How many times have you written a script and had a bad time with file names containing spaces? The remedy is the IFS value.
IFS, the Internal Field Separator, holds the characters that separate the various entities the shell works with: file names, values read into a script by read, and so on. It is the set of characters the shell treats as whitespace when it splits words.
By default IFS holds whitespace (the output below shows a space, a tab and a newline). The global variable $IFS stores the value. To view the exact value stored in IFS, execute:
echo "$IFS" | cat -vTE
 ^I$
$
Running echo "$IFS" on its own gives no visible output (after all, you are looking at whitespace). cat -vTE makes the non-printing characters visible: tabs are shown as ^I and each line ends with a $ sign.
In a script that works with file names containing spaces, it is preferable to change IFS to contain only the newline character instead of the default space and newline. Let's look at one such script that accepts file names with spaces. It simply prints the names of the files in your current directory. (Remember to create some files with spaces in their names in your current directory. You may try the same script without the IFS lines to see the difference.)
#!/bin/bash
OIFS=$IFS                 # Original IFS
IFS=$(echo -en "\n\b")    # New IFS: newline only (the \b stops $(...) from stripping the trailing newline)
for fil in $(ls -1 $PWD); do
    echo "$fil"
done
IFS=$OIFS                 # Restore earlier IFS
IFS can also be used to read files whose fields are separated by a special character. /etc/passwd, for example, stores the username, home directory and the other fields of each entry separated by colons.
The following script uses a while loop to determine which users have /bin/false in the shell field:
#!/bin/bash
OIFS=$IFS
IFS=':'
while read -r username password userid groupid comments homedir shell_avail
do
    if [[ $shell_avail == /bin/false ]]; then
        echo "$username has no shell"
    fi
done < /etc/passwd
IFS=$OIFS
In the above script each of the seven fields of an /etc/passwd line is assigned to one of the seven variables
username password userid groupid comments homedir shell_avail by the read command. The if statement compares the seventh variable, shell_avail, with /bin/false and prints the username when they match.
From now on you can use the IFS variable for all those files with spaces and for extracting values separated by a special character.
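Both techniques from the post, put together as an added example (this is not code from the original post). The passwd lines and the file names are constructed, so the script runs offline without touching /etc/passwd or the current directory; one constructed account, "svc user", deliberately has a space in its name. Setting IFS only for the read builtin (IFS=':' read ...) is a variation on the post's save-and-restore approach.

```shell
#!/bin/sh
# Added example, not from the original post: both IFS uses on constructed data.

nl=$(printf '\nx'); nl=${nl%x}   # a literal newline ($(...) would strip a trailing one)
tab=$(printf '\t')

# Print the users whose seventh field is /bin/false, one per line.
# IFS=':' applies to the read builtin only, so the global IFS is untouched
# and nothing has to be restored afterwards. The lines below are constructed.
no_shell_users() {
    while IFS=':' read -r username password userid groupid comments homedir shell_avail; do
        if [ "$shell_avail" = /bin/false ]; then
            printf '%s\n' "$username"
        fi
    done <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
svc user:x:1001:1001:Service Account:/home/svc:/bin/false
alice:x:1002:1002:Alice Example:/home/alice:/bin/bash
EOF
}

# Count how many words a newline-separated list of three file names (two of
# them containing spaces) becomes when the shell splits it with IFS set to $1.
# Under the default IFS "my file.txt" splits in two; with a newline-only IFS
# every file name stays whole.
count_fields() {
    saved_ifs=$IFS
    list="my file.txt${nl}notes.txt${nl}old backup.tar"
    IFS=$1
    set -- $list                 # word splitting happens here, under the new IFS
    n=$#
    IFS=$saved_ifs               # restore the original value, as the post does
    echo "$n"
}

echo "users without a shell:"
no_shell_users
echo "default IFS splits the list into $(count_fields " ${tab}${nl}") words"
echo "newline-only IFS splits it into $(count_fields "$nl") words"
```

With the default IFS the three file names come out as five words (the two names with spaces are broken apart); with a newline-only IFS they come out as three.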
A rootkit is a collection of programs that enable an attacker to obtain the same privileges as the root user on a Linux or Unix system. The word is composed of two parts: 'root', meaning the software provides the highest access level, that of root/administrator, and 'kit', meaning it bundles a number of tools.
After gaining access to a server, attackers install a rootkit to hide their presence and run whatever scripts they want anywhere on the server. Once installed it makes the intruder's life easy. Rootkits are not easily detectable; if the rootkit is a recent one with no known signature, the server may have to be rebuilt from scratch.
A rootkit contains multiple applications for compromising the entire server, among them:
Server Access Applications (Back door application)
These applications create a backdoor for logging in to the compromised system without using the exploit again.
Log clearing Applications
These applications clear the log entries of the events performed by the intruder or by the tools used, clearing all the associated log files on the server.
Packet sniffing Applications
These applications monitor the data passing through the server's network interfaces on particular ports.
Malicious Scripts
Many scripts may be installed, such as IRC bots, DDoS daemons, spam servers, trojans and worms.
There are mainly two kinds of rootkits: application rootkits and kernel rootkits.
Application rootkits
These rootkits replace a particular application and hide the attacker's files and processes from the original application's output. For example, a rootkit ls performs all the tasks of a normal ls but does not display any of the attacker's files. Other application rootkits create backdoors for unauthorised access, packet sniffers and similar tools that go undetected or are hidden by renaming. Application rootkits are the most common.
Kernel rootkits
Kernel rootkits modify the kernel, applying patches to the kernel and device drivers, and hide the attacker's applications and files there. Since antivirus and other applications rely on what the kernel reports, these are the hardest rootkits to detect.
'Prevention is better than cure': as the saying goes, it is always better to keep the system secure and updated whenever possible to stop these installations. There are some applications which help detect known rootkits running on the system. One such tool is chkrootkit.
chkrootkit is one of the popular rootkit detectors (an anti-rootkit) and is known to detect common rootkits on Unix/Linux servers. chkrootkit relies on basic string processing to determine the presence of rootkits: it scans specific system files and binaries targeted by rootkits for known signatures.
The following are the instructions to install chkrootkit version 0.49 on a server.
cd /usr/local/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
md5sum -c chkrootkit.md5 # to check if the downloaded file is intact
tar -xzf chkrootkit.tar.gz
cd chkrootkit-0.49/
make sense
./chkrootkit
chkrootkit checks all the files and displays the status of each file analysed. This information may be logged for future reference; for this a cron job may be set up to run at least once a month.
Inserting an entry like the one below into the system's cron tasks (executed at least once a month) sends the chkrootkit report to the administrator concerned.
/usr/local/chkrootkit-0.49/chkrootkit | mail -s "chkrootkit report $(date +%d/%m/%y)" "admin@domain.com"
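A wrapper for that cron job, added here as an example and not part of the original post or of chkrootkit itself. It keeps every report on disk, compares the new report with the previous one, and mails the administrator only when a line marked INFECTED appears or the report changed since last time, so a quiet month produces a file but no mail. The chkrootkit path and the mail address are the ones from the post; the report directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): keep chkrootkit reports and mail
# on findings or changes. Paths and address below are assumptions/from the post.
CHKROOTKIT=/usr/local/chkrootkit-0.49/chkrootkit   # path used in the post
REPORT_DIR=/var/log/chkrootkit                     # assumed report location
ADMIN=admin@domain.com                             # address used in the post

# Print the lines of report $1 that chkrootkit marks as INFECTED.
# Exit status 0 when at least one such line exists, 1 otherwise (grep's status).
infected_lines() {
    grep 'INFECTED' "$1"
}

# Exit status 0 when report $1 differs from previous report $2 (or $2 does not
# exist yet), 1 when the two are byte-for-byte identical.
report_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# Run the scan, store the report, mail only when there is something to say.
run_scan() {
    mkdir -p "$REPORT_DIR"
    today="$REPORT_DIR/report-$(date +%Y%m%d).txt"
    latest="$REPORT_DIR/latest.txt"
    "$CHKROOTKIT" > "$today" 2>&1
    if infected_lines "$today" > /dev/null || report_changed "$today" "$latest"; then
        mail -s "chkrootkit report $(date +%d/%m/%y)" "$ADMIN" < "$today"
    fi
    cp "$today" "$latest"
}

# Invoke as "sh chkrootkit-cron.sh run" from cron; sourcing the file only defines the functions.
case "${1:-}" in
    run) run_scan ;;
esac
```

Keeping the previous report (latest.txt) is what makes the comparison possible; a change in the report between runs is worth a look even when nothing is flagged INFECTED, since a rootkit that replaces binaries can change the output of the string checks.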
Most of us use the MySQL database, yet many do not know how to choose a database engine, what storage engines MySQL offers, or how they differ from each other. In this article I give a brief overview of the storage engines, their limitations and where each should be used.
One of the great things about MySQL, besides being free, widely supported and fast, is the flexibility of choosing different storage engines for different tables. These storage engines act as handlers for different table types, so MySQL's storage engines include both ones that handle transaction-safe tables and ones that handle non-transaction-safe tables, along with many others. MySQL does this through its Pluggable Storage Engine Architecture.
MySQL Storage Engines Overview
To determine which storage engines your server supports, use the SHOW ENGINES statement. The value in the Support column indicates whether an engine can be used: YES, NO or DEFAULT means the engine is available, not available, or available and currently set as the default storage engine.
We create RPMs from the source of a package. As an initial step, compile and install the source the normal way, just to confirm that all necessary libraries and dependencies are met.
Here I am explaining the whole process to create an RPM for CSF that could be installed on cPanel servers.
Getting ready with the Source Files:
Download Latest CSF from here : http://www.configserver.com/free/csf.tgz
Extract the tarball.
[root@server new]# tar -xvf csf.tgz
[root@server new]# ls
csf csf.tgz
Install to check that all libraries/dependencies are met.
[root@server new]# cd csf
[root@server csf]# sh install.cpanel.sh
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Installation Completed
We have confirmed that all libraries/dependencies for installing CSF are met. Next we rename the tarball to carry a version so that it can be referenced in the SPEC file.
[root@server csf]# cd ..
[root@server new]# ls
csf csf.tgz
[root@server new]# mv csf csf-0.0.1
[root@server new]# tar -cvf csf-0.0.1.tar.gz csf-0.0.1
0.0.1 is the version (any value can be assigned). We now have the source file for CSF, csf-0.0.1.tar.gz, that will be used to generate the RPM.
Building the RPM:
Install RPMBUILD tool:
[root@server ~]# yum install rpm-build
We never build RPMs as root but as a normal user. Because root can alter any file on the system, it was easy to inadvertently alter a running system by adding extraneous files or removing important ones during interim builds of an RPM. Earlier, RPMs were built as root, but the RPM system was changed to allow any user to build RPMs in a home directory. Building an RPM without root privileges prevents changes to core system files, so we stay on the safe side.
Initial Set-up:
We need to create a directory hierarchy for the rpmbuild tool to work with. To begin with, create a directory under your home directory that will act as the root directory for the build process. Let's make a directory 'csfrpm' under the home directory for this purpose.
[sage@server ~]$ mkdir -p /home/your_username/csfrpm
[sage@server ~]$ cd /home/your_username/csfrpm
Create Five sub-directories under csfrpm.
[sage@server csfrpm]$ mkdir BUILD RPMS SOURCES SPECS SRPMS
[sage@server csfrpm]$ ls BUILD RPMS SOURCES SPECS SRPMS
Copy the source tarball we created (csf-0.0.1.tar.gz) to the SOURCES folder. Make sure the owner of the source file is your_username.
[sage@server ~]$ cp csf-0.0.1.tar.gz /home/your_username/csfrpm/SOURCES/
Create the SPEC file:
The SPEC file is nothing but the configuration for the rpmbuild tool.
[sage@server csfrpm]$ vi SPECS/csf.spec
# This is a sample spec file for csf
%define _topdir /home/your_username/csfrpm
%define name csf
%define release 0
%define version 0.0.1
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Summary: GNU csf
License: GPL
Name: %{name}
Version: %{version}
Release: %{release}
Source: %{name}-%{version}.tar.gz
Group: Security/Tools
%description
A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.
%prep
%setup -q
%install
./install.cpanel.sh prefix=$RPM_BUILD_ROOT/usr/local
%clean
%{__rm} -rf %{buildroot}
%files
%defattr(-,root,root,0755)
Finally Build the RPM:
[sage@server csfrpm]$ rpmbuild -v -bb --clean SPECS/csf.spec
You can see the result if everything went fine:
Processing files: csf-0.0.1-0
Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/csf-0.0.1-root
Wrote: /home/your_username/csfrpm/RPMS/i386/csf-0.0.1-0.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.84469
+ umask 022
+ cd /home/your_username/csfrpm/BUILD
+ cd csf-0.0.1
+ /bin/rm -rf /var/tmp/csf-0.0.1-root
+ exit 0
Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.84469
+ umask 022
+ cd /home/your_username/csfrpm/BUILD
+ rm -rf csf-0.0.1
+ exit 0
The RPM is written to /home/your_username/csfrpm/RPMS/i386/csf-0.0.1-0.i386.rpm
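The set-up steps above, collected into one script as an added example (not part of the original post or of CSF). It refuses to run as root for the reason the post gives, creates the five build directories, copies the tarball into SOURCES and writes a spec file in the same shape as the post's csf.spec; only the final rpmbuild call needs the rpm-build package. Package name, version, top directory and tarball path are parameters; the %files section is left as in the post for the packager to fill in.

```shell
#!/bin/sh
# Added example (not from the original post): non-root rpmbuild set-up for a
# source tarball. Usage: sh build_rpm.sh /home/you/csfrpm csf 0.0.1 csf-0.0.1.tar.gz

# Exit status 0 when the caller is not root, 1 when it is.
refuse_root() {
    [ "$(id -u)" -ne 0 ]
}

# Create the five directories rpmbuild expects under $1 (the _topdir).
make_build_tree() {
    for d in BUILD RPMS SOURCES SPECS SRPMS; do
        mkdir -p "$1/$d" || return 1
    done
}

# Write a spec file for package $2, version $3, _topdir $1 to stdout.
# The sections mirror the post's csf.spec.
write_spec() {
    topdir=$1 name=$2 version=$3
    cat <<EOF
# Generated spec file for $name
%define _topdir $topdir
%define name $name
%define release 0
%define version $version
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Summary: $name
License: GPL
Name: %{name}
Version: %{version}
Release: %{release}
Source: %{name}-%{version}.tar.gz
Group: Security/Tools
%description
Package built from $name-$version.tar.gz.
%prep
%setup -q
%install
./install.cpanel.sh prefix=\$RPM_BUILD_ROOT/usr/local
%clean
%{__rm} -rf %{buildroot}
%files
%defattr(-,root,root,0755)
EOF
}

# Whole procedure: check user, build tree, copy source, write spec, build.
build_rpm() {
    topdir=$1 name=$2 version=$3 tarball=$4
    refuse_root || { echo "refusing to build RPMs as root" >&2; return 1; }
    make_build_tree "$topdir" || return 1
    cp "$tarball" "$topdir/SOURCES/$name-$version.tar.gz" || return 1
    write_spec "$topdir" "$name" "$version" > "$topdir/SPECS/$name.spec"
    rpmbuild -v -bb --clean "$topdir/SPECS/$name.spec"
}

# Only build when called with all four arguments; sourcing just defines the functions.
if [ $# -eq 4 ]; then
    build_rpm "$@"
fi
```

Because _topdir is written into the spec, rpmbuild places BUILD, RPMS and the rest under the user's own directory rather than the system-wide rpm tree, which is what keeps the build from touching system files.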
When trying to change a password from WHM, the following error is displayed.
Error
The password for “user” could not be changed because:
Check the error in log file: /usr/local/cpanel/logs/error_log
You will find an error similar to the one shown below.
=============================================================
Can't locate Crypt/PasswdMD5/XS.pm in @INC (@INC contains:
/scripts /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl
/usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl
/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi
/usr/lib/perl5/5.8.8 .) at /scripts/cPScript/CheckPass/UNIX.pm line 6.
BEGIN failed--compilation aborted at /scripts/cPScript/CheckPass/UNIX.pm line 6.
Compilation failed in require at /scripts/cPScript/CheckPass.pm line 6.
BEGIN failed--compilation aborted at /scripts/cPScript/CheckPass.pm line 6.
Compilation failed in require at /scripts/realchpass line 16.
BEGIN failed--compilation aborted at /scripts/realchpass line 16.
=============================================================
Fix:
SSH into the server with the root login credentials and install the missing module:
# /scripts/perlinstaller Crypt::PasswdMD5
Check if the issue still persists.
If it does, try fixing the problem without rebuilding Perl or changing any system configuration files. Run:
# /scripts/checkperlmodules
# service cpanel restart
Try changing the password again. If you are still getting the error, it is likely that the cPanel Perl installation was overwritten by an updated Perl RPM, either manually or by yum. Let's make sure Perl is left to cPanel: check that automatic Perl updates are disabled in cPanel and that perl is excluded in the yum configuration.
# grep allowperlupdates /var/cpanel/cpanel.config
If you see allowperlupdates=1, you have enabled "Allow Perl updates from RPM-based linux vendors" in WHM under Tweak Settings -> System. Return to WHM, uncheck this option and click the "Save" button.
In /etc/yum.conf, check that perl* is present in the exclude line, then install the Perl module.
exclude=apache* bind-chroot courier* dovecot* exim* httpd* mod_ssl* mysql* nsd* perl* php*
Steps to install the Perl module:
First check the current version of Perl:
# perl -v
If an older version of Perl is running on the server, you get output something like:
This is perl, v5.8.7 built for i686-linux
Upgrade Perl on the cPanel server
1) Download the latest perl installer from cPanel site.
# wget http://layer1.cpanel.net/perl588installer.tar.gz
2) Untar the file.
# tar -zxvf perl588installer.tar.gz
3) Change the directory to perl588installer.
# cd perl588installer
4) Now run the installer file.
# ./install
5) Check perl modules.
# /scripts/checkperlmodules
6) Force a cPanel update.
# /scripts/upcp --force
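The two settings the post says must hold, allowperlupdates not set to 1 in /var/cpanel/cpanel.config and perl* in the yum exclude list, checked by a small audit script. This is an added example, not part of the original post or of cPanel; both file paths are parameters so the checks can be run against copies of the files.

```shell
#!/bin/sh
# Added example (not from the original post): verify that cPanel's Perl is
# protected from RPM/yum updates. Usage: sh perl_audit.sh /var/cpanel/cpanel.config /etc/yum.conf

# Exit status 0 unless the cpanel.config given as $1 contains allowperlupdates=1.
perl_updates_disabled() {
    ! grep -q '^allowperlupdates=1$' "$1"
}

# Exit status 0 when the exclude= line of the yum.conf given as $1 lists perl*.
perl_excluded_from_yum() {
    grep '^exclude=' "$1" | sed 's/^exclude=//' | tr ' ' '\n' | grep -qx 'perl\*'
}

# Report both checks; exit status 0 only when both pass.
audit_perl_protection() {
    rc=0
    if perl_updates_disabled "$1"; then
        echo "ok: allowperlupdates is not enabled in $1"
    else
        echo "FIX: uncheck 'Allow Perl updates from RPM-based linux vendors' in WHM Tweak Settings -> System"
        rc=1
    fi
    if perl_excluded_from_yum "$2"; then
        echo "ok: perl* is excluded from yum updates in $2"
    else
        echo "FIX: add perl* to the exclude= line in $2"
        rc=1
    fi
    return $rc
}

# Run the audit when both paths are given; sourcing the file only defines the functions.
if [ $# -eq 2 ]; then
    audit_perl_protection "$1" "$2"
fi
```

Running this before and after /scripts/upcp --force confirms the settings survived the update; a non-zero exit status makes it usable from cron or a configuration check.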
****************************************************************************************************************
How to locate the MySQL log file on the server.
* Check whether the MySQL log file is present in /var/log, for example /var/log/mysqld.log.
* On cPanel servers the MySQL log file is usually in /var/lib/mysql. Follow the steps below to find the log file.
======================================================================================================
root@server1 [/var/lib/mysql]# top -c | grep mysql
17545 mysql 15 0 427m 209m 5176 S 3.9 2.6 266:16.79 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server1.abc.com
======================================================================================================
Find the hostname of the server.
=======================
root@server1 [~]# hostname
server1.abc.com
=======================
We need to find the log file of the currently running MySQL server. Usually the MySQL log file is named after the hostname.
=======================================================
root@server1 [/var/lib/mysql]# ls -l | grep -i server1.abc.com
-rw-rw---- 1 mysql mysql 48495912 Aug 19 16:46 server1.abc.com.err
-rw-rw---- 1 mysql mysql 41720 May 18 2009 SERVER1.ABC.COM.err
-rw-rw---- 1 mysql mysql 6 Aug 19 16:46 server1.abc.com.pid
-rw-rw---- 1 mysql mysql 6 May 18 2009 SERVER1.ABC.COM.pid
=======================================================
From the listing above, judging by the dates, server1.abc.com.err is the one written to recently, so it is the current log file. To confirm, compare the process ID stored in server1.abc.com.pid with the process ID of the running mysqld.
==========================================
root@server1 [/var/lib/mysql]# cat server1.abc.com.pid
17545
==========================================
The process IDs match. The MySQL log file is displayed below.
==============================================================================
root@server1 [/var/lib/mysql]# vi server1.abc.com.err
090503 04:31:43 mysqld started
InnoDB: The first specified data file ./ibdata1 did not exist:
InnoDB: a new database to be created!
090503 4:31:43 InnoDB: Setting file ./ibdata1 size to 10 MB
InnoDB: Database physically writes the file full: wait…
090503 4:31:43 InnoDB: Log file ./ib_logfile0 did not exist: new to be created
InnoDB: Setting log file ./ib_logfile0 size to 5 MB
InnoDB: Database physically writes the file full: wait…
090503 4:31:43 InnoDB: Log file ./ib_logfile1 did not exist: new to be created
InnoDB: Setting log file ./ib_logfile1 size to 5 MB
InnoDB: Database physically writes the file full: wait…
InnoDB: Doublewrite buffer not found: creating new
InnoDB: Doublewrite buffer created
InnoDB: Creating foreign key constraint system tables
InnoDB: Foreign key constraint system tables created
090503 4:31:43 InnoDB: Started; log sequence number 0 0
090503 4:31:43 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.67-community' socket: '/var/lib/mysql/mysql.sock' port: 3306 MySQL Community Edition (GPL)
090503 4:31:46 [Note] /usr/sbin/mysqld: Normal shutdown
090503 4:31:46 InnoDB: Starting shutdown…
090503 4:31:47 InnoDB: Shutdown completed; log sequence number 0 43655
090503 4:31:47 [Note] /usr/sbin/mysqld: Shutdown complete
090503 04:31:47 mysqld ended
==============================================================================
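The pid-file check from the steps above, as a function added here as an example (not code from the original post): given the data directory and the pid of the running mysqld, it returns the .err file whose companion .pid file holds that pid, so the log of the live instance is identified without guessing from file dates. The helper that looks up the pid uses pgrep, which is an assumption about the server's tools.

```shell
#!/bin/sh
# Added example (not from the original post): find the error log of the running
# mysqld by matching its pid against the .pid files in the data directory.
# Usage: sh find_mysql_errlog.sh /var/lib/mysql

# Print the .err file in data directory $1 whose .pid file contains pid $2.
# Exit status 0 when found, 1 otherwise.
find_mysql_errlog() {
    datadir=$1 pid=$2
    for pidfile in "$datadir"/*.pid; do
        [ -f "$pidfile" ] || continue
        # $(cat ...) strips the trailing newline, so the 6-byte "17545\n" compares as 17545
        if [ "$(cat "$pidfile")" = "$pid" ]; then
            errlog="${pidfile%.pid}.err"
            if [ -f "$errlog" ]; then
                echo "$errlog"
                return 0
            fi
        fi
    done
    return 1
}

# Pid of the running mysqld (assumes pgrep is available; the post reads it from top).
running_mysqld_pid() {
    pgrep -x mysqld | head -n 1
}

if [ $# -eq 1 ]; then
    pid=$(running_mysqld_pid) || { echo "mysqld is not running" >&2; exit 1; }
    find_mysql_errlog "$1" "$pid" || { echo "no .pid file in $1 matches pid $pid" >&2; exit 1; }
fi
```

On the server from the post this would print /var/lib/mysql/server1.abc.com.err and ignore the stale SERVER1.ABC.COM.* pair, whose pid file does not match the running process.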
***********************************************************************************
The "latest visitors" log in the cPanel stats is weird and not getting updated.
Error: the raw access log contains only the word "combined", repeated like combined combined combined ...
Fix:
Check that the format definitions below are present in the Apache configuration file (the version here is Apache/2.2.15). When a CustomLog directive names a format nickname such as combined that no LogFormat line defines, Apache treats the word as a literal format string, which is why every line of the log reads "combined".
=======================================================================
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog logs/access_log common
    <IfModule logio_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
</IfModule>
=====================================================================
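A quick lint for that condition, added here as an example (not code from the original post or from Apache): it lists every nickname used by a CustomLog directive that has no matching LogFormat line in the given configuration file. CustomLog lines whose second argument is a quoted format string, or that carry a third env= argument, are skipped; the sample configuration in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report CustomLog nicknames that
# no LogFormat defines. Usage: sh check_logformats.sh /etc/httpd/conf/httpd.conf

# Print, one per line, the nicknames referenced by CustomLog in config file $1
# that have no LogFormat definition in the same file.
undefined_log_nicknames() {
    conf=$1
    # Nicknames defined: the last bare word of every LogFormat line, joined with spaces.
    defined=$(sed -n 's/^[[:space:]]*LogFormat[[:space:]].*[[:space:]]\([A-Za-z0-9_]\{1,\}\)[[:space:]]*$/\1/p' "$conf" | tr '\n' ' ')
    # Nicknames referenced: CustomLog <path> <bareword>; a quoted format string does not match.
    sed -n 's/^[[:space:]]*CustomLog[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]]*$/\1/p' "$conf" |
    while read -r nick; do
        case " $defined " in
            *" $nick "*) ;;          # defined somewhere in the file
            *) echo "$nick" ;;       # undefined: Apache would log the literal word
        esac
    done
}

if [ $# -eq 1 ]; then
    missing=$(undefined_log_nicknames "$1")
    if [ -n "$missing" ]; then
        echo "CustomLog nicknames without a LogFormat in $1:"
        echo "$missing"
        exit 1
    fi
    echo "all CustomLog nicknames in $1 are defined"
fi
```

Run against a file where the combined LogFormat line has been lost, the script prints "combined", which is exactly the word that then fills the access log on the affected server.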