Posts Tagged ‘note’

Windows unable to delete file, file locked unlocking with Unlocker tiny tool

Wednesday, April 13th, 2016

Windows-Unlocker-program-show-what-program-or-software-is-locking-your-file-why-file-cant-be-deleted-file-locked

If you want to delete some file on a Windows server or Desktop but you get the a dialog with an error saying:

"This action can't be completed because the folder or a file in it is open in another program"

windows-unable-to-delete-file-file-locked-get-what-is-locking-it-and-unlock-the-file-with-Unlocker-tiny-desktop-graphic-tool-0

Then you need to find out which Program is preventing the file from deletion / locking the file, I've earlier blogged on how to check which process locks file with tasklist or wmic Windows commands

However some users might prefer to not bother with command line check what is locking a file and then killing the Process manually with taskmanager (taskmgr.exe) but do both file unlocking from one single gui interface, that's especially for lazy novice users, gamers and most of Desktop Windows users.

If you're one of those lazy users you will appriace

Unlocker – a useful utility for unlocking files, it will help you figure out which file is using a file what program is using the file you're prevented to delete.
Unlocker is the tool for you if you get any of below error messages, when you try to delete a file:

 

  • Cannot delete folder: It is being used by another person or program
  • Cannot delete file: Access is denied
  • There has been a sharing violation.
  • The source or destination file may be in use.
  • The file is in use by another program or user.
  • Make sure the disk is not full or write-protected and that the file is not currently in use.
     

windows-unable-to-delete-file-file-locked-get-what-is-locking-it-and-unlock-the-file-with-Unlocker-tiny-desktop-graphic-tool-1

If you stumble unto an locked file once you download and install Unlocker tool and launch the tool ( in case it disappers in future a mirror of Unlocker tool here ).
Once installed if you click properties over the file which is refused to be deleted you will get a new menu such as in below screenshot:

NB! Beware while installing Unlocker you might be offered to install a bunch of malware (make sure you deselect it). Also Unlocker's site is made in a way so the Download button could easily be confused with some Google Adsense

unlocker-windows-menu-added-to-properties-options-screenshot

Click on the file that is being locked and choose the Unlocker button, for example if you have a bunch of Videos installed and the video is being locked by VLC clicking on the file you will be shown VLC like in below screenshot

 

Unlocker-screenshot-locked-file-because-movie-opened-in-VLC

As you see you're shown the Process PID that is being used by the file the full path to the locking program and you have the option to quickly kill the process or unlock the file. Note that at some cases unlocking a file used by some critical program lets say Microsoft Word / Excel or OneNote could cause you a data loss, so before unlocking a file make sure you know what you're doing.

For more advanced users that still prefer GUI to find out what is Locking a file you can also check out Microsoft Process Explorer (advabced task manager) like tool.
If you haven't tried Process Explorer be sure to take a look at it as its a great tool for Win SysAdmins:

Process Explorer is very handy if you want to explore which .DLL (Windows Libraries) are used by a Process / Program

Windows-process-explorer-an-advanced-task-manager-for-windows-and-handy-tool-to-see-what-external-libraries-and-files-a-program-is-using.png

Windows-process-explorer-an-advanced-task-manager-for-windows-and-handy-tool-to-see-what-external-libraries-and-files-a-program-is-using-1

 

Trip to Shipka Peak,Sopot and 3rd of March Liberation of Bulgaria from Turkish Slavery 1878

Sunday, March 6th, 2016

Shipka_memorial_stone-of-Russian-Turkish-war-and-liberation-of-Bulgaria

Its 3rd of March for one more year, (Bulgaria Independence Day), the Liberation of Bulgaria from Turkish Slavery.
Eternal Glory be to all Bulgarians, Russian, Ukrainian, Belarusian, Romanian, Finish, Serbian and Moldovans and All Russian army Soldiers (Eastern Orthodox Christians) who fall fighting for the liberty of  my homeland Bulgaria!

3rd of March is Biggest and perhaps brightest among all the feasts of new history of Bulgaria because on 3-rd of March 1878 San Stefano Treaty (peace contract) between Russian Empire and Ottoman Empire.
My homeland Bulgaria was enslaved under the yoke of Turkish Empire from 1393 (when it fall under Ottoman Slavery) to 1878 received independence and Bulgaria as a country was rebuild for 3rd time (The 3rd Bulgarian Kingdom) arised.

