Wednesday, 14 October 2015

Scan of the Month 15

Dilbert, Copyright Scott Adams.


See the original challenge here:

 

The Challenge


"On 15 March 2001, a Linux honeypot was successfully compromised, a rootkit was downloaded to the / partition and then deleted from the system. Your mission is to find and recover the deleted rootkit. If you are not sure where to begin on conducting this forensic analysis and recovering the rootkit, we highly recommend you start with the Forensic Challenge. The steps you will have to follow for the rootkit recovery are similar to the steps discussed there. We have posted only the / partition for download to keep this challenge simple. The compressed image is 13 MB (honeynet.tar.gz), MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. Once you have downloaded, untarred, and unzipped the partition image, it will be 255 MB and the checksum should be MD5=5a8ebf5725b15e563c825be85f2f852e.

Show step by step how you identify and recover the deleted rootkit from the / partition.

What files make up the deleted rootkit?"

 

The preparations

 

sudo apt-get install tree

mkdir honey

cd honey

I installed tree to get a better visual overview of the files and locations I was about to explore.
I created a folder for the image file I would download from http://old.honeynet.org/scans/scan15/




wget http://old.honeynet.org/scans/scan15/honeynet.tar.gz
tar xf honeynet.tar.gz

I extracted the archive with tar and a new folder, honeynet, appeared. Inside this folder I found the README file and the target image honeypot.hda8.dd.


xubuntu@xubuntu:~/honey/honeynet$ tree
.
├── honeypot.hda8.dd
└── README 



Recovering the lost files


I used the instructions written by Tero Karvinen (http://terokarvinen.com/2013/forensic-file-recovery-with-linux) as a guide while recovering the lost files.

mkdir allocated deleted
tsk_recover -a honeypot.hda8.dd allocated/


When I tried to run the recovery command I got a notification that sleuthkit had to be installed first.

sudo apt-get install sleuthkit
tsk_recover -a honeypot.hda8.dd allocated/
tsk_recover -a honeypot.hda8.dd deleted/

This time the command worked and I could see that in total 1614 allocated and 37 deleted files were recovered.


The research and discovering the rootkit


A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software.
- Wikipedia: Rootkit, source: https://en.wikipedia.org/wiki/Rootkit



tar xvf lk.tgz
cd last
tree
ls -la

Inside the folder of deleted files I found a strange package (lk.tgz), which I chose to open with tar once again.
With ls -la I could find out which file had been edited last (in this case the install file).

xubuntu@xubuntu:~/honey/honeynet/deleted/last$ tree
.
├── cleaner
├── ifconfig
├── inetd.conf
├── install
├── last.cgi
├── linsniffer
├── logclear
├── lsattr
├── mkxfs
├── netstat
├── pidfile
├── ps
├── s
├── sense
├── services
├── sl2
├── ssh
├── ssh_config
├── sshd_config
├── ssh_host_key
├── ssh_host_key.pub
├── ssh_random_seed
└── top


cat install

I opened the install file with cat and was soon more than sure that this was indeed the source of a rootkit: the package carries replacement copies of ps, netstat, ifconfig, top and lsattr, a sniffer (linsniffer), a log cleaner and its own ssh daemon with configuration and host keys.
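As an added example (not part of the original post), the following shell script does the triage step that follows recovery: it walks a directory of recovered files, flags names that collide with system binaries rootkits typically replace (the recovered package above contains ps, netstat, ifconfig, top and lsattr), and prints a SHA-256 hash of each file so it can be compared with the distribution's known-good packages. The directory path and the list of candidate names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): triage files recovered with
# tsk_recover. Flags names that collide with system binaries rootkits
# commonly replace and hashes every file for comparison with known-good
# packages. The candidate list and default directory are assumptions.

# Names seen in the recovered package that are classic replacement targets.
TROJAN_CANDIDATES="ps netstat ifconfig top lsattr ls ssh sshd login find"

# hash_file FILE -> SHA-256 hex digest (GNU coreutils or perl shasum)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# triage_dir DIR -> one line per regular file: "FLAG|path|sha256" when the
# basename matches a candidate, "file|path|sha256" otherwise.
triage_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        tag=file
        for c in $TROJAN_CANDIDATES; do
            if [ "$name" = "$c" ]; then
                tag=FLAG
                break
            fi
        done
        printf '%s|%s|%s\n' "$tag" "$f" "$(hash_file "$f")"
    done
}

# flagged_count DIR -> number of flagged files (0 when none)
flagged_count() {
    triage_dir "$1" | grep -c '^FLAG|' || true
}

# Usage: sh triage.sh deleted/last   (prints the report, then the count)
if [ "$#" -gt 0 ]; then
    triage_dir "$1"
    printf 'flagged: %s\n' "$(flagged_count "$1")"
fi
```

Run it against the extracted directory (deleted/last here) and compare the hashes of the flagged files with the ones shipped by the distribution; a replaced ps or netstat will not match any package hash.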



Sources
Lectures by Tero Karvinen
https://en.wikipedia.org/wiki/Rootkit
http://dilbert.com/
Based on Linux course by Tero Karvinen (http://terokarvinen.com)
 

Tuesday, 13 October 2015

WordPress installation on Linux

Before starting the installation of WordPress, make sure you have installed all the elements of LAMP. It is important to check and double check that your PHP module is actually working. The best way to verify this is to create a webpage with a small example script.

You can find more information about installation of LAMP from my previous posts:
Installing LAMP: http://runningwithcodes.blogspot.fi/2013/09/installing-lamp.html
Warming up with LAMP: http://runningwithcodes.blogspot.fi/2015/09/my-studies-with-linux-continue-and-our.html

Creating a MySQL Database


mysql -u root -p


CREATE DATABASE wpcarola;

CREATE USER wpcarola@localhost IDENTIFIED BY 'verydifficultpassword';

I created a new database and a user, and set the user's password.

GRANT ALL PRIVILEGES ON wpcarola.* to wpcarola@localhost IDENTIFIED BY 'verydifficultpassword';
Granted this user all privileges on the wpcarola database.

FLUSH PRIVILEGES;
Reloaded the privileges from the grant tables so the change takes effect.

EXIT
And finally exited the database shell.



Downloading WordPress


Since I had already created a public_html folder for xubuntu, I decided to run the installation under it.
After navigating to https://wordpress.org/download/ I copied the URL of the download link, entered my terminal and wrote:

wget https://wordpress.org/latest.zip  (wget + URL of download file)

unzip latest.zip
Once the download was complete I unzipped the file and a wordpress folder appeared.



Configuring the settings and installation


I opened the configuration page by typing the address based on the folder's location (localhost/~xubuntu/wordpress) into the browser and was ready to start the action!


I entered MySQL information which I had defined earlier.


I got a notification that the right configuration file would be needed. Luckily WordPress generated its contents for me, so all I needed to do was follow the instructions.


As guided, I created the new wp-config.php file manually and pasted the text WordPress gave me into it.

nano wp-config.php

I could now continue the installation and got to enter the information for my brand new WordPress.
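The web installer produced the configuration text for the author. As an added example, not part of the original post or of WordPress itself, here is a shell function that writes an equivalent wp-config.php from the database values created above, generating the eight secret keys and salts locally and creating the file without world-read permission so the database password is not readable by other local users. The output path, host and table prefix are assumptions; the key names are the standard WordPress ones.

```shell
#!/bin/sh
# Added example (not from the original post or from WordPress): write a
# wp-config.php from the database values created earlier, with locally
# generated secret keys and salts and no world-read permission. Output path,
# host and table prefix are assumptions for illustration.

# random_secret -> 64 random alphanumeric characters from /dev/urandom
random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64
}

# php_escape STRING -> STRING safe inside a single-quoted PHP literal
php_escape() {
    printf '%s' "$1" | sed "s/['\\\\]/\\\\&/g"
}

# write_wp_config OUT DBNAME DBUSER DBPASS -> writes OUT with mode 0640
write_wp_config() (
    out=$1 db=$2 user=$3 pass=$(php_escape "$4")
    umask 077            # create the file without group/other permissions
    {
        printf '<?php\n'
        printf "define('DB_NAME', '%s');\n" "$db"
        printf "define('DB_USER', '%s');\n" "$user"
        printf "define('DB_PASSWORD', '%s');\n" "$pass"
        printf "define('DB_HOST', 'localhost');\n"
        printf "define('DB_CHARSET', 'utf8');\n"
        printf "define('DB_COLLATE', '');\n"
        # Eight unique secrets: WordPress signs cookies and nonces with them,
        # so every installation must have its own values.
        for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                 AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
            printf "define('%s', '%s');\n" "$k" "$(random_secret)"
        done
        printf "\$table_prefix = 'wp_';\n"
        printf "if (!defined('ABSPATH')) define('ABSPATH', dirname(__FILE__) . '/');\n"
        printf "require_once ABSPATH . 'wp-settings.php';\n"
    } >"$out"
    chmod 640 "$out"     # owner rw, web server group r, nobody else
)

# Usage: sh make-wp-config.sh wordpress/wp-config.php wpcarola wpcarola 'verydifficultpassword'
if [ "$#" -eq 4 ]; then
    write_wp_config "$1" "$2" "$3" "$4"
fi
```

After writing the file, make its group the one the web server runs as (www-data on Ubuntu) so that mode 640 lets Apache read it while other users on the machine cannot.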


Installing a new theme and plugin


The installation was done. After making a small "Hello World" post I took a closer look at my dashboard. I could already find some pre-installed themes, but I fancied something different.

I selected a theme from https://wordpress.org/themes/ and copied the URL.

cd wp-content
cd themes

wget https://downloads.wordpress.org/theme/pure-simple.1.1.3.zip
unzip pure-simple.1.1.3.zip


After unzipping I could find the theme in my own library.


The installation of a plugin was done with the same method.



In the plugin directory I found Akismet, which should automatically block spam messages in the WordPress comment box. In the terminal I went to the plugins folder and installed Akismet:

wget https://downloads.wordpress.org/plugin/akismet.3.1.4.zip
unzip akismet.3.1.4.zip





Success! The plugin appeared in the library.

Sources 
Lectures by Tero Karvinen
https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-on-ubuntu-12-04
https://miro.metsanheimo.fi/2015/10/08/installing-wordpress-along-with-plugins-themes-and-images/
Based on Linux course by Tero Karvinen (http://terokarvinen.com)

Thursday, 1 October 2015

Configuring settings for Apache2 virtual server

In this post I will show how to configure the basic settings for an Apache2-based virtual server and make a website appear at the desired address on the local computer.

Setting up Apache


sudo apt-get update
sudo apt-get install apache2

I ran the update and installed Apache.

sudo a2enmod userdir
Enabled userdir.

sudo service apache2 restart
and restarted Apache.

I tested the functionality by typing "localhost" in my address bar and got the "It works!" page.

 

Creating a webpage


mkdir public_html
mkdir carolwenn.com
nano index.html


I created public_html in my home directory, entered it and added a new folder for my virtual server (carolwenn.com). Finally I made my index.html page with the following code:

<!doctype html>
<html>
<head>
    <title>carolwenn.com</title>
    <meta charset="utf-8" />
</head>
<body>
    <h1>Carola's homepage</h1>
    <p>Welcome to carolwenn.com</p>
</body>
</html>

 

Settings


ifconfig

I needed to find out my own IP address so I could make the website appear where I wanted it to. After copying it I went to /etc and modified the hosts file by adding the IP and my desired hostname.

cd /etc
nano hosts


192.168.***.*** www.carolwenn.com
192.168.***.*** carolwenn.com


Everything was fine so far, but this wouldn't be enough. For carolwenn.com to work I would have to enable it in Apache's settings.

cd /etc/apache2/sites-available/
sudo cp 000-default.conf carolwenn.com


I copied the default file (000-default.conf) to carolwenn.com and replaced its contents, configuring the server name, the alias and the document root as shown:
<VirtualHost *:80>
     ServerName www.carolwenn.com
     ServerAlias carolwenn.com
     DocumentRoot /home/xubuntu/public_html/carolwenn.com
</VirtualHost>



sudo a2ensite carolwenn.com

When trying to enable my site (actually making it appear at carolwenn.com) I got an error claiming my site did not even exist. a2ensite is actually a Perl script which only works with files ending in .conf. I renamed my file from carolwenn.com to carolwenn.com.conf and tried again.
 

sudo mv /etc/apache2/sites-available/carolwenn.com /etc/apache2/sites-available/carolwenn.com.conf

The Result


sudo a2ensite carolwenn.com

The second time running a2ensite was successful and my page appeared at both carolwenn.com and www.carolwenn.com.
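As an added example, not part of the original post, the following shell functions automate the virtual host step and avoid the two problems met above: the file is always written with the .conf suffix that a2ensite expects, and the hostname is validated before it is interpolated into the configuration, so stray characters cannot turn into extra directives. The <Directory> block with Options -Indexes and AllowOverride None is my addition (it stops directory listings of public_html); the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): write an Apache virtual host
# file with the .conf suffix a2ensite needs, after validating the hostname
# and checking the DocumentRoot. The <Directory> block is my addition;
# the paths used in the usage line are assumptions.

# valid_hostname NAME -> 0 for a plausible DNS name (letters, digits, dots,
# hyphens; no leading/trailing dot or leading hyphen). Rejecting anything
# else keeps spaces, quotes and newlines out of the generated directives.
valid_hostname() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# hosts_line IP NAME -> the /etc/hosts entry for NAME and www.NAME
hosts_line() {
    printf '%s\t%s www.%s\n' "$1" "$2" "$2"
}

# write_vhost NAME DOCROOT SITES_DIR -> writes SITES_DIR/NAME.conf and
# prints its path; fails without writing if NAME or DOCROOT is unusable.
write_vhost() {
    name=$1 docroot=$2 sites=$3
    valid_hostname "$name" || { printf 'bad hostname: %s\n' "$name" >&2; return 1; }
    [ -d "$docroot" ] || { printf 'DocumentRoot missing: %s\n' "$docroot" >&2; return 1; }
    conf="$sites/$name.conf"
    cat >"$conf" <<EOF
<VirtualHost *:80>
    ServerName www.$name
    ServerAlias $name
    DocumentRoot "$docroot"
    <Directory "$docroot">
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/$name-error.log
    CustomLog \${APACHE_LOG_DIR}/$name-access.log combined
</VirtualHost>
EOF
    printf '%s\n' "$conf"
}

# Usage (as root):
#   sh make-vhost.sh carolwenn.com /home/xubuntu/public_html/carolwenn.com /etc/apache2/sites-available
#   a2ensite carolwenn.com && apache2ctl configtest && service apache2 reload
if [ "$#" -eq 3 ]; then
    write_vhost "$1" "$2" "$3"
fi
```

Running apache2ctl configtest before the reload catches a typo in the generated file without taking the running server down; hosts_line prints the entry to append to /etc/hosts for local testing.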






Sources 
Lectures by Tero Karvinen
https://viivijarvela.wordpress.com/2014/03/10/apache-ja-virtuaalipalvelin/
https://eliimatt.wordpress.com/2012/09/24/harjoitustehtava-5-apache/
http://stackoverflow.com/questions/20591889/site-does-not-exist-error-for-a2ensite
http://manpages.ubuntu.com/manpages/jaunty/man8/a2ensite.8.html
Based on Linux course by Tero Karvinen (http://terokarvinen.com)