shukko·HOWTO: ProFTPD Antivirus using CLAMAV için yorumlar kapalı
This howto is about making ProFTPD work with CLAMAV to scan all files uploaded by users using a FTP client.
Recently our customers are having real difficulty with Iframe viruses, Php shells and other kind of windows viruses are also a headache always.
ClamAV is already working with exim mail server in our servers for years. Why not make it also scan incoming FTP uploads.This will add more CPU Time to our servers, but preventing users to upload any kind of virus data makes sense.

How will this work? :
-we will add ClamAV support to ProFTPD using mod_clamav module.
-when a user uploads a file using FTP, ClamAV will scan incoming file after upload finishes.
-if any kind of virus like signature found by ClamAV, uploaded file will be deleted from server, notifying the FTP client.

1- we will need a working ClamAV installation on server before this. I prefer not to tell how to install ClamAV to server this time, because there is already a very handy script called update.script which can install ClamAV and tons of other stuff. I take portions of this script to automate my process. Thanks to original update.script creator!

If ClamAV is already installed and updating itself regularly please skip this step.

-INSTALL CLAMAV-

Code:
mkdir /usr/local/updatescript
cd /usr/local/updatescript
wget http://tools.web4host.net/update.script
chmod 755 update.script

Run it once.

Code:
./update.script

Install Clamav

Code:
./update.script CLAMAV

Clamav Installation Done!

2- Update ProFTPD with current version. And patch it using mod_clamav for ClamAV usage.

Code:
cd ~
wget http://www.serverdirekt.com/DA/FTPAV/ftpantivirus
chmod +x ftpantivirus
./ftpantivirus

-this script will download ProFTPD, download mod_clamav latest version, patch ProFTPD with mod_clamav, compile and install new ProFTPD package with ClamAV support.

3- We need to edit our clamav.conf file to allow TCPSocket connections to port 3310

Code:
nano /etc/clamd.conf

find #TCPSocket 3310 line and comment it out.
find #TCPAddr 127.0.0.1 line and comment it out.
Final file will look like this:

Code:
....................
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /tmp/clamd

# Remove stale socket after unclean shutdown.
# Default: no
FixStaleSocket yes

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1
....................

4- Finally we need to edit proftpd.conf to use our new mod_clamav module.

Code:
nano /etc/proftpd.conf

inside <Global></Global> tags at the end add:

Code:
<IfModule mod_clamav.c>
   ClamAV on
   ClamServer localhost
   ClamPort 3310
   ClamMaxSize 5 Mb
</IfModule>

we do not want to scan files bigger than 5 Mb to save some CPU time.

5- Restart ClamAv and ProFTPD to test this out!

Code:
service clamd restart
service proftpd restart

6- Finally go to http://www.eicar.org/anti_virus_test_file.htm to download eicar test virus and upload it to your ftp server with your favorite FTP client.

If you see something like that on your FTP client logs, well done!

Code:
Command:	STOR eicar_com.zip
Response:	150 Opening BINARY mode data connection for eicar_com.zip
Response:	550 Virus Detected and Removed: Eicar-Test-Signature
Status:	Retrieving directory listing...

7- IF something goes wrong and your ClamAV enabled ftp server is not scanning files as it should.

first check ProFTPD if mod_clamav is activated

Code:
proftpd -vv

If you see mod_clamav.c under Loaded modules:
you have mod_clamav ready.

For further investigation we can run our ProFTPD server in debug mode to see what’s going on:

Code:
service proftpd stop
proftpd -n -d 10

Try to login and upload eicar test virus to your FTP now, you will see what’s going on under the hood in good detail…

FINAL NOTE: I tested this only on Centos 5.x i386 and X86_64 servers. So there is no guarantee that it will work on any other O/S.

shukko·SPF SHIT! için yorumlar kapalı

microzoftun spf duzenleyicisi:

1- http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/default.aspx

hotmail spf spf diye tutturursa buna bakiyoruz

2- bu linkdeki amca cok ugrasmis helal olsun
cozmus olayi

http://www.innovation-station.net/archives/2007/03/29/hotmail-and-my-spf-nightmare/

Hatta icerigide su sekilde yazdiklarinin:

Do you know what a SPF record is?

No?

Neither did I until Microsoft decided to class me as a spammer, and if you read on you might just save yourself from loosing several days of your life trying to implement one.

Me Sir, a ’spammer’?

Anyway, to understand what I’m rambling on about we need a bit of background, and why this ‘SPF Record’ is getting me so wound up.