San Stefano's Treaty The treaty created the Principality of Bulgaria with a territory including current territory of Bulgaria plus the Macedonia region (nowadays country of Macedonia) which has historically been most of the time part of Bulgarian Empire and Bulgarian country which at  the time of signing the treaty was mainly populated with Bulgarians. Later the Berlin contract revisioned San-Stefano Treaty because the countries of power at the day didn't wanted such a big country at the heart of Europe.

3rd of March has a very special way of  celebration especially at the places where there was battles between the side of Russian Empire (Ukrainians, Moldovans, Belarusians, Finnish) with the help of  few hundred thousands of Bulgarians, Romanian, Serbians has fought and defeated heroically the Turkish Army – which at the time was better equipped and more numerous than the Russian / Bulgarian and other ally soldiers, but as the saying goes The Power is not in the Multitude but in God alone, so the almost 494 397 soldiers army of Turkish Empire was defeated by just collectively 312  thousands of Russian, Bulgarians and other Christian allies.
This year here in Bulgaria we celebrate 138 years since liberation of Bulgaria from Turkish Slavery, so for one more year, we enjoy freedom from the darkness of economic and religious Turkish slavery.

In the war most of the soldiers that took participation had been Eastern Orthodox Christians so it could be said the war was almost a war of Faiths – On one side All Eastern Orthodox believers and on other Muslims.
The Turkish-Russian war (1877-1878) is hence absolutely epochal and becomes a good history lesson to look back to especially with the latest exarcebation of relations between Russia and Turkey.

The war had been disadvantageous at a certain time and there was a high chances that the Eastern Orthodox armies could have been defeated if it wasn't the heroic win of the Battle for Shipka Peak where about 35000 well equipped Turkish soldiers were defeated by just 5500 mostly Bulgarians and some  Russians.

Shipka-Ottoman-Turkish-fighting-with-Bulgarian-and-Russian-armies-on-Shipka

The Bulgarian and Russian armies has been fortified themselves and has severely fought for 3 days while on Shipka peak with some old fashined battle guns and some old riffles (many of which self produced) and insufficiency of ammos.
The Bulgarians didn't have any food so kept hungry for 3 days while being under a siege of the Ottoman, when they run out of Ammos, the only way to fight was to catch stones and throw over the enemy, when the stones were over, they started picking up the dead bodies of other mates and through over Turkish enemy.

The Bulgarian poet, publicist and Romanist Ivan Vazov has written a glorious poem being inspired by the heroism called "Epic of the Forgotten / Opylchencite na Shipka"
which occured in July / August and September 1877.

Shipka_Bulgarian_turkish-slavery-liberation_memorial_stone
Some years ago I had the chance to visit the Shipka  Monastery and the Majestic Russian Church nearby Shipka  but not until this year I haven't been on the Shipka peak itself nearby the battles where a majestic central majestic monument was build as a memorial stone and few other little memorial stones were build by the Russian Tsarist Army.

Memorial_stone-Shipka-Alexander_II_emperor-of-Russia

Memorial Russian Stone build in honour of the fallen Russian, Moldovian, Belarusian and Ukrainian for the Liberty of the Brotherly slavonic nation.

The stone depicts the Byzantine Empire Eagle (coat of arms) adopted by Russian Empire after fall of Byzantium and a memorial note in honor of Russian Emperor Tsardom Alexander (Nikolaevich) II.

This year by God's grace I had a chance to visit also the central monument stone exactly on 3rd of March as a friend of mine Pavel with his wife Ivanka had already planned a Trip to Shipka for the feast and they didn't objected to join them and visit Shipka Peak.
The monument of Shipka started on 1922 and completed in 1930, the monument was first officially opened in 1934 on top of the entrance of Shipka monument is an enormous bronze Lion (which is a Symbol of Bulgaria and also a symbol of Juda the tribe from which the Saviour God-Man Jesus Christ descended by flesh bloodline. The 3 writtings on the monumentum Shipka, Stara Zagora, Sheinovo are written to commemorate the great battles for liberation that occured on that 3 places.  Traditionally each year since 1934, there is our Eastern Orthodox prayer (Moleben) for the fallen in the fights and great feasts gatherings with Bulgarian and other country officials and a lot of people from VMRO (a nationalist organization), Voini na Tangra (Tangra Warriors) and many mostly nationalists and patriots. It is curious fact that Putin visited Shipka on 3rd of March 2003.

