Denial-of-service attack

A denial-of-service attack (also, DoS attack) is an attack on a computer system
or network that causes a loss of service to users, typically the loss of network
connectivity and services by consuming the bandwidth of the victim network or
overloading the computational resources of the victim system.
Attacks can be directed at any network device, including routers and Web, electronic
mail, and Domain Name System servers.

A DoS attack can be perpetrated in a number of ways. There are four basic types
of attack:

1) consumption or overload of system or network resources, such as bandwidth,
disk space, or CPU time
2) disruption of configuration information, such as routing information
3) disruption of physical network components
4) disruption of normal operating-system functionality by exploiting a software
vulnerability.

Attempts to “flood” a network with bogus packets, thereby preventing
legitimate network traffic, are the most common form of attack, often conducted
by disrupting network connectivity with the use of multiple hosts in a distributed
denial-of-service attack or DDoS. Such attacks can consume the resources of
intervening systems and networks over which the attack is transmitted. Other
than incorrectly formed packets or random traffic, two specific sophisticated
means of attack include:

1) a smurf attack, in which ICMP requests are sent to the broadcast address
of misconfigured networks, with a faked, or spoofed, source IP Address set to
the one of the target
2) a SYN flood, in which bogus SYN requests to a service (often HTTP) cause
a server to be overloaded by spawning half-open connections
You can check the current http usage by firing the shell command

top -d2

If you are getting lots of httpd processes, then you have to check if it is
a DoS attack and the server is flooded with SYN packets. You can check this
by the following command.

netstat -nap | grep SYN | wc -l

If you are getting abnormal numbers then your server is under attack.
You can check from which IPs the SYN packets are coming. Give the following
command

netstat -nap | less

You will get all the details of kernel routing table also the IPs from where
the packets are coming. If it is coming from any particular IP then you can
simply block that IP on the server. Or if its from one network then you will
have to block the range of IPs.
If there are multiple IPs which are attacking then you will have to find which
site is under attack.
To check this go to /usr/local/apache/domlogs/
Check how stat’s date is defined. Then run the command “date“.
Check the current time of the server. Then you have to check which site was
under attack before few mins ago. Suppose current time is Sep 15 02:03:38 then
run the command

grep “15/Sep/2005:02:01″ *

It will show you the list of sites accessed at that time. If you see any particular
site is being accessed multiple times, then the site is under attack. You can
chnage the time to check if different sites are under attack. You can suspend
that site to prevent the server from overloading.

Many times the attack hits a particular IP and all the sites having that IP
get attacked. All you have to do is change the IP of those sites and then null-route
that IP.

These are the simple steps you have to follow when attack is going on. Obviously
you have to use your presence of mind while working on it. You will find many
ways to solve this issue.

No related posts.

First, login to the new server as root. Then browse to the following page:

http://download.r1soft.com/

Click on the Linux Stable link under CDP Agent, and copy the link location of the latest CentOS agent.

Now, go back to the server, and execute the following command:

For 64bit CentOS : wget http://download.r1soft.com/d/linux-agent/1.46.5-x86_64/linux-agent-64-1.46.5-centos.run

For 32bit CentOS : wget http://download.r1soft.com/d/linux-agent/1.46.5-x86/linux-agent-32-1.46.5-centos.run

for newer kernels go to the Pre
Release
section

wget http://download.r1soft.com/d/linux-agent/1.47.0-x86_64/linux-agent-64-1.47.0-centos.run

The link will look different depending on the release you download. Once this has finished, execute the file:

sh linux-agent-64-1.46.5-centos.run

or

sh linux-agent-32-1.46.5-centos.run

If you are installing a custom kernel then you need to install the headers first

yum install kernel-devel

A graphical wizard will appear. Just go through here accepting the defaults; they usually work fine. Once this is done, we need to create the server key. Browse to the following directory:

cd /etc/buagent/server.allow/

Now create a file called the IP of your main backup server.

nano 111.222.333.444 (Your backup server IP)

Browse to your main backup server, login as administrator, click on Options, then click on Server Key. You need to copy this key into the file you just created on the server to be backed up. Once this is done, save the file. The path to the file should look like this:

/etc/buagent/server.allow/SERVER_IP

One last thing to do; open up TCP port 1167 on the server firewall. This can easily be done through a iptables frontend like csf, or just use iptables via the command line.

