tmp Archives - Page 2 of 2 - ☩ Walking in Light with Christ - Faith, Computing, Diary ☩ Walking in Light with Christ

Posts Tagged ‘tmp’

Where does Debian GNU / Linux Apache + PHP stores session files?

Tuesday, November 22nd, 2011

In order to debug some PHP session problems on Debian, I needed to check the count of existing session files.
When PHP is compiled from source usually, by default sessions are stored in /tmp directory, however this is not the case on Debian.

Debian’s PHP session directory is different, there the sessions are stored in the directory:

/var/lib/php5

I’ve discovered the session directory location by reading Debian’s cron shell script, which delete session files on every 30 minutes.

Here is the file content:

debian~# cat /etc/cron.d/php5 # /etc/cron.d/php5: crontab fragment for php5 # This purges session files older than X, where X is defined in seconds # as the largest value of session.gc_maxlifetime from all your php.ini # files, or 24 minutes if not defined. See /usr/lib/php5/maxlifetime

# Look for and purge old sessions every 30 minutes
09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] &&
[ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete

To check the amount of existing PHP opened session files:

debian:~# ls -1 /var/lib/php5|wc -l 14049

Tags: amount, amp, apache, cat, check, count, cron, crontab, Debian, debian gnu, DEBUG, directory location, file, fragment, gnu linux, ini files, lib, Linux, linux apache, location, maxlifetime, order, php session, purges, root, session directory, session files, sessions, Shell, shell script, tmp, type, usr, value, var
Posted in Linux, System Administration, Various | No Comments »

How to copy CD or DVD on GNU/Linux and FreeBSD using console or terminal

Monday, November 14th, 2011

CD Burning Console Terminal Linux / FreeBSD picture

These days more and more people start to forget the g* / Linux old times when we used to copy CDs from console using dd in conjunction with mkisofs .

Therefore to bring some good memories back of the glorious console times I decided to come up with this little post.

To copy a CD or DVD the first thing one should do is to make an image copy of the present inserted CD into the CD-drive with dd :

1. Make copy of the CD/DVD image using dd

# dd if=/dev/cdrom of=/tmp/mycd.iso bs=2048 conv=notrunc

/dev/cdrom is the location of the cdrom device, on many Linuces including (Debian) /dev/cdrom is just a link to the /dev/ which corresponds to the CD drive. Note on FreeBSD the location for the CD Drive is /dev/acd0
/tmp/mycd.iso instructs dd CD image creation to be placed in /tmp/ directory.
bs argument instructs it about the byte size portions by which the content of the CD-Drive inserted CD will be read. bs value of 2048 is actually only 2KB per dd read, increasing this value will decrease the time required for the CD image to be extracted.

2. Prepare CD image file to be ready for burning

After dd completes the image copy operation, next to prepare the extracted image / ISO to be ready for burning mkisofs is used:

# mkisofs -J -L -r -V TITLE -o /tmp/imagefile.iso /tmp/mycd.iso

The -J option makes the CD compatible for Pcs running Microsoft Windows. The -V TITLE option should be changed to whatever title the new CD should have, -r will add up status bar for the mkisofs operation.
-r is passed to create specific file permissions on the newly created CD, -o specifies the location where mkisofs will produce its file based on the CD image /tmp/mycd.iso .

3. Burning the mkisofs image file to a CD/DVD on GNU / Linux

linux:~# cdrecord -scanbus linux:~# cdrecord dev=1,0,0 /tmp/imagefile.iso

If all wents okay with cdrecord operation, after a while the CD should be ready.

4. Burning the mkisofs image file to CD on FreeBSD

freebsd# burncd -f /dev/acd0 data /tmp/imagefile.iso fixate

Tags: argument, byte, byte size, cd image, CD-drive, cdrom, conv, copy, dd cd, drive, file, file permissions, freeb, gnu linux, Image, image copy, image creation, image file, image iso, imagefile, ISO, isoIf, linux cdrecord, linux linux, location, Microsoft, mkisofs, mycd, new cd, notrunc, operation, option, size, size portions, status, terminal, time, title option, tmp, value
Posted in Linux, Linux and FreeBSD Desktop, System Administration, Various | 1 Comment »

rkhunter, chkrootkit and unhide three Linux handy tools to find out if a Linux server is compromised

Wednesday, August 17th, 2011

Check Linux server for rootkit using rkhunter, chrkootkit unhide

I’ve been hired, just recently by a company to make them a quick security audit analysis as they complain of having severe Denial of Service problems against an online e-store.

