forwarded message ----------
From: National Credit Union Administration
Date: May 28, 2007 4:30 AM
Subject: NCUA Account Review Department !
To:

Account Info Verification

Dear FCU holder account,

As part of our security measures, we regularly screen activity in Federal Credit Unions (FCU) network.
We recently noticed the following issue on your account: A recent review of your account determined that we require some additional information from you in order to provide you with secure service. Case ID Number: PP-065-617-349 For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause. Please log in to your FCU account to restore your access as soon as possible.

You must click the link below and fill in the form on the following page to complete the verification process.

Click here to update your account
Link = “http://host106-213-static.49-88-b.business.telecomitalia.it/icons/nfl/ncuaclients.html”

In accordance with NCUA User Agreement, your account access will remain limited until the issue has been resolved. Unfortunately, if access to your account remains limited for an extended period of time, it may result in further limitations or eventual account closure. We encourage you to log in to your FCU account as soon as possible to help avoid this. We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account.

We apologize for any inconvenience.

*************************************************

Obviously this link is bad. Let's see what lies in "ncuaclients.html".

# wget http://host106-213-static.49-88-b.business.telecomitalia.it/icons/nfl/ncuaclients.html

# strings ncuaclients.html

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>National Union Credit Administration - Security Form
</head>
<body bgcolor="#ffffff">
<!--url's used in the movie-->
<a href="http://www.ncua.gov/index.html">
<a href="http://search.ncua.gov/">
<a href="http://www.ncua.gov/privacy.html">
<a href="Http://www.ncua.gov/siteoutline.html">
<a href="http://www.ncua.gov/AboutNcua/ncua_directory.html">
<a href="http://www.ncua.gov/AboutNCUA/Index.htm">
<a href="http://www.ncua.gov/NCUABoard/index.htm">
<a href="http://www.accessacrossamerica.gov/">
<a href="http://www.ncua.gov/FinancialEducation/index.htm">
<a href="http://www.ncua.gov/Express/Index.htm">
<a href="http://www.ncua.gov/data/FOMIA/NCUAgovLink.htm">
<a href="http://www.ncua.gov/IndexNCUSIFQuery.htm">
<a href="http://www.ncua.gov/IndexCorpQuery.htm">
<a href="http://www.ncua.gov/data/IndexDownloadData.htm">
<a href="http://www.ncua.gov/administrative_orders/Index.htm">
<a href="http://www.ncua.gov/ALManagementInvest/Index.htm">
<a href="http://www.ncua.gov/AssetMgmtCent/Index.htm">
<a href="http://www.ncua.gov/CLF/index.htm">
<a href="http://www.ncua.gov/CorporateCU/index.htm">
……(removed)…….
<a href="http://webapps.ncua.gov/customquery/">
<a href="http://www.ncua.gov/RSS/WhatIsRSS.htm">
<!--text used in the movie-->
<!--
* First Name :
* Last Name :
* Date of Birth :
* Mother Maiden Name :
* Address :
* City :
* State :
* Phone Number :
* Bank Name :
* Credit/Debit Card Number :
* Expiration Date :
* Cvv :
* Social Security Number :
* PIN:
E-mail Address:
* Denotes required field
<!-- saved from url=(0013)about:internet -->
….removed…..
<param name="movie" value="ncuaclients.swf" />

It looks like the page pulls its links right from www.ncua.gov and loads a file called "ncuaclients.swf". The HTML page embeds the SWF, which presents the user with a series of forms prompting for personal data. After pulling down the SWF file I installed a group of SWF utilities from the FreeBSD ports system called "swftools"; included in these are "swfstrings" and "swfdump". Suspecting that the SWF file was the culprit and that the attacker would be using a POST method to collect the data, I used:

# swfdump -atpd ncuaclients.swf | grep POST

And the following output was produced:

…..(removed…..
String:"Washington" String:"West " String:"Wisconsin" String:"Wyoming" String:"LoadVars" String:"this" String:"submitBtn" String:"onRelease" String:"" String:"alert_txt" String:"Please complete all fields before submitting form." String:"sendForm"
( 13 bytes) action: Push Lookup:47 ("POST") Lookup:48 ("_self") Lookup:49 ("done.php") int:3 Lookup:0 ("gatherForm")
-=> 5f 74 78 74 00 50 4f 53 54 00 5f 73 65 6c 66 00 _txt.POST._self.

Here we can see a POST to a document on the same server named done.php. That PHP script is where the attacker stores the phished information.
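The same check can be done without swftools by reading the SWF container directly. The following is an added example, not code from the original post: it unwraps an FWS/CWS header, inflates a CWS body, and reports the constant-pool strings that name the collection endpoint. The SWF bytes it runs on are constructed here to carry the strings swfdump printed above; they are not the real ncuaclients.swf.

```python
import re
import struct
import zlib

# Constructed sample body: not the real ncuaclients.swf, only a byte blob that
# carries the same ActionScript constant-pool strings swfdump showed above.
SAMPLE_BODY = (
    b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00"  # stand-in for RECT, frame rate, frame count
    b"\x3f\x03\x20\x00\x00\x00"                  # stand-in for a long-form tag header
    b"gatherForm\x00alert_txt\x00"
    b"Please complete all fields before submitting form.\x00"
    b"POST\x00_self\x00done.php\x00sendForm\x00"
)

def build_sample_swf(body, version=8, compress=True):
    """Wrap a body in an SWF container. FileLength covers the 8-byte header
    plus the *uncompressed* body, which is how the format defines it."""
    sig = b"CWS" if compress else b"FWS"
    header = sig + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)

def swf_body(data):
    """Return the uncompressed body that follows the 8-byte SWF header.
    FWS is stored as-is; CWS is zlib-compressed from byte 8 onward."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF")
    sig = data[:3]
    declared = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("unsupported SWF signature %r" % sig)
    if 8 + len(body) != declared:
        raise ValueError("FileLength %d != actual %d" % (declared, 8 + len(body)))
    return body

# ActionScript strings are NUL-terminated, so runs of printable bytes map onto them.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{3,}")
# An HTTP method, a server-side script or an absolute URL is where LoadVars sends data.
EXFIL_HINT = re.compile(r"^(GET|POST)$|\.(php|asp|aspx|cgi|pl)$|^https?://", re.I)

def find_exfil_strings(data):
    """Strings in the SWF body that point at the data-collection endpoint."""
    hits = []
    for m in PRINTABLE_RUN.finditer(swf_body(data)):
        s = m.group().decode("ascii")
        if EXFIL_HINT.search(s) and s not in hits:
            hits.append(s)
    return hits

if __name__ == "__main__":
    print(find_exfil_strings(build_sample_swf(SAMPLE_BODY)))  # ['POST', 'done.php']
```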

Wednesday, May 30, 2007

Snort Stats


While spending my time as an IDS analyst, one of the major issues we had was ensuring that the IDS sensors were seeing traffic, and seeing the right amount of it. I no longer do IDS full time, but I still have that problem in the back of my mind. This led me to start experimenting with the timestats option in Snort, which you enable at compile time with the "--enable-timestats" switch.

By default it dumps Snort's hourly stats to the console. To keep all the stats in an archival state, I send all Snort output to a file I call "stats" in my Snort log directory. I do this at the command line as I am only running Snort on my home system.

./snort -c ../etc/snort.conf -l /snort -i fxp1 -X -m 022 >& /log/snort/stats

This process works well for my home network; on a production box, however, this would live in a startup script and the output could be sent to some sort of database.

Every hour Snort logs its stats to the file. The analyst can then review it to ensure there are no deviations in traffic visibility.

# tail -n 23 stats
Hourly Statistics Report

Packet analysis time averages:

Packets Received per hour is: 12763
Packets Received per minute is: 212
Packets Received per second is: 3

Packets Dropped in the last hour: 0


Packet Breakdown by Protocol:

TCP: 9206 (72.136%)

UDP: 751 (5.885%)

ICMP: 653 (5.117%)

ARP: 364 (2.852%)

EAPOL: 0 (0.000%)

IPv6: 0 (0.000%)

ETHLOOP: 0 (0.000%)

IPX: 0 (0.000%)

FRAG: 0 (0.000%)

OTHER: 1788 (14.010%)
DISCARD: 0 (0.000%)


As you can see, the majority of this traffic is TCP, and a fair number of packets were seen in the last hour in total (remember, this is a home network!). If my span port were misconfigured or removed, this would be reflected in the above totals, helping the analyst diagnose the problem.
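Checking the stats file by eye works for one sensor; the following added example (not from the original post) automates the deviation check on the report format shown above. It splits the file on the hourly banner, then flags any hour whose received count collapses against the median of earlier hours (a dead span port) or that reports dropped packets (an overloaded sensor). The stats text is constructed here to mimic the timestats output.

```python
import re
from statistics import median

# Constructed sample: four hourly reports in the layout Snort's
# --enable-timestats build prints (not a real capture from the author's box).
SAMPLE_STATS = """\
Hourly Statistics Report

Packet analysis time averages:

Packets Received per hour is: 12763
Packets Received per minute is: 212
Packets Received per second is: 3

Packets Dropped in the last hour: 0

Packet Breakdown by Protocol:

TCP: 9206 (72.136%)
UDP: 751 (5.885%)
Hourly Statistics Report

Packets Received per hour is: 11980
Packets Dropped in the last hour: 0
Hourly Statistics Report

Packets Received per hour is: 13105
Packets Dropped in the last hour: 37
Hourly Statistics Report

Packets Received per hour is: 312
Packets Dropped in the last hour: 0
"""

RECEIVED = re.compile(r"Packets Received per hour is:\s*(\d+)")
DROPPED = re.compile(r"Packets Dropped in the last hour:\s*(\d+)")

def parse_reports(text):
    """Split the stats file on its report banner; return [(received, dropped), ...]
    in file order, one tuple per hour."""
    hours = []
    for chunk in text.split("Hourly Statistics Report")[1:]:
        r, d = RECEIVED.search(chunk), DROPPED.search(chunk)
        if r and d:
            hours.append((int(r.group(1)), int(d.group(1))))
    return hours

def check_visibility(hours, floor=0.25, warmup=2):
    """Return [(hour_index, reason), ...] for hours that need a look:
    dropped packets mean the sensor could not keep up; a received count below
    `floor` times the median of all earlier hours means the sensor stopped
    seeing traffic (span port pulled or misconfigured). The first `warmup`
    hours only build the baseline."""
    findings = []
    for i, (received, dropped) in enumerate(hours):
        if dropped:
            findings.append((i, "sensor dropped %d packets" % dropped))
        if i >= warmup:
            baseline = median(r for r, _ in hours[:i])
            if received < floor * baseline:
                findings.append((i, "received %d vs baseline %d: check span/tap"
                                 % (received, baseline)))
    return findings

if __name__ == "__main__":
    for idx, why in check_visibility(parse_reports(SAMPLE_STATS)):
        print("hour %d: %s" % (idx, why))
```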

Thursday, March 01, 2007

Don't Use Telnet!


Today I got my first hit of the Solaris exploit (Worm?) on my honeypot. Both my Bleeding rules and my normal Snort registered rules fired on this single inbound packet.

# less alert | grep -A 4 -B 2 192.18.17.206
[**] [1:2003411:5] BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln Attack inbound [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
03/01-13:44:29.556771 192.18.17.206:1134 -> 192.168.0.34:23
TCP TTL:46 TOS:0x0 ID:52835 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0xED89493C Ack: 0x9D57147C Win: 0xC4E0 TcpLen: 20
[Xref => http://isc.sans.org/diary.html?n&storyid=2220][Xref => http://riosec.com/solaris-telnet-0-day]

[**] [1:10136:3] TELNET Solaris login environment variable authentication bypass attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/01-13:44:29.556771 192.18.17.206:1134 -> 192.168.0.34:23
TCP TTL:46 TOS:0x0 ID:52835 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0xED89493C Ack: 0x9D57147C Win: 0xC4E0 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/22512]

The below packet is the culprit:


# tcpdump -vvnnXs 1514 -r ../snort/snort.log.1172706692 port 23 | less
reading from file ../snort/snort.log.1172706692, link-type EN10MB (Ethernet)
13:44:29.556771 IP (tos 0x0, ttl 46, id 52835, offset 0, flags [DF], proto: TCP (6), length: 86) 192.18.17.206.1134 > 192.168.0.34.23: P, cksum 0x0fed (correct), 3985197372:3985197418(46) ack 2639729788 win 50400 [telnet WILL NAWS, SB NAWS IS 0x50 0 0x19 SE, WILL TERMINAL TYPE, SB TERMINAL TYPE IS 0x76 0x74 0x31 0x30 0x30 SE, WILL NEW-ENVIRON, SB NEW-ENVIRON IS 0 0x55 0x53 0x45 0x52 0x1 0x2d 0x66 0x61 0x64 0x6d SE]
0x0000: 4500 0056 ce63 4000 2e06 eb93 c012 11ce E..V.c@.........
0x0010: c0a8 0022 046e 0017 ed89 493c 9d57 147c ...".n....I<.W.|
0x0020: 5018 c4e0 0fed 0000 fffb 1fff fa1f 0050 P..............P
0x0030: 0019 fff0 fffb 18ff fa18 0076 7431 3030 ...........vt100
0x0040: fff0 fffb 27ff fa27 0000 5553 4552 012d ....'..'..USER.-
0x0050: 6661 646d fff0 fadm..

And flow data:

# tcpflow -cr honeytrap_00023_20070301125318 port 23
192.018.017.206.01134-192.168.000.034.00023: ...
192.018.017.206.01134-192.168.000.034.00023: .......P...........vt100....'..'..USER.-fadm..
192.168.000.034.00023-192.018.017.206.01134:

192.168.000.034.00023-192.018.017.206.01134:

It is quite easy to see the -f and the login "adm". This is consistent with MITRE's description:

"The telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts"

Ref: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882
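The two rules above key on the same thing a protocol-aware decoder would: a NEW-ENVIRON USER value that starts with "-" is an option to login(1), not a user name. The following is an added example, not the author's code or a Snort rule: it walks the telnet option negotiation from the 46-byte payload in the hex dump (the only telnet bytes it contains are the ones printed above), decodes the NEW-ENVIRON subnegotiation per RFC 1572, and returns a finding for a USER value beginning with "-".

```python
# Telnet command bytes (RFC 854) and NEW-ENVIRON sub-codes (RFC 1572).
IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON = 39
ENV_IS, ENV_INFO = 0, 2
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3

# The 46-byte telnet payload from the tcpdump hex dump above (client -> port 23).
SAMPLE_PAYLOAD = bytes.fromhex(
    "fffb1f fffa1f 00500019 fff0"                       # WILL NAWS, SB NAWS 80x25 SE
    "fffb18 fffa18 00 7674313030 fff0"                  # WILL TTYPE, SB TTYPE IS "vt100" SE
    "fffb27 fffa27 00 00 55534552 01 2d6661646d fff0"   # WILL NEW-ENVIRON, SB IS VAR USER VALUE -fadm SE
)

def subnegotiations(payload):
    """Yield (option, body) for every IAC SB ... IAC SE in a telnet byte stream,
    un-escaping doubled IAC bytes inside the body. Other IAC commands are skipped."""
    i, n = 0, len(payload)
    while i < n:
        if payload[i] != IAC or i + 1 >= n:
            i += 1                                   # ordinary data byte
            continue
        cmd = payload[i + 1]
        if cmd != SB:
            i += 3 if cmd in (WILL, WONT, DO, DONT) else 2
            continue
        body, j = bytearray(), i + 2
        while j < n:
            if payload[j] == IAC:
                if j + 1 < n and payload[j + 1] == IAC:
                    body.append(IAC); j += 2; continue
                break                                # IAC SE (or malformed)
            body.append(payload[j]); j += 1
        if j + 1 >= n or payload[j + 1] != SE or not body:
            raise ValueError("unterminated subnegotiation")
        yield body[0], bytes(body[1:])
        i = j + 2

def decode_new_environ(body):
    """Decode an IS/INFO NEW-ENVIRON body into {name: value}. VAR/USERVAR open a
    name, VALUE opens its value, ESC makes the next byte literal."""
    if not body or body[0] not in (ENV_IS, ENV_INFO):
        return {}
    pairs, i = [], 1
    while i < len(body):
        tag = body[i]; i += 1
        if tag not in (ENV_VAR, ENV_USERVAR, ENV_VALUE):
            raise ValueError("unexpected NEW-ENVIRON byte 0x%02x" % tag)
        text = bytearray()
        while i < len(body) and body[i] not in (ENV_VAR, ENV_USERVAR, ENV_VALUE):
            if body[i] == ENV_ESC and i + 1 < len(body):
                i += 1                               # ESC: take the next byte literally
            text.append(body[i]); i += 1
        if tag == ENV_VALUE:
            if pairs:
                pairs[-1][1] = text.decode("latin-1")
        else:
            pairs.append([text.decode("latin-1"), ""])
    return {name: value for name, value in pairs}

def check_login_environment(payload):
    """Return a finding per NEW-ENVIRON USER value that begins with '-': such a
    value reaches login(1) as a command-line option rather than a user name."""
    findings = []
    for option, body in subnegotiations(payload):
        if option != NEW_ENVIRON:
            continue
        for name, value in decode_new_environ(body).items():
            if name.upper() == "USER" and value.startswith("-"):
                findings.append("NEW-ENVIRON USER=%r looks like a login(1) option" % value)
    return findings

if __name__ == "__main__":
    print(check_login_environment(SAMPLE_PAYLOAD))
```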

Thursday, February 22, 2007

Bot C&C


The other day, as part of an investigation, I browsed to a site hosting unknown malware from my home VM host. Fortunately I also run Snort and tshark on my home network 24/7 to capture and understand everything that traverses my systems. This came in very handy, and I thought I would document my network investigation procedure for others to use and follow. Let me preface this with the fact that I subscribe fully to Richard Bejtlich's NSM principles: I capture both alert data and full content data for intrusion analysis. The alert data is Snort with both registered and bleeding rules, and the full content data is tshark running some simple BPFs at the command line, logging to a "ring buffer" of ten 100M files.

This all started when I was investigating a suspicious website in my VM system. After browsing to the site, I immediately went to my IDS data to determine what happened. Snort gave me the following alert:

1 [**] [1:2404000:602] BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) [**]

This was promising. Pulling the full alert from Snort, an analyst can see the connection attempt to port 6667 on host 161.53.178.240:

# cat alert | grep -A 5 "C&C"
[**] [1:2404000:602] BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) [**]
[Classification: A Network Trojan was detected] [Priority: 1]
02/21-10:17:54.366236 192.168.0.31:2253 -> 161.53.178.240:6667
TCP TTL:128 TOS:0x0 ID:13198 IpLen:20 DgmLen:48 DF
******S* Seq: 0xCA53141F Ack: 0x0 Win: 0xFC00 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK


A quick look at the rule shows that this IP is included in the bleeding botcc "DROP" rules:


alert ip $HOME_NET any -> [121.6.201.216,125.250.188.204,130.233.48.242,130.243.52.250,132.205.87.223,
140.115.182.242,140.123.227.100,140.131.142.236,142.231.68.25,143.225.92.103,
143.248.138.213,143.248.4.136,143.248.52.33,143.248.62.116,149.9.1.16,
151.1.191.184,154.20.114.95,161.184.175.95,161.53.178.240,163.19.35.2,
163.20.97.131,163.25.97.83,168.187.115.136,168.187.62.190,172.212.55.194,
190.49.108.103,192.116.231.44,193.109.122.67,193.109.122.77,193.13.137.194,
193.163.220.3,193.164.131.50,194.109.11.65,194.109.129.220,194.109.64.131,
194.14.236.50,194.146.226.245,194.159.164.195,194.242.45.151,194.68.45.50,
195.101.94.137,195.111.64.195,195.144.12.5,195.225.204.134,195.226.51.77,
195.47.220.2,195.50.191.12,195.68.206.250,195.68.221.221,200.31.43.33,
200.80.43.9,200.95.144.26,201.45.127.125,202.133.108.11,202.134.0.13,
202.143.132.82,202.222.19.53,202.54.38.12,202.71.144.176,
202.8.87.197] any (msg:"BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405000; rev:602; fwsam: dst, 30 days;)


I immediately went to my full content data. The alert fired at 02/21-10:17:54, so I searched through my "ring buffer" capture files and found honeytrap_00013_20070221091354. The file name says the capture started at approximately 9:13 on 02.21.2007. Parsing the file with capinfos gave me its full start and stop times:

#capinfos honeytrap_00013_20070221091354
File name: honeytrap_00013_20070221091354
File type: Wireshark/tcpdump/... - libpcap
Number of packets: 259439
File size: 102401487 bytes
Data size: 98250439 bytes
Capture duration: 23117.468285 seconds
Start time: Wed Feb 21 09:13:54 2007
End time: Wed Feb 21 15:39:12 2007
Data rate: 4250.05 bytes/s
Data rate: 34000.41 bits/s
Average packet size: 378.70 bytes

The alert's time frame falls within this capture file. To find out what type of connection this malware made, I parsed the file with tcpdump:

# tcpdump -vvnnXs 1514 -r honeytrap_00013_20070221091354 host 161.53.178.240
reading from file honeytrap_00013_20070221091354, link-type EN10MB (Ethernet)
10:17:54.366236 IP (tos 0x0, ttl 128, id 13198, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.31.2253 > 161.53.178.240.6667: S, cksum 0x70e6 (correct), 3394442271:3394442271(0) win 64512
0x0000: 4500 0030 338e 4000 8006 b24c c0a8 001f E..03.@....L....
0x0010: a135 b2f0 08cd 1a0b ca53 141f 0000 0000 .5.......S......
0x0020: 7002 fc00 70e6 0000 0204 05b4 0101 0402 p...p...........
10:17:57.287574 IP (tos 0x0, ttl 128, id 13283, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.31.2253 > 161.53.178.240.6667: S, cksum 0x70e6 (correct), 3394442271:3394442271(0) win 64512
0x0000: 4500 0030 33e3 4000 8006 b1f7 c0a8 001f E..03.@.........
0x0010: a135 b2f0 08cd 1a0b ca53 141f 0000 0000 .5.......S......
0x0020: 7002 fc00 70e6 0000 0204 05b4 0101 0402 p...p...........
10:18:03.306453 IP (tos 0x0, ttl 128, id 13383, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.31.2253 > 161.53.178.240.6667: S, cksum 0x70e6 (correct), 3394442271:3394442271(0) win 64512
0x0000: 4500 0030 3447 4000 8006 b193 c0a8 001f E..04G@.........
0x0010: a135 b2f0 08cd 1a0b ca53 141f 0000 0000 .5.......S......
0x0020: 7002 fc00 70e6 0000 0204 05b4 0101 0402 p...p...........


From this output one can determine that the infected host only attempted outbound connections to the IRC server and received no responses: since this is full content data, a reply would have been captured had there been one. From the analyst's point of view, the bleeding Snort rule set discovered the C&C connection attempt based solely on the destination IP, before any data was transferred. The full content data backed up the fact that the host was compromised and allows the analyst to determine that no data was exfiltrated. From this point the system can be taken offline and restored from known good media.

I used this scenario to illustrate how collecting just alert data and full packet captures lets security analysts understand nearly everything that happens on their network.
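The pivot from alert to capture file above is mechanical enough to script. As an added example (not the author's tooling), this Python parses a Snort full alert in the format shown, selects the ring-buffer file whose start stamp is the latest one at or before the alert, and composes the tcpdump command used above. The alert text and file names are constructed to match the ones in the post; Snort's alert format carries no year, so the caller supplies it.

```python
import re
from datetime import datetime

# Constructed ring-buffer listing and alert text, patterned on the file names and
# Snort full-alert format shown above; not the author's real files.
RING_BUFFER = [
    "honeytrap_00011_20070220210005",
    "honeytrap_00012_20070221031147",
    "honeytrap_00013_20070221091354",
    "honeytrap_00014_20070221153912",
]
SAMPLE_ALERT = """\
[**] [1:2404000:602] BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) [**]
[Classification: A Network Trojan was detected] [Priority: 1]
02/21-10:17:54.366236 192.168.0.31:2253 -> 161.53.178.240:6667
TCP TTL:128 TOS:0x0 ID:13198 IpLen:20 DgmLen:48 DF
"""

ALERT_HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
ALERT_FLOW = re.compile(
    r"(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
FILE_TS = re.compile(r"_(\d{14})$")   # tshark -b names files by their start time

def parse_alert(text, year):
    """Pull sid, message, timestamp and the 4-tuple out of a Snort full alert.
    The alert format has no year, so the caller supplies it."""
    h, f = ALERT_HEADER.search(text), ALERT_FLOW.search(text)
    if not (h and f):
        raise ValueError("not a recognisable Snort alert")
    mon, day, hh, mm, ss, us = (int(x) for x in f.groups()[:6])
    return {
        "sid": int(h.group(2)), "msg": h.group(4),
        "time": datetime(year, mon, day, hh, mm, ss, us),
        "src": f.group(7), "sport": int(f.group(8)),
        "dst": f.group(9), "dport": int(f.group(10)),
    }

def capture_for(alert_time, files):
    """Return the ring-buffer file whose start stamp is the latest one that is
    not after alert_time; that file holds the packets for the alert."""
    best, best_start = None, None
    for name in files:
        m = FILE_TS.search(name)
        if not m:
            continue
        start = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
        if start <= alert_time and (best_start is None or start > best_start):
            best, best_start = name, start
    if best is None:
        raise LookupError("alert predates every file still in the ring buffer")
    return best

def tcpdump_command(alert, files):
    """Compose the tcpdump invocation used above against the right capture file."""
    pcap = capture_for(alert["time"], files)
    return "tcpdump -vvnnXs 1514 -r %s host %s and port %d" % (
        pcap, alert["dst"], alert["dport"])

if __name__ == "__main__":
    print(tcpdump_command(parse_alert(SAMPLE_ALERT, 2007), RING_BUFFER))
```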

Monday, January 22, 2007

Great Success!!!!!!


Ok, I know I haven't been posting much lately about packets I have captured, but it's not like I have built a fan base yet. I have succeeded in one of my goals, however: using honeytrap to capture packets for the security community. Recently port 20000 was reported as on the rise by DShield, and SANS had a call for packets. Since honeytrap listens on all ports all of the time, I was able to filter all my pcap data for that port and submit full packet captures from established sessions. I know it's not much, but it is a step in the direction I was hoping to take with this project. Hopefully I can continue to keep on top of the SANS postings and keep submitting packets.

Tuesday, January 02, 2007

HONEYTRAP Gotcha!


I decided to install honeytrap on a Linux laptop and open it up to the world via the DMZ option on my D-Link router. I started with Fedora Core 5 running on a 1 GHz Sony Vaio laptop with 256 MB of RAM. I began by locking down the host OS.

root@localhost# chkconfig --list | awk '/3:on/ {print $1}'

root@localhost# chkconfig <service name> off    # turn off the service for run level 3

root@localhost# service <service name> stop     # stop the running service

The first command lists the services enabled for run level 3 on the host. To determine which services to turn off, refer to the internet. For my purposes I just wanted SSH running on port 2929, so I turned off every service that listens on any other port.

Next I downloaded honeytrap from "http://honeytrap.sourceforge.net/start.html" and compiled the sources. I decided to compile with the pcap monitoring switch; however, after running it and researching on the web, I found that with the pcap option honeytrap drops the first packet and only establishes a socket with the second packet on that same port. As much of the activity I see on my FiOS connection is one-off scanning and probing, this option was surely not for me.

To alleviate this problem I compiled honeytrap with the IPQ option. This uses iptables to hand the initial SYN to honeytrap, dynamically creating a socket on the first connection attempt. I did this with the following configure switch:

root@localhost# ./configure --with-ipq-mon

I immediately got the error:

checking for libipq.h... no

I attempted to pull down the iptables sources; however, these did not include "libipq.h". After some searching I found "iptables-devel-1.2.9-10.rpm" on rpmfind. Installing this I got a dependency error for "iptables-1.2.9". Not too discouraged, I downloaded and compiled iptables-1.2.9 and installed the devel RPM with the --nodeps switch. After installing these dependencies, I issued a:

root@localhost# find / -name libipq.h

/usr/include/libipq.h

Halleluiah!!

Now I move back to the honeytrap directory and issue:

root@localhost# make clean

root@localhost# ./configure --with-ipq-mon

root@localhost# make

root@localhost# make install

Now, to make sure it ignored SSH on port 2929, I appended:

include = /etc/honeytrap/ports.conf

to the /etc/honeytrap/honeytrap.conf file and created /etc/honeytrap/ports.conf with the following:

port=2929,ignore

Load the IPQ module:

root@localhost# modprobe ip_queue

Issue the "lsmod" command to ensure that the ip_queue module is loaded.

Issue the following command to have iptables hand inbound SYNs to honeytrap:

iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW -j QUEUE

Once this is in place I invoke honeytrap:

root@localhost# ./honeytrap -u eon -g eon -D

honeytrap v0.6.2 Copyright © 2005-2006 Tillman Werner tillman.Werner@gmx.de

[2006-10-07 21:02:47] ----Trapping attacks via IPQ. ----


AT LAST!!!!!!!


This runs honeytrap as a non-root user and group, and the -D flag tells honeytrap not to go into daemon mode.


On another host I have tshark running to capture traffic off of a switch span port:

root@localhost# tshark -w <log dir> -a filesize:50000 -b files:5 -i <interface> -f "<filter expression>"


This allows for 5 rotating 50 MB files in your log directory.


With this I can easily monitor connection attempts and capture the full payload of any inbound connection attempt to my honeytrap.


Now I sit and wait for the interesting traffic. Being a packet monkey, I will post any interesting findings/packets to this blog.

Thursday, August 10, 2006

Clearing Unallocated Space on Windows


The other day I came across a very interesting tool while researching ways to clear unallocated space on a Windows machine. This process is very well documented for *nix machines using "dd" and "/dev/zero"; however, I was unaware of a similar process for Windows-based OSes. The tool in question is included in Windows XP and is called "cipher.exe". This tool has many uses, as the following output shows:

C:\Documents and Settings\Administrator>cipher /?
Displays or alters the encryption of directories [files] on NTFS partitions.

CIPHER [/E | /D] [/S:dir] [/A] [/I] [/F] [/Q] [/H] [/K] [pathname [...]]

CIPHER /W:directory

CIPHER /X[:efsfile] [filename]

/E Encrypts the specified directories. Directories will be marked
so that files added afterward will be encrypted.
/D Decrypts the specified directories. Directories will be marked
so that files added afterward will not be encrypted.
/S Performs the specified operation on directories in the given
directory and all subdirectories.
/A Operation for files as well as directories. The encrypted file
could become decrypted when it is modified if the parent directory
is not encrypted. It is recommended that you encrypt the file and
the parent directory.
/I Continues performing the specified operation even after errors
have occurred. By default, CIPHER stops when an error is
encountered.
/F Forces the encryption operation on all specified objects, even
those which are already encrypted. Already-encrypted objects
are skipped by default.
/Q Reports only the most essential information.
/H Displays files with the hidden or system attributes. These
files are omitted by default.
/K Create new file encryption key for the user running CIPHER. If this
option is chosen, all the other options will be ignored.
/W Removes data from available unused disk space on the entire
volume. If this option is chosen, all other options are ignored.
The directory specified can be anywhere in a local volume. If it
is a mount point or points to a directory in another volume, the
data on that volume will be removed.
/X Backup EFS certificate and keys into file filename. If efsfile is
provided, the current user's certificate(s) used to encrypt the
file will be backed up. Otherwise, the user's current EFS
certificate and keys will be backed up.

dir A directory path.
pathname Specifies a pattern, file or directory.
efsfile An encrypted file path.


Used without parameters, CIPHER displays the encryption state of
the current directory and any files it contains. You may use multiple
directory names and wildcards. You must put spaces between multiple
parameters.


Now the point of interest to me lies in the "/W" option. If specified, this overwrites the unused portions of the specified volume. I figured I would give it a try on a Windows 2000 Pro laptop.

C:\Documents and Settings\Administrator>cipher /W:c:
To remove as much data as possible, please close all other applications while
running CIPHER /W.
Writing 0x00
................................................................................
....................
Writing 0xFF
................................................................................
....................
Writing Random Numbers
................................................................................
....................

C:\Documents and Settings\Administrator>


It's done, and it was painless. All unallocated space on the hard drive was overwritten with zeros, then ones, and then random numbers. On a drive with 4 gigs of free space it took less than 20 minutes. Now if anyone gets hold of this hard drive, it would not be possible to recover deleted files. This can be scheduled on Windows boxes to run periodically. In an age of mobile computing, this type of extra security measure can be invaluable.

Friday, June 30, 2006

FreeBSD Customized Shell Prompt


This posting is to track my progress with customizing my shell prompt. From time to time I like to delve into some aspect of my computer and do as much with it as I can. My favorite OS is FreeBSD, and as such I find myself using the C Shell quite often. I also spend a lot of time in the command line. This being said, I have had the need to know a little about my environment while I work. Prompted by a very lavish and colorful BASH prompt from a friend of mine, I set out to customize my C Shell to fit my personal needs.

I started by figuring out what information I wanted in my prompt. The list looked something like this:

1-current user and host
2-date
3-time
4-current directory

On top of this, based on my friend's prompt, I wanted this information above my cursor so as not to waste space on long directory names. I have seen prompts like this on many flavors of Linux; however, FreeBSD does not come like this by default.

My first attempt looked something like this:

%vi .cshrc

....
set prompt = '%n@%m:%/%# '
....

which looked something like this: eon@ZETA:/home/eon>

Next I added a Grey color to my prompt:

eon@Zeta:/home/eon>vi .cshrc
....
set prompt = '%{\033[37m%}%n@%m:%/%# '
....

Next I applied these changes to my root account, making the prompt red. Note: This line must be added to the end of the .cshrc script.

set prompt = '%{\033[31m%}%n@%m:%/%# '

Making my regular user grey and my root account red is an easy way to tell which user I am. On many occasions I have been on my BSD laptop, sshed into my home box, and issued an "init 0" command to shut my laptop down, inadvertently bringing down my server at home. Smart, eh! This way I make my root user on my home box red so I know when I am sshed in as opposed to local. :)

Next I set out to complete my prompt. To make a log posting short, this is what I ended up with in my ".cshrc" script:

set prompt = '\n%{\033[37m%}%n@%m:%/\t[%D-%w-%y %t]\n%# '

This adds a newline to separate the prompt from the previous output, then the color, user@host and current directory, a tab, a Day-Month-Year Time stamp, and a final newline before the prompt character. It looks something like this:

eon@ZETA:/home/eon [30-Jun-06 10:42pm]
>

or as root:

root@ZETA:/root [30-Jun-06 10:43pm]
#

This currently fulfills my needs. Any new additions/updates will be posted here.

Monday, June 26, 2006

Up and running!


This is the debut of my blog on blogger.com. I will use this as a forum to post and publish my works and thoughts. Enjoy!

<---btw... Me at the step pyramid at Sakkara