Everything is now completed on the server to be backed up; now you just need to add it in the CDP interface. Login as administrator and click on the New Host button.

{gallery}winagent4{/gallery}

Now fill out the form like this:

Host Name or IP: The IP address/hostname of the server you just installed the agent on.

Host Description: A description of the server you installed the agent on

Host Type: Select “Linux”

Tick the Use Default Network Settings box

In the “Licensed Add-on Modules” section, you need to tick the Control Panel option if you want CDP to integrate with a hosting

control panel (like cPanel or Plesk), and you need to tick the MySQL module if you want CDP to perform a proper granular (table by

table) backup of the databases on the server.

Now select the Volume you want the server to place the backups in, check the “Create Disk Safe Next” box, and click on OK.

These settings are usually fine for a standard CDP server setup; however, keep in mind that your server setup may mean that you need to use different settings from the ones listed here.

The next page contains Disk Safe configuration settings.

{gallery}agentcompression{/gallery}

The first, Compression Level, I would recommend setting to at least 1. Uncompressed backups can use up all the available disk space on your backup server quickly; setting the Compression Level to 1 can reduce backup size by up to 50% without too significant a hit on CPU consumption. Leaving the Defragment setting at 5% is fine.

I would not recommend encryption unless the data you are backing up sensitive data. Now click on OK.

You should now be directed to the host summary page. CDP automatically attempts to find the host; click on History at the top and see if it was succesful or not.

{gallery}hosthistory{/gallery}

If it was, you can now start the first backup and setup a recurring backup schedule to your liking in the Backup and Restore tab in the host’s page.

{gallery}backupandrestore{/gallery}

Here is a brief overview of setting up a recurring backup schedule:

1. Login to CDP as admin

2. Click on the Host

3. Click on the “Backup and Restore” option

4. Click on “Schedule Backup”

Now fill out the settings to your liking. Do backup the swap partition (CDP will skip it anyway), disable the tmp partition. If you have a second hard drive for backups (for example, for cPanel backups), do not include it.

If you now need to setup a granular MySQL backup using the MySQL addon, click on the MySQL button.

{gallery}agentmysql{/gallery}

Fill out the description and the root username and password of your
MySQL server. I recommend changing the Connection Type to Socket File -
the default socket file location on CentOS servers is:

/var/lib/mysql/mysql.sock

CDP will now backup your MySQL databases table by table in line with your backup schedule.

All done, you have setup a Linux server to be backed up by R1soft

No related posts.

2. Notify your DataCenter to setup Reverse DNS for the IP addresses used above
and for your name servers. (Normally you put in a ticket to request RDNS for “NS1.yourdomain.com = IP#1 NS2.yourdomain.com = IP#2″ and they will complete this within a day)

Please note it can take up to 36 hours for your name servers to propogate through the web. Once they have propogated procede to step #3.

1. Login to WHM as root

2. Click “Edit Setup” from the left hand menu. (x2 theme)

3. Type: ns1.yourdomain.com in the Primary Nameserver field.

4. Press Assign IP Address

5. Then Press Add an A Entry for this nameserver

6. Type ns2.yourdomain.com in the Secondary Nameserver field.

7. Click Assign IP Address

8. Then Click Add an A Entry for this nameserver

9. Click Manage Nameserver IPs from the left menu in WHM.

10. If you see any nameservers that do not belong to you, remove them now.

11. Click Initial NameServer Setup from the left menu in WHM
Run this for the “initial name server setup”

12. Login to SSH to restart bind. (Be sure it restarts, so don’t do this in WHM)

13. Type: service named stop

14. Type: service named start

15. While in SSH do the following to verify installation has gone well.

16. Type: pico /etc/wwwacct.conf
Scroll to the bottom and insure that your name servers are listed like this:
NS ns1.yourdomain.com
NS2 ns2.yourdomain.com

17. While still in SSH do the following to verify installation has gone correctly.
Type: pico /etc/resolv.conf
It should look like this:

domain yourdomain.com
search yourdomain.com
#nameserver 127.0.0.1
nameserver ip address #1 here
nameserver ip address #2 here

18. Check one more thing in SSH to make sure Name Server Configuration went GOOD.
Type: pico /etc/nameserverips
It should look like this:
ip address 1=ns1.yourdomain.com
ip address 2=ns2.yourdomain.com

There may be more IP Addresses that are equal to 0 this is ok.