As a mean of securing the local network of the company, the old Linux server had to be replaced with a freshly installed one, which I had to configure to run smooth firewall and create DMZ zone.
The company System Administrator has installed Debian Linux and brought up sshd to allow me to futher take the lead and secure the server
After few hours, I’ve noticed unusual activities. For example processes like:

./a 207 as well as processes like ./ssh 212

debian:~# ps axu|grep -i ./ssh|wc -l 216

On the server and after checking in /etc/shadow I found that users like admin, test had a password string assigned , interestingly even system users like postgresql and man was enabled and ready for login and had a password hash assigned in /etc/shadow

I’ve seen the ./ssh shit before and I know pretty well this is a famous romanian script kiddies tools which circulates in the wild for at least 5 years already.

A quick look up in the usual places, where script kiddies store their files, like: /var/tmp, /tmp, /proc, /sys and /var/run has helped me find the ssh brute forcer the kiddie has issues on the machine in my case it was located in /var/run/2012 inside I found of course the usual sk bad stuff:

root@debian:/var/run/2012# ls1 3 5 a data.conf find internet.txt pass_file screen ssh stricat.txt vuln.txt 2 4 64.37.find.22 atack derbedeu.txt full mfu.txt ronet13.txt ss start tefac.txt x

As well as an archive in /var/run/2012.tgz which was obviously quickly extracted and the brute force ssh tool was started to lookup for some more targets.

As I like keeping script kiddie stuff to expose and share with people, to help them get a better understanding what they can expect on their servers I made a copy of the 2012.tgz brute forcer tool, download the romanian ssh brute forcer shit is here if somebody wants to take a look, though I suggest to be very careful with it as some files might contain rootkits and other unwanted tool.
If someone wants to give it a try be sure not to launch it as root.

Anyways, after finding the abuser I quickly removed all the active users, which were not supposed to be existent on the newly installed system from /etc/shadow changed the server root password, give a reinstall the openssh-server and openssh-client (as I was not if they had not been substituted with some rootkited version), e.g.:

debian:~# apt-get install --reinstall openssh-client openssh-server

Consequentially I killed all the active ./ssh and ./a processes to assure the script kiddie ssh brute forcer is no longer running on the server as well killed all connections to the ssh server manually with kill cmd to the unknown IPs.

Finally to make sure, the server is not rootkited or not backdoored I run some tests with chkrootkit, rkhunter and unhide :

On Debian the 3 tools are available as packages, so this saved me time and I proceeded installing like so:

debian:~# apt-get install rkhunter unhide chkrootkit ...

In few seconds the tools were installed so I used them to check if the server is irreversably damaged or root kitted by the kiddie.

1. unhide

First I used unhide to make sure there are no hidden backdoor processes listening on the server:

for i in $(echo proc sys brute); do unhide $i; done Unhide 20100201 http://www.security-projects.com/?Unhide [*]Searching for Hidden processes through /proc scanning Unhide 20100201 http://www.security-projects.com/?Unhide [*]Searching for Hidden processes through kill(..,0) scanning [*]Searching for Hidden processes through comparison of results of system calls [*]Searching for Hidden processes through getpriority() scanning [*]Searching for Hidden processes through getpgid() scanning [*]Searching for Hidden processes through getsid() scanning [*]Searching for Hidden processes through sched_getaffinity() scanning [*]Searching for Hidden processes through sched_getparam() scanning [*]Searching for Hidden processes through sched_getscheduler() scanning [*]Searching for Hidden processes through sched_rr_get_interval() scanning [*]Searching for Hidden processes through sysinfo() scanning HIDDEN Processes Found: 1 Unhide 20100201 http://www.security-projects.com/?Unhide [*]Starting scanning using brute force against PIDS with fork() [*]Starting scanning using brute force against PIDS with Threads

The above command checks with unhide in /proc and /sys for hidden processes as well as next uses brute option to try to brute force all PIDs on the server attempting to locate listening backdoors processes.