 

We travelled from Sofia to Shipka quite early in the morning 5:45 morning in order to escape the traffic jams and drived to there about 250 km with a short break on an oil station.
Being there nearby the village we had to wait on a long queue with cars of other people going for the Shipka feast and after some 50 mins of jam, we finally parked because it was already impossible to continue because of the multitude of parked cars all around the road.
From there we had to walk about 8 kilometers climb up the mountain as Shipka peak is about 1326 metres high.
Normal way was in a asphalt car road, but as there was many cars going back and forth and the air there was quite dirty after about 2 km we catched alternative wild route through some mountain paths.

God had been good to us these day as even though it is still the end of Winter in Bulgaria and usually March is a cold month the day was Sunny and Warm and there was no rain at all, this was a big grace to us and all of the tens of thousands of people all around …

Being there we entered the monumentum which happens to also be a 4 staged museum with some beautiful monuments inside.

Shipka-Marble-Sarcophagus-with-bones-leftovers-of-Shipka-Heroes-thanks-to-which-Bulgaria-is-free

Sacrophagus with Bone Remains of Soldiers fallen for the Victory of Bulgarian-Russian Brotherly armies on Shipka

Then we had a walk back the road fallowing the 892 steps down from the monumentum to the asphalt road leading back to Shipka village.

Shipka_890-steps-down-the-peak-liberation-monumentum

Going down the stairs from Shipka there are plenty of Souvenirs being sold some Fast Food vans selling coffee, beer sausages and burgers so we took Karnache-ta with Bread (which is a kind of traditional famous Bulgarian hunter sausage) 🙂

Having a kind of dinner we travelled back and went to see the Majestic Russian Church built from 1882 and sanctified in 1902. The Church Crypt (containing also bones of the dead soldiers who left their bones for our freedom), the Church was build with donations from Russians and contains at the moment also a lot of Holy Relics of Eastern Orthodox saints and thus is a great destination for pilgrimage.

memorial-Russian-Church-of-soldiers-fallen-for-liberation-of-Bulgaria

We wanted to sleep in a hotel or a guest house in Shipka but because of the feast everything was already occupied so we travelled to nearby famous Bulgarian revolutionary city Sopot (which is famous for being a very central for the Bulgarian liberation movement of Vasil Levsky) and most importantly the birth place of the patriarch of Bulgarian literature and probably the best poetries, romanist and publicist of Bulgaria of all times Ivan Vazov.

We had called a gues house phone and found a accomodation place to stay for the night in one of the many Guest houses in Sopot and then we our dinner in some local pub called CHICHOVCI (Uncles), nearby Sopot center church which is in famous of Saint Peter and Saint Paul.
Here is time to say that perhaps the fact everything went smoothly with finding an accomodation so easily in so late time and having such a nice dinner nearby the Church was not a coincidence, because earlier on our road back from Shipka, my wife Svetlana was teaching Pavel the Church Troparion of Saint Peter and Paul, which is in honour of st. Paul the protector saint of Pavel.

The guest house accomodation (we got the number to seek for rooms) from a Ads in front of restaurant pub of CHICHOVCI in Sopot turned to be also quite cheap 12 lv (6 eur) per person. So 2 person room costed only 12 euro. We were accomodated straigh in the beatiful crest of the mountain nearby a pine forest.
This night I slept quite peaceful, probably because the air in a small town as Sopot is crystal clear as it is in most mountain parts of our heavinly country Bulgaria.

In the morning we had a quick meal and went for a coffee and tea as we have the custom to do here in Bulgaria mornings on free days in a small but cozy coffee place.

saint_Peter-and-Paul-Church-Sopot

From then on we took some food for a lunch Duners from nearby and went to see the St. Paul, St. Peter church.
The Church is from y. 1840 and is in its authentic form and had plenty of old 100+ years Eastern Orthodox icons and the Christ Grace inside is so heavy. The central icon of the Church in honour of Saint Paul and Peter is considered miraculous and has an all time unexplainable heavy scent.

saint-Peter-and-Paul-church-inside-interior-Sopot

Our next destination was the Museum birth house of Ivan Vazov author of the most famous Bulgarian novel after liberation "Pod Igoto / Under the Yoke", which illustrates very precisely the way of life of common Bulgarian before and throughout the efforts to organize inside bulgaria, liberation war and struggles of Bulgarian ordinary people because of the inhuman Ottoman Turkish enslavers.

Sopot-Ivan-Vazov-monument

As you see behind the monument in remembrance of Vazov, Sopot's mountains and nature just like Shipka's is amazingly beatiful.