I, unlike the majority of people with common sense, use Hotmail as my primary email provider, and have done since I first starting using the Internet. In fact I had my Hotmail address before it became part of the Microsoft empire. One thing that annoys me however, is that I am now having to put up with more and more spam, despite efforts to curtail it.

We all know the stress of sorting through spam, and thank the people who work on solutions to filter out or just stop that crap coming through. However, I am sure you will understand my annoyance when I found out that thanks to the configuration of my (dv) dedicated-virtual server I have in fact been branded a ’spammer’ by Microsoft, and as a result they appear to be black holing any mail sent to a Hotmail account from my (dv).

Before I go any further I would just like to clarify that this is in fact nothing to do with the (dv) server as a product or Media Temple, but rather the way in which a virtual server environment works. I have found dozens of references via Google of people complaining of the same problems, and interestingly most seem to refer to people running VPS environments using Plesk.

As with all things, when something goes wrong, you have to learn how it works to be able to fix it, and thus I have been learning some of the ins and outs of running mail servers and the DNS system.

Disclaimer: At this point I would just like to say I only have a (very) basic idea about how either work, so don’t take anything I say as gospel, but rather use it as a loose guide and reference to where you may find further help.

Where is my mail going!?

After getting in touch with the guys at (mt) I decided that I needed to find where my bloody mail was going. I wasn’t getting a bounceback mail from the Hotmail server, and Thunderbird told me that the mail was delivered. Thankfully due to the fact that the (dv) allows you to delve into the OS to see what’s going off, I thought I would interview the SMTP log and see what was going off. The SMTP server in Plesk’s case is called “Qmail’ and the logs are located at # /usr/local/psa/var/log/maillog and can be read in a number of ways. In this case I found the easiest way to track what was going off was to use the tail -f command which spurts out the log information for events as they are happening, and this is what I got when I tried to send an email to my Hotmail account:


Mar 22 17:32:23 as qmail: 1174584743.517414 delivery 437: success: 65.54.244.168_accepted_message./Remote_host_said:_250_ <4602BEEF.1080905@helloian.com>_Queued_mail_for_delivery/

So it would seem that the Hotmail server is accepting the mail, queuing it, but never actually delivering it, due to their spam filtering technology. A quick search on Google showed that plenty people seemed to have experienced the same problem. Interestingly most were using Plesk, and virtually all of them were using Qmail as their SMTP server. Clicking the seemingly never ending list of results, I realised that not one had any comments regarding a working solution, but the acronym SPF kept popping up a lot, so I decided it was worth a look.

The Sender Policy Framework

The Sender Policy Framework allows a domain owner to specify which machines are allowed to send email on its behalf. This kind of mechanism is unfortunately not present in the Simple Mail Transfer Protocol, a fact that allows spammers to send e-mail from forged addresses relatively easily, as there is no inbuilt validation when an email is sent and then received.

Fortunately the remedy is relatively straight forward to implement. The SPF record is applied as a TXT type entry in the domain’s DNS record, and it’s as simple as that. Now, when you send an email, the receiving mail server can use this SPF record to verify that the origin of the email is legitimate. To help illustrate what is happening, below is a MIME header from an email I sent between two accounts on my (dv).

Return-Path:
Delivered-To: 3-sayhello@helloian.com
Received: (qmail 32062 invoked from network);
29 Mar 2007 17:59:58 +0100
Received: from 85-211-13-70.dyn.gotadsl.co.uk 

(HELO ?192.168.1.5?) (85.211.13.70)
  by distillate-hosting.net with (DHE-RSA-AES256-SHA encrypted)
  SMTP; 29 Mar 2007 17:59:58 +0100
Message-ID: <460BF1EE.4020508@distillate.co.uk>
Date: Thu, 29 Mar 2007 18:05:50 +0100
From: Ian Halliday
User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
MIME-Version: 1.0

The confusion arises when the receiving machine reads the email is claiming to be from the domain ‘distillate.co.uk’ but has been sent via the server ‘distillate-hosting.net’. As far as the machine is concerned, there is no link between the claimed sender and the machine it originated from. There is no way to tell if this information is legitimate or not.

