Thursday, February 25, 2016

Virtualmin DNS Server Template for multi domain

Virtualmin provides a default server template that is used to configure DNS when a new Virtual Server is created. We can change this default to apply our own style of DNS records. Go to the Virtualmin tab, System Settings, then Server Templates. Choose Default Settings, select BIND DNS domain and click Change. This is my custom configuration for DNS records:

  1. BIND DNS records for new domains:
    $ttl 38400
    @ IN SOA ns1.${DOM}. hostmaster.${DOM}. (
    1456307163
    10800
    3600
    604800
    38400 )
    ${DOM}. IN A ${IP}
    www.${DOM}. IN A ${IP}
    ftp.${DOM}. IN A ${IP}
    m.${DOM}. IN A ${IP}
    localhost.${DOM}. IN A 127.0.0.1
    webmail.${DOM}. IN A ${IP}
    admin.${DOM}. IN A ${IP}
    mail.${DOM}. IN A ${IP}
    ${DOM}. IN MX 5 mail.${DOM}.
    ${DOM}. IN TXT "v=spf1 a mx a:${DOM} ip4:${IP} ?all"
    ${DOM}. IN NS ns1.${DOM}.
    ${DOM}. IN NS ns2.${DOM}.
    ns1.${DOM}. IN A ${IP}
    ns2.${DOM}. IN A [change-ip-to-your-slave-dns-server]
  2. Use only the records above: checked
  3. Address records for new domains: unchecked all
  4. Default TTL for DNS records: Use BIND module setting
  5. Add nameserver record for this server -> unchecked
  6. Add sub-domain DNS records to parent domain? No
  7. Master DNS server hostname: Automatic (from system's hostname)
  8. Add SPF DNS record? No
  9. Does SPF record cover all senders? No
  10. Add DMARC DNS record? No
  11. Additional named.conf directives for new zones: None
  12. Automatically add named.conf directives: also-notify allow-transfer
  13. Create DNSSEC key and sign new domains? No

You can check your DNS entries from this site: https://ednscomp.isc.org/ednscomp/
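As an added example (not part of Virtualmin or of this post), the Python below renders a constructed subset of the template above for a sample domain and checks two things Virtualmin will not check for you: that the ns2 placeholder has really been replaced with an IPv4 address, and that every in-zone NS and MX target has a glue A record. ${NS2} is an assumed stand-in for the slave address placeholder; ${DOM} and ${IP} are Virtualmin's own variables.

```python
import ipaddress
import re

# Constructed subset of the Virtualmin template above (single-line SOA).
# ${DOM} and ${IP} are Virtualmin's substitution variables; ${NS2} is an
# assumed stand-in for the slave address the template leaves as a placeholder.
TEMPLATE = """$ttl 38400
@ IN SOA ns1.${DOM}. hostmaster.${DOM}. ( 1456307163 10800 3600 604800 38400 )
${DOM}. IN A ${IP}
mail.${DOM}. IN A ${IP}
${DOM}. IN MX 5 mail.${DOM}.
${DOM}. IN TXT "v=spf1 a mx a:${DOM} ip4:${IP} ?all"
${DOM}. IN NS ns1.${DOM}.
${DOM}. IN NS ns2.${DOM}.
ns1.${DOM}. IN A ${IP}
ns2.${DOM}. IN A ${NS2}
"""

def render(dom, ip, ns2):
    """Substitute the template variables the way Virtualmin does."""
    return TEMPLATE.replace("${DOM}", dom).replace("${IP}", ip).replace("${NS2}", ns2)

def parse(zone):
    """Return (owner, type, rdata) tuples for the single-line A/NS/MX/TXT records."""
    return [m.groups() for line in zone.splitlines()
            if (m := re.match(r"^(\S+)\s+IN\s+(A|NS|MX|TXT)\s+(.*)$", line))]

def check(dom, ip, ns2):
    """Return a list of problems in the rendered zone; an empty list means it is sane."""
    recs = parse(render(dom, ip, ns2))
    a_records = {owner: rdata for owner, rtype, rdata in recs if rtype == "A"}
    problems = []
    for owner, rdata in a_records.items():
        try:
            ipaddress.IPv4Address(rdata)  # catches the unedited ns2 placeholder
        except ValueError:
            problems.append(f"{owner} A record is not an IPv4 address: {rdata!r}")
    # every NS or MX target inside the zone needs its own A record (glue)
    for owner, rtype, rdata in recs:
        if rtype == "NS":
            target = rdata
        elif rtype == "MX":
            target = rdata.split()[1]
        else:
            continue
        if target.endswith(f".{dom}.") and target not in a_records:
            problems.append(f"{rtype} target {target} has no A record in the zone")
    return problems
```

Running check("example.com", "192.0.2.10", "[change-ip-to-your-slave-dns-server]") reports the untouched placeholder, which is exactly the mistake that leaves ns2 unreachable after the template is saved.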

Wednesday, February 17, 2016

Scanning for rootkits on your Linux (Debian and CentOS)

The steps to clean up are:

1. Check the file /etc/crontab. You probably have an entry that calls the virus every 3 minutes:
     */3 * * * * root /etc/cron.hourly/cron.sh
   Delete this line.
2. Identify the parent process of the virus: bfyqwykzfr in your ps -ej output. The other processes are created and killed continuously.
3. Stop it, don't kill it, with kill -STOP 1632
4. Check with another ps -ej that only the parent is still alive; the children should die quickly.
5. Now you can delete the files in /usr/bin and /etc/init.d. There are variants of the virus that also use /boot or /bin. Use ls -lt | head to look for files that have been modified recently.
6. Check the script in /etc/cron.hourly/cron.sh. On our server it was calling another copy of the virus at /lib/libgcc.so. Delete both files.
7. Now you can definitively kill the bfyqwykzfr process.


# rm /etc/cron.hourly/gcc.sh

# locate bfyqwykzfr
/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/bfyqwykzfr
/etc/rc.d/rc0.d/K90bfyqwykzfr
/etc/rc.d/rc1.d/S90bfyqwykzfr
/etc/rc.d/rc2.d/K90bfyqwykzfr
/etc/rc.d/rc3.d/K90bfyqwykzfr
/etc/rc.d/rc4.d/K90bfyqwykzfr
/etc/rc.d/rc5.d/K90bfyqwykzfr
/etc/rc.d/rc6.d/K90bfyqwykzfr
/usr/bin/bfyqwykzfr

# ls -lRt /etc/init.d/ | grep /etc/init.d/bfyqwykzfr
-rwxr-xr-x  1 root root   323 Feb 16 14:57 bfyqwykzfr
# rm /etc/init.d/bfyqwykzfr -f

# chkconfig --list
...
bfyqwykzfr      0:off   1:on    2:off   3:off   4:off   5:off   6:off
...
# chkconfig --del bfyqwykzfr

# ls -l /usr/bin/ | grep bfyqwykzfr
...
-rwxr-xr-x  1 root root     625718 Feb 12 13:23 bfyqwykzfr
...
# rm -f /usr/bin/bfyqwykzfr
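As an added example, not from this post or its linked references, the Python below turns steps 1 and 5 into detection logic run over constructed input: it flags crontab entries that call a script straight out of a cron.* directory every few minutes, and flags service names that fit the 10-letter random pattern of bfyqwykzfr. The sample crontab and /etc/init.d listing are constructed, and the vowel-ratio threshold is an assumed heuristic.

```python
import re

# Constructed sample inputs modelled on the post: a /etc/crontab carrying the
# dropper's entry from step 1, and a listing of /etc/init.d service names.
CRONTAB = """SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 * * * * root /etc/cron.hourly/cron.sh
"""
INIT_D = ["cron", "ssh", "networking", "bfyqwykzfr", "rsyslog", "apache2"]

# minute hour dom month dow user command  (system crontab layout)
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def suspicious_cron_entries(crontab, max_minutes=10):
    """Entries that call a script directly out of a cron.* directory every few
    minutes. Those directories are meant to be run by run-parts on their own
    schedule, so a direct high-frequency call is the pattern seen in step 1."""
    hits = []
    for line in crontab.splitlines():
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        minute, command = m.group(1), m.group(7)
        step = re.fullmatch(r"\*/(\d+)", minute)
        if step and int(step.group(1)) <= max_minutes and "/etc/cron." in command:
            hits.append(line)
    return hits

def looks_random(name):
    """Heuristic for the 10-letter random names this malware family uses
    (assumed threshold): lowercase only, exactly 10 letters, and a vowel
    ratio well below what real service names such as 'networking' have."""
    if not re.fullmatch(r"[a-z]{10}", name):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < 0.25

def suspicious_services(names):
    """Service names from /etc/init.d (or chkconfig --list) worth a closer look."""
    return [n for n in names if looks_random(n)]
```

Feed suspicious_services() the real directory listing (os.listdir("/etc/init.d")) and suspicious_cron_entries() the real /etc/crontab to triage a box before running the manual steps above.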

installing rkhunter
--------------------------------
debian
# apt-get install rkhunter

centos
# yum install epel-release
# yum -y install rkhunter

update rkhunter database
# rkhunter --update
scan/check for rootkits
# rkhunter -c
update rkhunter file properties
# rkhunter --propupd

installing chkrootkit
--------------------------------
debian

centos
# yum install chkrootkit

scan/check
# chkrootkit

ClamAV
--------------------------------
debian

centos
# yum install clamav -y

update virus database
# freshclam
scan directory
# clamscan -r /usr/sbin/

--------------------------------
References:
http://superuser.com/questions/863997/ddos-virus-infection-as-a-unix-service-on-a-debian-8-vm-webserver
http://blog.amet13.name/2015/05/linux.html
http://www.woktron.com/secure/knowledgebase/79/Installation-Rootkit-Hunter-rkhunter-on-CentOS-5-and-6.html
http://www.clamav.net/documents/troubleshooting-faq