Unixbhaskar's Blog

Friday, October 16, 2009

Checking malware for GNU/Linux system

Basically I am using two very good open source software packages to check my servers at certain time intervals. One is chkrootkit, and the second one is rkhunter. Both of them are capable of checking for trojans and signs of rootkits.

You have to get them from their sites as source and build them, or install them manually or by some scripts. Once they are installed, both programs can be put into cron to run a check at a certain interval.

I do not issue any guarantee that this will work for you.

Here is an excerpt from the chkrootkit site on how to use it. For details please visit the website:

Usage
--------

chkrootkit must run as root. The simplest way is:

# ./chkrootkit

This will perform all tests. You can also specify only the tests you
want, as shown below:

Usage: ./chkrootkit [options] [testname ...]
Options:
-h show this help and exit
-V show version information and exit
-l show available tests
-d debug
-q quiet mode
-x expert mode
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs

Where testname stands for one or more from the following list:

aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper
z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname
echo egrep env find fingerd gpm grep hdparm su ifconfig inetd
inetdconf identd init killall ldsopreload login ls lsof mail mingetty
netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd
slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed
traceroute vdir w write

For example, the following command checks for trojaned ps and ls
binaries and also checks if the network interface is in promiscuous
mode.

# ./chkrootkit ps ls sniffer

The `-q' option can be used to put chkrootkit in quiet mode -- in
this mode only output messages with `infected' status are shown.

With the `-x' option the user can examine suspicious strings in the
binary programs that may indicate a trojan -- all the analysis is
left to the user.

Lots of data can be seen with:

# ./chkrootkit -x | more

Pathnames inside system commands:

# ./chkrootkit -x | egrep '^/'

chkrootkit uses the following commands to make its tests: awk, cut,
egrep, find, head, id, ls, netstat, ps, strings, sed, uname. It is
possible, with the `-p' option, to supply an alternate path to
chkrootkit so it won't use the system's (possibly) compromised
binaries to make its tests.

To use, for example, binaries in /cdrom/bin:

# ./chkrootkit -p /cdrom/bin

It is possible to add more paths with a `:'

# ./chkrootkit -p /cdrom/bin:/floppy/mybin

Sometimes it is a good idea to mount the disk from a compromised machine
on a machine you trust. Just mount the disk and specify a new
rootdir with the `-r' option.

For example, suppose the disk you want to check is mounted under
/mnt, then:

# ./chkrootkit -r /mnt

Now for rkhunter, follow the steps on its site to use it, and in particular read the paragraph below, which is an excerpt from the site:

      Prior to any incident it is recommended that you have read
"Intruder Detection Checklist". This is available from
http://www.cert.org/tech_tips/intruder_detection_checklist.html
This document will tell you what to check, and makes it easier

We can put rkhunter into a cron job on a GNU/Linux system as below:

The next example is of a cronjob script. For Linux systems this
script could be put into the /etc/cron.daily directory, so that
it will be automatically run every day.

The script might look like this:

#!/bin/sh

( /usr/local/bin/rkhunter --cronjob --update --rwo && echo "" ) \
| /bin/mail -s "Rkhunter daily run on `uname -n`" root

exit 0
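
The chkrootkit options quoted above (`-q' for infected-only output, `-p' for a trusted command path) and the rkhunter cron script can be combined into one daily job. The wrapper below is an added example written for this page; it is not code from the blog, from chkrootkit or from rkhunter. The binary and log paths, the TRUSTED_BIN directory and the RUN_SCAN switch are assumptions, and the INFECTED / "Warning:" markers it counts are the lines the two tools print in quiet (-q) and report-warnings-only (--rwo) mode.

```shell
#!/bin/sh
# Added example (not from the blog, chkrootkit or rkhunter): a daily cron wrapper that
# runs both scanners with helper binaries taken from a trusted path, keeps a log, and
# mails root only when something was flagged.  All paths below are assumptions.

TRUSTED_BIN="${TRUSTED_BIN:-/cdrom/bin}"                      # e.g. a read-only rescue medium
CHKROOTKIT="${CHKROOTKIT:-/usr/local/chkrootkit/chkrootkit}"
RKHUNTER="${RKHUNTER:-/usr/local/bin/rkhunter}"
LOG="${LOG:-/var/log/rootkit-check.log}"

# count_findings: read scanner output on stdin and print the number of flagged lines.
# chkrootkit -q prints only lines with an INFECTED status; rkhunter --rwo
# (report-warnings-only) prints only "Warning:" lines, so either marker is a finding.
count_findings() {
    n=$(grep -c -E 'INFECTED|Warning:' || true)
    echo "$n"
}

# run_scanners: run both tools into the file named by $1, append that to the log
# and print the findings count.  -p keeps chkrootkit's helper commands (ps, ls,
# netstat, ...) off the possibly compromised system path.
run_scanners() {
    out="$1"
    {
        echo "== chkrootkit $(date)"
        "$CHKROOTKIT" -q -p "$TRUSTED_BIN"
        echo "== rkhunter $(date)"
        "$RKHUNTER" --cronjob --update --rwo
    } > "$out" 2>&1
    cat "$out" >> "$LOG"
    count_findings < "$out"
}

# report COUNT FILE: return 0 when clean; otherwise mail this run's output to root
# and return 1, so a non-zero exit also shows up in cron's own logs.
report() {
    count="$1"
    out="$2"
    if [ "$count" -gt 0 ]; then
        mail -s "Rootkit check: $count finding(s) on $(uname -n)" root < "$out"
        return 1
    fi
    return 0
}

# The scan only runs when RUN_SCAN is set (e.g. RUN_SCAN=1 from /etc/cron.daily),
# so the functions above can be sourced and tested without the tools installed.
if [ -n "${RUN_SCAN:-}" ]; then
    tmp=$(mktemp)
    n=$(run_scanners "$tmp")
    report "$n" "$tmp"
    rc=$?
    rm -f "$tmp"
    exit $rc
fi
```

Because only flagged lines are mailed, a clean night produces no mail at all, which is what you want from a daily job; the full output still lands in the log for later comparison.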

Please read the FAQs for this wonderful software to get the best out of it. I used to read a lot in the README file which comes along with the source before installing any open source software.

Hope this outline will help you to prevent some woes, but not everything!! A system is only as secure as you make it. Plus security is a constant process, which should not be ignored or left behind.

Bhaskar Chowdhury
Chat Google Talk: unixbhaskar Skype: unixbhaskar Y! messenger: unixbhaskar

Monday, October 12, 2009

The firefox saga on openSUSE

Ahh what a pain!! I have been struggling to get firefox going on OpenSUSE for quite some time. The problem is that it (firefox) eats 100% CPU and freezes forever. So it hinders my productivity heavily, because I spend a lot of time in the browser doing lots of day-to-day activities. At last I was able to figure out and solve the woes regarding that problem.

I do not issue any guarantee that this will work for you.

The Solution:

The first step I took was to discard firefox and start using "swiftfox", which is specifically optimized to run on GNU/Linux and of course on specific processors!!! You can have a look at it on the website http://www.getswiftfox.com.

Once it came up, I created a new profile in it and installed my fat set of extensions (around 57 of them) on it (all firefox extensions are compatible with it) one by one. You can find my extensions for firefox on the mozilla site by looking at this url: https://addons.mozilla.org/collection/unixbhaskar

Then I created a small script to restrict the cpu usage of swiftfox to a specific limit with the help of a program called "cpulimit", which can be found here: http://cpulimit.sourceforge.net/ . So the next step is to call it when swiftfox starts. Here is a small snippet of code that will do that:

#!/bin/bash

# Only start cpulimit when swiftfox is actually running.
# pgrep avoids the false positive of "ps -ef | grep", which matches the grep itself.
if pgrep -x swiftfox-bin > /dev/null
then
    echo "swiftfox is running."
    # Cap swiftfox-bin at 70% CPU and leave cpulimit running in the background.
    /usr/local/bin/cpulimit -e swiftfox-bin -l 70 &
    echo "limiting the cpu usage to 70%"
fi

So I have restricted swiftfox to 70% of cpu usage, so it will never use more than that share of cpu power.
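
A further added example (mine, not the blog author's or cpulimit's) that goes one step beyond the snippet above: instead of finding the browser by name after it has started, it launches the program itself, attaches cpulimit to that process id with cpulimit's -p option, and stops the limiter when the program exits, so no stray cpulimit is left behind when the browser is restarted. The cpulimit path, the RUN_CAPPED switch and the CPU_LIMIT variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the blog or cpulimit): start a program under a CPU cap
# and tie cpulimit's lifetime to it.  Attaching by pid (-p) rather than by name (-e)
# means a cpulimit is not left behind, or attached to the wrong process, when the
# browser is restarted.  The cpulimit path and the RUN_CAPPED switch are assumptions.

CPULIMIT="${CPULIMIT:-/usr/local/bin/cpulimit}"
BROWSER="${BROWSER:-swiftfox}"

# valid_limit: accept only a whole-number percentage from 1 to 100
# (cpulimit -l takes a percentage of one CPU).
valid_limit() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 100 ]
}

# run_capped LIMIT CMD [ARGS...]: run CMD, cap it at LIMIT percent while it lives,
# stop the limiter when it exits, and return CMD's own exit status.
run_capped() {
    limit="$1"
    shift
    valid_limit "$limit" || { echo "run_capped: bad limit '$limit'" >&2; return 2; }
    "$@" &
    app=$!
    "$CPULIMIT" -p "$app" -l "$limit" &
    lim=$!
    rc=0
    wait "$app" || rc=$?
    kill "$lim" 2>/dev/null || true
    return "$rc"
}

# Launch the browser capped at 70% when invoked with RUN_CAPPED set, e.g.
#   RUN_CAPPED=1 CPU_LIMIT=70 ./capped-browser.sh
if [ -n "${RUN_CAPPED:-}" ]; then
    run_capped "${CPU_LIMIT:-70}" "$BROWSER" "$@"
fi
```

Returning the program's own exit status keeps the wrapper transparent to whatever launches it (a desktop menu entry or another script), and rejecting limits outside 1..100 catches a typo before cpulimit is started with an argument it would not honour.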

Now it's running fine on OpenSUSE 11.1 with the latest kernel, 2.6.31.3.

At last some respite :)

Bhaskar Chowdhury

Sunday, October 4, 2009

How to install Postfix, Amavisd-new, SpamAssassin, Pyzor, Rzor, DCC, and ClamAV on Fedora Core 4 v2.1.8

This is a wonderful article explaining Postfix from source, Amavisd-new, SpamAssassin, ClamAV, Pyzor, Razor and DCC. Although all of those are implemented on FC4, I think they can be implemented with slight modifications on other distros too. The author has taken great pains to discover a lot of intricacies and explained them in a pretty good way.


Bhaskar Chowdhury

Integrating Tomcat and Apache on Red Hat Linux | HowtoLinux

A very well explained article on integrating Tomcat and Apache on Red Hat Linux.


Bhaskar Chowdhury