Thursday, March 15, 2012

tmux disable confirmation prompt on kill-window

SkyHi @ Thursday, March 15, 2012
By default  & is bound to confirm-before -p "kill-window #W? (y/n)" kill-window. The use of confirm-before causes the prompting. If you do not want the confirmation prompt, then just rebind & directly to kill-window:
bind-key & kill-window
You may also want to rebind x, too. It defaults to a confirming version of kill-pane; though you might want to consider whether this one might be too easy to accidentally type before removing the confirmation.
bind-key x kill-pane
Note: Both examples above are suitable for direct inclusion in .tmux.conf, but you could also type them into a  : prompt, or type them into a shell after tmux (though you would have to quote/escape & since it usually special to the shell).
I think those are the only default bindings that use confirm-before. You can check your particular configuration like this:
tmux list-keys | grep confirm-before


Steps to investigate hacked linux server

SkyHi @ Thursday, March 15, 2012
Check your server is hacked or not

 find text files that were last modified 60 days ago
$ find /home/you -iname "*.txt" -mtime -60 -print

Following are the few to investigate whether the linux server is hacked or not:

Follow the steps one by one and analyse or check your linux server is hacked or not.

Who is on the Server:
$ w 

 $ netstat -nalp | grep ":22"


$ w && netstat -nalp | grep ":22"
The above commands will say who are all logged into the server.

Who was on the Server
$ last

$ cat /var/log/secure* | grep ssh | grep Accept

$ cat /var/log/secure* | grep ftp | grep Accept

Check what is the Current Network Activity of your server
$ netstat -nalp 

 $ nmap localhost


$ netstat -nalp && nmap localhost

What Processes are Running:
$ ps -elf 

 $ ls /proc/*/exe -la

What Files are in the Common Attack Points:
$ ls /tmp -la 

 $ ls /var/tmp -la 

 $ ls /dev/shm -la
These are all the common unsecured places where the hacker intrudes into your linux server.

Don't delete any thing or make changes just yet, just catalog every thing. Do not access a file with cat or strings, catalog the files and save that for later. Once you start deleting things you can no longer further investigate as to how deep they have penetrated. Don't be fooled into seeing a common Apache compromise and think it ended there. Many times that was just the broken window they used to get in the first time, meanwhile they are tunneling deeper trying to get into root access.

What version of Linux is running
$ cat /etc/redhat-release

For non Red-Hat Linux
$ cat /etc/issue

Compare this to the kernel
$ uname -a


$ cat /proc/version

Who is the author of the file:
$ ls -la --author

When was the last time the file has been accessed and by who:
$ ls -l --time=access

Before you run off and use the cat command it is good to first check the file type with the file command. Many a time I myself have been fooled seeing a file marked as something.html and finding it was really a binary file.

What kind of file is it(ASCII or Binary):
$ file filename


$ file /path/to/directory/*

You have been trying to be sneaky and not have any obvious virus scan running in the process list so as to not be detected, but that is tedious work and slow.

Update the Locate Database:
$ updatedb &

If this is a web server then the next thing to hunt for is signs of Apache exploits and SQL injection scripts. This nice little script was handed down to me from a co-worker and does a nice job of hunting through the log files rather than the long tedious work of searching manually.

Search for Apache Exploit
$ for i in `locate access_log`; do echo $i; egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' $i; done


$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /path/to/log/files/*

$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/* 

 $ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*

egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20'/home/virtual/site*/fst/var/log/httpd/*

$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/httpd/vhosts/*/statistics/logs/* 

 $ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /var/log/httpd/*

Search for Shell Code:
$ cat /path/to/access/logs/* | grep "/x90/"

From the steps provided above you can make a guess or conclude whether there is any intruder present in your server or not. Hope the above steps were much helpful to check your hacked server.


Wednesday, March 14, 2012

Ubuntu Apt Cheat Sheet

SkyHi @ Wednesday, March 14, 2012

Command line package administration can be powerful but it’s not obvious at first glance.
The commands to list, install, upgrade and uninstall are not using the same shell command.
Sometime you need apt-get, sometimes apt-cache, sometimes dpkg,… not very consistent.
Some commands are also confusing, for instance:
bash# apt-get install phpmyadmin
will install only the phpmyadmin package.
However this one:
bash# apt-get upgrade phpmyadmin
or this one:
bash# apt-get upgrade
are exactly the same and will attempt to upgrade ALL your packages, and not a specific one.
apt-get upgrade should probably give an error that is has an extra argument instead, otherwise you think you’re just upgrading one package.
Worse: you need to reuse the apt-get “install” command to upgrade a specific package, which makes the “upgrade” keyword confusing.
This cheat sheet is also valid for Debian systems as Ubuntu is based on Debian.
It is presented in a chronological manner for the lifetime of a package: searching, getting more details, installing, upgrading, removing.
Here is a quick cheat sheet summary:

1/ Package Management Cheat Sheet

sudo apt-get update # Update the local repository to have all the latest available packages
apt-cache search phpmyadmin # Search by keyword for a package
apt-cache show phpmyadmin # Get more information about a specific package before installing it
sudo apt-get install phpmyadmin # Install a specific package
dpkg -L phpmyadmin # List the files installed by a specific package
dpkg -l # List ALL installed packages
sudo apt-get install # Upgrade a package to the latest available version
apt-get upgrade # Upgrade ALL installed packages
sudo apt-get remove phpmyadmin # Uninstall, Remove, Delete, Suppress, Deinstall a specific package
And here are what the commands return in detail:

2/ Update the local repository to have all the latest available packages

bash# sudo apt-get update
Hit maverick Release.gpg
Ign maverick/main Translation-en
Ign maverick/main Translation-en_US
Get:1 maverick-security Release.gpg [198B]

3/ Search by keyword for a package

bash# apt-cache search phpmyadmin
dtc-toaster - web control panel for admin and accounting hosting services (metapackage)
phpmyadmin - MySQL web administration tool

4/ Get more information about a specific package before installing it

bash# apt-cache show phpmyadmin
Package: phpmyadmin
Priority: extra
Section: universe/web
Installed-Size: 17040
Maintainer: Ubuntu Developers
Original-Maintainer: Thijs Kinkhorst

5/ Install a specific package

The following command will take all dependencies into account and install the required packages for this specific package to work.
bash# sudo apt-get install phpmyadmin
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  dbconfig-common javascript-common libapache2-mod-php5 libgd2-xpm libjs-mootools libmcrypt4 libt1-5
  php5-cli php5-common php5-gd php5-mcrypt php5-mysql wwwconfig-common
Suggested packages: