Brute force attacks and hacking my web server

My web server got hacked today. I know because my datacenter contacted me today to tell me that a brute force attack was originating from my server against another server on a different network. So what happened is that my server got hacked, and the hacker is now using the server she hacked to hack other servers by sending FTP requests.

So, how come I got hacked when I am so obsessed with security? Well, in reality, this was just an intermediate machine that I used to run a certain script that would move my mail server, and I did not secure it (and did not see the need to).

What I usually do to secure my servers is simply install fail2ban. In this case I did not, out of laziness, but here is how I got hacked and how fail2ban would have protected me.

Before I show you the log files: this whole problem would not have happened if I had a strong password combined with fail2ban.

In the complaining party's log files:

Tue Jul 24 22:28:27 2012: user: hauvouuc service: ftp target: yyy.yyy.yyy.yyy source: xxx.xxx.xxx.xxx
Tue Jul 24 22:28:27 2012: user: pkmcndgq service: ftp target: yyy.yyy.yyy.yyy source: xxx.xxx.xxx.xxx
Tue Jul 24 22:28:27 2012: user: malumdvc1 service: ftp target: yyy.yyy.yyy.yyy source: xxx.xxx.xxx.xxx

In my log files (auth.log):

Many lines like the following, right below each other:

Jul 24 18:03:08 run sshd[14229]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 18:03:08 run sshd[14229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=9.12-14-84.ripe.coltfrance.com 
Jul 24 18:03:10 run sshd[14229]: Failed password for invalid user ts3 from 84.14.12.9 port 41014 ssh2
Jul 24 18:03:11 run sshd[14231]: Invalid user ts3 from 84.14.12.9

And some lines like this:

Jul 25 15:30:46 run sshd[10728]: pam_unix(sshd:auth): check pass; user unknown
Jul 25 15:30:46 run sshd[10728]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.119.29.135 
Jul 25 15:30:48 run sshd[10728]: Failed password for invalid user public from 217.119.29.135 port 34292 ssh2
Jul 25 15:30:48 run sshd[10730]: Address 217.119.29.135 maps to gamma2-7.cust.smartspb.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 25 15:30:48 run sshd[10730]: Invalid user public from 217.119.29.135

Thousands of lines like this one:

Jul 24 14:12:38 run sshd[2025]: error: connect_to 213.186.33.207 port 80: failed.
Jul 24 14:12:39 run sshd[2025]: error: connect_to 192.168.10.24 port 2110: failed.
Jul 24 14:12:39 run sshd[2025]: error: connect_to 195.130.65.50 port 80: failed.

Or

Jul 24 06:41:19 run sshd[9824]: error: connect_to 213.186.33.207 port 80: failed.
Jul 24 06:41:19 run sshd[13434]: Failed password for invalid user test from 202.28.123.191 port 37830 ssh2
Jul 24 06:41:20 run sshd[9824]: error: connect_to 213.186.33.207 port 80: failed.

And more like this:

Jul 24 08:19:18 run sshd[20882]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 08:19:18 run sshd[20882]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=puck748.server4you.de 
Jul 24 08:19:21 run sshd[20882]: Failed password for invalid user kk from 85.25.235.73 port 49213 ssh2
Jul 24 08:19:21 run sshd[20884]: Invalid user css from 85.25.235.73
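As an added example (not from the original post), here is the check fail2ban's sshd jail performs on lines like the ones above: count the "Failed password" entries per source address inside a sliding time window and report the addresses that cross the threshold. The sample lines are constructed in the auth.log format shown; the thresholds (5 failures within 600 seconds) follow fail2ban's stock jail.conf values, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the auth.log format shown in the post (not real log data).
SAMPLE_AUTH_LOG = """\
Jul 24 18:03:10 run sshd[14229]: Failed password for invalid user ts3 from 84.14.12.9 port 41014 ssh2
Jul 24 18:03:11 run sshd[14231]: Invalid user ts3 from 84.14.12.9
Jul 24 18:03:14 run sshd[14231]: Failed password for invalid user ts3 from 84.14.12.9 port 41020 ssh2
Jul 24 18:03:17 run sshd[14233]: Failed password for invalid user admin from 84.14.12.9 port 41031 ssh2
Jul 24 18:03:20 run sshd[14235]: Failed password for root from 84.14.12.9 port 41044 ssh2
Jul 24 18:03:23 run sshd[14237]: Failed password for invalid user oracle from 84.14.12.9 port 41052 ssh2
Jul 24 18:40:00 run sshd[14400]: Failed password for invalid user test from 202.28.123.191 port 37830 ssh2
Jul 24 18:41:00 run sshd[14402]: Failed password for invalid user test from 202.28.123.191 port 37831 ssh2
Jul 25 15:30:48 run sshd[10728]: Failed password for invalid user public from 217.119.29.135 port 34292 ssh2
Jul 25 15:30:49 run sshd[10730]: Invalid user public from 217.119.29.135
"""

# Both shapes seen in the post: "Failed password for invalid user X from IP"
# and "Failed password for X from IP" (an existing account such as root).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(log_text, year=2012):
    """Yield (timestamp, source_ip, user) for each failed-password line.
    syslog timestamps carry no year, so one is assumed (2012 here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def ban_candidates(log_text, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for every source with at least maxretry
    failures inside any findtime-second window. maxretry=5/findtime=600
    mirror fail2ban's stock jail.conf values."""
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    banned = {}
    for ts, ip, _user in sorted(parse_failures(log_text)):
        if ip in banned:
            continue             # fail2ban would already be dropping this source
        window = recent[ip]
        window.append(ts)
        # slide the window: forget attempts older than findtime seconds
        while (ts - window[0]).total_seconds() > findtime:
            window.pop(0)
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in ban_candidates(SAMPLE_AUTH_LOG).items():
        print(f"{ip} would have been banned at {when}")
```

With the sample, only 84.14.12.9 reaches five failures inside the window (at 18:03:23); the two attempts from 202.28.123.191 stay below the threshold.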

Installing my 3TB hard drive on Debian Linux step by step

It is simple; here is what you need to know.

You can format it as ext4, but ext2 and ext3 are also OK. ext2 and ext3 allow disks of up to 16TB and file sizes of up to 2TB; ext4 allows much more.

Any Linux kernel newer than 2.6.31 should work just fine with "Advanced Format" drives, using the exact same steps in this article.

MBR only supports drives up to 2TB; you need GPT, so let us get started.

1- apt-get update
2- apt-get install parted
3- parted /dev/sdc
4- mklabel gpt
5- Answer yes to: Warning: The existing disk label on /dev/sdc will be destroyed and all data on this disk will be lost. Do you want to continue?
Yes/No? yes
6- mkpart primary ext4 0% 100% (to make a partition as big as the disk; it will start from the first megabyte, for alignment, and run to the end of the disk)
7- quit

FYI, if you want multiple partitions, here are the 2 lines that should replace step 6:
6a- mkpart primary ext4 0% 40%
6b- mkpart primary ext4 40% 100%

And remember to format both (sdc1 and sdc2) when you are done with parted.

Now to format the drive:

mkfs.ext4 /dev/sdc1

Before mounting it: I like ext4, but I don't want a journaling file system on this drive, which is not the system drive, so I need to do a few things to it first.

Lazy writeback

tune2fs -o journal_data_writeback /dev/sdc1

No Journaling

tune2fs -O ^has_journal /dev/sdc1

Now to check what we have:

dumpe2fs /dev/sdc1 |grep 'Filesystem features'

Or, if you want the whole thing on the screen:

dumpe2fs /dev/sdc1 |more

If has_journal appears in the output of the first command, the file system still has a journal.

And there we are. Now we need to mount it at boot time by adding it to fstab, and to do that we need the partition's unique ID!

8- Executing the following command will give you the unique ID of this new partition for use with fstab (the disk list we will edit below in step 10):
blkid /dev/sdc1
9- Create the directory where you want to mount your hard disk, for example:
mkdir /hds
mkdir /hds/3tb
10- Now we add the following line to fstab. Notice that noatime increases performance, but some applications might need or rely on access times; Postfix does not, and I have verified that.

UUID=b7a491b1-a690-468f-882f-fbb4ac0a3b53       /hds/3tb            ext4     defaults,noatime                0       1

defaults and noatime are only a couple of the options; here are more that you can add:
nofail = if the disk is not present, continue booting
nobootwait = limit how long the boot waits for this disk
noauto = don't mount it until I issue a "mount /dev/sdb1" or "mount /hds/thisdisk" command

11- Now execute
mount -a

You are done. If you execute
df -h
you should see your 2+TB hard drive in there!

To make sure the drive is aligned correctly, I like to write a file to it and see how fast that goes, so let us use a 2GB file:

dd if=/dev/zero of=/hds/WD2000_3/deleteme.img bs=1M count=2000

Outcome (for a Western Digital Black 2TB):
First run: 2097152000 bytes (2.1 GB) copied, 5.94739 s, 353 MB/s
Consecutive runs: 2097152000 bytes (2.1 GB) copied, 11.1405 s, 188 MB/s
Outcome for a Western Digital Green 3TB:
First run: 2097152000 bytes (2.1 GB) copied, 8.32337 s, 252 MB/s
Consecutive runs: 2097152000 bytes (2.1 GB) copied, 14.376 s, 146 MB/s

The consecutive runs give close results; what I printed here is the average.

FAQ of hard disk errors and data retrieval

Section 1: My hard drive has bad sectors / blocks / areas

Do I need to change it?
Not necessarily, but if it is under warranty and they allow you to replace it, a new one is not a bad idea. Otherwise, read on.

It all depends on whether the bad sectors are spreading or not. If they are not, they were probably caused by a shock to the hard drive, and usually it is enough to mark them as bad using "chkdsk /r" on Windows and keep the drive in service.

To find out whether your bad sectors are spreading, run "chkdsk /r" four times and make sure the same number of bad sectors appears the second, third and fourth time (ignore the first run). If the second differs but the third and fourth are the same, run the test 2 more times and make sure you get the same number of bad sectors for runs 3, 4, 5 and 6. If so, your bad sectors are not spreading.

You did not mention backups in the previous answer; do we need to back up?
People would typically tell you to back up just in case. I say you should always have a backup of your most important files. In my humble experience, non-spreading bad sectors do not contribute negatively to reliability, so my answer is: a backup should be kept regardless.

How do I know how many bad sectors are marked on an NTFS hard drive?
There is a tool called nfi.exe that comes in a bundle Microsoft makes available at http://support.microsoft.com/kb/253066/en-us (it is part of the OEM Support Tools). It can tell you everything about a disk formatted as NTFS.

Searching your hard drive for files or for a string in a file

On a Linux box, there is a simple way to search for text inside files using regular expressions from the command line.

So, the short answer: in Linux, you can simply execute this line

grep -R -B3 -A4 "MYTEXT" /var/ > /root/findingres.txt

This shows you the 3 lines before and the 4 lines after the matching text, together with the file name; it searches the /var/ folder and stores the search results in /root/findingres.txt.

The above is a simple example; you can use regular expressions to find more complicated things.

Also, if you want to search the entire hard drive for a string, but only in one type of file that you specify by its extension, you can use the following (the pattern is quoted so the shell does not expand it before grep sees it):

grep -R --include="*.txt" "MYTEXT" /etc/

Now, if you want to search for a file by file name,

find / -type f -name "myfile.txt"

would look for an exact file name. If you want to find files using wildcards, for example any file that ends in a certain extension, you would use

find / -type f -iname "*.psd"

If you want to include directories in your search, remove the -type flag

The copy (cp) and move (mv) commands in Linux

For some reason, when you look for a way to move a folder and all its sub-folders into another folder, overwriting the files that already exist at the destination, you will find very little information. The reason is that the mv command, which both renames files and folders and moves them, does not support a -R (recursive) switch. The answer is to copy them, then delete the source.

So, if I downloaded WordPress and I want to update my installation with the new files, I would run

cp -R /var/vhosts/wordpress/* /var/vhosts/example.com/

This updates my copy of WordPress by copying the contents of the wordpress folder into the virtual hosting directory of my website.

KEEP IN MIND THAT THE mv AND cp COMMANDS OVERWRITE WITHOUT PROMPTING.

To make them prompt before overwriting, you must pass the -i parameter.

If you don't want a prompt but still want to NOT overwrite destination files, you would also have set the "--reply=no" parameter (deprecated) so that the mv command answered NO in every overwrite situation.

NOTE: --reply has been deprecated (it no longer works).

The Linux move (mv) command: moving folders

To move a folder into another folder: assuming there is a file named text.txt inside the folder, at /hds/ssd/mysql/moveme/text.txt, after this command we will have the file at /hds/ssd/mysql/into/moveme/text.txt

mv /hds/ssd/mysql/moveme/ /hds/ssd/mysql/into/

To move the contents of moveme, including sub-folders, directly into the folder into, without moving the folder moveme itself:

mv /hds/ssd/mysql/moveme/* /hds/ssd/mysql/into/

Adding an FTP server and setting up users to access directories

This post is rather old, and everything on the internet is secured these days, so rather than FTP it is recommended that you set up the new user with SFTP (Secure File Transfer Protocol) instead. SCP is another option, but I have an SFTP article ready for you here.

So here is a quick guide to giving a user access to a certain directory via FTP.

You probably already use a Linux server and access your files via SFTP or SCP, but you want to give someone access to a certain directory within it.

Here is how it is done on a Debian squeeze machine:

apt-get install pure-ftpd-common pure-ftpd

Then we need to add a group and a default system user for the program:
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser

pure-pw useradd test1 -u ftpuser -d /home/ftpusers/test1

pure-pw mkdb

This creates the file /etc/pureftpd.pdb, which houses all information related to your virtual users.

pure-pw passwd test1

Once the password is set, update the database:

pure-pw mkdb

To delete a user:

pure-pw userdel test1

To display a user's settings and to see who is currently connected:

pure-pw show test1
pure-ftpwho

Create a symlink to add PureDB to the authentication methods:

cd /etc/pure-ftpd/auth
ln -s ../conf/PureDB 50pure

Disable PAM authentication unless you need it:

echo no > /etc/pure-ftpd/conf/PAMAuthentication

Disable UNIX authentication unless you need it:

echo no > /etc/pure-ftpd/conf/UnixAuthentication

Site would not delete from Plesk

Today, as I was managing my Plesk version 9 for Windows server, I noticed that every website I ticked and tried to remove (deleting all files and everything related) just ended up disabled; it would not get removed.

So here is the solution.

Open the command prompt (CMD) and change the directory to the Plesk bin directory like so:

cd c:\Parallels\Plesk\admin\bin

Then, execute the command

domain.exe --remove domain.com

You should now find that the domain is no longer in the list of domains.

Sometimes I get an error stating that a file (a DLL) in the system32 directory is in use by... The answer is to reboot the server, then try deleting a few times with the command above until you see the success message.

Just like in the previous post, why running the command from the command line works while the control panel does not is unknown to me.

Reactivating websites on Plesk for Windows

On a Plesk for Windows installation, there was a problem reactivating websites: everything seems fine when you activate, then you refresh the page and it is inactive again.

The answer is to first make sure the user is still active (the date for the user, not the domain name), then to activate the domains from the command line. Why? Not sure, but this is certainly still true for version 9 of Plesk panel, and soon I will be testing it for version 10.

cd c:\Parallels\Plesk\admin\bin

Then

domain.exe --on domainname.com

(Type it in yourself, and notice that -- is 2 consecutive dashes)

You should see

SUCCESS: Changing status of domain ‘domainname.com’ completed.

Directory and sub directory sizes and disk usage

Although this belongs in the Linux command cheat sheet, this post is here to list the directory, sub-directory and disk drive usage commands.

To begin with, if it is disk space you want information about, the following command displays the useful disk usage information:

df -h

If you want to know the size of all sub-directories in a directory, move to the directory containing the sub-directories (if it is the root, this can take a long time) and run

du -sh *

Now, if you want to list all the directories above a certain size, in this case measured in GBs, here is how you do it:

du -h <dir> | grep '[0-9\.]\+G'

If the above also lists directories that are not in the gigabytes range, you can use the following instead (it anchors the match to the size column):

du -h <dir> | grep '^\s*[0-9\.]\+G'

Extracting audio from YouTube files without loss of quality

To avoid confusing you with terminology, let's create our own with the simple words we know.

For those who have been here before and just want the lowdown to remind them of the commands, scroll to the bottom of this post.

This bit of theory I am starting with is not needed to extract your audio; it is simply to introduce what we are doing.

The video file has 2 sub-files, one for video and one for audio, and they are synchronized so that the lip movements in the video appear to match what the audio is playing.

If we do not want to lose any of the audio's quality by decoding and then re-encoding it, we want to extract the "inner audio file" without modifying it and put it into a separate file (container).

Separating the audio from the video is easy with a free tool called ffmpeg, and here are the exact instructions:

1- Make sure ffmpeg is installed on your computer and added to the system path; if not, see the article (installing ffmpeg).
2- Download the YouTube (or any other) video file to c:\download\video. Assuming we have 2 tutorial files, tutorial.flv and tutorial.mp4, both were downloaded from youtube.com (if you don't know how to download a YouTube video, see this article).
3- Open the command line (the Command Prompt can be opened from your Start menu; look in Accessories).
4- Enter the following command into your command prompt to change the active directory to where you have your files; in our example we enter

cd c:\download\video

5- Then, for my first file, I execute the command

ffmpeg -i tutorial.flv

You should now see, in your command prompt window, which sub-files (streams) are inside your container file (the file you downloaded from YouTube or anywhere else).

--------------------------------------------------------------
  Duration: 00:02:06.59, start: 0.000000, bitrate: 64 kb/s
    Stream #0.0: Video: flv, yuv420p, 320x240, 29.97 tbr, 1k tbn, 1k tbc
    Stream #0.1: Audio: mp3, 22050 Hz, mono, s16, 64 kb/s
--------------------------------------------------------------

If you don't see the word mp3 as in this example, don't panic; just move on to step 7.

In our first example file the audio stream turned out to be an MP3 stream, as you can see above. If that were not the case and we had a different format (as I will explain next), we would have different choices for extracting, but for this example we have MP3, meaning we do not need to re-encode anything, just copy the stream from the container we downloaded into a new container that will be created.

6- Extract the MP3 file without re-encoding, keeping the full quality it has in the video:

ffmpeg.exe -i tutorial.flv -acodec copy tutorial.mp3

But for some reason, copying the Ogg Vorbis audio from a webm file without re-encoding did not work until I added the -vn switch:

ffmpeg -i Bir_G_zellik_Yap_Murat_Dalk_l.webm -vn -acodec copy test1.ogg

So now I have the file tutorial.mp3, which simply has the same clarity as my video file. The -acodec copy parameter told ffmpeg to just copy the stream into the new file and not re-encode it.

7- If it does not say mp3 anywhere in your results, you have a different audio format, which we will deal with now.

So let us deal with our second file, tutorial.mp4, which turned out not to have MP3 in it but rather AAC.

So executing the command

ffmpeg.exe -i tutorial.mp4

Returned the result

--------------------------------------------------------------
Duration: 00:05:02.44, start: 0.000000, bitrate: 281 kb/s
  Stream #0.0(und): Audio: aac, 44100 Hz, mono, s16
  Stream #0.1(und): Video: h264, yuv420p, 320x240 [PAR 1:1 DAR 4:3], 25 tbr, 25 tbn, 50 tbc
--------------------------------------------------------------

In this case we do NOT have the option of getting an MP3 without re-encoding; we can re-encode it into MP3, as I will show you in a bit, or we can extract and use an AAC audio file.

An AAC file is not at all bad; sometimes it is better than an MP3. Why? AAC is a newer format, and it will still play on many devices: most computers, relatively new iPods, most modern mobile phones and many other MP3 players.

AAC streams are mostly put into m4a containers, but can also go into .m4b, .m4p, .m4v, .m4r, .3gp, .mp4 or .aac (your choice; the most common is m4a, but some older mobiles use 3GP).

So let us first try to extract the AAC stream without re-encoding (in the next step we re-encode to MP3 for those who want an MP3):

ffmpeg.exe -i tutorial.mp4 -acodec copy tutorial.m4a

Now, if the device you want to use does not support AAC files, what we can do is ask ffmpeg to convert it to MP3 for us:

ffmpeg -i tutorial.mp4 tutorial.mp3

—————————————————–

The Lowdown

1- Find out what streams exist

ffmpeg -i tutorial.mp4

2- Copy MP3 stream without re-encoding

ffmpeg.exe -i tutorial.mp4 -acodec copy tutorial.mp3

3- Copy AAC stream without re-encoding

ffmpeg.exe -i tutorial.mp4 -acodec copy tutorial.m4a

4- Re-encode audio to an MP3 file

ffmpeg -i tutorial.mp4 tutorial.mp3
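As an added example (not from the original post), here is the decision the steps above make by hand, written as a small Python helper: it reads the stream list that ffmpeg -i prints, finds the audio codec, and builds the matching ffmpeg command, copying the stream when a suitable container exists (mp3, m4a, or ogg for the webm case above) and re-encoding only when an MP3 is wanted from a non-MP3 stream. The probe outputs are constructed copies of the two shown above; the codec-to-container table and the always-on -vn are assumptions of this example.

```python
import re

# Constructed sample probe outputs, mirroring the two "ffmpeg -i" results
# shown in the post (newer ffmpeg prints "#0:1" and extra codec details;
# the regex tolerates both).
PROBE_FLV = """\
  Duration: 00:02:06.59, start: 0.000000, bitrate: 64 kb/s
    Stream #0.0: Video: flv, yuv420p, 320x240, 29.97 tbr, 1k tbn, 1k tbc
    Stream #0.1: Audio: mp3, 22050 Hz, mono, s16, 64 kb/s
"""
PROBE_MP4 = """\
Duration: 00:05:02.44, start: 0.000000, bitrate: 281 kb/s
  Stream #0.0(und): Audio: aac, 44100 Hz, mono, s16
  Stream #0.1(und): Video: h264, yuv420p, 320x240 [PAR 1:1 DAR 4:3], 25 tbr, 25 tbn, 50 tbc
"""

STREAM_RE = re.compile(
    r"Stream #\d+[.:]\d+(?:\[0x[0-9a-fA-F]+\])?(?:\(\w+\))?: (Audio|Video): (\w+)"
)

# Codec -> container that can hold that stream unchanged. Assumed mapping
# covering the formats the post mentions (mp3, aac, vorbis inside webm).
COPY_CONTAINERS = {"mp3": "mp3", "aac": "m4a", "vorbis": "ogg"}


def audio_codec(probe_output):
    """Return the codec of the first audio stream, or None if there is none."""
    for kind, codec in STREAM_RE.findall(probe_output):
        if kind == "Audio":
            return codec
    return None


def plan_extraction(probe_output, input_name, want_mp3=False):
    """Build the ffmpeg argv the post works out by hand: stream-copy into a
    matching container when possible, re-encode to MP3 only when asked for
    and the stream is not MP3 already. -vn is always passed so no video
    stream is carried along (the post needed it for webm/vorbis)."""
    codec = audio_codec(probe_output)
    if codec is None:
        raise ValueError("no audio stream found in probe output")
    stem = input_name.rsplit(".", 1)[0]
    if want_mp3 and codec != "mp3":
        # the only route to MP3 from a non-MP3 stream is a lossy re-encode
        return ["ffmpeg", "-i", input_name, "-vn", f"{stem}.mp3"]
    container = COPY_CONTAINERS.get(codec)
    if container is None:
        raise ValueError(f"no known container for a lossless copy of {codec}")
    return ["ffmpeg", "-i", input_name, "-vn", "-acodec", "copy", f"{stem}.{container}"]


if __name__ == "__main__":
    print(" ".join(plan_extraction(PROBE_FLV, "tutorial.flv")))
    print(" ".join(plan_extraction(PROBE_MP4, "tutorial.mp4")))
    print(" ".join(plan_extraction(PROBE_MP4, "tutorial.mp4", want_mp3=True)))
```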

 

To encode any file into a DVD-compatible file (best when used with DVD players that have a USB input, or with a USB TV):

ffmpeg -i 9.mp4 -threads 2 -filter:v "scale='if(gt(a,720/480),720,-1)':'if(gt(a,720/480),-1,480)',pad=w=720:h=480:x=(ow-iw)/2:y=(oh-ih)/2" -target pal-dvd 9.mpg

Sometimes you might want to replace pal-dvd with ntsc-dvd.