The reason that my initial searches on Google seemed to show that it was mostly VPS users with multiple domains that were suffering from this problem is that by its very nature, a VPS server running by multiple domains will send mail from the mail server of any given domain (in my case distillate.co.uk) through the SMTP server of the host VPS platform (distillate-hosting.net in my case). Unfortunately emails sent using this setup look very similar to ’spam’ messages, and the Hotmail spam filter (known as ‘SmartScreen’) is quick to step in and black hole the email, meaning it never reaches its destination, despite the Hotmail server notifying the sender that the email has been received and delivered.

Fortunately, this is where the SPF record steps in to clear matters up. The SPF record tells the receiving machine that the server ‘distillate-hosting.net’ sends mail on behalf of the mail exchanger for the domain ‘distillate.co.uk’ and this is written as:

v=spf1 mx ip4:XXX.XXX.XXX.XXX mx:mail.YYYYYY.YYY ?all

Where:

  • v=spf1 Denotes the following as a SPF record.
  • mx States that the Mail Exchanger sends outbound mail for server as stated in the next segment<./li>
  • ip4:XXX.XXX.XXX.XXX Is the IPv4 formatted IP address of the (dv) server.
  • mx:mail.YYYYYY.YYY States that the Mail Exchanger of the domain specified (YYYYYY.YYY) sends mail through the IP previously specified.
  • ?all States that any IP’s that fail to meet any of the listed ‘mechanisms’ will return “neutral”, thus will be treated as if a record does not exist.

To clarify, the SPF record for my domain distillate.co.uk is entered in the DNS zone file as:

v=spf1 mx ip4:216.70.127.122 mx:mail.distillate-hosting.net ?all

The Open SPF website explains the above is more detail, and offers a tool to help you set up your SPF record. Microsoft also have a similar tool available which after being referred to by Hotmail technical support, turned out to be more of a hindrance than a help. The Microsoft tool, and many other references recommend that a PTR mechanism is included in the SPF record. The PTR record allows reverse lookup of an IP address; that is identify the domain of an IP address. The reverse lookup is used to verify that the domain name and IP address in the email MIME header actually correlate and have not been faked. Whilst this sounds like a good idea, actually processing a reverse look up takes a considerable amount of time and it is not generally a method employed by large email providers like Hotmail. In fact Hotmail refused my initial SPF record as it included this PTR mechanism. To quote Hotmail technical support:

The specification for SPF records (RFC 4408) discourages use of “ptr” for performance and reliability reasons. This is especially important for Windows Live Mail, Hotmail and other large ISPs as a result of the very high volume of mail we receive each day. We highly recommend you remove the “ptr” mechanism from your SPF record and, if necessary, replace it with other SPF mechanisms that do not require a reverse DNS lookup, such as “a”, “mx”, “ip4″ and “include.”

Troubleshooting

The very nature of the DNS system made this problem a very frustrating one to tackle, as you don’t see instant results from your implementation, but of course have to wait anywhere up to 48 hours for the information to propagate throughout the internet. You can however use some of the tools on the Open SPF website to check your record is configured properly. Once you have confirmed that your record is set up correctly you can also send a blank email to check-auth@verifier.port25.com which will test your SPF record, and email you back the results.

I also found dnstuff.com invaluable in testing my DNS set-up. Whilst it doesn’t check the functionality of your SPF record (it only checks that you have one), then DNS Report tool on dnsstuff.com gives you feedback on all aspects of your DNS configuration and can be an excellent tool for troubleshooting.

SPF Works!

Finally I can email Hotmail users without worrying if it will go through, and if you are running a (dv) or similar setup then I strongly suggest you use a SPF record, even if you are having no problems at the moment. One way of making life even easier for yourself in the future if you use Plesk would be to use your Plesk server as the nameserver for all domains residing on it, and set up a SPF record in the main server DNS page, accessible from the main server configuration page. By doing this all new domains will automatically have the correct SPF record setup for them. If you are only running a few domains, just make the changes in (mt)’s account center and continue to use the (mt) nameservers.

If the above doesn’t work for you, get in touch with your hosting provider and make sure you have run all the tests I mentioned. Unfortunately in the end there is no substitute for really understanding what is going wrong, so I suggest you familiarise yourself with how the DNS system works. Wikipedia has an excellent article and Media Temple’s Knowledgebase has a more concise article available, either of which should put you on the right track.

Update:Well I may have spoken slightly too soon regarding everything being fine. It turns out that my emails are still not guaranteed to go straight through to any given Hotmail inbox, but rather the Hotmail spam filter will take a while to learn that my domains are trustworthy and that the SPF records check out. At the moment some emails go through okay, some go to the Junk folder.