Ivan-Vazov-birth-house-the-most-famous-Bulgarian-novelist

Vazov's house is a great place for anyone who wants to go back in time with 130 years back in time and see the way rich Bulgarians housed used to look like, what were people working, what was the common interior of a Bulgarian house for that time as well as many specifics about the glorious (intellectuals) family of Vazov, two of his brothers (Georgi Vazov and Vladimir Vazov), studied in Russian Empire and were succesful and famous Generals in Bulgarian army, where Boris Vazov was famous politician.
Nearby Sopot, there is a special lift for paraglinding and is a famous destination for paragliding very near I heard there is monastery Sveti Spas (Holy Saviour).

Unfortunately this time the time was short and we had to go back so we couldn't visit the monastery, but I'm determined to go there in Sopot / Shipka and nearby hopefully soon in some of coming next holidays – if God bless so.

Fixing Shellshock new critical remote bash shell exploitable vulnerability on Debian / Ubuntu / CentOS / RHEL / Fedora / OpenSuSE and Slackware

Friday, October 10th, 2014

Bash-ShellShock-remote-exploitable-Vulnerability-affecting-Linux-Mac-OSX-and-BSD-fixing-shellshock-bash-vulnerability-debian-redhat-fedora-centos-ubuntu-slackware-and-opensuse
If you still haven’t heard about the ShellShock Bash (Bourne Again) shell remote exploit vulnerability and you admin some Linux server, you will definitely have to read seriously about it. ShellShock Bash Vulnerabily has become public on Sept 24 and is described in details here.

The vulnerability allows remote malicious attacker to execute arbitrary code under certain conditions, by passing strings of code following environment variable assignments. Affected are most of bash versions starting with bash 1.14 to bash 4.3.
Even if you have patched there are some reports, there are other bash shell flaws in the way bash handles shell variables, so probably in the coming month there will be even more patches to follow.

Affected bash flaw OS-es are Linux, Mac OS and BSDs;

• Some DHCP clients

• OpenSSL servers that use ForceCommand capability in (Webserver config)

• Apache Webservers that use CGi Scripts through mod_cgi and mod_cgid as well as cgis written in bash or launching bash subshells

• Network exposed services that use bash somehow

Even though there is patch there are futher reports claiming patch ineffective from both Google developers and RedHat devs, they say there are other flaws in how batch handles variables which lead to same remote code execution.

There are a couple of online testing tools already to test whether your website or certain script from a website is vulnerable to bash remote code executions, one of the few online remote bash vulnerability scanner is here and here. Also a good usable resource to test whether your webserver is vulnerable to ShellShock remote attack is found on ShellShocker.Net.

As there are plenty of non-standard custom written scripts probably online and there is not too much publicity about the problem and most admins are lazy the vulnerability will stay unpatched for a really long time and we’re about to see more and more exploit tools circulating in the script kiddies irc botnets.

Fixing bash Shellcode remote vulnerability on Debian 5.0 Lenny.

Follow the article suggesting how to fix the remote exploitable bash following few steps on older unsupported Debian 4.0 / 3.0 (Potato) etc. – here.

Fixing the bash shellcode vulnerability on Debian 6.0 Squeeze. For those who never heard since April 2014, there is a A Debian LTS (Long Term Support) repository. To fix in Debian 6.0 use the LTS package repository, like described in following article.

If you have issues patching your Debian Wheezy 6.0 Linux bash, it might be because you already have a newer installed version of bash and apt-get is refusing to overwrite it with an older version which is provided by Debian LTS repos. The quickest and surest way to fix it is to do literally the following:


vim /etc/apt/sources.list

Paste inside to use the following LTS repositories:

deb http://http.debian.net/debian/ squeeze main contrib non-free
deb-src http://http.debian.net/debian/ squeeze main contrib non-free
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

Further on to check the available installable deb package versions with apt-get, issue:



apt-cache showpkg bash
...
...
Provides:
4.1-3+deb6u2 -
4.1-3 -
Reverse Provides:

As you see there are two installable versions of bash one from default Debian 6.0 repos 4.1-3 and the second one 4.1-3+deb6u2, another way to check the possible alternative installable versions when more than one version of a package is available is with:



apt-cache policy bash
...
*** 4.1-3+deb6u2 0
500 http://http.debian.net/debian/ squeeze-lts/main amd64 Packages
100 /var/lib/dpkg/status
4.1-3 0
500 http://http.debian.net/debian/ squeeze/main amd64 Packages

