Thursday, 5 December 2013

could not bind to address no listening sockets available, shutting downUnable to open logs

Yesterday i tried to restart my apache service ( httpd) in my server but i got following error

[root@server ~]# service httpd restart
Stopping httpd:                                            [  FAILED  ]
httpd not running,
trying to start(98)Address already in use: make_sock: could not bind to address x.x.x.x:80 no
listening sockets available, shutting downUnable to open logs
                                                           [  FAILED  ]
[root@server ~]#


After i checked my server http established connection using following command

[root@st-web ~]# netstat -n | grep :80 |wc -l
1800

[root@server ~]# pgrep httpd | wc -l
1800

Then i killed all the http established connection and restart the httpd service

[root@server ~]# killall httpd

[root@server ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                             [  OK  ]



My issue resolved...

Friday, 29 November 2013

mail_queue_enter: create file maildrop/xxxxxx.xxxx: Permission denied

Yesterday i tried to delete postfix queue mail but i can't delete that. I got below error

[root@server]# postsuper -d ALL

postsuper: fatal: remove file defer/1/13A7B62058F: Permission denied

After i checked following things,

[root@server]# tail /var/log/maillog

Nov 28 18:59:14 server postfix/postdrop[7269]: warning: mail_queue_enter: create file maildrop/913395.7269: Permission denied
Nov 28 18:59:17 server postfix/postdrop[7785]: warning: mail_queue_enter: create file maildrop/960660.7785: Permission denied
Nov 28 18:59:24 server postfix/postdrop[7269]: warning: mail_queue_enter: create file maildrop/913567.7269: Permission denied
Nov 28 18:59:27 server postfix/postdrop[7785]: warning: mail_queue_enter: create file maildrop/960808.7785: Permission denied



[root@server ]# postfix check

postfix/postfix-script: warning: group or other writable: /var/spool/postfix
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/4
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/F
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/5
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/6
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/C
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/0
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/9
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/3
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/7
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/B
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/8
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/E
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/D
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/1
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/1/13A7B62058F
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/A
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/2
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/defer/2/2F356620591
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/4
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/F
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/5
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/6
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/C
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/0
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/9
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/3
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/7
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/B
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/8
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/E
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/D
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/1
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/1/13A7B62058F
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/A
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/2
postfix/postfix-script: warning: not owned by postfix: /var/spool/postfix/deferred/2/2F356620591
postfix/postfix-script: warning: not set-gid or not owner+group+world executable: /usr/sbin/postqueue
postfix/postfix-script: warning: not set-gid or not owner+group+world executable: /usr/sbin/postdrop
[root@server ]#



The above error is giving the permission error . So i restored default permission for postfix using below command

[root@server]# postfix set-permissions

After i  run "postfix check" command. It is not showing any error.

Again i tried to clear the queue mail but i can't. So i stopped the postfix service

[root@server]# service postfix stop

Shutting down postfix:                                     [  OK  ]

After I checked postdrop process using below command

[root@server]# pgrep postdrop

7269
7785

I killed all the postdrop process 

[root@server]# killall postdrop
I restarted the posfix service

[root@server]# service postfix restart 

Shutting down postfix:                                     [FAILED]
Starting postfix:                                          [  OK  ]
 

Now i can able to remove my queue mail.....

Thursday, 21 November 2013

How to install nginx on Centos 6


Here i am going to install the Nginx using nginx official repository

To create nginx repo,

[root@localhost ~]# vim /etc/yum.repos.d/nginx.repo

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

:wq



To install nginx using yum,
 
[root@localhost ~]# yum install nginx



To start the nginx service,


[root@localhost ~]# /etc/init.d/nginx start

Starting nginx:                                            [  OK  ]
[root@localhost ~]#