I have been informed by Microsoft that over time (approximately a month) more of my emails should go straight through to the inbox. If anyone gets an email that lands in their junk mail (by subscribing to comment updates for example) you would be doing us both a great favour by checking ‘this is not junk’, which will ensure all mail from my server reaches your inbox in future, and that I will look better in the eyes of the Hotmail spam filter.

shukko·Avira antivirus kullaniyorum için yorumlar kapalı

Avira antivirus kullaniyorum.
Cokda memnunum
Norton, kaspersky, nod32 derken simdi avira
her 2 yilda 1 antivirus programimi degistiriyorum. Su andaki yeni gozdem avira.

http://www.avira.com/en/downloads/avira_antivir_premium.html

Bu adresden aviranin guncel surumunu indiriyorum

http://dlpe.antivir.com/package/wks_avira/win32/en/pepr/avira_antivir_premium_en.exe

sonra asagidaki 2 linkden birinden 3 aylik bir key aliyorum.
ilk link 6 aylik key veriyor olabilir denemedim.
1- https://license.avira.com/en/promotion-t0q1aatr05zwftftgnqr
2- https://license.avira.com/en/promotion-6dl7vtc3unbw2mzefr1b?id=5xJVVxx5Os&sid=rXF6uB

gule gule kullaniyorum 🙂
baska key linkleri
30gun vs

denemedim lazim olursa diye koyuyorum.

https://license.avira.com/en/promotion-t0q1aatr05zwftftgnqr

https://license.avira.com/de/promotion-6788wuyfuyluz7c2sa7z

https://license.avira.com/en/promotion-t0q1aatr05zwftftgnqr

http://www1.avira.com/en/evaluate/chip.php

(ya da http://www1.avira.com/de/evaluate/welt.php)

……………………………………………………………………………………………………………………..

Avira Antivir Premium Security Suite için Key Aşağıdaki linklerde :

https://license.avira.com/en/promotion-cj0ptfb6eh8cmw6a101r

http://www.antivir.com.tr/chip/

www.avira.com/en/evaluate/vnu.php

En olmadi

ac google

yada bu linke tiklayayim lazim olunca acil

http://www.google.com.tr/search?q=avira+promotional+license&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

shukko·How to force yum to reinstall a package… için yorumlar kapalı

rpm -e –justdb –nodeps packagename

——

Some explanation is needed.

–justdb will only update the installed lists in the rpmdb, and not remove any files.

–nodeps will not process dependencies. I normally consider –nodeps to be evil as it can seriously break things by forcing their removal.

yum will never do the equivalent of either of these operations because yum doesn’t force things. You only need to force things if they are seriously broken.

When replacing packages in place, I much prefer to use rpm’s –force. It will install over even if the same package is installed, without leaving it uninstalled

———-

shukko·catalyst control centre on windows 2008 server 64 bit. için yorumlar kapalı

I am running windows server 2008 64 bit. I had 8.8 i guess. installed 8.9 to fix my 60 fps max problems on CS source. 8.9 driver fixed the problem (probably was locking vsync). But the CCC kept crashing. One would think when you installed the package the new drivers for the display adapater would be updated. Trying to revert back to older packages like 8.8, 8.7 produced the same errors on CCC.

FIX: Install the 8.9 cat set, then go to device manager, uninstall the display adapter from there and redetect, then run CCC again from start->programs->Catalyst Control Center->Restart runtime

Error Message:

————
The features in the ATI Catalyst Control Center Basic View do not support the currently active graphic processor.

To launch the Advanced View, click on the Advanced View button. Otherwise, click Exit to close this dialog.
————
“the catalyst control center is not supported by the driver version of your enabled graphics adapter “

shukko·windows block ip addressess için yorumlar kapalı

login to RDP(assuming that how your logging in).

hit start
hit run
type mmc
hit enter
hit file
hit add/remove snap ins
at the bottom hit add
go down till you see Routing and remote access & double click it
hit ok
right click hit add server
choose this computer
hit ok
it may ask you to install if it does just let it install
should come upto a configutation page
hit “Custom Configuration”
hit next
click “Nat and basic firewall”
hit finish
if it asks you to start hit yes
expand Ip routing
hit general
right click on the connection you wanna block the ip on
hit properties
hit inbound filters
hit new
click “source network”
put in IP Address and subnetmask FYI (255.255.255.255 is per single IP)
dont check destination network and keep protocol as any
repeat by hitting new and completing that per ip
hit ok
hit apply
hit ok

and your done.

shukko·Clone/Back Up/Restore OpenVZ VMs With vzdump için yorumlar kapalı

Clone/Back Up/Restore OpenVZ VMs With vzdump

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 11/20/2008

vzdump is a backup and restore utility for OpenVZ VMs. This tutorial shows how you can use it to clone/back up/restore virtual machines with vzdump.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

I’m using two OpenVZ servers in this tutorial:

  • server1.example.com: IP 192.168.0.100
  • server2.example.com: IP 192.168.0.101

(Both are using Debian Etch and are set up according to this tutorial: Installing And Using OpenVZ On Debian Etch – but it works with any other distribution as well.)

