Wednesday, 14 October 2015

Scan of the Month 15

Dilbert, Copyright Scott Adams.

See the original challenge here:


The Challenge

"On 15 March 2001, a Linux honeypot was successfully compromised, a rootkit was downloaded to the / partition and then deleted from the system. Your mission is to find and recover the deleted rootkit. If you are not sure where to begin on conducting this forensic analysis and recovering the rootkit, we highly recommend you start with the Forensic Challenge. The steps you will have to follow for the rootkit recovery are similar to the steps discussed there. We have posted only the / partition for download to keep this challenge simple. The compressed image is 13 MB (honeynet.tar.gz), MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. Once you have downloaded, untarred, and unzipped the partition image, it will be 255 MB and the checksum should be MD5=5a8ebf5725b15e563c825be85f2f852e.

Show step by step how you identify and recover the deleted rootkit from the / partition.

What files make up the deleted rootkit?"


The preparations


sudo apt-get install tree

mkdir honey

cd honey

I installed tree for getting a better visual understanding of the files and locations I was about to explore.
I created a folder for the image-file I would download from

tar xf honeynet.tar.gz

I extracted the file by using tar and a new folder, honeynet, appeared. Inside this folder I could find the README file and also the target image honeypot.hda8.dd

xubuntu@xubuntu:~/honey/honeynet$ tree
├── honeypot.hda8.dd

Recovering the lost files

I used the instructions written by Tero Karvinen ( as a guide while recovering the lost files.

mkdir allocated deleted
tsk_recover -a honeypot.hda8.dd allocated/

When trying to run the recovery command I got a notification that installation of sleuthkit was required.

sudo apt-get install sleuthkit
tsk_recover -a honeypot.hda8.dd allocated/
tsk_recover -a honeypot.hda8.dd deleted/

This time the command worked and I could see that in total 1614 allocated and 37 deleted files were recovered.

The research and discovering the rootkit

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software.
- Wikipedia: Rootkit, source:

tar xvf lk.tgz
cd last
ls -la

Inside the folder of deleted files I found a strange package which I chose to open using tar once again.
With ls -la I could find out which file was edited last (in this case the install file).

xubuntu@xubuntu:~/honey/honeynet/deleted/last$ tree
├── cleaner
├── ifconfig
├── inetd.conf
├── install
├── last.cgi
├── linsniffer
├── logclear
├── lsattr
├── mkxfs
├── netstat
├── pidfile
├── ps
├── s
├── sense
├── services
├── sl2
├── ssh
├── ssh_config
├── sshd_config
├── ssh_host_key
├── ssh_random_seed
└── top

cat install

I opened the install file with cat and was soon more than sure that this was indeed the source of a rootkit.
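Once tsk_recover has carved the deleted files out of the image, the next question is which of them deserve a closer look. As an added example that is not part of the original post (and not a Sleuth Kit or Honeynet Project tool), here is a small Python triage script of my own: it walks a directory of recovered files, records size, mtime and SHA-256 for each, classifies every file by its leading bytes (ELF binary, shebang script, text or opaque binary), and flags names that collide with standard system utilities, because a kit that ships its own ps, netstat or ifconfig is replacing exactly the tools an administrator would use to notice it. The utility list is my assumption, and the sample directory is constructed inline so the script runs offline.

```python
"""Triage of recovered files: added example, not from the original post."""
import hashlib
import os
import tempfile
from pathlib import Path

# Names of utilities that user-mode rootkits commonly replace with trojaned
# copies. The list is an assumption for this example, seeded from the
# binaries found in the recovered last/ directory plus a few usual targets.
SHADOWED_UTILITIES = {
    "ps", "netstat", "ifconfig", "top", "ls", "lsattr", "find", "du",
    "login", "ssh", "sshd", "syslogd", "killall",
}

ELF_MAGIC = b"\x7fELF"


def classify(head: bytes) -> str:
    """Classify a file by its leading bytes: elf, script, text or binary."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def triage(directory: str) -> list:
    """Return one record per regular file under directory, oldest mtime first.

    Each record carries the name, size, mtime, SHA-256 and classification,
    plus a flag for names that collide with standard system utilities, so an
    analyst can see at a glance which recovered files replace the very tools
    (ps, netstat, ifconfig, ...) an administrator would use to spot an intruder.
    """
    records = []
    for path in sorted(Path(directory).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        data = path.read_bytes()
        records.append({
            "name": path.name,
            "size": len(data),
            "mtime": path.stat().st_mtime,
            "sha256": hashlib.sha256(data).hexdigest(),
            "kind": classify(data[:64]),
            "shadows_system_tool": path.name in SHADOWED_UTILITIES,
        })
    records.sort(key=lambda r: r["mtime"])
    return records


def build_sample_dir() -> str:
    """Construct a small stand-in for the recovered last/ directory (constructed data)."""
    root = tempfile.mkdtemp(prefix="triage_")
    samples = {
        "ps": ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 61,       # fake ELF header bytes
        "install": b"#!/bin/sh\n# constructed stand-in for an installer script\n",
        "services": b"ssh 22/tcp\n",                             # plain text config
        "ssh_random_seed": b"\xff\x00\x93\xab" * 16,             # opaque binary blob
    }
    for i, (name, content) in enumerate(samples.items()):
        p = Path(root, name)
        p.write_bytes(content)
        # Space the mtimes one second apart so the sort order is deterministic.
        os.utime(p, (1_000_000 + i, 1_000_000 + i))
    return root


if __name__ == "__main__":
    for r in triage(build_sample_dir()):
        flag = "  <-- shadows a system tool" if r["shadows_system_tool"] else ""
        print(f"{r['name']:<16} {r['kind']:<7} {r['size']:>5} {r['sha256'][:16]}{flag}")
```

Point triage() at the real deleted/last/ directory instead of build_sample_dir() to get the same listing for the recovered kit; the SHA-256 column is what you would record in the report and compare against the distribution's own package files, and sorting by mtime reproduces the "which file was edited last" view from ls -la.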

Lectures by Tero Karvinen
Based on Linux course by Tero Karvinen (

Tuesday, 13 October 2015

WordPress installation on Linux

Before starting the installation of WordPress, make sure you have added all the elements of LAMP. It is important to check and double-check that your PHP module is actually working. The best way to verify this is to create a webpage with a small example code.

You can find more information about installation of LAMP from my previous posts:
Installing LAMP:
Warming up with LAMP:

Creating a MySql Database

mysql -u root -p


CREATE USER wpcarola@localhost IDENTIFIED BY 'verydifficultpassword';

I created a new database + user and configured the password.

GRANT ALL PRIVILEGES ON wpcarola.* to wpcarola@localhost IDENTIFIED BY 'verydifficultpassword';
Gave all privileges on the wpcarola database to this user.

Reloaded the privileges from the possible grant tables in the database.

And finally exit the database.

Downloading WordPress

Since I had already created a public_html folder for xubuntu I decided to run the installation under it.
After navigating to I copied the URL of the download link, entered my terminal and wrote:

wget  (wget + URL of download file)

Once the download was complete I unzipped the file and wordpress folder appeared.

Configuring the settings and installation

I tried to open the configuration by writing the address based on the file's location (localhost/~xubuntu/wordpress) by using the browser and was ready to start the action!

I entered MySQL information which I had defined earlier.

I got a notification that the right configuration file would be needed. Luckily WordPress configured it for me so all I needed to do was follow the instructions.

As guided I made the new wp-config file manually and pasted the text WordPress gave me there.

nano wp-config.php

I could now continue the installation and got to enter the information for my brand new WordPress.

Installing a new theme and plugin

The installation was done. After making a small "Hello World" post I took a closer look at my dashboard. I could already find some pre-installed themes but I fancied something different.

I selected theme from and copied the URL.

cd wp-content
cd themes


After unzipping I could find the theme from my own library.

The installation of a plugin was done with the same method.

From the plugin directory I found Akismet, which should automatically block spam messages from the comment box of WordPress. From the terminal I chose a plugin folder and installed Akismet:


Success! The plugin appeared in the library.


Thursday, 1 October 2015

Configuring settings for Apache2 virtual server

In this post I will show how to configure the basic settings for an Apache2-based virtual server and make a website appear at the desired address on the local computer.

Setting up Apache

sudo apt-get update

I ran the update.

sudo apt-get install apache2

Installed Apache.

sudo a2enmod userdir

Enabled userdir.

sudo service apache2 restart

and restarted the module.

I tested the functionality by writing "localhost" in my address bar and got the "It works!" page.


Creating a webpage

mkdir public_html
nano index.html

I created public_html in my home directory, entered it and added a new folder for my virtual server ( Finally I made my index.html page with the following code:

<!doctype html>
<html>
<head><meta charset="utf-8" /><title>Carola's homepage</title></head>
<body>
<h1>Carola's homepage</h1>
<p>Welcome to</p>
</body>
</html>



I needed to find out my own IP address so I could get the website to appear where I wanted it to. After copying it I changed the directory to hosts and modified the file by adding the IP and my own desired address.
nano hosts


Everything good so far but this wouldn't be enough. In order to work I would have to enable it from apache's settings.

cd /etc/apache2/sites-available/
sudo cp 000-default.conf

I copied my as the default file (000-default.conf) and replaced its contents by configuring the server name and alias and giving the address of the root directory as shown:
<VirtualHost *:80>
     DocumentRoot /home/xubuntu/public_html/
</VirtualHost>

sudo a2ensite

When trying to enable my site (actually making it appear in I faced an error that claimed my site did not even exist. a2ensite is actually a Perl script which only works with files ending in .conf. I changed my original file name from to and tried again.

sudo mv /etc/apache2/sites-available/ /etc/apache2/sites-available/

The Result

sudo a2ensite

The second time running a2ensite was successful and my address appeared at both and
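As an added example that is not the original post's file, here is what a complete site file for this setup could look like once the server name and alias are filled in. carola.example and www.carola.example are placeholders for the address the post leaves out, the DocumentRoot is the one shown above, and the file has to be saved with a .conf suffix (for instance sites-available/carola.example.conf) or a2ensite will not find it, exactly as described above.

```apache
# Added example, not the post's own configuration.
# Save as /etc/apache2/sites-available/carola.example.conf (the .conf suffix
# is required by a2ensite). carola.example is a placeholder hostname.
<VirtualHost *:80>
    ServerName carola.example
    ServerAlias www.carola.example
    DocumentRoot /home/xubuntu/public_html/

    <Directory /home/xubuntu/public_html/>
        # Serve the files, but never list the directory when index.html is missing
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/carola.example-error.log
    CustomLog ${APACHE_LOG_DIR}/carola.example-access.log combined
</VirtualHost>
```

Add a matching line such as `127.0.0.1 carola.example www.carola.example` to /etc/hosts, run `sudo apache2ctl configtest` to catch syntax errors before touching the running server, then `sudo a2ensite carola.example.conf` and `sudo service apache2 reload`. Keeping `-Indexes` in the Directory block means a missing index.html answers with 403 instead of listing everything under the home directory's public_html, and separate log files per site make it easier to spot unexpected requests to just this address.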
