
Category 'Computer & networking'

Exim4 on Ubuntu 9.04

I’ve been working throughout the whole week to solve the send mail problem on the new box. The thing is that I have created an online form and the completed form should be sent to an appointed email address. I have been using Sendmail as the MTA (Mail Transport Agent) but it fails to function properly. The log file shows that it failed to send the email to the appointed email hosts and whenever it spots the same domain name (local), it won’t send the email although I have continuously changed the settings, rebooted the box, edited php.ini, etc. I tried to find solutions in the Ubuntu Forums and some of them suggest replacing the MTA from Sendmail to Exim. I have been a Sendmail user since my first cup of Ubuntu as it is used with the default PHP configuration and I never tried Exim, but since Sendmail is not working as it is supposed to, I’m giving Exim a try. A couple of my first trials with Exim still didn’t solve the matter and I had to reinstall it a couple of times since I had messed with the configuration file. Thankfully apt-get saves most of my time. (just run apt-get install exim4 <- current version)

The configuration of Exim is more user friendly than Sendmail’s and it’s easier to understand the settings, as the configuration’s user interface takes you step by step with details and explanations. To configure Exim through the user interface, issue the following command:

dpkg-reconfigure exim4-config

Manual configuration can be done by editing the /etc/exim4/update-exim4.conf file, but then we have to run:

update-exim4.conf

and restart the exim4 process for the configuration to take effect. The process should be running and listening on port 25 (smtp).

Exim4 process running and listening on port 25


To check the installation, run the mail command (install mailutils first), try sending a mail and refer to the log file for the status. The mail may arrive late in your inbox the first time, sometimes delayed up to 7 hours as it may be queued for spam checks by the recipient server, but it should be OK after that.

Send mail and tail the log


There seems to be no error whatsoever in the log but I can’t receive the mail on my Yahoo account. In the previous log, it says that Yahoo gives a “421 message deferred” error. It seems that Yahoo is filtering the message and considering it spam, etc. No luck on Yahoo I guess..whatever..I won’t be using Yahoo for the apps (and I don’t want to waste my time contacting them). I tried to figure out why the message could not be received by Yahoo Mail and I think it must be something related to the mail header. So I opened the received mail in my Gmail account and inspected the message header:

email header shows SPF: Neutral


The SPF (Sender Policy Framework), an extension of RFC2822, shows that the query was neutral. Maybe Yahoo Mail is being strict on this…maybe. As you can see in the above image, inspecting email headers is very interesting too, as you can trace the sender’s IP, location, mail client, etc. These are some of the tricks used to bust spammers, anonymous mailers, etc. hehe~. In the end, Exim works as my box’s new MTA.
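What a result like “SPF: Neutral” actually means becomes clear when you evaluate a record by hand. The following Python is an added example, not part of the original post: a deliberately minimal evaluator that handles only the ip4/ip6 and all mechanisms so it runs offline (the full RFC 7208 algorithm also resolves a, mx, include and friends via DNS), plus a parser for the Received-SPF header that the receiving MTA adds. The record strings, header and TEST-NET addresses are constructed samples.

```python
import ipaddress
import re

# Added example (not from the post). Qualifier prefixes from RFC 7208:
# "+" pass (the default), "-" fail, "~" softfail, "?" neutral.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate a sending IP against an SPF TXT record.

    Only ip4:, ip6: and all are supported here; anything that would need
    a DNS lookup (a, mx, include, exists, ptr, redirect=) is reported as
    permerror instead of being silently ignored.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[:1] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]   # catch-all decides everything left
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                 # unsupported (DNS-based) mechanism
    # RFC 7208 section 4.7: nothing matched and no "all" term -> neutral
    return "neutral"


def parse_received_spf(header: str):
    """Return (result, client-ip) from a Received-SPF header, or None.

    A mail client's "SPF: Neutral" summary reflects this header, which the
    receiving MTA adds after running a check like the one above.
    """
    flat = " ".join(header.split())        # unfold continuation lines
    result = re.match(r"Received-SPF:\s*([A-Za-z]+)", flat)
    if not result:
        return None
    ip = re.search(r"client-ip=([0-9A-Fa-f.:]+)", flat)
    return result.group(1).lower(), (ip.group(1) if ip else None)


# Constructed samples (TEST-NET addresses, not real infrastructure).
BOX_IP = "192.0.2.25"
RECORD_NEUTRAL = "v=spf1 ?all"                   # domain states no opinion
RECORD_NO_ALL = "v=spf1 ip4:198.51.100.0/24"     # box not listed, no "all"
RECORD_FIXED = "v=spf1 ip4:192.0.2.25 ~all"      # lists the box, softfails others
SAMPLE_HEADER = (
    "Received-SPF: neutral (mx.example.net: 192.0.2.25 is neither permitted\n"
    "    nor denied by domain of www-data@example.org) client-ip=192.0.2.25;\n"
    "    envelope-from=www-data@example.org; helo=vps.example.org;"
)

if __name__ == "__main__":
    for rec in (RECORD_NEUTRAL, RECORD_NO_ALL, RECORD_FIXED):
        print(f"{rec!r:45} -> {evaluate_spf(rec, BOX_IP)}")
    print(parse_received_spf(SAMPLE_HEADER))
```

Both the “?all” record and a record that simply omits the box’s IP evaluate to neutral; only a record that lists the sending address yields pass.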

References:
Ubuntu documentation to install Exim4
OpenSPF

rootkit

Problems..they never stop!

(9-12/6)
I have set up a file server running on a Dell PowerVault 725N using Win2k3 as the OS (Windows..makes life easier..). The box was set to join the domain of PKK’s network so that every authorized user may access the box. Working with the access rules, domain configuration, etc. is something new to me. After spending about 2 hours trying to understand and experimenting with the configs, the box was successfully accessible throughout the network. I have also set a pointer record in the domain controller to resolve the box’s IP address. Everything went fine and I even ran a few tests to make sure it is 100% ready for deployment. The only thing left to do is to see the box’s user tomorrow morning and teach her the steps to insert the data.

The next day, when I was about to give the step-by-step tutorial to the user, I tried to connect to the box from the user’s PC but it was inaccessible. It gave me error messages that the target path was not found and that I had no authorization to log in to the target machine. Then I checked the DNS settings on the domain controller - no problems found, checked the shared folder permission settings - no problems found. Strange. I went back to the server and reset the access permissions, but it was still inaccessible. The ACL was intact, no changes whatsoever. Then I figured it must be viruses messing with the box configuration. But after running a few manual checks (still no AV installed), I couldn’t find any modification to the system/registry. Then I installed Symantec AV, but the AV sucked so much that I had to remove it half an hour after installation. It uses too much memory and it couldn’t detect any problem (I am SURE there must be something hidden inside the system). Then I installed Kaspersky but it could not get the latest updates. It gave an “Unable to resolve DNS” error. Something had overridden the DNS table and even flushdns wouldn’t work. This is not some ordinary virus, it must be some kind of worm/rootkit. So, I installed GMER, a rootkit detector/remover. After running a scan, it detected that a “service” was hooking into the svchost process and had made changes to the registry. Positive rootkit activity!..fuck!..I disabled the service and the Kaspersky updates were successful, but the AV also failed to detect the rootkit source. Manual removal of the registry strings was unsuccessful. I could not delete/modify any of the modified settings. I deleted one of the hooked svchosts and restarted the box, but Windows gave a startup error and after running another rootkit scan, the “service” was started AGAIN! damn!
It’s impossible to delete the “service” as it is hooked into a Windows file and even after I disable the service, the modified registry settings override my changes!

What the rootkit does:

  • modify registry settings and include itself as a legit system process
  • block all DNS pointing to EVERY anti virus/anti rootkit site (EVERY site like Nod32, AVG, Symantec, etc.)
  • modify security policy settings, blocking all network connection

This is the cause of my problem. It overrides the security policy, removes EVERYONE’s access from the network and added 2 fake users with random strings as the username.
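One common way malware cuts a box off from anti-virus and anti-rootkit sites is to pin their hostnames in the hosts file to an address that goes nowhere, so the names “resolve” but never reach the vendor. The Python below is an added example, not from the post, and does not claim that this is the mechanism the rootkit above used: it scans constructed hosts-file content for security-vendor names mapped to sinkhole addresses. The vendor token list and sample entries are assumptions for illustration.

```python
import ipaddress

# Added example (not from the post). Substrings of vendor/update domains
# worth protecting; illustrative, extend with whatever your tooling uses.
SECURITY_DOMAIN_TOKENS = (
    "kaspersky", "symantec", "avg.", "eset", "nod32", "gmer", "windowsupdate",
)

# Constructed sample in Windows hosts-file syntax (not a real dump).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      fileserver.example.local    # legitimate local entry
127.0.0.1       www.kaspersky.com downloads1.kaspersky-labs.com
0.0.0.0         liveupdate.symantecliveupdate.com
127.0.0.1       www.gmer.net
"""


def parse_hosts(text: str):
    """Yield (address, hostname) pairs; one line may name several hosts."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower()


def is_sinkhole(address: str) -> bool:
    """True if traffic to `address` can never reach a public web site."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True                              # garbage address also blocks
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def find_hijacked_security_hosts(hosts_text: str):
    """Return [(hostname, address)] for security-vendor names pinned to a
    sinkhole address; an empty list means nothing suspicious was found."""
    hits = []
    for address, name in parse_hosts(hosts_text):
        if name == "localhost":
            continue                             # the one loopback entry that belongs
        if any(tok in name for tok in SECURITY_DOMAIN_TOKENS) and is_sinkhole(address):
            hits.append((name, address))
    return hits


if __name__ == "__main__":
    for name, address in find_hijacked_security_hosts(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {address}")
```

On a real box, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) instead of the sample; a hit is a lead to investigate, not proof by itself.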

So, how do I remove the rootkit?
- I formatted the box again. As simple as that, since I cannot remove it manually.

After a fresh installation of Win2k3, the settings that took almost 2 hours the first time only take about 10 minutes now.

The question that still bothers me: where did the rootkit come from?
I left the box untouched for not more than 20 hours after the OS installation, I didn’t access the internet, etc. Where is the source?

Finally, Ubuntu 9.04 on PE4600

Last week was my battle with OS installation on the Dell PowerEdge 4600 and after several failed Fedora installations on the box, I finally managed to get Ubuntu 9.04 running as the system! A big relief for a n0ob like me. So, the OS problem was settled and it took me the whole day (last Tuesday) to finish the installation on a couple of servers. Application installation and updates went smoothly. Among the installed components were OpenSSL for additional cryptography on the box for web apps deployment, Apache2 as the web server, MySQL as the database engine, PHPMyAdmin for database management and VSFTPD for FTP server deployment. Another box (intended as the application server) was left untouched after the OS installation as we were running out of DMZ ports on the router.

The server will be used as PKK’s new web server and the next day, web development began. The old site uses Joomla 1.0 with about 14000+ user profiles that have to be transferred to the Joomla 1.5 database. The migration was a bit difficult and confusing, not only because of the massive amount of data that I have to handle, but also because of the differences between both versions’ database structures. However, the migration was successful and all of the user profiles remain intact.

Fedora 10 on PowerEdge 4600

I installed Fedora Core 6 on the Dell PowerEdge 4600 before and this whole week I’ve been trying to upgrade the previous installation to Fedora 10. However, I can’t get it running on the box. The installation goes smoothly without any error but whenever I have to reboot the system to complete the installation, it cannot load the newly installed OS. I keep getting many types of errors, SCSI…PS/2…boot…dev/sda…fail…bla..bla..and bla…I have no idea how to eliminate all of those stupid warnings. I’ve tried fixing the BIOS, boot, RAID config, etc. but it seems that nothing I’ve done is working. The errors are still there! damn!…I’m getting tired of those stupid servers! I’ve got 3 boxes to set up by next week, one for a web server, another for an application server and the last one for a proxy server. Previously all of them were running Windows Server 2k/2k3 and my job is to eliminate those Wins from the boxes.

I will be trying Ubuntu 9.04 on those boxes next week. I want to test Fedora 11 on those boxes but the launch date of Fedora 11 Leonidas has been extended from 2nd to 9th June 2009.

Fedora Core on Dell PowerEdge 4600

After failing miserably (this whole week!) to run Ubuntu 8.10 (Intrepid Ibex) on the Dell PowerEdge 4600, today I successfully installed Fedora Core 6 on the box. At first, when I got the chance to work with the quite-old server (6 years old), I wasn’t aware of any OS related issues with it, so I just went on with my favourite distro (Ubuntu), formatted the whole disks and installed Intrepid as the server’s new operating system. But then whenever the box was rebooted, the only things that appeared after the BIOS startup were “Error Loading Operating System” and “Missing Operating System”. At first, I thought it was my fault, that maybe I had done something wrong during the installation process, RAID settings, etc. but after trying several times I am sure that it was caused by the box itself. Googling for the problem didn’t help much. When I came across the PE4600 user guide, I found that the only operating systems supported by the PE4600 are:

  • Microsoft® Windows NT® 4.0 Server
  • Microsoft Windows® 2000 Server and Advanced Server
  • Red Hat Linux 7.x
  • Novell® NetWare® version 5.x

No wonder the installations before were complete failures. Then I looked for other Linux OSes in the CD archive but most of them were either damaged, “partial” (missing parts) or outdated (…and they have about 5 same-version Ubuntu discs..wow!). The only working discs were Fedora Core 6 (on 4 CDs), a 2006 distro…duh! I had no choice but to use it because:

  • the PE4600 can only read CDs as it has no DVD drive (…it’s really fucking old…)
  • no more CD stock at the moment..
  • I’ve wrongly downloaded the Fedora 10 live CD, and the installation failed on that..
  • Fedora has some relation to RHL, I “think” it will meet the OS requirement..
  • …..I’m in a hurry!

Inserted the first CD, chose the options and removed all GUI leaving only the core components, and there it goes…a smooth and successful installation!

The “new” box is running, but without a proper network connection. Then I reconfigured the network settings and set up the static IP address for the eth0 adapter (the other two NIC slots were not used). The box was running fine on the network, but without a connection to the WAN. damn!…I forgot to add the nameserver record.

Edited the /etc/resolv.conf file, added the DNS server’s address, nameserver 10.x.x.x, to the record and voila!…success!

*side note: Kris Allen won A.I 2009!…sucks. Adam was way better…so was Allison

Lecturer reports video clip insulting Islam

GEORGETOWN: A Universiti Sains Malaysia (USM) lecturer today lodged a police report regarding a video clip on a website that allegedly insults and mocks Islam.

The lecturer at USM’s Department of Communication, Assoc. Prof. Muhammad Hatta Muhammad Tabut, said the 1 minute 23 second video clip was uploaded to the website http://www.youtube.com by someone calling himself “Streeticeshark” about two months ago.

“The video clip shows a man wearing jeans and no shirt worshipping an excerpt of Quranic verses while saying, ‘the Prophet (pbuh) said, let all of us Malays eat pork’.

“The video clip, which also shows him mimicking the call to prayer, has been viewed by 9,032 visitors to the international website,” he told reporters after lodging a police report at the Jalan Patani police station here today.

Muhammad Hatta said his side had carried out an investigation and the Internet Protocol (IP) address on the website in question showed that it was registered in Kota Baharu, Kelantan.

“We hope the responsible parties will investigate and take firm action to prevent such things from recurring,” he said. - Bernama

source: Berita Harian

I saw this news just now in the Mutakhir headlines and it reminded me of this video, which I seem to have seen before. When I looked back through my browser history and at the video clip, only then did I confirm that I really had watched this thing before. Reporting it to the police is a good move; at least after this there won’t be any more idiots who like to put video clips like that on the internet. There’s only one thing in the news that caught my attention, which I have bolded. How the heck can he trace the IP of the user?..unless he’s a YouTube admin or he is in contact with YouTube staff (which I doubt!)..Maybe it was misreported by a journalist who doesn’t know the ins and outs of computers, or the lecturer didn’t know how to describe the situation. Actually the location is stated clearly on his (the poster’s) profile (whether it’s true or not is another story..), no need to do stupid IP tracing la..

Anyway, the statement “his side had carried out an investigation and the Internet Protocol (IP) address on the website in question showed” makes him look super-fucking-cool, like he’s some sort of hacker or working with some special organization that can track and trace users’ IPs without having to ask YouTube’s permission, etc.

cool huh!

slowband to broadband

A week without internet is VERY terrible. I hadn’t been online since the Chinese New Year holiday (last week) until today (2 Feb.). I was just using the ‘ala kadar’ (makeshift) internet connection via the unstable Celcom Blue 24-hour internet subscription and wasted about RM20++ just to do some basic stuff (emails, fb, news, etc.). And today (2 Feb.), at about 6PM I tried to switch on my modem and luckily the modem’s DSL light was blinking, something I had been waiting for since a week ago. All of the fuss was caused by the stupidly-low-quality-retarded-shit Aztech DSL 605EU modem, which was damaged within ~5 months of the purchase date, an insanely short lifetime for a modem. And another worse thing is that I’ve lost the warranty card! It’s the house maid’s fault since she always messes up all my things. I wouldn’t recommend any Aztech stuff again after this. duh!

As soon as I got back online for a few hours, suddenly it was my lappy’s turn to ‘buang tebiat’ (act up) and my hosting was also down for 5 hours. The wireless network adapter (Broadcom) suddenly went crazy and could not be detected by the device manager. duh!..it’s like “sudah jatuh ditimpa tangga” (literal translation: after falling, the ladder falls upon you.) (meaning: after one bad thing, another follows.). Luckily I had a 10M CAT 5e cable which I used 2 years ago during my stay in the hostel and now my lappy depends on the cable for its internet connection. It has been a very tiring day..hmm…

I’ll upload some pics taken during the CNY holidays tomorrow.

brute force on ssh

I was doing a bit of maintenance on my server when I discovered a brute force attempt on port 22 (SSH). The brute force activity comes from several IP addresses and it seems that the crackers were targeting the root account and, in some cases, using dictionary attacks on the username.

The IP addresses involved in the cracking activity were 61.132.120.221 / 190.2.37.65 / 85.25.144.136 / 85.14.221.75 / 69.80.235.135 / 202.129.29.133 (brute forcing the root account) and 61.136.145.5 / 85.14.221.75 / 202.129.29.133 / 190.65.162.154 / 74.63.192.11 (brute forcing user accounts). The worst fucking culprit in the cracking activity is 85.25.144.136, which has kept on attacking for the past 3 days. Geez! What a fucking auto-bot. The IPs were traced back to some boxes, probably zombies, and some were coming from various locations throughout China, the USA, etc.

To prevent the fuckers / future fuckers from flooding my log files with shitz, I could easily change the SSH port (/etc/ssh/sshd_config) to something other than the default (port 22), but I’m afraid this might affect some configs on the HyperVM control panel, and if they’re doing port scanning on my box, they can still find the SSH port and continue their attack. Instead, I’ll use iptables as a firewall to block any unauthorized attempts on the SSH console.

Since my box is not equipped with iptables, I need to install the package first. A simple installation using apt-get:

root@vps:~# apt-get install iptables

Then I reconfigured my box to drop any ICMP request so that it will not respond to pings. This is useful to prevent host discovery and target scanning.

root@vps:~# iptables -A INPUT -p icmp -j DROP

And then, to prevent attacks on the ssh port, I install SSHGuard:

root@vps:~# apt-get install sshguard

Following the documentation page, I reconfigured SSHGuard to suit my system using syslog and iptables.

Create a new blocking chain for sshguard:
root@vps:~# iptables -N sshguard

Protect port 22 using sshguard:
root@vps:~# iptables -A INPUT -p tcp --dport 22 -j sshguard

**to install the killall command (as in the instructions), run:

apt-get install psmisc

The new iptables list is as below:

root@vps:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       icmp --  anywhere             anywhere


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (1 references)
target     prot opt source               destination

Finally, I rebooted my box for the new configuration to take effect. Now, die Noobs!

**Update:

After a few hours of setting up the firewall, I got my first victim! Kill sKiddies! Die Noobs!

The victim’s IP is now blocked from accessing my server for a certain time:

root@vps:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       icmp --  anywhere             anywhere


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  89-97-241-4.ip19.fastwebnet.it  anywhere

All requests from every protocol (tcp, udp, etc.) on every port from the attacker’s hostname are dropped. The auth.log file shows the actions that sshguard performed on the attacker’s IP:

root@vps:~# cat /var/log/auth.log
Jan 20 17:27:58 vps sshguard[3511]: Releasing 89.97.241.4 after 521 seconds.
Jan 20 17:27:58 vps sshguard[3511]: Setting environment: SSHG_ADDR=89.97.241.4;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Jan 20 17:27:58 vps sshguard[3511]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.

The IP is blocked for 521 seconds (about 9 minutes) and after that the IP is automatically removed from iptables. Although the ban is not permanent, this can stop automatic bots from continuing to waste my bandwidth and flooding my log file with crapz.
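The auth.log excerpt shows the lifecycle sshguard applies: failures accumulate per source, the source is blocked in the sshguard chain, then released after a pardon time (521 seconds above). The Python below is an added example, not from the post or the sshguard project; it parses constructed OpenSSH log lines (TEST-NET addresses) and models that lifecycle with an illustrative threshold of 3 failures, so its numbers are not sshguard’s own defaults.

```python
import re
from collections import defaultdict

# Added example (not from the post or sshguard). Constructed auth.log lines
# in OpenSSH's format: one source hammers root, another tries dictionary
# usernames, and one line is a legitimate key login that must be ignored.
SAMPLE_AUTH_LOG = """\
Jan 20 17:10:01 vps sshd[2101]: Failed password for root from 192.0.2.10 port 4422 ssh2
Jan 20 17:10:03 vps sshd[2101]: Failed password for root from 192.0.2.10 port 4423 ssh2
Jan 20 17:10:09 vps sshd[2107]: Failed password for invalid user oracle from 198.51.100.7 port 51000 ssh2
Jan 20 17:10:12 vps sshd[2107]: Failed password for invalid user test from 198.51.100.7 port 51001 ssh2
Jan 20 17:10:20 vps sshd[2110]: Accepted publickey for admin from 203.0.113.5 port 50022 ssh2
Jan 20 17:10:25 vps sshd[2112]: Failed password for root from 192.0.2.10 port 4424 ssh2
Jan 20 17:10:30 vps sshd[2113]: Failed password for root from 192.0.2.10 port 4425 ssh2
"""

# Anchored at the end of the line so the source IP is always the token right
# before "port"; the username is attacker-chosen, so a name like
# "x from 1.2.3.4" must not be able to spoof the address (it is swallowed by (.+?)).
FAILED_LOGIN = re.compile(
    r"^(\w{3} {1,2}\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(.+?) from (\S+) port \d+ ssh2$"
)

def seconds_of_day(stamp: str) -> int:
    """'Jan 20 17:10:01' -> seconds since midnight (enough for one day's log)."""
    h, m, s = stamp.split()[-1].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)

class SshGuardModel:
    """Count failures per source; block at `threshold`; release after `pardon`
    seconds, as the post's "Releasing ... after 521 seconds" line shows."""

    def __init__(self, threshold: int = 3, pardon: int = 521):
        self.threshold, self.pardon = threshold, pardon
        self.failures = defaultdict(int)   # ip -> failures since last release
        self.blocked = {}                  # ip -> time the block expires
        self.events = []                   # (time, "block" | "release", ip)

    def expire(self, now: int) -> None:
        """Lift blocks whose pardon time has passed (iptables -D sshguard ...)."""
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                self.failures[ip] = 0
                self.events.append((now, "release", ip))

    def feed(self, line: str) -> None:
        m = FAILED_LOGIN.match(line)
        if not m:
            return                         # accepted logins and other noise
        stamp, _user, ip = m.groups()
        now = seconds_of_day(stamp)
        self.expire(now)
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold and ip not in self.blocked:
            self.blocked[ip] = now + self.pardon   # iptables -A sshguard -s ip -j DROP
            self.events.append((now, "block", ip))

def run_guard(log_text: str, **kwargs) -> SshGuardModel:
    """Replay a whole log through the model and return it for inspection."""
    guard = SshGuardModel(**kwargs)
    for line in log_text.splitlines():
        guard.feed(line)
    return guard
```

Replaying the sample blocks 192.0.2.10 at its third failure (17:10:25); calling expire() with a time 521 seconds later releases it and resets its counter, while the dictionary attacker with two failures is never blocked.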

New VPS again

I bought a new box a few weeks ago but hadn’t used it until today. I have just set up a simple HTTP server with PHP support using Lighttpd with PHP CGI. A step-by-step installation procedure is below, starting from adding the repositories up to getting the web server running. Btw, I’m using Ubuntu Linux as my distro (I like it very much!).

The first and most basic thing to do is to install a text editor, since a new box will only have the server core without any software installed. I chose nano as it’s the most basic and easiest text editor to use.

root@vps:~# apt-get install nano

Then, proceed with adding extra repositories.

root@vps:~# nano /etc/apt/sources.list

and add the Universe and Multiverse repositories.

deb http://us.archive.ubuntu.com/ubuntu/ hardy universe
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy universe
deb http://us.archive.ubuntu.com/ubuntu/ hardy-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy-updates universe

deb http://us.archive.ubuntu.com/ubuntu/ hardy multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy multiverse
deb http://us.archive.ubuntu.com/ubuntu/ hardy-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy-updates multiverse

Then run an update to get the latest release.

root@vps:~# apt-get update

Install new applications on the box. In my case, I’ll install zip, unzip, rar, unrar and wget since these will be handy should I download something to my box and need to extract the contents.

root@vps:~# apt-get install {zip,unzip,rar,unrar,wget}

I’m using the { } (curly brackets) to install multiple packages at once.

The next step is to install Lighttpd with all of the required components.

root@vps:~# apt-get install lighttpd
#this will install lighttpd web server

root@vps:~# apt-get install php5-cgi
#this will install php5-cgi (compatible with lighttpd)

root@vps:~# lighty-enable-mod fastcgi
#this will enable fastCGI support in lighttpd

root@vps:~# apt-get install php5-curl
#this will install curl for php

After that, reload the web server.

/etc/init.d/lighttpd force-reload

You can also edit the lighttpd server settings on /etc/lighttpd/lighttpd.conf and reload the server once more after making changes.

A new web server is now running and ready to serve!

Google’s new favicon

I just realized that Google has changed their favicon.

Google’s new favicon


The new favicon story was posted on the Official Google blog.