Then to install the LTS bash version on Debian 6.0 run:



apt-get install bash=4.1-3+deb6u2

Patching Ubuntu Linux supported version against shellcode bash vulnerability:
A security notice addressing Bash vulnerability in Ubuntus is in Ubuntu Security Notice (USN) here
USNs are a way Ubuntu discloses packages affected by a security issues, thus Ubuntu users should try to keep frequently an eye on Ubuntu Security Notices

apt-get update
apt-get install bash

Patching Bash Shellcode vulnerability on EOL (End of Life) versions of Ubuntu:

mkdir -p /usr/local/src/dist && cd /usr/local/src/dist
wget http://ftpmirror.gnu.org/bash/bash-4.3.tar.gz.sig
wget http://ftpmirror.gnu.org/bash/bash-4.3.tar.gz
wget http://tiswww.case.edu/php/chet/gpgkey.asc
gpg --import gpgkey.asc
gpg --verify bash-4.3.tar.gz.sig
cd ..
tar xzvf dist/bash-4.3.tar.gz
cd bash-4.3
mkdir patches && cd patches
wget -r --no-parent --accept "bash43-*" -nH -nd
ftp.heanet.ie/mirrors/gnu/bash/bash-4.3-patches/ # Use a local mirror
echo *sig | xargs -n 1 gpg --verify --quiet # see note 2

cd ..
echo patches/bash43-0?? | xargs -n 1 patch -p0 -i # see note 3 below

./configure --prefix=/usr --bindir=/bin
--docdir=/usr/share/doc/bash-4.3
--without-bash-malloc
--with-installed-readline

make
make test && make install

To solve bash vuln in recent Slackware Linux:

slackpkg update
slackpkg upgrade bash

For old Slacks, either download a patched version of bash or download the source for current installed package and apply the respective patch for the shellcode vulnerability.
There is also a GitHub project “ShellShock” Proof of Concept code demonstrating – https://github.com/mubix/shellshocker-pocs
There are also non-confirmed speculations for bash vulnerability bug to impact also:

Speculations:(Non-confirmed possibly vulnerable common server services):

• XMPP(ejabberd)

• Mailman

• MySQL

• NFS

• Bind9

• Procmail

• Exim

• Juniper Google Search

• Cisco Gear

• CUPS

• Postfix

• Qmail

Fixing ShellShock bash vulnerability on supported versions of CentOS, Redhat, Fedora

In supported versions of CentOS where EOL has not reached:

yum –y install bash

In Redhat, Fedoras recent releases to patch:

yum update bash

To upgrade the bash vulnerability in OpenSUSE:

zipper patch –cve=CVE-2014-7187

Shellcode is worser vulnerability than recent SSL severe vulnerability Hearbleed. According to Redhat and other sources this new bash vulnerability is already actively exploited in the wild and probably even worms are crawling the net stealing passwords, data and building IRC botnets for remote control and UDP flooding.

find text strings recursively in Linux and UNIX – find grep in sub-directories command examples

Tuesday, May 13th, 2014

unix_Linux_recursive_file_search_string_grep
GNU Grep
is equipped with a special option "-r" to grep recursively. Looking for string in a file in a sub-directories tree with the -r option is a piece of cake. You just do:

grep -r 'string' /directory/

or if you want to search recursively non-case sensitive for text

grep -ri 'string' .
 

Another classic GNU grep use (I use almost daily) is whether you want to match all files containing (case insensitive) string  among all files:

grep -rli 'string' directory-name
 

Now if you want to grep whether a string is contained in a file or group of files in directory recursively on some other UNIX like HP-UX or Sun OS / Solaris where there is no GNU grep installed by default here is how to it:

find /directory -exec grep 'searched string' {} dev/null ;

Note that this approach to look for files containing string on UNIX is very slowThus on not too archaic UNIX systems for some better search performance it is better to use xargs;

find . | xargs grep searched-string


A small note to open here is by using xargs there might be weird results when run on filesystems with filenames starting with "-".

Thus comes the classical (ultimate) way to grep for files containing string with find + grep, e.g.

find / -exec grep grepped-string {} dev/null ;

Another way to search a string recursively in files is by using UNIX OS '*' (star) expression:

grep pattern * */* */*/* 2>/dev/null

Talking about recursive directory text search in UNIX, should mention  another good GNU GREP alternative ACK – check it on betterthangrep.com 🙂 . Ack is perfect for programmers who have to dig through large directory trees of code for certain variables, functions, objects etc.

 

Finding spam sending php scripts on multiple sites servers – Tracing and stopping spammer PHP scripts

Monday, April 14th, 2014

stop_php_mail-spam-find-spammer-and-stop-php-spammer-websites
Spam has become a severe issue for administrators, not only for mail server admins but also for webshosting adms. Even the most secure spam protected mail server can get affected by spam due to fact it is configured to relay mail from other servers acting as web hosting sites.

