Dedetok: My Experience Notes

Friday, March 4, 2016

Installing AMD Radeon driver on Debian Jessie

Edit /etc/apt/sources.list
deb http://httpredir.debian.org/debian/ jessie main contrib non-free

Install these software

# aptitude update
# aptitude -r install linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,') fglrx-driver

Run initial configuration
```
# aticonfig --initial
```

https://wiki.debian.org/ATIProprietary#AMD_Catalyst_14.9

Thursday, February 25, 2016

Virtualmin DNS Server Template for multi domain

Virtualmin provides default server template that can be used to configure dns during creating of a new Virtual Server. We can change this default to implement our 'style' in dns record. Go to Virtualmin tab, System Settings, and Server Templates. Choose Default Settings, select Bind DNS domain and click Change. This is my custom configuration for dns record:

BIND DNS records for new domains:
$ttl 38400
@ IN SOA ns1.${DOM}. hostmaster.${DOM}. (
1456307163
10800
3600
604800
38400 )
${DOM}. IN A ${IP}
www.${DOM}. IN A ${IP}
ftp.${DOM}. IN A ${IP}
m.${DOM}. IN A ${IP}
localhost.${DOM}. IN A 127.0.0.1
webmail.${DOM}. IN A ${IP}
admin.${DOM}. IN A ${IP}
mail.${DOM}. IN A ${IP}
${DOM}. IN MX 5 mail.${DOM}.
${DOM}. IN TXT "v=spf1 a mx a:${DOM} ip4:${IP} ?all"
${DOM}. IN NS ns1.${DOM}.
${DOM}. IN NS ns2.${DOM}.
ns1.${DOM}. IN A ${IP}
ns2.${DOM}. IN A [change-ip-to-your-slave-dns-server]
Use only the records above: checked
Address records for new domains: unchecked all
Default TTL for DNS records: Use BIND module setting
Add nameserver record for this server -> unchecked
Add sub-domain DNS records to parent domain? No
Master DNS server hostname: Automatic (from system's hostname)
Add SPF DNS record? No
Does SPF record cover all senders? No
Add DMARC DNS record? No
Additional named.conf directives for new zones: None
Automatically add named.conf directives: also-notify allow-transfer
Create DNSSEC key and sign new domains? No

You can check your dns entry using from this site https://ednscomp.isc.org/ednscomp/

Wednesday, February 17, 2016

Scanning rootkit on your Linux (Debian and Centos)

The steps to clean are:

Check the file /etc/crontab. You probably have an entry to call the virus every 3 minutes
*/3 * * * * root /etc/cron.hourly/cron.sh
Delete this line.
Identify the parent process of the virus. The bfyqwykzfr in your ps -ej. The other proceses are created and killed continously.
Stop it, dont kill it, with kill -STOP 1632
Check with another ps -ej that only the parent lives, the children should die quickly
Now you can delete the files in /usr/bin and /etc/init.d. There are variants of the virus that also uses /boot or /bin. Use ls -lt | head to look for files that have been modified recently.
Check the script in /etc/cron.hourly/cron.sh. In our server it was calling another copy of the virus on /lib/libgcc.so. Delete both files.
Now you can kill definitely the bfyqwykzfr process.

# rm /etc/cron.hourly/gcc.sh

# locate bfyqwykzfr
/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/bfyqwykzfr
/etc/rc.d/rc0.d/K90bfyqwykzfr
/etc/rc.d/rc1.d/S90bfyqwykzfr
/etc/rc.d/rc2.d/K90bfyqwykzfr
/etc/rc.d/rc3.d/K90bfyqwykzfr
/etc/rc.d/rc4.d/K90bfyqwykzfr
/etc/rc.d/rc5.d/K90bfyqwykzfr
/etc/rc.d/rc6.d/K90bfyqwykzfr
/usr/bin/bfyqwykzfr

# ls -lRt /etc/init.d/ | grep /etc/init.d/bfyqwykzfr
-rwxr-xr-x 1 root root 323 Feb 16 14:57 bfyqwykzfr
# rm /etc/init.d/bfyqwykzfr -f