To verfiy the version,

[root@locahost ~]# nginx -v

To list the nginx files location,

[root@localhost ~]# rpm -ql nginx

/etc/logrotate.d/nginx
/etc/nginx
/etc/nginx/conf.d
/etc/nginx/conf.d/default.conf
/etc/nginx/conf.d/ssl.conf
/etc/nginx/conf.d/virtual.conf
/etc/nginx/fastcgi.conf
/etc/nginx/fastcgi.conf.default
/etc/nginx/fastcgi_params
/etc/nginx/fastcgi_params.default
/etc/nginx/koi-utf
/etc/nginx/koi-win
/etc/nginx/mime.types
/etc/nginx/mime.types.default
/etc/nginx/nginx.conf
/etc/nginx/nginx.conf.default
/etc/nginx/scgi_params
/etc/nginx/scgi_params.default
/etc/nginx/uwsgi_params
/etc/nginx/uwsgi_params.default
/etc/nginx/win-utf
/etc/rc.d/init.d/nginx
/etc/sysconfig/nginx
/usr/lib64/perl5/vendor_perl/auto/nginx
/usr/lib64/perl5/vendor_perl/auto/nginx/nginx.so
/usr/lib64/perl5/vendor_perl/nginx.pm
/usr/sbin/nginx
/usr/share/doc/nginx-1.0.15
/usr/share/doc/nginx-1.0.15/CHANGES
/usr/share/doc/nginx-1.0.15/LICENSE
/usr/share/doc/nginx-1.0.15/README
/usr/share/man/man3/nginx.3pm.gz
/usr/share/man/man8/nginx.8.gz
/usr/share/nginx
/usr/share/nginx/html
/usr/share/nginx/html/404.html
/usr/share/nginx/html/50x.html
/usr/share/nginx/html/index.html
/usr/share/nginx/html/nginx-logo.png
/usr/share/nginx/html/poweredby.png
/var/lib/nginx
/var/lib/nginx/tmp
/var/log/nginx
[root@localhost ~]#

Now you can able to access the nginx default page. Go to the web browser and type your machine ip address or localhost. In my case ip address 10.118.248.52


It's working...

Tuesday, 19 November 2013

Install Thunderbird on Centos 6.3 x86_64

First you need to install EPEL repo.Already you installed EPEL then  move to next steps otherwise you will install the EPEL repo from this link.

After installing the EPEL repo you will check availability of thunderbird use the following command

[root@manivel ~]# yum list thunderbird
 

Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
epel/metalink                                                                                    | 5.5 kB     00:00    
 * base: mirrors.digipower.vn
 * epel: mirror.neu.edu.cn
 * extras: mirror.vietoss.com
 * updates: 
mirror.vietoss.com
base                                                                                                   | 3.7 kB     00:00   
extras                                                                                                 | 3.4 kB     00:00   
google-chrome                                                                                   |  951 B     00:00   
linuxtech-release                                                                                | 2.6 kB     00:00   
updates                                                                                              | 3.4 kB     00:00   
Available Packages
thunderbird.x86_64           17.0.10-1.el6.centos                                updates
 

Install Thunderbird using below command

[root@manivel ~]# yum install thunderbird
 

Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: centos-hn.viettelidc.com.vn
 * epel: mirror.neu.edu.cn
 * extras: mirror.vietoss.com
 * updates: mirror.vietoss.com
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package thunderbird.x86_64 0:17.0.10-1.el6.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================
 Package         Arch                       Version                    Repository             Size

Installing:
 thunderbird      x86_64                17.0.10-1.el6.centos       updates              38 M

Transaction Summary
========================================================================
Install       1 Package(s)

Total download size: 38 M
Installed size: 71 M
Is this ok [y/N]: y
Downloading Packages:
http://mirror.vietoss.com/CentOS/6.4/updates/x86_64/Packages/thunderbird-17.0.10-1.el6.centos.x86_64.rpm: [Errno 12] Timeout on http://mirror.vietoss.com/CentOS/6.4/updates/x86_64/Packages/thunderbird-17.0.10-1.el6.centos.x86_64.rpm: (28, 'Operation too slow. Less than 1 bytes/sec transfered the last 30 seconds')
Trying other mirror.
thunderbird-17.0.10-1.el6.centos.x86_64.rpm                                                                                                      |  38 MB     01:25   
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : thunderbird-17.0.10-1.el6.centos.x86_64                                                                                                              1/1
  Verifying  : thunderbird-17.0.10-1.el6.centos.x86_64                                                                                                              1/1

Installed:
  thunderbird.x86_64 0:17.0.10-1.el6.centos                                                                                                                           

Complete!


