Archive for the 'Linux' Category

If you are a system administrator, you should dread any time you use the normal “ls” command and receive a strange error in return. That is a sure sign that your machine has been hacked and ls has been replaced by an unknown program. Gnist blog has a nicely written step-by-step list of what you can do to track back an intruder.

In his case it sounds like the original owner of the machine may have used a weak root password, allowing someone to crack it and break into the box. People, don't forget to use a hard-to-brute-force password, and finally disable root logins. Instead, use normal users and sudo.

Finally, if you are doing this in a legal setting and preparing for a possible future court case, don’t forget to make an image of the drive (using dd or Norton Ghost) before your analysis; otherwise the intruder can get your evidence thrown out.
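As an added example (not from the original post), here is one way to take that image with dd and record a SHA-256 digest so the copy can later be shown to match the source. The function names, the .sha256 sidecar file and the constructed stand-in disk are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: acquire a forensic image with dd and prove it matches the source.
# Function names and the .sha256 sidecar layout are illustrative assumptions.

# Print only the SHA-256 digest of a file or block device.
hash_of() {
    out=$(sha256sum "$1") || return 1
    printf '%s\n' "${out%% *}"
}

# acquire_image SRC DEST: copy SRC to DEST, record the digest, fail on mismatch.
acquire_image() {
    src=$1; dest=$2
    [ -e "$dest" ] && { echo "refusing to overwrite $dest" >&2; return 2; }
    src_hash=$(hash_of "$src") || return 1
    # Plain block copy; conv=noerror,sync keeps going on a failing disk but pads bad blocks.
    dd if="$src" of="$dest" bs=65536 2>/dev/null || return 1
    chmod 0444 "$dest"                      # analyse copies, never this file
    img_hash=$(hash_of "$dest") || return 1
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: $src_hash vs $img_hash" >&2
        return 1
    fi
    # Sidecar in sha256sum format so the image can be re-checked later.
    printf '%s  %s\n' "$img_hash" "$(basename "$dest")" > "$dest.sha256"
    printf '%s acquired %s -> %s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dest" "$img_hash" >> "$dest.log"
}

# verify_image IMG: succeed only if IMG still matches its recorded digest.
verify_image() {
    recorded=$(awk '{print $1}' "$1.sha256") || return 1
    [ "$(hash_of "$1")" = "$recorded" ]
}

# Constructed stand-in for a suspect disk; a real run would pass the disk's
# device node, attached read-only, as SRC.
demo() {
    work=$(mktemp -d) || return 1
    head -c 200000 /dev/urandom > "$work/disk.raw"
    acquire_image "$work/disk.raw" "$work/evidence.dd" && verify_image "$work/evidence.dd"
    rc=$?
    rm -rf "$work"
    return $rc
}
demo && echo "image verified"
```

Re-running verify_image before and after each analysis session shows the image has not changed since acquisition.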

Some other security resources:

If you use a Windows SSH terminal client, or even Mac OS X's Terminal.app, your Page Up and Page Down keys may not behave like you want them to. For example, in SecureCRT, Page Up will actually page up your scroll buffer, and Page Down will scroll down your page buffer.

You’ll need to remap your keys to send the correct signal to your terminal. Change it from the default system function to “send string” and the following strings:

PageUp = \033[5~
PageDown = \033[6~

\033 is a shortcut for the ESCAPE key (esc), since in some programs you can't type in the actual escape key.

Here are some other codes as well in case you need to remap keys.

Pause = \032
Macro = \003 # Break (Shift-Pause)
Home = \033[1~
Insert = \033[2~
Remove = \033[3~ # Delete
End = \033[4~

In SecureCRT the area to remap your keys is Tools -> Keymap Editor.

This is especially handy if you use command line IRC clients such as Irssi or BitchX.

I recently had a problem with a dual Opteron system going into an infinite reboot situation after upgrading to Fedora Core 6 from Fedora Core 4. It turns out the culprit is the cpuspeed package - as soon as this service was starting, the system would reboot instantly. My guess is that there is some incompatibility with the Dual Opteron CPU, as I have seen some posts in bugzilla about this. Here is information on the cpuspeed package:

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-045
2007-01-10
---------------------------------------------------------------------

Product : Fedora Core 6
Name : cpuspeed
Version : 1.2.1
Release : 1.43.fc6
Summary : CPU frequency adjusting daemon
Description :
cpuspeed is a daemon that dynamically changes the speed
of your processor(s) depending upon its current workload
if it is capable (needs Intel Speedstep, AMD PowerNow!,
or similar support).

---------------------------------------------------------------------
Update Information:

This update contains numerous fixes for long-standing
cpuspeed bugs, including a config file overhaul and enhanced
support for in-kernel cpu frequency scaling methods, along
with some actual documentation.
---------------------------------------------------------------------
* Wed Jan 10 2007 Jarod Wilson <jwilson@redhat.com>
- Turn on ia64 builds (#216702)
- Fix status on xen kernels
- Manify 'cpuspeed --help' along with other details (#172655)
- Tweak cpuspeed default thresholds (#147565)
- Let non-centrino/powernow-k8 systems also use other
validated governors (#219926)
- Fix cpuspeed daemon options settings (#221829)
- Fix status and condrestart for centrino/powernow-k8 (#219926)
- Give feedback when loading/unloading a cpufreq governor
- Rework config file and initscript to make it much easier
for end-users to adjust frequency scaling setup (#151761)
- Log start/stop events with useful info
- Don't start on xen kernels (freq scaling not supported)
* Thu Dec 14 2006 Jarod Wilson <jwilson@redhat.com>
- Set lock file for centrino/powernow-k8 so status
indicates we do have scaling working
- Fix up centrino/powernow-k8 stop function (#213999)

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/u...

This update can be installed with the 'yum' update program. Use 'yum update
package-name' at the command line. For more information, refer to 'Managing
Software with yum,' available at http://fedora.redhat.com/docs/yum/.
---------------------------------------------------------------------

In order to fix your system, boot into single user mode, and disable cpuspeed:

chkconfig --level 123456 cpuspeed off

Alternatively, you can uninstall the package:

rpm -e cpuspeed

Your system should now boot properly.

This seems like a pretty rare bug but annoying anyway. On my system I found that when logrotate would run, some log files such as /var/log/maillog did not rotate properly.

Typically, logrotate works like

Write to maillog
Daily, move maillog to maillog.1
Daily, move maillog.1 to maillog.2
etc...

However it was going

Write to maillog,
Daily, move maillog to maillog.1, keep writing to maillog.1
Daily, move maillog.1 to maillog.2, keep writing to maillog.2
etc.

According to this bug tracker entry and this post, it is a problem with the version of logrotate, and people having the /tmp directory on a separate mount (I did not even have mine set to noexec like I should have, and I still had this problem [fixed now, by the way]).

It is easily fixed by installing the version of logrotate from the CentOS fasttrack repository. After installing this, it looks like logrotate is rotating the log files correctly.

Developing web apps cross-platform can be a pain sometimes, as the drivers used in Windows are typically not available (by default anyway) in Linux. For example, if you are using Perl-based software in Linux, and you need to connect to a Windows database (for example, MSDE 2000 or SQL Server)

There are two essential pieces of open source software you will need to use. The first one is UnixODBC [http://www.unixodbc.org]. This package provides what you need to create an ODBC connection. Secondly, you will need the driver to connect to your Windows data source. This driver is provided by FreeTDS [http://www.freetds.org].

After installing this software according to their respective websites, if you are using perl you need to also install the module “DBD::ODBC”.

perl -MCPAN -e 'install DBD::ODBC'

You can now set up datasources in your configuration files. In my case, it would be located in /usr/local/etc/odbc.ini, but you can find the location of your driver file using the command:

odbcinst -j

In addition to setting up your connection here, you can create a “DSN-less” connection using a connection string. Depending on how your system is set up, you may need to supply the connection password in your connection string anyway.

I’m not going to go over the coding of the database connection, for better instructions on how to use the UnixODBC software see their website:

The software I am using as a particular example is Lyris Technologies ListManager. You can synchronize your mailing lists with your database. Depending on your database software your needs will change, so you will need to talk to your software provider for specific information. The information I am providing below is for iMIS software from Advanced Solutions International (ASI).

For the connection string in ListManager, you will use the following syntax:
DRIVER=FreeTDS;SERVER=10.0.0.X;UID=dbusername;PWD=dbpassword;DATABASE=dbname;TDS_Version=8.0;Port=1433;

dbusername = database username, must have dbreader access to your database
dbpassword = password to match username
dbname = actual database name

Make sure your SERVER IP is correct, and the port for MSDE 2000 is 1433 by default. (As a gotcha, make sure any firewall installed allows connections between your servers and ports).

This allows your linux server to connect to your windows server running the database.

Additionally, you’ll need to provide the query string. I’ve found that Listmanager’s tolerance is not very good when dealing with SQL queries, for example it does not accept JOINs. You need to use an alternative method of joining tables. Refer to the Listmanager documentation to see what variables you can pull into their databases.

Below is the SQL statement for 2 different mailing lists.

Selecting a particular Committee or Section:
SELECT Name.EMAIL AS EmailAddr_, Name.FULL_NAME AS FullName_, Name.ID AS Additional_, 'H' AS MailFormat_
FROM Name, Activity, Product
WHERE Activity.ID = Name.ID AND Activity.PRODUCT_CODE = Product.PRODUCT_CODE AND Product.PRODUCT_MINOR ='TEC'

In this case, ‘TEC’ is the code used in iMIS for the committee. You use the WHERE clause to specify joins. I do not think this is the best way, but it works in this case.

To select all Active Members:
SELECT Name.EMAIL as EmailAddr_, Name.FULL_NAME as FullName_, Name.ID as Additional_, 'H' AS MailFormat_
FROM Name
WHERE ((Name.MEMBER_TYPE)='REG' Or (Name.MEMBER_TYPE)='AFF' Or (Name.MEMBER_TYPE)='HON' Or (Name.MEMBER_TYPE)='SEN') AND ((Name.STATUS)='A')

As you can see, it is not exactly simple but it is easy enough to do once you have the right software. Once your software is talking to your databases, it makes things a lot easier!

This is a pretty simple thing to do, once you’ve figured it out. You attach files using the following syntax:

uuencode filename1 filename2|mail user@domain.name

This will uuencode filename1 (filename2 is the name the attachment gets when it is decoded), then pipe the output to the mail command, and mail it to the user.

If you try to make or install a program and you receive an error like this:

make[2]: cc: Command not found

Then that means you don’t have a C/C++ compiler installed!

If you are using CentOS or another yum-based distro, type:

yum install gcc-c++

That will install the needed RPMs for you.

I recently had a problem where my Spamassassin install started thinking that a lot of spam messages were really ham (non-spam). Since these were getting BAYES_00 scores of -2.5 they were almost all getting through my spam filter. These particular messages all were regarding STOCK quotes and were pretty obviously spam just by looking at the text of the messages. Somehow my Spamassassin install thought that they were not spam because the messages were being passed as ham by the Bayesian filter. Since they kept getting past, the bayesian filter kept learning them as HAM.

In order to break this vicious cycle, you just need to clear out the bayesian tokens. It’s very easy to do. As root user, type:

sa-learn --clear

This starts you fresh. By default, Spamassassin won’t use the bayes filter until it has 200 spam and ham messages, so until you get to that level it will continue to learn based on the other Spamassassin detection settings.

Ideally, I would have sa-learn train using these spam messages. But since I use Outlook, and there is no “easy” way to have it interface with sa-learn, I find it easier to clean out the bayes tokens every once in a while. SpamAssassin Coach is a plugin for Outlook which should connect to your spamd server and “learn” a message as ham or spam. But in practice, it did not work for me. It looks like the project has a lot of potential.

For more information on how Bayesian filtering works, check out this wikipedia article.

Changing your cpan mirror.

Although it seems like it would be an easy task to accomplish, it seems there is no easy way to change the Perl CPAN module mirror list. I have only found two ways to do this.

The first way I found is to modify your Config.pm in the CPAN module. In my install, it is located at /usr/lib/perl5/5.8.5/CPAN/Config.pm. Look for ‘urllist’ and you will see the list of mirrors. Modify this variable to change where CPAN looks for its modules.

The second way is to re-run the CPAN configuration. You do this by running the cpan command line:
perl -MCPAN -e shell

and then running o conf init

cpan> o conf init

This will run the initial configuration of CPAN again.

It seems like there should be an easier way to do this - if anyone knows please post a comment!

SMSSend is a program used to send SMS messages over the network via the command line in Linux. It is licensed under the GNU General Public License.

I recently aimed to integrate this into Zabbix remote monitoring software. I had a hell of a time finding the software because its original page, here, has some sort of apache configuration error and does not load. Thankfully, I found the source files needed on a mirror. For the sake of anyone else looking for this file, you can download it locally here:

http://systembash.com/source/smssend-3.5.tar.gz
http://systembash.com/source/skyutils-2.9.tar.gz

You will need to install that particular version of skyutils first, before compiling smssend.

Also, since the site is down, you can not grab the versions of the .sms that you need for certain providers. However, I used google cache to grab the one for clickatell and re-formatted the file to look right. Since it was not so obvious how to do this, I will paste clickatell.sms for you:

## SkySMS provider file - http://www.clickatell.com
## # Version 0.1
# by Steve Herrell
# Error codes :
# 1 -> General failure

NbParams 6
%Login : Your Login
%Password Hidden : Your Password
%ApiID Hidden : Your API ID
%Sender : The API Name
%Tel : Where it's going to
%Message Size=160 Convert : Your message

GetURL https://api.clickatell.com/http/sendmsg
Params from=\%Sender%&user=\%Login%&password=\%Password%&api_id=\%ApiID%&to=\%Tel%&text=\%Message%
Search ID:
PrintMsg message sent
Else
ErrorMsg 1 error sending message
GO

You then use this file (you can place it in /usr/local/share/smssend/, which is the default location of the rest of the scripts) and call it using this syntax:

smssend clickatell.sms <Username> <Password> <API_ID> <API NAME> <Your Cell Phone Number> "Hello World"

If all goes well, you now have a text message that says “hello world”.

Note: Some of you, like me, may think that using your phone’s email address is a better (free) way to send alerts. You may be right. But my opinion is that adding e-mail into the mix adds an extra layer of uncertainty in actually receiving the message. I have had messages delayed for days that were sent via e-mail. Sending via SMS should be a more direct way to receive your urgent alerts.

Note 2: Don’t forget that you need to have internet connectivity to send SMS messages this way. The only way to have your server send an SMS message while being offline is by having a GSM Modem attached to it. Zabbix can talk directly with this modem to send your page.

  • Welcome to systemBash, a technology and system administration blog by David Drager. If you enjoy this sort of content, you can subscribe to the RSS using the link to the right.