# chkconfig --list
...
bfyqwykzfr 0:off 1:on 2:off 3:off 4:off 5:off 6:off
...
# chkconfig --del bfyqwykzfr

# ls -l /usr/bin/ | grep bfyqwykzfr
...
-rwxr-xr-x 1 root root 625718 Feb 12 13:23 bfyqwykzfr
...
# rm -f /usr/bin/bfyqwykzfr

installing rkhunter
--------------------------------
debian
# apt-get install rkhunter

centos
# yum install epel-release
# yum -y install rkhunter

update rkhunter database
# rkhunter --update
scan/check rootkit
# rkhunter -c
update rkhunter property
# rkhunter --propupd

installing chkrootkit
--------------------------------
debian

centos
# yum install chkrootkit

scan/check
# chkrootkit

ClamAV
--------------------------------
debian

centos
# yum install clamav -y

update virus database

# freshclam

scan directory

# clamscan -r /usr/sbin/

--------------------------------
References:
http://superuser.com/questions/863997/ddos-virus-infection-as-a-unix-service-on-a-debian-8-vm-webserver
http://blog.amet13.name/2015/05/linux.html
http://www.woktron.com/secure/knowledgebase/79/Installation-Rootkit-Hunter-rkhunter-on-CentOS-5-and-6.html
http://www.clamav.net/documents/troubleshooting-faq

Wednesday, January 27, 2016

Installing OpenJDK 8 and Tomcat 8 on Debian Jessie

Debian 8 (Jessie) already support JDK 8 and Tomcat 8.

Tomcat 8 exist in jessie repository and jessie-backports repository. For latest Tomcat 8, we use jessie-backports

Do these easy step to install OpenJDK 8 and Tomcat 8 on Debian Jessie:

Edit /etc/apt/sources.list and add these lines (you may ignore line with #)
# Backport Testing on stable
# JDK 8
deb http://ftp.de.debian.org/debian jessie-backports main
# apt-get update
# apt-get install openjdk-8-jdk
# apt-get install tomcat8 tomcat8-admin

If you upgrade your Debian 7 (does not support Tomcat 8) to Debian 8, you may lost some Tomcat 8 files. Here is some script you can used into your tomcat8 installation:
/etc/default/tomcat8

# Run Tomcat as this user ID. Not setting this or leaving it blank will use the
# default of tomcat8.
TOMCAT8_USER=tomcat8

# Run Tomcat as this group ID. Not setting this or leaving it blank will use
# the default of tomcat8.
TOMCAT8_GROUP=tomcat8

# The home directory of the Java development kit (JDK). You need at least
# JDK version 7. If JAVA_HOME is not set, some common directories for
# OpenJDK and the Oracle JDK are tried.
#JAVA_HOME=/usr/lib/jvm/java-7-openjdk

# You may pass JVM startup parameters to Java here. If unset, the default
# options will be: -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC
#
# Use "-XX:+UseConcMarkSweepGC" to enable the CMS garbage collector (improved
# response time). If you use that option and you run Tomcat on a machine with
# exactly one CPU chip that contains one or two cores, you should also add
# the "-XX:+CMSIncrementalMode" option.
JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC"

# To enable remote debugging uncomment the following line.
# You will then be able to use a java debugger on port 8000.
#JAVA_OPTS="${JAVA_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,serv
er=y,suspend=n"

# Java compiler to use for translating JavaServer Pages (JSPs). You can use all
# compilers that are accepted by Ant's build.compiler property.
#JSP_COMPILER=javac

# Use the Java security manager? (yes/no, default: no)
#TOMCAT8_SECURITY=no

# Number of days to keep logfiles in /var/log/tomcat8. Default is 14 days.
#LOGFILE_DAYS=14
# Whether to compress logfiles older than today's
#LOGFILE_COMPRESS=1

# Location of the JVM temporary directory
# WARNING: This directory will be destroyed and recreated at every startup !
#JVM_TMP=/tmp/tomcat8-temp

# If you run Tomcat on port numbers that are all higher than 1023, then you
# do not need authbind. It is used for binding Tomcat to lower port numbers.
# (yes/no, default: no)
#AUTHBIND=no

/etc/init.d/tomcat8 with chmod 755

#!/bin/sh
#
# /etc/init.d/tomcat8 -- startup script for the Tomcat 8 servlet engine
#
# Written by Miquel van Smoorenburg <miquels@cistron.nl>.
# Modified for Debian GNU/Linux   by Ian Murdock <imurdock@gnu.ai.mit.edu>.
# Modified for Tomcat by Stefan Gybas <sgybas@debian.org>.
# Modified for Tomcat6 by Thierry Carrez <thierry.carrez@ubuntu.com>.
# Modified for Tomcat7 by Ernesto Hernandez-Novich <emhn@itverx.com.ve>.
# Additional improvements by Jason Brittain <jason.brittain@mulesoft.com>.
#
### BEGIN INIT INFO
# Provides:          tomcat8
# Required-Start:    $local_fs $remote_fs $network
# Required-Stop:     $local_fs $remote_fs $network
# Should-Start:      $named
# Should-Stop:       $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start Tomcat.
# Description:       Start the Tomcat servlet engine.
### END INIT INFO

set -e

PATH=/bin:/usr/bin:/sbin:/usr/sbin
NAME=tomcat8
DESC="Tomcat servlet engine"
DEFAULT=/etc/default/$NAME
JVM_TMP=/tmp/tomcat8-$NAME-tmp

if [ `id -u` -ne 0 ]; then
    echo "You need root privileges to run this script"
    exit 1
fi

