Wednesday, 14 October 2015

Scan of the Month 15

Dilbert, Copyright Scott Adams.

See the original challenge here:


The Challenge

On 15 March. 2001, a Linux honeypot was successfully compromised, a rootkit was downloaded to the / partition and then deleted from the system. Your mission is to find and recover the deleted rootkit. If you are not sure where to begin on conducting this forensic analysis and recover the rootkit, we highly reccommend you start with the Forensic Challenge. The steps you will have to follow for the rootkit recovery are similar to the steps discussed there. We have posted only the / partion for download to keep this challenge simple. The compressed image is 13MB,(honeynet.tar.gz) MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. Once you have downloaded, untarred, and unzipped the partition image, it will be 255 MB and the checksum should be MD5=5a8ebf5725b15e563c825be85f2f852e.

Show step by step how you identify and recover the deleted rootkit from the / partition.

What files make up the deleted rootkit?"


The preparations


sudo apt-get install tree

mkdir honey

cd honey

I installed tree for getting a better visual understanding of the files and locations I was about to explore.
I created a folder for the image-file I would download from

tar xf honeynet.tar.gzhoneynet

I extracted the file by using tar and a new folder, honeynet, appeared. Inside this folder I could find the README file and also the target image honeypot.hda8.dd

xubuntu@xubuntu:~/honey/honeynet$ tree
├── honeypot.hda8.dd

Recovering the lost files

I used the instractions written by Tero Karvinen ( as a guide while recovering the lost files.

mkdir allocated deleted
tsk_recover -a honeypot.hda8.dd allocated/

When trying to ran the recovering command I got a notification that installation of sleuthkit was required. 

sudo apt-get install sleuthkit
tsk_recover -a honeypot.hda8.dd allocated/
tsk_recover -a honeypot.hda8.dd deleted/

This time the command was functional and I could see that totally  1614 allocated and 37 deleted files were recovered.

The research and discovering the rootkit

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software.
- Wikipedia: Rootkit, source:

tar xvf lk.tgz
cd last
ls -la

Inside the folder of deleted files I found a strange package which I chose to open with using tar onche again.
Wits ls -la I could find out which file was edited last (in this case the install file).

xubuntu@xubuntu:~/honey/honeynet/deleted/last$ tree
├── cleaner
├── ifconfig
├── inetd.conf
├── install
├── last.cgi
├── linsniffer
├── logclear
├── lsattr
├── mkxfs
├── netstat
├── pidfile
├── ps
├── s
├── sense
├── services
├── sl2
├── ssh
├── ssh_config
├── sshd_config
├── ssh_host_key
├── ssh_random_seed
└── top

cat install

I opened the install file with cat and was soon more than sure that this was indeed the source a rootkit.   

Lectures by Tero Karvinen Based on Linux course by Tero Karvinen (

Tuesday, 13 October 2015

WordPress installation on Linux

Before starting the installation of WordPress I make sure you have added all the elements of LAMP. It is important to check and double check that your PHP module is actually working. The best way to verify this is to create a webpage with a small example code.

You can find more information about installation of LAMP from my previous posts:
Installing LAMP:
Warming up with LAMP:

Creating a MySql Database

mysql -u root -p


CREATE USER wpcarola@localhost IDENTIFIED BY 'verydifficultpassword';

I created a new database + user and configured the password.

GRANT ALL PRIVILEGES ON wpcarola.* to wpcarola@localhost IDENTIFIED BY 'verydifficultpassword';
Gave all privileges on this user.

Reloaded the privaledges from the possible grant tables in the database.

And finally exit the database.

Downloading WordPress

Since I had already created a public_html folder for xubuntu I decided to ran the installation under it.
After navigating to I copied the URL of the download link, entered my terminal and wrote:

wget  (wget + URL of download file)

Once the download was complete I unzipped the file and wordpress folder appeared.

Configuring the settings and installation

I tried to open the configuration by writing the address based on the file's location (localhost/~xubuntu/wordpress) by using the browser and was ready to start the action!

I entered MySQL information which I had defined earlier.

I got a notification that the right configuration file would be needed. Luckily WordPress configured it for me so all I needed to do was following the instructions.