Now you can open the thunderbird via command line


[root@manivel ~]# thunderbird 



If you want to open through graphical then Go to Applications ---> Internet ----> Thunderbird Email

Monday, 18 November 2013

tail: cannot watch `/var/log/httpd/access_log': No space left on device

Yesterday  suddenly I checked my apache log using following command 

[root@localhost ~]# tailf /var/log/httpd/access_log

but above command was showing error. It is like below

tail: cannot watch `/var/log/httpd/access_log': No space left on device

 After i searched google and found solution.


Solution: 


             I need to increase inotify value. I checked my default inotify value in below path
" /proc/sys/fs/inotify/max_user_watches " after that i changed that value 8192 to 16384.
This above value depends upon your needs.

         [root@localhost ~]# cat /proc/sys/fs/inotify/max_user_watches 
         8192

         [root@localhost ~]# echo 16384 > /proc/sys/fs/inotify/max_user_watches
 

Issue resolved....

Friday, 1 November 2013

How to check Hardware Information using "dmidecode" on Linux

dmidecode  is a tool for dumping a computer’s DMI  table contents in a human-readable format. This table contains a description of the system’s hardware components.

Type the dmidecode command in command line and you will get long output.It's like below (here i showed little bit)

[root@manivel ~]# dmidecode
 
# dmidecode 2.11
SMBIOS 2.7 present.
25 structures occupying 1180 bytes.
Table at 0x000E6860.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
    Vendor: INSYDE
    Version: 1.20
    Release Date: 08/01/2011
    Address: 0xF0000
    Runtime Size: 64 kB
    ROM Size: 4096 kB
    Characteristics:
        PCI is supported
        PNP is supported

If You could like to find specific hareware information, then you can use dmidecode command with "String keywords (-s) " or "Type keywords (-t) ". You can get both keyword from man page.
( man dmidecode)

String keywords :

  bios-vendor
  bios-version
  bios-release-date
  system-manufacturer
  system-product-name
  system-version
  system-serial-number
  system-uuid
  baseboard-manufacturer
  baseboard-product-name
  baseboard-version
  baseboard-serial-number
  baseboard-asset-tag
  chassis-manufacturer
  chassis-type
  chassis-version
  chassis-serial-number
  chassis-asset-tag
  processor-family
  processor-manufacturer
  processor-version
  processor-frequency
  

Type keywords


  bios
  system
  baseboard
  chassis
  processor
  memory
  cache
  connector
  slot

 
Here i am going to show you how to use above option. 

For example if you want to know the bios-version only then you can use string keyword. Open your terminal with root user.

[root@manivel ~]# dmidecode -s bios-version
 
1.20
 
If you want  to know the processor-version then type below command

[root@manivel ~]# dmidecode -s processor-version
 
Intel(R) Core(TM) i5-2430M CPU @ 2.40GHz
 
If you want to know BIOS full details then you can use below command

[root@manivel ~]# dmidecode -t bios
 
# dmidecode 2.11
SMBIOS 2.7 present.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
    Vendor: INSYDE
    Version: 1.20
    Release Date: 08/01/2011
    Address: 0xF0000
    Runtime Size: 64 kB
    ROM Size: 4096 kB
    Characteristics:
        PCI is supported
        PNP is supported
        BIOS is upgradeable
        BIOS shadowing is allowed
        Boot from CD is supported
        Selectable boot is supported
        EDD is supported
        8042 keyboard services are supported (int 9h)
        CGA/mono video services are supported (int 10h)
        ACPI is supported
        USB legacy is supported
        AGP is supported
        Smart battery is supported
        BIOS boot specification is supported
        Function key-initiated network boot is supported
        Targeted content distribution is supported
    BIOS Revision: 1.20
    Firmware Revision: 1.40

 If you want to know about System product name and serial number then you can use below command.

[root@manivel ~]# dmidecode -t system
 
# dmidecode 2.11
SMBIOS 2.7 present.

Handle 0x0001, DMI type 1, 27 bytes
System Information
    Manufacturer: TOSHIBA
    Product Name: Satellite C640
    Version: PSC2UG-014001
    Serial Number: YB112847Q

    UUID: C04687AB-720C-E111-AA37-00266CE6425D
    Wake-up Type: Power Switch
    SKU Number: PSC2UG-014001
    Family: 

Handle 0x0005, DMI type 12, 5 bytes
System Configuration Options
    Option 1: NVR:00707902
    Option 2: DSN: X197S1O3S         
    Option 3: DSN:TSB1333D3S9SR8/2G471A397D
    Option 4: 

Handle 0x0007, DMI type 32, 20 bytes
System Boot Information
    Status: No errors detected

If you want to know about Memory information then type below command.The below command will show Total RAM slot, Maximum RAM capacity and Total RAM Memory etc...