No related posts.

That will list the IPs taking the most amount of connections to a server. It is important to remember that the ddos is becoming more sophistcated and they are using fewer connections with more attacking ips. If this is the case you will still get low number of connections even while you are under a DDOS.

this MUST be executed in one line via SSH

additionally you can check the connection ports here
lsof | grep ESTABLISHED
lsof | grep LISTEN

lsof -p PID

No related posts.

This is done by setting up a cron job.

A cron job is simply an automated task carried out by the server at regular specified intervals, usually hourly, daily, weekly etc.

We are going to get the server to check your APF firewall log on a daily basis, and output the result to an email address of your choosing. To do this, we are going to create a new file containing the instructions in the relevant cron directory.

Lets do it:

This assumes you are using SSH and are logged on as root.

1. Change to the cron.daily directory. Type:

cd /etc/cron.daily

2. Create a new file. Type:

pico apfstatus.sh

3. You are now in the pico text editor. Type:

#!/bin/bash
tail -100 /var/log/apf_log | mail -s “APF Firewall Status” you@yourdomain.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it

In this case, this should be two lines only. Pico adds a carriage return to the end of the last line, so you do not need to do this.

4. Exit as follows:

Press “Ctrl” and “x”

5. You will be prompted to save the file thus:

“Save modified buffer…” Type:

y

For yes.

6. It will then say:

“File Name to Write: apfstatus.sh”:

Hit enter to save

You have now created and saved your new file (apfstatus.sh) in the /etc/cron.daily directory.

7. Next you will need to change the permissions of your file so that it can run. Type:

chmod 755 apfstatus.sh

Finished!!

You will now get a daily email showing the status of your firewall.

Lets test it (this assumes you are still in the /etc/cron.daily directory). Type:

./apfstatus.sh

You will not see anything happening on the screen as the output is being sent to email.

Check your mail!

Notes:

1. If you want to make it run hourly, put (or create) the file (apfstatus.sh) in the /etc/cron.hourly directory. This will send you an email every hour.

2. You don’t have to name the file “apfstatus.sh”, you can call it anything_you_like.sh

3. “tail -100″ asks the server to output the last 100 lines of the APF log file (apf_log). You can change this to any number. If you make it much bigger, you will get a large email!

The most important line in the log is the last one, this shows the current status of your firewall, so you don’t really need hundreds of lines unless you just like to see it’s doing its stuff!

If your firewall is up and running, the last line should read (not literally):

(date) (server name) apf(number): firewall initalized

4. “APF Firewall Status” is the subject of the email that is sent. You can change this to anything you like, between the quotes.

5. Replace you@yourdomain.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it with your own email address!!

When I first tried this on a new server, my mail provider rejected the email because the server name (hostname) myserver.mydomain.com was “unroutable”. This was because my server name was not in the DNS. You must add it to whatever DNS you are using, pointing it to the IP address of your server, so that you can be sure of getting the mails from your server.

6. You can experiment with different cron jobs, making a new file for each job for simplicity’s sake.

The important thing is to include the “shebang” line first:

#!/bin/bash

What follows this is just regular Linux commands. Put each command on a new line.

So you can get the file to do practically anything you can do at the command prompt, then email it to you if desired.

Think of it as the file entering the Linux commands for you!

This is the command that outputs to email:

mail -s “APF Firewall Status” you@yourdomain.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Make sure that you have ” | ” (space pipe space) after your Linux command like:

ls -l /var/log | mail -s “Email Subject” you@yourdomain.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it

To make a pipe symbol press shift backslash.

Enjoy.

No related posts.

Hope this helped a little, found the info on the cPanel forum provided by sawbuck

No related posts.

—–command—–
pico -w /etc/sysctl.conf
—–command—–

Now paste the following into the file, you can overwrite the current information.

No related posts.

cd /usr/src
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
rm -f apf-current.tar.gz
cd apf-*
./install.sh
cd /etc/apf
nano conf.apf

Configure the ports

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS=”20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,
2096,3306,10000,35000_35999″
please note that ports 2082 to port 2095 is mostly used by cpanel, and port 19638 is only use in
ensim.

