A few tools that may help get rid of malware

These tools may help rid a computer system of malware, but be warned that they can be very destructive to your system. In other words, if you don’t know what you’re doing, back up what you can and take it to a professional.

  • Ad-Aware – This seems to be a popular point-and-click tool
  • Spybot – Search & Destroy – Same as above
  • RootkitRevealer – Older tool but still useful
  • GMER – Great manual tool but can cause more damage than good if you do not know what you are doing.
  • HijackThis – Similar to above, if you do not know what to remove manually then be careful as you could damage your system.
  • McAfee Labs Stinger – Detection tool from McAfee
  • Sophos Anti-Rootkit – Requires sign-up to download, annoying to say the least

Of course, keep your current anti-spyware and antivirus installs and definitions up to date.

Posted in security

Setting up maildrop with Courier MTA

Before I get into maildrop, here are a few notes to myself for setting up Courier.

Before running ./configure, add the SSL bin directory to your PATH.
To receive local mail regardless of the case of the address, touch {your/etc/courier/dir}/locallowercase

The postmaster@ account HAS to be set up as well, in the /usr/lib/courier/etc/aliases/system file.

To tell Courier about hosted domains:

add the domain to /etc/courier/hosteddomains

then, as root, run makehosteddomains

And to tell Courier to accept ESMTP connections for the domain:

add the domain to /etc/courier/esmtpacceptmailfor.dir/domains

then, as root, run makeacceptmailfor

Here’s the maildrop stuff:

1. Edit "/usr/lib/courier/etc/maildroprc" to have "| /usr/lib/courier/bin/maildrop" as your delivery method.

2. Create a "$HOME/.mailfilter" file to be read by maildrop. For the most part there is no need for a ".courier" file, since maildrop is already being used.

3. Make sure your "/usr/lib/courier/etc/maildroprc" doesn't kill the install, i.e.:

# attempt at a maildroprc file...
if ( $SIZE < 26144 )
{
    exception {
        xfilter "/usr/bin/spamassassin"
    }
}
if (/^X-Spam-Flag: *YES/)
{
    exception {
        to "$HOME/Maildir/.Trash/"
    }
}
#else
#{
#    exception {
#        to "$HOME/Maildir/"
#    }
#}

The commented-out part is no good: if you specify the default delivery there, your ".mailfilter" will never be read. So DON'T specify the default delivery; unless told otherwise by an exit command, Courier delivers to the default "$HOME/Maildir" anyway. The same goes for the .mailfilter: wherever you send the mail, there is no need to also send it to the default location, unless you have some crazy chaos going on that is beyond my lame howto =)

4. The contents of your ".mailfilter" should be something like the following:

"| /usr/lib/courier/bin/mailbot -t autoresponse -s 'AutoGoAwayMessage' -A 'From: test@prcdigital.com' /usr/sbin/sendmail -f "

An "autoresponse" file should be created and placed in the same $HOME directory as the ".mailfilter", though a shared file can be created for multiple users to access if desired.

5. chmod 600 .mailfilter autoresponse

Also, the same user:group that owns the Maildir should own these two files, so: chown user:group .mailfilter autoresponse

Once you get to maildrop, you don’t want to bounce it. Your best bet is to just drop it. Also, I would suggest using spamc/spamd if at all possible. This is what I would do:

if ( $SIZE < 204800 )
{
    exception {
        xfilter "/usr/bin/spamc"
    }
}

if ((/^X-Spam-Flag: YES/))
{
    if ((/^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/))
    {
        echo "***** Dropping 15+ Spam *****"
        EXITCODE = 0
        exit
    }
    else
    {
        to "$HOME/Maildir/.Trash/"
    }
}
to "$HOME/Maildir/"

You can get rid of the echo if you don’t want an entry in the log when it drops an email.

if ((/^X-Spam-Flag: YES/))

Why double parentheses? This is what I am using and it is not working, though it seemed to work until recently:

if (/^X-Spam-Level: *\*\*\*\*\*\*\*/)
{
    exception {
        to "/dev/null"
    }
}
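To make the routing decisions in the maildroprc and .mailfilter snippets above easy to check, here is the same logic as a small Python model (an added example, not maildrop code or anything from the post): the size gate for spamc, the X-Spam-Flag test, and the 15-star X-Spam-Level cutoff that accepts-and-discards instead of bouncing. The sample messages are constructed.

```python
import re

# Thresholds taken from the maildroprc/.mailfilter snippets above
SPAMC_MAX_SIZE = 204800            # only pipe messages under 200 KiB through spamc
DROP_LEVEL = 15                    # 15 or more '*' in X-Spam-Level -> discard

FLAG_RE = re.compile(r"^X-Spam-Flag: *YES", re.M)
LEVEL_RE = re.compile(r"^X-Spam-Level: *(\*+)", re.M)

def needs_spam_scan(raw: bytes) -> bool:
    """Mirror of: if ($SIZE < 204800) { exception { xfilter "/usr/bin/spamc" } }"""
    return len(raw) < SPAMC_MAX_SIZE

def spam_level(headers: str) -> int:
    """Number of '*' characters SpamAssassin wrote into X-Spam-Level (0 if absent)."""
    m = LEVEL_RE.search(headers)
    return len(m.group(1)) if m else 0

def route(raw: bytes) -> str:
    """Where the rules above would deliver: 'drop', 'trash' or 'inbox'."""
    headers = raw.split(b"\n\n", 1)[0].decode("utf-8", "replace")
    if not FLAG_RE.search(headers):
        return "inbox"        # falls through to: to "$HOME/Maildir/"
    if spam_level(headers) >= DROP_LEVEL:
        return "drop"         # EXITCODE = 0; exit -> accepted by Courier, never bounced
    return "trash"            # to "$HOME/Maildir/.Trash/"

# Constructed sample messages (not real mail)
HAM = b"From: a@example.com\nSubject: hi\n\nhello\n"
SPAM_LOW = b"From: b@example.com\nX-Spam-Flag: YES\nX-Spam-Level: *****\n\nbuy\n"
SPAM_HIGH = b"From: c@example.com\nX-Spam-Flag: YES\nX-Spam-Level: " + b"*" * 18 + b"\n\nbuy\n"
```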
Posted in linux

Migrating from Blogger to WordPress

Blogger is removing the functionality to host your own “Blogger” content by disabling the FTP/SFTP functionality from their system. I’m considering their hosting solution or migrating to a WordPress solution.

If I stick with Google’s Blogger hosting then bandwidth should never be an issue, as they have a distributed computing system. The only downside is that I’ll probably have to use a sub-domain to host any static files. If I move to hosting my own WordPress then I’ll probably have to increase my virtual host resources, since PHP and MySQL will be required and will use more system resources. This also increases my host's vulnerability footprint: not only am I essentially adding two services, but WordPress has had its fair share of security issues.

If you want to stick with Blogger, the simple alternative is just to migrate to a hosted Blogspot and use custom domains. You can simply point domain.com or sub.domain.com at Google’s DNS servers and within a short amount of time you will be up and running again. With this said, there are a number of variables that come into play.

Google’s Blogspot does not support subfolders. One alternative is to use a URL redirection to point to the new host, which means you will need to search around for the code to insert into the header of your template to accomplish this. Per the migration tool there is no sub-folder support.

domain.com/blog/ –> blog.domain.com

Since Google would be hosting your blog there really isn’t a wonderful way to handle this, as there is no provision to use Mod_Rewrite or something similar, though with the number of complaints Google has received on their blog they may implement a feature.

If you are considering hosting with another solution such as WordPress then you have more options available, depending on your hosting solution. WordPress has an integrated import function for other blogging platforms, but you must first convert your existing hosted Blogger account to a Blogspot solution. Blogger does have an export function but it seems broken per these posts. WordPress also has custom URL functionality, so it would be easier to match the format that Blogger was using, especially if you can utilize Mod_Rewrite.

Personally, I’m still undecided…

Posted in blog

God Mode – Give Windows users an easier way to destroy their computers

Windows 7 and Vista (the latter can be buggy) have an interesting feature that allows quick access to all kinds of administrative tools.

To create God Mode simply create a new folder on your desktop and name it the following:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Now you’ll have a quicker way to change settings that will probably lead to the demise of your operating system. Have fun.

Posted in systems administration

Google namebench helps find happy nameservers

I was recently checking the name servers I was using to resolve hosts on a network. After using tools such as ping, traceroute, and dig I decided to search around and found that Google has a new tool called namebench. Intrigued, I decided to give it a shot. There is support for several platforms including Linux and Microsoft Windows. I pulled down a *NIX copy and fired up the Python script. By default in the CLI the tool tests the top 10000 Alexa sites; note that the GUI tool can test sites from your browser’s cache. The tool compares your DNS hosts to several top resolvers around the net, including Google’s own. This was neat, but I found the real usefulness was the ability to specify only the name servers you want to test. Very cool IMO.

$ ./namebench.py -O 68.87.73.242 68.87.68.162 68.87.74.162 8.8.8.8 8.8.4.4 208.67.220.220
namebench 1.0.5 - data/alexa-top-10000-global.txt (weighted) on 2009-12-14 22:09:40.248541
threads=40 tests=200 runs=1 timeout=2.0 health_timeout=4.0 servers=10
------------------------------------------------------------------------------
- Checking connection quality...
- Connection appears healthy (latency 55.15ms)
- Building initial DNS cache for 6 nameservers [40 threads]
- Waiting for health check threads for 6 servers: 0/6.6/6
.- 6 of 6 name servers are healthy
- Waiting for wildcard check threads: 1/6.....6/6
.- Waiting 4s for TTL's to decrement.
- Waiting for cache collusion threads: 0/30.30/30
30
Final list of nameservers considered:
------------------------------------------------------------------------------
68.87.68.162    68.87.68.162     48  ms |
208.67.220.220  208.67.220.220   59  ms | www.google.com. hijacked (google.navigation.opendns.com.), NXDOMAIN Hijacking
68.87.73.242    68.87.73.242     62  ms |
68.87.74.162    68.87.74.162     78  ms |
8.8.8.8         8.8.8.8          86  ms |
8.8.4.4         8.8.4.4          88  ms |

- Reading test data from data/alexa-top-10000-global.txt
- Benchmarking 6 server(s), run 1 of 1: 1/200.........10.........20.........30.........40.........50.........60.........70.........80.........90.........100.........110.........120.........130.........140.........150.........160.........170.........180.........190.........200/200
200
- Rendering template: ascii.tmpl
- Saving rendered ascii output
Fastest individual response (in milliseconds):
----------------------------------------------
68.87.68.162     ############################ 32.37295
68.87.73.242     ################################# 38.33604
208.67.220.220   ################################# 39.38794
68.87.74.162     ########################################## 49.34692
8.8.4.4          ##################################################### 63.43389
8.8.8.8          ##################################################### 63.49301

Mean response (in milliseconds):
--------------------------------
8.8.4.4          ########################## 67.35
68.87.73.242     ################################## 90.54
8.8.8.8          #################################### 95.24
68.87.68.162     #################################### 95.31
208.67.220.220   ######################################### 108.85
68.87.74.162     ##################################################### 142.74

Response Distribution Chart URL (200ms):
----------------------------------------

http://chart.apis.google.com/chart?cht=lxy&chs=720x410&chxt=x,y&chg=10,20&chxr=0,0,200|1,0,100&chd=t:0,20,20,20,21,21,21,24,27,49,59,67,116|0,1,12,40,57,63,69,73,77,80,84,87,91|0,16,17,17,18,19,25,26,29,35,39,51,77,95,102|0,1,14,28,48,53,56,60,65,69,72,76,80,83,87|0,19,20,20,20,21,21,23,24,26,36,56,69,90,112|0,1,8,30,45,50,54,61,64,70,73,77,80,84,87|0,25,25,25,26,27,45,46,49,51,57,71,77,91,116|0,1,5,33,39,47,50,54,58,62,65,69,73,77,80|0,32,32,32,33,33,34,34,35,38,48,53|0,1,7,28,55,65,80,88,91,95,98,100|0,32,32,32,33,33,34,34,34,37,41,50,63,78,126|0,1,7,28,44,54,66,70,74,77,81,85,89,92,96&chco=ff9900,1a00ff,80ff00,ff00e6,00e6ff,fae30a&chxt=x,y,x,y&chxl=2:||Duration+in+ms||3:||%25|&chdl=208.67.220.220|68.87.68.162|68.87.73.242|68.87.74.162|8.8.4.4|8.8.8.8

Response Distribution Chart URL (Full):
---------------------------------------

http://chart.apis.google.com/chart?cht=lxy&chs=720x410&chxt=x,y&chg=10,20&chxr=0,0,1333|1,0,100&chd=t:0,3,3,3,3,3,3,4,4,7,9,10,17,23,62,100|0,1,12,40,57,63,69,73,77,80,84,87,91,94,98,100|0,2,2,3,3,3,4,4,4,5,6,8,12,14,15,19,22,24,60|0,1,14,28,48,53,56,60,65,69,72,76,80,83,87,90,94,97,100|0,3,3,3,3,3,3,3,4,4,5,8,10,13,17,20,23,25,32|0,1,8,30,45,50,54,61,64,70,73,77,80,84,87,91,94,98,100|0,4,4,4,4,4,7,7,7,8,9,11,11,14,17,19,22,25,28,45,67|0,1,5,33,39,47,50,54,58,62,65,69,73,77,80,84,88,91,95,98,100|0,5,5,5,5,5,5,5,5,6,7,8|0,1,7,28,55,65,80,88,91,95,98,100|0,5,5,5,5,5,5,5,5,6,6,8,9,12,19,55,69|0,1,7,28,44,54,66,70,74,77,81,85,89,92,96,99,100&chco=ff9900,1a00ff,80ff00,ff00e6,00e6ff,fae30a&chxt=x,y,x,y&chxl=2:||Duration+in+ms||3:||%25|&chdl=208.67.220.220|68.87.68.162|68.87.73.242|68.87.74.162|8.8.4.4|8.8.8.8

Recommended configuration (fastest + nearest):
----------------------------------------------
nameserver 8.8.4.4         # 8.8.4.4
nameserver 68.87.68.162    # 68.87.68.162
nameserver 68.87.73.242    # 68.87.73.242
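The "NXDOMAIN Hijacking" note namebench attached to 208.67.220.220 above is the security-relevant finding: that resolver returns an answer for names that do not exist, which hides typos and lookup failures from clients. As an added example (my own stdlib-only code, not namebench's), here is a probe that sends an A query for a random label under a zone that has no wildcard and classifies the reply; the two sample replies are constructed, not captured, and the zone name is an assumption.

```python
import secrets
import socket
import struct

QID = 0x1234

def build_query(name: str, qid: int = QID) -> bytes:
    """Encode a plain recursive A/IN query for `name` (no EDNS, no compression)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify(raw: bytes, qid: int = QID) -> str:
    """Interpret the reply to a query for a name that cannot exist."""
    if len(raw) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    if rid != qid:
        return "id-mismatch"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"          # resolver told the truth
    if rcode == 0 and ancount > 0:
        return "hijacked"          # answer synthesized for a nonexistent name
    return "nodata" if rcode == 0 else f"rcode-{rcode}"

def probe(server: str, zone: str = "example.com", timeout: float = 2.0) -> str:
    """Ask `server` for a random label under `zone`; needs network, not used by tests."""
    name = secrets.token_hex(6) + "." + zone
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        try:
            raw, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(raw)

# Constructed replies (no network) for the two cases namebench distinguishes.
_QUESTION = build_query("abc123.example.com")[12:]
HONEST_REPLY = struct.pack("!HHHHHH", QID, 0x8183, 1, 0, 0, 0) + _QUESTION   # RCODE 3
HIJACK_REPLY = (struct.pack("!HHHHHH", QID, 0x8180, 1, 1, 0, 0) + _QUESTION   # RCODE 0
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```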
Posted in network

I’m certified to handle ninjas and stuff

After passing my previous certification, the GPEN, I decided to take on the GIAC Certified Incident Handler (GCIH). I decided to save a few dollars this round and challenge the certification without purchasing the full course, which comes with a test voucher, since I had done well on the GPEN. The test was straightforward and the topics closely resemble the certification bulletin. I guess my fu was strong yesterday as I was able to pull off a passing grade and add another great certification to my list of skllz.
Posted in education

Problem with RAID volumes larger than 2TB on Dell workstations

I ran into an interesting issue this weekend. I was setting up a RAID volume on Optiplex and Precision workstations, which have three 1.5 Terabyte (TB) drives. I tried creating a single large RAID 5 volume but the Intel Matrix Storage Manager (8.5.2) would not set the array to bootable. After much trial I found I could create a smaller 160 Gigabyte (GB) volume for the system, which was bootable, and another utilizing the rest of the storage. My original plan was to create a large volume and partition it using the OS, but this worked just as well, so instead I had two RAID 5 volumes. The only difference is that the large volume is not bootable and requires the small one with the OS on it to be mounted first.

Posted in hardware

Python file uploader

I recently had a need to upload large files to a server via HTTP. Most of the solutions required tweaking the web server or PHP instance, which I didn’t feel like dealing with. I found a Python script that would write the data in chunks so it could handle large files. I modified the script to include a few additional features, including reporting a hash to the user and appending a date and revision to the file name. I did my testing with Apache, so your mileage may vary with other httpd instances. The script is released under the GNUv3 license, so feel free to download a copy for your use or destruction. You can find it at Google Code or directly here: http://code.google.com/p/file-uploader/
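The script itself is at the link above. As an added example (my own code, not the author's script), here is how the three features the post describes can be done server-side: a chunked write that never holds the whole upload in memory, a SHA-256 digest computed on the same pass and reported back, and a date plus revision suffix chosen with O_EXCL so an upload never overwrites an earlier one. The client-supplied name is reduced to a safe basename first; the helper names and the fixed date in demo() are my own.

```python
import datetime
import hashlib
import io
import os
import re
import tempfile

CHUNK = 64 * 1024                         # stream to disk in 64 KiB pieces
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")

def safe_basename(client_name: str) -> str:
    """Keep only the final path component and a conservative character set."""
    base = os.path.basename(client_name.replace("\\", "/"))
    return SAFE_NAME.sub("_", base).lstrip(".") or "upload"

def store_upload(stream, dest_dir: str, client_name: str, today=None):
    """Write `stream` to dest_dir as <stem>_<YYYYMMDD>_r<N><ext>; return (path, sha256)."""
    today = today or datetime.date.today()
    stem, ext = os.path.splitext(safe_basename(client_name))
    stamp = today.strftime("%Y%m%d")
    rev = 1
    while True:                           # O_EXCL: never overwrite, bump the revision
        path = os.path.join(dest_dir, f"{stem}_{stamp}_r{rev}{ext}")
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            break
        except FileExistsError:
            rev += 1
    digest = hashlib.sha256()
    with os.fdopen(fd, "wb") as out:
        while True:
            chunk = stream.read(CHUNK)    # hash and write one chunk at a time
            if not chunk:
                break
            digest.update(chunk)
            out.write(chunk)
    return path, digest.hexdigest()

def demo():
    """Constructed run: the same name uploaded twice on a fixed day gets r1, then r2."""
    dest = tempfile.mkdtemp()
    day = datetime.date(2009, 12, 14)
    p1, h1 = store_upload(io.BytesIO(b"hello world\n"), dest, "../../report.txt", day)
    p2, h2 = store_upload(io.BytesIO(b"hello world\n"), dest, "report.txt", day)
    return [os.path.basename(p1), os.path.basename(p2)], h1, h1 == h2
```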

Posted in coding

I’m a certified penetrator

Okay, that title is a bit loaded, but I did pass my GIAC Penetration Tester exam today and did fairly well on it. As with most of the SANS certifications, this one was quite difficult. I believe the only reason I did better on this exam than on my previous SANS certification exams was knowing in advance that this is one of SANS’s more difficult exams to sit for (i.e. I actually studied). There were a number of very cool topics on the exam, which you can see here. My favorite topics were probably “Cross Site Scripting/Request Forgery” attacks, since I was not as familiar with these concepts. I highly recommend a SANS certification to anyone looking to further their knowledge in information security with great vendor-neutral certifications.

Posted in education

Trouble accessing Gmail or internal chat client

I have been in a couple of places where I needed to access my email and chat, so here’s a little fix to get around DNS filtering that redirects these hosts to localhost.

Modify your hosts file to look like the following:

C:\Windows\System32\drivers\etc\hosts

127.0.0.1       localhost
74.125.79.17    mail.google.com
66.102.1.189    chatenabled.mail.google.com        #or 74.125.19.189 for non-Comcast.

# A friend recommended these, YMMV.
#209.85.135.17    mail.google.com
#72.14.204.189   chatenabled.mail.google.com
#72.14.204.189   talk.google.com
#72.14.204.189    talkx.l.google.com
#72.14.204.189    hostedtalkgadget.google.com
#72.14.204.189   talkgadget.google.com

This basically tells your system where these services are located instead of relying on a third-party resolver to tell it. Keep in mind that the hosts file pins fixed addresses: if Google moves these services, the entries stop working until you update them.

Posted in internet