[root@manivel ~]# dmidecode -t memory
 
# dmidecode 2.11
SMBIOS 2.7 present.

Handle 0x0008, DMI type 16, 15 bytes
Physical Memory Array
    Location: System Board Or Motherboard
    Use: System Memory
    Error Correction Type: None
    Maximum Capacity: 32 GB
    Error Information Handle: 0x0011
    Number Of Devices: 2

Handle 0x0009, DMI type 17, 34 bytes
Memory Device
    Array Handle: 0x0008
    Error Information Handle: 0x000B
    Total Width: 64 bits
    Data Width: 64 bits
    Size: 2048 MB
    Form Factor: SODIMM
    Set: None
    Locator: DIMM0
    Bank Locator: BANK 0
    Type: DDR3
    Type Detail: Synchronous
    Speed: 1333 MHz
    Manufacturer: Kingston
    Serial Number: 471A397D
    Asset Tag: 0123456789
    Part Number: TSB1333D3S9SR8/2G
    Rank: Unknown
    Configured Clock Speed: 1333 MHz

Handle 0x000A, DMI type 6, 11 bytes
Memory Module Information

Handle 0x000D, DMI type 17, 34 bytes
Memory Device
    Array Handle: 0x0008
    Error Information Handle: 0x000F
    Total Width: 64 bits
    Data Width: 64 bits
    Size: 2048 MB
    Form Factor: SODIMM
    Set: None
    Locator: DIMM1
    Bank Locator: BANK 2
    Type: DDR3
    Type Detail: Synchronous
    Speed: 1333 MHz
    Manufacturer: Transcend Information
    Serial Number: 00096FF6
    Asset Tag: 0123456789
    Part Number: JM1333KSN-2G    
    Rank: Unknown
    Configured Clock Speed: 1333 MHz

Handle 0x000E, DMI type 6, 11 bytes
Memory Module Information

Handle 0x0013, DMI type 5, 20 bytes
Memory Controller Information
    Error Detecting Method: None
    Error Correcting Capabilities:
        Unknown
        None
    Supported Interleave: One-way Interleave
    Current Interleave: One-way Interleave
    Maximum Memory Module Size: 8192 MB
    Maximum Total Memory Size: 16384 MB
    Supported Speeds:
        Other
    Supported Memory Types:
        Other
    Memory Module Voltage: Unknown
    Associated Memory Slots: 2
        0x000A
        0x000E
    Enabled Error Correcting Capabilities:
        None
 
 If you want to know about Procssor details, then you can use below command

[root@manivel ~]# dmidecode -t processor
 
# dmidecode 2.11
SMBIOS 2.7 present.

Handle 0x0014, DMI type 4, 42 bytes
Processor Information
    Socket Designation: CPU
    Type: Central Processor
    Family: Core i5
    Manufacturer: Intel(R) Corporation

    ID: A7 06 02 00 FF FB EB BF
    Signature: Type 0, Family 6, Model 42, Stepping 7
    Flags:
        FPU (Floating-point unit on-chip)
        VME (Virtual mode extension)
        DE (Debugging extension)
        PSE (Page size extension)
        TSC (Time stamp counter)
        MSR (Model specific registers)
        PAE (Physical address extension)
        MCE (Machine check exception)
        CX8 (CMPXCHG8 instruction supported)
        APIC (On-chip APIC hardware supported)
        SEP (Fast system call)
        MTRR (Memory type range registers)
        PGE (Page global enable)
        MCA (Machine check architecture)
        CMOV (Conditional move instruction supported)
        PAT (Page attribute table)
        PSE-36 (36-bit page size extension)
        CLFSH (CLFLUSH instruction supported)
        DS (Debug store)
        ACPI (ACPI supported)
        MMX (MMX technology supported)
        FXSR (FXSAVE and FXSTOR instructions supported)
        SSE (Streaming SIMD extensions)
        SSE2 (Streaming SIMD extensions 2)
        SS (Self-snoop)
        HTT (Multi-threading)
        TM (Thermal monitor supported)
        PBE (Pending break enabled)
    Version: Intel(R) Core(TM) i5-2430M CPU @ 2.40GHz
    Voltage: 1.3 V
    External Clock: 1333 MHz
    Max Speed: 4000 MHz
    Current Speed: 2400 MHz

