
Wed, Sep 29, 2004 5:51 pm

Jubril Udeh Scam

I received a variant of the "pose as some deceased tycoon's next of kin and get rich" email messages today. This one purports to be from "Jubril Udeh Manager of Credit and Accounts Department of North Atlantic Securities Sarls Lome-Togo Republic" in regards to millions that belonged to the now deceased "Mr Levy Shimony a Lebanese Import and Export Tycoon here in Lome Togo." The message was purportedly sent to me because of my "high repute and trust worthiness", characteristics one supposes make me an ideal partner for participating in a fraudulent scheme where I would pose as the deceased's next of kin.

Are there people foolish enough to fall for such ruses? Unfortunately, the answer is "yes". There have apparently been quite a few people who have fallen for such scams. One I read about was an accountant for a law office who used her employer's funds to cover the scammer's "transaction fees". She apparently thought she could cover the money she took from her employer out of the large sum of money she was sure to receive. What she did receive was a prison sentence, since, of course, no funds were forthcoming from the scammer.

One recipient of one of these messages decided to scam the scammer. He actually got the scammer to send him money, which he donated to charity. For an amusing tale of how this scambaiter got the scammer to join his "Holy Church of The Order of The Red Breast", see The Tale of The Painted Breast.

[/security/scams] permanent link

Fri, Sep 24, 2004 3:15 pm

Example Virus Messages

Examples of messages containing various worms, viruses, and trojans.

[/security/viruses] permanent link

Thu, Sep 23, 2004 7:32 pm

BHODemon

Adware/spyware may insert itself on your system using a Browser Helper Object (BHO). One tool that can show you the BHOs that are enabled on your system is BHODemon from Definitive Solutions.

See Installing and Using BHODemon for additional download links and information on installing and using the program.

[/security/spyware] permanent link

Mon, Sep 20, 2004 1:13 am

Clam Antivirus (ClamAV)

A free antivirus package for Linux systems, Clam Antivirus, is available from http://www.clamav.net/.

I downloaded the Clam AntiVirus package with wget http://crash.fce.vutbr.cz/crash-hat/2/clamav/clamav-0.75.1-1.i386.rpm . I then installed the package on a mail server running Fedora Core 2 Linux.

rpm --install clamav-0.75.1-1.i386.rpm
warning: clamav-0.75.1-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1

The warning message can be prevented by using the command rpm --import http://crash.fce.vutbr.cz/Petr.Kristof-GPG-KEY prior to installing the package.

To use up2date to update the package, add the lines below to /etc/sysconfig/rhn/sources if you are using Fedora Core 1. You can add them after the other yum lines:

yum crash-hat http://crash.fce.vutbr.cz/crash-hat/1
#yum crash-test http://crash.fce.vutbr.cz/crash-hat/testing/1

If you are using Fedora Core 2, use the lines below:

yum crash-hat http://crash.fce.vutbr.cz/crash-hat/2
#yum crash-test http://crash.fce.vutbr.cz/crash-hat/testing/2

Otherwise, you will get the error message below when you try up2date clamav:

The following packages you requested were not found:
clamav

Once you have added the lines to /etc/sysconfig/rhn/sources, you can then use up2date -u clamav to update the software to a later version when one becomes available.

If you are using another version of Linux, see http://www.clamav.net/binary.html#pagestart for information. Clam AntiVirus will run on other operating systems as well. Supported platforms are listed below (tested platforms in parentheses):

Some features may not be available on all operating systems.

If you install the package with the rpm or up2date commands, a new group and a new user account will be created, both named clamav. The clamav configuration file will be located in /etc/clamav.conf. The virus database updater program is called "freshclam". Freshclam's configuration file is /etc/freshclam.conf. You can control how often freshclam checks for new virus signatures by adjusting the Checks value in the /etc/freshclam.conf file. The log file for clamav is /var/log/clamav/clamd.log and the log file for freshclam is in /var/log/clamav/freshclam.log.

The program doesn't start automatically when you install it with the rpm or up2date commands. You can start it with /etc/init.d/clamd start or by rebooting the system.

If you left the TCP listening port at its default of 3310, you can see whether it is running by using the netstat command netstat -at | grep 3310. You should see the system is listening for connections on that port.

tcp        0      0 *:3310                  *:*                     LISTEN

Or you can use the ps command to check on whether it is running:

[root@mail root]# ps aux | grep clamd | grep -v "grep"
clamav    2315  0.0  6.1 18024 15628 ?       S    00:13   0:00 /usr/sbin/clamd

You can use the clamscan command to scan a directory or file for viruses. For example, a scan of the directory where the clamav test files are stored might produce output such as that shown below:

[root@mail root]# clamscan /usr/share/doc/clamav-0.75.1/test
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: RAR module failure
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: OK
/usr/share/doc/clamav-0.75.1/test/README: OK
/usr/share/doc/clamav-0.75.1/test/test.bz2: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.zip: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test-zip-noext: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.msc: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.rar: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test: ClamAV-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 24009
Scanned directories: 1
Scanned files: 8
Infected files: 6
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 5.640 sec (0 m 5 s)

The files in the clamav test directory are actually harmless, but the scan shows you the clamav scanning program is working. If you want to test with an actual worm, you can use the following example of Worm.SomeFool.P, aka W32.Netsky.P@mm.

Worm.SomeFool.P

If you want to scan just a particular file, you can put the file name after the command, e.g. clamscan corrected_doc.pif.

If you wish to manually update the virus definitions, issue the command freshclam.
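As an added example (my code, not from the original post), a POSIX shell helper that post-processes clamscan output like the test-directory scan above so a scheduled scan can be checked mechanically: it lists each FOUND line and cross-checks the count against the SCAN SUMMARY, which catches output that was truncated because the scan died mid-run. The function names and the sample output are my own construction.

```shell
#!/bin/sh
# Added example: interpret clamscan output. clamscan prints one "path: verdict"
# line per file plus a SCAN SUMMARY. A file that trips a module failure is
# listed twice (failure line, then its verdict), so FOUND lines, not files,
# are counted and compared with the summary's "Infected files:" figure.
# Cron usage (not run here): clamscan -r /var/spool/mail | check_scan

# Constructed sample, modelled on the test-directory scan shown above.
SAMPLE='/usr/share/doc/clamav-0.75.1/test/test-failure.rar: RAR module failure
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: OK
/usr/share/doc/clamav-0.75.1/test/README: OK
/usr/share/doc/clamav-0.75.1/test/test.bz2: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.zip: ClamAV-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 24009
Scanned files: 3
Infected files: 2'

# stdin: clamscan output. stdout: "path<TAB>signature" for every FOUND line.
found_files() {
    awk '/ FOUND$/ { path = $0; sub(/: [^:]*$/, "", path)
                     sig = $0;  sub(/^.*: /, "", sig); sub(/ FOUND$/, "", sig)
                     print path "\t" sig }'
}

# stdin: clamscan output. stdout: the "Infected files:" number (0 if absent).
summary_infected() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }'
}

# check_scan: reads clamscan output on stdin and prints the detections.
# Returns 0 when nothing was found, 1 when detections exist, and 2 when the
# FOUND count disagrees with the summary (truncated or corrupted output).
check_scan() {
    out=$(cat)
    found=$(printf '%s\n' "$out" | found_files | awk 'END { print NR }')
    summary=$(printf '%s\n' "$out" | summary_infected)
    printf '%s\n' "$out" | found_files
    if [ "$found" -ne "$summary" ]; then
        echo "check_scan: $found FOUND lines but summary says $summary" >&2
        return 2
    fi
    [ "$found" -eq 0 ]
}
```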

Clam AntiVirus 0.75.1-1 Package and Download Information

Milter package for use with sendmail
Clam AntiVirus 0.75.1-1 Milter Package and Download Information

[/security/antivirus/clamav] permanent link

Sun, Sep 19, 2004 8:58 pm

Logrotate PPP Error

After first setting up a Linux server with Fedora Core 2 Linux, I received the following error message in an email message sent to root:

Date: Sun, 12 Sep 2004 19:00:42 -0400
From: root@mail.somewhere001.us (Anacron)
To: root@mail.somewhere001.us
Subject: Anacron job 'cron.daily'

/etc/cron.daily/logrotate:

error: stat of /var/log/ppp/connect-errors failed: No such file or directory

According to Bugzilla Bug 126771: logrotate error because of non-existent /var/log/ppp/connect-errors, this error can be prevented by adding missingok to /etc/logrotate.d/ppp. The problem occurs if PPP isn't used, which means there won't be a log file for it in /var/log/ppp. By adding missingok to /etc/logrotate.d/ppp, you indicate that an error message shouldn't be produced if the log file is missing and so can't be rotated.

According to Bug 122911 - Logrotate problem if ppp isn't used and there isn't a logfile in /var/log, the problem is present in version 2.4.2 release 2 of the ppp package. I didn't add the missingok line, but instead upgraded the ppp package (use up2date --install ppp). I now have version 2.4.2 release 3.FC2.1 of ppp, which added the missingok line.

# Logrotate file for ppp RPM

/var/log/ppp/connect-errors {
        missingok
        compress
        notifempty
        daily
        rotate 5
        create 0600 root root
}

[/os/unix/linux/sysmgmt] permanent link

Fri, Sep 17, 2004 8:40 pm

Daily Rotation of Mail Logs

For a Linux mail server I set up, I want to have sendmail's log file, which is /var/log/maillog, rotated daily rather than once a week. With the default setting for logrotate, the file maillog will be closed and become maillog.1 after a week. If there is a maillog.1 it becomes maillog.2, etc. I want this to occur at midnight every night. To achieve the daily rotation, log in under the root account and edit the file /etc/logrotate.d/syslog, removing /var/log/maillog from the line where it is listed with all of the other log files that get rotated. Then create a new logrotate control file, e.g. /etc/maillogrotate.conf. Don't put it in the /etc/logrotate.d directory. My maillogrotate.conf file contains the following lines:

# Begin maillogrotate control file
/var/log/maillog {
   daily
   rotate 14
   sharedscripts
   create 0600 root root
   missingok
   postrotate
   /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
   endscript
}
# End maillogrotate control file

The meaning of the lines is as follows:

  1. Comment
  2. Specifies the file to be rotated, /var/log/maillog
  3. Indicates the file should be rotated on a daily basis
  4. rotate 14 indicates 14 previous versions (2 weeks worth of logs) should be kept, i.e. there will be a maillog file as well as maillog.1 through maillog.14
  5. sharedscripts means that the postrotate script will only be run once, not for every file that is rotated.
  6. create 0600 root root indicates that immediately after logrotate has rotated the file, it should create a new file with the same name as the one just rotated, in this case maillog. The permissions for the file, 0600, indicate that the owner will have read and write access to the file, but no one else will be given any access to the file. After access is specified, the owner and group for the file are each set to root (the format is create mode owner group).
  7. missingok indicates that if the log file is missing, proceed to the next one without issuing an error message.
  8. Any lines between postrotate and endscript will be executed after the rotation is completed. In this case, the syslog process will be restarted. The process id for syslog is stored in /var/run/syslogd.pid, so cat /var/run/syslogd.pid displays the contents of syslogd.pid. The 2> /dev/null at the end indicates that STDERR (error messages) will be redirected to /dev/null, which means that they are discarded. The backticks around this command (be certain to use the ` character, which is on the key to the left of the 1 key, not the single quote, ' here) mean take the output of this command and use it as an argument to /bin/kill -HUP, which sends the HUP signal to the syslog process so that it reopens its log files. The second 2> /dev/null means that any error messages generated from the kill command are also discarded. The || true at the end means that if there is a problem with the kill command then still mark this part of the script as successful, i.e. don't abort with an error message. The || means "or" and true always returns a successful exit status.

You then need to create a crontab entry with crontab -e. This will open the crontab file in the vi editor. The crontab file can be used to run commands on a scheduled basis. Hit the i key to put the vi editor in insert mode then type the following command:

0 0 * * * /usr/sbin/logrotate /etc/maillogrotate.conf 1>/dev/null 2>/dev/null

Then hit the : (colon) key and type wq to save the file and exit from the editor.

The crontab file consists of 6 fields:

  minute        A number from 0 to 59 indicating the minute the command will run
  hour          A number from 0 to 23 indicating the hour for the command to be run
  day of month  A number from 1 to 31 indicating the day of the month to run the command
  month         A number from 1 to 12 indicating the month to run the command
  day of week   A number from 0 to 6 (Sunday to Saturday) for the command to be run
  command       The command to be run

So the listed crontab entry will run the /usr/sbin/logrotate program at midnight every day (an asterisk means use all possible values for the field). The logrotate program will use the file I created, /etc/maillogrotate.conf, to determine what it should do. Any output, whether standard output or error messages, is sent to /dev/null, i.e. discarded.

In addition to keeping two weeks' worth of logs in /var/log, I like to archive mail logs in a separate directory to be parsed by statistics generation programs. If I add new programs, I can run them on all the old log files to generate statistics for the entire year. So I create a /root/maillog directory to hold the maillog files and a program, copy-maillog, which will copy the previous day's maillog to that directory with that day's date appended to the filename. I place the copy-maillog file in /root/bin and make it executable.

mkdir /root/maillog
mkdir /root/bin

The copy-maillog program contains the following lines:

#!/bin/bash
cp -a /var/log/maillog.1 /root/maillog/maillog.$(date --date=yesterday +%m%d%y)

This will copy the previous day's maillog file, maillog.1, to the /root/maillog/ directory. The $(date --date=yesterday +%m%d%y) extension means append yesterday's date formatted as month, day, year, e.g. maillog.091604 for the September 16, 2004 mail log file.

To make the script executable, type chmod 700 copy-maillog.

I then create a crontab entry to run copy-maillog script at half past midnight every night. Use crontab -e again to edit the crontab file, then move the cursor to the end of the file and hit the a key to append data after the cursor. Hit the enter key to start a new line and insert the following:

30 0 * * * /root/bin/copy-maillog 1>/dev/null 2>/dev/null

Then hit the Esc key followed by the colon key. Type wq to save the modifications to the crontab file and exit from the editor. If you then type crontab -l to list the contents of the crontab file, you should see something similar to the following:

[root@mail bin]# crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.8726 installed on Fri Sep 17 18:27:16 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
0 0 * * * /usr/sbin/logrotate /etc/maillogrotate.conf 1>/dev/null 2>/dev/null
30 0 * * * /root/bin/copy-maillog 1>/dev/null 2>/dev/null
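An added, hardened variant of the copy-maillog script above (my code, not the original post's): the archive name is computed from a supplied reference date so it can be checked, the copy is skipped with a message when maillog.1 is missing (logrotate did not run), and an existing archive is never overwritten, so a rerun cannot clobber a day's log. It assumes GNU date; the --cron argument and the function names are my own.

```shell
#!/bin/sh
# Added example: a safer copy-maillog. The page's cron line discards stderr;
# if you want cron to mail root when the copy fails, drop the 2>/dev/null.
# Cron usage:  30 0 * * * /root/bin/copy-maillog --cron 1>/dev/null

# archive_name DAY: name for the log rotated at midnight of DAY (YYYY-MM-DD),
# i.e. yesterday's date as MMDDYY, e.g. maillog.091604 for DAY=2004-09-17.
archive_name() {
    date --date="$1 -1 day" +maillog.%m%d%y
}

# copy_maillog SRC DESTDIR DAY
# Copies SRC (normally /var/log/maillog.1) to DESTDIR/<archive_name DAY>,
# keeping mode, owner and timestamps (cp -a). Returns 2 if SRC is missing
# and 3 if the archive already exists, so a repeated run is harmless.
copy_maillog() {
    src=$1; dest=$2; day=$3
    target="$dest/$(archive_name "$day")"
    if [ ! -f "$src" ]; then
        echo "copy-maillog: $src missing (did logrotate run?)" >&2
        return 2
    fi
    if [ -e "$target" ]; then
        echo "copy-maillog: $target already exists, not overwriting" >&2
        return 3
    fi
    cp -a -- "$src" "$target"
}

# Entry point for cron: archive yesterday's maillog to /root/maillog.
if [ "${1:-}" = "--cron" ]; then
    copy_maillog /var/log/maillog.1 /root/maillog "$(date +%F)"
fi
```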


[/network/email/sendmail] permanent link

Wed, Sep 15, 2004 11:10 pm

Bandwidth Monitoring on a Linux System

On a Linux system, if you need information on how much bandwidth is being used and what type of traffic is consuming the bandwidth, two tools you can use that don't require a Graphical User Interface (GUI) are IPTraf and Linux Bandwidth Monitor (bwmon).

IPTraf description from Red Hat's IPTraf package:

IPTraf is a console-based network monitoring utility. IPTraf gathers data like TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts. IPTraf features include an IP traffic monitor which shows TCP flag information, packet and byte counts, ICMP details, OSPF packet types, and oversized IP packet warnings; interface statistics showing IP, TCP, UDP, ICMP, non-IP and other IP packet counts, IP checksum errors, interface activity and packet size counts; a TCP and UDP service monitor showing counts of incoming and outgoing packets for common TCP and UDP application ports, a LAN statistics module that discovers active hosts and displays statistics about their activity; TCP, UDP and other protocol display filters so you can view just the traffic you want; logging; support for Ethernet, FDDI, ISDN, SLIP, PPP, and loopback interfaces; and utilization of the built-in raw socket interface of the Linux kernel, so it can be used on a wide variety of supported network cards.

A ZDNet article, Police your network traffic with IPTraf explains how to use IPTraf to log and monitor IP traffic on your system.

You can download IPTraf from the developer's website or you may already have it with your distribution of Linux. An RPM is available from Red Hat or from this site.

The options when running bwmon are shown below:

Linux Network Bandwidth Monitor $Revision: 1.3 $
by Kimmo Nupponen (kimmoon@users.sourceforge.net)
$Date: 2002/05/08 06:33:09 $

usage: bwmon [-b] [-h] [-a] [-m] [-u seconds]
        -a Print bandwidth utiliasation in Kbytes rather than Kbits. The default
           is to use Kbits
        -a Print also average bandwidth since last boot per interface
        -m Print maximum bandwidth since launch of this utility
        -h Print this help message
        -u Update timeout (integer value)

        Use <space-bar> to refresh the screen before update timeout expires
        Use 'q' or 'Q' to exit this utility

Note that you have to have proc mounted to allow this software
to work!

bwmon Screenshot
IPTraf Screenshots

[/os/unix/linux/network] permanent link

Wed, Sep 15, 2004 11:09 am

Feature Comparison Between Adobe Acrobat 6.0 Standard and Professional

A chart is available at http://www.adobe.com.au/events/roadshows/pdfs/FeatureComparision.pdf comparing the features found in Adobe Acrobat 6.0 Standard and Professional versions. The chart also covers Adobe Reader 6.0 and Acrobat Elements 6.0.

[/os/windows/software/pdf] permanent link

Sun, Sep 12, 2004 10:46 pm

Painting Plastic

If you want to paint cases, parts, or most plastics, you can use Fusion paint from Krylon. The paint dries in 15 minutes or less.

The paint comes in the following colors:

ZDNet's Brian Cooley reports it worked well on his Treo 300 cellphone in the September 9, 2004 entry of his Dealing with technology in real life column.

[/pc/hardware/miscellaneous] permanent link