# Make sure tomcat is started with system locale
if [ -r /etc/default/locale ]; then
    . /etc/default/locale
    export LANG
fi

. /lib/lsb/init-functions

if [ -r /etc/default/rcS ]; then
    . /etc/default/rcS
fi

# The following variables can be overwritten in $DEFAULT

# Run Tomcat 8 as this user ID and group ID
TOMCAT8_USER=tomcat8
TOMCAT8_GROUP=tomcat8

# this is a work-around until there is a suitable runtime replacement
# for dpkg-architecture for arch:all packages
# this function sets the variable JDK_DIRS
find_jdks()
{
    for java_version in 9 8 7
    do
        for jvmdir in /usr/lib/jvm/java-${java_version}-openjdk-* \
                      /usr/lib/jvm/jdk-${java_version}-oracle-* \
                      /usr/lib/jvm/jre-${java_version}-oracle-*
        do
            if [ -d "${jvmdir}" ]
            then
                JDK_DIRS="${JDK_DIRS} ${jvmdir}"
            fi
        done
    done

    # Add older non multi arch installations
    JDK_DIRS="${JDK_DIRS} /usr/lib/jvm/java-7-oracle"
}

# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not
# defined in $DEFAULT)
JDK_DIRS="/usr/lib/jvm/default-java"
find_jdks

# Look for the right JVM to use
for jdir in $JDK_DIRS; do
    if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then
    JAVA_HOME="$jdir"
    fi
done
export JAVA_HOME

# Directory where the Tomcat 8 binary distribution resides
CATALINA_HOME=/usr/share/$NAME

# Directory for per-instance configuration files and webapps
CATALINA_BASE=/var/lib/$NAME

# Use the Java security manager? (yes/no)
TOMCAT8_SECURITY=no

# Default Java options
# Set java.awt.headless=true if JAVA_OPTS is not set so the
# Xalan XSL transformer can work without X11 display on JDK 1.4+
# It also looks like the default heap size of 64M is not enough for most cases
# so the maximum heap size is set to 128M
if [ -z "$JAVA_OPTS" ]; then
    JAVA_OPTS="-Djava.awt.headless=true -Xmx128M"
fi

# End of variables that can be overwritten in $DEFAULT

# overwrite settings from default file
if [ -f "$DEFAULT" ]; then
    . "$DEFAULT"
fi

if [ ! -f "$CATALINA_HOME/bin/bootstrap.jar" ]; then
    log_failure_msg "$NAME is not installed"
    exit 1
fi

POLICY_CACHE="$CATALINA_BASE/work/catalina.policy"

if [ -z "$CATALINA_TMPDIR" ]; then
    CATALINA_TMPDIR="$JVM_TMP"
fi

# Set the JSP compiler if set in the tomcat8.default file
if [ -n "$JSP_COMPILER" ]; then
    JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=\"$JSP_COMPILER\""
fi

SECURITY=""
if [ "$TOMCAT8_SECURITY" = "yes" ]; then
    SECURITY="-security"
fi

# Define other required variables
CATALINA_PID="/var/run/$NAME.pid"
CATALINA_SH="$CATALINA_HOME/bin/catalina.sh"

# Look for Java Secure Sockets Extension (JSSE) JARs
if [ -z "${JSSE_HOME}" -a -r "${JAVA_HOME}/jre/lib/jsse.jar" ]; then
    JSSE_HOME="${JAVA_HOME}/jre/"
fi

catalina_sh() {
    # Escape any double quotes in the value of JAVA_OPTS
    JAVA_OPTS="$(echo $JAVA_OPTS | sed 's/\"/\\\"/g')"

    AUTHBIND_COMMAND=""
    if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
       AUTHBIND_COMMAND="/usr/bin/authbind --deep /bin/bash -c "
    fi