As guided I made the new wp-config file manually and pasted the text WordPress gave me there.

nano wp-config.php

I could now continue the installation and got to enter the information for my brand new WordPress.

Installing a new theme and plugin

The installation was done. After making a small "Hello World" post I took a closer look on my dashboard. I could already find some pre-installed themes but I fancied something different.

I selected theme from and copied the URL.

cd wp-content
cd themes


After unzipping I could find the theme from my own library.

The installation of a plugin was done with the same method.

From plugin directory I found Akismet that should automatically blog spam messages from the comment box of WordPress. From terminal I chose a plugin folder and installed Akismet:


Success! The plugin appeared to the library.

Lectures by Tero Karvinen
Based on Linux course by Tero Karvinen (

Thursday, 1 October 2015

Configuring settings for Apache2 virtual server

In this post I will show how to configure the basic settings for apache2 based virtual server and guide a website to appear in the desired address in local computer.

Setting up Apache

sudo apt-get update I ran the update.
sudo apt-get install apache2 Installed Apache.

sudo a2enmod userdir
Enabled userdir

sudo service apache2 restart
and restarted the module.

I tested the functionality by writing "localhost" on my address bar and got "it works!"-page.


Creating a webpage

mkdir public_html
nano index.html

I created public_html on my home directory, entered and added a new folder for my virtual server ( Finally I made my index.html page with the following code:

<!doctype html>
              <meta charset="utf-8" />
               <h1>Carola's homepage</h1>
               <p>Welcome to</p>



I needed to find out my own ip address so I could get the website to appear where I wanted to. After copying it I changed the directory to hosts and modied the file by adding the ip and my own desired address.
nano hosts


Everything good so far but this wouldn't be enough. In order to work I would have to enable it from apache's settings.

cd /etc/apache2/sites-available/
sudo cp 000-default.conf

I copied my as the default-file (000-default.conf) and replaced contents with configurin server name, alias and giving the address to the root file as shown:
<VirtualHost *:80>
     DocumentRoot /home/xubuntu/public_html/

sudo a2ensite

When trying to enable my site (actually making it appear in I faced an error that claimed my site did not even exist. a2ensite is actionally a  perl script which only work with files ending with .conf. I changed my original file name from to and tried again.

sudo mv /etc/apache2/sites-available/ /etc/apache2/sites-available/

 The Result

sudo a2ensite

The second time running a2ensite was succesful and my address appeared to both and

Lectures by Tero Karvinen
Based on Linux course by Tero Karvinen (

Wednesday, 23 September 2015


This assingment was performed following the instractions written by our teacher Tero Karvinen
( &

Creating a metapackage


My goal was to create a packge that would install my favorite softwares. As a fan of digital art I chose to go with Inkscape and digiKam.

sudo apt-get update
sudo apt-get install equivs
I ran the update and installed Equivs so I would be able to create my package
equivs-control carolas-artpack.cfg

nano carolas-artpack.cfg
I created the source file and edited it by remowing the commends (#) where they wouldnt be needed. This is the outfit of my first metapackage (version 0.1):

Building and installation

After this was done I still needed to build the packge.
equivs-build carolas-artpack.cfg
The package was created succesfully in my desktop where I would let it be temporary.

sudo apt-get install gdebi
sudo gdebi -n carolas-artpack_0.1_all.deb

I got GDebi (package installer) and tested my brand new artpack and it seemed to work fine! Inkscape and digiKam were installed on my system.

Passing Lintian

sudo apt-get install lintian
lintian -c carolas-artpack_0.1_all.deb

When trying to validate my package with Lintian I encountered with two errors which were also related to each other.

E: carolas-artpack: debian-changelog-file-contains-invalid-email-address xubuntu@xubuntu
E: carolas-artpack: maintainer-address-malformed Live session user

I opened my source file (carolas-artpack) and made the needed changes:

Version: 0.1  -> 0.2
# Maintainer: Your name <> -> Carola Wennermark <>

Lintian proofed file
I built the package just like before and installed the new 0.2-file with gdebi. This time the package passed Lintian and I did not get any errors.

