technomenace.com

chkrootkit (Check Rootkit) is a common Unix based program intented to help system administrators check their system for known rootkits. It is basically a shell script using common UNIX/Linux tools like strings and grep commands to check core system programs for signatures. If you doubt that your server has been hacked, chkrootkit is what you need to run.

Chkrootkit’s installation is very easy. I am describing the steps below.

1. Ssh to the server as ‘root’, and then wget the chkrootkit from its FTP location.

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

2. Unpack the tarball in the current directory.

tar xvzf chkrootkit.tar.gz

3. Go to the directory newly created, and compile the script.

cd chkrootkit*
make sense

4. Once the compilation is complete, use the below command to execute chkrootkit.

./chkrootkit

NOTE: Make sure that you have gcc and make on the server or else the installation will fail

At this point, I would suggest that you set a crontab to execute this chkrootkit daily. You can even have the results sent to you via email.

For that, create a file /etc/cron.daily/chkrootkit.sh

Insert the following to the new file and save it:

#!/bin/bash
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com

1. Replace ‘yourinstallpath’ with the actual path to where you unpacked Chkrootkit.
2. Change ‘Servername’ to the server your running so you know where it’s coming from.
3. Change ‘admin@youremail.com’ to your actual email address where the script will mail you.

Change the file permissions so that it can execute:

chmod 755 /etc/cron.daily/chkrootkit.sh

You will receive daily chkrootkit reports on your email address from now on.

This tutorial describes how to close an Open DNS server. An Open DNS server allows anyone to use that server as a DNS lookup server. This is a potential threat and such access must either be blocked, or restricted to a few trusted IPs. This is how it is done.

1. Make a list of IPs you consider as trusted (i.e., only those IPs which can use this DNS server for DNS lookups). The list should include all IPs on the server. Now if you don’t know what I am talking about, ssh to your server, and type in the below command as root:

ifconfig | grep 'inet addr' | cut -f2 -d: | cut -f1 -d' ' | sort | uniq

2. Open /etc/named.conf in an editor. I would recommend that you take a backup of the file first before this.

cp -p /etc/named.conf /etc/named.conf.bak
vi /etc/named.conf

3. Locate this line:

key "rndckey" {
};

Move your cursor below this block of code, and press ‘i’ (to change into vi’s insert mode) and then type in the following:

acl "trusted" {
IP1; IP2; IP3; IP4; externalIP1 ;
};

Modify the line IP1; IP2; IP3; IP4; externalIP1 ; to include server’s IP addresses and any external IPs which you wish to allow recursive queries.

4. Once the acl “trusted” is added, move down the file and locate the block named options. Inside it add the below lines:

allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

This is how the options block might look like once the changes are made:

options {
directory "/var/named";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
dump-file “/var/named/data/cache_dump.db”;
statistics-file “/var/named/data/named_stats.txt”;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};

5. Save the changes (use ‘esc’ + ‘:wq’ in vi editor) and then restart named

/etc/init.d/named stop
/etc/init.d/named start

This article describes how to install ionCube loader extension in PHP. ionCube provides tools for PHP source code protection. Usually, a PHP file is in plain-text format. Which means anyone who has access to the actual PHP file can use a text editor (like vim) to view the source code.

If a skilled hacker/programmer gets access to the entire PHP source code, then it would allow him/her to find vulnerabilities which can be used to launch attack on website(s) or web server(s).

It was this reason which led to the web industry search for an encoding engine that is capable of translating source code to efficient bytecodes, and one of the best solution today is ionCube loader. ionCube encoding tools deliver the ideal combination of maximum source code protection without sacrificing performance, reliability or language compatibility.

By default, PHP is unable to parse files encoded using ionCube. In order to do so, you have to install ionCube loader extension in PHP. This is how it is done:

1. Download ionCube loader from ioncube.com

wget http://downloads2.ioncube.com/loader_downloads/ ioncube_loaders_lin_x86.tar.gz

2. Extract the tar.gz file

tar zxvf ioncube_loaders_lin_x86.tar.gz

3. Change to directory ‘ioncube’ and copy over the file ioncube-install-assistant.php to a web directory such as your hosting directory

cd ioncube/
cp ioncube-install-assistant.php /home/userdirectoryhere/public_html/

4. Then open it http://www.yourdomain.com/ioncube-install-assistant.php.
The output should be something similar to:

Analysis of your system configuration shows:

PHP Version 4.3.3
Operating System Linux
Threaded PHP No
php.ini file /usr/local/lib/php.ini
Required Loader ioncube_loader_lin_4.3.so

5. Now move the iconcube directory to a permanent location:

cd ../
mv ioncube /usr/local

6. Now that you know the location of php.ini you need to edit it.

pico /usr/local/lib/php.ini

Now find where other zend extentions are in the file.
ctrl + w: zend_extension

Paste in your new line for ioncube loader

zend_extension = /usr/local/ioncube/ioncube_loader_lin_4.3.so

7. Save the changes
ctrl + X then Y and enter

8. Restart the web server to take effect.

/etc/init.d/httpd restart

Now, create a new document named phpinfo.php. The file should contain the below lines:

phpinfo();
?>

Place this document in your www directory and open it from your web browser by pointing to http://www.yourdomain.com/phpinfo.php. You should now see ionCube loader listed in it (search for the string ‘ioncube’).

That’s it!