Posts Tagged ‘virus’

Set up Modsecurity on Debian 7 GNU / Linux to mitigate websites virus infections / Cross Site Scripting and SQL Injects

Friday, September 6th, 2013


There are plenty of tutorials around on how to install and configure modsecurity, so this tutorial is nothing new, but I decided to write it since I had to install mod_security on Debian Wheezy to protect the websites on a Debian Linux server from being periodically infected with viruses / XSS / backdoored JavaScripts and trojan horses.

Everyone who has used the Debian stable distribution knows the packages included in it are usually about 2 years older than the latest available. The situation with the latest Debian stable, Wheezy, is the same, but anyway, even a bit outdated, my experience so far is that mod_security does a great job of protecting Apache sites …

1. Install libapache-mod-security and other libraries (not obligatory, but useful on most Apache + PHP servers)

Run the commands below to add XML support and the rest of the useful Apache stuff:


apt-get install libxml2 libxml2-dev libxml2-utils
apt-get install libaprutil1 libaprutil1-dev

Above commands will install a bunch of other dependency packages.

Next install the mod-security deb. Run the command below to install and activate modsecurity. Note that installing libapache-mod-security will also automatically restart the Apache server.
 

apt-get install libapache-mod-security

Next, to enable all functionality of modsecurity, the Apache headers module is required as well; activate it with:

 
a2enmod headers
service apache2 restart

2. Make sure the mod_security Apache config looks like this:

 

<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        Include "/etc/modsecurity/*.conf"
</IfModule>

The important part of this conf is the Include "/etc/modsecurity/*.conf" line: the /etc/modsecurity directory is the main place to set up and configure modsecurity. This configuration file, combined with mod-security.load, does everything necessary to load modsecurity into the Apache server.

3. Enable and load modsecurity's default configuration rules:

So far modsecurity is loaded into the Apache server, but it isn't stopping any attempts by hack scripts / viruses / automated tools to exploit vulnerabilities in web applications. To make modsecurity start filtering requests, you should activate the modsecurity-specific configuration and load some regular expression rules.
First, enable the "recommended" modsecurity configuration file:
 

Code:
cd /etc/modsecurity
mv modsecurity.conf-recommended modsecurity.conf

The default configuration from the recommended conf enables modsecurity in an "examine only" mode. In order to make full use of the module, we have to make a few changes. With your favorite text editor open modsecurity.conf (mine is vim) and make the following change:

Code:
SecRuleEngine On

This makes modsecurity block requests based on its (pre-written) developer rules. Other settings in this file that are useful to know about are the debug controls, very useful when you have to debug problems with sites not opening properly because of mod_security being enabled on the server.
 

Code:
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3

This controls how much information is stored in modsecurity's audit log, which also keeps track of attacks launched against the server. The default debug level of 3 is pretty verbose and stores "everything". This is dangerous, as huge logs are produced on busy servers.
 

Code:
SecAuditLogParts ABIJDEFHZ

4. Enable extra modsecurity prevention rules

Modsecurity works by using rules with pre-defined patterns to recognize when your website(s) are being probed or attacked. Once the modsecurity base package is installed, the modsecurity-crs package is installed as a dependency. modsecurity-crs contains the additional free Core Rule Set. The current Core Rules from modsecurity.org are newer than the version included with Wheezy, thus the rules lag a bit behind, but this is the only option when using the default Debian bundled package; otherwise a manual modsecurity recompile is required. We all know how bad it is to custom compile software on production machines, so custom compile experiments are a really bad idea.

The CRS (Core Rule Set) is installed in /usr/share/modsecurity-crs. This directory contains an "activated_rules" directory, which is also present in /etc/modsecurity.

The quickest way to activate rules is by symlinking the actual config and rule files into the /etc/modsecurity config directory.

We'll be making links from the /usr/share/modsecurity-crs location into /etc/modsecurity to activate some other useful modsec rules. First link the main CRS config file:
 

ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/modsecurity_crs_10_setup.conf

This file provides some basic configuration directives for the CRS.

Further on, link each rule file in the base_rules and optional_rules directories using 2 tiny bash loops.
 

 
cd /usr/share/modsecurity-crs/base_rules
for f in * ; do sudo ln -s /usr/share/modsecurity-crs/base_rules/$f /etc/modsecurity/$f ; done
cd /usr/share/modsecurity-crs/optional_rules
for f in * ; do sudo ln -s /usr/share/modsecurity-crs/optional_rules/$f /etc/modsecurity/$f ; done

With that done, there's one more edit to make so we can check that modsecurity blocking works as expected. Open the /etc/modsecurity/modsecurity.conf file and add the following lines at the end (this is from the free modsecurity PDF book, link provided below):
 

 
SecRule ARGS "MY_UNIQUE_TEST_STRING" \
  "phase:1,log,deny,status:503"

Finally, after all configuration rules are loaded into modsec, the usual Apache restart is required:

 
/etc/init.d/apache2 restart

If no fatal errors pop up and Apache starts normally, modsecurity should now be running properly.

5. Verify if modsecurity is set-up and kicking ass

To verify the installation, open a browser and access one of the hosted websites like this:
http://www.your-server-domain.com/?test=MY_UNIQUE_TEST_STRING

A sure sign that modsec works is a 503 "Service Temporarily Unavailable" message from Apache. Alternatively, examine the server's modsec audit log file (default location /var/log/apache2/modsec_audit.log) and grep for the string MY_UNIQUE_TEST_STRING. You should see a full transcript of the communication between your browser and the server logged. Depending on the amount of traffic the site gets, make sure to monitor the size of the file for some minutes so that it doesn't grow too big and quickly fill up your HDD.
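As an added example (not code from the original post), here is a small POSIX shell script that automates the checks from steps 3 to 5: it reads the effective SecRuleEngine value out of modsecurity.conf and walks the audit log to count, per client IP, the transactions the MY_UNIQUE_TEST_STRING rule denied with 503. The sample conf and audit log it writes are constructed; point engine_mode and blocked_clients at the real /etc/modsecurity/modsecurity.conf and /var/log/apache2/modsec_audit.log to check a live server.

```shell
#!/bin/sh
# Added example, not code from the original post: after steps 3-5 it checks
# that SecRuleEngine is really "On" (the recommended conf ships DetectionOnly)
# and summarises, per client IP, the transactions the MY_UNIQUE_TEST_STRING
# rule denied with 503, read from the serial-format audit log the Debian
# package writes. The files written by write_samples are constructed.

# Effective SecRuleEngine value from a modsecurity.conf: the last active
# directive wins and commented-out lines ("#SecRuleEngine") are ignored.
engine_mode() {
    awk 'sub(/^[ \t]*SecRuleEngine[ \t]+/, "") { mode = $1 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# One pass over the audit log: the A section header carries the client IP
# as its 4th field, the H section carries the "Access denied" message when
# a rule intercepted the request, and Z closes the transaction.
blocked_clients() {
    awk '
        /^--[0-9A-Za-z]+-A--$/ { sect = "A"; ip = ""; denied = 0; next }
        /^--[0-9A-Za-z]+-H--$/ { sect = "H"; next }
        /^--[0-9A-Za-z]+-Z--$/ { if (denied && ip != "") hits[ip]++; sect = ""; next }
        /^--[0-9A-Za-z]+-[A-Z]--$/ { sect = "other"; next }
        sect == "A" && ip == "" { ip = $4 }
        sect == "H" && /Access denied with code 503/ { denied = 1 }
        END { for (c in hits) print c, hits[c] }' "$1" | LC_ALL=C sort
}

# Constructed sample conf and audit log (three transactions, two denied).
write_samples() {   # usage: write_samples DIR
    cat >"$1/modsecurity.conf" <<'EOF'
#SecRuleEngine DetectionOnly
SecRuleEngine On
SecAuditLogParts ABIJDEFHZ
EOF
    cat >"$1/modsec_audit.log" <<'EOF'
--7b5e3d1a-A--
[06/Sep/2013:10:01:12 +0200] UifwH38AAQEAAAHqAOQAAAAA 192.0.2.10 54321 203.0.113.5 80
--7b5e3d1a-B--
GET /?test=MY_UNIQUE_TEST_STRING HTTP/1.1
--7b5e3d1a-H--
Message: Access denied with code 503 (phase 1). Pattern match "MY_UNIQUE_TEST_STRING" at ARGS:test.
--7b5e3d1a-Z--
--7b5e3d1b-A--
[06/Sep/2013:10:02:40 +0200] UifwKX8AAQEAAAHrAOUAAAAB 203.0.113.77 40212 203.0.113.5 80
--7b5e3d1b-B--
GET /index.php HTTP/1.1
--7b5e3d1b-H--
Stopwatch: 1378454560123456 2210 (- - -)
--7b5e3d1b-Z--
--7b5e3d1c-A--
[06/Sep/2013:10:03:05 +0200] UifwQn8AAQEAAAHsAOYAAAAC 198.51.100.7 51023 203.0.113.5 80
--7b5e3d1c-B--
GET /?q=MY_UNIQUE_TEST_STRING HTTP/1.1
--7b5e3d1c-H--
Message: Access denied with code 503 (phase 1). Pattern match "MY_UNIQUE_TEST_STRING" at ARGS:q.
--7b5e3d1c-Z--
EOF
}

main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "SecRuleEngine: $(engine_mode "$dir/modsecurity.conf")"
    echo "clients denied with 503 (ip count):"
    blocked_clients "$dir/modsec_audit.log"
    rm -rf "$dir"
}
main
```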

Well, now all is fine; your Apache server's security is better for sure and by God's grace you should not have to deal with hundreds of hours of site recovery after a bunch of clients' websites are hacked.

Feedback and comments are mostly welcome. Enjoy 😉

Fixing picture non display in Windows Explorer Thumbnails preview

Tuesday, July 2nd, 2013

I've been called to one of the secretary PCs running Windows 7 with a complaint that pictures are no longer visible in the Thumbnail preview.
The problem is pretty trivial, but with today's virus boom my first logical reaction was that it is caused by some virus or spyware. After scanning the PC thoroughly and finding nothing suspicious in msconfig, I remembered to check the Windows Explorer Folder Options and this was it. The problem can be fixed by tuning the Windows Explorer Folder Options settings. By default the Folder Options menu is not visible in Windows 7, so to display the menu I first had to press Alt+F.

After pressing Alt+F navigate to:

Tools -> Folder Options -> View (tab) -> Untick (Always show icons, never thumbnails)

[Screenshot: Windows Explorer Folder Options, View tab, "Always show icons, never thumbnails" ticked]

[Screenshot: Windows Explorer Folder Options, View tab, "Always show icons, never thumbnails" unticked, which solves the thumbnail preview problem]

That's all. Apply the new settings and it's resolved; pictures will be visible in Explorer and on the Desktop again 🙂

 

A sysctl Linux variable to temporarily and randomly change the PC MAC address for IPv6 and increase anonymity on IPv6 networks

Tuesday, September 20th, 2011

To prevent tracking and increase anonymity on IPv6 networks, the Linux kernel has a variable to randomly change the MAC identifier. This feature will be very useful in terms of security in the near future, when all the IPv4 addresses are used up. The UIE (Extended Unified Identifier) of an IPv6 address can be changed with the command:

sysctl -w net.ipv6.conf.all.use_tempaddr=2

Microsoft Windows Vista and Windows 7 have the UIE enabled by default. Enabling the random MAC changes automatically for a host can be done as usual by adding net.ipv6.conf.all.use_tempaddr=2 to /etc/sysctl.conf.

On an IPv6 network, every ifconfig eth0 down and ifconfig eth0 up will instruct the LAN card to use a different MAC address for the IPv6 IP on the interface.
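As an added example (not from the original post or the magazine article), the script below shows what the temporary addresses hide: it derives the EUI-64 interface identifier that SLAAC builds from a MAC address, tests whether a given IPv6 address still embeds that MAC, and lists the interfaces whose use_tempaddr is below 2. The MAC and addresses in main are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: shows what use_tempaddr
# protects against by deriving the EUI-64 interface identifier that SLAAC
# builds from a MAC (flip the universal/local bit of the first octet and
# insert ff:fe in the middle), checking whether an IPv6 address still
# embeds that MAC, and listing interfaces where temporary addresses are not
# preferred. The MACs and addresses used in main are constructed.

# EUI-64 identifier of a MAC as four hex groups without leading zeros,
# e.g. 00:1b:21:3c:4d:5e -> 21b:21ff:fe3c:4d5e
eui64_from_mac() {   # usage: eui64_from_mac MAC
    IFS=: read -r o1 o2 o3 o4 o5 o6 <<EOF
$1
EOF
    printf '%x:%x:%x:%x\n' $(( (0x$o1 ^ 2) * 256 + 0x$o2 )) \
        $(( 0x$o3 * 256 + 0xff )) $(( 0xfe * 256 + 0x$o4 )) \
        $(( 0x$o5 * 256 + 0x$o6 ))
}

# Last four groups of an IPv6 address with leading zeros stripped. A "::"
# in the prefix half is fine; an EUI-64 identifier never contains a run of
# zero groups that "::" could swallow, because its middle groups end in
# ff and start with fe.
iid_of_addr() {   # usage: iid_of_addr IPV6ADDR
    echo "$1" | awk -F: '{ for (i = NF - 3; i <= NF; i++) {
        sub(/^0+/, "", $i)
        printf "%s%s", ($i == "" ? "0" : $i), (i < NF ? ":" : "\n") } }'
}

# "yes" when the MAC can be read straight out of the address (the tracking
# problem temporary addresses avoid), "no" otherwise.
addr_embeds_mac() {   # usage: addr_embeds_mac IPV6ADDR MAC
    [ "$(iid_of_addr "$1")" = "$(eui64_from_mac "$2")" ] && echo yes || echo no
}

# Interfaces whose use_tempaddr is below 2 (temporary addresses disabled
# or not preferred), printed as "iface value". DIR is normally
# /proc/sys/net/ipv6/conf; pass a copy to try it on constructed data.
tempaddr_not_preferred() {   # usage: tempaddr_not_preferred DIR
    for f in "$1"/*/use_tempaddr; do
        [ -r "$f" ] || continue
        v=$(cat "$f")
        if [ "$v" -lt 2 ]; then echo "$(basename "$(dirname "$f")") $v"; fi
    done | LC_ALL=C sort
}

main() {
    mac=00:1b:21:3c:4d:5e   # constructed MAC
    echo "EUI-64 of $mac: $(eui64_from_mac "$mac")"
    for a in fe80::21b:21ff:fe3c:4d5e 2001:db8::a1b2:c3d4:e5f6:7890; do
        echo "$a embeds the MAC: $(addr_embeds_mac "$a" "$mac")"
    done
    echo "interfaces not preferring temporary addresses:"
    tempaddr_not_preferred /proc/sys/net/ipv6/conf
}
main
```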

Changing the UIE randomly, however, also has security downsides if the host gets infected with a virus or worm. The security downsides of the enabled UIE affect mainly Windows hosts on IPv6 networks, as the UIE variable is enabled by default there. I found this great tip in an article in the latest Linux Magazine, October 2011. It's the first time I've seen a paper Linux Magazine; the magazine contains a lot of helpful info on the latest Linux developments and the latest trends in the Linux world. A subscription to receive the magazine via normal post costs 6.65 EUR per month (80 EUR yearly). The 80 euro yearly includes 12 CDs (each magazine is bundled with a newly launched version of a Linux distribution).
There is also a cheaper subscription for the magazine which costs 64.90 EUR.

Scanning shared hosting servers to catch abusers, unwanted files, phishers, spammers and script kiddies with clamav

Friday, August 12th, 2011


I’m responsible for some GNU/Linux servers which are shared hosting and therefore contain plenty of user accounts.
Every now and then our company servers get suspended because of phishing websites, spammers, script kiddies and all the kinds of abusers one can think of.

To mitigate the impact of the activities of the unwanted users existing on the server, I decided to use the ClamAV antivirus, an open source virus scanner, to look for potentially dangerous files: stored viruses, spammer mailer scripts, kernel exploits etc.

The hosting servers are running the latest CentOS 5.5 Linux, and fortunately CentOS is equipped with an RPM pre-packaged latest ClamAV release, which at the time of writing is ver. 0.97.2.

Installing Clamav on CentOS is a piece of cake and it comes to issuing:

[root@centos:/root]# yum -y install clamav
...

After the install is completed, I used freshclam to update the ClamAV virus definitions:

[root@centos:/root]# freshclam
ClamAV update process started at Fri Aug 12 13:19:32 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
WARNING: getfile: daily-13357.cdiff not found on remote server (IP: 81.91.100.173)
WARNING: getpatch: Can't download daily-13357.cdiff from db.gb.clamav.net
WARNING: getfile: daily-13357.cdiff not found on remote server (IP: 163.1.3.8)
WARNING: getpatch: Can't download daily-13357.cdiff from db.gb.clamav.net
WARNING: getfile: daily-13357.cdiff not found on remote server (IP: 193.1.193.64)
WARNING: getpatch: Can't download daily-13357.cdiff from db.gb.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 13431, sigs: 173670, f-level: 60, builder: arnaud)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 144, sigs: 41, f-level: 60, builder: edwin)
Database updated (1019925 signatures) from db.gb.clamav.net (IP: 217.135.32.99)

In my case the shared hosting websites and FTP user files are stored in the /home directory, thus I further used clamscan in the following way to check, report and log to a file the scan results for our company-hosted user content:

[root@centos:/root]# screen clamscan -r -i --heuristic-scan-precedence=yes --phishing-scan-urls=yes --phishing-cloak=yes --phishing-ssl=yes --scan-archive=no /home/ -l /var/log/clamscan.log
/home/user1/mail/new/1313103706.H805502P12513.hosting,S=14295: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user1/mail/new/1313111001.H714629P29084.hosting,S=14260: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user1/mail/new/1305115464.H192447P14802.hosting,S=22663: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user1/mail/new/1311076363.H967421P17372.hosting,S=13114: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user1/mail/domain.com/infos/cur/859.hosting,S=8283:2,S: Heuristics.Phishing.Email.SSL-Spoof FOUND
/home/user1/mail/domain.com/infos/cur/131.hosting,S=6935:2,S: Heuristics.Phishing.Email.SSL-Spoof FOUND

I prefer running clamscan in a screen session because it’s handier: if for example my ssh connection dies, the screen session will preserve the running clamscan command and I can attach later on to see how the scan went.

clamscan is of course slower, as it does not use the ClamAV antivirus daemon clamd; however I prefer running it without the daemon, as having a permanently running clamd on the servers sometimes creates problems or hangs, and it’s not really worth having it running since I intend to do a clamscan no more than once per month to find potential users who might need to be suspended.

Also, after it finishes, all possible problems are logged to /var/log/clamscan.log, so I can read the report file any time.

A good idea might also be to run the above clamscan once per month via a cron job, though I’m still in doubt whether it’s better to run it manually once per month to search for malicious user content or to run it on a cron schedule.

One possible pitfall with automating the above clamscan /home virus check might be the increased load it puts on the system. In some cases the webserver and SQL server might be under heavy load at exactly the same time the clamscan cron job is running; this might create severe issues for users’ websites if it’s not monitored.
Thus I would probably go with running the above clamscan manually each month and monitoring the server performance.
However, for people who have “iron” system hardware, where a clamscan file scan is less likely to cause any issues, a cronjob would probably be fine. Here is a sample cron job to run clamscan:

10 05 01 * * clamscan -r -i --heuristic-scan-precedence=yes --phishing-scan-urls=yes --phishing-cloak=yes --phishing-ssl=yes --scan-archive=no /home/ -l /var/log/clamscan.log >/dev/null 2>&1

I’m interested to hear if somebody is already using clamscan on cron without issues; once I’m sure that running it on cron would not lead to server downtime, I’ll implement it via a cron job.

Anyone having experience with running clamscan directory scan through crond? 🙂
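As an added example (not the author's script), here is a wrapper for the clamscan command above that handles the load concern raised in the post: it skips the run when the 1-minute load average is above a threshold, runs the scan under nice, and summarises the FOUND lines in /var/log/clamscan.log per account. The threshold of 4 and the sample log lines are constructed; the summary function can be pointed at the real log as-is.

```shell
#!/bin/sh
# Added example, not code from the original post: a cron-friendly wrapper
# around the clamscan command above that addresses the load concern (skip
# the run when the 1-minute load average is already high, run the scan at
# the lowest CPU priority with nice), plus a per-account summary of the
# FOUND lines in /var/log/clamscan.log so the accounts to look at stand out.
# The load threshold and the sample log lines in main are constructed.

# "ok" when the 1-minute load average in a /proc/loadavg-style file is
# below MAXLOAD, "busy" otherwise (awk does the decimal comparison).
load_state() {   # usage: load_state MAXLOAD [LOADAVG_FILE]
    awk -v max="$1" '{ s = ($1 < max) ? "ok" : "busy"; print s }' "${2:-/proc/loadavg}"
}

# Count FOUND hits per /home account and signature, printed as
# "user signature count". Summary lines ("Infected files: 4") are skipped
# because they do not start with /home/.
findings_per_user() {   # usage: findings_per_user LOGFILE
    awk '$NF == "FOUND" && index($0, "/home/") == 1 {
             split($0, p, "/"); n[p[3] " " $(NF - 1)]++ }
         END { for (k in n) print k, n[k] }' "$1" | LC_ALL=C sort
}

# The scan exactly as in the post, at the lowest CPU priority; meant to be
# called from cron, e.g.  10 05 01 * * /path/to/this.sh scan
monthly_scan() {   # usage: monthly_scan MAXLOAD
    if [ "$(load_state "$1")" = "busy" ]; then
        echo "load above $1, skipping clamscan this run" >&2
        return 0
    fi
    nice -n 19 clamscan -r -i --heuristic-scan-precedence=yes \
        --phishing-scan-urls=yes --phishing-cloak=yes --phishing-ssl=yes \
        --scan-archive=no /home/ -l /var/log/clamscan.log >/dev/null 2>&1
}

# Constructed log lines in the format clamscan -l writes.
write_sample_log() {   # usage: write_sample_log FILE
    cat >"$1" <<'EOF'
/home/user1/mail/new/1313103706.H805502P12513.hosting,S=14295: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user1/mail/new/1313111001.H714629P29084.hosting,S=14260: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user1/mail/domain.com/infos/cur/859.hosting,S=8283:2,S: Heuristics.Phishing.Email.SSL-Spoof FOUND
/home/user2/public_html/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
EOF
}

main() {
    case "$1" in
        scan) monthly_scan 4 ;;   # 4 is a constructed threshold; tune per box
        *)  d=$(mktemp -d)
            printf '0.52 0.40 0.35 1/123 4567\n' >"$d/loadavg"
            write_sample_log "$d/clamscan.log"
            echo "load: $(load_state 4 "$d/loadavg")"
            echo "findings per account (user signature count):"
            findings_per_user "$d/clamscan.log"
            rm -rf "$d" ;;
    esac
}
main "$@"
```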

Fix Virtumonde.dll Virus on Windows Vista

Wednesday, February 10th, 2010

A friend of mine brought his computer home because his machine needed a repair. After installing Spybot S&D and checking the machine for spyware, the program found like 26 spyware / adware infections. After fixing them, I decided to run the program once again just to assure myself that the infections had been properly removed. After scanning his hard drive a second time with Spybot S&D, just one infection was found, though I have to admit a really tough one! The questionable spyware found was called virtumonde.dll. I followed instructions from fixvirtumondedll.com to remove the cursed spyware.

There are basically two major alternatives for removing virtumonde.dll in a quick way.

1. Buy or find cracked version of Spyware Doctor
2. Or use SuperAntiSpyware

I decided to use SuperAntiSpyware, because it’s freeware. After installing it and running a test on the Windows Vista system, happily it found and removed a dozen malicious spyware items. However, I decided to check the system afterwards with Spyware Doctor, because I wanted to be certain that all the spyware on the system was removed. Once again checking the Fujitsu Siemens notebook with Spyware Doctor, it reported that some 40 more pieces of spyware had been left undetected by SuperAntiSpyware. After removing the security threats lastly with Spyware Doctor, now the system is perfectly clean.

Pravetz and Puldin – The first serial produced 8 / 16 bit Bulgarian Computers – Retro Computing in Bulgaria

Sunday, March 16th, 2008

[Image: pravetz-16-cm-5508-bulgarian-16-bit-computer]
A friend of mine gave me an interesting link about Pravetz, computer systems which were an absolute hit here in Bulgaria; they were produced here and we should be proud we had our own Bulgarian computers. Here is the link: Pravetz! 🙂

[Image: pravetz-16-bulgarian-computer-peripherals-and-hardware-pictures]
Pravetz was a copy of the Apple ][ (Pravetz 8A, 8C, 8M), Oric (Pravetz 8D) and IBM-PC (Pravetz 16, also known as XT).
Pravetz was named after the town of Pravetz, which is the birthplace of the ex-Bulgarian communist party leader and President of Socialist Bulgaria Todor Jivkov. Pravetz had huge production quantities, as about 200 000 were exported to countries from the Soviet bloc. People of my generation, about 30, have grown up with Pravetz, and many of today's IT specialists in Bulgaria learned computer basics on an 8 or 16 bit Pravetz machine. Its compatibility with DOS made it a great game-station PC. Owning a Pravetz PC in communist times was considered a sign of elitism, as only police stations and the highest authorities or people close to party leaders had one of those; even in 1995 still owning a Pravetz PC was considered an extraordinary thing.

Pravetz 16 was part of the MIK-16 family of computers, which included:
– Pravetz 16 (the one in the picture, 4.77 MHz)
– Pravetz 16A (1x floppy, 1x 5 MB HDD)
– Pravetz 16H (improved one, 8 MHz, 1 or 2 half-size floppies + 1x 20 MB half-size HDD)
– Pravetz-286

The first version of Pravetz 16 had a built-in BASIC on a ROM chip, which loaded if no OS was present. The 16A did not have a built-in BASIC.
The 20 megabyte HDD was a revolution; for almost 4 years the HDD never showed any errors. There was a built-in CGA (Color Graphics Adapter) controller, and it had a 16-color display (or a monochrome black and green display, depending on the model). This machine was excellent for DOS programming, and was used till the middle of the 90’s, mostly in government facilities.

The following software was available for Pravetz:

- programming languages (BASIC-16, PASCAL, Cobol, Ada);
- dBASE systems (Micro-PC-2);
- text editors (Text-16, MicroTEXT-16, DOKS-2);
- electronic schedules (Superplan-16, MicroPLAN/16);
- information-searching systems (INFOS);
- administration automation (MIS);
- integrated products (MULTIPACK);
- machine graphics;
- CAD (GraphCAD, PLOT-1);
- communication utilities;
- learning & enjoyment programs;
- specialised products.

Many people were installing MS-DOS 5.0 or 7.0 or DR-DOS and using the PC with DOS programs, most of which, being compatible with the XT, were working just fine. My own monitor was monochrome and had problems with displaying some color gamuts, and thus in games some of the colors were not displayed. However, owning a Pravetz was an amazing thing at that time; it was a mania and a building block of a whole PC-geek generation that emerged from the Pravetz culture.

At that time, in the distant 1988, when Bulgaria was still a highly industrialized country, in Plovdiv we were producing another made-in-Bulgaria computer called Puldin (Puldin is the ancient name of the city of Plovdiv, Bulgaria).
What was unique about Puldin was that it was a computer completely built from scratch with its own hardware and software architecture.

Puldin was produced in 4 modifications, 601-A/U/M/T; the RAM memory was 64KB, the ROM was from 4KB up to 68KB depending on the model, the video output could be connected to a normal TV, and there was a LAN card, a Centronics printer output, cassette input, RS232, floppy disk, etc.

[Image: puldin-unique-made-in-bulgaria-computer-software-and-hardware-pc-architecture]

As you can see in the above screenshot, the keyboard was slightly different from the Pravetz one; it gives an impression of unique design (Apple Mac styled) 🙂
Though the keyboard looks nice, it was terrible to use: there was no tactile click feedback, so you basically didn't know if you had pressed the key. Fortunately later models had a connector for an external IBM-PC keyboard with real keys, which made the work easier. The computer was already inefficient, as in 1988 there were already a lot of computers on the market, including the IBM-PC with a 16 bit processor running at the remarkable 4.77 MHz.
The Puldin processor was a Motorola 6800 copy named CM601, at that time produced in Botevgrad. It was running UniDOS, which was basically a made-from-scratch MS-DOS alternative.
The computer was equipped with an assembler, BASIC, Pascal, an editor, diagnostic tools, even a dBase equivalent. Puldin was produced in small volume, ~30 000 – 50 000 computers, mainly shipped to Russia, as Russia was the main market for Bulgarian products at that time. Software developed on Puldin could be moved to the IBM-PC by using Pascal P-code, and this was highly revolutionary, as it had capabilities similar to Java long before Java existed.
The computer was developed by 6 developers who were students at that time, and they made it as enthusiasts without taking a penny for it. One of the software developers who worked on Puldin was also the author of Eagle DOS for the Apple ][ (Pravetz 82) and UniDOS for Puldin, and now has his own company selling computers: http://eagle.bg.
The guy who wrote the assembler, BIOS and BASIC ROM for Puldin, Todor Todorov, became more famous for his virus works than for what he did for Puldin: the now mythological Dark Avenger.
 

The week

Tuesday, January 8th, 2008

After 10 minutes I’ll have Deutsch lessons. Anyways, I’ve caught some winter virus :) I’m having snots, coughing and stuff. On Sunday I was at a Liturgy in the Church as usual. Yesterday was a quiet and peaceful day. Static came home and we installed Windows. Now I have Windows, Linux, FreeBSD on one machine. I’m surprised how well Windows is working. I’m eating a lot of garlic recently to stimulate my immune system. Yesterday I played some Warcraft III. Having Windows now gives me the opportunity to play some games which weren’t working in wine. Well that’s most of how my day passed. I went to see my grandma and she made me tea as always (her tea is awesome!). :)