Adding a package into repository

sudo apt-get install apache2
mkdir public_html
cd public_html
mkdir -p repository/conf
nano repository/conf/distributions

I created a folder html_public, made a new directory for a configuration file with the following contents:

Codename: lucid
Components: main
Suite: lucid
Architectures: i386 amd64 source

cp /home/xubuntu/Desktop/carolas-artpack_0.2_all.deb /home/xubuntu/Desktop/public_html/carolas-artpack/carolas-artpack_0.2_all.deb

My metapackage was still in desktop so I was thinking of copying it to public_html but this time I decided to write it's location path when I added it to repository. In order to do so I installed reprepro.

sudo apt-get install reprepro
reprepro -VVVV -b repository/ includedeb lucid /home/xubuntu/Desktop/carolas-artpack_0.2_all.deb

The artpack was now in it's new location but I still needed to ran a command that would add it to "repository"-list so it could be used by all the users and clients.
reprepro -VVVV -b repository/ includedeb lucid /home/xubuntu/Desktop/carolas-artpack_0.2_all.deb

Now I could use the basic installation command for calling the created metapackage.

sudo apt-get update
sudo apt-get install carolas-artpack

Since the package was already installed and updated I naturally did not receive anything new but I could be quite sure my package was working and living well.

Inserting script into a metapackage

nano lotto

echo "This week's lucky numbers are:"
echo $(expr $RANDOM % 40)-$(expr $RANDOM % 40)-$(expr $RANDOM % 40)-$(expr $RANDOM % 40)-$(expr $RANDOM % 40)-$(expr $RANDOM % 40)-$(expr $RANDOM % 40)

I started by creating my script that would show 7 lucky number's of the week. I would included it to my original package, carolas-artpack.

chmod +x lotto

I ran the script and saw it working. Next I opened carolas-artpack and modified it once again. I added the script and changed the version number to 0.3.

I linked the "Files" to my lotto file, built the package and ran it.

Lectures by Tero Karvinen

Based on Linux course by Tero Karvinen (

Wednesday, 9 September 2015

Monitoring data with Munin and stressing the system

This installation was performed following the instractions by Tero Karvinen (

Installing Munin

sudo apt-get update
First things first. By running the command I received the latest packages and ensured the correct functionality of programs.

sudo apt-get -y install munin
'sudo software-properties-gnome'
I gave the installation command for Munin and enabled universe repository so I could actually run it. At this stage Mumin should be already monitoring the system.

firefox /var/cache/munin/www/index.html
After entering Munin's location via Firefox I chose to view information of disk space usage. Naturally there was no data yet - Munin updates itself every 5-10 minutes.

Stressing the system

sudo apt-get install iotop
I installed iotop which is a program specified gathering information of the processes stressing a computer.

sudo apt-get -y install stress
After installing and running the program's (stress) name I didn't only get a small manual of the functions but also an example code I could use to stress the system.

I modified the example code and increased the values of vm-bytes and timeout. After running it my computer started humming and I could not get any response for a while because of the long timeout I generated. I opened a new Terminal window and ran iotop.

sudo iotop -oa

Here is a comparison before and after launching the stress. I was able to monitor how stress was opening and running processes by itself.

Before and after stress

Monitoring with Munin

After returning to check if Munin had gathered enough information I noticed a long spike in the diagram. I could see some unused memory and made a note that applications I had used took about half of it.

Log analysis

cd /var/log/
tail syslog

On September 8, 16:51:30 (UTC), Xubuntu gave a command which was invalid since the system did not have enough memory. The process was killed.

Sources: Lectures by Tero Karvinen
Based on Linux course by Tero Karvinen (

Wednesday, 2 September 2015

Creating a Bootable USB for Kali Linux
If you are interested to see my documentation about making a bootable USB for Xubuntu please click here!

This USB was made by using the latest version of Xubuntu (the 14.04 release).

Downloading Kali Linux 

23.13. After navigating to I chose the version that would suit me the best and started downloading the ISO image for 64-Bit system.

USB imaging

22.40. I followed the guide offered by and used the command  sudo fdisk -l without plugging the USB yet. I needed to pay attention to the path of Device Boot (/dev/sdb1). After this I inserted USB and ran the same command again. Now I could see how the name of Device Boot had changed to sdc1. This would be my USB to use.