I’m running a virtual machine with the hostname test.example.com, the IP address 192.168.0.102 and the VEID 102 on server1.example.com, and I want to back up that machine and restore it on server2.example.com.

We can restore it on server2.example.com with no changes (e.g. same IP address and hostname), but in that case we must stop the VM on server1.example.com because otherwise the IP address and hostname would conflict; the second possibility is to restore it on server2.example.com, but change some parameters like the IP address and hostname with the vzctl set command – in this case we can run both VMs (the original one on server1.example.com and the clone on server2.example.com) at the same time. This is a great method to clone VMs.

2 Preparing The OpenVZ Servers

First we must install vzdump and rsync which is a dependency. On Debian, the command is as follows:

server1/server2:

apt-get install vzdump rsync

3 Creating A Backup Of A VM

(This chapter is for server1 only!)

On server1.example.com, I want to create a backup of my VM with the VEID 102. Take a look at

man vzdump

to learn how to use vzdump.

To back up all VMs on your server, you’d use something like

vzdump –compress –dumpdir /home/backup –stop –all

–compress means: compress the dump file (results in a .tgz).

–dumpdir specifies the directory in which you want to store the dump. If you don’t specify a dumpdir, it defaults to /vz/dump or /var/lib/vz/dump (depends on your distribution).

–stop stops the VM, creates the backup, and starts it again afterwards. Your VM can be down a few minutes if you use –stop. A faster solution would be to use…

–suspend: it suspends the VM; the VM is then copied via rsync to a temporary directory. The VM gets resumed right afterwards so that it’s down only a few seconds, and then the dump is created using the copy in the temporary directory. I recommend to use this one if you can’t afford long downtimes.

You can as well leave out –stop and –suspend and dump a running VM. In most cases this makes no problem, but it is possible that the dump is inconsistent, so be warned!

–all creates a dump of all available VMs. If you want to dump only a specific VM, replace –all with the VEID of the VM.

To create a dump of our VM 102 in /home/backup and stop the VM during the backup, use

vzdump –compress –dumpdir /home/backup –stop 102

To create a dump in the default directory (/vz/dump or /var/lib/vz/dump), use

vzdump –compress –stop 102

The output could look as follows:

server1:/vz/dump# vzdump –compress –stop 102
INFO: starting backup for VPS 102 (/var/lib/vz/private/102)
INFO: starting first sync /var/lib/vz/private/102 to /var/lib/vz/dump/tmp9009
INFO: stopping vps
Stopping container …
Container was stopped
Container is unmounted
INFO: final sync /var/lib/vz/private/102 to /var/lib/vz/dump/tmp9009
INFO: restarting vps
Starting container …
Container is mounted
Adding IP address(es): 192.168.0.102
Setting CPU units: 1000
Configure meminfo: 65536
Set hostname: test.example.com
File resolv.conf was modified
Container start in progress…
INFO: vps is online again after 15 seconds
INFO: Creating archive ‘/var/lib/vz/dump/vzdump-102.tgz’ (/var/lib/vz/dump/tmp9009/102)
Total bytes written: 340428800 (325MiB, 11MiB/s)
INFO: backup for VPS 102 finished successful (1.37 minutes)
server1:/vz/dump#

To not stop, but suspend the VM, use

vzdump –compress –suspend 102

This is a sample output:

server1:~# vzdump –compress –suspend 102
INFO: starting backup for VPS 102 (/var/lib/vz/private/102)
INFO: starting first sync /var/lib/vz/private/102 to /var/lib/vz/dump/tmp10842
INFO: suspend vps
Setting up checkpoint…
suspend…
get context…
Checkpointing completed succesfully
INFO: final sync /var/lib/vz/private/102 to /var/lib/vz/dump/tmp10842
INFO: resume vps
Resuming…
INFO: vps is online again after 4 seconds
INFO: Creating archive ‘/var/lib/vz/dump/vzdump-102.tgz’ (/var/lib/vz/dump/tmp10842/102)
Total bytes written: 340428800 (325MiB, 24MiB/s)
INFO: backup for VPS 102 finished successful  (1.57 minutes)
server1:~#

