
Thursday, 29 April 2010

Linux detective work

When looking at logs, if an attack has taken place and the IP address of the attacking machine can be found, it is possible to trace that address back and potentially discover the attacker's PC details, open ports, ISP etc.

From Linux, open a bash terminal:

dig -x 1.2.3.4

Where 1.2.3.4 is the IP address. This command may return a pointer (PTR) record. Next, try a whois lookup:

whois 1.2.3.4

This command should give the netblock owner, ISP etc. You can also try the lookup tools available at www.robtex.com

Finally, try an nmap command:

nmap -O 1.2.3.4
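The first step of the above is finding the attacking IP in the logs. As an added example (not from the original post), this script pulls the source IPs out of a chunk of sshd auth.log output, ranks them by failed-login count, and can then run the post's passive lookups (dig -x and whois) against the busiest one. The log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_LOG is constructed
# sshd output of the kind found in /var/log/auth.log on Ubuntu.
SAMPLE_LOG='Apr 29 10:01:12 host sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Apr 29 10:01:15 host sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Apr 29 10:02:40 host sshd[2210]: Accepted publickey for alice from 192.0.2.44 port 60110 ssh2
Apr 29 10:03:01 host sshd[2215]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 29 10:03:05 host sshd[2219]: Failed password for root from 203.0.113.9 port 51044 ssh2'

# failed_sources < log : print "count ip" for every source of a failed
# password, most frequent first. The LAST "from" on the line is used, since
# sshd logs invalid usernames verbatim and a username could itself contain
# the word "from" followed by a bogus address.
failed_sources() {
    awk '/Failed password/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") print ip
        }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_offender < log : just the busiest source IP.
top_offender() {
    failed_sources | head -n 1 | awk '{ print $2 }'
}

# trace_ip IP : the passive lookups from the post (needs network access,
# so it is only run when TRACE=1 is set in the environment).
trace_ip() {
    echo "== reverse DNS for $1 =="
    dig -x "$1" +short
    echo "== whois for $1 =="
    whois "$1"
}

# Stand-alone run: rank the sources in the sample, optionally trace the top one.
printf '%s\n' "$SAMPLE_LOG" | failed_sources
if [ "${TRACE:-0}" = 1 ]; then
    trace_ip "$(printf '%s\n' "$SAMPLE_LOG" | top_offender)"
fi
```

Run with TRACE=1 against a real log (`TRACE=1 sh script.sh`, after replacing SAMPLE_LOG with `cat /var/log/auth.log`) to do the lookups for real.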

Tuesday, 20 April 2010

Determining free disk space in Linux

Just use the df command:

df /

or

df -P

will generate a usage table.

To extract just the percentage used (the Capacity column of the df -P output):

df=($(LC_ALL=C df -P /)); echo "${df[11]}"

Email the report from a shell script:

df -h | mail -s "disk space report" fromage@cheese.com

If you don't have mail installed, you can use sendmail instead (no subject line is added in this case):

df -h | sendmail fromage@cheese.com

Or, if you want the results of this (or any other Linux command) in a pop-up X window, first redirect the output of the command to a file:

df -h > otterlog.txt

Then open this file in a pop up:

xmessage -file otterlog.txt
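Picking the 'used' figure out of df by array index breaks as soon as a second mount point is listed. As an added example (not from the original post), this script parses "df -P" output by column instead and only sends the mail when a mount point is over a threshold. DF_SAMPLE is constructed df output used to exercise it; the mail address is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. DF_SAMPLE is constructed
# "df -P" output (POSIX format: 6 columns per data row).
DF_SAMPLE='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         41152812 37019000   2033000      95% /
/dev/sdb1        103080888 10308000  87530000      11% /srv
tmpfs              4096000        0   4096000       0% /dev/shm'

# used_pct MOUNT < df-output : print the Capacity column (without %) for MOUNT.
# NR > 1 skips the header, whose "Mounted on" would otherwise confuse the match.
used_pct() {
    awk -v mnt="$1" 'NR > 1 && $6 == mnt { sub(/%/, "", $5); print $5; exit }'
}

# over_threshold LIMIT < df-output : print every mount point at or above LIMIT%.
over_threshold() {
    awk -v lim="$1" 'NR > 1 { p = $5; sub(/%/, "", p); if (p + 0 >= lim + 0) print $6 }'
}

# report_if_full LIMIT ADDRESS : mail the whole table, but only when something
# is over LIMIT, so the mailbox is not filled with "all fine" reports.
report_if_full() {
    table=$(LC_ALL=C df -P)
    full=$(printf '%s\n' "$table" | over_threshold "$1")
    if [ -n "$full" ]; then
        printf '%s\n' "$table" | mail -s "disk space warning: $full" "$2"
    fi
}

# Stand-alone demo on the constructed table: prints "/" (95% >= 90%).
printf '%s\n' "$DF_SAMPLE" | over_threshold 90
# For real use, e.g. from cron:  report_if_full 90 fromage@cheese.com
```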

Useful Bash script stuff

When writing shell scripts it is sometimes useful to pop up a message in X or display a file. Use the following to do so:

xmessage "this is my message"

xmessage -center "Hello World"

xmessage -center -file "opensomefile.txt"

Thursday, 18 March 2010

Linux command lines I always forget!

Various list commands:
Normal - ls
Display dir contents (long format) - ls -l
Display dir contents (reverse) - ls -r
Display dir contents (hidden files) - ls -a

Directory creation:
mkdir folder1

Delete directory:
rmdir folder1

Delete directory and its contents (rmdir only removes empty directories, so use rm -r):
rm -r folder1

Copy directories:
cp -r folder1 folder2

Move directory:
mv folder1 folder2

Delete file or directory:
rm /home/cheese.doc

View a file:
view xx   (view is vim in read-only mode; type :q to quit)

Show disk space:
df (see other posts on df)

Show all running processes:
ps aux

Copy a file to make a backup:
cp /etc/X11/xorg.conf /etc/X11/xorgbak.conf

Restore the backup:
cp /etc/X11/xorgbak.conf /etc/X11/xorg.conf

Keep an eye on any hardware you plug into your Linux box (dmesg prints the kernel log and exits, so tail -f on its output never follows anything; use watch to re-run it):
watch 'dmesg | tail'

Modify the EXIM4 MTA on Ubuntu to mail to the outside world:
dpkg-reconfigure exim4-config

Linux APT commands

After initial install run:
sudo apt-get update

To update installed applications:
sudo apt-get upgrade

To install the 'cheese' package:
sudo apt-get install cheese

To remove the 'cheese' package:
sudo apt-get remove cheese

To clean the APT database:
sudo apt-get clean
or
sudo apt-get autoclean

To have a good clear up:
sudo apt-get autoremove

Monday, 1 March 2010

Copy Windows desktop shortcuts from one profile to another - script


@echo off
REM Script to copy desktop icons from an existing profile to the current user
COLOR 0a
CLS
ECHO Hello %username%
ECHO This script will set up your desktop icons
SET /p name=Please enter the username for the profile you want to copy icons from:
REM Vista and 7 keep profiles under C:\Users, XP under Documents and Settings
if "%allusersprofile%"=="C:\ProgramData" goto WinVista7
if "%os%"=="Windows_NT" goto WinXP
:WinVista7
CLS
ECHO Windows 7 or Vista operating system detected
REM Paths are quoted in case the username contains spaces
copy "C:\Users\%name%\Desktop" "C:\Users\%username%\Desktop"
ECHO I'm done!
EXIT
:WinXP
CLS
ECHO Windows XP operating system detected
REM Destination must be the Desktop folder, not the profile root
copy "C:\Documents and Settings\%name%\Desktop" "C:\Documents and Settings\%username%\Desktop"
ECHO I'm done!
EXIT

Windows DNS Server records become stale and get deleted

To prevent manually added DNS records for hosts with static IP addresses from being deleted by automatic scavenging, use the following guidelines:
Best practice is usually to leave the no-refresh and refresh intervals at 7 days each. One day results in too much scavenging activity, and records may be deleted before they are refreshed. Your servers should have static IP addresses; they should not be configured by DHCP. Servers with static IP addresses refresh their DNS records often enough (every 24 hours, I believe) to avoid being scavenged, provided the scavenging period is set appropriately, i.e. not less than the DHCP lease time. That way machines with dynamic addresses are not at risk of having their record deleted from DNS.

Postfix - prevent certain domains from sending to your server

Add the following line to /etc/postfix/main.cf:

  • smtpd_sender_restrictions = hash:/etc/postfix/access
Then edit the access text file in /etc/postfix/ so it lists the rejected senders (similar to below):
  • aol.com     REJECT
Then open a terminal window and 're-hash' the access file with the following command:
  • postmap hash:/etc/postfix/access
Now restart Postfix.
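A bare table name in smtpd_sender_restrictions is Postfix shorthand for check_sender_access, and the key being checked is the envelope sender (MAIL FROM), which a sender can set to anything, so this blocks only senders that are honest about their domain. As an added example (not from the original post, and not Postfix code), the script below reproduces the order in which Postfix tries keys from a sender access map (full address, then the domain and each parent domain, then user@) so an access file can be sanity-checked before running postmap and restarting. ACCESS is a constructed file body.

```shell
#!/bin/sh
# Added example, not from the original post: a simulation of Postfix's
# sender access lookup order, for checking an access file offline.
# ACCESS is a constructed access(5)-style table.
ACCESS='aol.com          REJECT
spammer.example  REJECT  we do not accept mail from this domain
bob@aol.com      OK      explicit exception wins over the domain entry
ceo@             REJECT  same local part at any domain'

# lookup KEY < access-table : print the action for KEY, nothing if absent.
lookup() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# sender_action ADDRESS : print the first matching action, or DUNNO when no
# entry matches (Postfix then moves on to the next restriction).
sender_action() {
    # postmap folds keys to lower case by default, so do the same here
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    user=${addr%@*}
    domain=${addr#*@}
    # 1. the complete address
    action=$(printf '%s\n' "$ACCESS" | lookup "$addr")
    # 2. the domain, then each parent domain (default setting of
    #    parent_domain_matches_subdomains includes smtpd_access_maps)
    d=$domain
    while [ -z "$action" ] && [ -n "$d" ]; do
        action=$(printf '%s\n' "$ACCESS" | lookup "$d")
        case $d in *.*) d=${d#*.} ;; *) d= ;; esac
    done
    # 3. the local part with a trailing @
    [ -n "$action" ] || action=$(printf '%s\n' "$ACCESS" | lookup "$user@")
    printf '%s\n' "${action:-DUNNO}"
}

# Stand-alone demo: a subdomain of a rejected domain is rejected too.
sender_action someone@mail.aol.com
```

To query the real compiled map instead of this simulation, use `postmap -q someone@aol.com hash:/etc/postfix/access` after running postmap.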

Thursday, 11 February 2010

Tuesday, 9 February 2010

Noatime and atime attribute on Linux

Linux records when files were created and last modified, as well as when they were last accessed. There is a cost associated with recording the last access time. The ext2 file system has an attribute that allows the super-user to mark individual files so that their last access time is not recorded. This can give significant performance improvements on frequently accessed, frequently changing files such as the contents of the /var/spool/news directory.
Linux also has a mount option for file systems called noatime, which can be added to the line for any file system in the /etc/fstab file.
If a file system has been mounted with this option, read accesses to it no longer update the atime information of the file, as explained above.
The importance of the noatime setting is that it removes the need for the system to write to the file system for files that are simply being read.
Since writes can be somewhat expensive, this can result in measurable performance gains. Note that a file's modification time is still updated whenever the file is written to.
In the example below, we set the noatime option on our /chroot file system.

Edit the fstab file (vi /etc/fstab) and, on the line that refers to the /chroot file system, add the noatime option after the defaults option as shown below:

/dev/sda7          /chroot          ext2          defaults,noatime          1  2

You need not reboot your system for the change to take effect; just make the system aware of the modification you made to /etc/fstab. This is done with the following command (as root):

mount -o remount /chroot
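Turning off access times also removes evidence: the last-access timestamp is one of the things an investigator checks after an incident, so it is worth knowing which file systems keep it. As an added example (not from the original post), this script reads the options column of fstab-style text (the same layout /proc/mounts uses) and reports how a given mount point handles access times. FSTAB is a constructed table.

```shell
#!/bin/sh
# Added example, not from the original post. FSTAB is constructed in the
# /etc/fstab layout: device, mount point, type, options, dump, pass.
FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1   /          ext4   defaults            1 1
/dev/sda7   /chroot    ext2   defaults,noatime    1 2
/dev/sdb1   /data      ext4   relatime,nodev      0 2
/dev/sdc1   /evidence  ext4   ro,strictatime      0 2'

# atime_mode MOUNT < fstab-text : print strictatime, noatime, relatime, or
# "default" when none is given (kernels since 2.6.30 treat that as relatime).
# Precedence mirrors the kernel: strictatime cancels the other two, and
# noatime beats relatime. Prints nothing if MOUNT is not listed.
atime_mode() {
    awk -v mnt="$1" '
        $1 ~ /^#/ || NF < 4 { next }          # comments and blank lines
        $2 == mnt {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] == "strictatime") strict = 1
                else if (o[i] == "noatime") noatime = 1
                else if (o[i] == "relatime") relatime = 1
            }
            mode = "default"
            if (strict) mode = "strictatime"
            else if (noatime) mode = "noatime"
            else if (relatime) mode = "relatime"
            print mode
            exit
        }'
}

# Stand-alone run: the constructed table, then the live root file system.
printf '%s\n' "$FSTAB" | atime_mode /chroot
if [ -r /proc/mounts ]; then
    printf 'live / : %s\n' "$(atime_mode / < /proc/mounts)"
fi
```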


Monday, 8 February 2010

Using Winaudit to audit PCs to a SQL database

  • Download the Winaudit application from http://www.pxserver.com/WinAudit.htm
  • Set up a SQL database for the audits
  • Create a Windows user who has 'write' rights to it
  • Copy the winaudit folder and application into the root of the C drive
  • Create an ODBC connection (on the PC to be audited) to the SQL database using the designated Windows user
  • Create the winaudit script as follows, save it to the root of the winaudit folder, then schedule it to auto-run
winaudit /r=report /o=ODBC /f=ODBC connector name /u=user /p=password
r=gsoPxuTUeERNtnzDaIbMpmidcSArCHGBLJF
Server: SQL Server name
DB: Database Name