22.50 It only took a while to format the dd code correctly as the base was already given on Kali's web page. After running the correct command for the first time I got an error message "'/dev/sdc1': Permission denied". In these kind of situations I tend to ask sudo for help and it also worked this time.

sudo dd if=kali-linux-2.0-amd64.iso of=/dev/sdc1 bs=512k

23.04 Running the command did not give any printout until the process was complete in 14 minutes. After imaging the USB the feedback was:

6333+1 records in
6333+1 records out
3320512512 bytes (3.3 GB) copied, 756.411 s, 4.4 MB/s 

Now I was ready to boot Kali.

Running Kali

I navigated to the boot menu and chose the USB but instead of the new OS I bashed straight into the Secure Boot Violation.

I followed the instructions of the message, chose the Security tab from BIOS and enabled Secure Boot state. BIOS restarted and I tried to boot my USB again. This time it happened without any error messages. After choosing Live (amd) I finally got inside successfully.


I tried many times creating the USB with unetbootin, just like with Xubuntu, but I never got it to work. I used different versions of Kali and unetbootin seemingly imaged the USB but when I tried to run it from BIOS I only got a flash of a black screen before I was guided to the BIOS view again.

I strongly recommend using Xubuntu's command line for creating a bootable Kali Linux. It is easy and in my opinion more simple than unetbootin.

Sources: Making a Kali Bootable USB Drive,

Warming up with LAMP

My studies with Linux continue and our first assignment was executing an old exam from the basic course (Työasemat ja tietoverkot, Linux).

I chose this exam from beginning of spring in 2012.
This exercise was made by using Xubuntu's 14.04 version.

Installing Apache

sudo apt-get update
First things first. I wanted to have the latest packages available.
sudo apt-get install apache2
I changed the location to user's directory and restarted Apache.

After the installation I tested if Apache is running by writing localhost to the web browser's address bar. "It works!" -page appeared.

Installing MySql

sudo apt-get install mysql-server
After a moment the console asked me to define root's new password. I did this and continued the installation.

sudo apt-get install phpmyadmin
Now when I had mySql I could connect it with phpmyadmin. In package configuration I selected Apache2. 

The installation was successful and phpMyAdmin appeared to localhost/phpmyadmin.

Installing PHP

sudo apt-get install libapache2-mod-php5
I ran the installation command for PHP module and navigated to /apache2/mods-enabled. I would need to modify a file called php5.conf in order to get the module actually working.

sudoedit php5.conf
I commented the whole Running PHP scripts in user directories is disabled by default with ### and saved the file.

php5.conf after being modified

Installation and management of SSH

sudo apt-get install openssh-server

After the installation was complete I created accounts for Einari Vähäkäähkä, Pekka Winha, Åke Andersson ja Leila Laila. 

sudo adduser einavaha
sudo adduser pekkwinh
sudo adduser akeande 
sudo adduser leillail

Each command was followed by information form where I entered the user's full name and password.

Creating a webpage and testing PHP

ssh leillail@localhost
mkdir public_html
nano index.html

I logged into Leila's profile, made a new folder for the webpage and created there index.html
I wrote a small sample code for her page and it appeared in localhost/~leillail.

I still needed to test if the PHP module was working so I signed out from Leila's profile and got in this time as Pekka Winha. Once again I made a new directory public_html but this time instead of html I created a simple php file. 

And it worked! localhost/~pekkawinh/foo.php showed up as it should. 

Creating a Shell Script

The final goal was creating a shell script that could show the free disc space and IP.

First I created the file. Notice that .sh wouldn't be required but it is just something I have used to do to clarify things. The script would work perfectly fine without it too. 

I wrote the needed commands ( df -h and /sbin/ifconfig eth0 | grep 'inet addr:' | cut -d: -f2) inside the file and saved it.

chmod +x
I gave the rights for all users being able executing this command.

sudo cp
The last step was to copy the script into this location so it would be able to run.

Sources: Lectures by Tero Karvinen,

Based on Linux course by Tero Karvinen (