Webhosting companies almost always suffer seriously from spam issues and often their mail servers gets blocked (enter spam blacklists), because of their irresponsible clients uploading lets say old vulnerable Joomla, WordPress without Akismet or proper spam handling plugin,a CMS which is not frequently supported / updated or custom client insecure php code.

What I mean is Shared server A is often configured to sent mail via (mail) server B. And often some of the many websites / scripts hosted on server A gets hacked and a spam form is uploaded and tons of spam start being shipped via mail server B.

Of course on mail server level it is possible to configure delay between mail sent and adopt a couple of policies to reduce spam, but the spam protection issue can't be completely solved thus admin of such server is forced to periodically keep an eye on what mail is sent from hosting server to mail server.
 


If you happen to be one of those Linux (Unix) webhosting admins who find few thousand of spammer emails into mail server logs or your eMail server queue and you can't seem to find what is causing it, cause there are multiple websites shared hosting using mainly PHP + SQL and you can't identify what php script is spamming by reviewing  Apache log / PHP files. What you can do is get use of:

PHP mail.log directive

Precious tool in tracking spam issues is a PHP Mail.log parameter, mail log paramater is available since PHP version >= 5.3.0 and above.
PHP Mail.log parameter records all calls to the PHP mail() function including exact PHP headers, line numbers and path to script initiating mail sent.

Here is how it is used:
 

1. Create empty PHP Mail.log file

touch /var/log/phpmail.log

File has to be writtable to same user with which Apache is running in case of Apache with SuPHP running file has to be writtable by all users.

On Debian, Ubunut Linux:

chown www:data:www-data /var/log/phpmail.log

On CentOS, RHEL, SuSE phpmail.log has to be owned by httpd:

chown httpd:httpd /var/log/phpmail.log

On some other distros it might be chown nobody:nobody etc. depending on the user with which Apache server is running.

 

2. Add to php.ini configuration following lines

mail.add_x_header = On
mail.log = /var/log/phpmail.log

PHP directive instructs PHP to log complete outbund Mail header sent by mail() function, containing the UID of the web server or PHP process and the name of the script that sent the email;
 

(X-PHP-Originating-Script: 33:mailer.php)


i.e. it will make php start logging to phpmail.log stuff like:
 

 

mail() on [/var/www/pomoriemonasteryorg/components/com_xmap/2ktdz2.php:1]: To: info@globalremarketing.com.au — Headers: From: "Priority Mail" <status_93@pomoriemon
astery.org> X-Mailer: MailMagic2.0 Reply-To: "Priority Mail" <status_93@pomoriemonastery.org> Mime-Version: 1.0 Content-Type: multipart/alternative;boundary="——
—-13972215105347E886BADB5"
mail() on [/var/www/pomoriemonasteryorg/components/com_xmap/2ktdz2.php:1]: To: demil7167@yahoo.com — Headers: From: "One Day Shipping" <status_44@pomoriemonastery.
org> X-Mailer: CSMTPConnectionv1.3 Reply-To: "One Day Shipping" <status_44@pomoriemonastery.org> Mime-Version: 1.0 Content-Type: multipart/alternative;boundary="—
——-13972215105347E886BD344"
mail() on [/var/www/pomoriemonasteryorg/components/com_xmap/2ktdz2.php:1]: To: domainmanager@nadenranshepovser.biz — Headers: From: "Logistics Services" <customer.
id86@pomoriemonastery.org> X-Mailer: TheBat!(v3.99.27)UNREG Reply-To: "Logistics Services" <customer.id86@pomoriemonastery.org> Mime-Version: 1.0 Content-Type: mult
ipart/alternative;boundary="———-13972215105347E886BF43E"
mail() on [/var/www/pomoriemonasteryorg/components/com_xmap/2ktdz2.php:1]: To: bluesapphire89@yahoo.com — Headers: From: "Priority Mail" <status_73@pomoriemonaster
y.org> X-Mailer: FastMailer/Webmail(versionSM/1.2.6) Reply-To: "Priority Mail" <status_73@pomoriemonastery.org> Mime-Version: 1.0 Content-Type: multipart/alternativ
e;boundary="———-13972215105347E886C13F2"

 

On Debian / Ubuntu Linux to enable this logging, exec:

echo 'mail.add_x_header = On' >> /etc/php5/apache2/php.ini
echo 'mail.log = /var/log/phpmail.log' >> /etc/php5/apache2/php.ini


