Archive for September 24th, 2007

Sep 24 2007

MuZumbu

What is a typical intrusion scenario?

A typical scenario might be:
1. Information Gathering
An attacker will normally start by finding out as much as possible about his target. At this point the attacker wants to be as stealthy as possible and usually relies on less direct methods, such as whois lookups and DNS zone transfers, as well as ordinary browsing of the target's websites to gather e-mail addresses and similar useful information.
2. Further Information Gathering
To gather more information, an attacker will usually perform ping sweeps and port scans and check web servers for vulnerable CGI scripts. The intruder will also check the versions of the applications and services running on your host, normally by banner grabbing: connecting to a service (for example SMTP on port 25) and parsing the response, which usually reveals the application's version or a pattern characteristic of that application. A good IDS will catch some of this activity.
3. Attack!!
With a list of possible loopholes in hand, the intruder starts trying different attacks on the system. For example, he will try the UNICODE attack if he previously found out that the target has IIS installed. Apart from launching exploits against well-known vulnerable software, a typical attacker will also look for misconfigured services, for example by trying to guess the passwords of known users on the system.
4. Successful intrusion
After a successful intrusion, attackers usually install their own backdoors on the system and delete log files to hide their tracks. They may install ‘toolkits’ such as rootkits that give them continued access, replace existing services with their own Trojan horses that accept backdoor passwords, or create their own user accounts. System integrity checkers such as Tripwire have the task of detecting this kind of activity and alerting the administrator. From here an attacker will usually launch further attacks on other hosts, especially those trusted by the compromised machine.
5. Fun and profit
Different classes of intruder have different goals. Some steal confidential information such as credit card numbers and passwords, while others just use the compromised host to launch further attacks on other sites (such as DDoS attacks). A few simply deface a website.
A growing trend is a different pattern of attack: intruders increasingly scan Internet addresses at random looking for one specific hole or a small set of holes. For example, an intruder may scan for hosts with port 80 open that run a misconfigured or unpatched IIS server, build a list of the vulnerable hosts, and then attack each one in turn.
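The system integrity checking that step 4 mentions, as an added example (not code from the original post) of a minimal Tripwire-style check in Python: it records a baseline of digests and permission bits, then reports files that were replaced, added or removed. The file tree it baselines and the tampering it simulates are constructed inside the script.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# Added example (not code from the original post): a minimal Tripwire-style integrity
# check. A baseline taken on a known-good host is later compared against the live tree.

def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest and mode bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # devices, sockets and symlinks are out of scope for this demo
            # masking with 0o7777 keeps setuid/setgid/sticky bits, so a newly setuid binary is reported
            baseline[p.relative_to(root).as_posix()] = {"sha256": hash_file(p), "mode": p.stat().st_mode & 0o7777}
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Return relative paths that were added, removed or changed since the baseline."""
    old, new = set(baseline), set(current)
    modified = sorted(r for r in old & new if baseline[r] != current[r])
    return {"added": sorted(new - old), "removed": sorted(old - new), "modified": modified}

def demo() -> dict:
    """Baseline a constructed file tree, simulate the post-intrusion changes, and diff."""
    files = {"sbin/sshd": "original sshd binary",
             "etc/passwd": "root:x:0:0::/root:/bin/sh\n",
             "var/log/auth.log": "Accepted password for alice\n"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        baseline = build_baseline(root)
        # constructed tampering: service replaced, account added, new file, log removed
        (root / "sbin/sshd").write_text("replaced sshd binary")
        (root / "etc/passwd").write_text(files["etc/passwd"] + "extra:x:0:0::/:/bin/sh\n")
        (root / "sbin/.hidden").write_text("new file")
        (root / "var/log/auth.log").unlink()
        return compare(baseline, build_baseline(root))
```

A real deployment keeps the baseline off the host (or on read-only media), since an intruder who can replace /sbin binaries can also edit a baseline stored next to them.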


Sep 24 2007

MuZumbu

How do intruders get passwords?

Filed under WindowSecurity.com

Intruders obtain passwords in various ways. These are some of the most popular methods used by hackers today:
Sniffing: Data passing over Ethernet or wireless networks can usually be intercepted. This is done with a protocol analyzer, which puts the network card into promiscuous mode, meaning that it passes all traffic on the network segment to the operating system without filtering. Passwords are typically “sniffed” from clear-text protocols such as POP3, FTP and Telnet, where the password crosses the network without any encryption. Many newer protocols use encryption. Although encryption makes sniffing passwords harder, it is still possible to recover passwords from the captured encrypted data using dictionary and brute-force attacks.
Sniffing is very effective for hackers and attackers because it is usually a passive attack, and therefore stealthier and harder to detect.
Replay attack: In some cases intruders do not need to decrypt the password; they can use the encrypted form itself to log in to systems. Tools are available that make this kind of attack easier. It is very popular against web applications.
Password file stealing: System passwords are usually stored in files or in the Windows registry. On Windows NT, 2000 and XP, passwords are stored in encrypted form in the SAM file. On UNIX systems the passwords are usually stored in /etc/passwd or /etc/shadow. Once an attacker gets his hands on the password file he can launch a dictionary or brute-force attack against the encrypted passwords.
Observation: A well-known, traditional password-stealing attack is dubbed “shoulder surfing”, which is simply an intruder watching someone type in a password. Observation can also mean going through a victim’s personal belongings: passwords are often written on small pieces of paper, and even on sticky notes attached to the monitor itself!
Social Engineering: Many successful hackers and attackers exploit human weaknesses; one well-known example is Kevin Mitnick. A common (and successful) technique is simply to call the user and say, “Hi, this is Bob from Some-Company. We have problems within the network and they appear to be coming from your machine. Can you give me your password?” Many users will happily hand over this sensitive information without thinking twice.
Default Passwords: Sometimes there is no need to guess passwords at all, because the system still has the default passwords set by the vendor. Many network devices such as switches and hardware routers ship with default passwords that let an attacker gain access easily.
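The sniffing paragraph notes that a protocol analyzer puts the card into promiscuous mode and that this is hard to detect. As an added example (not from the original post), the following Python reads the two things a Linux host does expose about its own interfaces: the PROMISC flag in `ip -o link` output and the kernel's "entered/left promiscuous mode" log lines. The sample output and log lines are constructed and abridged.

```python
import re
# Added example, not from the original post: find NICs on a Linux host that are in
# promiscuous mode, the state a protocol analyzer puts a card into. Current flags
# come from "ip -o link"; the kernel log records every enter/left transition.

IP_LINK_RE = re.compile(r"^\d+:\s+(?P<dev>[^:@\s]+)[^:]*:\s+<(?P<flags>[^>]*)>")
# older kernels log "device eth0 entered promiscuous mode", newer ones "eth0: entered promiscuous mode"
KLOG_RE = re.compile(r"(?:device (?P<dev>\S+)|(?P<dev2>\S+):) (?P<what>entered|left) promiscuous mode")

SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
4: eth1.10@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
"""
SAMPLE_KLOG = [  # constructed syslog lines
    "Sep 24 01:02:03 host kernel: device eth0 entered promiscuous mode",
    "Sep 24 01:05:00 host kernel: device eth1 entered promiscuous mode",
    "Sep 24 01:06:10 host kernel: device eth1 left promiscuous mode",
]

def promisc_from_ip_link(output: str) -> list:
    """Interfaces whose flag set in `ip -o link` output contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("dev"))
    return found

def promisc_from_kernel_log(lines) -> dict:
    """Replay enter/left events; True means the device is still promiscuous."""
    state = {}
    for line in lines:
        m = KLOG_RE.search(line)
        if m:
            state[m.group("dev") or m.group("dev2")] = m.group("what") == "entered"
    return state

def report(ip_link_output: str, klog_lines) -> dict:
    """'now' is currently promiscuous by either source; 'ever' also covers sniffers already stopped."""
    log_state = promisc_from_kernel_log(klog_lines)
    now = set(promisc_from_ip_link(ip_link_output)) | {d for d, on in log_state.items() if on}
    return {"now": sorted(now), "ever": sorted(now | set(log_state))}
```

Promiscuous mode is also used legitimately by bridges, virtual switches and an administrator's own tcpdump, so treat a hit as a lead to investigate rather than proof. The check only sees the local host; a sniffer on another machine on the segment leaves no trace here, which is why the post calls sniffing so hard to detect.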


Sep 24 2007

MuZumbu

What are whitehats and blackhats?

Filed under WindowSecurity.com

Hackers are often categorized as either Whitehat or Blackhat. Both have the know-how to penetrate a system, but their motives differ. A Whitehat’s aim is to learn a system’s loopholes in order to secure it. Blackhats, on the other hand, use this knowledge for personal gain and other selfish and unethical purposes.
Some computer security consultants are described as Whitehats, while “script kiddies” are sometimes described as Blackhats. Script kiddies are less sophisticated hackers who launch attacks against computer systems such as port scanning, defacing a website or launching a Denial of Service attack.


Sep 24 2007

MuZumbu

What are hackers and crackers?

Filed under WindowSecurity.com

An intruder is also referred to as a hacker or a cracker. A hacker is basically someone who hacks a system, either because he finds it interesting or because he wants to access your system; in the latter case he would be called a cracker.
In any case, hackers and crackers are both intruders and can be classified as external or internal intruders (outsiders or insiders).
External/Outsiders
Intruders from outside your network. They attack your web servers and email servers, and may also attempt to bypass the firewall to attack machines on the internal network. Outside intruders may come in from the Internet, dial-up lines, physical break-ins, or from a partner (vendor, customer, reseller, etc.) network that is linked to your corporate network.
Internal/Insiders
Intruders who use your internal network legitimately. These include users who misuse their privileges, who attempt to gain higher rights, or who use another user’s privileges. Internal intruders are often overlooked, yet most security breaches (80%) are committed by insiders.


Sep 24 2007

MuZumbu

What To Do If Linux Refuses To Boot

Filed under Articles

This deals with what to do (during a reboot) after a power failure or an incomplete shutdown of a Linux system for any reason. The problem is very common: many newcomers install Linux, get all their software and hardware working under Linux, and then one day the power fails. There are a few things you can try to get Linux back on track.

1. While rebooting, Linux may print a message saying that there is a problem with the file system and force a check. It does this for all Linux partitions. If the checks (they generally take around 30-60 seconds and display a rotating indicator) succeed, you are lucky: Linux should continue booting and you should be back in business soon. If this is what happens, you may be under the impression that switching a Linux machine off directly causes no problems. Please note that you were simply lucky to get away without any major problems.

2. While rebooting, Linux may fail some of the file system checks. In this case booting stops abruptly with a message stating that you should run fsck manually, without a few of its parameters. Once you reach the hash prompt (#), run the fsck command as mentioned (fsck -a -p /dev/hdaX). fsck must be told which partition to check, so if you installed Linux on /dev/hda1 you run: fsck -a -p /dev/hda1.

When you run fsck it will usually find some inode problems and ask whether you want to fix them; select the default option (yes). It does so for every problem found. Once this is over, restart the machine with either “Ctrl+Alt+Del” or “shutdown -r 0”, whichever works. This time your Linux machine should boot properly.

3. It has so happened that once, when the power failed, Linux simply failed to boot on my machine. It gave no errors at all, but the init process would just not get initiated. It would find my partitions, mount the ext2 file system as read-only and then simply display a prompt. Even with this prompt I wasn’t able to do a lot. I also noticed that a few of the default directories were missing on the native partition. The only solution I found was to reinstall Linux.

Note: While reinstalling, the best and safest way to fix the above problem is to insert the installation media (Redhat Linux 6.1 CD) and, instead of installing the OS again, select the option to upgrade the existing installation. This effectively replaces all the damaged areas of the OS while retaining all your personal data and configuration in Linux (this should work in almost all cases).
Hence I would always advise an upgrade to the same version (if you originally had Redhat Linux 6.1, insert the CD and once again select to upgrade to Redhat Linux 6.1 itself). If the upgrade option doesn’t fix the problem, you will have to reinstall after reformatting the Linux partitions.

4. In one case when Linux refused to boot I noticed that a few of the main files/directories were missing. I found that the /sbin directory (which is a very important directory) wasn’t in the root directory. I searched for this directory and found it within another directory. After some discussion I realized that my friend had accidentally moved this directory within his GUI while working in superuser mode. While he was working a few commands didn’t work, but he did not bother to find out why. Once he rebooted his machine the absence of this directory hung the boot process. So I suggest that you never work in superuser mode unless absolutely necessary. Even in superuser mode, prefer the shell, since you can hardly ever do anything accidentally there. In my friend’s case I simply moved the directory back into the root directory and Linux booted without any problems.

Take the time to look at the file system and make a mental note of the directory structure, which appears to be pretty complex.
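As an added example (not part of the original article) of step 2 applied to all Linux partitions rather than one hand-typed device, this Python reads /etc/fstab and /proc/mounts, lists the ext partitions fsck should check in pass order, and refuses any that are still mounted read-write. It emits `fsck -p`, of which the article's `-a` is an older synonym, and the fstab and mounts contents are constructed samples using the article's hda device names.

```python
# Added example, not from the original article: plan a manual fsck after a crash.
# Only ext filesystems with a non-zero pass field are candidates, and anything
# still mounted read-write is refused, because fsck on a live read-write
# filesystem can corrupt it. Both texts below are constructed samples.
SAMPLE_FSTAB = """\
/dev/hda1    /        ext2    defaults   1 1
/dev/hda2    /home    ext2    defaults   1 2
/dev/hda3    swap     swap    defaults   0 0
none         /proc    proc    defaults   0 0
"""
SAMPLE_MOUNTS = """\
/dev/hda1 / ext2 ro,noatime 0 0
/dev/hda2 /home ext2 rw,noatime 0 0
proc /proc proc rw 0 0
"""
EXT_TYPES = {"ext2", "ext3", "ext4"}

def parse_fstab(text: str) -> list:
    """(device, mountpoint, fstype, pass_number) for each non-comment fstab entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 4:
            continue
        passno = int(fields[5]) if len(fields) > 5 else 0  # pass defaults to 0 when omitted
        entries.append((fields[0], fields[1], fields[2], passno))
    return entries

def rw_mounted(mounts_text: str) -> set:
    """Devices that /proc/mounts shows mounted with the rw option."""
    rw = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "rw" in fields[3].split(","):
            rw.add(fields[0])
    return rw

def plan_fsck(fstab_text: str, mounts_text: str) -> list:
    """(device, action) pairs in fsck pass order; action is a command or a SKIP reason."""
    busy = rw_mounted(mounts_text)
    plan = []
    for dev, mnt, fstype, passno in sorted(parse_fstab(fstab_text), key=lambda e: e[3]):
        if passno == 0 or fstype not in EXT_TYPES:
            continue  # swap, proc and pass-0 entries are never checked
        if dev in busy:
            plan.append((dev, "SKIP: mounted read-write on %s, remount read-only first" % mnt))
        else:  # -p is automatic repair; -a is an older synonym for it
            plan.append((dev, "fsck -p %s" % dev))
    return plan
```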

Article Source: http://ezarticles.net


Sep 24 2007

MuZumbu

A Short Introduction to the Windows Registry

Filed under Articles

Should you stay clear of something in your computer that stirs up a bunch of hives every time you reboot?

The Windows Registry is such a creature, and while it is certainly true that you can’t be too cautious when accessing and editing Registry files, there are significant advantages to learning more about them.

A general understanding of the Registry and how it works can help you identify and fix many of the problems commonly associated with its degradation, or safely navigate its contents to customize and optimize your system’s performance.

The Registry’s Role in Windows

The Registry is unique to Windows, and varies a bit among its different versions. The basic Registry structure common to all versions since the introduction of Windows 95 is that of a central database containing all the information a computer needs to access and manage its individual components and user accounts.

It stores the configuration data and settings for all installed hardware, the location of application data and file type definitions for all installed software, and the security information and individual application preferences for all users.

Whenever system components are removed or installed, or adjustments are made to Control Panel settings and Windows System Policies, these changes are reflected in the Windows Registry.

Registry Storage and Structure

Much of the information contained in the Registry is stored on the computer’s hard drive as a set of binary data files, strangely and appropriately named “hives”.

The hives are permanent Registry components, serving as both supporting files from which Windows retrieves Registry data during system startup, and as backup files that the Registry writes to each time its supporting data is altered or changed.

Although you can’t open the hive files directly, you can see the data stored inside them by opening the Registry itself with a Registry Editor utility such as REGEDIT.EXE or REGEDT32.EXE.

These utilities display the Registry’s contents within a hierarchical structure of keys and subkeys, analogous to the directories and subdirectories you see in Windows Explorer.

At the top of this tree-like structure are the root keys, whose labels begin with “HKEY_”. Each of these root keys branches out, first into keys and then further into subkeys. At the end of these branches of keys and subkeys lie the Registry data, or value entries, corresponding to the data stored in the hive files.

Applications, INI Files, and the Registry

Applications can interact with the Registry in many ways. They can open and close existing keys, create new keys, and delete old keys in order to retrieve, add, change, or remove data from the Registry. In short, they can store all the information they need to launch and run within the centralized, hierarchical structure of the Registry.

Before the Windows Registry was introduced, applications looked to INI files to find the configuration information, user passwords and settings, and data paths required for their execution. Because INI files are simple text files, they can’t organize their data hierarchically and must be read line-by-line for their data to be accessed.

As text files they are also easier to access and edit than the Registry’s hive files or the Registry itself, but are more difficult and time-consuming to find, since they are generally stored in the folders of their associated applications.

With the introduction of Windows 95, the Registry replaced most of the text-based .INI files (including WIN.INI) that were used in Windows 3.x. The idea behind the Registry was to allow multiple applications to store the data needed for their execution in a single central location, with the binary hive files and hierarchical structure making the Registry more compact and easier to navigate.

Article Source: http://ezarticles.net

