Tag Archives: ubuntu

Installing Conpot on Ubuntu 12.04

Conpot is a low interactive server side Industrial Control Systems (ICS) honeypot with the goal to collect intelligence about the motives and methods of adversaries targeting industrial control systems.

For more info, you can refer at here

First, edit your apt list file and insert this line below:

nano /etc/apt/sources.list
deb http://us.archive.ubuntu.com/ubuntu precise main multiverse

After that, update your OS:

sudo apt-get update

Then, install required dependencies:

sudo apt-get install libsmi2ldbl snmp-mibs-downloader python-dev libevent-dev libxslt1-dev libxml2-dev sqlite sqlite3 git

Some of dependencies need to be install via pip:

pip install --upgrade gevent pysnmp lxml bottle jinja2 beautifulsoup4 requests sphinx libtaxii xlrd crc16
  • Ensure that you have installed python-pip before you run this command.

Install Modbus-tk (to create modbus app easily with Python):

cd /opt
git clone https://github.com/glastopf/modbus-tk.git
cd modbus-tk
python setup.py build
python setup.py install

Install Conpot:

cd /opt
git clone https://github.com/glastopf/conpot.git
cd conpot
python setup.py build
python setup.py install

Finish! Next step is to run the conpot:

$ conpot

Conpot is running on these port:

$ netstat -lnput | grep python
tcp 0 0 0.0.0.0:102 0.0.0.0:* LISTEN 62822/python
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 62822/python
tcp 0 0 0.0.0.0:502 0.0.0.0:* LISTEN 62822/python
udp 0 0 0.0.0.0:161 0.0.0.0:* 62822/python

Do ensure that those port is not occupied or used yet.

Installing Comodo Positive SSL Certs on Apache

Recently, I purchased Comodo Positive SSL for one of my web. Since this is my new experience on installing SSL onto Apache, I write this article so that anyone can refer to this step and also as my personal note.

  1. Before you install the certificates, you need to set up your virtual hosts and Apache configuration.
    In /etc/apache2/ports.conf add this line:
NameVirtualHost *:443

So the ports.conf will be something like this:

NameVirtualHost *:80
Listen 80

NameVirtualHost *:443
  1. Then in your vhost file which is usually located at /etc/apache2/sites-enabled/default-ssl, edit or make sure this line is there:
<VirtualHost _default_:443>

SSLEngine on
SSLCertificateFile    /etc/ssl/crt/www_your_domainname_org.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCACertificatePath /etc/ssl/crt/
SSLCACertificateFile /etc/ssl/crt/www_your_domainname_org.cer

SSLCertificateFile
This is the actual SSL certificate. Comodo will name it after your domain e.g. www_your_domainname_org.crt. So just copy the file into the correct directory /etc/ssl/crt/ and make sure your vhost file points to it.

SSLCertificateKeyFile
When you first generated your CSR to send to the commercial SSL issuer you should have gotten a key file. You just need to move it into the same folder as your SSL cert if it’s not there already and point the line to your vhost config.

SSLCACertificateFile
Comodo sends you that zip file with 3 individual CRT files in it you need to combine a couple of them into one file. You can ignore the file named after your domain and just focus on the other two. You need to combine them into one file in a very specific order.

Run this command to generate a file that matches your vhost config, remembering to change the file names to whatever the SSL issuer has given you:

cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > www_your_domainname_org.cer

Then, restart your server:

sudo a2enmod ssl
sudo service apache2 restart

Update MySQL root password

To change your MySQL root password, first you need to connect to the sql server via terminal
mysql -u root -p

In my case, my root password is null/empty. So I need to create new mysql root password.
So, after you login to the mysql, enter this command:

use mysql;
update user set password=PASSWORD("") where User='root';
flush privileges;

Install/Upgrade to MySQL 5.6 on Ubuntu 12.04 LTS

First, you need to get MySQL installers from https://dev.mysql.com/downloads/mysql/#downloads

I ran following command to get MySQL 5.6.14(32bit):
wget -O mysql-5.6.14.deb https://dev.mysql.com/get/Downloads/MySQL-5.6/mysql-5.6.14-debian6.0-i686.deb/from/http://cdn.mysql.com/

Install dependency
sudo apt-get install libaio1

Then install Mysql 5.6.14
sudo dpkg -i mysql-5.6.14.deb

Backup your MySQL 5.5 data
You will need this only if you are upgrading…

cd ~
mkdir backup && cd backup
mysqldump -A –events > dump/alldb.sql

cp -pr /etc/mysql config

service mysql stop
cp -pr /var/lib/mysql/ data

This is your backup folder & data in case if of anything. But if everything when well, you will not need the backups.

Remove MySQL 5.5 Packages
sudo apt-get remove mysql-common mysql-server-5.5 mysql-server-core-5.5 mysql-client-5.5 mysql-client-core-5.5
sudo apt-get autoremove

Setup MySQL 5.6 Startup Script
cp /opt/mysql/server-5.6/support-files/mysql.server /etc/init.d/mysql.server
update-rc.d -f mysql remove
update-rc.d mysql.server defaults

Update environment
sudo nano /etc/environment
PATH=”/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/opt/mysql/server-5.6/bin”
source /etc/environment

Confirm changes
Run this command:
which mysql

Should show:
/opt/mysql/server-5.6/bin/mysql

Update mysql config file
sudo nano /etc/mysql/my.cnf
basedir = /opt/mysql/server-5.6
lc-messages-dir = /opt/mysql/server-5.6/share

Start MySQL 5.6
Its time to start new mysql…
service mysql.server start

If you cannot start mysql server, then install this package:
sudo apt-get install ia32-libs php5-mysql

Then try to start it again.

