Fri, Mar 28, 2025 9:22 pm
Windows Files Flagged as Malware by Avira Rescue System Scan
Some antivirus companies provide free "rescue system" software that you can
download and use to create a bootable DVD or flash drive. Booting the PC from
that medium lets you scan the system for viruses and other malware from
outside of Windows, which is useful when a system won't boot because of the
malware, or when malware that is running inside Windows would otherwise hide
itself from a scanner.
Avira, a German antivirus company, provides Avira Rescue System, which can be
used to scan a system running a Microsoft Windows operating system. The ISO
file that you download to create the bootable DVD or flash drive contains the
Ubuntu Linux operating system, but you don't need to be familiar with Linux to
use the software.
[ More Info ]
[/security/antivirus/avira]
permanent link
Sun, Apr 14, 2024 9:21 pm
NortonLifeLock Scam
Earlier this week, a user forwarded me an email she received purporting
to be a notification regarding an automatic renewal of a subscription to
"Norton Life-Lock," wondering whether it was legitimate and whether she would
be charged $399 for the product.
The message included the following text:
This email confirms that your subscription has been renewed for another
1 year with Norton Life-Lock for $399.00 on April 11th,2024.
This subscription will Auto-Renew every year unless you turn it OFF. No
later than 24 hour before the end of the subscription period.
To cancel this subscription,
Call: +1(844)962-1087
An online search of the 844-962-1087 number showed it is not a number
associated with Norton LifeLock, a clear indication that the email was a
scam where the scammer attempts to get people to call a number to cancel an
expensive "subscription" for a well-known product or company. I assume those
who call the number will be asked to provide their credit or debit card
information, so someone pretending to be a customer service representative for
the company can supposedly look up the account information to "cancel" the
subscription. If credit card information is provided, the scammer can then use
it for fraudulent charges or sell the information to others. Another indicator
that a message such as this is fraudulent is poor English. E.g., "...unless you
turn it OFF. No later than 24 hour before the end of the subscription period."
Proper English would be "...unless you turn it OFF no later than 24 hours
before the end of the subscription period." I.e., there should not be
a period before "No later" and "hours" should be used rather than "hour."
Another indication that the email is a fraud attempt in this case is
that the sender hyphenated the product name, i.e., "Life-Lock" whereas if
you go to the Norton website and
look at their consumer products or visit the
NortonLifeLock website, you can
see that the name of the product is listed as "LifeLock" not "Life-Lock." The
Wikipedia LifeLock page
also shows the product name is not hyphenated. Such phishing
emails purporting to be notifications of upcoming charges for
NortonLifeLock have been prevalent for years — the NortonLifeLock
website has a January 11, 2022 article
"
Keep an eye out for Norton email scams" warning people about such
attempts and showing similar scam messages regarding their product.
Unfortunately, such scams can deceive enough people to make sending
such messages profitable for scammers. People anxious to avoid a
charge of several hundred dollars for a product they may not even be using
may call the number and provide credit/debit card or banking information
that the scammer may use to fraudulently charge their credit or debit card
or steal money from a banking account.
[/security/phishing]
permanent link
Mon, Mar 04, 2024 9:46 pm
Accessing ClamWin scan results when the option to save a report is grayed out
I ran a scan with
ClamWin,
a free and open-source antivirus program for Microsoft Windows systems,
on a user's system recently when she thought the system
might be infected with malware. I ran the ClamWin scan after I scanned the
system with McAfee AntiVirus, the active antivirus program on the system
providing real-time protection, which did not find any malware. The scan,
which ran for many hours, flagged many files as containing malware. It was
difficult to note the names and locations of files flagged as containing
malware when they were flagged as the results would scroll quickly by as the
program went on to scan other files. As I assumed I would be able to save
the results to a file when the scan completed, that did not concern me. However,
when the scan completed I was unable to save the results to a file because
the button that would allow me to save the results was grayed out.
You can still access the results of a scan in such cases, though, because when
you exit from viewing the scan results, the program automatically appends the
results to C:\ProgramData\.clamwin\log\ClamScanLog.txt. The ProgramData
directory is a hidden directory that you won't see in Windows File Explorer
unless you have configured it to display hidden files and folders. You can see
the directory is present if you open a command prompt window and issue the
command dir /ah, where "/ah" tells the dir command to display files and
folders with the "hidden" attribute. E.g.:
C:\>dir /ah
Volume in drive C is OS
Volume Serial Number is 4445-F6ED
Directory of C:\
08/21/2022 07:38 PM <DIR> $Recycle.Bin
07/08/2017 03:45 PM <DIR> $Windows.~WS
02/14/2024 10:43 AM <DIR> $WinREAgent
10/30/2015 02:18 AM 1 BOOTNXT
08/21/2022 01:01 PM 112 bootTel.dat
02/28/2024 03:54 PM <DIR> Config.Msi
11/04/2011 01:20 AM 30,425 dell.sdr
07/14/2009 12:08 AM <JUNCTION> Documents and Settings [C:\Users]
03/03/2024 11:51 PM 8,192 DumpStack.log.tmp
03/04/2024 03:51 PM 6,373,736,448 hiberfil.sys
01/30/2012 09:36 PM <DIR> MSOCache
03/03/2024 11:51 PM 8,589,934,592 pagefile.sys
03/03/2024 09:48 AM <DIR> ProgramData
10/11/2023 09:00 AM <DIR> Recovery
03/03/2024 11:51 PM 268,435,456 swapfile.sys
01/28/2012 08:26 PM <DIR> System Recovery
03/04/2024 08:00 PM <DIR> System Volume Information
7 File(s) 15,232,145,226 bytes
10 Dir(s) 795,701,448,704 bytes free
C:\>
Though the log file containing scan results is beneath a hidden directory,
you can access it from a text editor such as
Windows Notepad
by typing in the directory path and file name, i.e.,
C:\ProgramData\.clamwin\log\ClamScanLog.txt
when you choose
Open to open a file, or you could open it from a command prompt
window as shown below.
C:\>notepad C:\ProgramData\.clamwin\log\ClamScanLog.txt
C:\>
The ClamScanLog.txt file will contain the results of all scans run on the
system, unless it was edited to remove prior results, with the results of
the latest scan at the bottom of the file.
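Because ClamScanLog.txt accumulates every scan, the part you actually want
after a long scan is the list of flagged files from the last run. The script
below is an added example, not code from the original post or from the ClamWin
project: it splits the log on a "Scan Started ..." header line (an assumption
about ClamWin's log format; the "path: Signature FOUND" and "Infected files: N"
lines are clamscan's standard output) and reports the paths and signatures from
the most recent scan. The log content is constructed for the example, and the
script runs from Git Bash or WSL on the real log (under WSL it is at
/mnt/c/ProgramData/.clamwin/log/ClamScanLog.txt).

```shell
#!/bin/sh
# Added example (not from the original post): pull the files flagged by the
# most recent ClamWin scan out of ClamScanLog.txt, which accumulates every scan.
# The "path: Signature FOUND" lines and the "Infected files: N" summary line are
# clamscan's standard output; the "Scan Started ..." marker used to split scans
# is an assumption about ClamWin's log header. The log below is constructed.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Scan Started Sun Mar 03 09:48:11 2024

C:\Users\alice\Downloads\setup.exe: Win.Trojan.Agent-123456 FOUND
C:\Users\alice\Downloads\invoice.zip: Win.Malware.Generic-987654 FOUND

----------- SCAN SUMMARY -----------
Scanned files: 412233
Infected files: 2
Scan Completed Sun Mar 03 13:20:41 2024

Scan Started Mon Mar 04 10:05:00 2024

C:\Users\alice\AppData\Local\Temp\tmp1.dll: Win.Trojan.Agent-123456 FOUND
C:\ProgramData\cache\x.bin: Win.Trojan.Agent-123456 FOUND
C:\Users\alice\Documents\report.docm: Doc.Dropper.Agent-555 FOUND

----------- SCAN SUMMARY -----------
Scanned files: 415010
Infected files: 3
Scan Completed Mon Mar 04 15:10:22 2024
EOF

# Everything from the last "Scan Started" line to the end of the file.
# Windows logs are CRLF; strip the carriage returns first so $ anchors match.
last_scan() {
    tr -d '\r' < "$1" |
        awk '/^Scan Started/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }'
}

# Paths flagged in the latest scan (strip the ": <signature> FOUND" suffix;
# signature names contain no spaces, so the pattern stops at the path).
flagged_files() {
    last_scan "$1" | sed -n 's/: [^ ]* FOUND$//p'
}

# How many times each signature fired in the latest scan, most frequent first.
flagged_by_signature() {
    last_scan "$1" | sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' | sort | uniq -c | sort -rn
}

# The scan summary's own count, for cross-checking against flagged_files.
infected_count() {
    last_scan "$1" | sed -n 's/^Infected files: //p'
}

echo "Files flagged by the latest scan:"
flagged_files "$LOG"
echo "Detections per signature:"
flagged_by_signature "$LOG"
echo "Summary count: $(infected_count "$LOG")"
```

A mismatch between the number of lines flagged_files prints and the summary's
"Infected files" count is a sign that the log header assumption does not match
your ClamWin version; in that case compare against the last "SCAN SUMMARY"
block instead.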
[/security/antivirus/clamav]
permanent link
Tue, Apr 05, 2022 6:05 pm
Let's Encrypt Problem binding to port 80: Could not bind to IPv4 or IPv6
A couple of users notified me that they were receiving warning messages
regarding the security certificate on their email server when they were
checking email with
Microsoft Outlook. I checked the expiration date on the security
certificate for the email server with the
OpenSSL command
openssl s_client -connect pop3.moonpoint.com:995
(the
system is using
Dovecot, which
is an
open-source
IMAP/
POP3
software program providing users with the ability to download their email).
Dovecot listens on
TCP
port 995 for
POP3S secure
email connections for downloading email.
I could see the certificate was expired and I issued the
quit
command when I saw the "OK Dovecot ready" prompt.
The email security certificate on the system is provided by
Let's Encrypt,
so I then tried renewing the certificate from the root account with the
letsencrypt renew
command, but was unsuccessful.
I found the solution was to stop the
Apache web server
software running on the system, thanks to a post by JuergenAuer at
Renewing certificate getting error: Problem binding to port 80: Could not bind
to IPv4 or IPv6. After I stopped the web server software, I was able to
reissue the letsencrypt command to renew the certificate without the
"Problem binding to port 80" error message. I then restarted the Apache web
server software and Dovecot.
[ More Info ]
[/security/encryption/openssl]
permanent link
Sun, Oct 24, 2021 12:58 pm
Counting SSH break-in attempts by country
Yesterday, I installed
Fail2Ban on a
CentOS 7 server after
noticing SSH break-in
attempts by password guessing. Today, I checked the fail2ban log to see how
many IP addresses were banned and whether after being banned for an hour there
were any subsequent password guessing attempts from the same IP address. I saw
that 40 IP addresses had been banned since I installed Fail2Ban last night and
that some of those addresses had been banned multiple times. You can count
the number of times an IP address has been banned by using the
awk command
awk '($(NF-1) == "Ban"){print $NF}' /var/log/fail2ban.log | sort | uniq -c
| sort -n
. On a fail2ban "Ban" line, the next-to-last field is the word "Ban" and the
last field is the banned address, so comparing $(NF-1) to "Ban" selects only
ban events (not "Unban" or "already banned" lines) and prints the address.
You can pipe the output of that command to the
wc command
wc -l
to count the total number of lines which tells you the number
of IP addresses that have been banned as explained at
Fail2ban logging.
[root@moonpoint ~]# awk '($(NF-1) == "Ban"){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
1 103.50.219.194
1 104.200.134.181
1 104.244.77.37
1 107.189.14.174
1 107.189.14.230
1 107.189.14.41
1 107.189.1.96
1 107.189.31.223
1 107.189.8.233
1 183.157.169.70
1 183.195.121.197
1 205.185.123.33
1 205.185.124.131
1 209.141.42.29
1 221.131.165.50
1 221.131.165.56
1 221.181.185.151
1 221.181.185.198
1 222.186.30.112
1 222.187.254.41
1 64.225.49.153
1 71.9.165.219
2 104.244.76.64
2 107.189.12.163
2 209.141.36.75
2 209.141.40.64
2 221.131.165.65
2 222.186.30.76
2 222.187.232.39
3 107.189.13.104
3 45.61.184.115
3 70.62.137.84
4 187.149.76.88
4 189.85.145.113
4 205.185.122.239
4 209.141.57.74
4 210.73.207.44
4 222.186.42.137
5 209.141.34.165
5 89.211.207.62
[root@moonpoint ~]# awk '($(NF-1) == "Ban"){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n | wc -l
40
[root@moonpoint ~]#
[More Info]
[/security/attacks]
permanent link
Sat, Oct 23, 2021 7:36 pm
Break-in attempts via SSH from 221.131.165.50
While checking on a problem on a test CentOS Linux system today, I issued the
command journalctl -xe
from the root account to get more
details on the problem. Among the results displayed was an indication of
attempts to break into the system by guesses for the password of the root
account on the system.
# journalctl -xe
Oct 23 16:20:23 moonpoint systemd[1]: Unit mariadb.service entered failed state.
Oct 23 16:20:23 moonpoint systemd[1]: mariadb.service failed.
Oct 23 16:20:23 moonpoint polkitd[1684]: Unregistered Authentication Agent for u
Oct 23 16:21:35 moonpoint sshd[4558]: pam_unix(sshd:auth): authentication failur
Oct 23 16:21:35 moonpoint sshd[4558]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:21:37 moonpoint sshd[4558]: Failed password for root from 221.131.165.
Oct 23 16:21:38 moonpoint sshd[4558]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:21:40 moonpoint sshd[4558]: Failed password for root from 221.131.165.
Oct 23 16:21:40 moonpoint sshd[4558]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:21:42 moonpoint sshd[4558]: Failed password for root from 221.131.165.
Oct 23 16:21:42 moonpoint sshd[4558]: Received disconnect from 221.131.165.50 po
Oct 23 16:21:42 moonpoint sshd[4558]: Disconnected from 221.131.165.50 port 4518
Oct 23 16:21:42 moonpoint sshd[4558]: PAM 2 more authentication failures; lognam
Oct 23 16:21:55 moonpoint sshd[4561]: pam_unix(sshd:auth): authentication failur
Oct 23 16:21:55 moonpoint sshd[4561]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:21:57 moonpoint sshd[4561]: Failed password for root from 221.131.165.
Oct 23 16:21:57 moonpoint sshd[4561]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:21:59 moonpoint sshd[4561]: Failed password for root from 221.131.165.
Oct 23 16:21:59 moonpoint sshd[4561]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:22:01 moonpoint sshd[4561]: Failed password for root from 221.131.165.
Oct 23 16:22:02 moonpoint sshd[4561]: Received disconnect from 221.131.165.50 po
Oct 23 16:22:02 moonpoint sshd[4561]: Disconnected from 221.131.165.50 port 4175
Oct 23 16:22:02 moonpoint sshd[4561]: PAM 2 more authentication failures; lognam
[root@moonpoint ~]#
When I checked the number of password guesses the attacker had tried by
searching for the IP address in /var/log/secure
, I found 183
attempts to log in.
[root@moonpoint ~]# grep "221.131.165.50" /var/log/secure | grep -c "Failed password"
183
[root@moonpoint ~]#
When I checked the location for the IP address 221.131.165.50 with
geoiplookup, a program provided by the GeoIP package, I found the address
allocated to an entity in China:
[root@moonpoint ~]# geoiplookup 221.131.165.50
GeoIP Country Edition: CN, China
[root@moonpoint ~]#
A check of the IP address on DShield showed that the address has been
associated with many attempts at unauthorized access to systems by password
guessing - see
SSH Source Summary. The DShield
IP Info: 221.131.165.50 report for the system currently lists 82,133
reports with 283 targets with activity first reported on 2021-09-26.
When I ran the journalctl command again later, I saw evidence of attempts
from other IP addresses to gain unauthorized access to the system via SSH,
so I installed
fail2ban to automatically block IP addresses when a specific number of
failed SSH login attempts have been detected from IP addresses.
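The grep and awk one-liners in this post and in the "Counting SSH break-in
attempts by country" post above both reduce to the same job: pull a source
address out of a log line and tally it. The script below is an added example
of that analysis and is not code from either post. It works on constructed
sample lines that follow the formats the posts show (sshd's "Failed password
for ... from <ip> port ..." in /var/log/secure and fail2ban's "NOTICE [sshd]
Ban <ip>"), so it runs offline; the country breakdown uses geoiplookup only if
that program is installed.

```shell
#!/bin/sh
# Added example (not from the original posts): tally SSH password-guessing
# activity per source address from sshd's log and from fail2ban's log.
# The sample log lines below are constructed for the example.

SECURE_LOG=$(mktemp)
F2B_LOG=$(mktemp)
trap 'rm -f "$SECURE_LOG" "$F2B_LOG"' EXIT

cat > "$SECURE_LOG" <<'EOF'
Oct 23 16:21:37 moonpoint sshd[4558]: Failed password for root from 221.131.165.50 port 45180 ssh2
Oct 23 16:21:40 moonpoint sshd[4558]: Failed password for root from 221.131.165.50 port 45180 ssh2
Oct 23 16:21:42 moonpoint sshd[4558]: Failed password for root from 221.131.165.50 port 45180 ssh2
Oct 23 16:21:42 moonpoint sshd[4558]: Received disconnect from 221.131.165.50 port 45180:11:  [preauth]
Oct 23 16:25:01 moonpoint sshd[4570]: Failed password for invalid user admin from 209.141.34.165 port 51022 ssh2
Oct 23 16:25:03 moonpoint sshd[4570]: Failed password for invalid user admin from 209.141.34.165 port 51022 ssh2
Oct 23 16:30:12 moonpoint sshd[4581]: Accepted publickey for jdoe from 192.0.2.10 port 50000 ssh2
EOF

cat > "$F2B_LOG" <<'EOF'
2021-10-23 18:01:02,345 fail2ban.actions        [2001]: NOTICE  [sshd] Ban 221.131.165.50
2021-10-23 18:05:12,009 fail2ban.actions        [2001]: NOTICE  [sshd] 221.131.165.50 already banned
2021-10-23 18:40:10,003 fail2ban.actions        [2001]: NOTICE  [sshd] Ban 209.141.34.165
2021-10-23 19:01:03,101 fail2ban.actions        [2001]: NOTICE  [sshd] Unban 221.131.165.50
2021-10-23 19:15:44,512 fail2ban.actions        [2001]: NOTICE  [sshd] Ban 221.131.165.50
EOF

# Failed password attempts per source IP, most active first. The address is
# the field after "from", which also handles "invalid user <name>" lines.
failed_by_ip() {
    awk '/Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' "$1" |
        sort | uniq -c | sort -rn
}

# Account names the guesses were aimed at ("for root" or "for invalid user admin").
targeted_users() {
    awk '/Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1); print u; break
            }
        }' "$1" | sort | uniq -c | sort -rn
}

# Bans per IP from fail2ban.log. Comparing the next-to-last field to "Ban"
# exactly skips "Unban" and "already banned" lines.
bans_by_ip() {
    awk '$(NF-1) == "Ban" { print $NF }' "$1" | sort | uniq -c | sort -rn
}

# Addresses banned more than once: attackers that came back after bantime expired.
repeat_offenders() {
    bans_by_ip "$1" | awk '$1 > 1 { print $2 }'
}

# Number of distinct addresses banned.
banned_ip_count() {
    bans_by_ip "$1" | wc -l | tr -d ' '
}

# Bans aggregated by country via geoiplookup (GeoIP package), when available.
bans_by_country() {
    command -v geoiplookup >/dev/null 2>&1 || { echo "geoiplookup not installed" >&2; return 1; }
    bans_by_ip "$1" | while read -r n ip; do
        echo "$n $(geoiplookup "$ip" | sed 's/^GeoIP Country Edition: //')"
    done | awk '{ n = $1; $1 = ""; c[substr($0, 2)] += n } END { for (k in c) print c[k], k }' | sort -rn
}

echo "Failed passwords per IP:";  failed_by_ip "$SECURE_LOG"
echo "Targeted accounts:";        targeted_users "$SECURE_LOG"
echo "Bans per IP:";              bans_by_ip "$F2B_LOG"
echo "Repeat offenders:";         repeat_offenders "$F2B_LOG"
echo "Distinct IPs banned: $(banned_ip_count "$F2B_LOG")"
if command -v geoiplookup >/dev/null 2>&1; then echo "Bans by country:"; bans_by_country "$F2B_LOG"; fi
```

Point the functions at /var/log/secure and /var/log/fail2ban.log on the
server to get the real figures; the repeat_offenders list answers the
question the fail2ban post asks, whether addresses return after the one-hour
ban expires.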
Related
-
Blocking SSH break-in attempts with fail2ban
Date: October 23, 2021
-
Finding which package provided a file on a CentOS Linux system
Date: October 23, 2021
-
Fail2ban Logging
Date: April 9, 2016
[/security/attacks]
permanent link
Mon, Oct 05, 2020 9:25 pm
Your electricity will be cut off in 30 minutes
At 11:55 AM EDT this morning, my wife received a recorded call stating our
electricity would be cut off by Delmarva Power, our electric utility, in
thirty minutes. She called for me to pick up the phone, but by the time I got
to a phone in another room, the call was disconnected. She said the message
had instructed her to hit "1" to speak to someone. The call sounded like a
scam to me, since I didn't know of any issue with our electricity payments and
also because I would have expected a letter well before a cutoff date and
more than 30 minutes to pay any past due payment if someone called. It seemed
to me an obvious attempt to panic a called party into providing a credit card
to a scammer engaged in fraud, but I checked our bank account anyway and saw
the last payment due had been deducted from our checking account about two
weeks before the call and when I logged into Delmarva's website to check the
status of our account, I saw the last payment credited and a balance of zero
dollars.
Using *69, I was able to determine the listed calling number was
1-443-739-1747, but a search online for accounts of others receiving a call
from a scammer using that number did not reveal other such activity. I called
the number back to see how the scammer operated or to see if it might be
a spoofed number, but just got a recorded message that the called party
was not available, so I should leave a message. It sounded like a generic
voicemail message. So, perhaps, the scammer spoofed the calling number
as they often do to make it difficult to track down their identity.
[/security/scams]
permanent link
Thu, Aug 27, 2020 9:30 pm
Turning off McAfee AntiVirus Plus realtime protection temporarily
To temporarily turn off the realtime antivirus protection in McAfee
AntiVirus Plus, e.g., so you could move a file to another system for analysis
that it might deem malware or to scan the system with other antivirus
software, you can take the following steps:
-
Open the program and click on the gear (cog) icon at the upper, right-hand
corner of the window.
-
Under the PC Security section of the Settings, you will
see "Real-Time Scanning." When you click on "Real-Time Scanning" you will
have the option of turning off the real-time monitoring for 15 minute intervals
from 15 to 60 minutes or you can select "When I restart my PC" or "Never."
If you select a timed option, the protection will automatically turn back
on after that period of time. You can also turn on protection again
prior to that time by modifying the "Real-Time Scanning" setting again.
If you wish to view or restore items McAfee AntiVirus Plus has quarantined,
you can click on "Quarantined items" under Settings, which will show
you all files in the quarantine area, if any.
Note: these steps were tested on McAfee® AntiVirus Plus version 16.0
[/security/antivirus/mcafee]
permanent link
Thu, Jun 18, 2020 7:44 pm
Verifying a website's security certificate with openssl
You can verify a website's security certificate from a command line
interface (CLI), such as a shell prompt, by using
OpenSSL, which is
available for Linux, macOS, Microsoft Windows and other operating systems
— for a Windows version, see the instructions at
How to install the most recent version of OpenSSL on Windows 10 in 64 Bit.
To check a certificate, you can issue the command openssl s_client
-connect example.com:443 -showcerts, substituting the fully qualified domain
name (FQDN) of the site you wish to check for example.com. If the server
hosts several names on one address, also add -servername example.com so that
the client sends the name via Server Name Indication (SNI) and receives the
certificate for that name rather than the server's default one. The "Verify
return code" near the end of the output reflects validation against the CA
store that your copy of OpenSSL is configured to use, so a non-zero code can
mean the chain is bad or that the local trust store lacks the root. The output
for example.com is shown below.
$ openssl s_client -connect example.com:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
-----BEGIN CERTIFICATE-----
MIIHQDCCBiigAwIBAgIQD9B43Ujxor1NDyupa2A4/jANBgkqhkiG9w0BAQsFADBN
<text snipped>
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 907C391C745555481A141A04D65B7CD175BD5E052FF39EFD17B30848D535F0D1
Session-ID-ctx:
Master-Key: 9DC337D789BB8DB7CCE82BBC3EAD28C4A9E98016C98D35AD9A6B737C0B76AE3118881303F7E7890BEE0567FFC402B5F9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - b1 7d 3a 56 0e 17 8f 5a-37 b0 4b 03 dd de 8d 98 .}:V...Z7.K.....
0010 - 59 36 bb 73 43 e2 95 2a-9b 2e de ef 99 5e 92 d8 Y6.sC..*.....^..
0020 - 3a 16 b6 4d 78 2b c6 a4-58 a5 5b 2e c0 8a 1f a6 :..Mx+..X.[.....
0030 - e6 35 dd 8d 77 fb 4e 09-82 94 c0 8c 6e f8 56 41 .5..w.N.....n.VA
0040 - 9a bb 82 a6 b1 30 5d bc-38 24 00 9c a6 a3 10 c5 .....0].8$......
0050 - 6f cc e8 c8 25 62 6f e0-8f 7d 1a d9 18 6a db 32 o...%bo..}...j.2
0060 - 48 07 df b0 15 fc 98 a0-5d 27 93 df 20 4c 6c ae H.......]'.. Ll.
0070 - cf 95 23 49 d0 c0 57 10-c1 8b 12 fa b0 c4 33 41 ..#I..W.......3A
0080 - 2f 21 cf df dc 9a 1f 44-68 a3 76 81 0f b8 04 ab /!.....Dh.v.....
0090 - 59 e7 c4 29 79 28 f9 45-43 82 b9 a0 5a e5 6d 5a Y..)y(.EC...Z.mZ
Start Time: 1592522720
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
$
If you wish to check whether the server supports a particular cipher, you can
use the command openssl s_client -cipher followed by the cipher name and then
-connect followed by the FQDN, a colon, and the HTTPS port, 443, as shown
below for example.com. With OpenSSL 1.1.1 or later, -cipher governs TLS 1.2
and earlier; TLS 1.3 cipher suites are selected with -ciphersuites instead.
If the server does not support the cipher, the handshake fails with an
"sslv3 alert handshake failure" error and no certificate is printed, as in the
example below. The CONNECTED(00000003) line still appears, because it only
reports that the TCP connection succeeded, and the "Verify return code: 0 (ok)"
line means nothing in this case: no certificate was received, so nothing was
verified.
$ openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect example.com:443
CONNECTED(00000003)
140497569793952:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1592522976
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
$
If the cipher is supported, the handshake completes: the server's certificate
chain is printed and the SSL-Session section shows the negotiated cipher, as
shown below.
$ openssl s_client -cipher 'ECDHE-RSA-AES128-GCM-SHA256' -connect example.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
<text snipped>
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 27 d3 5d a3 cf ac 34 0b-92 af c6 00 17 0d 15 bc '.]...4.........
0010 - 6b be b4 92 dc 1a 01 97-98 9c f4 2b 68 f7 fd 69 k..........+h..i
0020 - 1c fd 25 16 21 ba aa f9-43 2b 1a 4b 54 d8 48 37 ..%.!...C+.KT.H7
0030 - 90 f7 2f 3f 76 d1 88 22-cf db 43 77 55 40 d2 41 ../?v.."..CwU@.A
0040 - c8 3a 8c f5 75 02 9b 88-92 92 38 f3 53 46 e7 48 .:..u.....8.SF.H
0050 - 9a bf 2d db 78 00 cd 12-2c 30 fc f8 81 20 e9 89 ..-.x...,0... ..
0060 - c0 8f 3c e3 e6 22 69 af-cb cd b0 ec dd 06 1b c9 ..<.."i.........
0070 - f3 82 cb ee 85 f1 c8 6a-27 29 5b 42 7e bb 87 60 .......j')[B~..`
0080 - c3 17 4a ff 54 41 b3 1a-8e 3b e3 30 b6 48 fa 9d ..J.TA...;.0.H..
0090 - b3 50 a5 2b 73 8d 59 16-4c fd b4 24 54 48 14 08 .P.+s.Y.L..$TH..
Start Time: 1592523392
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
$
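The two openssl posts on this page, this one and the Let's Encrypt renewal
post above (where the expired Dovecot certificate on port 995 was spotted by
hand in s_client output), both come down to fetching the certificate a server
presents and reading its validity dates. The script below is an added example
of doing that in a form you can put in a cron job; it is not code from either
post. The network functions use the openssl s_client and x509 commands as
documented; the self-signed certificate generated at the end is constructed
demo data so that the expiry check can run offline.

```shell
#!/bin/sh
# Added example (not part of the original posts): check a server certificate's
# validity window with openssl. fetch_server_cert and verify_server_chain need
# network access; the remaining functions work on a PEM file, so the
# self-signed certificate generated at the bottom lets the check run offline.

# Print the leaf certificate a TLS server presents, in PEM form. -servername
# sends SNI so a host serving several names returns the right certificate;
# </dev/null closes the session as soon as the handshake is done.
fetch_server_cert() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Whole-chain validation against the system CA store; prints the
# "Verify return code" line so a non-zero reason (expired, self-signed,
# unknown issuer) is visible.
verify_server_chain() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        grep 'Verify return code'
}

# Subject, issuer and notAfter of a PEM certificate.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# "ok" if the certificate is still valid $2 seconds from now, else "expiring".
# openssl x509 -checkend exits 0 when the cert will still be valid, 1 otherwise.
cert_expiry_status() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# Example cron-style check for a live host: warn if fewer than 14 days remain.
check_host() {
    host=$1; port=${2:-443}
    pem=$(mktemp)
    fetch_server_cert "$host" "$port" > "$pem"
    echo "$host:$port -> $(cert_expiry_status "$pem" 1209600) ($(verify_server_chain "$host" "$port"))"
    rm -f "$pem"
}

# Offline demo: a self-signed certificate valid for 2 days (constructed test data).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CERT=$DEMO_DIR/demo.pem
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=demo.example' \
    -keyout "$DEMO_DIR/demo.key" -out "$DEMO_CERT" >/dev/null 2>&1

cert_summary "$DEMO_CERT"
echo "valid 1 day from now:   $(cert_expiry_status "$DEMO_CERT" 86400)"
echo "valid 30 days from now: $(cert_expiry_status "$DEMO_CERT" 2592000)"
# On a connected system: check_host pop3.moonpoint.com 995
```

Run check_host against the mail server's POP3S port (995) as well as the web
server's 443, since a Let's Encrypt certificate shared between Apache and
Dovecot expires for both at once. For the renewal itself, certbot's renew
command accepts --pre-hook and --post-hook, which can stop and restart the web
server around the standalone port-80 challenge instead of doing it by hand.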
[/security/encryption/openssl]
permanent link
Fri, Jun 05, 2020 5:22 pm
Call from 616-465-0071 purporting to be from Amazon
My wife received a call today that was a recorded message purportedly about
a suspicious Amazon charge for an
iPhone.
She asked me to pick up the phone, but by the time I got to the phone the
call was disconnected. I used *69 to determine the calling number was
1-616-465-0071, though of course the number may have been spoofed. I
searched online and didn't find anyone else reporting a fraudulent call
from that number purporting to be from Amazon. I checked our Amazon
account just to be certain there was no recent charge for something
neither of us ordered, but I didn't see anything ordered after a recent purchase
of ink for my wife's printer. I tried calling the number using *69 just to see
whether I could get anyone at the other end or any identifying voice
message, but only got the message "I'm sorry we can not connect your
call at this time." Subsequent attempts I made to call the number resulted
in a busy signal. At this point, I'm presuming the call was an attempt
by a scammer to obtain information about our Amazon account or a credit
card number associated with the account.
[/security/scams]
permanent link