Pages

Saturday, April 15, 2017

Linux: tools to scan a Linux server for malware and rootkits.

This tools are: chkrootkit, rkhunter, fuser and ISPProtect. All of this tools can be install under Fedora 25 with dnf tool. First tool is chkrootkit is a classic rootkit scanner. It checks your server for suspicious rootkit processes and checks for a list of known rootkit files.
[root@localhost mythcat]# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
...
The Rootkit Hunter named rkhunter is a Unix-based tool that scans for rootkits, backdoors and possible local exploits.
[root@localhost mythcat]# rkhunter --update
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
[root@localhost mythcat]# rkhunter --propupd
[ Rootkit Hunter version 1.4.2 ]
File created: searched for 172 files, found 136
[root@localhost mythcat]# rkhunter -c --enable all --disable none
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/basename                                        [ OK ]
    /usr/bin/bash                                            [ OK ]
    /usr/bin/cat                                             [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/chmod                                           [ OK ]
    /usr/bin/chown                                           [ OK ]
    /usr/bin/cp                                              [ OK ]
...
Another tool is fuser
[root@localhost mythcat]# fuser -vn tcp 5222
...
The output of this command let you to see the recall of anything on your machine that should be listening on tcp port 5222.
[root@localhost mythcat]# fuser -vn tcp 19635
...
This output indicates that there is a process named "foo" running with PID number and listening on port 19635. The last tool is ISPProtect. ISPProtect is a malware scanner for web servers, it scans for malware in website files and CMS systems like Wordpress, Joomla, Drupal

Tuesday, March 28, 2017

The journalctl command.

This is a good Linux command for Linux maintenance.
The first step is to read the documentation:
[root@localhost mythcat]# man journalctl
JOURNALCTL(1)                     journalctl                     JOURNALCTL(1)

NAME
       journalctl - Query the systemd journal

SYNOPSIS
       journalctl [OPTIONS...] [MATCHES...]

DESCRIPTION
       journalctl may be used to query the contents of the systemd(1) journal
       as written by systemd-journald.service(8).

       If called without parameters, it will show the full contents of the
       journal, starting with the oldest entry collected.

       If one or more match arguments are passed, the output is filtered
       accordingly. A match is in the format "FIELD=VALUE", e.g.
       "_SYSTEMD_UNIT=httpd.service", referring to the components of a
       structured journal entry. See systemd.journal-fields(7) for a list of
       well-known fields. If multiple matches are specified matching different
       fields, the log entries are filtered by both, i.e. the resulting output
       will show only entries matching all the specified matches of this kind.
       If two matches apply to the same field, then they are automatically
       matched as alternatives, i.e. the resulting output will show entries
       matching any of the specified matches for the same field. Finally, the
       character "+" may appear as a separate word between other terms on the
       command line. This causes all matches before and after to be combined
       in a disjunction (i.e. logical OR).
       ...
The self-maintenance method is to vacuum the logs.
This helps you with free space into your Linux OS.
For example, I got 3 Gigabytes of data in just 3 days.
# journalctl --vacuum-time=3d
Vacuuming done, freed 3.7G of archived journals on disk. To clean up this you can use the command into several ways:
  • by time
  • journalctl --vacuum-time=2d
  • retain only the past 500 MB
  • journalctl --vacuum-size=500M
As you know: The is an init system used in Linux distributions to bootstrap the user space and manage all processes subsequently. The journald daemon handles all of the messages produced by the kernel, initrd, services, etc. You can use the journalctl utility, which can be used to access and manipulate the data held within the journal. Let's start with some examples: How to see the configuration file for this process:
[root@localhost mythcat]# cat /etc/systemd/journald.conf
Also, you can see the status of this service:
[root@localhost mythcat]# systemctl status  systemd-journald
● systemd-journald.service - Journal Service
   Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; vendor preset: disabled)
   Active: active (running) since Tue 2017-03-28 09:12:20 EEST; 1h 8min ago
     Docs: man:systemd-journald.service(8)
           man:journald.conf(5)
 Main PID: 803 (systemd-journal)
   Status: "Processing requests..."
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/systemd-journald.service
           └─803 /usr/lib/systemd/systemd-journald