There are 2 more unhide binaries that can be used to check for hidden backdoors, unhide-posix and unhide-tcp

For some reason unhide-posix sys detected the /usr/sbin/rsyslogd -c4 process as some kind of hidden process, which is most probably a false positive, though I can’t be one hundred sure until I try to scan completely the server remotely after mounting the filesystem via ssh and scan it with clamav chkrootkit and rkhunter and even maybe with drweb .

I assume the HIDDEN Processes Found: 1 bells the alarm, however even though I did profound look up on the server with lsof, netstat and fuser cmds I cannot find nothing suspicious any more.

2. chkrootkit scan

Next I used chkrootkit to check if some common rootkit is not installed on the server:

debian:~# chkrootkit ROOTDIR is `/' Checking `amd'... not found Checking `basename'... not infected Checking `biff'... not found Checking `chfn'... not infected Checking `chsh'... not infected Checking `cron'... not infected Checking `crontab'... not infected Checking `date'... not infected ...

The chkrootkit output displayed thanksfully failed to detect that the system is rootkitted.

3. rkhunter

Finally, tested with rkhunter to assure chkrootkit to expand the range of rootkits the system is scanned for:

debian:~# rkhunter --check [ Rootkit Hunter version 1.3.6 ]

Checking system commands…

Performing ‘strings’ command checks
Checking ‘strings’ command [ OK ]

Performing ‘shared libraries’ checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
…

After a long screen of consequential rootkit tests, each of which requires the user to press enter rkhunter was unable to detect any rootkits installed on host as well.

Finally to make sure for one more time there are no some backdoors left or some unwanted users still connected to the server I used netstat:

debian:~# netstat -tanp Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7269/sshd tcp 0 0 192.168.0.1:22 83.228.93.76:54913 ESTABLISHED 24545/1 tcp 0 0 192.168.0.1:22 83.228.93.76:50240 ESTABLISHED 7059/0 tcp6 0 0 :::22 :::* LISTEN 7269/sshd

As the output shows, I coulnd’t find anything suspiciou, still I can’t be 100% percent sure the system is clean and there is no something left from the cracker, probably the Debian server will be re-installed as it doesn’t matter since it’s newly installed Debian machine.

What is amazing is that the server was compromised immediately after it was installed. This means that either the very easy default root password the admin who installed the server was cracked, or his whole network has been compromised by the script kiddie.
Tomorrow will have to investigate further to assure the security breach is closed hopefully once and for all.

Tags: administrator, atack, axu, bad stuff, brute force, brute forcer, chkrootkit, configure, Denial, denial of service, e store, forcer, handy tools, hash, kill, lead, linux server, local network, login, mfu, password, password string, postgresql, rkhunter, Romanian, root, script kiddie, script kiddies, security audit, Service, shadow, ssh, system users, test, tgz, tmp, tool, xas
Posted in Linux, System Administration | 5 Comments »

How to make pptp VPN connection to use IPMI port (IPKVM / Web KVM) on Debian Linux

Wednesday, July 27th, 2011

If you have used KVM, before you certainly have faced the requirement asked by many Dedicated Server Provider, for establishment of a PPTP (mppe / mppoe) or the so called Microsoft VPN tunnel to be able to later access via the tunnel through a Private IP address the web based Java Applet giving control to the Physical screen, monitor and mouse on the server.

This is pretty handy as sometimes the server is not booting and one needs a further direct access to the server physical Monitor.
Establishing the Microsoft VPN connection on Windows is a pretty trivial task and is easily achieved by navigating to:

Properties > Networking (tab) > Select IPv4 > Properties > Advanced > Uncheck "Use default gateway on remote network".

However achiving the same task on Linux seemed to be not such a trivial, task and it seems I cannot find anywhere information or precise procedure how to establish the necessery VPN (ptpt) ms encrypted tunnel.

Thanksfully I was able to find a way to do the same tunnel on my Debian Linux, after a bunch of experimentation with the ppp linux command.

