Category Archives: Computers

Spyware, Keyloggers and SERIOUS problems

Story on Keyloggers at SpywareInfo.Com! link is now gone — but it was a good article!

There are some serious concerns here. If you even THINK you’ve been jacked by a keylogger, Install a SOFTWARE FIREWALL IMMEDIATELY. Change the passwords on ALL your bank, email and other accounts from a DIFFERENT, KNOWN-CLEAN computer. Oh, and DON’T USE INTERNET EXPLORER.

Almost back up….


More downtime

I have re-uploaded the nailfix.zip and nailfix.exe files from my original sources in the event that the downloads were compromised, and have temporarily disabled the rest of the downloads on this site until I can replace them with known good copies. *grrr* why can’t people find better, more constructive things to do with their time instead of attacking people? (or their servers?)

Nail/Aurora Fix

NOTE: These instructions have been superseded with updated procedures for the nailfix installer and a new version of Ewido. Please post a HijackThis Log in the Malware Removal Assistance forum here or at any of the ASAP Member Sites.

The following are instructions to run the Nail/Aurora popups fix. This can be recognized by the following lines in HijackThis:

F2 – REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 – Service: System Startup Service (SvcProc) – Unknown owner – C:\WINDOWS\svcproc.exe

I ALWAYS recommend starting this fix by posting a HijackThis log at one of the forums listed in the Spyware Help Forums FIX LINK! section.

Please download, install, and update the free version of Ewido trojan scanner:

  1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
  2. When you run ewido for the first time, you will get a warning “Database could not be found!”. Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. Wait for the update to finish (the status bar at the bottom will display “Update successful”).
  5. Exit Ewido. DO NOT scan yet.

Download CCleaner and install, but do not run it yet.

Please download the Nail/Aurora Spyware Fix from NoIdea.US.

Unzip it to the desktop but do NOT run yet.

Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:

  1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
  2. Select an option when the Windows Advanced Options menu appears, and then press ENTER.
  3. When the Boot menu appears again, and the words “Safe Mode” appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

Once in Safe Mode, please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly — this is normal.

Next, run Ewido again.

  1. Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack….
  2. If ewido finds anything, it will pop up a notification. You can select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
  3. When the scan finishes, click on “Save Report”. This will create a text file. Make sure you know where to find this file again.

Then run HijackThis, click Scan, and place a checkmark by the following item:

F2 – REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Now, run CCleaner.

  1. Uncheck “Cookies” under “Internet Explorer”.
  2. If running Firefox, click on the “Applications” tab and uncheck “Cookies” under “Firefox”.
  3. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Setting up Thunderbird



To configure Thunderbird for the domains hosted here:

Start Thunderbird. If you have never set up accounts in the program before, you will start with the Account Wizard. If not, click on the Tools menu, then Account Settings.


Select Email account, then Next.


Enter your name and email address in the appropriate fields, then click Next.


Select IMAP, and type in the names of the incoming and outgoing mail servers. Click Next.


Enter your full email address as the Incoming User Name and click Next.


Enter a descriptive Account Name or take the default entry, and click Next.


Confirm that all the settings are correct, and click Finish.


Back at the Account Settings window, select Outgoing Server (SMTP) from the left menu, then check Use name and password and enter your full email address in the User Name field.


Select Server Settings (for the account you just created) from the left menu. Check Use secure connection (SSL) and set the Check for new messages settings to your preferences.


Finally, select Composition & Addressing from the left menu. Uncheck Compose message in HTML format, and set the quoting options to your preferences, then click OK to exit the Account Settings screen.


That’s it!

Work in progress – UPDATED

Updated 27 Feb 2005: Grrr…I got the two Shuttle boxes (SV24 and SV25), only to discover that both have blown motherboards and power supplies. I’m working on the means to get them in usable order, but it’s going to take some fundage that I don’t currently have….can anyone help?


UPDATED 12 FEB 2005: I know people are waiting on this document! Gomennasai…but I will hopefully be much closer after this weekend. I should be picking up two shuttle systems this weekend, one of which will be my new mail server. I will be using this to finalize all the steps I will take to make this document finally useful.

I have Amavisd-new, SpamAssassin, ClamAV and Maia Mailguard all running now. I still need to get Mailman list manager tested and Squirrelmail running on https, but I promise! it’s getting closer!


UPDATED 13 OCT 2004: getting closer! See the bottom for the newest info…

Wednesday, September 29 2004 @ 12:02 AM CDT
Just a little heads-up…I’m currently working on a test mail server, incorporating Fedora Core 1, Postfix, Dovecot Imap, fetchmail, amavisd, and Maia Mailguard, with full SSL and virtual domain/user support tied into a MySQL database.


Like the title says, it’s a work in progress, so I don’t have a whole lot to give you yet, but I do have some success:
  1. Postfix is working to receive mail to users who only exist in the MySQL database.
  2. Dovecot will authenticate users via SSL, logging into the database.
  3. I can perform all IMAP functions with Dovecot and Mozilla Thunderbird as the client.
  4. I had to build custom RPMS for Postfix and Dovecot to incorporate the features I wanted (and remove Postgres support from Dovecot…grrrr)
Still to come:
  1. Installing and setting up Amavis, SpamAssassin, and ClamAV, and tying it into Maia Mailguard for per-user configuration.
  2. Setting up Fetchmail to POP several external accounts.
  3. Setting up name-based virtual hosting on Apache2.
  4. Probably other issues as they come up.
  5. Writing up coherent documentation on the process.

Doesn’t sound like much, really, but it’s been a big accomplishment for me so far, especially considering how badly certain applications (*cough*dovecot*cough*) are documented. To be fair, it is a fairly new app, and the userbase is not what it could be (many people sticking with Courier and Cyrus out of familiarity, I’m sure). I’m going to attempt to do my part by creating documentation on the process here, so others can benefit from my experimentation.

I’ll be writing up a static document for this site once everything is in place, so be watching for it!


UPDATE 13 OCT 2004: Process/Progress

Requirements:

  • SMTP-AUTH
  • IMAPS
  • all auth to sqldb
  • anti-spam
  • antivirus
  • web manageable
  • virtual domain hosting
  • per-user config for antispam

Implementation:


  • Fedora Core 1
  • MySQL 3.23.58
  • Postfix 2.1.5 w/ pcre, MySQL, sasl2, tls, vda support
  • Dovecot 0.99.11 with MySQL support
  • Maildir-formatted mailboxes

Done and Notes:

  • OS – Fedora Core 1 and updates
  • MySQL
  • Postfix
    • set up SMTP via SASL/Pam for auth over TLS.
    • Requires Pam-mysql 0.5 module
    • User passwords in db must be in MySQL-Crypt format
    • Maildir mailbox format in /home/postbox/%domain/%name/

  • Dovecot
    • configured to only offer IMAPS for encrypted comms
    • User passwords in DB must be in PLAIN-MD5 format

  • PostfixAdmin
    • Web interface for virtual domains in Postfix
    • can set passwords in several formats. Set to md5crypt.
    • added new $CONF['postfix_smtp_pw'] set to mysql crypt for smtp-auth

  • PHPMyAdmin
    • MySQL administrator for the web.
    • simplified testing password crypt methods.
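The two password formats in the notes above mean that every mailbox row has to carry the same password twice: a crypt(3) $1$ (md5crypt) hash for the Postfix SASL/pam-mysql path, and an unsalted hex MD5 for Dovecot's PLAIN-MD5 scheme. The script below is an added example written for this page; it is not part of this site's setup, PostfixAdmin, or Dovecot. It reimplements the md5crypt algorithm in pure Python so it runs on any Python version (the crypt module is gone in newer releases), and the column names `password` and `smtp_password` are assumed for illustration only. It gives a faster check of which format a stored value is in than trial and error through phpMyAdmin.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # crypt(3)-style base-64: least-significant 6 bits come out first
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt=None):
    """$1$ hash as produced by crypt(3): the format PostfixAdmin's md5crypt
    setting stores and pam_mysql compares against with crypt()."""
    if salt is None:
        salt = "".join(ITOA64[b % 64] for b in os.urandom(8))
    salt = salt.split("$")[0][:8]          # at most 8 salt characters
    pw, sb = password.encode(), salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                   # mix in alt once per 16 password bytes
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(pw)
    while bits:                            # one byte per bit of len(password)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for r in range(1000):                  # the deliberately slow stretching loop
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return "$1$" + salt + "$" + encoded


def plain_md5(password):
    """Dovecot's PLAIN-MD5 scheme: unsalted hex MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def verify_md5crypt(password, stored):
    """Recompute using the salt embedded in the stored hash; constant-time compare."""
    if not stored.startswith("$1$"):
        return False
    salt = stored[3:].split("$", 1)[0]
    return hmac.compare_digest(md5crypt(password, salt), stored)


def verify_plain_md5(password, stored):
    return hmac.compare_digest(plain_md5(password), stored.lower())


def mailbox_row(username, password):
    """Both columns one mailbox row needs under this design. Column names
    'password' (Dovecot) and 'smtp_password' (pam_mysql) are assumed."""
    return {"username": username,
            "password": plain_md5(password),
            "smtp_password": md5crypt(password)}


if __name__ == "__main__":
    row = mailbox_row("user@example.com", "correct horse")
    print(row)
    print(verify_plain_md5("correct horse", row["password"]),
          verify_md5crypt("correct horse", row["smtp_password"]))
```

The md5crypt half is salted and iterated, so two users with the same password get different hashes; the PLAIN-MD5 column is neither, so identical passwords are visible as identical rows to anyone who can read the table, which is worth remembering when granting database access to the web tools listed above.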


ToDo:

  • Amavis/SpamAssassin/ClamAV
  • Maia Mailguard
  • Fetchmail (for POPping external mailboxes)
  • Squirrelmail webmail client

SpywareInfo Helper

SpywareInfo.Com’s Support Forums! This means that they think I know enough to not endanger anyone when it comes to cleaning malware off computers. If you need assistance with your computer, you are more than welcome to visit SWI. The volunteer helpers there certainly do their best to help you.

I’ve also been accepted for membership in the Alliance of Security Analysis Professionals. “ASAP is made up of website/forum owners and administrators, forum staff, individuals, companies and various organizations who all provide security related support to computer end users.”

Creating a Mail Gateway for Microsoft Exchange

Setting Up a Spam-Filtering Mail Gateway


For Microsoft Exchange


Using Fedora Core 1, Postfix 2.0.19,


Amavisd-New and Razor2


If you find this document useful, or have any additions or corrections, please send a message to the Webmaster.

Document Conventions


Configuration filename – link to example file
Command prompt
Command typed by user
Comments
Input to text editor

Install Fedora Core 1


Use “server” configuration

(need to detail this…)

Install Fedora Core 1 Updates


[root]# rpm -ivh http://ftp.freshrpms.net/pub/freshrpms/fedora/linux/1/apt/apt-0.5.15cnc3-0.1.fr.i386.rpm
[root]# vi /etc/apt/sources.list

add the lines:

rpm http://apt.sw.be redhat/fc1/en/i386 dag
rpm-src http://apt.sw.be redhat/fc1/en/i386 dag
rpm http://ftp.WL0.org apt/fedora/fc1/i386 postfix
rpm-src http://postfix.WL0.org ftp/apt/fedora/fc1/i386 postfix

[root]# apt-get remove sendmail sendmail-cf
[root]# apt-get update
[root]# apt-get upgrade

You may have to run this multiple times. After APT updates the first time, you may get an error about not finding sources.list. If so, do:

[root]# mv /etc/apt/sources.list.rpmsave /etc/apt/sources.list

(you can ignore errors about duplicate sources).

Compile and Install Postfix


[root]# apt-get source postfix
[root]# apt-get install rpm-build gcc gawk sed ed patch
[root]# apt-get install mysql mysql-devel    (if using mysql)
[root]# cd /usr/src/redhat/SOURCES
[root]# export POSTFIX_MYSQL_REDHAT=1    (if using mysql)
[root]# export POSTFIX_PCRE=1
[root]# export POSTFIX_SASL=2    (if using SASL for SMTP AUTH)
[root]# export POSTFIX_TLS=1    (for SMTP AUTH)
[root]# export POSTFIX_SMTPD_MULTILINE_GREETING=1
[root]# sh make-postfix.spec
[root]# cd ../SPECS
[root]# rpmbuild -ba postfix.spec

You will probably get some errors about needed RPM devel packages. For each one, do:

[root]# apt-get install <missing package>

[root]# cd ../RPMS/i386
[root]# rpm -ivh postfix.*.rpm    (or: rpm -Uvh postfix.*.rpm if postfix is already installed)
[root]# chkconfig postfix off
[root]# postfix stop
[root]# cd /etc/postfix
[root]# vi main.cf    (linked file)
[root]# vi master.cf    (linked file)
[root]# ./postfix-chroot.sh enable

Install Amavisd-New and Pflogsumm (Postfix Log Summarizer)


[root]# apt-get install pflogsumm amavisd-new
[root]# chkconfig amavisd off
[root]# service amavisd stop
[root]# vi /etc/amavisd.conf    (linked file)
[root]# vi /var/spool/amavis/notify-spam-sender.txt    (linked file)
[root]# mkdir -p /var/spool/amavis/tmp
[root]# mkdir -p /var/spool/amavis/lookups
[root]# cd /var/spool/amavis/lookups
[root]# touch blacklist_sender whitelist_sender    (edit as necessary)
[root]# vi spam_lovers
add:
postmaster@domain.com
abuse@domain.com
[root]# vi virus_lovers    (same thing – add postmaster and abuse)
[root]# cd ../..
[root]# chown -R amavis:amavis amavis

Install Razor2


[root]# cd ~
[root]# wget http://aleron.dl.sourceforge.net/sourceforge/razor/razor-agents-2.40.tar.gz
[root]# perl -MCPAN -e shell
cpan> install Net::Ping
cpan> install Net::DNS
cpan> install Time::HiRes
cpan> install Digest::SHA1
cpan> install Getopt::Long
cpan> install File::Copy
cpan> install Digest::Nilsimsa
cpan> install URI::Escape
cpan> quit
[root]# tar xvfz razor-agents-2.40.tar.gz
[root]# cd razor-agents-2.40
[root]# perl Makefile.PL
[root]# make
[root]# make test
[root]# make install
[root]# su amavis
[amavis]$ razor-client
[amavis]$ razor-admin -create
[amavis]$ razor-admin -register
[amavis]$ cd /var/spool/amavis/.razor
[amavis]$ vi razor-agent.conf
debuglevel=1
[amavis]$ exit

Configure reporting tools


[root]# cd /usr/local/sbin
[root]# vi pflogs.sh    (attached file)
[root]# vi rejections.sh    (attached file)
[root]# chmod a+x pflogs.sh rejections.sh
[root]# cd /etc/logrotate.d
[root]# vi maillog

add before “endscript”:

/usr/local/sbin/rejections.sh
/usr/local/sbin/pflogs.sh
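The pflogs.sh and rejections.sh scripts referred to above are not reproduced on this page. As an added example (my own, not the attached scripts), here is a Python summarizer that does the job those reports exist for: it reads the Postfix smtpd rejection lines and the amavisd-new verdict lines from a maillog and counts rejections by reason and by client, and blocked messages by source, so a run-away sender or a recipient-table problem shows up in the daily report. The log excerpt is a constructed sample in the standard Postfix and amavisd-new line formats, with made-up hosts, addresses and IPs.

```python
import re
from collections import Counter

# Constructed /var/log/maillog excerpt (hosts, IPs and addresses are made up),
# in the line formats Postfix smtpd and amavisd-new actually write.
SAMPLE_MAILLOG = """\
Jan 12 10:15:01 gw postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<x>
Jan 12 10:15:07 gw postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <x>: Helo command rejected: Host not found; from=<c@example.net> to=<d@example.com> proto=ESMTP helo=<x>
Jan 12 10:16:40 gw postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 554 5.7.1 <nobody@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<e@example.org> to=<nobody@example.com> proto=ESMTP helo=<mail.example.org>
Jan 12 10:17:02 gw postfix/smtpd[1240]: connect from mail.example.org[198.51.100.7]
Jan 12 10:17:03 gw amavis[2345]: (02345-01) Passed CLEAN, [198.51.100.7] <e@example.org> -> <f@example.com>, Message-ID: <1@example.org>, Hits: -1.2
Jan 12 10:18:11 gw amavis[2346]: (02346-02) Blocked SPAM, [203.0.113.9] <g@example.net> -> <f@example.com>, Message-ID: <2@example.net>, Hits: 14.3
Jan 12 10:19:30 gw amavis[2347]: (02347-03) Blocked INFECTED (Eicar-Test-Signature), [203.0.113.9] <h@example.net> -> <f@example.com>, Message-ID: <3@example.net>, Hits: -
"""

# Postfix SMTP-time rejection: client name, IP, reply code, reason, envelope.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
# amavisd-new verdict line: Passed/Blocked, category, originating IP, envelope, score.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<category>[A-Z-]+)"
    r"(?: \([^)]*\))?, \[(?P<ip>[^\]]+)\] <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
    r".*Hits: (?P<hits>[-\d.]+)"
)


def parse_maillog(text):
    """Split a maillog into Postfix RCPT rejections and amavisd-new verdicts."""
    rejects, verdicts = [], []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            d = m.groupdict()
            # Drop the "<recipient>: " prefix and anything after the first ';'
            # so that the same policy outcome groups together in the report.
            d["reason"] = re.sub(r"^<[^>]*>: ", "", d["reason"]).split(";")[0]
            rejects.append(d)
            continue
        m = AMAVIS_RE.search(line)
        if m:
            verdicts.append(m.groupdict())
    return rejects, verdicts


def summarize(rejects, verdicts):
    """The counters a daily report needs: what was rejected, by which clients,
    and which sources amavisd-new blocked for spam or malware."""
    return {
        "rejects_by_reason": Counter(r["reason"] for r in rejects),
        "rejects_by_client": Counter(r["ip"] for r in rejects),
        "amavis_by_category": Counter(v["verdict"] + " " + v["category"] for v in verdicts),
        "blocked_sources": Counter(v["ip"] for v in verdicts if v["verdict"] == "Blocked"),
    }


def render_report(summary):
    lines = []
    for title, counter in summary.items():
        lines.append(title.replace("_", " ") + ":")
        for key, n in counter.most_common():
            lines.append("  %5d  %s" % (n, key))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    print(render_report(summarize(*parse_maillog(text))))
```

Run it with the path to a maillog as the only argument, or with no argument to see the sample. Hooked into the logrotate postrotate block the same way as the scripts above, it reports on the file just rotated; the "User unknown in relay recipient table" count is the one to watch on an Exchange gateway, since it shows how much mail for non-existent users is being refused at the edge instead of bouncing later.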

Configure SpamAssassin Rule updates


[root]# wget http://maxime.ritter.eu.org/Spam/rule-get
[root]# vi rule-get
change: my $real_path="/etc/mail/spamassassin"
[root]# chmod a+x rule-get
[root]# cd /etc/mail/spamassassin
[root]# rule-get get-rules
[root]# rule-get install BackHair Weeds2 ChickenPox BigEvil TripWire EvilNumbers

Yahoo Protocol changes – business, bluster or bull?

Gaim chat client, so AOL, ICQ and Yahoo are in one easy-to-use, and free, program). Yahoo pulled a nice stunt on Thursday, changing the chat protocol so that “that spammers will be blocked from abusing our system to spam our
users”. Unfortunately, they failed to take into account that spammers will always find a way. They’re kinda like roaches. Click to read my letter to messenger-security@yahoo-inc.com, and the response I received….

Here’s what I sent to the email address I could find. For some reason, “messenger-security” seems like an appropriate recipient, as they’re claiming that the blocking is a “security measure”…. To: messenger-security[at]yahoo-inc.com Subject: Blocking third-party clients — bogus “security” argument is shameful The latest argument being used by Yahoo to block third-party clients from their IM service is one of the biggest crocks of bullhockey that I’ve heard. Security? Anti-spim? That’s already taken care of by the client, when the user chooses to accept messages only from his buddies. This sounds like another case of greed getting the better of the users’ (and thus the CUSTOMERS’) experience.

I have had a Yahoo! account for years (at least four, possibly closer to seven). I didn’t start using Yahoo’s Messenger services until I discovered a client I liked (Gaim, in this case) that allowed me to open ICQ, AIM, and Yahoo! together. If the client hadn’t been able to talk to Yahoo messaging protocol, I would still not be using Yahoo for messaging because having to download and install yet another chat client simply wasn’t worth my time.

If you want to increase the value of your instant messaging system, add features (such as AmiKai’s AmiChat: http://www.amikai.com/products/portal/amichat.jsp) instead of acting like the three-year-old who takes his ball and goes home when the game doesn’t go his way. The way to survive is to adapt and be open to changes that benefit you AND your customers.

Robert Cooper

quoted from:
http://news.com.com/Yahoo+to+Trillian%3A+Talk+to+the+hand/2100-1032_3-5245821.html “This time, however, Yahoo said it will continue changing its protocols to prevent clients such as Trillian from finding new ways to incorporate Yahoo. Again, the measure was cited by Yahoo as a way to prevent IM spam.

“By making frequent protocol changes, it is our expectation that spammers will be blocked from abusing our system to spam our users,” [Yahoo spokeswoman Mary] Osako said.”

-=-=-=-=- And the response I received…. -=-=-=-=-

Followup to my email to Yahoo. Here is their reply….

Hello,

Thank you for writing to Yahoo! Messenger.

Yahoo! does not support third-party applications. Please contact the manufacturer directly in regard to this issue.

Thank you again for contacting Yahoo! Customer Care.

Regards,

Minnie

Yahoo! Customer Care

-=-=-=-=-

Sounds like issue avoidance to me. I thought my message was pretty clear.

Anti-Virus and Spyware Resources

Cleaning up Spyware and Viruses

First, gather the proper tools:


(Each of these is discussed in more detail below.)

Now, you’re going to run the listed tools. Each one performs a different function (although several of them are similar).

If you run into any problems with this process, visit any of the forums listed at the Alliance of Security Analysis Professionals.

The first tool to run is McAfee’s Stinger utility. Stinger is a stand-alone antivirus scanner that is regularly updated by McAfee that will catch and clean the most current viruses and worms. Simply double-click the S-T-I-N-G-E-R.EXE file, then click the Scan Now icon. Let the scanner run to completion.

As a checkpoint, now run HijackThis. It’s also a stand-alone utility that will scan for certain anomalies and make a list that can be analyzed. Double-click the HijackThis.exe icon, then click the Scan button. When the scan finishes, click the same button (now labeled Save Log) and save the file somewhere you can find it. Then you can exit the HijackThis utility.

The third step is to install and run Lavasoft’s Ad-Aware. Double-click the aawpersonal.exe file and click Next four times, then Finish. The installation program will put an icon on your desktop.

Close all open windows, especially any Explorer and Internet Explorer windows. Double-click the icon, then click on the Check for updates now link. In the update window, click the Connect button, then click OK to update the signature file. (Keep in mind the dates in this program are in European format, DAY.MO.YEAR.) After the update is done, click Finish, then Start and Next. When the scan finishes, click Next twice and say OK when prompted. After that, you can close Ad-Aware.

Step four: Spybot Search & Destroy. Double-click the spybotsd14.exe icon. Click Next, read and accept the license agreement and click Next twice. On the “Select Components” screen, uncheck everything except the “Main Files” component, then click Next twice. On the “Select Additional Tasks” screen, uncheck the “Create a Quick Launch icon”, then Next and Finish.

Double-click the Spybot – Search & Destroy icon. Select the language (English is the white flag with the red cross). On the next two dialog boxes, read the warnings and click OK. Then, click the Search for updates button. Install any updates found; the program will restart on its own. After it restarts, click Check for problems. When the scan finishes, click Fix selected problems and remove everything selected by default.

Last, run HijackThis again, and save the second log file with a new name (“hijack2.log” for example). Then, if you have any questions or concerns about anything else installed on your computer, post the contents of the second log file to one of the ASAP member forums.

Of the last four tools, CWShredder is designed to clean up a specific strain of spyware, known under the name “Cool Web Search”. BHODemon, Startup Control Panel and MyTop are not specifically spyware or virus removal tools, but are useful for diagnostics.

CWShredder

From the original author of HijackThis: CWShredder is “a small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names)….This program is updated to remove the new variants once they come out. Read my article with documentation on Coolwebsearch here.”

From Intermute: “CWShredder finds and destroys traces of CoolWebSearch. CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.”

BHODemon

From the author: “BHODemon scans your Registry for BHOs (Browser Helper Objects), and presents any it finds in a list. By highlighting a BHO in this list, and clicking the “Details” button, you can see information about this BHO, and even disable it if you wish.”

Startup Control Panel

From the Author: “Startup Control Panel is a nifty control panel applet that allows you to easily configure which programs run when your computer starts. It’s simple to use and, like all my programs, is very small and won’t burden your system. A valuable tool for system administrators!”

MyTop

Handy utility, especially with Windows 95/98 (and possibly ME) which do not have a task manager. MyTop lists all currently running processes on your computer and gives you the ability to kill them, without having to give a CTRL-ALT-DEL. Windows NT, 2000 and XP all have a built-in utility that performs the same function, the Task Manager, which can be accessed by either pressing CTRL-ALT-DEL and clicking “Task List”, right-clicking on the Taskbar and selecting “Task Manager”, or pressing SHIFT-CTRL-ESC.

Process Explorer

From the Author: “The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.”
Root Kit Detector

aports.exe

This set of tools is useful in removing a newer, nasty version of CoolWebSearch that uses a malicious hacker tool called Hacker Defender to prevent removal of its files and to hide its processes and other means of identifying the offender. Instructions can be found at This page at the University of Wales at Swansea.