Mar 28 09:12:20 localhost.localdomain systemd-journald[803]: Runtime journal (/run/log/journal/) is 8.0M,
max 371.5M, 363.5M free.
Mar 28 09:12:20 localhost.localdomain systemd-journald[803]: Journal started
Mar 28 09:12:22 localhost.localdomain systemd-journald[803]: System journal (/var/log/journal/) is 3.9G,
max 4.0G, 23.8M free.
Mar 28 09:12:23 localhost.localdomain systemd-journald[803]: Time spent on flushing to /var is 915.454ms
I hope this article will help you with Linux maintenance

Friday, March 17, 2017

Measure the charging with Ampere.

This android application let you to know more about your battery.
Just use it to measure the charging and discharging current of your battery.
-
Or, you can also use a hardware device and Fedora 25 to have a great life.

Wednesday, March 15, 2017

Fedora 25: First test with clamav antivirus.

This is a short tutorial about how to use ClamAV antivirus on Fedora 25.
First, you need to install it with this commands:
[root@localhost mythcat]# dnf install clamav.x86_64 
...

[root@localhost mythcat]# dnf install clamav-update.x86_64
...
Make settings into your /etc/freshclam.conf file. I used awk tool to show you my settings from /etc/freshclam.conf:
[root@localhost mythcat]# awk -F: '/^[^#]/ { print $1 }' /etc/freshclam.conf | uniq 
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/freshclam.log
LogFileMaxSize 2M
LogTime yes
LogVerbose yes
LogSyslog yes
LogFacility LOG_MAIL
LogRotate yes
DatabaseOwner clamupdate
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 5
ScriptedUpdates yes
DetectionStatsCountry country-code
SafeBrowsing yes
Update the ClamAV antivirus with :
[root@localhost mythcat]# /usr/bin/freshclam
ClamAV update process started at Wed Mar 15 13:42:07 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
WARNING: getfile: daily-21724.cdiff not found on database.clamav.net (IP: 195.30.97.3)
WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
Trying host database.clamav.net (212.7.0.71)...
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host database.clamav.net (IP: 212.7.0.71)
WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 23205, sigs: 1789155, f-level: 63, builder: neo)
Downloading safebrowsing.cvd [100%]
safebrowsing.cvd updated (version: 45693, sigs: 2756150, f-level: 63, builder: google)
Downloading bytecode-279.cdiff [100%]
Downloading bytecode-280.cdiff [100%]
Downloading bytecode-281.cdiff [100%]
Downloading bytecode-282.cdiff [100%]
Downloading bytecode-283.cdiff [100%]
Downloading bytecode-284.cdiff [100%]
Downloading bytecode-285.cdiff [100%]
Downloading bytecode-286.cdiff [100%]
Downloading bytecode-287.cdiff [100%]
Downloading bytecode-288.cdiff [100%]
Downloading bytecode-289.cdiff [100%]
Downloading bytecode-290.cdiff [100%]
Downloading bytecode-291.cdiff [100%]
bytecode.cld updated (version: 291, sigs: 55, f-level: 63, builder: neo)
Database updated (8764150 signatures) from database.clamav.net (IP: 157.25.5.183)
Now you can run it on Fedora 25 folder with this.
[root@localhost mythcat]# clamscan 
/home/mythcat/.bash_logout: OK
/home/mythcat/.bash_profile: OK
...
----------- SCAN SUMMARY -----------
Known viruses: 8758441
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 54
Infected files: 0
Data scanned: 71.80 MB
Data read: 189.96 MB (ratio 0.38:1)
Time: 13.968 sec (0 m 13 s)
This tool comes with many options and features for Fedora workstations and server. Just read the documentation and make your changes. To check all files on the computer, but only display infected files and ring a bell when found:
clamscan -r --bell -i / 
To check files in the all users home directories:
clamscan -r /home 
If you got this error:
LibClamAV Warning: fmap_readpage: pread fail: ... 
Then this comes from sysfs and is a virtual file system provided by the Linux kernel and need to be excluded with this arg:
--exclude-dir="^/sys"
--exclude-dir=^/sys  --exclude-dir=^/dev --exclude-dir=^/proc 
My result of scan ( the file FOUND is not a virus) :
/home/mythcat/devil-linux-1.8.0-rc2-x86_64/install-on-usb.exe: Win.Trojan.Delfiles-17 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9042471
Engine version: 0.99.2
Scanned directories: 98653
Scanned files: 570740
Infected files: 1
Data scanned: 29750.14 MB
Data read: 48591.70 MB (ratio 0.61:1)
Time: 3819.053 sec (63 m 39 s)