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS=”20,21,53,1040″[/green[

Exit nano and save and then restart apf
(ctrl+x)
y
(enter)
service apf start

If APF is functioning properly and you are not locked out edit the conf.apf again

nano conf.apf
Set the DEVM parameter to 0
DEVM=”0″
Once done Exit and save the file.
CTRL-x, y to save enter to confirm
Restart APF
service apf restart

No related posts.

The most common reason is for them to run a bot which is called an xdcc bot(iroffer), what this does is allows them to “serve” files on an irc network, which will allow people to download “warez” from you. These files must be uploaded to you, which means they will have opened an extra ftp server on you aswell. These bots allow people to use your space and bandwidth, because the faster the box the more popular there irc channel becomes.

More reasons are,
they just flat out hate you.
they need some extra resources.
because they want too.

How to stop this?

There is no exact way to stop it, all you can do is take the steps provided, follow them regularly, and keep an eye out.

Ok lets move on

Lets start off by installing a bash script to check for irc related proccesses.

open up ssh
login as root
and create a new file (touch filename,nano filename,echo “” >> filename,etc)
and put this inside it

#!/usr/local/bin/bash

#Modded by HostGeekZ
PROCESS[1]=eggdrop:Eggdrop
PROCESS[2]=psybnc:psyBNC
PROCESS[3]=ezbounce:ezBounce
PROCESS[4]=ircd:IRCD
PROCESS[5]=iroffer:iroffer
NUMOF=”5″
output_proc () {
i=”1″
NUMOF=$[$NUMOF + 1]
echo “+————————————+”
echo “| Secure your box ~Scott |”
echo “+————————————+”
while [ "$i" -lt "$NUMOF" ];do
PROCESS=”`echo ${PROCESS[$i]}|tr : ” “|awk ‘{print $1}’`”
PROCESSOUT=”`echo ${PROCESS[$i]}|tr : ” “| awk ‘{print $2}’`”
echo “| “`ps -ax|grep -v “grep”|grep -wcn $PROCESS`” $PROCESSOUT processes running”
i=$[i + 1]
done
echo “+————————————+”
}

output_proc

Save this file as proccheck.
Once saved type
sh proccheck
And now you will see an output, if you do not run irc and see any output of these as not 0, then you must deal with them.
For the most of you that dont allow irc you should see

+————————————+
| Secure your box ~Scott |
+————————————+
| 0 Eggdrop processes running
| 0 psyBNC processes running
| 0 ezBounce processes running
| 0 IRCD processes running
| 0 iroffer processes running
+————————————+

If anyone recives anything other than 0 for iroffer, then you have probley been “hacked”

If this all returns 0, then you should be fine so skip these next tests.

If you get anything then firstly check who ran the proccess, so if it was an iroffer proccess you would type

ps -aux | grep iroffer
If its iroffer no doubt you will see somthing similar to

nobody 1469 0.0 0.1 1984 864 ? S Aug03 0:02 ./iroffer -b somthing.conf
if it doesnt say nobody, then suspend the user that ran it and speak to him, otherwise continue.

So if someone has attacked you how can you find out?

Start by getting the pid which in this instance is 1469 and type

cd /proc/1469
Now view the files and where it started by typing

ls -alF
You should see somthing similar to this

-r–r–r– 1 user user 0 Aug 5 07:43 cmdline
lrwxrwxrwx 1 user user 0 Aug 5 07:43 cwd -> /home/user/iroffer
-r——– 1 user user 0 Aug 5 07:43 environ
lrwxrwxrwx 1 user user 0 Aug 5 07:43 exe -> /home/user/iroffer/iroffer*
dr-x—— 2 user user 0 Aug 5 07:43 fd/

This tells us that its located in /home/user/iroffer

Because it was ran by nobody this means that its what we call a webshell, they used http to execute the commands, so go get the apache logs of the account and look at them , open them up and search for iroffer , ls, tar, search for simliar linux commands and your bound to found where they where executed from, and then you can deal with the script and ban the users ip and report him.

Now dealing with the bot.
kill -9 pid for the example i would use

kill -9 1469
Now remove the files in the example i would use

rm -rf /home/user/iroffer
And deal with the webshell, also there will be uploaded files, so you will have to read iroffer.conf before deleting it to find what dir they uploaded too.

