Saturday, February 25, 2012

Installation of Linux Malware Detect or maldet

Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license, that is designed around the threats faced in shared hosting environments. It uses threat data from network-edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Threat data is also derived from user submissions made with the LMD checkout feature and from malware community resources. The signatures LMD uses are MD5 file hashes and HEX pattern matches; they can also be easily exported to other detection tools such as ClamAV.

Other scanners in this space are rkhunter and chkrootkit, both of which focus on rootkit detection.

Friday, February 24, 2012

Recovering a deleted file if there is still a running process associated with it


This is very interesting. A filename is just a link to an inode. If we delete a file, only the link between the filename and the inode is removed. The data in the inode stays intact until the inode is returned to the free list and allocated to another file, and that only happens once no directory entry and no open file descriptor refers to it any more.

We can check this with a small example.

Here we create a text file named filename.txt:
[root@work1 ~]# vi filename.txt
[root@work1 ~]# cat filename.txt
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
[root@work1 ~]#

Now we view that file using less:
[root@work1 ~]# less filename.txt
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
filename.txt (END)

Without quitting less, we delete filename.txt from another terminal:
[root@work1 ~]# rm -rf filename.txt

Now try to cat it. It's gone!
[root@work1 ~]# cat  filename.txt
cat: filename.txt: No such file or directory
[root@work1 ~]#

Now use the lsof command to get the PID of the less process that still has filename.txt open:
[root@work1 ~]# lsof | grep filename.txt
less      5315      root    4r      REG      253,0      140    1115137 /root/filename.txt (deleted)
[root@work1 ~]#

The second field is the PID, i.e. 5315. The fourth field, 4r, tells us the file is open read-only on descriptor 4, and the "(deleted)" suffix confirms the directory entry is gone.

Now list the file descriptors of that process and read the one lsof reported:
[root@work1 ~]# ls /proc/5315/fd/
0  1  2  3  4
[root@work1 ~]# cat /proc/5315/fd/4
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
[root@work1 ~]#

You can see it's the very same file content.

Now just copy that to our desired file:
[root@work1 ~]# cp /proc/5315/fd/4 filename.txt

It's done.
[root@work1 ~]# cat filename.txt
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
This is a test file
[root@work1 ~]#
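The same recovery as a script, assuming Linux with /proc mounted (an added example, not from the original post; the function names recover_deleted and demo are mine). The shell itself stands in for the running less by holding the file open on descriptor 3, and the second lookup shows the caveat: once the last descriptor is closed, the inode is freed and nothing is left to copy.

```shell
#!/bin/sh
# Recover a deleted file that some process still holds open, via /proc/<pid>/fd.
# recover_deleted <pid> <original-path> <destination>: returns 0 on success,
# 1 if no descriptor of that process still points at "<original-path> (deleted)".
recover_deleted() {
    pid="$1"; orig="$2"; dest="$3"
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd") || continue
        # The kernel appends " (deleted)" to the link target once the last
        # directory entry is gone; the inode stays alive while the fd is open.
        if [ "$target" = "$orig (deleted)" ]; then
            cp "$fd" "$dest" && return 0
        fi
    done
    return 1
}

# Walks the same steps as the less / rm / lsof session above, with the current
# shell ($$) holding the file open on descriptor 3 instead of less.
demo() {
    dir=$(cd "$(mktemp -d)" && pwd -P)
    f="$dir/filename.txt"
    printf 'This is a test file\nThis is a test file\n' > "$f"   # constructed input
    exec 3<"$f"          # keep the inode referenced, like the running less
    rm -f "$f"           # unlink: the name is gone, the data is not
    DEMO_RECOVERED=""
    if recover_deleted "$$" "$f" "$dir/recovered.txt"; then
        DEMO_RECOVERED=$(cat "$dir/recovered.txt")
    fi
    exec 3<&-            # close the last reference: now the inode is really freed
    DEMO_AFTER_CLOSE=0
    recover_deleted "$$" "$f" "$dir/again.txt" || DEMO_AFTER_CLOSE=$?
    rm -rf "$dir"
}
```

On a real incident, run it as root against the PID that lsof reports, and copy to a different filesystem so the copy cannot reuse the block the inode still occupies.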

Now we will look at the contents of /proc/pid/:
[root@work1 ~]# ls /proc/5354/
attr  cmdline          cpuset  environ  fd      limits    maps  mounts      oom_adj    root       smaps  statm   task
auxv  coredump_filter  cwd     exe      limits  loginuid  mem   mountstats  oom_score  schedstat  stat   status  wchan
[root@work1 ~]#

/proc/[pid]
There is a numerical subdirectory for each running process; the subdirectory is named by the process ID. Each such subdirectory contains the following pseudo-files and directories.

/proc/PID/cmdline
This holds the complete command line for the process, unless the process is a zombie. In the latter case, there is nothing in this file: that is, a read on this file will return 0 characters. The command-line arguments appear in this file as a set of strings separated by null bytes ('\0'), with a further null byte after the last string.

/proc/PID/cpu
Current and last cpu in which it was executed.

/proc/PID/cwd
This is a symbolic link to the current working directory of the process.

/proc/PID/environ
This file contains the environment for the process.

/proc/PID/exe
Under Linux 2.2 and later, this file is a symbolic link containing the actual pathname of the executed command. This symbolic link can be dereferenced normally; attempting to open it will open the executable.
Under Linux 2.0 and earlier, /proc/[pid]/exe is a pointer to the binary which was executed, and appears as a symbolic link.

/proc/PID/fd
This is a subdirectory containing one entry for each file which the process has open, named by its file descriptor, and which is a symbolic link to the actual file. Thus, 0 is standard input, 1 standard output, 2 standard error, etc.

/proc/PID/maps
A file containing the currently mapped memory regions and their access permissions.

/proc/PID/mem
This file can be used to access the pages of a process's memory through open(2), read(2), and lseek(2).

/proc/PID/root
UNIX and Linux support the idea of a per-process root of the file system, set by the chroot(2) system call. This file is a symbolic link that points to the process's root directory, and behaves as exe, fd/*, etc. do.

/proc/PID/stat
Status information about the process.

/proc/PID/statm
Provides information about memory status in pages.

/proc/PID/status
Provides much of the information in /proc/[pid]/stat and /proc/[pid]/statm in a format that's easier for humans to parse.

For more information on the fields under /proc/pid, run the following command:
# man 5 proc

Thursday, February 23, 2012

warning: unsupported SASL server implementation: cyrus


You may get this error when enabling SMTP AUTH with Cyrus SASL in a Postfix built from source:

[root@work1 postfix-2.9.1]# postfix start
postfix/postfix-script: starting the Postfix mail system
[root@work1 postfix-2.9.1]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.

Errors:
tail -f /var/log/maillog
Feb 23 15:54:17 work1 postfix/postfix-script[10991]: starting the Postfix mail system
Feb 23 15:54:17 work1 postfix/master[10992]: daemon started -- version 2.9.1, configuration /etc/postfix
Feb 23 15:57:22 work1 postfix/smtpd[10996]: warning: unsupported SASL server implementation: cyrus
Feb 23 15:57:22 work1 postfix/smtpd[10996]: fatal: SASL per-process initialization failed
Feb 23 15:57:23 work1 postfix/master[10992]: warning: process /usr/libexec/postfix/smtpd pid 10996 exit status 1
Feb 23 15:57:23 work1 postfix/master[10992]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

Reason and solution:
The Postfix-with-Cyrus-SASL build procedure has changed: you now need to specify -DUSE_CYRUS_SASL in addition to -DUSE_SASL_AUTH.

Regenerate the makefiles with both flags and rebuild:
[root@work1 postfix-2.9.1]# make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl" AUXLIBS="-L/usr/lib -lsasl2"

Now it works, and the EHLO response advertises AUTH:
[root@work1 postfix-2.9.1]# postfix start
postfix/postfix-script: starting the Postfix mail system
[root@work1 postfix-2.9.1]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 work1.lap.work ESMTP Postfix
ehlo localhost
250-work1.lap.work
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH GSSAPI LOGIN PLAIN DIGEST-MD5 CRAM-MD5 NTLM
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Wednesday, February 22, 2012

Configuring simple DNS using bind or named


I was searching for a simple DNS implementation using bind, but couldn't find one, so I'm posting this here. Here we are configuring DNS for the domain lap.work.

Server-side configuration:
Install bind and the other needed packages:
yum install bind-chroot bind bind-devel bind-utils caching-nameserver

Change directory to /var/named/chroot/etc/, since we installed the chroot package and the ROOTDIR of named is therefore /var/named/chroot:
#cd /var/named/chroot/etc/

Create a named.conf from the sample files installed by caching-nameserver:
cat named.* > named.conf

Edit named.conf as follows:
[root@server ~]# cat /var/named/chroot/etc/named.conf
options {
        directory       "/var/named";
};

zone "lap.work" IN {
        type master; // This is the forward zone declaration for the domain lap.work
        file "lap.work.zone";
};

zone "137.168.192.in-addr.arpa" IN {
        type master; // This is the reverse zone declaration for the domain lap.work
        file "lap.work.local";
};
[root@server ~]#

Now create the forward and reverse zone files from the samples:
[root@server ~]# cd /var/named/chroot/var/named/
cp localdomain.zone lap.work.zone
cp named.local lap.work.local

Create the forward zone file as follows:
[root@server named]# cat  lap.work.zone
$TTL    86400
@               IN SOA  lap.work. root (
                                        43              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                IN NS           ns1.lap.work.
                IN MX  10       work1.lap.work.

www             IN A            192.168.137.10
ftp             IN A            192.168.137.10
mail            IN A            192.168.137.10
work1           IN A            192.168.137.10
ns1             IN A            192.168.137.10
[root@server named]#

Create the reverse zone file as follows:
[root@server named]# cat  lap.work.local
$TTL    86400
@       IN      SOA     lap.work. root.lap.work.  (
                                      1997022701 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
         IN      NS      lap.work.
10       IN      PTR     work1.lap.work.
[root@server named]#

Change the ownership so that the following files belong to the group named:
[root@server named]# chown root.named /var/named/chroot/etc/named.conf
[root@server named]# chown root.named /var/named/chroot/var/named/lap.work.zone
[root@server named]# chown root.named /var/named/chroot/var/named/lap.work.local

Start the named service:
[root@server named]# /etc/init.d/named start
Starting named:                                            [  OK  ]
[root@server named]#

Client-side configuration:
Edit resolv.conf as follows:
[root@work1 ~]# cat /etc/resolv.conf
nameserver 192.168.137.100
[root@work1 ~]#

Test the server using the host and nslookup commands:
[root@work1 ~]# host work1.lap.work
work1.lap.work has address 192.168.137.10
[root@work1 ~]# host -i 192.168.137.10
10.137.168.192.in-addr.arpa domain name pointer work1.lap.work.
[root@work1 ~]# nslookup work1.lap.work
Server:         192.168.137.100
Address:        192.168.137.100#53
Name:   work1.lap.work
Address: 192.168.137.10
[root@work1 ~]# nslookup 192.168.137.10
Server:         192.168.137.100
Address:        192.168.137.100#53
10.137.168.192.in-addr.arpa     name = work1.lap.work.
[root@work1 ~]#
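An added consistency check (not part of the original post) that complements the host / nslookup tests above: it reads the forward and reverse zone files and reports every PTR whose target has no A record or whose A record carries a different address. The function names are mine; the sample zone files are constructed from the ones above, with one bogus PTR added so that a mismatch is actually caught.

```shell
#!/bin/sh
# Cross-check a reverse zone against its forward zone: every PTR in the
# in-addr.arpa zone must name a host whose A record carries that address.
# Usage: check_ptr_consistency <forward-zone> <reverse-zone> <origin> <net-prefix>
# Prints one line per mismatch; the return value is the number of mismatches.
check_ptr_consistency() {
    awk -v origin="$3" -v prefix="$4" '
        BEGIN { bad = 0 }
        # first file (forward zone): "name IN A addr" -> remember addr per FQDN
        FNR == NR { if ($2 == "IN" && $3 == "A") a[$1 "." origin "."] = $4; next }
        # second file (reverse zone): "last-octet IN PTR fqdn."
        $2 == "IN" && $3 == "PTR" {
            want = prefix "." $1
            if (!($4 in a))         { printf "PTR %s -> %s: no A record\n", want, $4; bad++ }
            else if (a[$4] != want) { printf "PTR %s -> %s, but A is %s\n", want, $4, a[$4]; bad++ }
        }
        END { exit bad }' "$1" "$2"
}

# Constructed sample: the zone files from the post (SOA collapsed to one line)
# plus one bogus PTR, 20 -> nowhere.lap.work., to show a mismatch being caught.
demo_zone_check() {
    dir=$(mktemp -d)
    cat > "$dir/lap.work.zone" <<'EOF'
$TTL    86400
@       IN SOA  lap.work. root ( 43 3H 15M 1W 1D )
        IN NS   ns1.lap.work.
        IN MX   10 work1.lap.work.
www     IN A    192.168.137.10
mail    IN A    192.168.137.10
work1   IN A    192.168.137.10
ns1     IN A    192.168.137.10
EOF
    cat > "$dir/lap.work.local" <<'EOF'
$TTL    86400
@       IN      SOA     lap.work. root.lap.work. ( 1997022701 28800 14400 3600000 86400 )
        IN      NS      lap.work.
10      IN      PTR     work1.lap.work.
20      IN      PTR     nowhere.lap.work.
EOF
    rc=0
    check_ptr_consistency "$dir/lap.work.zone" "$dir/lap.work.local" lap.work 192.168.137 || rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run check_ptr_consistency against the real files under /var/named/chroot/var/named/ before restarting named; a stale PTR is exactly the kind of drift that breaks reverse-lookup based access checks and mail delivery without any error in the named log.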