Final Step
If you are upgrading from mysql, run this command:
mysql_upgrade -u root -p

Otherwise if its a fresh install, run following:
/opt/mysql/server-5.6/scripts/mysql_install_db –user=mysql –datadir=/var/lib/mysql

Enjoy. 🙂

SSH warning: unprotected private key file!

Recently I tried to playing around with Amazon EC2 server. After subscribing & setup my server, it will give you cert pem key to access the server instead of entering the key manually.

When I try to login, I got this error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0440 for ‘xxx.pem’ are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: xxx.pem
Password:

To fix this problem, just run this command:
chmod 0400 xxx.pem

The xxx.pem is your cert key file. After that try to login again. Should be fine. 🙂

Check MySQL db size

If you want to find how much your database size in MySQL, you can run this command in mysql console:

If you want the output in MB’s:
mysql> SELECT table_schema “database”, sum(data_length + index_length)/1024/1024 “size in MB” FROM information_schema.TABLES GROUP BY table_schema;

If you want the output in GB’s:
mysql> SELECT table_schema “database”, sum(data_length + index_length)/1024/1024/1024 “size in GB” FROM information_schema.TABLES GROUP BY table_schema;

If you want to view specific database size in GB’s:
mysql> SELECT table_schema “database”, sum(data_length + index_length)/1024/1024/1024 “size in GB” FROM information_schema.TABLES WHERE table_schema=’test3′ GROUP BY table_schema;

How to install ClamAV on Ubuntu Server 12.04

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library.

ClamAV also can be use to look if there any malicious code e.g. web shell that has been uploaded into your server. So here I show you on how to install ClamAV on Ubuntu Server 12.04

Step 1. Install ClamAV on Ubuntu Server
root@gh0st:~# apt-get install clamav

Step 2: Update antivirus database
root@gh0st:~# freshclam

Step 3: Scan virus on your Ubuntu Server
root@gh0st:~# clamscan –recursive=yes –cross-fs=yes
/root/vpstest.sh: OK
/root/.php_history: OK
/root/.nano_history: OK
/root/.goaccessrc: OK
/root/.rnd: OK
/root/.bashrc: OK
/root/.viminfo: OK
/root/.ircmotd: Empty file
/root/.mysql_history: OK
/root/test.sh: OK
/root/.profile: OK
/root/.bash_history: OK
/root/bench.sh: OK

———– SCAN SUMMARY ———–
Known viruses: 2533901
Engine version: 0.97.8
Scanned directories: 1
Scanned files: 12
Infected files: 0
Data scanned: 0.11 MB
Data read: 0.05 MB (ratio 1.93:1)
Time: 4.765 sec (0 m 4 s)

w00tw00t.at.blackhats.romanian.anti-sec – WTF!?

One day you may find a bunch of requests in a short period of time with unusual and suspicious user agent in your Apache web server’s logs. Something like Made by ZmEu @ WhiteHat Team – http://www.whitehat.ro or ZmEu and the requests may be made from Russia or China. Search and you’ll find that ZmEu is a bot that tries to find vulnerabilities in phpMyAdmin (usually looks for phpmyadmin/scripts/setup.php file) and other web applications.

It is kind of script attack in which attacker try to find the loopholes in phpmyadmin and php with Apache and try to manipulate through URL. This is how logs looked like:

Log from nginx access.log
root@gh0st:~# grep -r w00t /var/log/nginx/*
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”

Another log from nginx access.log
root@gh0st:~# grep -r ZmEu /var/log/nginx/*
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /phpMyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /pma/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /myadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /MyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /admin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /admin/pma/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:31 +0800] “GET /db/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:31 +0800] “GET /dbadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:31 +0800] “GET /myadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:31 +0800] “GET /mysql/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:32 +0800] “GET /mysqladmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:32 +0800] “GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:32 +0800] “GET /phpadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:32 +0800] “GET /phpMyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:33 +0800] “GET /phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:33 +0800] “GET /phpmyadmin1/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:33 +0800] “GET /phpmyadmin2/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:33 +0800] “GET /pma/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:34 +0800] “GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:34 +0800] “GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:34 +0800] “GET /web/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:34 +0800] “GET /php-my-admin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:35 +0800] “GET /websql/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”

Dayuumm. You as*h**e run into my server with this so-called script.
You scan me server. Me block you long time. Come. Here I share with you how to mitigate this attack.

First, we install fail2ban on our server. For those who don’t know what is fail2ban, fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.

Fail2ban scans log files and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.

Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.

So, to install it, open up your terminal and type:
sudo apt-get install fail2ban

After that, create new file called w00tw00t.conf in /etc/fail2ban/filter.d/
nano /etc/fail2ban/filter.d/w00tw00t.conf

Put this code inside that file:
[Definition]
failregex = ^ .*”GET \/w00tw00t*

ignoreregex =

Edit /etc/fail2ban/jail.conf file:
nano /etc/fail2ban/jail.conf

At the last line of the file, put this code:
[w00tw00t-scans]

enabled = true
action = iptables-allports
sendmail-whois[name=SSH, dest=root, sender=fail2ban@localhost]
filter = w00tw00t

##### set the log path ######
logpath = /var/log/nginx/access.log
maxretry = 1

###### ban for 24 hour ######
bantime = 86400

Restart fail2ban service:
/etc/init.d/fail2ban restart

Check fail2ban client status:

root@gh0st:~# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: w00tw00t-scans, ssh

credit to:
http://sharadchhetri.com/2013/06/27/protect-from-w00tw00t-at-blackhats-romanian-anti-sec/
http://myatus.com/p/blocking-w00tw00t-scans/