Now install chkrootkit, follow steps below.

wget http://www.reznor.com/tools/chkrootkit.tar.gz
tar -zxvf chkrootkit.tar.gz
chkrootkit-0.43
make sense
./chkrootkit
Make sure you run chkrootkit as root, and run it every so often, its better safe than sorry.

For cpanel and whm users

A good firewall to use is apf

No related posts.

No related posts.

No related posts.

What Eaccelerator does is: it caches your PHP scripts so that the database is no longer being queried everytime someone needs a script. This is particularly useful for large forums, but pretty much anyone can benefit from it. Since these scripts are cached, you’ll notice a decrease in memory use and server load.

Installing Eaccelerator

1. First, you’ll want to SSH into your server as the root user. you should be in the default directory now. If you’re not, type in cd ~

2. Now we’ll make the eaccelerator directory:

mkdir /ea/

cd /ea/

2. Now we’ll grab the files, and unzip them:

wget http://optusnet.dl.sourceforge.net/sourceforge/eaccelerator/eaccelerator-0.9.4.zip

unzip eaccelerator-0.9.4.zip

3. Now that we’ve done that, let’s install Eaccelerator:
Note: in the following “export” command, you need to point that to where PHP is installed. For most, it’s usually either “usr/” or “usr/local”, but it may be something else.

cd eaccelerator-0.9.4/

export PHP_PREFIX=”/usr”

$PHP_PREFIX/bin/phpize

./configure –enable-eaccelerator=shared –with-php-config=$PHP_PREFIX/bin/php-config

make

make install

4. It’s basically installed, now we need to edit the php.ini files to include Eaccelerator. This is usually found in the /etc/ folder, but if you can’t find it, run a “locate php.ini” (without quotes) to find it.
[i]I’m editting my file with nano, which pretty much anyone with a modern server should have. You can use pico or vi, it’s your choice:

cd ~

nano /etc/php.ini

Now find ;Windows Extensions (press ctrl + W). Remove the mmcache lines (if you had it installed before) above this and…

—————————————————————————-
For a PHP extension install (most will probably want this)
—————————————————————————-

extension=”eaccelerator.so”
eaccelerator.shm_size=”16″
eaccelerator.cache_dir=”/tmp/eaccelerator”
eaccelerator.enable=”1″
eaccelerator.optimizer=”1″
eaccelerator.check_mtime=”1″
eaccelerator.debug=”0″
eaccelerator.filter=”"
eaccelerator.shm_max=”0″
eaccelerator.shm_ttl=”0″
eaccelerator.shm_prune_period=”0″
eaccelerator.shm_only=”0″
eaccelerator.compress=”1″
eaccelerator.compress_level=”9″

—————————————————————————-
For a Zend extension install (only if you have Zend installed, or
if you’re going to install it
—————————————————————————-

zend_extension=”/usr/lib/php4/eaccelerator.so”
eaccelerator.shm_size=”16″
eaccelerator.cache_dir=”/tmp/eaccelerator”
eaccelerator.enable=”1″
eaccelerator.optimizer=”1″
eaccelerator.check_mtime=”1″
eaccelerator.debug=”0″
eaccelerator.filter=”"
eaccelerator.shm_max=”0″
eaccelerator.shm_ttl=”0″
eaccelerator.shm_prune_period=”0″
eaccelerator.shm_only=”0″
eaccelerator.compress=”1″
eaccelerator.compress_level=”9″

5. Now we need to make the cache directory, where the cache files will be stored.

cd ~

mkdir /tmp/eaccelerator/

chmod 0777 /tmp/eaccelerator/

6. Yay, it’s installed! Let’s restart Apache now so that Eaccelerator will start working:

service httpd restart

7. You *should* notice some sort of speed boost or that the server load/memory use has decreased. But let’s just make sure that it’s installed properly.

Open up your favorite FTP client and upload the eaccelerator.php and eaccelerator_password.php files to any directory on your website. I uploaded mine to my forum directory, but you can pretty much place them anywhere in the public_html directory.

Once that’s done, you can go to http://www.your-domain.com/path_to_s…ccelerator.php (of course, replacing that with the path to the script) to see if it’s installed. If it’s installed properly, you’ll see a screen like this:

Otherwise, you’ll see a screen saying that it’s not installed. You have to go back through the instructions, retry it and see if that works. Check to make sure that you specified the right directories and files in the instructions above!