To be able to establish the IPMI VPN tunnel, first I had to install a couple of software packages, e.g.:

root@linux:~# apt-get install ppp pppconfig pppoeconf pptp-linux

Further on it was necessery to load up two kernel modules to enable the pptp mppe support:

root@linux:~# modprobe ppp_mppe
root@linux:~# modprobe ppp-deflate

I’ve also enabled the modules to be loading up during my next Linux boot with /etc/modules to not be bother to load up the same modules after reboot manually:

root@linux:~# echo ppp_mppe >> /etc/modules root@linux:~# echo ppp-deflate >> /etc/modules

Another thing I had to do is to enable the require-mppe-128 option in /etc/ppp/options.pptp.
Here is how:

root@linux:~# sed -e 's$#require-mppe-128$require-mppe-128$g' /etc/ppp/options.pptp >> /tmp/options.pptp root@linux:~# mv /tmp/options.pptp /etc/ppp/options.pptp root@linux:~# echo 'nodefaultroute' >> /etc/ppp/options.pptp

In order to enable debug log for the ppp tunnel I also edited /etc/syslog.conf and included the following configuration inside:

root@linux:~# vim /etc/syslog.conf *.=debug; news.none;mail.none -/var/log/debug *.=debug;*.=info; *.=debug;*.=info; root@linux:~# killall -HUP rsyslogd

The most important part of course is the command line with ppp command to connect to the remote IP via the VPN tunnel ;), here is how I achieved that:

root@linux:~# pppd debug require-mppe pty "pptp ipmiuk2.net --nolaunchpppd" file /etc/ppp/options.pptp user My_Dedi_Isp_Given_Username password The_Isp_Given_Password

This command, brings up the ppp interface and makes the tunnel between my IP and the remote VPN target host.

Info about the tunnel could be observed with command:

ifconfig -a ppp ppp0 Link encap:Point-to-Point Protocol inet addr:10.20.254.32 P-t-P:10.20.0.1 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1496 Metric:1 RX packets:7 errors:0 dropped:0 overruns:0 frame:0 TX packets:12 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:70 (70.0 B) TX bytes:672 (672.0 B)

One more thing before I could finally access the IPMI’s web interface via the private IP was to add routing to the private IP address via the tunnel other side IP address:

# 10.20.0.1 P-t-P IP address ip route add 10.20.1.124/32 dev ppp0

Now logically one would thing the Web interface to login and use the Java Applet to connect to the server would be accessible but no IT wasn’t !

It took me a while to figure out what is the problem and if not the guys in irc.freenode.net ##networking helped me I would never really find out why http://10.20.1.124/ and https://10.20.1.124/ were inaccessible.

Strangely enough both ports 80 and 443 were opened on 10.20.1.124 and it seems like working, however though I can ping both 10.20.1.124 and 10.20.0.1 there was no possible way to access 10.20.1.124 with TCP traffic.

Routing to the Microsoft Tunnel was fine as I’ve double checked all was fine except whether I tried accessing the IPMI web interface the browser was trying to open the URL and keeps opening like forever.

Thanksfully after a long time of futile try outs, a tip was suggested by a good guy in freenode nick named ne2k

To make the TCP connection in the Microsoft Tunnel work and consequently be able to access the webserver on the remote IPMI host, one needs to change the default MTU set for the ppp0 tunnel interface.
Here is how:

ip link set ppp0 mtu 1438

And tadam! It’s done now IPKVM is accessible via http://10.20.1.124 or https://10.20.1.124 web interface. Horay ! 🙂

Tags: connection, control, debian linux, default gateway, direct access, encrypted tunnel, establishment, gateway, info, information, IPMI, Java, java applet, kernel modules, kvm, linux boot, log, Microsoft, microsoft vpn, modprobe, necessery, none, ppp, ppp linux, ppp options, precise procedure, private ip address, ptpt, root, root linux, screen, server provider, software packages, tab, tmp, trivial task, VPN, vpn connection
Posted in Linux, System Administration | 1 Comment »

Install grsecurity kernel security from binary package (without kernel recompile) on Debian and Ubuntu

Monday, July 26th, 2010

GRsecurity is since long time known that it is a next generation armouring agains 0 day local kernel exploits as well as variousof other cracker attacks.
Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GNU GPL.
GRSecurity is linux kernel patch which has to be applied to the kernel before compile time. However we’ve been lucky and somebody has taken the time and care to prepare linux image binary deb packages for Debian and Ubuntu .

