
Category 'Security'

Exim4 on Ubuntu 9.04

I’ve been working throughout the whole week to solve the send mail problem on the new box. The thing is that I have created an online form and the completed form should be sent to an appointed email address. I have been using Sendmail as the MTA (Mail Transport Agent) but it fails to function properly. The log file shows that it failed to send the email to the appointed email hosts, and whenever it spots the same domain name (local), it won’t send the email although I have continuously changed the settings, rebooted the box, edited php.ini, etc. I tried to find solutions in the Ubuntu Forums and some of them suggest replacing the MTA, Sendmail, with Exim. I have been a Sendmail user since my first cup of Ubuntu as it is used with the default PHP configuration and I never tried Exim, but since Sendmail is not working as it is supposed to, I’m giving Exim a try. A couple of my first trials with Exim still didn’t solve the matter and I had to reinstall it a couple of times since I had messed with the configuration file. Thankfully apt-get saves most of my time. (just run apt-get install exim4 <- current version)

The configuration of Exim is more user friendly than Sendmail’s and it’s easier to understand the settings, as the configuration’s user interface takes you step by step with details and explanations. To configure Exim through the user interface, the following command should be issued;

dpkg-reconfigure exim4-config

Manual configuration can be done by editing the /etc/exim4/update-exim4.conf file, but then we have to run;

update-exim4.conf

and restart the exim4 process for the configuration to take effect. The process should be running and listening on port 25 (smtp)

Exim4 process running and listening on port 25

To check the installation, run the mail command (install mailutils first), try sending a mail and refer to the log file for the status. The mail may arrive late in your inbox the first time, sometimes delayed by up to 7 hours as it may be queued for a spam check by the recipient server, but it should be OK after that.

Send mail and tail the log

There seems to be no error whatsoever in the log but I can’t receive the mail on my Yahoo account. The previous log says that Yahoo gives a “421 message deferred” error. It seems that Yahoo is filtering the message and considering it as spam, etc. No luck on Yahoo I guess..whatever..I won’t be using Yahoo for the apps. (and I don’t want to waste my time contacting them). I tried to figure out why the message could not be received by Yahoo Mail and I think it must be something related to the mail header. So I opened the received mail in my Gmail account and inspected the message header;

email header shows SPF: Neutral

The SPF (Sender Policy Framework), an extension of RFC2822, shows that the query was neutral. Maybe Yahoo Mail is being strict on this…maybe. As you can see in the above image, inspecting email headers is very interesting too as you can trace the sender’s IP, location, mail client, etc. These are some of the tricks used to bust spammers, anonymous mailers, etc. hehe~. In the end, Exim works as my box’s new MTA.
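A neutral result means the sending domain’s SPF policy says nothing for or against the box’s IP. To make the possible results concrete, here is an added Python evaluator (not from the original post and not any real checker’s code) for the ip4, ip6 and all mechanisms, run against constructed records for made-up domains; the mechanisms that need DNS lookups are left out.

```python
import ipaddress

# Constructed sample SPF records for made-up domains (not any real domain's policy).
SAMPLE_RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "neutral.example": "v=spf1 ip4:198.51.100.7 ?all",
    "soft.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "norecord.example": "",
}
# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate an SPF record for the connecting IP: left to right, first match wins.
    Only ip4, ip6 and all are implemented (a, mx, include, exists, ptr, redirect= need
    DNS lookups). Returns one of: none, pass, fail, softfail, neutral, permerror."""
    if not record:
        return "none"  # the domain publishes no policy at all
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # no prefix means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # a modifier such as exp= or redirect=
            if term.lower().startswith("redirect="):
                raise NotImplementedError("redirect= needs a DNS lookup")
            continue  # other modifiers do not change the result
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if mech in ("a", "mx", "include", "exists", "ptr"):
            raise NotImplementedError(f"{mech} needs a DNS lookup")
        return "permerror"  # unknown mechanism name
    # Nothing matched and no "all" term: the defined default is neutral, the same
    # result a "?all" record gives, i.e. the "SPF: Neutral" seen in the header above.
    return "neutral"
```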

References:
Ubuntu documentation to install Exim4
OpenSPF

rootkit

Problems..they never stop!

(9-12/6)
I have set up a file server running on a Dell PowerVault 725N using Win2k3 as the OS (Windows..makes life easier.. ). The box was set to join the domain on PKK’s network so that every authorized user may access the box. Working with the access rules, domain configuration, etc. is something new to me. After spending about 2 hours trying to understand and experimenting with the configs, the box was successfully accessible throughout the network. I have also set a pointer record in the domain controller to resolve the box’s IP address. Everything went fine and I even ran a few tests to make sure it is 100% ready for deployment. The only thing left that I have to do is to see the box’s user tomorrow morning and teach her the steps to insert the data.

The next day, when I was about to give the step-by-step tutorial to the user, I tried to connect to the box from the user’s PC but it was inaccessible. It gave me error messages that the target path was not found and that I had no authorization to log in to the target machine. Then I checked the DNS settings on the domain controller: no problems found. Checked the shared folder permission settings: no problems found. Strange. I went back to the server and reset the access permissions, but it was still inaccessible. The ACL is intact, no changes whatsoever. Then I figured it must be viruses messing with the box configuration. But after running a few manual checks (still no AV installed), I couldn’t find any modification on the system/registry. Then I installed Symantec AV, but the AV sucks so much that I had to remove it half an hour after installation. It uses too much memory and it couldn’t detect any problem (I am SURE there must be something hidden inside the system). Then I installed Kaspersky but it could not get the latest updates. It gives an “Unable to resolve DNS” error. Something has overridden the DNS table and even flushdns won’t work. This is not some ordinary virus, it must be some kind of worm/rootkit. So, I installed GMER, a rootkit detector/remover. After running a scan, it detected that a “service” is hooking into the svchost process and has made changes to the registry. Positive rootkit activity!..fuck!..I disabled the service and the Kaspersky updates were successful, but the AV also failed to detect the rootkit source. Manual removal of the registry strings was unsuccessful. I could not delete/modify any of the modified settings. I deleted one of the hooked svchost processes and restarted the box, but Windows gave a startup error and after running another rootkit scan, the “service” was started AGAIN! damn!
It’s impossible to delete the “service” as it was hooked into a Windows file, and even after I disable the service, the modified registry settings will override my changes!

What the rootkit does:

  • modify registry settings and include itself as a legit system process
  • block all DNS pointing to EVERY anti virus/anti rootkit sites (EVERY site like Nod32, AVG, Symantec, etc.)
  • modify security policy settings, blocking all network connection

This is the cause of my problem. It overrides the security policy, removes the EVERYONE access from the network and adds 2 fake users with random strings as the usernames.

So, how do I remove the rootkit?
- I formatted the box again. As simple as that since I cannot remove it manually.

After a fresh installation of Win2k3, the settings that took almost 2 hours the first time only take about 10 minutes now.

The question that still bothers me: where did the rootkit come from?
I left the box untouched for not more than 20 hours after the OS installation, I didn’t access the internet, etc. Where is the source?

brute force on ssh

I was doing a bit of maintenance on my server when I discovered a brute force attempt on port 22 (SSH). The brute force activity comes from several IP addresses and it seems that the crackers were targeting the root account and in some cases they were using dictionary attacks on the username.

The IP addresses involved in the cracking activities were 61.132.120.221 / 190.2.37.65 / 85.25.144.136 / 85.14.221.75 / 69.80.235.135 / 202.129.29.133 (brute forcing the root account) and 61.136.145.5 / 85.14.221.75 / 202.129.29.133 / 190.65.162.154 / 74.63.192.11 (brute forcing user accounts). The worst fucking culprit in the cracking activities is 85.25.144.136, which is still attacking, three days on. Geez! What a fucking auto-bot. The IPs were traced back to some boxes, probably zombies, and some were coming from various locations throughout China, the USA, etc.

To prevent the fuckers / future fuckers from flooding my log files with shitz, I could easily change the SSH port (/etc/ssh/sshd_config) to something other than the default (port 22), but I’m afraid this might affect some configs on the HyperVM control panel, and if they’re doing some port scanning on my box, they can still find the SSH port and continue their attack. Instead, I’ll use iptables as a firewall to block any unauthorized attempt on the SSH console.

Since my box is not equipped with iptables, I need to install the package first. A simple installation using apt-get;

root@vps:~# apt-get install iptables

Then I reconfigured my box to drop any ICMP request so that my box will not respond to any ping request. This is useful to prevent host discovery and target scanning.

root@vps:~# iptables -A INPUT -p icmp -j DROP

And then to prevent attacks on the ssh port, I install SSHGuard;

root@vps:~# apt-get install sshguard

Following the documentation page, I reconfigured SSHGuard to suit my system, using syslog and iptables.

Create a new blocking chain for sshguard;
root@vps:~# iptables -N sshguard

Protect port 22 using sshguard;
root@vps:~# iptables -A INPUT -p tcp --dport 22 -j sshguard

**To install the killall command (as in the instructions), run;

apt-get install psmisc

The new iptables list is as below;

root@vps:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       icmp --  anywhere             anywhere


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (1 references)
target     prot opt source               destination

Finally, I rebooted my box for the new configuration to take effect. Now, die Noobs!

**Update:

After a few hours setting the firewall, I got my first victim! Kill sKiddies! Die Noobs!

The victim’s IP is now blocked from accessing my server for a certain time;

root@vps:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       icmp --  anywhere             anywhere


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  89-97-241-4.ip19.fastwebnet.it  anywhere

All requests on every protocol (tcp, udp, etc.) and every port from the attacker’s hostname are dropped. The auth.log file shows the process that sshguard performed on the attacker’s IP;

root@vps:~# cat /var/log/auth.log
Jan 20 17:27:58 vps sshguard[3511]: Releasing 89.97.241.4 after 521 seconds.
Jan 20 17:27:58 vps sshguard[3511]: Setting environment: SSHG_ADDR=89.97.241.4;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Jan 20 17:27:58 vps sshguard[3511]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.

The IP is blocked for 521 seconds (about 9 minutes) and after that the IP is automatically removed from iptables. Although the ban is not permanent, this can stop automatic bots from continuing to waste my bandwidth and flooding my log file with crapz.
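To make concrete what sshguard is doing behind those log lines, here is an added Python sketch (not sshguard’s code and not from the original post) that reads constructed auth.log lines, flags sources that fail repeatedly inside a time window, and builds the same add/delete rules for the sshguard chain shown above. The failure threshold, the window, the year supplied to the timestamps and the log excerpt itself are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt in OpenSSH's message format (not real traffic).
SAMPLE_AUTH_LOG = """\
Jan 20 17:10:01 vps sshd[2101]: Failed password for root from 198.51.100.23 port 40112 ssh2
Jan 20 17:10:03 vps sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 40118 ssh2
Jan 20 17:10:05 vps sshd[2105]: Failed password for root from 198.51.100.23 port 40120 ssh2
Jan 20 17:10:06 vps sshd[2107]: Failed password for invalid user test from 198.51.100.23 port 40121 ssh2
Jan 20 17:12:40 vps sshd[2111]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Jan 20 17:12:45 vps sshd[2113]: Accepted password for alice from 203.0.113.9 port 51002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2009):
    """Yield (timestamp, username, source_ip) for each failed password attempt.
    syslog lines carry no year, so one is supplied (2009 is an assumed value)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")

def find_offenders(log_text, threshold=4, window_seconds=600):
    """Return {source_ip: sorted usernames tried} for every source with at least
    `threshold` failures in any `window_seconds` span (assumed values, not sshguard's)."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        events[ip].append((ts, user))
    offenders = {}
    for ip, attempts in events.items():
        attempts.sort()  # oldest first, so each start index opens a window
        for i, (start, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if (a[0] - start).total_seconds() <= window_seconds]
            if len(in_window) >= threshold:
                offenders[ip] = sorted({user for _, user in attempts})
                break
    return offenders

def block_commands(ip, ban_seconds=521):
    """The add/delete pair for the dedicated 'sshguard' chain, in the rule form the
    auth.log excerpt above shows; the 521-second ban length is taken from that excerpt."""
    return (f"iptables -A sshguard -s {ip} -j DROP",
            f"iptables -D sshguard -s {ip} -j DROP  # run after {ban_seconds} seconds")
```

The commands are returned as strings for inspection rather than executed, so the script can be run without root on any box.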

RapidShare-Security Lock

Rapidshare has introduced a new security feature for all Premium and Collector’s Account holders. The new feature, called “Security Lock”, will prevent unwanted changes on the “Settings” page, RapidPoints conversion and file transfer. Before this, they introduced a feature to transfer files between Premium/Collector’s accounts, and in my opinion the transfer feature is nice, but it has a big security flaw since it allows anyone who has access to your account to steal all your files and transfer them to another account, as the transfer process doesn’t require any further confirmation from either account owner.

Now, the “Security Lock” feature covers the previous security flaw and it even sends an automated notification to your email if a wrong access code is entered to unlock the security settings!

UMS_Hackers at i-hack 2008

Pictures of the Universiti Malaysia Sabah hacking team (UMS_Hackers) at the International Hacking Competition 2008 (i-hack’08) at UiTM Shah Alam from 14-17 August 2008. Me and Adrian represented UMS_Hackers for the second year. Last year, the team (me, Adrian and blueskrinz) won third place in the Computer Forensic & Defense Challenge and this year (me and Adrian) we won second place in the same category. No luck for us in CTF though. UTP’s Project Tango is still hard to beat.

my name tag. aLzy?? wo0t.

waiting for the other participants’ arrival

reading Utusan Malaysia online while waiting for the others to arrive. see the picture of Saiful Bukhari on my laptop there?..hehe

UMS_Hackers. from left rizal, Adrian, me

me and Adrian going through the questions. the other guy looks like he’s just browsing Friendster.

the REAL UMS_Hackers

Adrian analyzing a log file. no idea what he’s looking for in there.

watching bro. hazrul from Scan-Associates giving away the answer at the end of the challenge

the result? we won la, of course...hehe~

during prize giving ceremony.

winners of CTF and forensic & defense challenge. all of them are from UTP except us la of course.

at Sunway Pyramid’s Wendy’s. eating first before leaving to catch the flight

Danone and the greedy Adrian, wolfing down a triple-decker burger. Adrian feels like throwing up.

Anyway, thanks to my best friend, Mr. Danone, who was willing to be our “driver” throughout the events. He went to all the trouble of taking us around sightseeing (Next time I come over there, I’ll let you know again and you must be on standby as our guide. hehe~)

What’s up with Monsun-biz.com

As the title says, what’s up with Monsun-biz.com?..well, if you watch TV3 you will notice their advertisement. And a few days ago, I went to their website and took a brief look at the contents..it has NOTHING!!..so, what’s up with Monsun-biz.com?..the answer: nothing at all..the site is full of business-type spam..the get-rich-quick kind, etc. and everything. I couldn’t find anything useful there..haha..and what’s more, the site is possibly vulnerable to SQL injection..why?..take a look at this;

monsun-sqler

haha..Invalid Query bla..bla..The site is using PHP Pro Bid, an auction script written in PHP, of course. Besides SQL injection, the site is also vulnerable to Cross Site Scripting (XSS).

It seems that they just wasted money buying a script like that. The script alone costs $217.17 (RM704.17)- based on the website- plus other side charges, it probably comes to more than RM2000. Then payment to the site developer on top…I don’t know how much la, but obviously it’s very expensive plus the advertisement on TV3..and now they’re depending on their luck, just waiting to be wrecked by those internet criminals. Haha..