Now, we’ll probably want to add a password to prevent some mean user from clearing the cached scripts or causing other bad stuff to happen. Navigate to the eaccelerator_password file and set an administrator name and password.

This doesn’t set the password, but it gives you a line of code to place in your php.ini file (just below the eaccelerator part). Once you do this, you need to log in to view the eaccelerator page.

After you’re done, you can delete or rename this file, but it’s not required.

BTW just in addition: eaccelerator does NOT work with php compiled as cgi, so it is not possible to use it with phpsuexec or with suphp.

No related posts.

No related posts.

T0rn Rootkit

Tornkit is a rootkit, a set of programs that is used by an intruder to have unrestricted access to a compromised Linux system. Tornkit is also attempts to hide its presence.

The t0rn rootkit is designed for speed. By that I mean that it was designed to install quickly on Linux machines. T0rn can do this because it takes very little skill to install and run. All of the binaries that the attacker would need come pre-compiled and the installation process is as simple as ./t0rn. T0rn comes standard with a log cleaner called t0rnsb, a sniffer named t0rns and a log parser called t0rnp.

I am including this so that you all diag and clean up your hacked server.

First of all,
Login to WHM as root
Click Tweak Settings
and please remove the tick from
Allow cPanel users to reset their password via email

Step 1. run chkrootkit, and you will see some INFECTED lines. It will also report that some process are hidden from the ps

chkrootkit

Checking `ifconfig’… INFECTED
Checking `login’… INFECTED
Checking `pstree’… INFECTED
and also:
Checking `lkm’… You have X process hidden for ps command
Warning: Possible LKM Trojan installed

Step 2. /etc/init.d/syslog restart

Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]

Step 3. top

top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory

Step 4. tail /etc/rc.d/rc.sysinit

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

——————————————————–

OK.. looks like someone got to your server as well. Since we know what rootkit it is, let us investigate further.

Configuration files

/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}

Infected Binaries:

top, ps, pstree lsof, md5sum, dir, login, encrypt,ifconfig,find,ls,slocate,
tks,tksb,top,tkpnetstat,pg,syslogd,sz

Infected Librairies:
libproc.a,libproc.so.2.0.6,libproc.so

BackDoor: (located at /lib/lblip.tk)

shdc
shhk.pub
shk
shrs

——————————————————–

Now, Lets start the cleaning process:

Step 1.
pico /etc/rc.d/rc.sysinit

remove the lines that show

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

Step 2.
reboot the system

WARNING: 2 servers got their kernel removed after reboot.
If your’s is the case and that is what the DataCenter complains after reboot, please ask them to do the following:

reboot the system using the redhat CD into rescue mode
chroot to the /mnt/sysimage
reinstall kernel packages

that should fix it.

– since already in resuce mode, perhaps also ask them to –force install the following rpm’s

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

Step 3.
After the system is up

cd /lib
rm -rf lblip.tk

Step 4.
remove the configuration files given above.

Step 5.
cat /etc/redhat-release
note down your version of redhat, then from
www.rpmfind.net
search for the following rpm’s

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

– and rpm –force install them

Step 6.
if you see the hosts.h file, it says to hide all IP’s from

cat /usr/include/hosts.h
193.60

thus, if you want, you can block all the IP’s from 193.60 to your server via iptables.

Step 7.
If all goes OK,
please reboot the server, and run chkrootkit again…

You should be OK!

No related posts.

Type the following at the command prompt:

pico -w /etc/httpd/conf/httpd.conf

Press [CTRL-W] to start a text search, then type ‘ServerSignature’ and press
[RETURN]

Change:

ServerSignature On

To:

ServerSignature Off
ServerTokens ProductOnly

Now press [CTRL-O] to save the file, then [CTRL-X] to leave the text editor.
Finally, type the following at the command prompt:

service httpd restart

No related posts.

Oh sure, they say they?ll take your name off the list, but they?re lying. What they really want to do is confirm that they?ve got a live address. Also, if you respond, they?ll sell your address to every other spammer on the planet meaning you?ll soon be flooded with even more spam.

2) DON?T POST YOUR ADDRESS ON YOUR WEBSITE

It seems like a good idea at the time, but posting your email address on your personal home page is just an invitation to spammers. Spammers and the people who sell spamming as a business have software that “harvests” email addresses from the Net. This software crawls through the Internet seeking text strings that are -something-@-something-.-something-. When it finds one, it catalogs it on a database of other email addresses to be used to send spam.