I find it useful to symlink /etc/php5/apache2/php.ini to /etc/php.ini its much easier to remember php location plus it is a standard location for many RPM based distros.

ln -sf /etc/php5/apache2/php.ini /etc/php.ini

Or another "Debian recommended way" to enable mail.add_x_header logging on Debian is via:

echo 'mail.add_x_header = On' >> /etc/php5/conf.d/mail.ini
echo 'mail.log = /var/log/phpmail.log' >> /etc/php5/conf.d/mail.ini

On Redhats (RHEL, CentOS, SuSE) Linux issue:

echo 'mail.add_x_header = On' >> /etc/php.ini
echo 'mail.log = /var/log/phpmail.log' >> /etc/php.ini

3. Restart Apache

On Debian / Ubuntu based linuces:

/etc/init.d/apache2 restart

P.S. Normally to restart Apache without interrupting client connections graceful option can be used, i.e. instead of restarting do:

/etc/init.d/apache2 graceful

On RPM baed CentOS, Fedora etc.:

/sbin/service httpd restart

or

apachectl graceful
 

4. Reading the log

To review in real time exact PHP scripts sending tons of spam tail it:

tail -f /var/log/phpmail.log

 

mail() on [/var/www/remote-admin/wp-includes/class-phpmailer.php:489]: To: theosfp813@hotmail.com — Headers: Date: Mon, 14 Apr 2014 03:27:23 +0000 Return-Path: wordpress@remotesystemadministration.com From: WordPress Message-ID: X-Priority: 3 X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version 2.0.4] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="UTF-8"
mail() on [/var/www/pomoriemonasteryorg/media/rsinstall_4de38d919da01/admin/js/tiny_mce/plugins/inlinepopups/skins/.3a1a1c.php:1]: To: 2070ccrabb@kiakom.net — Headers: From: "Manager Elijah Castillo" <elijah_castillo32@pomoriemonastery.org> X-Mailer: Mozilla/5.0 (Windows; U; Windows NT 5.0; es-ES; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1 Reply-To: "Manager Elijah Castillo" <elijah_castillo32@pomoriemonastery.org> Mime-Version: 1.0 Content-Type: multipart/alternative;boundary="———-1397463670534B9A76017CC"
mail() on [/var/www/pomoriemonasteryorg/media/rsinstall_4de38d919da01/admin/js/tiny_mce/plugins/inlinepopups/skins/.3a1a1c.php:1]: To: 20wmwebinfo@schools.bedfordshire.gov.uk — Headers: From: "Manager Justin Murphy" <justin_murphy16@pomoriemonastery.org> X-Mailer: Opera Mail/10.62 (Win32) Reply-To: "Manager Justin Murphy" <justin_murphy16@pomoriemonastery.org> Mime-Version: 1.0 Content-Type: multipart/alternative;boundary="———-1397463670534B9A7603ED6"
mail() on [/var/www/pomoriemonasteryorg/media/rsinstall_4de38d919da01/admin/js/tiny_mce/plugins/inlinepopups/skins/.3a1a1c.php:1]: To: tynyrilak@yahoo.com — Headers: From: "Manager Elijah Castillo" <elijah_castillo83@pomoriemonastery.org> X-Mailer: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; pl; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4 Reply-To: "Manager Elijah Castillo" <elijah_castillo83@pomoriemonastery.org> Mime-Version: 1.0 Content-Type: multipart/alternative;boundary="———-1397463670534B9A7606308"
mail() on [/var/www/pomoriemonasteryorg/media/rsinstall_4de38d919da01/admin/js/tiny_mce/plugins/inlinepopups/skins/.3a1a1c.php:1]: To: 2112macdo1@armymail.mod.uk — Headers: From: "Manager Justin Murphy" <justin_murphy41@pomoriemonastery.org> X-Mailer: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; pl; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4 Reply-To: "Manager Justin Murphy" <justin_murphy41@pomoriemonastery.org> Mime-Version: 1.0 Content-Type: multipart/alternative;boundary="———-1397463670534B9A76086D1"

 

As you can see there is a junky spam mails sent via some spammer script uploaded under name .3a1a1c.php, so to stop the dirty bastard, deleted the script:

rm -f /var/www/pomoriemonasteryorg/media/rsinstall_4de38d919da01/admin/js/tiny_mce/plugins/inlinepopups/skins/.3a1a1c.php

It is generally useful to also check (search) for all hidden .php files inside directoring storing multiple virtualhost websites, as often a weirdly named hidden .php is sure indicator of either a PHP Shell script kiddie tool or a spammer form.

