The Mystery of Duqu: Part Six (The Command and Control servers)

The Mystery of Duqu: Part Six (The Command and Control servers) – Securelist.

For our particular server, several spikes immediately raise suspicions: 15 February and 19 July, when new versions of OpenSSH were installed; 20 October, when the server cleanup took place. Additionally, we found spikes on 10 February and 3 April, when certain events took place. We were able to identify “dovecot” crashes on these dates, although we can’t be sure whether they were caused by the attackers (“dovecot” remote exploit?) or were simply instabilities.

Of course, for server ‘A’, three big questions remain:

  • How did the attackers get access to this computer in the first place?
  • What exactly was its purpose and how was it (ab-)used?
  • Why did the attackers replace the stock OpenSSH 4.3 with version 5.8?

Interesting read. Apparently there might have been a zero-day exploit in OpenSSH.

From: http://en.wikipedia.org/wiki/Duqu

Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm. The Laboratory of Cryptography and System Security (CrySyS)[1] of the Budapest University of Technology and Economics in Hungary, which discovered the threat, analyzed the malware and wrote a 60-page report[2], naming the threat Duqu.[3] Duqu got its name from the prefix “~DQ” it gives to the names of files it creates.

Here’s an interesting comment on Slashdot.

The only things you should need open to the internet are SSH (“the attackers may have used a zero-day in OpenSSH 4.3 to compromise the C&C servers initially”) and/or IPSec/L2TP. Anything else should redirect to a DMZ that does NOT route to the same subnet as SSH/IPSec/L2TP. The DMZ should not have port access to the regular network (everything should be pushed). The firewall should be set to not allow active connections out from the DMZ to anywhere, and any activity should not just be logged, but flagged and sent to the administrator. All devices in the DMZ should log to a remote (to them) syslog that is polled from outside the DMZ.

There… that’s the ideal world. In reality, this doesn’t account for people who don’t have that much hardware/expertise with VMs, for people who don’t keep up with their patches, for those who want to do an end-run around this policy to set up torrents, etc. directly from their working computer, etc.

It also doesn’t help that most gateway routers these days have some full-fledged OS inside and as a result often have exploits that can be leveraged directly against them due to inappropriate default configurations.
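The segmentation the comment describes, written out as an added example (not code from the Slashdot comment or the Securelist report): an iptables-restore ruleset for a three-interface gateway where only SSH and IPsec/L2TP terminate on the gateway, everything else is redirected into the DMZ, and the DMZ can never open a connection to the internal network or the internet. The interface names (wan0, lan0, dmz0) and the DMZ web host address are assumptions.

```bash
#!/bin/bash
# Added example: generate the gateway ruleset described above in iptables-restore format.
# Assumed layout: wan0 = internet, lan0 = trusted network, dmz0 = DMZ, 10.2.2.10 = DMZ web host.
WAN=wan0; LAN=lan0; DMZ=dmz0
DMZ_WEB=10.2.2.10

# dmz_rules: print the complete ruleset on stdout (feed it to `iptables-restore`).
dmz_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Anything from the internet other than SSH/IPsec/L2TP is redirected into the DMZ.
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
-A PREROUTING -i $WAN -p tcp --dport 443 -j DNAT --to-destination $DMZ_WEB
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only SSH and IPsec/L2TP may terminate on the gateway itself.
-A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
-A INPUT -i $WAN -p udp -m multiport --dports 500,4500,1701 -j ACCEPT
-A INPUT -i $WAN -p esp -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Redirected services may enter the DMZ, and the LAN may push into it (log collection, deploys).
-A FORWARD -i $WAN -o $DMZ -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -j ACCEPT
# The DMZ never initiates: log with a prefix a syslog alert rule can match, then drop.
-A FORWARD -i $DMZ -m state --state NEW -j LOG --log-prefix "DMZ-EGRESS-ALERT: " --log-level 4
-A FORWARD -i $DMZ -m state --state NEW -j DROP
COMMIT
EOF
}

# dmz_is_isolated: exit 0 when the generated ruleset drops every new DMZ-initiated flow.
dmz_is_isolated() {
  dmz_rules | grep -q -- "-A FORWARD -i $DMZ -m state --state NEW -j DROP"
}
```

Apply with `dmz_rules | sudo iptables-restore` on the gateway; the DMZ-EGRESS-ALERT prefix is what the remote syslog host should alert on.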

HowTos/KVM

For the impatient, here is our simple script. We’ll explain it afterwards. This is assuming that you’re on a 192.168.1.0/24 network with no DHCP server.

#!/bin/sh
PATH=$PATH:/usr/sbin:/sbin

# Create the bridge, move eth0's address onto it and join eth0 to the bridge.
sudo brctl addbr br0
sudo ifconfig eth0 0.0.0.0
sudo brctl addif br0 eth0
sudo ifconfig br0 192.168.1.120 netmask 255.255.255.0 up
sudo route add -net 192.168.1.0 netmask 255.255.255.0 br0
sudo route add default gw 192.168.1.1 br0

# Create a persistent tap device owned by the unprivileged user who runs the VM
# (user "john" here), bring it up and add it to the bridge.
sudo tunctl -b -u john
sudo ifconfig tap0 up
sudo brctl addif br0 tap0

export SDL_VIDEO_X11_DGAMOUSE=0

# Let traffic arriving on the bridge through the CentOS default firewall chain.
sudo iptables -I RH-Firewall-1-INPUT -i br0 -j ACCEPT

# Start the guest with its NIC on tap0 (script=no: the tap is already configured above).
qemu-kvm ~/win2k.img -m 512 -net nic -net tap,ifname=tap0,script=no

via HowTos/KVM – CentOS Wiki.

How Can I Justify Using Red Hat When CentOS Exists? – Slashdot

How Can I Justify Using Red Hat When CentOS Exists? – Slashdot.

by Paska (801395) on Sunday October 30, @05:20PM (#37888510)

CentOS’s release schedule has been really struggling recently. Release 6 was almost edging a 250 day delay over Red Hat.

CentOS have still to announce an official date for 6.1 to be released, which Red Hat released back on May 19th. There is a lot of uncertainty regarding CentOS releases and as such in my opinion makes CentOS not the ideal choice for the enterprise.

Other advantages are Red Hat’s support services and the Red Hat Network (RHN) are second to none. RHN alone is what convinced us to pony up money for licenses.

The gist of the advantages are: better support, quicker updates/security fixes, easier and centralised management of multiple servers with the only disadvantage being a price tag.

Interesting discussion about this over on Slashdot.

What do these SATA errors mean?

For SATA drives, occasional transmission problems are expected even on otherwise pretty healthy systems. No need to worry about it too much unless the problem repeats itself a lot.

via What do these SATA errors mean / kernel 2.6.25.6 (DRDY ERR/ICRC ABRT) | Linux | Kernel.

This error occurred on the drive using the hot swap cage.  I wonder if perhaps the circuitry on the cage is iffy.  The circuit board on that cage is about the simplest board that can be designed — it just maps wires from one pin connector to another — that’s it.

Perhaps the CentOS install is OK after all.  It’s intermittent, which is bad.  Looks like it might pay to use higher quality hot swap cages.  Tomorrow I’ll try another brand and investigate this further.  Here’s another pertinent point.  I’m seeing this exact same error.

> 51/84:f8:47:dc:35/00:03:02:00:00/e0 Emask 0x10 (ATA bus error)
> Jun 11 05:46:23 p34 kernel: [ 1445.288637] ata12.00: status: { DRDY ERR }
> Jun 11 05:46:23 p34 kernel: [ 1445.288639] ata12.00: error: { ICRC ABRT }

That’s your drive reporting that it saw transmission error on the wire.
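Since the advice above is that the occasional ICRC/ABRT error is normal but frequent repeats are not, here is an added example (not from the kernel mailing list thread) that counts those errors per ATA port in kernel log lines and flags ports over a threshold. The log lines are constructed, modelled on the ones quoted above.

```bash
#!/bin/bash
# Added example: count "ICRC ABRT" bus errors per ATA port and flag ports that repeat.

# Constructed sample log lines (not a real capture), modelled on the thread above.
SAMPLE_LOG='Jun 11 05:46:23 p34 kernel: [ 1445.288637] ata12.00: status: { DRDY ERR }
Jun 11 05:46:23 p34 kernel: [ 1445.288639] ata12.00: error: { ICRC ABRT }
Jun 11 05:46:24 p34 kernel: [ 1446.100001] ata12: hard resetting link
Jun 11 06:02:10 p34 kernel: [ 2391.000001] ata12.00: error: { ICRC ABRT }
Jun 11 06:15:44 p34 kernel: [ 3205.000002] ata12.00: error: { ICRC ABRT }
Jun 11 07:30:00 p34 kernel: [ 7661.000003] ata3.00: error: { ICRC ABRT }
Jun 11 07:31:00 p34 kernel: [ 7721.000004] ata3.00: error: { UNC }'

# icrc_counts: read log lines on stdin, print "ataN.M count" for every port reporting ICRC.
# Only "error:" lines mentioning ICRC are counted; link resets and other errors are ignored.
icrc_counts() {
  grep -o 'ata[0-9]*\.[0-9]*: error: { [^}]*ICRC[^}]*}' \
    | sed 's/:.*//' | sort | uniq -c | awk '{print $2, $1}'
}

# flag_flaky_ports THRESHOLD: read log lines on stdin, print ports with >= THRESHOLD ICRC errors.
flag_flaky_ports() {
  icrc_counts | awk -v t="$1" '$2 >= t {print $1}'
}

# icrc_count_for PORT: ICRC count for one port in SAMPLE_LOG (0 when the port never reported one).
icrc_count_for() {
  n=$(printf '%s\n' "$SAMPLE_LOG" | icrc_counts | awk -v p="$1" '$1 == p {print $2}')
  echo "${n:-0}"
}

# Live use: dmesg | flag_flaky_ports 3   (a flagged port points at that cable, cage slot or drive)
```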

Finding linux distro release info

Fedora Core: /etc/fedora-release

Red Hat: /etc/redhat-release, /etc/redhat_version (rare)

via release-files.

I got confused between two CentOS VMs.  I had thought one CentOS VM that I have running DNS was CentOS 5.4 and the new one was CentOS 5.6.  When I saw that they both used a 2.6.18.* kernel I got confused.  Fedora Core is using 2.6.35 and greater.  This led me to check the distro version, which I couldn’t get out of uname -a or dmesg.  Searching the intertubes, I got the above answer.  Apparently the VM I thought was 5.4 is really 5.5.

It is interesting that CentOS, which tracks RHEL, doesn’t make too many radical changes to the kernel.

Update: It should be noted that I wouldn’t have noticed the kernel versions had I not tried to compile and install my own kernel.
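Because the kernel string alone does not tell CentOS 5.4 from 5.5, here is an added example (not from the release-files page) that reads the release files listed above. It takes a root directory prefix so the same function can inspect a mounted VM image or a constructed test tree rather than only the running host; the /etc/os-release fallback is an assumption for newer systems and is not on the page.

```bash
#!/bin/bash
# Added example: print "<name> <version>" from /etc/fedora-release, /etc/redhat-release or
# /etc/redhat_version under ROOT (empty ROOT = the live system).

# distro_release [ROOT]: print "<name> <version>" and exit 0, or print "unknown" and exit 1.
distro_release() {
  root="${1:-}"
  # Order matters: a Fedora box carries fedora-release plus a compatibility redhat-release.
  for f in etc/fedora-release etc/redhat-release etc/redhat_version; do
    if [ -r "$root/$f" ]; then
      line=$(head -n 1 "$root/$f")
      # "CentOS release 5.5 (Final)" -> name "CentOS", version "5.5"
      name=${line%% release *}
      ver=$(printf '%s\n' "$line" | sed -n 's/.*release \([0-9][0-9.]*\).*/\1/p')
      printf '%s %s\n' "$name" "${ver:-unknown}"
      return 0
    fi
  done
  # Assumed fallback for newer systems that ship /etc/os-release instead.
  if [ -r "$root/etc/os-release" ]; then
    id=$(sed -n 's/^ID=//p' "$root/etc/os-release" | tr -d '"')
    ver=$(sed -n 's/^VERSION_ID=//p' "$root/etc/os-release" | tr -d '"')
    printf '%s %s\n' "${id:-unknown}" "${ver:-unknown}"
    return 0
  fi
  echo unknown
  return 1
}

# make_fake_root DIR FILE CONTENT: build a constructed etc/ tree for testing, e.g.
#   make_fake_root /tmp/vm redhat-release "CentOS release 5.5 (Final)"
make_fake_root() {
  mkdir -p "$1/etc" && printf '%s\n' "$3" > "$1/etc/$2"
}
```

On a mounted image, `distro_release /mnt/vmroot` answers the question without booting the guest.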

Create Your Own Web Server With BIND And Apache On CentOS 5 (Simplified)

Installing necessary packages

yum install bind bind-chroot bind-libs bind-utils caching-nameserver -y

After installing the necessary packages you are ready to start configuring named.conf. You may check and see that there is no named.conf in your /etc/ directory in CentOS 5. No worries, here you can see a sample named.conf file. Now create the file /etc/named.conf and copy/paste the content of the sample config file – just make sure you replace website.com with your own domain name.

via Create Your Own Web Server With BIND And Apache On CentOS 5 (Simplified) | HowtoForge – Linux Howtos and Tutorials.

CentOS making things difficult again.

OpenSIPS and Control Panel Install Guide

It’s assumed you already have a server with a base CentOS installation before you begin.  Do NOT install a GUI such as Gnome or KDE.  We only want to be running in console text mode, not GUI graphics mode.  If you already have a desktop or server GUI installed you will want to exit to console mode.  You do that by typing init 3 from a terminal or console window.  You will need to be logged in as root in order to do this, so if not you can su root.  All instructions in this guide assume you are always logged in as root running in level 3 console text mode.

Via OpenSIPS and Control Panel Install Guide | PowerPBX.org.

How Linux mastered Wall Street

Others just use off-the-shelf distributions and pay consultants to tweak the settings for maximum performance. Red Hat Enterprise Linux is now the dominant Linux distribution among exchanges, Lameter said. Red Hat counts among its customers the Chicago Mercantile Exchange, New York Mercantile Exchange, Frankfurt Stock Exchange, Eurex derivative exchange and Philippine Stock Exchange.

via How Linux mastered Wall Street | ITworld.