Monday, November 25, 2013

Centos 6.4 how to check if sshd is infected with Fokirtor


First install the packages the check needs:

yum install python-psutil

The script itself only calls /usr/bin/gdb (for gcore) and /usr/bin/strings, which on CentOS 6 come from the gdb and binutils packages, so make sure those are installed as well.

The script hardcodes /bin/pidof, but on CentOS 6 pidof lives in /sbin, so either copy it into place

cp /sbin/pidof /bin/pidof

or change the path in the script to /sbin/pidof. Then download and execute this script (reproduced below):

https://github.com/kumina/nagios-plugins-kumina/blob/master/check_fokirtor.sh



#!/bin/sh
#
# A simple check to see if running ssh processes contain any string that have
# been designated an indication of Fokirtor by Symantec.
#
# More info here:
# http://www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol
#
# (c) 2013, Kumina bv, [email protected]
#
# You are free to use, modify and distribute this check in any way you see
# fit. Just don't say you wrote it.
#
# This check is created for Debian Squeeze/Wheezy, no idea if it'll work in
# other distros. You'll need gdb-minimal (for gcore) installed.

# We need to be root (attaching to sshd and dumping its memory needs ptrace rights)
if [ "$(/usr/bin/id -u)" -ne 0 ]; then
        echo "You need root for this script. Sorry."
        exit 1
fi

# For all pids of the ssh process, do the check
for pid in $(/bin/pidof sshd); do
        # Temporary file for the core image. It contains sshd's memory (host
        # keys, session keys), so make sure it goes away even if we get killed.
        t=$(/bin/mktemp)
        trap 'rm -f "$t"' EXIT INT TERM

        # Attach with gdb, write the process memory to $t, detach again.
        /usr/bin/gdb </dev/null --nx --batch \
          -ex "set pagination off" -ex "set height 0 " -ex "set width 0" \
          -ex "attach $pid" -ex "gcore $t" -ex detach -ex quit

        # Count how many of the six marker strings occur followed by a digit.
        # Matches are printed so that a hit leaves the evidence in the output.
        i=0
        for str in hbt= key= dhost= sp= sk= dip=; do
                if /usr/bin/strings "$t" | /bin/grep "${str}[[:digit:]]"; then
                        i=$((i + 1))
                fi
        done
        /bin/rm -f "$t"

        # Only alarm when all six markers are present (exit 2 = Nagios CRITICAL).
        if [ "$i" -eq 6 ]; then
                echo "CRITICAL: Fokirtor strings found in sshd process ${pid}!"
                exit 2
        fi
done
echo "OK: No indication of Fokirtor found."
exit 0
After that you will see output like this:
[Thread debugging using libthread_db enabled]
0x00007f5b2e4d7513 in __select_nocancel () from /lib64/libc.so.6
Saved corefile /tmp/tmp.Q89Sku0vPN
[Thread debugging using libthread_db enabled]
0x00007f5b2e4d1630 in __read_nocancel () from /lib64/libc.so.6
Saved corefile /tmp/tmp.QLWtlfoMok
[Thread debugging using libthread_db enabled]
0x00007f5eb920d513 in __select_nocancel () from /lib64/libc.so.6
Saved corefile /tmp/tmp.1d41QbCaA3
[Thread debugging using libthread_db enabled]
0x00007f5eb9207630 in __read_nocancel () from /lib64/libc.so.6
Saved corefile /tmp/tmp.lXIzRAYB4g
[Thread debugging using libthread_db enabled]
0x00007eff8f06c513 in __select_nocancel () from /lib64/libc.so.6
Saved corefile /tmp/tmp.e4QmwlYJtT
OK: No indication of Fokirtor found.

gdb prints one attach/detach block per sshd process (the listener plus the child processes of every open session), each followed by the path of the core file it wrote; the script greps those files and deletes them. Three things to keep in mind: attaching stops each sshd process for the duration of the dump, so active sessions pause briefly; the core image is a copy of sshd's memory, host private keys included, so if the script is interrupted remove any leftover /tmp/tmp.* file yourself; and the check is a plain string signature taken from Symantec's write-up, so an OK result only means these six markers were not found, not that the host is clean.
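The same six-marker test can be run without attaching a debugger to sshd at all. The following is an added example for this post, not part of the original page or of the Kumina script: it applies the identical decision rule (each marker followed by a digit, all six required) either to a byte buffer such as a saved core file, or, on Linux as root, to a live process by reading /proc/<pid>/maps and /proc/<pid>/mem. The SAMPLE_* buffers and the script name check_fokirtor.py are constructed for the example.

```python
#!/usr/bin/env python3
"""Scan sshd memory for the Fokirtor marker strings without gdb/gcore.

Added example (not the original post's or Kumina's code). Same markers and
decision rule as check_fokirtor.sh; reads process memory via /proc instead of
dumping a core with gdb. SAMPLE_CLEAN / SAMPLE_INFECTED are constructed data.
"""
import re
import sys

# Marker strings from the Symantec write-up, as used by check_fokirtor.sh;
# the shell check only counts a marker when a digit follows it.
INDICATORS = (b"hbt=", b"key=", b"dhost=", b"sp=", b"sk=", b"dip=")
PATTERNS = {m: re.compile(re.escape(m) + rb"[0-9]") for m in INDICATORS}

CHUNK = 4 << 20    # read process memory 4 MiB at a time
OVERLAP = 16       # longer than any marker plus digit, so none is split by chunking


def matched_indicators(data):
    """Return the set of markers that occur in `data` followed by a digit."""
    return {m for m, pat in PATTERNS.items() if pat.search(data)}


def is_suspicious(found):
    """Decision rule of the shell check: all six markers must be present."""
    return found == set(INDICATORS)


def scan_bytes(data):
    """Classify one buffer (e.g. the contents of a gcore file)."""
    found = matched_indicators(data)
    return is_suspicious(found), found


def readable_regions(pid):
    """Yield (start, end) of readable mappings of `pid` from /proc/<pid>/maps.

    [vvar] and [vsyscall] are skipped: reading them fails or is pointless.
    """
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            fields = line.split()
            addr, perms = fields[0], fields[1]
            name = fields[5] if len(fields) > 5 else ""
            if "r" not in perms or name in ("[vvar]", "[vsyscall]"):
                continue
            start, end = (int(x, 16) for x in addr.split("-"))
            yield start, end


def scan_pid(pid):
    """Scan a live process (needs root / ptrace rights on the target).

    Returns (suspicious, found_markers). Regions that cannot be read are
    skipped instead of aborting, so a negative result may be partial.
    """
    found = set()
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for start, end in readable_regions(pid):
            tail, pos = b"", start
            while pos < end:
                try:
                    mem.seek(pos)
                    buf = mem.read(min(CHUNK, end - pos))
                except (OSError, OverflowError):
                    break
                if not buf:
                    break
                found |= matched_indicators(tail + buf)
                tail = buf[-OVERLAP:]
                pos += len(buf)
    return is_suspicious(found), found


# Constructed samples: markers that a normal sshd heap might contain but never
# followed by a digit, versus a fragment carrying all six in the flagged form.
SAMPLE_CLEAN = b"SSH-2.0-OpenSSH_5.3\x00key=\x00dhost=localhost\x00sp=\x00hbt=x"
SAMPLE_INFECTED = (b"\x00hbt=30\x00key=0123abcd\x00dhost=192.0.2.10\x00"
                   b"sp=443\x00sk=7\x00dip=198.51.100.5\x00")


if __name__ == "__main__":
    # Usage: check_fokirtor.py $(pidof sshd)
    status = 0
    for arg in sys.argv[1:]:
        suspicious, found = scan_pid(int(arg))
        label = "CRITICAL" if suspicious else "OK"
        print(f"{label}: pid {arg}: {len(found)}/{len(INDICATORS)} markers {sorted(found)}")
        if suspicious:
            status = 2
    sys.exit(status)
```

Because scan_pid reads memory while sshd keeps running, the snapshot is not atomic and unreadable regions are skipped, so a positive result is stronger than a negative one. It is also, like the shell check, a signature: a variant that renames its configuration keys will not be flagged.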

Thursday, November 14, 2013

Bash: Timestamp in bash history



The bash history is a useful thing for recalling commands you entered on a system. But it is not only a memory aid: on a multi-user system it also lets you see which commands a user ran after that user has logged out. That becomes really interesting when you spot a problem such as a missing file and want to know whether someone removed it.
By default, though, you only get the commands themselves, not when they were entered, and that timing can be the important part. Since Bash 3.0 there is a way to add timestamps to the bash history.



It is quite easy to configure: you just need to set one environment variable, HISTTIMEFORMAT, in your bashrc scripts. I prefer a system-wide script over a user-specific one, so I append the line to /etc/bash.bashrc on my Ubuntu system (on CentOS/RHEL the equivalent is /etc/bashrc, or a file under /etc/profile.d/).

export HISTTIMEFORMAT="%F %T "

Keep the trailing space: it is the only separator between the timestamp and the command in the history output.

HISTTIMEFORMAT uses the format of strftime; %F is the ISO date and %T the 24-hour time, and the full list of conversion specifiers is in man 3 strftime.

After modifying your file start a new shell, type some commands, call history and see the magic:

:> history
(...)
  501  2009-01-29 21:12:16 history
  502  2009-01-29 21:12:54 sudo vi /etc/bash.bashrc 
  503  2009-01-29 21:13:04 /bin/bash 
  504  2009-01-29 21:13:11 history

Once HISTTIMEFORMAT is set, bash also writes the timestamps into ~/.bash_history when the history is saved (on exit, or with history -a), as a comment line holding the Unix epoch seconds directly above each command:

#1233259936
history
#1233259974
sudo vi /etc/bash.bashrc 
#1233259984
/bin/bash 
#1233259991
history
#1233260151
less .bash_history 
#1233260157
exit
You just made your system a little better to control. Bear in mind, though, that the user owns ~/.bash_history and can unset HISTTIMEFORMAT or HISTFILE or edit the file, so this helps you reconstruct what happened but is not a tamper-proof audit trail; for that, use auditd.

found at: http://larsmichelsen.com/open-source/bash-timestamp-in-bash-history/
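When you actually have to answer "who removed that file, and when", you end up reading the raw history file rather than the history builtin. Here is an added example (not from the original article) that parses a ~/.bash_history written with HISTTIMEFORMAT set, pairs each #epoch line with the command that follows it, keeps older unstamped entries from before the setting was enabled, and searches a time window for matching commands. SAMPLE_HISTORY is constructed test data modelled on the listing above; times are rendered in UTC for reproducibility, which is one hour behind the local (CET) times shown in the post.

```python
#!/usr/bin/env python3
"""Parse a ~/.bash_history that carries HISTTIMEFORMAT timestamps.

Added example, not part of the original article. Bash writes each timestamp as
a comment line "#<epoch seconds>" immediately before the command it belongs to;
entries recorded before HISTTIMEFORMAT was set have no such line.
SAMPLE_HISTORY below is constructed test data.
"""
import re
from datetime import datetime, timezone

# Exactly what bash writes: '#' followed only by digits. A user comment such as
# "# 1234" (with a space) is not a timestamp and is kept as a command line.
TIMESTAMP_LINE = re.compile(r"^#(\d+)$")


def parse_history(text):
    """Return a list of (epoch_seconds or None, command) in file order."""
    entries = []
    pending = None
    for line in text.splitlines():
        m = TIMESTAMP_LINE.match(line)
        if m:
            pending = int(m.group(1))
            continue
        if not line:
            continue
        entries.append((pending, line))
        pending = None  # a stamp applies to exactly one command
    return entries


def render(entries, fmt="%Y-%m-%d %H:%M:%S ", tz=timezone.utc):
    """Format like `history` with HISTTIMEFORMAT="%F %T "; unstamped entries get no date."""
    lines = []
    for n, (ts, cmd) in enumerate(entries, 1):
        stamp = datetime.fromtimestamp(ts, tz).strftime(fmt) if ts is not None else ""
        lines.append(f"{n:5d}  {stamp}{cmd}")
    return lines


def find_commands(entries, pattern, since=None, until=None):
    """Commands matching `pattern` (regex), optionally within [since, until] epoch seconds.

    When a window is given, unstamped entries cannot be placed in time and are
    excluded rather than silently included.
    """
    rx = re.compile(pattern)
    hits = []
    for ts, cmd in entries:
        if not rx.search(cmd):
            continue
        if since is not None or until is not None:
            if ts is None:
                continue
            if since is not None and ts < since:
                continue
            if until is not None and ts > until:
                continue
        hits.append((ts, cmd))
    return hits


# Constructed sample: two entries from before HISTTIMEFORMAT was set, then
# stamped entries including a deletion to look for.
SAMPLE_HISTORY = """ls -la
cd /etc
#1233259936
history
#1233259974
sudo vi /etc/bash.bashrc
#1233259984
/bin/bash
#1233260151
rm -f /var/www/html/index.php
#1233260157
exit
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, errors="replace").read() if path else SAMPLE_HISTORY
    entries = parse_history(text)
    print("\n".join(render(entries)))
    for ts, cmd in find_commands(entries, r"\brm\b"):
        print("deletion:", ts, cmd)
```

Run it against a copied history file (python3 script.py /home/user/.bash_history) and pass a window to find_commands built from the mtime of the directory the file disappeared from; anything unstamped in that file predates the HISTTIMEFORMAT change and can only be ordered, not dated.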

A bunch of commands to change UIDS and GIDS


Here's the commands to run as root to change the UID and GID for a user. 
Simply change the variables in angled brackets to match your settings:
 
usermod -u <NEWUID> <LOGIN>    
groupmod -g <NEWGID> <GROUP>
find / -user <OLDUID> -exec chown -h <NEWUID> {} \;
find / -group <OLDGID> -exec chgrp -h <NEWGID> {} \;
usermod -g <NEWGID> <LOGIN>


usermod and groupmod change the UID and GID of the named user and group respectively. usermod -u also chowns the files in the user's home directory, but files can have been created anywhere on the system, so that alone is not enough.
The two find commands walk the filesystem from / and hand every file still owned by OLDUID to chown, and every file still in OLDGID to chgrp. find accepts the numeric ID, which matters because after usermod no name maps to the old UID any more. The -h flag makes chown/chgrp change the ownership of a symlink itself instead of following it.
The final usermod sets the user's primary (login) group to the renumbered group.

A few practical points: run this while the user is logged out and has no processes running, add -xdev to both find commands if network or removable filesystems are mounted under / so you do not rewrite ownership across them, and run find / -user <OLDUID> once more afterwards to confirm nothing was missed.

found at : https://muffinresearch.co.uk/linux-changing-uids-and-gids-for-user/

Tuesday, November 5, 2013

Reset “Use Secure in Front End or Admin” in Database – Magento



by Nick Cron
I ran into an issue this week where I switched on SSL on a development site and then realized the SSL cert was not installed correctly. 

This is a big issue in Magento because there is no way to get back to the admin to switch it back off.

If this ever happens do the following to switch back:
1. Open up your hosting control panel (cPanel or other)
2. Go to phpMyAdmin (if MySQL)
3. Find your Magento database
4. Open the table core_config_data
5. Look for the rows whose path column is web/secure/use_in_frontend and web/secure/use_in_adminhtml (there may be one per scope: default, websites, stores)
6. Edit the value of each of them to 0


After this is done you will be back in action. Magento caches the configuration it reads from core_config_data, so if the admin still redirects to https afterwards, flush the cache (empty var/cache) and try again.


found at http://www.njcmedia.com/2011/10/reset-use-secure-in-front-end-in-database-magento/
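The phpMyAdmin clicks above amount to a single UPDATE on core_config_data. The following is an added example, not Nick Cron's code: it runs that UPDATE over a DB-API connection and reports how many rows it touched, and it reads the flags back so you can confirm the change at every scope. To keep it runnable without a Magento install, the rows are created in an in-memory sqlite3 table that mimics only the columns the query uses (constructed data); against the real MySQL table you would pass a MySQLdb or mysql.connector connection instead, whose placeholder is %s rather than ?.

```python
#!/usr/bin/env python3
"""Reset Magento's "Use Secure URLs" flags directly in core_config_data.

Added example for this post (not the original author's code). The two settings
are rows whose `path` column is web/secure/use_in_frontend and
web/secure/use_in_adminhtml; the sqlite3 table below is a constructed stand-in
for the real MySQL table with only the columns the queries need.
"""
import sqlite3

SECURE_PATHS = ("web/secure/use_in_frontend", "web/secure/use_in_adminhtml")


def disable_secure_urls(conn, placeholder="?"):
    """Set both flags to '0' at every scope (default, websites, stores).

    Returns the number of rows updated; 0 means no such rows were stored, so
    nothing was ever switched on through the admin. `placeholder` is "?" for
    sqlite3 and "%s" for the MySQL drivers.
    """
    cur = conn.cursor()
    cur.execute(
        "UPDATE core_config_data SET value = '0' WHERE path IN ({0}, {0})".format(placeholder),
        SECURE_PATHS,
    )
    conn.commit()
    return cur.rowcount


def secure_flags(conn, placeholder="?"):
    """Current (scope, scope_id, path, value) rows for the two flags."""
    cur = conn.cursor()
    cur.execute(
        "SELECT scope, scope_id, path, value FROM core_config_data "
        "WHERE path IN ({0}, {0}) ORDER BY path, scope, scope_id".format(placeholder),
        SECURE_PATHS,
    )
    return cur.fetchall()


def sample_db():
    """Constructed in-memory copy of the table with SSL switched on at two scopes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE core_config_data ("
        " config_id INTEGER PRIMARY KEY, scope TEXT, scope_id INTEGER,"
        " path TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO core_config_data (scope, scope_id, path, value) VALUES (?, ?, ?, ?)",
        [
            ("default", 0, "web/secure/use_in_frontend", "1"),
            ("default", 0, "web/secure/use_in_adminhtml", "1"),
            ("websites", 1, "web/secure/use_in_frontend", "1"),
            # unrelated row: must not be touched by the reset
            ("default", 0, "web/secure/base_url", "https://dev.example.test/"),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = sample_db()
    print("before:", secure_flags(conn))
    print("rows updated:", disable_secure_urls(conn))
    print("after: ", secure_flags(conn))
```

Note that the website-scoped row is reset as well; editing only the default-scope row in phpMyAdmin leaves a website-level override in place, which is the usual reason the redirect loop survives the first attempt.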