    Status: Populated, Enabled
    Upgrade: ZIF Socket
    L1 Cache Handle: 0x0015
    L2 Cache Handle: 0x0016
    L3 Cache Handle: 0x0017
    Serial Number: Not Specified
    Asset Tag: FFFF
    Part Number: Not Specified
    Core Count: 2
    Core Enabled: 2
    Thread Count: 4
    Characteristics:
        64-bit capable

I hope, you get some ideas from here...

Tuesday, 29 October 2013

Snort Alert - ZmEu Scanner

Yesterday I was doing my work suddenly i received some alerts on my Snort IDS with Signature. It's like below

 #48-(3-699628) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:28:00 91.121.158.56:59362 10.21.1.19:80 TCP
#49-(3-699627) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59179 10.21.1.19:80 TCP
#50-(3-699626) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59010 10.21.1.19:80 TCP
#51-(3-699625) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58725 10.21.1.19:80 TCP
#53-(3-699623) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58563 10.21.1.19:80 TCP



after i searched google regarding ZmEu and found some one try discovering phpMyAdmin security hole. I confirmed my apache access.log also. It is showing some hacker try to hack phpMyAdmin.


91.121.158.56 - - [29/Oct/2013:13:27:58 +0530] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /pma/scripts/setup.php HTTP/1.1" 404 17112 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"

We can block above ZmEu scanner using iptables or fail2ban. Here i am going to use iptables string match.

Iptables rule:


[root@server~]# iptables -I INPUT -p tcp --dport 80 -m string --to 1000 --algo bm --string 'ZmEu' -j DROP

Explanation:-

     
                --dport   -----> destination port
                     --to   -----> offset to stop searching
                      1000   -----> total 1000 bytes
                 --algo   -----> Algorithm ( Two type : 1. bm (Boyer Moore) and 2.kmp (Kunth Pratt Morris )
                --string  -----> Text search pattern (case sensitive)


Save the iptables rule and restart

[root@server~]# service iptables save
[root@server~]# service iptables restart

After you will check the iptables rule. It will show like below

[root@server~]#  iptables -nvL

   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80 STRING match "ZmEu" ALGO name bm TO 1000


Now I blocked ZmEu using Iptables.....

Wednesday, 23 October 2013

Snort Alert - DFind w00tw00t GET-Requests

I received some alerts on my IDS with Signature. It's like below


        #632-(3-693403) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-23 08:51:34 89.46.161.210:30693 10.21.1.19:80 TCP

       #706-(3-692963) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-23 00:21:54 85.214.236.97:64368 10.21.1.19:80 TCP

#707-(3-692918) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-22 23:34:23 24.172.10.141:4456 10.21.1.19:80 TCP

#726-(3-692857) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-22 22:23:33 89.46.161.210:21368 10.21.1.19:80 TCP



After i checked all the payload. It is like below



I searched regarding this alert (w00tw00t.at.ISC.SANS.Win32 ) and getting this is one type of vulnerability scanners after i checked my apache access.log . It's like below

[root@server~]# less /var/log/httpd/access_log | grep "GET /w00tw00t.at.ISC.SANS"


89.46.161.210 - - [22/Oct/2013:22:23:33 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"
24.172.10.141 - - [22/Oct/2013:23:34:23 +0530] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
85.214.236.97 - - [23/Oct/2013:00:21:54 +0530] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
89.46.161.210 - - [23/Oct/2013:08:51:34 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"

The above attempt was unsuccessful because 400 (Bad request) error indicating after I checked my apache error.log also. It is like below


[root@server ~]# less /var/log/httpd/error_log | grep "89.46.161.210"


[Tue Oct 22 22:23:33 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Wed Oct 23 08:51:34 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Wed Oct 23 19:08:46 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)

[root@server~]# less /var/log/httpd/error_log | grep "24.172.10.141"

[Tue Oct 22 23:34:23 2013] [error] [client 24.172.10.141] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)


 Above request without hostname.  Any HTTP/1.1 request should have host ( like example.com).