Some of the key grsecurity features are :

An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
Change root (chroot) hardening
/tmp race prevention
Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
Prevention of arbitrary code execution in the kernel
Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
A restriction that allows a user to only view his/her processes
Security alerts and audits that contain the IP address of the person causing the alert

To install from the http://debian.cr0.org/ grsecurity patched kernel image repository use the following steps:

1. Include in your /etc/apt/sources.list

deb http://ubuntu.cr0.org/repo/ kernel-security/
deb http://debian.cr0.org/repo/ kernel-security/

Directly from the bash command line execute:

debian:~# echo "deb http://ubuntu.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list debian:~# echo "deb http://debian.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list

2. Add the debian.cr0.org repository gpg key to the trusted repositories key ring

Download the repository’s gpg key , check it (it has been signed with the repository owner GPG key )

Thence from to include the gpg key to the trusted repos key issue:

debian:~# apt-key add kernel-security.asc

3. Install the linux-image-grsec package itself

Currently to install on my x86_amd64 Debian Squeeze/Sid and possibly on Debian Lenny I’ve issued:

debian:~# apt-get update debian:~# apt-get install linux-image-2.6.32.15-1-grsec

Now simply restarting your system and choosing the Linux kernel patched with the GRsecurity kernel patch from Grub should enable you to start using the grsecurity patched kernel.
Though this tutorial is targetting Debian it’s very likely that the grsecurity hardened kernel installation on Debian will be analogous.

Tags: alertTo, arbitrary code execution, audits, care, containment, cracker, deb packages, entire system, generation, gnu gpl, grsecurity, heap, heap corruption, image repository, information, Install, Install grsecurity kernel security from binary package (without kernel recompile) on Debian and Ubuntu, kernel image, kernel patch, kernelReduction, package, person, prevention, preventionPrevention, privilege, race, rbac, repo, repositories, restriction, role based access control, root, smashing, technique, time, tmp, tmp race, Ubuntu, variousof
Posted in Computer Security, Linux, System Administration | 10 Comments »

How to fix clamd “ERROR: LOCAL: Socket file /tmp/clamd.socket is in use by another process.”

Monday, May 23rd, 2011

One of the Qmail server installations I’m taking care of’s clamd antivirus process started loading the system heavily.
After a bit of log reading and investigation I’ve found the following error in my /var/log/clamd/current

@400000004dda1e1815cf03f4 ERROR: LOCAL: Socket file /tmp/clamd.socket is in use by another process.

I’ve noticed in my process list that actually I do have two processes clamd :

11608 ? Sl 0:05 /usr/local/sbin/clamd 11632 ? S 0:00 /usr/bin/multilog t /var/log/clamd 16013 ? Sl 0:06 /usr/local/sbin/clamd

It appeared that for some weird reason one of the clamd process was failing to connect constantly to the clam server socket /tmp/clamd.socket and each time it tried to connect and failed to connect to the socket the system gets about 5% of extra load …

Resolving the issues was a piece of cake, all I had to do is stop the clamd server delete the /tmp/clamd.socket and relaunch the clamd server.

Here is exactly the commands I issued:

debian:~# cd /service/ debian:/service# svc -a clamd debian:/service# svc -h clamd debian:/service# svc -d clamd debian:/service# rm -f /tmp/clamd.socket debian:/service# svc -u clamd

Afterwards the clamd extra load went out and in /var/log/clamd/current I can see clamd loads fine without errors, e.g.:

Listening daemon: PID: 16013 MaxQueue set to: 150 No stats for Database check - forcing reload Reading databases from /usr/local/share/clamav Database correctly reloaded (966822 signatures) SelfCheck: Database status OK. ...

Tags: antivirus, care, cd service, clam, clamddebian, Database, database check, database status, databases, dda, debian cd, ERROR, file tmp, investigation, LOCAL, multilog, PID, piece of cake, Qmail, reading, reason, rm, sbin, SelfCheck, server installations, server socket, share, signatures, Socket, socketdebian, time, tmp, use, var, weird reason
Posted in Linux, System Administration | 1 Comment »

☩ Walking in Light with Christ – Faith, Computing, Diary

Posts Tagged ‘tmp’

Daily Bible quote

GET ARTICLE UPDATES

Useful blog? Help it:

Links to Other Places

Recent Posts

Ads

Categories

About Myself

Recent Comments

Top Post Views

blogtopsites