tikusrumput-blog
tikusrumput-blog · 10 years ago
Linux/XOR.DDoS
Have you ever wondered why your box(es) are using so much bandwidth? Check this out.
Some malware has been spreading; because of its origin, some of us call it China ELF. I've found this on about three or four boxes. Some of them, mostly on Digital Ocean, have been suspended or had networking disabled for their own good. But some providers don't do that. You're on your own. One of my friends was even charged about 50 dollars for exceeding bandwidth usage. In only two days! :))
Check this superuser thread for how to clean it. Anyone interested in how it gets in and what its characteristics are can read the in-depth analyses on Malware Must Die! and the Avast! blog.
P.S.: Don't forget, some time ago we had the Bill Gates trojan too.
How do they get into your box(es)? Most of the time, it's caused by a weak root password. Don't use dictionary passwords like secret (and its variants in other languages), localhost, opensesame, vendetta and so on.
Better yet, disable the password authentication method, use public keys, and even disable root login if necessary.
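The SSH advice above can be checked mechanically. This is an added example, not part of the original post: it audits an sshd_config file and handles the cases that make a quick grep misleading (first occurrence wins, case-insensitive keywords, Match blocks). The function name, the sample file and the assumed defaults (those of current OpenSSH) are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not from the post): audit an sshd_config for the settings
# recommended above. sshd uses the FIRST value it reads for a keyword,
# keywords are case-insensitive, and lines after "Match" are conditional,
# so only the global section is evaluated.

audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            sub(/[ \t]*=[ \t]*/, " ")            # "Key=value" is also accepted by sshd
            key = tolower($1); val = tolower($2)
        }
        key == "match" { exit }                  # stop at the first Match block
        !(key in seen) { seen[key] = val }       # first occurrence wins
        END {
            # Assumed defaults for absent keywords (current OpenSSH defaults).
            pa = ("passwordauthentication" in seen) ? seen["passwordauthentication"] : "yes"
            rl = ("permitrootlogin" in seen) ? seen["permitrootlogin"] : "prohibit-password"
            pk = ("pubkeyauthentication" in seen) ? seen["pubkeyauthentication"] : "yes"
            if (pa != "no")  print "WEAK passwordauthentication=" pa
            if (rl == "yes") print "WEAK permitrootlogin=" rl
            if (pk != "yes") print "WEAK pubkeyauthentication=" pk
        }
    ' "$1"
}

# Constructed sample config: the later "PasswordAuthentication no" has no effect
# because an earlier line already set the keyword to yes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real host
Port 22
PermitRootLogin yes
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On a real host, `sshd -T` prints the effective configuration and is the authoritative check; the script is for reviewing a file offline.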
If you've made sure that your password is good, check your installed apps and do some Googling or code checking. They may have vulnerabilities.
Quoted from Malware Must Die!:
Semper legerent "Salve Regina" ante venatione malware
tikusrumput-blog · 10 years ago
Change Your Usual Shell
Bored with your usual shell? Try an alternative like zsh. Myself, I prefer fish over tcsh or zsh. And what is fish?
Quoted from their website fishshell.com:
> fish is a smart and user-friendly command line shell for OS X, Linux, and the rest of the family.
Quite interesting eh?
One thing I hate about changing shells is the environment: setting up this and that. Not such interesting "jobs", lol. So I use oh-my-fish to take care of this.
So, let's start. Since I'm on an Ubuntu machine, the installation steps are for Ubuntu 14.04. For other distros/OSes, kindly check their website.
Install fish from the PPA:
sudo apt-add-repository ppa:fish-shell/release-2
sudo apt-get update
sudo apt-get install fish
Install oh-my-fish
Clone the repo:
git clone https://github.com/bpinto/oh-my-fish.git ~/.oh-my-fish
Create a new fish config. The easiest way is to copy the fish template they've provided:
cp ~/.oh-my-fish/templates/config.fish ~/.config/fish/config.fish
Change your default shell to fish:
chsh -s /usr/bin/fish
Log out and log in :D
Bonus:
function and funcsave are fun to play with. For example, I use fortune and cowsay to set my greeting:
function fish_greeting
    fortune | cowsay
end
and save it with
funcsave fish_greeting
So I'll see a stupid cow saying a random fortune every time I log in to my box :))
tikusrumput-blog · 10 years ago
How Big Are Your MySQL Databases?
Ever wonder which databases are actually taking up the most space when all you have is one huge ibdata1 in your /var/lib/mysql?
Run this from a mysql root console:
SELECT table_schema AS "Database name",
       SUM(data_length + index_length) / 1024 / 1024 AS "Size (MB)"
FROM information_schema.TABLES
GROUP BY table_schema;
It will show (my db, for example):
+--------------------+----------------+
| Database name      | Size (MB)      |
+--------------------+----------------+
| eanextras          |  2983.84570313 |
| eanprod            | 11404.06250000 |
| information_schema |     0.00976563 |
| mysql              |     0.93723297 |
| performance_schema |     0.00000000 |
+--------------------+----------------+
Pardon my bad markdown formatting xD
tikusrumput-blog · 11 years ago
Installing Nginx With Pagespeed Support
Pagespeed is a nice tool designed to help you optimize the performance of your website, released by Google with what's best for them in mind. Pagespeed is available for Apache and Nginx. It's easy to install on Apache but not so trivial on Nginx: we must compile our own Nginx with the pagespeed module. Here's a quick howto:
1. Prepare to compile nginx by installing the compiler and its common dependencies
apt-get install build-essential libpcre3 libpcre3-dev openssl libssl-dev libperl-dev libxslt-dev libgd2-xpm-dev libgeoip-dev libpam-dev
2. Check the latest versions of nginx and ngx_pagespeed. Here I'm using Nginx 1.6.1 from the stable branch and ngx_pagespeed v1.8.31.4-beta. Download and extract them:
mkdir nginx
cd nginx
NPS_VERSION=1.8.31.4
wget https://github.com/pagespeed/ngx_pagespeed/archive/release-${NPS_VERSION}-beta.zip
unzip release-${NPS_VERSION}-beta.zip
cd ngx_pagespeed-release-${NPS_VERSION}-beta/
wget https://dl.google.com/dl/page-speed/psol/${NPS_VERSION}.tar.gz
tar -xzvf ${NPS_VERSION}.tar.gz # extracts to psol/
cd ..
NGINX_VERSION=1.6.1
wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
tar -xvzf nginx-${NGINX_VERSION}.tar.gz
3. Configure it: environment parameters, what to disable and what to enable. You can see the install options and the full list of modules on the nginx website. Configure it on one line or, if you prefer multiple lines for readability's sake, end each line with a backslash. Here's mine:
cd nginx-${NGINX_VERSION}/
./configure \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--user=www-data \
--group=www-data \
--without-http_ssi_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--with-http_ssl_module \
--with-http_gzip_static_module \
--with-http_spdy_module \
--with-http_realip_module \
--with-http_geoip_module \
--with-http_image_filter_module \
--with-http_sub_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_stub_status_module \
--with-debug \
--add-module=../ngx_pagespeed-release-${NPS_VERSION}-beta
4. Compile it!
make && sudo make install
5. Start nginx, or restart it if you had installed it before. On some machines it will cause an error like this:
[emerg]: bind() to 0.0.0.0:80 failed (98: Address already in use)
Just kill the process using:
sudo fuser -k 80/tcp
and restart nginx
service nginx start
6. All Done :D
tikusrumput-blog · 11 years ago
Funny MySQL 5.6
So I decided to upgrade MySQL 5.5 to 5.6 on one of my servers today and found that it uses more memory than I think it should. I expected no more than 200 MB, but it eats almost 700 MB. After some visits to Google search results, I found that performance_schema is the problem. On MySQL 5.6 Oracle decided to turn it on by default. I don't know yet what the benefits of it are. But since my memory is sort of limited, I think it's a good idea to turn it off for now.
Turning performance_schema off is simple: open your my.cnf and add this line under [mysqld]:
performance_schema = off
P.S.: once again, I don't know what the benefits of turning it on are; I will do some searching again when I have some spare time.
tikusrumput-blog · 11 years ago
Anyone who moves from the RHEL family to the Debian family should add this to their .bashrc
alias fuck='sudo $(history -p \!\!)'
credit: https://twitter.com/liamosaur/status/506975850596536320
tikusrumput-blog · 11 years ago
Silly rsyslogd
Today I found that after upgrading my Ubuntu VPS from 12.04 to 14.04, one of my CPU cores was stuck at 100%. I checked it with htop and found rsyslogd consuming 100% CPU.
My VPS is OpenVZ, and long story short, I found how to fix it. Just run these commands on your OpenVZ VPS:
service rsyslog stop
sed -i -e 's/^\$ModLoad imklog/#\$ModLoad imklog/g' /etc/rsyslog.conf
service rsyslog start
Quite easy, but don't ask me what the second line means, I'm bad at explaining, lol
tikusrumput-blog · 11 years ago
Debugging Sendmail
Debugging sendmail is quite easy using the command sendmail -vt. I did my test with these two simple steps.
Create text file
Create a text file containing To, Subject and From. For example:
To: [email protected]
Subject: Subject Goes Here
From: [email protected]

And here's the place to put the body
Save it, name it something like ehlo.txt, and send it with sendmail:
$ sendmail -vt < ./ehlo.txt
And then you'll get output like this, for example:
[root@mymachine ~]# sendmail -vt < ./testmail.txt
[email protected]... Connecting to [127.0.0.1] via relay...
220 ds01.buy8wood.com ESMTP Postfix
>>> EHLO mymachine.yourserver.org
250-mymachine.yourserver.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>> MAIL From:<[email protected]> SIZE=108
250 2.1.0 Ok
>>> RCPT To:<[email protected]>
>>> DATA
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
>>> .
250 2.0.0 Ok: queued as AF67328057E
[email protected]... Sent (Ok: queued as AF67328057E)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 Bye
Quite easy eh?
tikusrumput-blog · 11 years ago
Link
Today I found the solution to something that gave me a headache when inserting an RSA public key on CentOS 6. Apparently it's a bug, and here's how to fix it:
[root@node01 ~]# restorecon -R -v /root/.ssh
tikusrumput-blog · 12 years ago
Link
WordPress websites are typically slow. Here's how to speed them up and make them more resource-wise.
tikusrumput-blog · 12 years ago
Link
If you're an nginx user, utilising redis as an object cache is dead simple. Just use that script, and see your new blazing-fast WordPress site.
Warning: this script uses the object cache method. Most of the time it will mess up your cron (scheduled posts, backups, etc.). I don't recommend it if you have anything scheduled on your WordPress site.
tikusrumput-blog · 12 years ago
outlook.com Free EAS
Did you know that outlook.com gives us Exchange ActiveSync for free? With EAS, we can have our mail pushed in real time to our mail client. Most of today's mail clients support EAS. Here are the details:
domain: (leave it blank)
user: [email protected]
password: (obviously, your password)
server: m.hotmail.com
port: 443
in domain\user format it will be like this:
And it works for Windows Live Domain users too! Kind of a relief, since Google charges for Google Apps now. 5 bucks a month ain't expensive. But still, at some point we can't afford it yet.
tikusrumput-blog · 12 years ago
Link
What we can learn from reddit and its scaling. 1 Billion Pageviews ftw!
tikusrumput-blog · 12 years ago
Check Your Mailserver Auth
It's quite easy to check your mail server's auth, like DKIM, SPF and so on. One of the simplest ways is using Port 25's service. Send an email to:
They'll reply to your email with an automated message containing your email auth verification.
Easy eh?
tikusrumput-blog · 12 years ago
Link
Nah, it's not. It's just a script that'll make your job easier. It will install LAMP / LNMP with dbgui and Varnish cache (optional).
I don't know about yours, but I've never succeeded in installing it on several hosting (especially cloud) providers without pain in the ass. Including the highly popular Digital Ocean.
tikusrumput-blog · 12 years ago
Link
Webmin Virtual Host Not Working? Here's How To Fix It. A guide with code examples on how to fix Webmin's Virtual Hosts.
tikusrumput-blog · 13 years ago
Some Useful Netstat Commands
netstat -na
Display all active Internet connections to the server; only established connections are included.
netstat -an | grep :80 | sort
Show only active Internet connections to the server on port 80 and sort the results. Useful for detecting a flood from a single source, since it lets you spot many connections coming from one IP.
netstat -n -p | grep SYN_REC | wc -l
Show how many active SYN_REC connections are occurring on the server. The number should be pretty low, preferably less than 5. During a DoS attack or a mail bombing, the number can jump much higher. However, the value always depends on the system, so a value that is high here may be average on another server.
netstat -n -p | grep SYN_REC | sort -u
List all the IP addresses involved instead of just a count.
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort -u
List all the unique IP addresses of the nodes that are sending SYN_REC connection status.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Count the number of connections each IP address makes to the server.
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
List the number of connections each IP has to the server using the TCP or UDP protocol.
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Check ESTABLISHED connections instead of all connections, and display the connection count for each IP.
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
List each IP address that connects to port 80 on the server together with its connection count. Port 80 is used mainly for HTTP web page requests.
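The per-IP counting pipelines above split the peer address with `cut -d: -f1`, which returns an empty string for IPv6 and IPv4-mapped (`::ffff:a.b.c.d`) peers. This added example, not part of the original post, counts connections per source while stripping only the trailing port and filtering on the exact state column (Linux prints the state as SYN_RECV, which `grep SYN_REC` matches as a substring); the function names and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the post): per-source connection counts from
# `netstat -ntu` output, optionally limited to one TCP state and a minimum
# count, with IPv6 and IPv4-mapped peers kept intact.

# usage: netstat -ntu | conn_counts [STATE] [MIN]
conn_counts() {
    awk -v state="${1:-}" -v min="${2:-1}" '
        $1 !~ /^(tcp|udp)/ { next }              # skip the two header lines
        state != "" && $6 != state { next }      # e.g. SYN_RECV or ESTABLISHED
        {
            peer = $5
            sub(/:[^:]*$/, "", peer)             # drop only the trailing :port
            sub(/^::ffff:/, "", peer)            # fold IPv4-mapped IPv6 into IPv4
            n[peer]++
        }
        END { for (p in n) if (n[p] >= min) print n[p], p }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed netstat output using documentation address ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp6       0      0 203.0.113.10:80         ::ffff:198.51.100.7:40110 SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8::beef:40022    SYN_RECV
udp        0      0 203.0.113.10:53         192.0.2.44:5353
EOF
}

# Sources holding at least 2 half-open connections in the sample.
sample_netstat | conn_counts SYN_RECV 2
```

On a live server the input is `netstat -ntu | conn_counts SYN_RECV 5`, with the threshold chosen from that server's normal baseline.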