Hard Drive Data Recovery

November 13th, 2014

This article discusses hard disk data recovery on Linux using dd and fdisk.

I recently left for a trip to South America, and took my trusty Intenso 320GB external drive with me. Well aware that I’ve dropped it a couple too many times and that it was beginning to click more and more often during regular usage, I took a full backup before leaving. There’s nothing critical on the drive that I don’t have additional copies of elsewhere, however losing it would be a pain.

Having reached Madrid airport, I plugged the drive in and was about to pull some documents off it when disaster struck. The drive just clicked for about 30 seconds before Windows prompted me to format it. I tried removing it and reinserting it a couple of times but no luck – the drive had failed. I went to the duty free store in the airport and picked up a 1TB WD Elements drive for 99 Euros, and planned to attempt data recovery when I arrived in South America.

I’m keen to get the data recovery started – it’s going to take a while on my USB 2.0 laptop and the more bad sectors, the longer it will take.

Read the rest of this entry »

Debian Wheezy Xen + Guest Howto

October 8th, 2014

Xen is usually my go-to virtualization technology for Linux. Here’s a HOWTO on setting up Xen on Debian Wheezy and the first guest virtual machine.

First step is getting the required packages:

apt-get install xen-linux-system xen-tools xen-utils-4.1 xen-utils-common xenstore-utils xenwatch

Now, we’ll need to specify the Xen kernel as the default boot kernel on the host, and then reboot:
Read the rest of this entry »

Debian Linux Wheezy OpenVPN & Squid3 HOWTO with Transparent Proxying

October 4th, 2014

Before my last extended period travelling and using public networks, I decided to set up a new low spec virtual machine on one of my hosted servers. I trust my datacenter and their uplinks more than I trust the free WiFi and public networks I travel through, and so while all my internet traffic is being routed over an encrypted tunnel to my dedicated server, I’m a lot happier.

I threw Squid3 into the mix, as it caches common assets and the sites I visit. This speeds up my web access and page load time.

OpenVPN can be configured more simply with a ‘static key’ configuration, however I’ve chosen to go down the PKI route for future growth. On my new VPN server I run:

apt-get install openvpn

Once OpenVPN is installed, I’ll need to set up my PKI system, certificate authority (CA), server certificate (vpn) and my first client certificate (npn).

Read the rest of this entry »

Multithreaded TCP Proxy Tunnel Code

August 18th, 2013

Further to my earlier article, I went ahead and developed this application. Here’s a beta!

File: tcp_tun.c
Version: 0.3-beta
Title: TCP reassembling client-server application
Date: 17 Aug 13
Author: Adam Palmer <adam [AT] sasdataservices [DOT] com>
URL: http://www.adampalmer.me/iodigitalsec/
Read the rest of this entry »

Installing and Configuring Xen with guests

October 18th, 2009

Installing and Configuring Xen on a Debian Lenny machine is pretty easy. Firstly, install the system:

apt-get install xen-tools xen-utils-3.2-1 xen-linux-system-2.6.26-2-xen-686

xen-linux-system-2.6.26-2-xen-686 comes with the Xen kernel that you’ll need. It should install a new kernel as the default, and therefore you’ll now need to reboot.

Once rebooted, issue uname -a to ensure that your new Xen kernel is running:

apnic01:~# uname -a
Linux apnic01 2.6.26-2-xen-686 #1 SMP Wed Aug 19 08:47:57 UTC 2009 i686 GNU/Linux

You now have Xen installed! Now, you’ll need to make a few changes. Firstly, none of my new guest VMs had a working console; apparently this is a known issue in Lenny with Lenny guests. The workaround is to change the inittab on the guest. I wanted to create guests without modifications, so in this case I edited /etc/xen-tools/xen-tools.conf and uncommented:

#serial_device = hvc0 #default

It’s listed as the default, but uncommenting this seemed to solve my issues.

Now, you’re ready to create your first guest:
Read the rest of this entry »

Linux Consultant – How to recover a compromised server

October 11th, 2009

As a security consultant I often have to deal with machines that are already compromised. The ‘official’ standpoint is always to wipe the machine altogether, reinstall your OS, and restore your data and configurations from the backups that you obviously have.

When that isn’t possible, the second-best alternative is to recover the machine.

The first thing to do is compare each command line utility to that of a known good identical system before using it, so you can rely on the results that it returns. A hacker will often drop a modified ‘ls’, ‘lsmod’, ‘ps’ and various other tools onto your system to hide the various other things that he may have installed.

You’ll need to use md5sum and ls to check the size and checksum of each utility before you use it, although of course, md5sum and ls themselves could be hardcoded with predefined responses. You could also use ‘strings’ to check the ASCII contents of those tools, although ‘strings’ could just as easily be rigged. If you’re that paranoid, you’ve got no choice but to wipe the machine altogether.

So firstly, check the integrity of each of your core utilities. If the compromised system is Debian 5.0 with the latest updates installed, you’ll need to check against another Debian 5.0 system with the same updates and tools installed. Or, if you can find a listing online somewhere of what sizes and MD5s the binaries should have, then you should be fine.

Once you have confirmed your ‘md5sum’ utility, you should be able to just start comparing MD5s and stop worrying about file sizes and strings. Check your package management utilities and make sure that you’re happy with them, then apt-get install rkhunter; this will check for a number of issues. There are other ‘root kit hunters’ that you can use as well if you wish. Once this has been run, check your ps utility and ensure that it is as you expect, then run ps auxw and check each running process in the same way. Assuming that all of that is done and has not shown up anything, all is good so far.

If something has been found and one of your binaries is compromised, then, assuming your package manager is in good order, dpkg -P <package> and reinstall. If it is a core package that cannot be removed/purged without affecting the rest of the system, then just scp over a new binary. Check again that the libc6 version and package version are IDENTICAL, and check, of course, that scp itself is in good order.

At this point, we can assume that your binaries themselves are in good order. Check for any new SUID utilities with find / -perm +4000 and once done, firstly make sure that everything on that list is as expected, and secondly, double check your md5sums of each and every one of those.

This all being OK, continue to check by looking at your /etc/passwd, /etc/group and /etc/shadow files, checking for user accounts that you don’t recognise. Then check syslog, wtmp, lastlog, etc., and check the IPs and last logins of each account. Also check directories such as /tmp/, especially with ls -al, to check for directories beginning with a ‘.’ which would otherwise be hidden.

If everything above returns success, then it’s unlikely that your system was directly compromised. There is always the chance that your web application or database was compromised, but that’s outside of the scope of this article. In short though, check your webserver log files as they should give you the information on what was compromised, and how it was done. Obviously ensure that any 3rd-party software that you may be using such as WordPress, vBulletin, etc. is always up to the latest version.

Edit/Addition:
In response to a reader’s comments, I would add that should you be able to remove the network connection to the compromised machine and still access it, then do. Your login and anything you type could be being sent to an attacker without you even realising it.

Additionally, there is no point in simply recovering a hacked server without knowing how it was compromised in the first place. Arguably you should have worked it out though by following the steps above.
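The checks described above, scripted as an added example (not the article’s own code): binaries compared against a manifest of known-good md5sums taken from an identical clean system, SUID files not present in a reviewed baseline list, and dot-named entries in /tmp. Everything runs against a constructed fixture tree under mktemp -d, so it works offline; the manifest hash for lsmod is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not the article's own code): the checks described above, as
# functions, run against a constructed fixture tree under mktemp -d.
set -u

# verify_manifest MANIFEST ROOT: MANIFEST holds "md5  /path" lines as md5sum
# prints them on a known-good identical system. Prints MISSING/MODIFIED lines
# for every binary under ROOT that deviates; returns 1 if anything did.
verify_manifest() {
    local manifest="$1" root="$2" status=0 expected path actual
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then echo "MISSING  $path"; status=1; continue; fi
        actual=$(md5sum -- "$root$path" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "MODIFIED $path"; status=1; }
    done < "$manifest"
    return "$status"
}

# unexpected_suid ROOT BASELINE: SUID files under ROOT whose root-relative path
# is not in BASELINE (the find / -perm +4000 list you reviewed on a clean box).
unexpected_suid() {
    find "$1" -type f -perm -4000 | sed "s|^$1||" | sort | grep -vxF -f "$2" || true
}

# hidden_tmp_entries ROOT: dot-named entries in ROOT/tmp that plain ls hides
hidden_tmp_entries() {
    find "$1/tmp" -mindepth 1 -maxdepth 1 -name '.*' | sed "s|^$1||" | sort
}

# build_fixture: constructed tree with a tampered ps, an absent lsmod, a stray
# SUID file in a hidden /tmp directory, plus the clean-system reference lists.
build_fixture() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin" "$root/tmp/.hidden"
    printf 'genuine ls\n' > "$root/bin/ls"; printf 'genuine ps\n' > "$root/bin/ps"
    printf 'passwd\n' > "$root/usr/bin/passwd"; chmod 4755 "$root/usr/bin/passwd"
    { md5sum -- "$root/bin/ls" "$root/bin/ps" | sed "s|$root||"   # real sums
      printf '%s  /bin/lsmod\n' 00000000000000000000000000000000; } > "$root/manifest"  # placeholder sum
    printf '/usr/bin/passwd\n' > "$root/suid_baseline"   # the only expected SUID file
    printf 'trojaned ps\n' > "$root/bin/ps"              # the "compromise"
    printf 'shell\n' > "$root/tmp/.hidden/sh"; chmod 4755 "$root/tmp/.hidden/sh"
    echo "$root"
}

R=$(build_fixture)
verify_manifest "$R/manifest" "$R" || echo "-- binaries above need reinstalling"
echo "-- unexpected SUID files:"; unexpected_suid "$R" "$R/suid_baseline"
echo "-- hidden entries in /tmp:"; hidden_tmp_entries "$R"
rm -rf "$R"
```

On a real box the manifest is generated with md5sum on the known-good system and copied over, and ROOT is /; the functions report only deviations, so an empty result is the clean case.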

Using the Phidget Interface Kit under Linux

August 5th, 2009

I thought that it might be a good idea to write a quick high level overview of getting the USB Phidget Interface Kit working under Linux. In my case I am of course using 32-bit Debian, however these instructions should mostly be portable to any other Linux based OS.

Read the rest of this entry »

Linux SCREEN Command

March 14th, 2009

To start with, apt-get install screen on your favorite Debian server.

For the purposes of this tutorial (and throughout the site), ‘^C’ refers to Ctrl+C, ‘^A’ to Ctrl+A etc.

Now run screen with: screen

You are now within a virtual terminal. Typing exit will close your virtual terminal, and as it is the only virtual terminal open, also terminate the screen command.

Run screen again. Now within the screen type watch -n 1 ps aux – although outside the scope of this screen tutorial, this command will issue ‘ps aux’ to show the running process list every second. Let’s assume that we want to leave this running. Now type ^A, D – this will detach from your screen and you should see “[detached]” on your terminal. You are now back to your terminal, with screen still running.

Type screen -x to reconnect back to your screen session, and you will notice that your watch/ps processes are still running.

Type ^A, C and you will create a new ‘window’ within your same screen session. You can create as many windows as you wish, and then type exit to close them.

You can use ^A, 0 where 0 is your window number to switch between windows within your screen. When your last window is closed, screen will terminate.


Contributed by Reader Phil:

* CTRL + A + p for previous screen
* CTRL + A + n for next screen
* CTRL + A + A to name screen
* CTRL + a + S split screen
* CTRL + a + TAB change screen
* CTRL + a + q close split screen

And you also can modify your .screenrc to add a status bar:
hardstatus alwayslastline
hardstatus string '%{= kG}[ %{G}%H %{g}][%= %{=kw}%?%-Lw%?%{r}(%{W}%n*%f%t%?(%u)%?%{r})%{w}%?%+Lw%?%?%= %{g}][%{B}%Y-%m-%d %{W}%c %{g}]'

I hope you’ve found this helpful.

bc – Linux command line calculator

March 3rd, 2009

bc is a great command line calculator for Linux. Under Debian based distributions just:

apt-get install bc

Read the rest of this entry »

How to upgrade from Debian Etch to Lenny

March 2nd, 2009

Debian Lenny is now stable, so here is a quick guide to upgrading. I would recommend taking backups before doing this, and not performing this upgrade on a live/production machine.
Read the rest of this entry »

Local and Remote Kernel Upgrades – Failsafe Grub

February 28th, 2009

Grub (and LILO too for that matter) has a useful ‘failsafe’ feature that can be configured. This proves especially useful for remote kernel upgrades, where a failed boot will render your machine offline and unavailable.

Here is my standard grub config. I have just added my new 2.6.28 kernel.
Read the rest of this entry »

Linux PPTP (Poptop) VPN Setup with MPPE and MPPC

February 15th, 2009

Here’s a quick guide that I’m writing as I set up PPTP/MPPE/MPPC on a Linux server. My preferred VPN technology is OpenVPN, mainly because it’s so quick and easy to set up and use, however in some cases PPTP is required, chiefly when the client wants to use the built-in Windows VPN capabilities rather than having to deploy 3rd-party software.

My server is a Debian (of course) Etch machine, with a 2.6.24 (from source) kernel. My client is Windows XP Pro SP3.
Read the rest of this entry »

How to reset forgotten MySQL root password

January 20th, 2009

As long as you have root access to your Debian machine, you can do this as follows:

/etc/init.d/mysql stop #stop MySQL
/usr/bin/mysqld_safe --skip-grant-tables & #start MySQL with --skip-grant-tables
/usr/bin/mysql -u root mysql #connect to mysql as root, straight into the 'mysql' database. No password is required
UPDATE user SET password=PASSWORD('newrootpassword') WHERE user='root'; #Do replace 'newrootpassword' with something that you'll remember.
FLUSH PRIVILEGES;
\q #to quit the mysql client
/etc/init.d/mysql stop #stop MySQL
/etc/init.d/mysql start #start MySQL

You can now test with mysql -u root -p; you’ll be prompted for your password and your ‘newrootpassword’ should now work!

Debian Lovers – Why I love Voyage Linux

December 14th, 2008

For those Debian lovers I have finally found a great embedded distro. I’ve always stayed away from the multitude of distros available, each with their own package manager or lack of, each with their own preinstalled software or again, lack of, and each with their own caveats.

I began my journey into Linux with SuSE about 11 years ago at the time of writing, and have also given RedHat a fair chance in the past. In my first employment I was forced to battle against Slackware for two years, and about 7 years ago, discovered Debian.
Read the rest of this entry »

The Robot: Successful installation of Debian onto the Alix 3c2 board

November 2nd, 2008

Some hardware has arrived!

Mess

So my working space is a little bit of a mess at the moment. There’s no better way of getting started than just getting straight to the point.

The Alix 3c2 main board arrived in good health and works well. On the underside is a 512MB CF card and an Atheros MiniPCI Wifi. I’ve soldered single core wire to the I2C bus pinout. GND, CLK, Data & +3v.

I’ve also soldered bell wire across the power input. It accepts a wide input and so I’ve decided on 12v.

This is my prototype “power distribution board”. Currently it consists of two 12V/2A regulators, some resistors and a 1000uF/30V smoothing capacitor. It provides 12v to the Alix board, and 12v to the motor controller. If both motors stall, they can use up to 6A, so whilst this is fine for testing the controller board, I’m going to have to replace one of the regulators with a transformer system to provide the necessary power to the motors.
Read the rest of this entry »