Thursday, June 16, 2011

iPhone: Dumping Game Memory and Injecting Custom Code into Games


This article was written by zkoolkyle


Prerequisites:
iPhone

=Overview=
This is a tutorial for game hacking. It is the first attempt at this kind of hacking for iPhone games that I know of, and I'm hoping that it will evolve into something bigger. This kind of hacking, if done correctly, could lead to code injection that makes your character jump 1000 ft instead of 2 ft, makes your car go 20x faster, or gives you invulnerability in fighting games. I'm hoping that someone takes this idea and makes a terminal app to make this a lot easier for people (memory searchers and what not), but since this is the first of its kind for iPhone you'll have to live with using the GNU debugger as your weapon lol. Which is very strong if used correctly.
This tutorial explains how to freeze (lock) your game, dump multiple copies of its memory so that they can be compared to find the addresses of interest, and then write your own values back into the game at those addresses.

LETS BEGIN :]

1.SSH to your iphone from your OS.

Windows - Putty - PuTTY Download Page
Mac Os/Linux - Terminal


2. Go to Cydia and install GNU Debugger if you haven't already.

3. Take the non-encrypted IPA that you have on your computer and extract it. (If you downloaded it cracked then it's already non-encrypted.)
Inside of the .app folder you will see a file with the name of the game on it and no extension.

Example:
I'm hacking TouchGrind.app, so when I go inside of it I see a file called just "TouchGrind" (it's usually the biggest file in that folder).

Now boot up a file transfer application that supports SFTP (also known as SSH-FTP). WinSCP for Windows is good, as are Transmit (shareware, but excellent) and Cyberduck (free) for Mac, and gFTP for Linux. Test it by setting up a connection to your iPhone over the SFTP protocol (get your iPhone's IP address from Settings -> Wi-Fi -> right arrow next to your Wi-Fi connection -> IP Address). The username for the connection is 'root', and the default password is 'alpine'.

Then upload your main data file (the file inside of your .app folder that we just talked about; mine is "TouchGrind") to /var/root/
We will be using this file later.

4. SSH to your iPhone from your OS again. (Same username and password: root:alpine)

Windows - Putty - PuTTY Download Page
Mac Os/Linux - Terminal

Now we are going to get the stack size of the program in memory, so that when we make a memory dump later we know exactly how much to dump. Otherwise the file gets far too big and there would be no point in trying to hack the game lol.

While in SSH with your iPhone, use the command
Code:
otool -l MAINDATAFILE | grep crypt

Note: replace the word MAINDATAFILE with the name of the file that we just uploaded to our iPhone; remember mine was TouchGrind.
Now you should get something like this:

Code:
cryptoff 4096
cryptsize 913408
cryptid 0

We want the cryptsize number (yours will probably be different). cryptoff should be 4096 and cryptid should be 0 (a cryptid of 0 means the binary is not encrypted). Now take your cryptsize number and convert it from decimal to hex. You can easily do this with this website:

Decimal to Hexadecimal converter (link)

913408 converted to hex is DF000 (yours will be different from mine).

SAVE THIS HEX VALUE! Write it into a text file on your computer or write it down.

5. Now go back to the home screen on your iPhone and boot up the game you want to hack. Once it's running, type the following into your SSH session on your computer and press Enter:
Code:
ps ax

You'll get a massive list of every running process on your phone. It looks similar to this:
Code:
PID TT STAT TIME COMMAND
1 ?? s 0:00.00 /sbin/launchd
12 ?? s 0:00.00 /usr/sbin/mDNSResponder -launchd
13 ?? s 0:00.00 /usr/sbin/notifyd
14 ?? s 0:00.00 /usr/sbin/syslogd
15 ?? s 0:00.00 /usr/sbin/configd
19 ?? s 0:00.00 /usr/sbin/update
20 ?? s 0:00.00 /usr/libexec/lockdownd
23 ?? s 0:00.00 /System/Library/PrivateFrameworks/IAP.framework/Support/iapd
24 ?? s 0:00.00 /usr/sbin/fairplayd
28 ?? s 0:00.00 /System/Library/PrivateFrameworks/CoreTelephony.framework/Support/CommCenter
29 ?? s 0:00.00 /usr/sbin/BTServer
819 ?? s 0:00.00 /usr/sbin/mediaserverd
1325 ?? s 0:00.00 /System/Library/CoreServices/SpringBoard.app/SpringBoard
1327 ?? s 0:00.00 /var/stash/Applications.1SLxl9/MobilePhone.app/MobilePhone
1695 ?? s 0:00.00 /var/stash/Applications.1SLxl9/MobileMail.app/MobileMail
1705 ?? s 0:00.00 /System/Library/Frameworks/SystemConfiguration.framework/SCHelper
1790 ?? s 0:00.00 /var/mobile/Applications/3015A1D1-0421-31A2-2DD9-15E0A2F235A1/TouchGrindl.app/TouchGrind
1791 ?? s 0:00.00 /usr/libexec/launchproxy /usr/sbin/sshd -i
1792 ?? 0:00.00 /usr/sbin/sshd -i
1797 ?? s 0:00.00 /usr/libexec/amfid
1793 s000 s 0:00.00 -sh
1798 s000 + 0:00.00 ps ax

The very first column, PID, is what we're interested in. PID stands for Process ID, and it's a number that gets assigned to each running process. One of these processes is the currently running app, so scan down through the final column (COMMAND) until you find your app. In my case, the app I ran is TouchGrind, and its PID is 1790. Make a note of your PID.

In your terminal window, type the following, but replace the letters PID with the actual PID number you just found:
Code:
gdb -p PID

So, for example, I would type:
Code:
gdb -p 1790

Now you SEE WHAT JUST HAPPENED - YOUR APP FROZE. This means that all the values for that game are locked (the process is stopped while gdb is attached to it).

3. Now we are going to make our first dump of the memory! You should be at the (gdb) prompt while doing this. Remember that hex value that I told you to save? Well, here is where you use it. Replace the text "HexValueHere" with the hex value that you saved.

So now we will type:
Code:
dump ihex memory dump1.dmp 0x2000 0xHexValueHere

My Example:
dump ihex memory dump1.dmp 0x2000 0xDF000

What this line is saying is: dump the memory (dump) in Intel HEX format (ihex) starting from address 0x2000 up to your value, and name the file dump1.dmp.

CONGRATULATIONS, you just made your first game memory dump. Now the point of these dumps is to get 2 different dumps that have different values in them, so that you can compare them and find the address of, say, your score and edit it.

Example:
You boot up your game of TouchGrind and get 16,847 during the game; while the game is at that score you:

1.Freeze the game with that score:
gdb -p ProcessID (remember your process ID)

2.Dump the memory:
dump ihex memory dump1.dmp 0x2000 0xHexValueHere

3.Unfreeze the game:
quit

Then you skate for 20 more seconds and now you have a score of 53,832

1.Freeze the game with that score:
gdb -p ProcessID (remember your process ID)

2.Dump the memory AGAIN and rename it to dump2.dmp:
dump ihex memory dump2.dmp 0x2000 0xHexValueHere

3.Unfreeze the game:
quit

6. Fire up your SFTP client again and navigate to /var/root. There should now be two files called 'dump1.dmp' and 'dump2.dmp' there.

7. Compare your 2 dumps, etc. (There are tons of tutorials online on how to compare dumps; Sketch will probably write one.)
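The comparison step is left to other tutorials above, so here is an added example that is not part of the original tutorial (and not zkoolkyle's code): a small Python script that parses two Intel HEX dumps in the format gdb writes for dump ihex memory and lists the addresses where a 32-bit value changed from the first score to the second. The little-endian 32-bit layout of the score, the function names, and the two sample dumps are all assumptions made for this example; the sample memory is constructed inline rather than taken from a real game.

```python
"""Added example, not part of the original tutorial: compare two Intel HEX
memory dumps (the format gdb writes for ``dump ihex memory``) and find the
addresses whose 32-bit value went from one known score to another.

Assumptions, not taken from the page: the score is stored as an unsigned
32-bit little-endian integer, and the two dumps below are constructed here
(they are not real TouchGrind memory).
"""
import struct
from typing import Dict, List


def parse_ihex(text: str) -> Dict[int, int]:
    """Parse Intel HEX records into a {absolute_address: byte} map.

    Handles record types 00 (data), 01 (end of file), 02 (extended segment
    address) and 04 (extended linear address) and checks every checksum.
    """
    memory: Dict[int, int] = {}
    base = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError("record does not start with ':': %r" % line)
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:  # all bytes including the checksum sum to 0 mod 256
            raise ValueError("bad checksum: %s" % line)
        length, addr, rtype = raw[0], (raw[1] << 8) | raw[2], raw[3]
        data = raw[4:4 + length]
        if len(data) != length:
            raise ValueError("truncated record: %s" % line)
        if rtype == 0x00:
            for i, b in enumerate(data):
                memory[base + addr + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x02:
            base = ((data[0] << 8) | data[1]) << 4
        elif rtype == 0x04:
            base = ((data[0] << 8) | data[1]) << 16
        # types 03 and 05 carry start addresses, not memory contents: skipped
    return memory


def find_changed_u32(mem1: Dict[int, int], mem2: Dict[int, int],
                     old: int, new: int) -> List[int]:
    """Addresses (any alignment) holding `old` in dump 1 and `new` in dump 2."""
    hits = []
    for addr in sorted(mem1):
        if not all(addr + i in mem1 and addr + i in mem2 for i in range(4)):
            continue
        v1 = struct.unpack("<I", bytes(mem1[addr + i] for i in range(4)))[0]
        v2 = struct.unpack("<I", bytes(mem2[addr + i] for i in range(4)))[0]
        if v1 == old and v2 == new:
            hits.append(addr)
    return hits


def encode_ihex(start: int, data: bytes, chunk: int = 16) -> str:
    """Encode bytes as Intel HEX: one type-04 record for the upper address
    bits, then 16-byte data records. Only used to build the sample dumps;
    the region must not cross a 64 KiB boundary."""
    def record(rec: bytes) -> str:
        return ":" + (rec + bytes([(-sum(rec)) & 0xFF])).hex().upper()
    upper = (start >> 16) & 0xFFFF
    lines = [record(bytes([2, 0, 0, 0x04, upper >> 8, upper & 0xFF]))]
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        addr = (start + off) & 0xFFFF
        lines.append(record(bytes([len(piece), addr >> 8, addr & 0xFF, 0x00]) + piece))
    lines.append(":00000001FF")
    return "\n".join(lines)


def build_sample(score: int, timer: int) -> bytes:
    """Constructed 64-byte 'game memory': a constant equal to the first
    score (a decoy), the score field, and a timer that also changes."""
    buf = bytearray(64)
    struct.pack_into("<I", buf, 0x10, 16847)   # decoy: same in both dumps
    struct.pack_into("<I", buf, 0x24, score)   # the field we want to find
    struct.pack_into("<I", buf, 0x30, timer)   # changes, but to other values
    return bytes(buf)


# Constructed dumps standing in for dump1.dmp / dump2.dmp from the tutorial.
DUMP1 = encode_ihex(0x2000, build_sample(16847, 1200))
DUMP2 = encode_ihex(0x2000, build_sample(53832, 2400))


def locate_score(dump1: str = DUMP1, dump2: str = DUMP2,
                 old: int = 16847, new: int = 53832) -> List[int]:
    """Parse both dumps and return the candidate score addresses."""
    return find_changed_u32(parse_ihex(dump1), parse_ihex(dump2), old, new)


if __name__ == "__main__":
    for a in locate_score():
        print("candidate score address: 0x%08x" % a)  # 0x00002024 for the samples
```

With real dumps, read dump1.dmp and dump2.dmp into strings and pass them to locate_score along with the two scores you saw. Two dumps often leave more than one candidate; a third dump at yet another score narrows the list, which is why the tutorial says to dump as many times as needed. The decoy field in the sample shows why both values must match: a location that merely equals the first score in dump 1 is not enough.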

8. To inject your code, connect back up through SSH, run your app again, and freeze it again with your PID.
Code:
gdb -p 1790

Now for the fun part: TESTING INJECTION of code!!!
While in gdb:

Code:
set *(int *)(Address You want to hack) = (Original + New Offset)
set *(int *)0x08049d24 = 0x40003000 + 0x000034

Tutorial Written
By LoGiKz of OneHitGamer.com

REVIEW:
Everything you just did was actually really simple; you just have to get the concept down. You did this in this order, and this can be used as a reference if you don't want to go back through everything.

1. Put the game's data file on your iPod
Extract and SFTP

2. Get the cryptsize and convert to hex
otool -l MAINDATAFILE | grep crypt

3. Get the ProcessID
ps ax

4. Freeze the game
gdb -p ProcessID

5. Dump the Memory as many times as needed with the values you supplied
dump ihex memory dump1.dmp 0x2000 0xHexValueHere

6. Inject Code
set *(int *)(Address You want to hack) = (Original + New Offset)

Do this at your own risk

Basic Linux Commands

Hi All,

This is something different from what I normally post. Here are basic Linux commands. Enjoy. This is for newbies; people who know it and would like to add something else, please do.

so here goes nothing.


Prerequisites:
Access to a Linux/Unix box or a Windows box with Cygwin installed.

As most people know, there's a fuck load of commands in Linux, so I'm only going to include a few of the main ones off the top of my head.
Also, there are going to be examples in here which show you some more options, ex. -(whatever the fuck), that you will need to add onto the command; better ex. tar -zxvf (-zxvf == whatever the fuck). I will explain which options I use but will not go into detail about all of the options, because there are man pages for that.
The operators you learned in DOS (>, >>, and |) still apply fairly normally.

man
Linux "manual" pages, describing in detail every command, what its options are, and what it does.

ex
$ man
What manual page do you want?

ex2
$ man ls | more
LS(1) User Commands LS(1)

NAME
ls - list directory contents

SYNOPSIS
ls [OPTION]... [FILE]...

DESCRIPTION
List information about the FILEs (the current directory by default).
Sort entries alphabetically if none of -cftuvSUX nor --sort.

Mandatory arguments to long options are mandatory for short options
too.

-a, --all
do not ignore entries starting with .

-A, --almost-all
do not list implied . and ..

--author
--More--

pwd
Shows the path of the directory you are in; aka "Parent Working Directory".

ex
$ pwd
/home/cisc0ninja

ls (ls -al shows hidden files too)
Same as dir, list files and folders in your current directory.

ex
$ ls
agetty.exe hwclock.exe mkfs.bfs mkfs.minix sln.exe
fsck.cramfs init.exe mkfs.cramfs mkswap.exe sysctl.exe
fsck.minix killall5.exe mkfs.exe runlevel.exe telinit

clear
Same as cls, clears your current shell's screen.

cat
Same as type, "concatenates" aka list the contents of a file "normally text files".

ex
$ cat test
test

grep
"Global Regular Expressions Parser"<---(don't ask me why I know this) is used for searching files for strings you want.

ex
$ cat hackers.txt | grep Steve
Richard Stevens
Steve Bellovin
Steve Crocker
Steve Jobs
Steve Shirley
Steve Wozniak
Steven G. Steinberg

chmod
Changes the access file attributes of a file or folder. (readonly, writable, hidden, etc...)

ex (the first number (7) is for user, second number for group, and third for everyone else; 7=writable, 5=read&execute, 0=nothing)
chmod -R 700 /home/share/mydirectory

chown
Changes the ownership file attributes of a file or folder.

ex (-R means recursive, i.e. for every folder and file underneath)
chown -R cisc0ninja:localadmins /home/share

rm
Removes a file.

ex
$ rm test.txt

rmdir
Removes a directory.

ex
$ rmdir test

ifconfig (ifconfig -a)
List your network interfaces and their configuration options.

ex
shinra:/home/share# ifconfig -a | more
eth1 Link encap:Ethernet HWaddr 00:17:31:37:9b:7d
inet addr:172.30.115.75 Bcast:172.30.115.255 Mask:255.255.255.0
inet6 addr: fe80::217:31ff:fe37:9b7d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:751482 errors:0 dropped:0 overruns:0 frame:0
TX packets:743923 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:496898734 (473.8 MiB) TX bytes:180162903 (171.8 MiB)
Interrupt:16

ssh
Upgraded version of telnet with an added bonus of encryption and secure copying capabilities.

ex
cisc0ninja@shinra:~$ ssh -l cisc0ninja argos.soldierx.com
Password:
§+++++++++++++++++++++++++++++++++++++++++++++++§
]|[ [-=- SOLDIERX.COM Presents -=-] ]|[
cisc0ninja@argos:~$

tar
Linux zip utility to zip and unzip files.

ex
$ tar -zxvf dnsenum1.1.tar.gz
belgacom.be_ips.txt
dnsenum.pl
dns.txt
README.txt

sort
Sorts the content inside of a document. (alpha-numerically)

ex
$ sort hackers-orig.txt | uniq >> hackers.txt

uniq
Removes duplicate entries in a file.

ex
$ sort hackers-orig.txt | uniq >> hackers.txt

mv
Moves a file.

ex
$ mv test /tmp

mount
Makes a connected device (hard drive, flash drive, etc.) accessible to you and the system; whether it's mounted as read-only or writable is up to you.
It can also be used (as below) to show what devices are mounted, how, and where.

ex
shinra:/home/share# mount
/dev/md2 on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
procbususb on /proc/bus/usb type usbfs (rw)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/md0 on /boot type ext3 (rw)
nfsd on /proc/fs/nfsd type nfsd (rw)

df (or df -h)
Shows file system usage.

ex
$ df -h
Filesystem Size Used Avail Use% Mounted on
C:\cygwin\bin 75G 63G 13G 84% /usr/bin
C:\cygwin\lib 75G 63G 13G 84% /usr/lib
C:\cygwin 75G 63G 13G 84% /
c: 75G 63G 13G 84% /cygdrive/c

ps (ps -aux) or top
Used for showing the amount of processing power and memory each service/application is using.

ex
top - 02:35:57 up 8:07, 2 users, load average: 0.00, 0.00, 0.00
Tasks: 6 total, 2 running, 4 sleeping, 0 stopped, 0 zombie
Cpu(s): 2.7% user, 4.8% system, 0.0% nice, 92.5% idle
Mem: 1015152k total, 609300k used, 405852k free, 0k buffers
Swap: 1523712k total, 71080k used, 1452632k free, 0k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
11392 cisc0ninja 8 0 2388 2860 40 R 2.9 0.3 0:00.09 top
1712 SYSTEM 8 0 2028 2292 76 S 0.0 0.2 0:00.15 cygrunsrv
2220 SYSTEM 8 0 2572 3692 40 S 0.0 0.4 0:00.15 sshd
3952 cisc0ninja 8 0 2860 356 12 R 0.0 0.0 0:01.12 bash
2344 cisc0ninja 8 0 2924 1884 40 S 0.0 0.2 0:01.06 bash
244 cisc0ninja 8 0 2640 132 0 S 0.0 0.0 0:00.18 ssh

vi/vim
A text editor for the command line; very powerful, takes some time to get used to.
Note: to exit out of vi/vim, press Esc a couple of times, then the Shift and colon keys at the same time, then type q! (not at the same time).
(If you want to save, make it wq!)
ex
vi test.pl

MORE OPERATORS!!!

$
Used to define a variable or constant

ex
$ echo $SHELL
/bin/bash

--help
Gives further information on a command, such as what options are available for use with that command.

ex
$ cat --help
Usage: cat [OPTION] [FILE]...
Concatenate FILE(s), or standard input, to standard output.

-A, --show-all equivalent to -vET
-b, --number-nonblank number nonblank output lines
-e equivalent to -vE
-E, --show-ends display $ at end of each line
-n, --number number all output lines
-s, --squeeze-blank never more than one single blank line
-t equivalent to -vT
-T, --show-tabs display TAB characters as ^I
-u (ignored)
-v, --show-nonprinting use ^ and M- notation, except for LFD and TAB
--help display this help and exit
--version output version information and exit

With no FILE, or when FILE is -, read standard input.

Examples:
cat f - g Output f's contents, then standard input, then g's contents.
cat Copy standard input to standard output.

Sunday, April 3, 2011

How to lie to people : Achieving anonymity through disinformation and data poisoning

HOW TO LIE TO PEOPLE: ACHIEVING ANONYMITY THROUGH DISINFORMATION AND DATA POISONING, by DIzzIE aka x-c0n [antikopyright 2007]


Preamble

When providing information, the worst thing you could possibly do is give accurate, truthful data. This should be common sense. If it's not, close this text and think about why it should be, then come back when you're ready or **** off for good. However, the recourse that many have chosen, the proverbial vow of silence, is no panacea. Actively choosing to refuse to provide information, to give the bloodhounds nothing, will make them uneasy, hungry, suspicious, and, of course, quite vicious. What one must then do is quite simple: give them a false trail to follow. In other words: Lie to people. All the time. About everything. Going further, create future lies. Lies that lie in hidden corners just waiting to be stumbled onto by the coming bloodhounds, who will then think they've stumbled onto something genuine. Your goal must then be to pro-actively mold pieces of **** into gold nuggets. Plant your buried scat treasure and watch the ****ers suck it down. The aim must always be to present the illusion of transparency, an 'I've got nothing to hide' hologram, if you will.

In short: your goal is to go around the web planting poisonous seeds of disinformation, with the intention that others who will try to track you at a later date will stumble onto them and think them to be real. The rest of this brief guide will be about general tips for creating disinformation to preserve your anonymity, it is obviously hardly exhaustive, and is meant to serve as a springboard for inspiring your own acts of data poisoning. However, as this guide is operating under the impression that most people currently do not actively engage in data poisoning, this guide also doubles as a stalker's companion. Pretty convenient, indeed.

Before You Begin

Before you're ready to engage in proactive data poisoning, you first need to do a wee bit of preliminary research. Pick a name for yourself, as well as a unique username (something that when searched for, will only return your name, not 50 million others), email address, as well as a birthday, location, pets, family, hobbies, car, political affiliation, and other basic demographic information. Keep in mind that your intention with this data is that each nugget can and should be used to track you, that is indeed your goal in the creation of this false front (i.e., if your new username is a reference to a television show which the real you would never watch, start posting on fan message boards and newsgroups for that show, this is discussed further in the section on fabricating your peripheral identity later in this text).

A key ingredient in the successful passing of illusion as reality is consistency. This means that once you pick your initial disinformative characteristics, you'll have to stick with them for all locales you later frequent (e.g., use the same username on all forums, and tell different people the same lies). After you have the initial information, here are a few more things you might want to take care of (again, these are just a couple examples to prod your own brain into thinking of more **** on its own):

~ Find a few photos of some unpopular person on social networking sites like MySpace or Facebook, or on public photo storage places akin to Flickr. These will now be your photos. Pick someone of average physical prowess, someone who doesn't have too many friends/contacts listed, doesn't live anywhere near you, doesn't frequent the same web fora that you do, and, most importantly, someone whom you and any of your legitimate contacts are not affiliated with in any way whatsoever.

- Try opening the photo file in a text or hex editor. If it is an unmodified file taken with a digital camera, you should see various nuggets of metadata embedded in the file, such as the date the picture was taken, the resolution/camera settings, and, most importantly, the camera model. This will now be your camera. Find a forum for this camera, or failing that, a forum for amateur photography, and make a few posts asking some basic questions about the camera. When someone then searches for you and examines the metadata of your images, your identity will thus be further validated in their bloodthirsty, data-hungry eyes.

--> Any data match serves to validate your illusory identity, any data discrepancy serves to question it.

- Once you have the photos, open them up and perform a minor modification such as adding an extra pixel. This is to change the MD5 checksum of the image file. Each file has a unique number that can be shown by using programs like ChaosMD5 (a free MD5 generator). By modifying the file, you are also modifying the MD5 checksum. This is done so that, should anyone later be performing comparisons/searches by MD5, your stolen image will not be presented as a match, therefore improving the chances that your false identity will not be discovered.

~ If you wish to, create a phone number for yourself; there are plenty of free services such as www.j2.com which give you a free voicemail box and fax number. Often the free services do not let you pick your own area code, in which case you will have to make sure that your location matches the area code. If your free number requires a call every X days to be kept active, use a free call-scheduling service such as phonemyphone.com to place the call. Area code locator websites provide lists of area codes and the states to which they belong, while telephone prefix lookup sites allow you to locate the city within a state by using the prefix (the first three digits after the area code). When performing reverse phone lookups on sites like WhitePages or Fone Finder, be aware that the phone service provider may also be visible. In keeping with our consistency motif, never contradict this data (with natural exceptions, such as if you're stating that you recently moved from X to Y in your fake blog, thus implicitly explaining the geographical discrepancy between the phone number's location and your present residence).

Creating the Core You

Once you have acquired what you feel is a sufficient amount of preliminary disinformation, it is time to start actively engaging in its proliferation; that is, the fun and tedious process of data poisoning. Ten years ago, I would've told you to create a personal homepage for yourself. Today, homepages are obsolete and unnecessary (though if you have the time, additional data poisoning can't hurt; that is, unless you half ass it). Instead, you should set up your core identity on social networking sites like MySpace and Facebook, as well as on blog sites like LiveJournal and Xanga. Create your personal pages using the fake data you generated in the step above: listing your name, email, birth date, hobbies, favorite music, photos, and so on. These are known as the core sites, because they will be the main websites that any bloodhound on your trail will discover first, and which will contain the greatest amount of information about you.

Creating the Periphery You

After you setup the core sites, you will need to extend your data poisoning to various periphery outposts to further entrench the legitimacy of your faux identity. Although the periphery you is secondary to the core, it is no less essential; indeed, perhaps more so. The role of the periphery is to dupe the meticulous bloodhound who will spend hours mining through search results, harvesting little **** nuggets here and there, and looking for any inconsistencies that might suggest duplicity. In other words, take the task of creating the periphery as seriously as the core.

Now then, to create the periphery you must cannibalize upon your initial information. If you said you like a certain band, start posting on the message boards for that band, being sure to indicate that you went to any relevant concerts close to your geographic area. If you said you have a certain exotic pet, start posting on newsgroups and message boards asking for advice on taking care of said pet. Rinse and repeat for all other periphery components of your identity: your car, favorite book/author/movie/pornstar, favorite hobby, sport team, and so on. Always post on all message boards with the same username. This will make you easier to track, and make the bloodhound :) when ze thinks that ze's just discovered that you not only like Korn, but also have a pet ferret and drive a pimped out Audi.

And lest you're by this point losing faith at the apparently humdrum meaninglessness of it all, keep in mind that there is no such thing as an insignificant detail. Every bit of information can be, and, indeed is, being harvested and subsequently has the potential for being used for tracking you the **** down. To give a (non)trivial example, someone who knows where you live, the car you drive, and the band you like, can then proceed to find you outside of a concert hall on the night that your band's playing. Copasetic?

Realtime Data Poisoning and Time Syncing

Once you have setup the core/periphery disinfo centres, your job isn't quite done yet. Indeed, data poisoning is a persistent process around which you must adapt all of your everyday actions, both online and offline. Each time you chat with friends over instant messaging or IRC, you are leaking data. Comments about the weather, current events, even your speech mannerisms, all serve to betray your identity, and therefore must all be modified. You must then engage in realtime data poisoning: consistently lying to anyone and everyone you communicate with about everything.

An extension of realtime poisoning is time syncing. If you say you have a 9 to 5 job in time zone X, then be sure that you're idle during those times, or explicitly mention that you have Internet access from work/school to present a resolution to the apparent time conflict. Do this proactively, meaning volunteer the information yourself, before the person on the other end becomes suspicious. Saying something like 'I just came back from watching Lesbian Scat Girls VII' when according to your time zone you should be at work/school can be disastrous to your identity (speaking of time zones, don't forget to set the appropriate zone on all of your forums). However, we all slip up and **** up here and there. Such discrepancies can then be explained away with relative ease by stating that you had the day off school or whatnot, as long as they don't accumulate to an excess over prolonged periods of time.

When chatting, it is further advantageous to initiate apparently accidental data slippages. Pretend that you thought you were talking to someone else, and share a seemingly intimate bit of information about yourself, and then follow it up with a 'oh ****, wrong person.' Similar techniques should be used by accidentally pasting private emails into instant messaging conversations, and then hurriedly explaining that your fershlugginer copy and paste keeps jamming, and urging your chat partner to pay the information no heed.

As aforementioned, your very speech patterns betray your identity. In the spirit of practicing what you preach, looking a few lines above you can see that I used a seemingly odd adjective, 'fershlugginer.' Doing a little bit of research, you'll undoubtedly find that it was a term popularized by MAD Magazine in the 70's, leading you to believe I must be an old school fan of that particular zine ;), which will in turn lead you to make now intrinsic assumptions about my age, nationality, and so forth. Therefore, you must always strive to saturate your everyday parlance with various cultural (and therefore also potentially geographic) references. If you are communicating via phone or voip, which is highly inadvisable as extensive forensic analysis of voiceprints can reveal your real identity even when you're attempting to adopt various masking techniques, you should nonetheless use a hardware or software voice modification application, at the very least.

Realtime data can further be poisoned by injecting false descriptions of everyday events. Saying you just got your hair highlighted, a spiffy new tattoo, or even a broken leg, are all as essential as the aforementioned core/periphery identity modifiers. Again, keep in mind the physical location you're supposed to be situated in, and after checking the weather for that day, make appropriate comments about how hot/cold it is, and so on it goes...

End of Part I

Finally, keep in mind that if the so-called first rule of forensics is Locard's theory (every contact leaves a trace), then a necessary corollary is that every false contact leaves a false trace. Again: there is no such thing as innocuous data. Every little morsel of information is engorged with saliency, and every little morsel can likewise be manipulated to suit your needs; in our case, the poisoning of the unknowing bloodhounds on your illusory trail. Consistently lie your ass off to achieve the much sought-after ambrosia of anonymity.

Cheers.

Malware Removal Guide

Prerequisites:
Freeware (explained in tutorial)

Before I start, I want you to understand that this guide is not going to be using any of the tools from Geek Squad. All of the tools used in this tutorial are available for download as freeware. This guide is not going to give you a complete and total walkthrough of every single program, just an overview. I will be providing links to other websites if you wish to read more about each of these softwares. Neither I nor SoldierX hold any responsibility for your actions while following this guide, but simply offer it as a helping hand to get you to understand some of the ways that malware can infect your system while helping you remove them. Neither I nor SoldierX own or have created any of these tools, so you must accept each tool's licensing terms on your own behalf before you use them.

Before getting into the actual malware removal, I want you to understand that the only surefire way to get rid of any and all malware that is affecting your system is to replace your hard drive's MBR (Master Boot Record), use a utility such as DBAN (Darik's Boot And Nuke) to wipe the drive, and then reinstall your operating system.

So, now that I have gotten the legal stuff out of the way, let's get right down to business. This guide is going to cover many different things including, but not limited to: removing malware from an infected computer, the tools used to do the removals, extra utilities to help protect yourself from future attacks, and some fixes that you can do to repair some of the damage caused by removing malware from an infected system. These fixes are not always guaranteed to be correct, but simply are the most common ways to fix the problems caused by removing malware from a system.

Now that you have backed up all of your files, let's get to the tools needed to do the job correctly. Note that not all of these tools are required to clean your system; I am just listing all of the tools I have used in the past to get rid of different types of malware. If you want to be as thorough as absolutely possible, you should run every single one of these tools on the computer you are trying to clean. This will ensure that you have effectively removed most of the traces. I am not going to go in-depth and explain how to use each of these programs. If you would like to know more about one of these tools, a quick Google search on the name of the product should bring up a full listing of anything related to that software. Listed below, not in any particular order, are the programs I use while doing malware removal and the links to each website so you can download them:
1. SmitFraudFix - http://www.bleepingcomputer.com/files/smitfraudfix.php
2. Kaspersky AVZ Antiviral Toolkit - http://www.softpedia.com/get/Antivirus/AVZ-Antiviral-Toolkit.shtml
3. Avira Antivir Removal Tool - http://www.free-av.com/en/tools/3/avira_antivir_removal_tool.html
4. ClamWin Portable - http://portableapps.com/apps/utilities/clamwin_portable
5. McAfee Stinger - http://vil.nai.com/vil/stinger/
6. A-Squared HiJack Free - http://www.hijackfree.com/en/
7. A-Squared Emergency USB - http://www.emsisoft.com/en/software/stick/
8. 1-2-3 Spyware Free USB - http://www.pendriveapps.com/1-2-3-spyware-free/
9. AVG VCleaner - http://free.avg.com/us-en/virus-removal
10. Avast! Portable Virus Cleaner - http://www.pendriveapps.com/avast-virus-cleaner-virus-and-worm-removal-t...
11. SpyDLLRemover - http://rootkitanalytics.com/userland/spy-dll-remover.php
12. Microsoft's Autoruns - http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
13. Kaspersky's AVP Tool - http://www.brothersoft.com/kaspersky-avp-tool-190975.html
14. Microsoft's Rootkit Revealer - http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
15. Malwarebyte's Antimalware - http://www.malwarebytes.org/mbam.php (Special note for Malwarebytes. Make sure that when you download the executable, you rename it to something not-related to Malwarebytes or mbam-setup.exe. Most malware now will block mbam or anything related to it from even running. I usually end up naming it MBRemovalTool.exe)
16. Norman Malware Cleaner - http://www.norman.com/support/support_tools/58732/en
17. About Buster - http://www.malwarebytes.org/aboutbuster.php
18. ADS Spy - http://www.bleepingcomputer.com/files/adsspy.php
19. ATF Cleaner - http://www.atribune.org/index.php?option=com_content&task=view&id=25&Ite...
20. AIM Fix - http://www.jayloden.com/aimfix.htm
21. Avira Anti-Rootkit - http://www.free-av.com/en/tools/4/avira_antirootkit_tool.html
22. Avira Boot Sector Repair Tool - http://www.free-av.com/en/tools/9/avira_boot_sector_repair_tool.html
23. Trend Micro's Rootkit Buster - http://free.antivirus.com/rootkit-buster/
24. Trend Micro's CWS Shredder - http://free.antivirus.com/cwshredder/
25. Dial-A-Fix - http://www.softpedia.com/progDownload/Dial-a-fix-Download-27328.html
26. F-Secure BlackLight Anti-Rootkit - http://www.f-secure.com/en_EMEA/products/technologies/blacklight/
27. GMER Anti-Rootkit - http://www.gmer.net/
28. Trend Micro's Hijack This! - http://free.antivirus.com/hijackthis/
29. Kazaa Spyware Removal - http://majorgeeks.com/Kazaa_Spyware_Removal_d3110.html
30. Look2Me Destroyer - http://www.softpedia.com/get/Antivirus/Look2Me-Destroyer.shtml
31. QooFix - http://www.malwarebytes.org/qoofix.php
32. Vundo Fix - http://vundofix.atribune.org/
33. CCleaner - http://www.ccleaner.com/
34. Registry Mechanic - http://www.pctools.com/registry-mechanic/
35. JV16 Power Tools - http://www.macecraft.com/jv16powertools2009-info/
36. Windows Malicious Software Removal Tool - http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4...
37. Dr. Web's CureIt - http://download.cnet.com/Dr-Web-CureIt/3000-2239_4-128071.html
38. SuperAntiSpyware - http://www.superantispyware.com/
39. Defraggler - http://www.piriform.com/defraggler
40. Spybot Search & Destroy - http://www.safer-networking.org/en/download/
41. Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix
42. USB Write Protector - http://techie-buzz.com/utilites/usb-write-protector-shields-your-usb-fla...
43. 7-Zip Portable - http://portableapps.com/apps/utilities/7-zip_portable
44. Microsoft Installer CleanUp - http://support.microsoft.com/kb/290301 (Windows XP only)
45. Microsoft Auto Play Fix - http://www.microsoft.com/downloads/details.aspx?familyid=C680A7B6-E8FA-4... (Windows XP only)
46. Winsock Fix - http://windowsxp.mvps.org/winsock.htm (Windows XP only)

Step 1 --> Backups
First things first: you are going to want to back up all the files you absolutely cannot lose to a flash drive or external hard drive. Also, make sure you back up the registry in case it is corrupted beyond repair, so that you do not have to reinstall your operating system. To learn how to back up your registry, follow the instructions on the following website (ignore the System Restore option):
http://windowsxp.mvps.org/registry.htm
Step 2 --> Preparations
Now it is time to move on to the preparations for the removals. The first thing you are going to want to do is get another USB flash drive. It is probably best to use at least a 2GB drive, but you can get away with a 1GB stick if you don't download all of the tools and store them on there. Personally, I use an 8GB flash drive so that I can store other things on it as well. First, plug your flash drive into the clean computer on which you are downloading all of the tools. Follow the directions on the relevant website to install 1-2-3 Spyware Free, A-Squared Hijack Free, A-Squared USB, 7-Zip Portable, and ClamWin Portable onto the flash drive. None of these programs require registry entries to run; all of the information they need is in configuration files located in the same folders as the programs on your flash drive. Once those are installed, go ahead and transfer over the other utilities that you would like to use. I personally have all of the utilities on my flash drive, along with a few other programs for other uses. Once you have transferred over all of the utilities that you want to use, make sure you have the entire USB Write Protector folder somewhere on your flash drive. Make sure that you run each of the utilities that require updates (A-Squared USB, 1-2-3 Spyware Free, and ClamWin Portable) on the clean computer so that you have the latest definitions. Just one more step and we will get to actually removing the malware. The last thing you need to do is use the utility I just mentioned, USB Write Protector. All you need to do is launch the executable located in the folder and click where it says "Enable Write Protection." The reason this software is so crucial is that some worms and trojans have the ability to infect flash drives. This software ensures that nothing can write to the flash drive while it is plugged into any computer.
Now that write protection is enabled, we can start the actual removals. Make sure that you close the USB Write Protector software and eject your flash drive from the computer. The first thing you need to do on the infected computer is to disable System Restore and delete all of the System Restore Points, because a lot of malware likes to hide in these restore points, which 99% of malware scanners ignore. Once you have done this, you are ready to move on to the next step.

Note: For removal of rogue security products (ex. Antivirus 2009, Security Tool, Internet Security 2010, etc), begin with the next step. If you are just trying to clean a computer of general malware, please skip to Step 4.

Step 3 --> Removal of rogue antivirus softwares
This is going to give some of our scanners the chance to remove as much malware as possible from your system. We are going to start by trying to kill the infected processes so you will not be as impeded by the popups and other messages. Open up SpyDLLRemover and click on "Start Scan" to start the automated scanner. While that is scanning, click on the "Process Viewer" tab. You will see a more advanced version of the Windows Task Manager. Go ahead and scroll down to where you see the executable that is the main file for your particular rogue security product. This will be easy to spot because most of the executables are similar in name to what the program is called. For example, Personal Antivirus's executable is named PAV.exe. Once you click on the running process, you will see a list of all of the DLLs that are attached to that particular executable. As a side note, write down the name and file path of each of the DLLs attached to the running process, because each of those is probably infected as well; I will touch on that later on. Once you have written down all of that information, select the DLLs attached to the running process by clicking on their names in the bottom section and then click on the button at the bottom of the window labeled "Remove DLL." If anything asks whether you are sure about this, click OK. Once you have removed all of the DLLs attached to the executable, you can kill the running process by clicking on the executable in the top portion of the window and then clicking the button labeled "Kill Process." Now that you have done this, you should have no more popups while you do the rest of your work. By this time, the automated scan you started a few minutes ago should be finished.
If the scan has found any of the DLLs on the list you made a few minutes ago (the ones attached to the rogue antivirus software's executable), click on the DLL's name and a list of all of the processes that use that DLL should appear below it. If the only process that uses the DLL is the rogue antivirus software's executable, click on the button labeled "Remove DLL." If you are unsure what to do here, don't do anything. Just write down all of the names and file paths so that you make sure you don't delete a core system DLL that the computer needs. Once that is complete, you should run SmitFraudFix. If you have any questions on how to use this software, make sure you read the full guide on the same page you downloaded the file from. Once this is complete, move on to Step 4.

Step 4 --> Installing software on the computer
To start out, go ahead and run the Malwarebytes Anti-Malware executable to install the program onto the computer. When it prompts you to restart your computer, don't do it, because there are a few other things we need to do first. Once Malwarebytes is installed on the computer, install SuperAntiSpyware. During the SuperAntiSpyware setup, make sure you tell it that you do NOT want to enable the proactive defenses, just to be able to scan the computer. Lastly, install Spybot Search & Destroy and make sure this one is also configured so that it does not give you proactive threat detection. Once those programs are installed, you can go ahead and restart your computer. Once your computer has restarted, go back up to Step 3 and then continue on to Step 5.

Step 5 --> Running the scans on the computer (simultaneously or one after another)
This is the part of the removal process that is the easiest and most automated. First start off by loading up Malwarebytes and starting a scan of the computer's hard drive. Go ahead and minimize the window once the scan is started and load up SuperAntiSpyware. Start a scan with SuperAntiSpyware and minimize that window as well. (Note: Make sure that you are only targeting the hard drive and not your flash drive. Some of the utilities are recognized as malware by the scanners, and the scanners will get hung up trying to remove them from your write-protected flash drive.) If you are working on a slower computer, I would let the two scanners that are running now finish before going any further. Now, load up A-Squared Free or the A-Squared Command Line scanner (read the documentation included with this tool for tips on how to use the command-line scanner) and start a scan with either of those tools. Once that is running, load up 1-2-3 Spyware Free and run a scan on the computer with it. Now, load up Spybot Search & Destroy and run a scan with it as well. The last scanner you need to start is Kaspersky's AVZ Antiviral Toolkit. Load up the AVZ.exe file. When the window pops up, make sure the box next to your hard drive is checked. Click on the "File types" tab and make sure that the scanner is set to scan "All files" and that the box next to "Do not scan archives larger than" is unchecked. Next, click on the "Search parameters" tab and, under the "Heuristic analysis" group, drag the bar to the top and check the box next to "Extended analysis." Make sure that the boxes next to "Fix SPI/LSP errors automatically," "Search for TCP/UDP ports used by Trojan horses," and "Fix system errors automatically" are checked. Under the "Automatic actions" field, check the box next to "Enable malware removal mode" and make sure that all the drop-down boxes are set to "Remove." Once all of those options are set, click on the button labeled "Start" to start the malware scan.
Now, go grab yourself some food or go do something else for about an hour or two while these scanners go to work. Some of the other scanners that you should run afterwards are Avast! Portable Virus Cleaner, Avira Antivir Removal Tool, McAfee Stinger, Norman Malware Cleaner, Kaspersky AVP Tool, and AVG VCleaner.

Special Note: If a particular rogue antivirus software has not been removed from your system after the scanners have run, then make sure that you run SmitFraudFix. To learn how to use it, refer to the site where you download it from.

Step 6 --> Cleanups after automated scanners
Once the scanners have completed, review each of the scan results. If any of the scanners failed to remove or clean a file, make sure you write down the file and its location so you can delete it later using 7-Zip. Once the scanners have been run, you are going to want to restart your computer and boot it into Safe Mode. Once you have booted into Safe Mode, you are going to need to run Hijack This. If you are not sure about what to remove using Hijack This, then when you run it, click on "Do a System Scan and Save a Log File." If you are sure of how to use Hijack This, just click on "Just Do a System Scan" and then remove what you need to. The reason you should not just remove everything on the list is that you can seriously screw up your computer. If you are unsure what to remove from this list, you can post your log file at http://www.hijackthis.de/ and have it analyzed automatically, or you can post in the forums and someone will give you the list of exactly what to remove from your computer. Now, once you have finished doing that, load up Autoruns from Microsoft. This program is going to allow you to see every single file that is set to autorun when the computer turns on. If any of the files were not deleted when the malware scanners completed, now would be the time to look for those files and stop them from auto-running. The next time you restart the operating system, you should then be able to delete the infected file with no other problems. Once you have stopped all of the items that you did not want starting up on your computer, your computer should also be running faster. At this point in time, you are welcome to run any of the following utilities: ADS Spy, Dial-A-Fix (Windows XP only), CWSShredder, E2TakeOut, QooFix, Look2Me Destroyer, AboutBuster, VundoFix, and ATF-Cleaner. Make sure you run ATF-Cleaner after all of the other programs have been run.
At this point, I would suggest downloading an antivirus program like Kaspersky, Webroot, Spyware Doctor, or Norton 2010.

Step 7 --> Registry cleanup and repair
This part of the cleanup is relatively easy. The first thing you need to do is install CCleaner. When you start CCleaner, click on the "Cleaner" tab on the left-hand side of the window. Next, click on the "Analyze" button. When the analysis has completed, click on "Run Cleaner." Next, click on the "Registry" tab on the left-hand side of the window. Click on the "Scan for Issues" button. When the scan is complete, click on the button labeled "Fix selected issues..." Make sure that you fix all of the selected issues. You can choose to back up the changes if you want, but I have never had a problem with what CCleaner fixes. When you are done with CCleaner, you can uninstall it from your computer. Do the same with Registry Mechanic and JV16 Power Tools: just run the registry cleaners in each of those programs. Once each of these is done, feel free to tweak the registry to your liking. I will be making a post in the forums under Windows Software with some of the registry fixes that I have. If you would like to tweak your registry to your own liking, you can do a quick Google search and you should be able to find the registry fixes for whatever operating system you are using.

Step 8 --> Operating system repair and cleanup
Over the course of the malware removals, the operating system tends to get screwed up. The following fixes should repair the operating system back to a working condition. If there is a particular problem that you are having, a quick Google search should bring up the correct fix for it. Open up a command prompt window. Type in "CHKDSK /R" (without the quotes) and then, when it reports that CHKDSK cannot run because the volume is in use (it will run at the next restart instead), type in "SFC /SCANNOW". Once that has completed, restart your computer. Upon restart, CHKDSK is going to start and verify that there are no bad sectors in use. If there are, the operating system will ignore those sectors so you do not have problems with your operating system. Once that is completed, if you have Windows XP, run the Microsoft Installer CleanUp utility. This repairs anything a piece of malware has modified in the Windows Installer that would cause a program not to install correctly or the Windows Installer not to launch at all. Also, if you have Windows XP, run the Microsoft Auto Play Fix, which finds defective AutoPlay settings and attempts to fix the ones it finds. Finally, the last fix for Windows XP is to run the Winsock XP Fix to make sure that there are no traces of malware left in the Windows Winsock.

Note: The last problem that a lot of people usually have after they have completed malware removals on their computer is that they have no internet connection afterwards. This last step is meant only to help those people who have this problem.

Step 9 --> Reconnecting to the internet
First we are going to check the internet connection settings before we start messing with any registry/operating system repairs. First things first, make sure that you have your drivers installed. If you have XP, click on "Start," and then click on "Run." If you have Vista, click on "Start," and then type in the blank space under "All Programs." In either of those spaces, type in "devmgmt.msc" and hit Enter. If you look under your network drivers and there are drivers that need to be reinstalled, please download your drivers on another computer and reinstall them. Once you have done that, the next step is to check the network device settings. To do this, click on "Start," right-click on "Network," then left-click on "Properties." On the left-hand side, click on "Manage Network Connections." In the window that pops up, you should see the network devices that are installed on your computer. The next few steps should be the same for any of your network devices. Right-click on the network device and then left-click on "Properties." In the next window that pops up, click on "Internet Protocol..." and click on the button at the bottom-right labeled "Properties." Make sure that the "obtain automatically" option is selected in BOTH places in that window, for the IP address as well as "Obtain DNS server address automatically." Then click on "OK" and go ahead and close all of the network windows. Now, open up Internet Explorer (yes, even if you don't use it) and open up "Internet Options" under the "Tools" menu (if you can't see it on Vista, click somewhere in the web browser and hit the Alt key on your keyboard and the menus will pop up). If your internet is being redirected, here you can change your homepage. Click on the "Security" tab at the top, then click on each of "Internet," "Local intranet," "Trusted sites," and "Restricted sites" and make sure that each of them is set to the "Default level" by clicking that button as you select each one.
Under the "Privacy" tab, do the same thing and make sure it is set to "Default" by clicking on the button labeled as such. Lastly, click on the "Connections" tab, then click on the button labeled "LAN settings" and make sure that the box next to "Automatically detect settings" is checked. Now, close Internet Explorer and open up a command prompt window. When you have it open, type in "ipconfig /release" and then "ipconfig /renew". This will force your network card to refresh the network settings that you have just changed. If none of these fixes have worked, then you should do some research into Group Policies. If you have Windows XP, you can use Dial-A-Fix to scan for restrictive policies. If you have any other operating system, look at http://technet.microsoft.com/en-us/library/cc960596.aspx to learn how to remove restrictive group policies. Now, the Winsock needs to be reset. If you are running Windows XP, then you need to run the Winsock XP Fix that I had you download earlier. If you are running Windows Vista or 7, then open the command prompt as an administrator and type "netsh winsock reset". After that is complete, type in "ipconfig /release". Once that has completed, type in "ipconfig /renew". When those 3 commands have completed, restart your computer. Upon the restart of your computer, you should be able to connect to the internet.

Once you have completed all of these steps, your computer should be clean (for the most part). There is no true way to know for sure that your computer is fully clean unless you reinstall your operating system and replace your MBR. If you have completed all of the steps above and have run all of the softwares listed in this, then your computer should be as clean as you can possibly get it. I will be posting more in-depth guides at a later date on how to use some of the software which was not explained in this particular guide.

Clearing Tracks on Windows

It's been a long time since I have dumped something on this page, so here goes.

This particular article was written by my mentor cisc0ninja way back in 2008.

The first thing I would recommend is writing some scripts when you're at home and putting them in hidden locations on the computer.
For instance deep down in weird system directories where people don't normally visit.
example: c:\windows\system32\wbem or oobe or some weird folder that not many people know what's supposed to be there and what's not.

You can write scripts to do whatever you want, but the main things you want to write are ways of covering your tracks, aka deleting any info that you were ever there, as well as possibly turning off any monitoring or logging while you're logged in.

98% of the time if they're logging or watching they will be using some sort of 3rd party software, so you'll have to figure out what it is and how to disable it on your own. If there is a specific type that you need help with and I get enough people asking me to write a doc on bypassing a particular software, I may. For right now we'll stick with Windows logs.

There's this thing called "Event Viewer", which may, more than likely, be running.
You only want to clear this when you absolutely think it is necessary, because if a systems admin sees it's clear, they're gonna know something was going on here. And what sucks about it is that it only gives you the option of clearing everything or nothing, not just one or two lines.
There may be a registry setting somewhere I don't know about to allow just the clearing of one or two lines, but I wouldn't get my hopes up.

You can view/clear the event viewer logs by right-clicking on "my computer" and going to the "manage" option.
You will see it under Computer Management(local) and then System Tools, then Event Viewer.
Notice there are 3 different types of logs, Application, Security, and System.
(if you clear one you might as well clear them all because one could potentially help the admin find out who it was that cleared the other)

The majority of ways that Windows logs you is by logging your internet traffic. Cookies, temp files, temporary internet files, browser history, your "recent" aka recently accessed files. All this stuff should be deleted. You can actually speed up your computer by deleting a lot of this regularly, thus preventing a lot of malware/spyware and other b.s. from mucking up your machine. So it leaves fewer tracks and makes the computer all nice and clean. Who wants to have root/admin on a box that's already all f**** up anyways?

Thursday, January 6, 2011

Anonymous FTP FAQ

How to Set up a Secure Anonymous FTP Site
The following is a FAQ on setting up a secure FTP site. FTP sites are well known for abuse through the transfer of illegal files. They also open many opportunities for intruders to gain access via misconfigured setups. And lastly, many versions of ftp servers have had security holes. This FAQ is intended to clean up this abuse by letting administrators go through this checklist of steps to make sure their FTP is correctly configured and that they are running the most current ftp daemon.

This is organized into several parts, as follows:

1. General Description of Setting up an "anonymous" ftp server.
Create the user ftp in /etc/passwd. Use a misc group. The user's home directory will be ~ftp where ~ftp is the root you wish anonymous users to see. Creating this user turns on anonymous ftp.
Use an invalid password and user shell for better security. The entry in the passwd file should look something like:

ftp:*:400:400:Anonymous FTP:/home/ftp:/bin/true
Create the home directory ~ftp. Make the directory owned by root (NOT ftp) with the same group as ftp. Thus, owner permissions are for root and group permissions are for the anonymous users. Set the permissions for ~ftp to 555 (read, nowrite, execute).
Warning: Some MAN pages recommend making the ~ftp directory owned by ftp. This is a big NO-NO, if you want any type of security on your system.


Create the directory ~ftp/bin. This directory is owned by root (group e.g. wheel) with permissions 111 (noread, nowrite, execute).

Copy the program ls into ~ftp/bin. ls is owned by root with permissions 111 (noread, nowrite, execute). Any other commands you put in ~ftp/bin should have the same permissions as well.

Make the directory ~ftp/etc. This directory is owned by root with permissions 111.

Create from scratch the files passwd and group in ~ftp/etc. These files should be mode 444. The passwd file should only contain root, daemon, uucp, and ftp. The group file must contain ftp's group. Use your real /etc/passwd and /etc/group as templates for the passwd and group files that go in ~ftp/etc. You may even change the user names in these files; they are used only by the 'ls' command. So, for example, if all files in your ~ftp/pub/linux hierarchy will be maintained by a real user 'balon' with uid=156, you may put
linux:*:156:120:Kazik Balon::
in the ~ftp/etc/passwd file (regardless of his real username). Leave only those users who will own files under the ftp hierarchy (e.g. root, daemon, ftp...) and definitely remove *ALL* passwords by replacing them with '*', so the entries look like:
root:*:0:0:Ftp maintainer::
ftp:*:400:400: Anonymous ftp::
For more security, you can just remove ~ftp/etc/passwd and ~ftp/etc/group (the effect is that ls -l will not show the directories' group names). The Wuarchive ftp daemon (and some others) has some extensions based on the contents of the group/passwd files, so read the appropriate documentation.

Make the directory ~ftp/pub. This directory is owned by you and has the same group as ftp, with permissions 555. On most systems (like SunOS) you may want to make this directory 2555, i.e. set-group-id, in order to create new files with the same group ownership.
Files are left here for public distribution. All folders inside ~ftp/pub should also have permissions 555.

Warning: Neither the home directory (~ftp) nor any directory below it should be owned by ftp! No files should be owned by ftp either. Modern ftp daemons support all kinds of useful commands, such as chmod, that allow outsiders to undo your careful permission settings. They also have configuration options like the following (WuFTP) to disable them:

# all the following default to "yes" for everybody
delete    no  guest,anonymous   # delete permission?
overwrite no  guest,anonymous   # overwrite permission?
rename    no  guest,anonymous   # rename permission?
chmod     no  anonymous         # chmod permission?
umask     no  anonymous         # umask permission?

If you wish to have a place for anonymous users to leave files, create the directory ~ftp/pub/incoming. This directory is owned by root with permissions 733. Do a 'chmod +t ~ftp/pub/incoming'. The ftp daemon will normally not allow an anonymous user to overwrite an existing file, but a normal user of the system would be able to delete anything. By setting the mode to '1733' you prevent this from happening. In wuftpd you may configure the daemon to create new files with permissions '600' owned by root or any other user. Many times, incoming directories are abused by exchanging pirated and pornographic material. Abusers often create hidden directories there for this purpose. Making the incoming directory unreadable by anonymous ftp helps to some extent. With ordinary ftp servers there is no way to prevent directories being created in incoming. The WUarchive ftp server can limit uploads to certain directories and can restrict the characters used in file names like this:

# specify the upload directory information
upload /var/spool/ftp *         no
upload /var/spool/ftp /incoming yes ftp staff 0600 nodirs

# path filters
path-filter anonymous /etc/msgs/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
path-filter guest     /etc/msgs/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

Suggestion: Create an extra file-system for your ftp-area (or at least for your incoming-area) to prevent a denial-of-service attack by filling your disk with garbage (inside your incoming directory).
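The part 1 checklist above (root-owned ~ftp, execute-only bin and etc, a scratch-built passwd and group, a 555 pub and a 1733 incoming drop box), plus the zero-length .rhosts and .forward files the FAQ recommends further down, collected into one POSIX shell script with an audit function. This is an added example, not part of the FAQ; FTP_ROOT, FTP_UID, FTP_GID and FTP_GROUP are assumed names whose defaults follow the FAQ's sample entries.

```shell
#!/bin/sh
# Added example (not from the FAQ): build the anonymous FTP area of part 1 and
# audit it for the mistakes the FAQ warns about. FTP_ROOT, FTP_UID, FTP_GID and
# FTP_GROUP are assumed names; defaults follow the FAQ's sample passwd entry.
# chown needs root; as an ordinary user only the modes are applied (dry run).
set -u
FTP_ROOT="${FTP_ROOT:-/home/ftp}"
FTP_UID="${FTP_UID:-400}"
FTP_GID="${FTP_GID:-400}"
FTP_GROUP="${FTP_GROUP:-ftp}"

# own OWNER[:GROUP] PATH : chown only when running as root, else a dry run
own() {
    [ "$(id -u)" -ne 0 ] || chown "$1" "$2" || echo "warning: chown $1 $2 failed" >&2
}

# mode_of PATH : the permission string as ls prints it, e.g. dr-xr-xr-x
mode_of() { ls -ld "$1" | cut -c1-10; }

build_ftp_tree() {
    root="$1"
    mkdir -p "$root/bin" "$root/etc" "$root/pub/incoming" || return 1
    # ls for anonymous listings; under a chroot it must be statically linked
    # (part 2), so a dynamic copy like this one only serves the dry run.
    cp "$(command -v ls)" "$root/bin/ls" || return 1
    # passwd and group built from scratch: only the owners of files in the
    # tree, with every password field replaced by '*'.
    printf 'root:*:0:0:Ftp maintainer::\nftp:*:%s:%s:Anonymous ftp::\n' \
        "$FTP_UID" "$FTP_GID" > "$root/etc/passwd"
    printf '%s:*:%s:\n' "$FTP_GROUP" "$FTP_GID" > "$root/etc/group"
    chmod 444 "$root/etc/passwd" "$root/etc/group"
    # Zero-length, root-owned .rhosts and .forward so nobody else can plant them.
    : > "$root/.rhosts"; : > "$root/.forward"
    chmod 400 "$root/.rhosts" "$root/.forward"
    # Modes last, innermost first, so the files above could still be written.
    chmod 1733 "$root/pub/incoming"                   # drop box: writable, unlistable, sticky
    chmod 555 "$root/pub"                             # public area: read-only
    chmod 111 "$root/bin/ls" "$root/bin" "$root/etc"  # execute only, unreadable
    chmod 555 "$root"
    # Everything is owned by root, never by ftp; group ftp only where anonymous
    # users need group permissions (~ftp and ~ftp/pub).
    for p in "$root/bin" "$root/bin/ls" "$root/etc" "$root/etc/passwd" \
             "$root/etc/group" "$root/.rhosts" "$root/.forward" "$root/pub/incoming"; do
        own root "$p"
    done
    own "root:$FTP_GROUP" "$root"
    own "root:$FTP_GROUP" "$root/pub"
}

# expect_mode PATH MODESTRING : report a mismatch and return 1
expect_mode() {
    [ "$(mode_of "$1")" = "$2" ] && return 0
    echo "BAD mode on $1: $(mode_of "$1"), want $2"
    return 1
}

# audit_ftp_tree ROOT : print every violation, return 0 only when clean
audit_ftp_tree() {
    root="$1"
    bad=0
    expect_mode "$root"              dr-xr-xr-x || bad=1
    expect_mode "$root/bin"          d--x--x--x || bad=1
    expect_mode "$root/bin/ls"       ---x--x--x || bad=1
    expect_mode "$root/etc"          d--x--x--x || bad=1
    expect_mode "$root/etc/passwd"   -r--r--r-- || bad=1
    expect_mode "$root/pub"          dr-xr-xr-x || bad=1
    expect_mode "$root/pub/incoming" drwx-wx-wt || bad=1
    expect_mode "$root/.rhosts"      -r-------- || bad=1
    # The FAQ's big NO-NO: nothing under ~ftp may be owned by the ftp user.
    # (Execute-only directories can only be searched as root; errors are dropped.)
    owned=$(find "$root" -user "$FTP_UID" 2>/dev/null || true)
    [ -z "$owned" ] || { echo "BAD owner ftp:"; echo "$owned"; bad=1; }
    # No group- or world-writable directory except the incoming drop box.
    writable=$(find "$root" -type d \( -perm -020 -o -perm -002 \) \
                    ! -path "$root/pub/incoming" 2>/dev/null || true)
    [ -z "$writable" ] || { echo "BAD writable dir:"; echo "$writable"; bad=1; }
    # The anonymous passwd must carry no hashes: field 2 is always '*'.
    if ! awk -F: '$2 != "*" { exit 1 }' "$root/etc/passwd" 2>/dev/null; then
        echo "BAD password field in $root/etc/passwd"; bad=1
    fi
    return "$bad"
}

# Usage:  FTP_ROOT=/home/ftp sh ftpsetup.sh build   (as root, on the server)
#         FTP_ROOT=/tmp/ftp  sh ftpsetup.sh audit   (dry run anywhere)
case "${1:-}" in
    build) build_ftp_tree "$FTP_ROOT" && audit_ftp_tree "$FTP_ROOT" ;;
    audit) audit_ftp_tree "$FTP_ROOT" ;;
esac
```

Run it as root on the server with FTP_ROOT set to the real area; as an ordinary user it only sets modes, which is enough to exercise the audit under a scratch directory.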

If you have wuftpd you may want to add some ftp extensions like compression/decompression 'on the fly' or creation of tar files for directory hierarchies. Get the appropriate sources (gzip, gnutar, compress), compile them and link them statically, put them in the ~ftp/bin directory and edit the appropriate file containing the definitions of the allowed conversions. /usr/bin/tar is already statically linked. You may wish to use GNU tar anyway.

Gary Mills wrote a small program to support the following:

To do tar and compress, he wrote a tiny program called `pipe', and statically linked it. His /etc/ftpconversions file looks like this:

#strip prefix:strip postfix:addon prefix:addon postfix:external command:
#types:options:description
:.Z: : :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
:-z: : :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
: : :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
: : :.tar:/bin/tar cf - %s:T_REG|T_DIR:O_TAR:TAR
: : :.tar.Z:/bin/pipe /bin/tar cf - %s | /bin/compress -c:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
: : :.tar:/bin/gtar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
: : :.tar.Z:/bin/gtar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
: : :.tar.gz:/bin/gtar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP

Here it is:

-----------------8<-------------cut---------------
/* pipe.c: exec two commands in a pipe */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define MAXA 16

static void uexit(void);

int main(int argc, char *argv[])
{
    char *av1[MAXA], *av2[MAXA];
    int i, n, p[2], cpid;

    /* words before a lone "|" form the first command; MAXA - 1 leaves room
     * for the terminating NULL that execv() requires */
    i = 0;
    n = 0;
    while (++i < argc && n < MAXA - 1) {
        if (*argv[i] == '|' && *(argv[i] + 1) == '\0')
            break;
        av1[n++] = argv[i];
    }
    if (n == 0)
        uexit();
    av1[n] = NULL;

    /* words after the "|" form the second command */
    n = 0;
    while (++i < argc && n < MAXA - 1)
        av2[n++] = argv[i];
    if (n == 0)
        uexit();
    av2[n] = NULL;

    if (pipe(p) != 0)
        exit(1);
    if ((cpid = fork()) == -1) {
        exit(1);
    } else if (cpid == 0) {
        /* child: stdout becomes the write end of the pipe, then run command 1 */
        (void)close(p[0]);
        (void)close(1);
        (void)dup(p[1]);
        (void)close(p[1]);
        (void)execv(av1[0], av1);
        _exit(127);
    } else {
        /* parent: stdin becomes the read end of the pipe, then become command 2 */
        (void)close(p[1]);
        (void)close(0);
        (void)dup(p[0]);
        (void)close(p[0]);
        (void)execv(av2[0], av2);
        _exit(127);
    }
    /*NOTREACHED*/
}

static void uexit(void)
{
    static const char usage[] = "Usage: pipe cmd1 [args] | cmd2 [args]\n";
    (void)write(2, usage, sizeof usage - 1);
    exit(1);
}
-------- CUT HERE ------------

Other things to do, as root:

touch ~ftp/.rhosts
touch ~ftp/.forward
chmod 400 ~ftp/.rhosts
chmod 400 ~ftp/.forward

i.e. make these files zero-length and owned by root. Due to the last /bin/mail bugs in SunOS:

touch /usr/spool/mail/ftp; chmod 400 /usr/spool/mail/ftp

Consider an email alias for the ftp admin(s) to provide an email address for problem reports.

If you are mounting some disks from other machines (or even your own) into the ~ftp hierarchy, mount them read-only. The correct entry for /etc/fstab (on the host with ftpd) is something like:

other:/u1/linux /home/ftp/pub/linux nfs ro,noquota,nosuid,intr,bg 1 0

This mounts under /home/ftp/pub/linux the disk from host 'other' with no quota, no 'suid' programs (just in case), interruptible (in case 'other' goes down) and 'bg', so that if 'other' is down when you reboot, the mount is retried in the background instead of holding up the boot.

--------------------------------------------------------------------------------
2. Setting up a chrooted Secure Anonymous ftp server.
This part was contributed by Marcus J Ranum.
Build a statically linked version of ftpd and put it in ~ftp/bin. Make sure it's owned by root.

Build a statically linked version of /bin/ls if you'll need one. Put it in ~ftp/bin. If you are on a Sun, and need to build one, there's a ported version of the BSD net2 ls command for SunOs on ftp.tis.com: pub/firewalls/toolkit/patches/ls.tar.Z Make sure it's owned by root.

Chown ~ftp to root and make it mode 755 THIS IS VERY IMPORTANT

Set up copies of ~ftp/etc/passwd and ~ftp/etc/group just as you would normally, EXCEPT make 'ftp's home directory '/' -- make sure they are owned by root.

Write a wrapper to kick ftpd off and install it in /etc/inetd.conf The wrapper should look something like: (assuming ~ftp = /var/ftp)

main()

{

if(chdir("/var/ftp")) {

perror("chdir /var/ftp");

exit(1);

}

if(chroot("/var/ftp")) {

perror("chroot /var/ftp");

exit(1);

}

/* optional: seteuid(FTPUID); */

execl("/bin/ftpd","ftpd","-l",(char *)0);

perror("exec /bin/ftpd");

exit(1);

}


Options:
You can use 'netacl' from the toolkit or tcp_wrappers to achieve the same effect.

We use 'netacl' to switch so that a few machines that connect to the FTP service *don't* get chrooted first. This makes transferring files a bit less painful.

You may also wish to take your ftpd sources and find all the places where it calls seteuid() and remove them, then have the wrapper do a setuid(ftp) right before the exec. This means that if someone knows a hole that makes them "root" they still won't be. Relax and imagine how frustrated they will be.

If you're hacking ftpd sources, I suggest you turn off a bunch of the options in ftpcmd.y by unsetting the "implemented" flag in ftpcmd.y. This is only practical if your FTP area is read-only.


As usual, make a pass through the FTP area and make sure that the files are in correct modes and that there's nothing else in there that can be executed.

Note, now, that your FTP area's /etc/passwd is totally separated from your real /etc/passwd. This has advantages and disadvantages.

Some stuff may break, like syslog, since there is no /dev/log. Either build a version of ftpd with a UDP-based syslog() routine or run a second syslogd based on the BSD Net2 code, that maintains a unix-domain socket named ~ftp/dev/log with the -p flag.
REMEMBER:

If there is a hole in your ftpd that lets someone get "root" access they can do you some damage even chrooted. It's just lots harder. If you're willing to hack some code, making the ftpd run without permissions is a really good thing. The correct operation of your hacked ftpd can be verified by connecting to it and (while it's still at the user prompt) do a ps-axu and verify that it's not running as root.


--------------------------------------------------------------------------------

3. OS Specific needed information and suggestions.
These machines may need dev/tcp:
Older SVR2 and SVR3 system
RTU 6.0 (Masscomp, now Concurrent Real Time UNIX),
AT&T 3B1 and 3B2 machines

[dev/tcp]
These ftpd implementations may require a ~ftp/dev/tcp in order for anonymous ftp to work.
You have to create a character special device with the appropriate major and minor device numbers. The appropriate major and minor numbers of ~ftp/dev/tcp are what the major and minor numbers of /dev/tcp are.

The ~ftp/dev is a directory and ~ftp/dev/tcp is a character special device. Make them owned and grouped by root. Permissions for ~ftp/dev is root read/write/exec and other & group read and exec. The permissions for ~ftp/dev/tcp is root read/write, other & group read.


HPUX
[Logging] If you're using HP's native ftpd, the line in /etc/inetd.conf should execute ftpd -l, which does extra logging.
Solaris 2.x
[Script] Solaris' man page contains a script for installing anonymous ftpd which saves time. You may still want to check over your anonymous ftpd for vulnerabilities.
Command for reading the man page is:

$ man ftpd
SunOS
[Libraries] To set up SunOS to use its shared dynamic libraries, follow these steps:
Create the directory ~ftp/usr. This directory is owned by root with permissions 555.

Create the directory ~ftp/usr/lib. This directory is owned by root with permissions 555.

Copy the runtime loader ld.so into ~ftp/usr/lib for use by ls. ld.so is owned by root with permissions 555.

Copy the latest version of the shared C library, libc.so.* into ~ftp/usr/lib for use by ls.
libc.so.* is owned by root with permissions 555.

Note: 4.1.2(or above) users: you also need to copy /usr/lib/libdl.so.* to ~ftp/lib.


Create the directory ~ftp/dev. This directory is owned by root with permissions 111.

~ftp/dev/zero is needed by the runtime loader. Move into the directory ~ftp/dev and create it with the command:
mknod zero c 3 12
chown ~ftp/dev/zero to root. Make sure it's readable.
Warning: For novices: Don't try to copy /dev/zero to ~ftp/dev/zero! This is an endless file of zeroes and it will completely fill your filesystem!


If you want to have the local time showing when people connect, create the directory ~ftp/usr/share/lib/zoneinfo and copy /usr/share/lib/zoneinfo/localtime

If you are bothered by the need for copying your libraries so that you can use Sun's 'ls', which is dynamically linked, you can try to get a statically linked copy of 'ls' instead. The CD-ROM that contains Sun's OS has a statically-linked version of ls. In this case, you can dispense with steps #6-8.
Statically linked versions may be available from the following sources:

If you want a statically linked "ls" get the GNU fileutils off a archive site near you and statically link it.

[Logging] Sun's standard ftpd logs *all* password information. To correct it, install patch:


101640-03 SunOS 4.1.3: in.ftpd logs password info when -d option is

used.


In /etc/inetd.conf find the line that starts with "ftp". At the end of that line, it should read "in.ftpd". Change that to "in.ftpd -dl". In /etc/syslog.conf, add a line that looks like:


daemon.* /var/adm/daemonlog


The information can be separated (or like SunOs4.1.1 does not recognize daemon.* so it requires the following form), such as:

daemon.info /var/adm/daemon.info

daemon.debug /var/adm/daemon.debug

daemon.err /var/adm/daemon.err


Note that the whitespace between the two columns must include at least one TAB character, not just spaces, or it won't work. Of course your log file could be anything you want. Then, create the logfile (touch /var/adm/daemonlog should do). Finally, restart inetd and syslogd, either individually, or by rebooting the system. You should be good to go. If you do not install the patch, make sure the log file is owned by root and mode 600, as the ftp daemon will log *everything*, including users' passwords.
Warning: You want to make all logs root only readable for security reasons If a user mistypes his password for his username, it could be compromised if anyone can read the log files.


--------------------------------------------------------------------------------

4. Where to get other FTP daemons
Wuarchive FTP 2.4- A secure FTP daemon that allows improved access-control, logging, pre-login banners, and is very configurable:
Can be ftp'd from ftp.uu.net in "/networking/ftp/wuarchive-ftpd" directory. Be certain to verify the checksum information to confirm that you have retrieved a valid copy. [Warning: Older versions of Wu-FTP are extremely insecure and in some cases have been trojaned.]


BSD SVR4

File Checksum Checksum MD5 Digital Signature

----------------- -------- --------- --------------------------------

wu-ftpd-2.4.tar.Z 38213 181 20337 362 cdcb237b71082fa23706429134d8c32e

patch_2.3-2.4.Z 09291 8 51092 16 5558a04d9da7cdb1113b158aff89be8f


For DECWRL ftpd, sites can obtain version 5.93 via anonymous FTP from gatekeeper.dec.com in the "/pub/misc/vixie" directory.

BSD SVR4

File Checksum Checksum MD5 Digital Signature

----------------- -------- --------- --------------------------------

ftpd.tar.gz 38443 60 1710 119 ae624eb607b4ee90e318b857e6573500


For BSDI systems, patch 005 should be applied to version 1.1 of the BSD/386 software. You can obtain the patch file via anonymous FTP from ftp.bsdi.com in the "/bsdi/patches-1.1" directory.

BSD SVR4

File Checksum Checksum MD5 Digital Signature

----------------- -------- --------- --------------------------------

BU110-005 35337 272 54935 543 1f454d4d9d3e1397d1eff0432bd383cf




Public Domain Sources:

ftp.uu.net ~ftp/systems/unix/bsd-sources/libexec/ftpd
gatekeeper.dec.com ~ftp/pub/DEC/gwtools/ftpd.tar.Z

--------------------------------------------------------------------------------

5. How to Know if your Anonymous FTP Server is Secure
This section is intended for the administrator to go down a small check list of things to make sure his server is not easily compromised.
Check to make sure your ftp server does not have SITE EXEC command by telneting to port 21 and typing SITE EXEC. If your ftp daemon has SITE EXEC make sure it is the most current version (ie, Wu-FTP 2.4). In older versions this allows anyone to gain shell via port 21.

Check to make sure no one can log in and make files or directories in the main directory. If anyone can log in as anonymous FTP and make files such as .rhosts and .forward, instant access is granted to any intruder.

Check to make sure the main directory is NOT owned by ftp. If it is owned by FTP, an intruder could SITE CHMOD 777 the main directory and then plant files to give him instant access. SITE CHMOD command should be removed because anonymous users do not need any extra priviledges.

Check to make sure NO files or directories are owned by ftp. If they are, it is possible an intruder could replace them with his own trojan versions.

There were several bugs in old daemons, so it is very important to make sure you are running the most current ftp daemons.

--------------------------------------------------------------------------------

6. Archie
Searches FTP sites for programs. Login into these sites as archie or use client software for faster access. To get your own anonymous site added to Archie's search list, e-mail archie-updates@bunyip.com.

archie.ac.il 132.65.20.254 (Israel server)

archie.ans.net 147.225.1.10 (ANS server, NY (USA))

archie.au 139.130.4.6 (Australian Server)

archie.doc.ic.ac.uk 146.169.11.3 (United Kingdom Server)

archie.edvz.uni-linz.ac.at 140.78.3.8 (Austrian Server)

archie.funet.fi 128.214.6.102 (Finnish Server)

archie.internic.net 198.49.45.10 (AT&T server, NY (USA))

archie.kr 128.134.1.1 (Korean Server)

archie.kuis.kyoto-u.ac.jp 130.54.20.1 (Japanese Server)

archie.luth.se 130.240.18.4 (Swedish Server)

archie.ncu.edu.tw 140.115.19.24 (Taiwanese server)

archie.nz 130.195.9.4 (New Zealand server)

archie.rediris.es 130.206.1.2 (Spanish Server)

archie.rutgers.edu 128.6.18.15 (Rutgers University (USA))

archie.sogang.ac.kr 163.239.1.11 (Korean Server)

archie.sura.net 128.167.254.195 (SURAnet server MD (USA))

archie.sura.net(1526) 128.167.254.195 (SURAnet alt. MD (USA))

archie.switch.ch 130.59.1.40 (Swiss Server)

archie.th-darmstadt.de 130.83.22.60 (German Server)

archie.unipi.it 131.114.21.10 (Italian Server)

archie.univie.ac.at 131.130.1.23 (Austrian Server)

archie.unl.edu 129.93.1.14 (U. of Nebraska, Lincoln (USA))

archie.univ-rennes1.fr (French Server)

archie.uqam.ca 132.208.250.10 (Canadian Server)

archie.wide.ad.jp 133.4.3.6 (Japanese Server)

Anonymous FTP FAQ

How to Set up a Secure Anonymous FTP Site
The following is a FAQ on setting up a secure FTP site. FTP sites are known for being abused to transfer illegal files. Misconfigured setups also give intruders many opportunities to gain access, and, lastly, many versions of ftp servers have had security holes. This FAQ is intended to reduce that abuse by giving administrators a checklist of steps to make sure their FTP site is correctly configured and that they are running the most current ftp daemon.

This FAQ is organized into the following parts:

1. General Description of Setting up an "anonymous" ftp server.
Create the user ftp in /etc/passwd. Use a misc group. The user's home directory will be ~ftp where ~ftp is the root you wish anonymous users to see. Creating this user turns on anonymous ftp.
Use an invalid password and user shell for better security. The entry in the passwd file should look something like:

ftp:*:400:400:Anonymous FTP:/home/ftp:/bin/true
Create the home directory ~ftp. Make the directory owned by root (NOT ftp) with the same group as ftp. Thus, owner permissions are for root and group permissions are for the anonymous users. Set the permissions for ~ftp to 555 (read, nowrite, execute).
Warning: Some MAN pages recommend making the ~ftp directory owned by ftp. This is a big NO-NO, if you want any type of security on your system.


Create the directory ~ftp/bin. This directory is owned by root (group e.g. wheel) with permissions 111 (noread, nowrite, execute).

Copy the program ls into ~ftp/bin. ls is owned by root with permissions 111 (noread, nowrite, execute). Any other commands you put in ~ftp/bin should have the same permissions as well.

Make the directory ~ftp/etc. This directory is owned by root with permissions 111.

Create from scratch the files /etc/passwd and /etc/group in ~ftp/etc. These files should be mode 444. The passwd file should only contain root, daemon, uucp, and ftp. The group file must contain ftp's group. Use your /etc/passwd and /etc/group files as a template for creating the passwd and group files that go in ~ftp/etc. You may even change the user names in this file; they are used only by the 'ls' command. So, for example, if all files in your ~ftp/pub/linux hierarchy will be maintained by a real user 'balon' with uid=156, you may put
linux:*:156:120:Kazik Balon::
in the ~ftp/etc/passwd file (regardless of his real username). Leave only those users who will own files under the ftp hierarchy (e.g. root, daemon, ftp...) and definitely remove *ALL* passwords by replacing them with '*', so the entries look like:
root:*:0:0:Ftp maintainer::
ftp:*:400:400: Anonymous ftp::
For more security, you can just remove ~ftp/etc/passwd and ~ftp/etc/group (the effect is that ls -l will not show the directories' group names). The Wuarchive ftp daemon (and some others) have extensions based on the contents of the group/passwd files, so read the appropriate documentation.

Make the directory ~ftp/pub. This directory is owned by you and has the same group as ftp, with permissions 555. On most systems (like SunOS) you may want to make this directory 2555, i.e. set-group-id, so that new files are created with the same group ownership.
Files are left here for public distribution. All directories inside ~ftp/pub should also have permissions 555.

Warning: Neither the home directory (~ftp) nor any directory below it should be owned by ftp! No files should be owned by ftp either. Modern ftp daemons support all kinds of useful commands, such as chmod, that allow outsiders to undo your careful permission settings. They also have configuration options like the following (WuFTP) to disable them:


# all the following default to "yes" for everybody
delete      no      guest,anonymous         # delete permission?
overwrite   no      guest,anonymous         # overwrite permission?
rename      no      guest,anonymous         # rename permission?
chmod       no      anonymous               # chmod permission?
umask       no      anonymous               # umask permission?



If you wish to have a place for anonymous users to leave files, create the directory ~ftp/pub/incoming. This directory is owned by root with permissions 733. Do a 'chmod +t ~ftp/pub/incoming'. The ftp daemon will normally not allow an anonymous user to overwrite an existing file, but a normal user of the system would be able to delete anything; by setting the mode to '1733' you prevent this from happening. In wuftpd you may configure the daemon to create new files with permissions '600' owned by root or any other user. Incoming directories are often abused for exchanging pirated and pornographic material, and abusers often create hidden directories there for this purpose. Making the incoming directory unreadable by anonymous ftp helps to some extent. With ordinary ftp servers there is no way to prevent directories being created in incoming. The WUarchive ftp server can limit uploads to certain directories and can restrict the characters used in file names, like this:

# specify the upload directory information
upload  /var/spool/ftp  *           no
upload  /var/spool/ftp  /incoming   yes     ftp     staff   0600    nodirs

# path filters
# path-filter...
path-filter  anonymous  /etc/msgs/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
path-filter  guest      /etc/msgs/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-


Suggestion: Create an extra file-system for your ftp-area (or at least for your incoming-area) to prevent a denial-of-service attack by filling your disk with garbage (inside your incoming directory).

If you have wuftpd you may want to add some ftp extensions like compression/decompression 'on the fly' or creation of tar files for the directory hierarchies. Get the appropriate sources (gzip, gnutar, compress), compile them and link statically, put in the ~ftp/bin directory and edit the appropriate file containing the definitions of the allowed conversions. /usr/bin/tar is already statically-linked. You may wish to use gnu tar anyway.

Gary Mills wrote a small program to support the following conversions:

To do tar and compress in one step, he wrote a tiny program called `pipe' and statically linked it. His /etc/ftpconversions file looks like this:


#strip prefix:strip postfix:addon prefix:addon postfix:external command:
#types:options:description
 :.Z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
 :-z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
 :  :  :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
 :  :  :.tar:/bin/tar cf - %s:T_REG|T_DIR:O_TAR:TAR
 :  :  :.tar.Z:/bin/pipe /bin/tar cf - %s | /bin/compress -c:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
 :  :  :.tar:/bin/gtar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
 :  :  :.tar.Z:/bin/gtar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
 :  :  :.tar.gz:/bin/gtar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP


Here it is:

-----------------8<-------------cut---------------
/* pipe.c: exec two commands in a pipe */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAXA 16

static void uexit(void)
{
    static const char usage[] = "Usage: pipe <command> | <command>\n";
    (void)write(2, usage, sizeof usage - 1);
    exit(1);
}

int main(int argc, char *argv[])
{
    char *av1[MAXA + 1], *av2[MAXA + 1];  /* +1 leaves room for the NULL terminator */
    int i, n, p[2], cpid;

    /* Collect the first command's arguments up to a lone "|" argument. */
    i = 0;
    n = 0;
    while (++i < argc && n < MAXA) {
        if (strcmp(argv[i], "|") == 0)
            break;
        av1[n++] = argv[i];
    }
    if (n == 0)
        uexit();
    av1[n] = NULL;

    /* Everything after the "|" is the second command. */
    n = 0;
    while (++i < argc && n < MAXA)
        av2[n++] = argv[i];
    if (n == 0)
        uexit();
    av2[n] = NULL;

    if (pipe(p) != 0)
        exit(1);
    if ((cpid = fork()) == -1) {
        exit(1);
    } else if (cpid == 0) {
        /* child: stdout becomes the write end of the pipe, then run command 1 */
        (void)close(p[0]);
        (void)close(1);
        (void)dup(p[1]);
        (void)close(p[1]);
        (void)execv(av1[0], av1);
        _exit(127);
    } else {
        /* parent: stdin becomes the read end of the pipe, then run command 2 */
        (void)close(p[1]);
        (void)close(0);
        (void)dup(p[0]);
        (void)close(p[0]);
        (void)execv(av2[0], av2);
        _exit(127);
    }
    /*NOTREACHED*/
}
-------- CUT HERE ------------

Other things to do:

As root:
touch ~ftp/.rhosts
touch ~ftp/.forward
chmod 400 ~ftp/.rhosts
chmod 400 ~ftp/.forward
i.e. make these files zero-length and owned by root.

Due to the latest /bin/mail bugs in SunOS:
touch /usr/spool/mail/ftp; chmod 400 /usr/spool/mail/ftp

Consider an email alias for the ftp admin(s) to provide an email address for problem reports.

If you are mounting some disks from other machines (or even your own) into the ~ftp hierarchy, mount them read-only. The correct entry for /etc/fstab (on the host with ftpd) is something like:

other:/u1/linux /home/ftp/pub/linux nfs ro,noquota,nosuid,intr,bg 1 0

This mounts under /home/ftp/pub/linux the disk from host 'other' with no quota, no 'suid' programs (just in case), interruptible (in case 'other' goes down) and 'bg', so if 'other' is down when you reboot it will not stop you from trying to mount /home/ftp/pub/linux all over again.

--------------------------------------------------------------------------------

2. Setting up a chrooted Secure Anonymous ftp server.
This part was contributed by Marcus J Ranum
Build a statically linked version of ftpd and put it in ~ftp/bin. Make sure it's owned by root.

Build a statically linked version of /bin/ls if you'll need one. Put it in ~ftp/bin. If you are on a Sun, and need to build one, there's a ported version of the BSD net2 ls command for SunOs on ftp.tis.com: pub/firewalls/toolkit/patches/ls.tar.Z Make sure it's owned by root.

Chown ~ftp to root and make it mode 755. THIS IS VERY IMPORTANT.

Set up copies of ~ftp/etc/passwd and ~ftp/etc/group just as you would normally, EXCEPT make 'ftp's home directory '/' -- make sure they are owned by root.

Write a wrapper to kick ftpd off and install it in /etc/inetd.conf. The wrapper should look something like this (assuming ~ftp = /var/ftp):

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* move into the FTP area and lock the process into it */
    if (chdir("/var/ftp")) {
        perror("chdir /var/ftp");
        exit(1);
    }
    if (chroot("/var/ftp")) {
        perror("chroot /var/ftp");
        exit(1);
    }
    /* optional: seteuid(FTPUID); */
    /* /bin/ftpd is now ~ftp/bin/ftpd, the statically linked copy */
    execl("/bin/ftpd", "ftpd", "-l", (char *)0);
    perror("exec /bin/ftpd");
    exit(1);
}


Options:
You can use 'netacl' from the toolkit or tcp_wrappers to achieve the same effect.

We use 'netacl' to switch so that a few machines that connect to the FTP service *don't* get chrooted first. This makes transferring files a bit less painful.

You may also wish to take your ftpd sources and find all the places where it calls seteuid() and remove them, then have the wrapper do a setuid(ftp) right before the exec. This means that if someone knows a hole that makes them "root" they still won't be. Relax and imagine how frustrated they will be.

If you're hacking ftpd sources, I suggest you turn off a bunch of the options in ftpcmd.y by unsetting the "implemented" flag in ftpcmd.y. This is only practical if your FTP area is read-only.


As usual, make a pass through the FTP area and make sure that the files are in correct modes and that there's nothing else in there that can be executed.

Note, now, that your FTP area's /etc/passwd is totally separated from your real /etc/passwd. This has advantages and disadvantages.

Some stuff may break, like syslog, since there is no /dev/log. Either build a version of ftpd with a UDP-based syslog() routine or run a second syslogd based on the BSD Net2 code, that maintains a unix-domain socket named ~ftp/dev/log with the -p flag.
REMEMBER:

If there is a hole in your ftpd that lets someone get "root" access, they can do you some damage even chrooted; it is just a lot harder. If you're willing to hack some code, making the ftpd run without root permissions is a really good thing. The correct operation of your hacked ftpd can be verified by connecting to it and (while it's still at the user prompt) running 'ps -axu' and verifying that it's not running as root.
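As an added example (not Ranum's wrapper and not any ftpd's code), here is a variant of the wrapper above that also does what the last two paragraphs ask: it drops root permanently before the exec, and refuses to start ftpd if root could still be regained. FTP_ROOT, FTPD_PATH and the lookup of the 'ftp' account are assumptions.

```c
/* ftpwrap.c: chroot into the FTP area, give up root for good, then exec ftpd.
 * Added example in the spirit of Ranum's wrapper, not his code. FTP_ROOT and
 * FTPD_PATH are assumptions (FTPD_PATH is a path inside the chroot). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define FTP_ROOT  "/var/ftp"   /* ~ftp, as in the FAQ's example wrapper */
#define FTPD_PATH "/bin/ftpd"  /* i.e. ~ftp/bin/ftpd once chrooted      */

/* Permanently switch to uid/gid. Refuses to "drop" to root, orders the calls
 * so that the group changes still happen as root, and verifies afterwards that
 * root cannot be regained. Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (setgroups(0, NULL) != 0)      /* supplementary groups first, still root */
        return -1;
    if (setgid(gid) != 0)             /* gid before uid, or setgid() fails later */
        return -1;
    if (setuid(uid) != 0)             /* sets real, effective and saved uid       */
        return -1;
    /* Ranum's point: a hole in ftpd must not hand out root. If the drop was not
     * permanent, setuid(0) succeeds here and we refuse to continue. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Look up the ftp account BEFORE chroot(): afterwards /etc/passwd is
     * ~ftp/etc/passwd, the stripped copy the FAQ tells you to create. */
    struct passwd *pw = getpwnam("ftp");
    uid_t uid;
    gid_t gid;

    if (pw == NULL) {
        fprintf(stderr, "ftpwrap: no 'ftp' account in /etc/passwd\n");
        return 1;
    }
    uid = pw->pw_uid;
    gid = pw->pw_gid;

    if (chdir(FTP_ROOT) != 0) {
        perror("chdir " FTP_ROOT);
        return 1;
    }
    if (chroot(FTP_ROOT) != 0) {
        perror("chroot " FTP_ROOT);
        return 1;
    }
    if (chdir("/") != 0) {            /* make sure the cwd is inside the new root */
        perror("chdir /");
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) {
        perror("ftpwrap: drop_privileges");
        return 1;
    }
    execl(FTPD_PATH, "ftpd", "-l", (char *)0);
    perror("exec " FTPD_PATH);
    return 1;
}
```

A stock ftpd that still binds port 20 for active-mode data connections will fail once it no longer runs as root; this wrapper assumes, as Ranum does, that you have removed the seteuid() calls and are serving a read-only area.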


--------------------------------------------------------------------------------

3. OS-specific information and suggestions.
These machines may need dev/tcp:
Older SVR2 and SVR3 systems
RTU 6.0 (Masscomp, now Concurrent Real Time UNIX)
AT&T 3B1 and 3B2 machines

[dev/tcp]
These ftpd implementations may require a ~ftp/dev/tcp in order for anonymous ftp to work.
You have to create a character special device with the appropriate major and minor device numbers: the major and minor numbers of ~ftp/dev/tcp must be the same as those of /dev/tcp.

~ftp/dev is a directory and ~ftp/dev/tcp is a character special device. Make both owned by root with group root. The permissions for ~ftp/dev are root read/write/exec and group & other read and exec; the permissions for ~ftp/dev/tcp are root read/write, group & other read.


HPUX
[Logging] If you're using HP's native ftpd, the line in /etc/inetd.conf should execute ftpd -l, which does extra logging.
Solaris 2.x
[Script] Solaris' man page contains a script for installing anonymous ftpd which saves time. You may still want to check over your anonymous ftpd for vulnerabilities.
Read the man page with:

$ man ftpd
SunOS
[Libraries] To set up SunOS to use its shared dynamic libraries, follow these steps:
Create the directory ~ftp/usr. This directory is owned by root with permissions 555.

Create the directory ~ftp/usr/lib. This directory is owned by root with permissions 555.

Copy the runtime loader ld.so into ~ftp/usr/lib for use by ls. ld.so is owned by root with permissions 555.

Copy the latest version of the shared C library, libc.so.* into ~ftp/usr/lib for use by ls.
libc.so.* is owned by root with permissions 555.

Note: 4.1.2(or above) users: you also need to copy /usr/lib/libdl.so.* to ~ftp/lib.


Create the directory ~ftp/dev. This directory is owned by root with permissions 111.

~ftp/dev/zero is needed by the runtime loader. Move into the directory ~ftp/dev and create it with the command:
mknod zero c 3 12
chown ~ftp/dev/zero to root. Make sure it's readable.
Warning: For novices: Don't try to copy /dev/zero to ~ftp/dev/zero! This is an endless file of zeroes and it will completely fill your filesystem!


If you want to have the local time showing when people connect, create the directory ~ftp/usr/share/lib/zoneinfo and copy /usr/share/lib/zoneinfo/localtime

If you are bothered by the need for copying your libraries so that you can use Sun's 'ls', which is dynamically linked, you can try to get a statically linked copy of 'ls' instead. The CD-ROM that contains Sun's OS has a statically-linked version of ls. In this case, you can dispense with steps #6-8.
Statically linked versions may be available from the following sources:

If you want a statically linked "ls", get the GNU fileutils from an archive site near you and link them statically.

[Logging] Sun's standard ftpd logs *all* password information. To correct it, install patch:

101640-03 SunOS 4.1.3: in.ftpd logs password info when -d option is used.


In /etc/inetd.conf find the line that starts with "ftp". At the end of that line, it should read "in.ftpd". Change that to "in.ftpd -dl". In /etc/syslog.conf, add a line that looks like:


daemon.* /var/adm/daemonlog


The information can also be split by priority (SunOS 4.1.1 does not recognize daemon.*, so there this form is required):

daemon.info     /var/adm/daemon.info
daemon.debug    /var/adm/daemon.debug
daemon.err      /var/adm/daemon.err


Note that the whitespace between the two columns must include at least one TAB character, not just spaces, or it won't work. Of course your log file could be anything you want. Then, create the logfile (touch /var/adm/daemonlog should do). Finally, restart inetd and syslogd, either individually, or by rebooting the system. You should be good to go. If you do not install the patch, make sure the log file is owned by root and mode 600, as the ftp daemon will log *everything*, including users' passwords.
Warning: You want to make all logs readable by root only, for security reasons. If a user mistypes his password as his username, it could be compromised if anyone can read the log files.


--------------------------------------------------------------------------------

4. Where to get other FTP daemons
Wuarchive FTP 2.4 - a secure FTP daemon that provides improved access control, logging and pre-login banners, and is very configurable:
Can be ftp'd from ftp.uu.net in "/networking/ftp/wuarchive-ftpd" directory. Be certain to verify the checksum information to confirm that you have retrieved a valid copy. [Warning: Older versions of Wu-FTP are extremely insecure and in some cases have been trojaned.]


                        BSD              SVR4
File                    Checksum         Checksum         MD5 Digital Signature
-----------------       --------------   --------------   --------------------------------
wu-ftpd-2.4.tar.Z       38213  181       20337  362       cdcb237b71082fa23706429134d8c32e
patch_2.3-2.4.Z         09291    8       51092   16       5558a04d9da7cdb1113b158aff89be8f


For DECWRL ftpd, sites can obtain version 5.93 via anonymous FTP from gatekeeper.dec.com in the "/pub/misc/vixie" directory.

                        BSD              SVR4
File                    Checksum         Checksum         MD5 Digital Signature
-----------------       --------------   --------------   --------------------------------
ftpd.tar.gz             38443   60        1710  119       ae624eb607b4ee90e318b857e6573500


For BSDI systems, patch 005 should be applied to version 1.1 of the BSD/386 software. You can obtain the patch file via anonymous FTP from ftp.bsdi.com in the "/bsdi/patches-1.1" directory.

                        BSD              SVR4
File                    Checksum         Checksum         MD5 Digital Signature
-----------------       --------------   --------------   --------------------------------
BU110-005               35337  272       54935  543       1f454d4d9d3e1397d1eff0432bd383cf




Public Domain Sources:

ftp.uu.net ~ftp/systems/unix/bsd-sources/libexec/ftpd
gatekeeper.dec.com ~ftp/pub/DEC/gwtools/ftpd.tar.Z

--------------------------------------------------------------------------------

5. How to Know if your Anonymous FTP Server is Secure
This section is intended for the administrator to go down a small check list of things to make sure his server is not easily compromised.
Check to make sure your ftp server does not have the SITE EXEC command by telnetting to port 21 and typing SITE EXEC. If your ftp daemon has SITE EXEC, make sure it is the most current version (i.e., Wu-FTP 2.4). In older versions this allows anyone to gain a shell via port 21.

Check to make sure no one can log in and make files or directories in the main directory. If anyone can log in as anonymous FTP and make files such as .rhosts and .forward, instant access is granted to any intruder.

Check to make sure the main directory is NOT owned by ftp. If it is owned by ftp, an intruder could SITE CHMOD 777 the main directory and then plant files to give him instant access. The SITE CHMOD command should be removed because anonymous users do not need any extra privileges.

Check to make sure NO files or directories are owned by ftp. If they are, it is possible an intruder could replace them with his own trojan versions.

There were several bugs in old daemons, so it is very important to make sure you are running the most current ftp daemons.
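The ownership and mode rules behind this checklist (and behind the directory layout in section 1) are mechanical enough to audit with a program. The following is an added example, not part of the FAQ: it walks the FTP area and flags anything owned by the ftp account, anything group- or other-writable outside pub/incoming, an incoming directory that is not root-owned mode 1733, and .rhosts/.forward files that are not root-owned, empty and mode 400. It takes the ftp uid as an argument rather than looking it up, and check_constructed builds stat records inline so the rules can be exercised without a real FTP tree.

```c
/* ftpaudit.c: walk the anonymous FTP area and flag entries that break the
 * ownership and mode rules from this FAQ. Added example, not part of the FAQ. */
#define _GNU_SOURCE
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Findings for a single entry, combined as a bitmask. */
enum {
    AUDIT_OWNED_BY_FTP  = 1, /* owned by the ftp user: never allowed anywhere        */
    AUDIT_GROUP_OTHER_W = 2, /* group/other writable outside pub/incoming            */
    AUDIT_INCOMING_MODE = 4, /* pub/incoming must be root-owned, mode 1733           */
    AUDIT_DOTFILE_MODE  = 8  /* .rhosts/.forward must be root-owned, empty, mode 400 */
};

/* Evaluate one entry. rel is the path relative to ~ftp ("" for ~ftp itself),
 * st its stat data, ftp_uid the uid of the ftp account. */
int check_entry(const char *rel, const struct stat *st, uid_t ftp_uid)
{
    int problems = 0;
    int is_incoming = strcmp(rel, "pub/incoming") == 0;
    int is_dotfile  = strcmp(rel, ".rhosts") == 0 || strcmp(rel, ".forward") == 0;
    mode_t perm = st->st_mode & 07777;   /* permission bits plus setuid/setgid/sticky */

    if (st->st_uid == ftp_uid)
        problems |= AUDIT_OWNED_BY_FTP;

    if (is_incoming) {
        /* FAQ: 'chmod 733' plus the sticky bit, i.e. 1733, owned by root */
        if (st->st_uid != 0 || perm != 01733)
            problems |= AUDIT_INCOMING_MODE;
    } else if (perm & (S_IWGRP | S_IWOTH)) {
        problems |= AUDIT_GROUP_OTHER_W;
    }

    if (is_dotfile && (st->st_uid != 0 || perm != 0400 || st->st_size != 0))
        problems |= AUDIT_DOTFILE_MODE;

    return problems;
}

/* Build a constructed stat record and check it; for offline demonstration only. */
int check_constructed(const char *rel, uid_t uid, mode_t perm, off_t size, uid_t ftp_uid)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_uid  = uid;
    st.st_mode = perm;
    st.st_size = size;
    return check_entry(rel, &st, ftp_uid);
}

/* nftw() passes no user data, so the walk state lives in file-scope variables. */
static size_t g_root_len;
static uid_t  g_ftp_uid;
static int    g_findings;

static int visit(const char *fpath, const struct stat *st, int typeflag, struct FTW *ftwbuf)
{
    const char *rel = fpath + g_root_len;
    int problems;
    (void)typeflag;
    (void)ftwbuf;
    while (*rel == '/')
        rel++;
    problems = check_entry(rel, st, g_ftp_uid);
    if (problems) {
        g_findings++;
        printf("%s: uid %u mode %04o size %lld -> findings 0x%x\n", fpath,
               (unsigned)st->st_uid, (unsigned)(st->st_mode & 07777),
               (long long)st->st_size, problems);
    }
    return 0;                            /* keep walking */
}

/* Walk root without following symlinks. Returns the number of offending
 * entries, or -1 if the walk failed. */
int audit_tree(const char *root, uid_t ftp_uid)
{
    g_root_len = strlen(root);
    g_ftp_uid  = ftp_uid;
    g_findings = 0;
    if (nftw(root, visit, 16, FTW_PHYS) != 0)
        return -1;
    return g_findings;
}

int main(int argc, char *argv[])
{
    int n;
    if (argc != 3) {
        fprintf(stderr, "usage: ftpaudit FTP_ROOT FTP_UID\n");
        return 2;
    }
    n = audit_tree(argv[1], (uid_t)strtoul(argv[2], NULL, 10));
    if (n < 0) {
        perror("nftw");
        return 2;
    }
    printf("%d entries need attention\n", n);
    return n == 0 ? 0 : 1;
}
```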

--------------------------------------------------------------------------------

6. Archie
Searches FTP sites for programs. Log in to these sites as archie, or use client software for faster access. To get your own anonymous site added to Archie's search list, e-mail archie-updates@bunyip.com.

archie.ac.il                 132.65.20.254     (Israel server)
archie.ans.net               147.225.1.10      (ANS server, NY (USA))
archie.au                    139.130.4.6       (Australian Server)
archie.doc.ic.ac.uk          146.169.11.3      (United Kingdom Server)
archie.edvz.uni-linz.ac.at   140.78.3.8        (Austrian Server)
archie.funet.fi              128.214.6.102     (Finnish Server)
archie.internic.net          198.49.45.10      (AT&T server, NY (USA))
archie.kr                    128.134.1.1       (Korean Server)
archie.kuis.kyoto-u.ac.jp    130.54.20.1       (Japanese Server)
archie.luth.se               130.240.18.4      (Swedish Server)
archie.ncu.edu.tw            140.115.19.24     (Taiwanese server)
archie.nz                    130.195.9.4       (New Zealand server)
archie.rediris.es            130.206.1.2       (Spanish Server)
archie.rutgers.edu           128.6.18.15       (Rutgers University (USA))
archie.sogang.ac.kr          163.239.1.11      (Korean Server)
archie.sura.net              128.167.254.195   (SURAnet server MD (USA))
archie.sura.net(1526)        128.167.254.195   (SURAnet alt. MD (USA))
archie.switch.ch             130.59.1.40       (Swiss Server)
archie.th-darmstadt.de       130.83.22.60      (German Server)
archie.unipi.it              131.114.21.10     (Italian Server)
archie.univie.ac.at          131.130.1.23      (Austrian Server)
archie.unl.edu               129.93.1.14       (U. of Nebraska, Lincoln (USA))
archie.univ-rennes1.fr                         (French Server)
archie.uqam.ca               132.208.250.10    (Canadian Server)
archie.wide.ad.jp            133.4.3.6         (Japanese Server)