Here is how to Find all Hidden Perl / PHP scripts inside /var/www:

find . -iname '.*.php'
./blog/wp-content/plugins/fckeditor-for-wordpress-plugin/ckeditor/plugins/selection/.0b1910.php
./blog/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/browser/default/.497a0c.php
./blog/wp-content/plugins/__MACOSX/feedburner_feedsmith_plugin_2.3/._FeedBurner_FeedSmith_Plugin.php

find . -iname '.*.pl*'

….

Reviewing complete list of all hidden files is also often useful to determine shitty cracker stuff

 find . -iname ".*"

Debugging via  /var/log/phpmail.log enablement is useful but is more recommended on development and staging (QA) environments. Having it enable on productive server with high amounts of mail sent via PHP scripts or just on dedicated shared site server could cause both performance issues, hard disk could quickly get and most importantly could be a severe security hole as information from PHP scripts could be potentially exposed to external parties.

How to search text strings only in hidden files dot (.) files within a directory on Linux and FreeBSD

Saturday, April 28th, 2012

how-to-search-hidden-files-linux-freebsd-logo_grep
If there is necessity to look for a string in all hidden files with all sub-level subdirectories (be aware this will be time consuming and CPU stressing) use:
 

hipo@noah:~$ grep -rli 'PATH' .*

./.gftp/gftprc
./.gftp/cache/cache.OOqZVP
….

Sometimes its necessery to only grep for variables within the first-level directories (lets say you would like to grep a 'PATH' variable set, string within the $HOME directory, the command is:

hipo@noah:~$ grep PATH .[!.]*

.profile:PATH=/bin:/usr/bin/:${PATH}
.profile:export PATH
.profile:# set PATH so it includes user's private bin if it exists
.profile: PATH="$HOME/bin:$PATH"
.profile.language-env-bak:# set PATH so it includes user's private bin if it exists
.profile.language-env-bak: PATH="$HOME/bin:$PATH"
.viminfo:?/PATH.xcyrillic: XNLSPATH=/usr/X11R6/lib/X11/nls
.xcyrillic: export XNLSPATH

The regular expression .[!.]*, means exclude any file or directory name starting with '..', e.g. match only .* files

Note that to use the grep PATH .[!.]* on FreeBSD you will have to use this regular expression in bash shell, the default BSD csh or tsch shells will not recognize the regular expression, e.g.:

grep PATH '.[!.]*'
grep: .[!.]*: No such file or directory

Hence on BSD, if you need to look up for a string within the home directory, hidden files: .profile .bashrc .bash_profile .cshrc run it under bash shell:

freebsd# /usr/local/bin/bash
[root@freebsd:/home/hipo]# grep PATH .[!.]*

.bash_profile:# set PATH so it includes user's private bin if it exists
.bash_profile:# PATH=~/bin:"${PATH}"
.bash_profile:# do the same with …

Another easier to remember, alternative grep cmd is:

hipo@noah:~$ grep PATH .*
.profile:PATH=/bin:/usr/bin/:${PATH}
.profile:export PATH
.profile:# set PATH so it includes user's private bin if it exists
.profile: PATH="$HOME/bin:$PATH"
….

Note that grep 'string' .* is a bit different in meaning, as it will not prevent grep to match filenames with names ..filename1, ..filename2 etc.
Though grep 'string' .* will work note that it will sometimes output some unwanted matches if filenames with double dot in the beginning of file name are there …
That's all folks 🙂

How to fix “Fatal error: Call to undefined function: curl_init()” on FreeBSD and Debian

Saturday, June 18th, 2011

After installing the Tweet Old Post wordpress plugin and giving it, I’ve been returned an error of my PHP code interpreter:

Call to undefined function: curl_init()

As I’ve consulted with uncle Google’s indexed forums 😉 discussing the issues, I’ve found out the whole issues are caused by a missing php curl module

My current PHP installation is installed from the port tree on FreeBSD 7.2. Thus in order to include support for php curl it was necessery to install the port /usr/ports/ftp/php5-curl :

freebsd# cd /usr/ports/ftp/php5-curl
freebsd# make install clean

(note that I’m using the php5 port and it’s surrounding modules).

Fixing the Call to undefined function: curl_init() on Linux hosts I suppose should follow the same logic, e.g. one will have to install php5-curl to resolve the issue.
Fixing the missing curl_init() function support on Debian for example will be as easy as using apt to install the php5-curl package, like so:

debian:~# apt-get install php5-curl
...

Now my tweet-old-post curl requirement is matched and the error is gone, hooray 😉