    # Define the command to run Tomcat's catalina.sh as a daemon
    # set -a tells sh to export assigned variables to spawned shells.
    TOMCAT_SH="set -a; JAVA_HOME=\"$JAVA_HOME\"; source \"$DEFAULT\"; \
       CATALINA_HOME=\"$CATALINA_HOME\"; \
       CATALINA_BASE=\"$CATALINA_BASE\"; \
       JAVA_OPTS=\"$JAVA_OPTS\"; \
       CATALINA_PID=\"$CATALINA_PID\"; \
       CATALINA_TMPDIR=\"$CATALINA_TMPDIR\"; \
       LANG=\"$LANG\"; JSSE_HOME=\"$JSSE_HOME\"; \
       cd \"$CATALINA_BASE\"; \
       \"$CATALINA_SH\" $@"

    if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
       TOMCAT_SH="'$TOMCAT_SH'"
    fi

    # Run the catalina.sh script as a daemon
    set +e
    touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
    chown $TOMCAT8_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
    start-stop-daemon --start -b -u "$TOMCAT8_USER" -g "$TOMCAT8_GROUP" \
       -c "$TOMCAT8_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
       -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
    status="$?"
    set +a -e
    return $status
}

case "$1" in
start)
    if [ -z "$JAVA_HOME" ]; then
       log_failure_msg "no JDK or JRE found - please set JAVA_HOME"
       exit 1
    fi

    if [ ! -d "$CATALINA_BASE/conf" ]; then
       log_failure_msg "invalid CATALINA_BASE: $CATALINA_BASE"
       exit 1
    fi

    log_daemon_msg "Starting $DESC" "$NAME"
    if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
       --user $TOMCAT8_USER --exec "$JAVA_HOME/bin/java" \
       >/dev/null; then

       # Regenerate POLICY_CACHE file
       umask 022
       echo "// AUTO-GENERATED FILE from /etc/tomcat8/policy.d/" \
           > "$POLICY_CACHE"
       echo "" >> "$POLICY_CACHE"
       cat $CATALINA_BASE/conf/policy.d/*.policy \
           >> "$POLICY_CACHE"

       # Remove / recreate JVM_TMP directory
       rm -rf "$JVM_TMP"
       mkdir -p "$JVM_TMP" || {
           log_failure_msg "could not create JVM temporary director
y"
           exit 1
       }
       chown $TOMCAT8_USER "$JVM_TMP"

       catalina_sh start $SECURITY
       sleep 5
           if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
           --user $TOMCAT8_USER --exec "$JAVA_HOME/bin/java" \
           >/dev/null; then
           if [ -f "$CATALINA_PID" ]; then
               rm -f "$CATALINA_PID"
           fi
           log_end_msg 1
       else
           log_end_msg 0
       fi
    else
            log_progress_msg "(already running)"
       log_end_msg 0
    fi
    ;;
stop)
    log_daemon_msg "Stopping $DESC" "$NAME"

    set +e
    if [ -f "$CATALINA_PID" ]; then
       start-stop-daemon --stop --pidfile "$CATALINA_PID" \
           --user "$TOMCAT8_USER" \
           --retry=TERM/20/KILL/5 >/dev/null
       if [ $? -eq 1 ]; then
           log_progress_msg "$DESC is not running but pid file exis
ts, cleaning up"
       elif [ $? -eq 3 ]; then
           PID="`cat $CATALINA_PID`"
           log_failure_msg "Failed to stop $NAME (pid $PID)"
           exit 1
       fi
       rm -f "$CATALINA_PID"
       rm -rf "$JVM_TMP"
    else
       log_progress_msg "(not running)"
    fi
    log_end_msg 0
    set -e
    ;;
   status)
    set +e
    start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
       --user $TOMCAT8_USER --exec "$JAVA_HOME/bin/java" \
       >/dev/null 2>&1
    if [ "$?" = "0" ]; then

       if [ -f "$CATALINA_PID" ]; then
            log_success_msg "$DESC is not running, but pid file exists."
           exit 1
       else
            log_success_msg "$DESC is not running."
           exit 3
       fi
    else
       log_success_msg "$DESC is running with pid `cat $CATALINA_PID`"
    fi
    set -e
        ;;
restart|force-reload)
    if [ -f "$CATALINA_PID" ]; then
       $0 stop
       sleep 1
    fi
    $0 start
    ;;
try-restart)
        if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
       --user $TOMCAT8_USER --exec "$JAVA_HOME/bin/java" \
       >/dev/null; then
       $0 start
    fi
        ;;
*)
    log_success_msg "Usage: $0 {start|stop|restart|try-restart|force-reload|
status}"
    exit 1
    ;;
esac

exit 0

You can check folder /etc/tomcat8 and compare them with its default https://packages.debian.org/jessie-backports/all/tomcat8/filelist