Today also i received lot of alert regarding  vulnerability scanners. So I decided to drop this type of GET request using IPTABLES.

Iptables rule:

I used string match option.

[root@server~]# iptables -I INPUT -d xx.xx.xx.xx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Explanation:-

       
                       -d   ------> Destination
        xx.xx.xx.xx   -----> your server ipaddress
                --dport   -----> destination port
                     --to   -----> offset to stop searching
                      70   -----> total 70 bytes
                 --algo   -----> Algorithm ( Two type : 1. bm (Boyer Moore) and 2.kmp (Kunth Pratt Morris )
                --string  -----> Text search pattern (case sensitive)


Save the iptables rule and restart

[root@server~]# service iptables save
[root@server~]# service iptables restart

After you will check the iptables rule. It will show like below

[root@server~]#  iptables -nvL

   0     0 DROP       tcp  --  *      *       0.0.0.0/0            176.9.7.40          tcp dpt:80 STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70


Now we blocked DFind w00tw00t GET-Requests using Iptables.....

Monday, 21 October 2013

Apache (internal dummy connection)

Today i checked my apache log file in my server and  found lot of  "internal dummy connection". That is like below

          [root@server ~]# cat /var/log/httpd/access_log


 - - [21/Oct/2013:23:21:14 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:22:21 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:22:49 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:23:51 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:24:53 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:25:10 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:32:32 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:32:34 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:34:05 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:34:06 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 - - [21/Oct/2013:23:34:32 +0530] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"


I want to ignore above log from access.log file . So i searched and found solution for "internal dummy connection"

Solution :


    I added below lines in "httpd.conf" file

             [root@server ~]# vim /etc/httpd/conf/httpd.conf

                          SetEnvIf Remote_Addr "127\.0\.0\.1" loopback
                          SetEnvIf Remote_Addr "::1" loopback
                          SetEnvIf User-Agent ".*internal dummy connection.*" loopback
                          CustomLog logs/access_log combined env=!loopback

              :wq

     After i restarted  the httpd service

            [root@server ~]# /etc/init.d/httpd restart

My issue resolved.....


Thursday, 17 October 2013

Snort Alert - Morfeus F Scanner

Today morning i received some alerts on Snort IDS with Signature. It is like below



#2885-(2-579886) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP

#2886-(2-579887) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60747 10.21.1.19:80 TCP

#2887-(2-579888) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:32975 10.21.1.19:80 TCP

#2888-(2-666456) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60191 10.21.1.19:80 TCP

#2889-(2-666457) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP

#2890-(2-666458) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60747 10.21.1.19:80 TCP

#2891-(2-666459) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:32975 10.21.1.19:80 TCP

#2892-(2-754607) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60191 10.21.1.19:80 TCP

#2893-(2-754608) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP


After that i searched above alert in google and found out they scan websites.I checked my apache access.log  also.


[root@snort~]# grep -R "88.190.22.62" /var/log/httpd/access_log 



88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /roundcubemail/README HTTP/1.1" 404 15869 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /rc/README HTTP/1.1" 404 15858 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /roundcube/README HTTP/1.1" 404 15865 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /mail/README HTTP/1.1" 404 15860 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /README HTTP/1.1" 404 15855 "-" "Morfeus strikes again."


They have not done anything because status code 404 (Not Found) . I decided to block this type of scanner before they will do something 

I bocked Morfeus F Scanner using .htaccess file

Go to website directory and open the ".htaccess " file and  add below two lines

             RewriteCond %{HTTP_USER_AGENT} ^Morfeus
             RewriteRule ^.*$ - [F]

End.....

Friday, 20 September 2013

How to Reset "root" Password Using Single User Mode in Ubuntu

While your system booting hold the Shift Key. You will get the GRUB screen like below


Select the first Grub entry and press e to edit the the Grub entry that splash screen like below



Find and change the line 

linux /boot/vmlinuz-3.2.0-23-generic-pae root=UUID=xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx ro  quiet splash to linux /boot/vmlinuz-3.2.0-23-generic-pae root=UUID=xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx rw init=/bin/bash


After changed above line Press crtl+x or F10 to boot. Now you logged in without password



Now you can able to reset the root password using following command



Enjoy....