After the backup, take a look at the dump directory…

ls -l /vz/dump/

… and you should see a .tgz file:

server1:~# ls -l /vz/dump/
total 147864
-rw-r–r– 1 root root      1170 2008-11-20 17:40 vzdump-102.log
-rw-r–r– 1 root root 151249685 2008-11-20 17:40 vzdump-102.tgz
server1:~#

You can now copy the dump to the other OpenVZ server, e.g. with scp (this copies /vz/dump/vzdump-102.tgz to the /home directory on server2.example.com):

scp /vz/dump/vzdump-102.tgz root@192.168.0.101:/home

4 Restoring A VM

(This chapter is for server2 only!)

On server2.example.com, you can now restore the VM as follows…

vzdump –restore /home/vzdump-102.tgz 250

… where 250 is the new VEID of the restored VM – you can use any VEID that is unused on server2.example.com – you could even use 102 again if it is unused on server2.example.com.

If you don’t want to modify the settings of the VM (e.g. IP address, hostname), you can start it now, but please make sure that the original VM is stopped on server1.example.com because otherwise the IP addresses conflict:

vzctl start 250

If you want to run both VMs (the original one and the clone) at the same time, you must change the IP address and hostname of the clone before you start it.

To set a new hostname, run sonething like this:

vzctl set 250 –hostname test2.example.com –save

To set a new IP address, we must first delete the original one…

vzctl set 250 –ipdel 192.168.0.102 –save

… and then set a new one:

vzctl set 250 –ipadd 192.168.0.250 –save

Afterwards we can start the clone:

vzctl start 250

5 Links

shukko·./check.cgi & ./hnc.cgi & ./***.cgi ??? için yorumlar kapalı

./check.cgi & ./hnc.cgi & ./***.cgi ???

bunlar mail spam gateway proxy olarak kullanilan seyler.

abuse edilen bir php script vs ile servera yuklenip run ediliyorlar

run edildikten sonra da dosya siliniyor ve bulunmaz bir hale geliyor

serverdan bulup silmek icin en kolay yonem

#grep -r “check.cgi” /var/log/proftpd/.

olabilir

veyahut

updatedb

locate .pl diyip 2332832683276.pl diye bir dosya aramak da olabilir sonuclarda.

—————————

I think one of your domains in the server is hacked.. Can you do a grep -i hnc.cgi /var/log/messages got any results ?

if you didn’t got any results do this too..

zgrep -i hnc.cgi /var/log/messages.*.gz

also check if any hnc.cgi files is there in the server using find

cd /home; find -name “hnc.cgi” -type f

Any results ?

Somehow one of your ftp account/domain is hacked and it’s used to upload hnc.cgi or check.cgi script and they start running it… After running this script usually it will be deleted and hence you may not find this script if you use locate/find command. So the best way to check which account got hacked is to check the pattern hnc.cgi in the ftp logs..

After verifying the logs you may clearly see that it’s uploaded and removed after running that script.

yes hnc.cgi is used to send spams. If you find any patterns of hnc.cgi in /var/log/messages immediately you change the password for the account and ftp accounts..

Also just verify the files uploaded checking the logs and make sure the hacker didn’t modified your webfiles..

shukko·Correct line drawing in PUTTY için yorumlar kapalı

Hi all,

I had some issues with line drawing when accessing my linux box from work. I found the following workaround in this site:

To make it all work right, you need to twiddle the following configuration settings:

Terminal → Keyboard:

Change the sequences sent by: The Functions keys and Keypad:
Select Linux.

Window → Appearance:

Font settings:
Pick a font that contains the Unicode line drawing characters, such as Andale Mono or Lucida Console. (Unfortunately Vista’s gorgeous new Consolas font does not have those.)

Window → Translation:

Character set translation on received data:
Select UTF-8.
Adjust how PuTTY handles line drawing characters:
Select Use Unicode line drawing code points.

Connection → Data:

Terminal details: Terminal-type string:
Enter “linux”.

Now line drawing characters should show up as they are supposed to.

++

I also had do the following:
Terminal -> Features
check – Disable bidirectional text display

to get aptitude running correctly