Tuesday, March 14, 2017

QEMU - Devil Linux on Fedora 25.

QEMU (short for Quick Emulator) is a free and open-source hosted hypervisor that performs hardware virtualization QEMU is a hosted virtual machine monitor. You can install this software using dnf tool.
dnf install qemu.x86_64 
You can use any iso image from internet to run and test your distro linux. Just use this command:
I tested with Devil Linux iso without network ( the main reason was the settings of Devil Linux distro).
qemu-system-x86_64 -boot d -cdrom ~/devil-linux-1.8.0-rc2-x86_64/bootcd.iso --enable-kvm -m 2048
 -netdev user,id=user.0
Some args of qemu tool:
- qemu-system-x86_64 is the option for x86 architecture (64 bit);
- boot and -d set options for booting and debug;
- the -cdrom option set the iso file path and file;
- the --enable-kvm enable Kernel Virtual Machine;
- the -m 2048 set memory;
- the -netdev user,id=user.0 that tells us about qemu to use the user mode network stack which requires no administrator privilege to run;  
About QEMU VLAN.
QEMU networking uses a networking technology that is like VLAN. The QEMU forward packets to guest operating systems that are on the same VLAN. Examples with qemu-kvm options:
-net nic,model=virtio,vlan=0,macaddr=00:16:3e:00:01:01 
-net tap,vlan=0,script=/root/ifup-br0,downscript=/root/ifdown-br0 
-net nic,model=virtio,vlan=1,macaddr=00:16:3e:00:01:02 
-net tap,vlan=1,script=/root/ifup-br1,downscript=/root/ifdown-br1
- net nic command defines a network adapter in the guest operating system. - net tap command defines how QEMU configures the host. You can disabling networking entirely:
-net none

Thursday, March 9, 2017

News: WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency.

This is a old news and comes from WikiLeaks how to start one new series of leaks on the U.S. Central Intelligence Agency.
For me is another way to show bugs to people.
The article can be found here:
Some software come with new updates to fix bugs - like notepad, see article: Notepad++ 7.3.3 update fixe.

Wednesday, March 8, 2017

Fedora 25: Enable gnome notifications Fedmsg and Openweather.

This tutorial is about gnome environment and notifications.
If you want to see notifications about your work and account under Fedora distro or just to see the weather then you need to deal with this tools.
Take a look to your gnome version and shell version:
[mythcat@localhost ~]$ gnome-about --gnome-version 
Version: 2.32.0
Distributor: Red Hat, Inc
Build Date: 02/04/2016
[mythcat@localhost ~]$ gnome-shell --version 
GNOME Shell 3.22.3
Use the dnf install tool and get this packages:
gnome-weather.noarch : A weather application for GNOME
gnome-weather-tests.noarch : Tests for the gnome-weather package
gnome-shell-extension-openweather.noarch : Display weather information from many
gnome-shell-extension-apps-menu.noarch : Application menu for GNOME Shell
gnome-shell.x86_64 : Window management and application launching for GNOME
gnome-shell-extension-common.noarch : Files common to GNOME Shell Extensions
gnome-tweak-tool.noarch : A tool to customize advanced GNOME 3 options
Use this command to make settings:
[mythcat@localhost ~]$ gnome-tweak-tool
You will see a window with options for enable Fedmsg and Openweather notifications.
After select on option then just use right click to make settings for each extension.