3) USE A SECOND EMAIL ADDRESS IN NEWSGROUPS

Newsgroups are the great email address gathering ground for spammers. If you post to a group, you?re going to get spam — it is just a matter of time. So how are you supposed to participate? Use a different email address than the one you use for talking to friends and relatives. In other words, have a public address and a private address. You?ll just have to deal with the spam in your public account.

4) DON?T GIVE YOUR EMAIL ADDRESS WITHOUT KNOWING HOW IT WILL BE USED

If a website is asking for your email address, they want to use it for something. Be sure you know what. Read the terms of use and privacy statements of any site before telling them your address. Ask yourself some simple questions. Are they going to share or sell my address? Do I want emails from this website? Do I trust them? Is it worth the risk? If you can?t answer these questions satisfactorily, if you can?t find their privacy statement, don?t tell them your address.

5) USE A SPAM FILTER

While there is no such thing as a perfect filter, anti-spam software can help keep spam at manageable level. Some of it is cumbersome, some works better than others, some even requires that you let your email messages go through another system for storage and cleaning.

6) NEVER BUY ANYTHING ADVERTISED IN SPAM

The reason that people spam is because they can make money. They make money, like all advertisers, by convincing people to buy a product. If no one buys the things advertised in spam, companies will quit paying spammers to advertise their products.

No related posts.

How To Install RKHunter

How To Install CHKROOTKIT

1. Login to your server as root. (SSH)

2. Down load the chkrootkit.
Type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

3. Unpack the chkrootkit you just downloaded.
Type: tar xvzf chkrootkit.tar.gz

4. Change to new directory

Type: cd chkrootkit*

5. Compile chkrootkit
Type: make sense

6. Run chkrootkit
Type: ./chkrootkit

If it says “Checking `bindshell’… INFECTED (PORTS: 465)”

This is normal and it is NOT really a virus.

No related posts.

This How-To will show you how to install BFD on your Linux Server to prevent and monitor brute force hack attempts.

This software like some others has requirements. You must be running APF / Advanced Policy Firewall for Brute Force Detection to work.

1. Login to your server via SSH as Root.

2. Type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

3. Type: tar -xvzf bfd-current.tar.gz

4. Type: cd bfd*

5. Now let’s install BFD onto the server.
Type: ./install.sh

:: You Should See ::
.: BFD installed

Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

6. Now we need to edit the configuration file, and set some options.
Don’t worry the BFD Configuration isn’t hard to edit or understand!
Type: pico -w /usr/local/bfd/conf.bfd

7. Now we need to find the line to edit:

Press: CTRL-W
Type: ALERT_USR
Change ALERT_USR=”0″ TO ALERT_USR=”1″ <
Right below that we need to change the email:
Change EMAIL_USR=”root” TO EMAIL_USR=”you@yoursite.com”

8. That wasn’t to bad let’s save and exit the file
Press: CTRL-X then type Y then hit enter

9. Now we have to prevent locking yourself out of the server.
Type: pico -w /usr/local/bfd/ignore.hosts

10. Add any IP address that you want to be ignored from the rules. If your server provider is doing monitoring add their IP(s) here. Since you need these IPs open in APF as well you can copy the IPs you used in APF.
Type: pico -w /etc/apf/allow_hosts.rules
Then scroll down to the bottom and copy those IPs (drag mouse over that’s it)
Press: CTRL-X
Type: pico -w /usr/local/bfd/ignore.hosts

Paste those IPs to the bottom. You should also add your home IP if you hadn’t done so before. If your home IP is dynamic this is not a good idea, and you should get a static IP.
Press: CTRL-X then Y to save then enter.

11. Now lets run BDF!!!
Type: /usr/local/sbin/bfd -s

Just in case if you want to enable a banned IP again to acess your server again:

pico /etc/apf/deny_hosts.rules and find the IP address which has been banned and simply delete it !
after that ctrl + x and y and enter

No related posts.

2. Type: pico -w /etc/xinetd.d/telnet

3. Change the disable = no line to
disable = yes.

4. CTRL+X then Y then enter to save the file.

5. Restart xinted.
Type: /etc/rc.d/init.d/xinetd restart

No related posts.