Archive for category Linux

Schedule tasks on Linux using crontab

If you’ve got a website that’s heavy on your web server, you might want to run some processes like generating thumbnails or enriching data in the background. That way they do not interfere with the user interface. Linux has a great program for this called cron. It allows tasks to be run automatically in the background at regular intervals. You could also use it to automatically create backups, synchronize files, schedule updates, and much more. Welcome to the wonderful world of crontab.
Crontab

The crontab command (cron derives from chronos, Greek for time; tab stands for table), found in Unix and Unix-like operating systems, is used to schedule commands to be executed periodically. To see which cronjobs are currently installed for root, you can open a terminal and run:

sudo crontab -l

To edit the list of cronjobs you can run:

sudo crontab -e

This will open the default editor (which could be vi or pico; you can change the default editor if you want) to let us edit the crontab. When you save and exit the editor, all your cronjobs are saved into the crontab. Cronjobs are written in the following format:

* * * * * /bin/execute/this/script.sh

Scheduling explained

As you can see there are 5 stars. The stars represent different date parts in the following order:

1. minute (from 0 to 59)
2. hour (from 0 to 23)
3. day of month (from 1 to 31)
4. month (from 1 to 12)
5. day of week (from 0 to 6) (0=Sunday)

Execute every minute

If you leave the star, or asterisk, it means every. Maybe that’s a bit unclear. Let’s use the previous example again:

* * * * * /bin/execute/this/script.sh

They are all still asterisks! So this means execute /bin/execute/this/script.sh:

1. every minute
2. of every hour
3. of every day of the month
4. of every month
5. and every day in the week.

In short: This script is being executed every minute. Without exception.
Execute every Friday 1AM

So if we want to schedule the script to run at 1AM every Friday, we would need the following cronjob:

0 1 * * 5 /bin/execute/this/script.sh

Get it? The script is now being executed when the system clock hits:

1. minute: 0
2. of hour: 1
3. of day of month: * (every day of month)
4. of month: * (every month)
5. and weekday: 5 (=Friday)

Execute on weekdays 1AM

So if we want to schedule the script to run at 1AM on every weekday (Monday to Friday), we would need the following cronjob:

0 1 * * 1-5 /bin/execute/this/script.sh

Get it? The script is now being executed when the system clock hits:

1. minute: 0
2. of hour: 1
3. of day of month: * (every day of month)
4. of month: * (every month)
5. and weekday: 1-5 (=Monday to Friday)

Execute 10 minutes past every hour on the 1st of every month

Here’s another one, just for practice:

10 * 1 * * /bin/execute/this/script.sh

Fair enough, it takes some getting used to, but it offers great flexibility.
Neat scheduling tricks

What if you’d want to run something every 10 minutes? Well you could do this:

0,10,20,30,40,50 * * * * /bin/execute/this/script.sh

But crontab allows you to do this as well:

*/10 * * * * /bin/execute/this/script.sh

Which will do exactly the same. Can you do the math? ;)
Special words

Instead of the five time fields, you can also use one of these keywords:

@reboot    Run once, at startup
@yearly    Run once a year, same as "0 0 1 1 *"
@annually  (same as @yearly)
@monthly   Run once a month, same as "0 0 1 * *"
@weekly    Run once a week, same as "0 0 * * 0"
@daily     Run once a day, same as "0 0 * * *"
@midnight  (same as @daily)
@hourly    Run once an hour, same as "0 * * * *"

The keyword replaces all five fields, so this is valid:

@daily /bin/execute/this/script.sh
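As an added example (not from the original post), here is a small Python matcher for the five-field syntax and the keywords above: it expands each field the way cron does, checks whether a line fires at a given minute, and, going one step beyond the post, applies cron's rule that when both day fields are restricted the job runs when either one matches.

```python
import datetime

# The shortcut keywords from the post, mapped to their five-field equivalents.
SPECIAL = {
    "@yearly": "0 0 1 1 *", "@annually": "0 0 1 1 *",
    "@monthly": "0 0 1 * *", "@weekly": "0 0 * * 0",
    "@daily": "0 0 * * *", "@midnight": "0 0 * * *",
    "@hourly": "0 * * * *",
}
# Allowed (low, high) per field: minute, hour, day of month, month, day of week.
RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def expand_field(field, lo, hi):
    """Expand one cron field ('*', '5', '1-5', '*/10', '0,30', '1-5/2') into a set."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start   # '5/10' means 5, 15, 25, ...
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"invalid cron field {field!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron_line(line):
    """Split a crontab line into its five schedule fields and the command."""
    line = line.strip()
    if line.startswith("@"):
        parts = line.split(None, 1)
        # @reboot is deliberately absent from SPECIAL: it has no clock time to match.
        if parts[0] not in SPECIAL or len(parts) < 2:
            raise ValueError(f"unsupported keyword or missing command: {line!r}")
        fields, command = SPECIAL[parts[0]].split(), parts[1]
    else:
        parts = line.split(None, 5)
        if len(parts) < 6:
            raise ValueError("expected five schedule fields followed by a command")
        fields, command = parts[:5], parts[5]
    # Validate every field up front so a broken entry is rejected before it is installed.
    for field, (lo, hi) in zip(fields, RANGES):
        expand_field(field, lo, hi)
    return fields, command.strip()


def fires_at(line, when):
    """True if the crontab line runs at `when` ('YYYY-MM-DD HH:MM' or a datetime)."""
    if isinstance(when, str):
        when = datetime.datetime.strptime(when, "%Y-%m-%d %H:%M")
    fields, _ = parse_cron_line(line)
    minute, hour, dom, month, dow = [
        expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, RANGES)
    ]
    cron_dow = (when.weekday() + 1) % 7   # cron: 0 = Sunday; Python: 0 = Monday
    dom_ok, dow_ok = when.day in dom, cron_dow in dow
    # Vixie cron rule (beyond the post): if both day fields are restricted,
    # the job runs when either one matches, not only when both do.
    if not fields[2].startswith("*") and not fields[4].startswith("*"):
        day_ok = dom_ok or dow_ok
    else:
        day_ok = dom_ok and dow_ok
    return when.minute in minute and when.hour in hour and when.month in month and day_ok
```

Note that `sudo crontab -e` edits root's crontab, so anything scheduled there runs as root; jobs that do not need that belong in the owning user's crontab (plain `crontab -e`).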

Storing the crontab output

By default cron mails the output of /bin/execute/this/script.sh to the user’s mailbox (root in this case). It is tidier to save the output to a separate logfile. Here’s how:

*/10 * * * * /bin/execute/this/script.sh >> /var/log/script_output.log 2>&1

Explained

Linux programs can report on two levels: standard output (STDOUT) and standard error (STDERR). STDOUT is file descriptor 1, STDERR is file descriptor 2. The shell applies redirections from left to right, so the first one sends STDOUT to a file. Where > would overwrite the file, >> appends to it, and in this case we want to append:

>> /var/log/script_output.log

The second one tells Linux to send STDERR to wherever STDOUT now goes, so messages and errors end up in one stream in the same file:

2>&1

The order matters: written the other way round, as 2>&1 >> /var/log/script_output.log, STDERR is pointed at the original STDOUT (the mailbox) before STDOUT is moved to the file, so errors never reach the log.

Mailing the crontab output

By default cron saves the output in the user’s mailbox (root in this case) on the local system. But you can also configure crontab to forward all output to a real email address by starting your crontab with the following line:

MAILTO="yourname@yourdomain.com"

Mailing the crontab output of just one cronjob

If you’d rather receive only one cronjob’s output in your mail, make sure this package is installed:

aptitude install mailx

And change the cronjob like this:

*/10 * * * * /bin/execute/this/script.sh 2>&1 | mail -s "Cronjob output" yourname@yourdomain.com

Trashing the crontab output

Now that’s easy:

*/10 * * * * /bin/execute/this/script.sh > /dev/null 2>&1

Just send all the output to the null device, also known as the black hole; again STDOUT is redirected first and STDERR then follows it. On Unix-like operating systems, /dev/null is a special file that discards all data written to it.

SPY Software, monitor software, activity monitor

http://www.refog.com/es/employee-monitoring.html

This PC monitoring solution ensures the productivity of your employees and protects company secrets from being stolen. It offers simple remote install over a network and real-time access to all reports and logs.

http://www.softactivity.com/

ACTIVITY MONITOR

With Activity Monitor, SoftActivity™ TS Monitor and SoftActivity™ Keylogger solutions you have your hand on the pulse of what is going on in your LAN. This unique spy software allows remote computer monitoring and keylogger recording in real time. The outstanding built-in keystroke recorder allows you to know everything a user types in their emails, chats and other programs, including passwords. View and record Internet activity, trace all programs started and run by your network members.
Here are several popular ideas of how to use our computer monitoring software:

* Employee activity monitoring. Find out what they are doing when they are assumed to be working
* Control over students during the academic hours. Easily track their activity with our keystroke logger, so they will use the network for educational purposes only
* Parental control. Our powerful spy software will alert you when your child is into something suspicious

Our internet monitoring software works out the entire issue with immense effectiveness. Full statistics, detailed reports, real time computer monitoring. The completely invisible keylogger to track and record everything happening within the entire network.


opendns with messenger

Always block:

Never block:


blog msn isa server

http://support.microsoft.com/kb/925120/en-us

 

http://forums.isaserver.org/m_2002015436/mpage_1/key_/tm.htm#2002021399

http://forums.isaserver.org/HTTP_Signatures_-_NO_QUESTIONS_-_JUST_SIGNATURES_PLEASE/m_2002015478/tm.htm


hopster bypass firewalls

http://www.hopster.com/

Bypass Firewall – Bypass Proxy – HTTP tunnel
Chat with your friends using your favourite applications: MSN, AOL, Yahoo Messenger, ICQ, Miranda, Trillian, mIRC… Wherever your friends are, hopster will bypass a censoring firewall and take you right to your buddies.

Browse, Surf, Download & Chat Anonymously
Hide your real IP address and protect yourself from nosy people and wannabe-hackers. With hopster, there’s no way anyone will know where or who you are.

Try hopster for free!
Freedom is just five minutes away. With just little more than 1 MB, downloading hopster is just a matter of minutes. And it even configures itself – automatically. So, go get it! Demo version transfers files with 2 Kilobytes per second.

hopster requires no configuration!


Tracking TCP Connections With tcptrack

Basically, tcptrack is a sniffer that shows information about TCP connections on a specific interface. tcptrack watches all the connections that occur and shows the information in a nice interface. Although it is a text user interface, it is simple and easy to understand. tcptrack has been packaged for several popular Linux distributions. The latest version of tcptrack is 1.2.0, released on December 20, 2006. You can download the source code from the tcptrack website.

tcptrack provides some useful information for administrators to track every single connection to their servers. I use tcptrack to watch my proxy to make sure that every user gets an appropriate bandwidth, no one saturates the whole bandwidth. It just gives me a way to watch the traffic. The information that tcptrack provides is:

  • source address and port
  • destination address and port
  • connection state
  • idle time
  • bandwidth usage

tcptrack also has a filtering feature; it uses the pcap filter syntax (identical to the one used in tcpdump).

Installation

tcptrack installation is fairly easy; on Debian GNU/Linux or Ubuntu you can simply use

apt-get install tcptrack

Searching on rpmfind.net I found the one matching my needs, tcptrack for CentOS. I use rpm for RHEL 4. I took the rpm and installed it manually. If you want to use yum, you have to enable the DAG repository. If you want to build it from source, you can read the INSTALL file in the package or read it online.

Using tcptrack

You have to be a superuser to run tcptrack. The basic usage is a command such as:

# tcptrack -i <networkInterface>

For example:

# tcptrack -i eth1

After invoking such a command tcptrack will run, capturing all TCP connections, and show them to you in an easy-to-understand interface. Other options that might be useful are -r and a port filter. -r will make tcptrack wait for a given time (in seconds) before it deletes a closed connection from the screen. For example:

# tcptrack -i eth0 -r 10

A port filter expression will filter the connections for you based on port number. For example:

# tcptrack -i eth1 port 22

You can read the manual for the complete options of tcptrack or read it online.


“Best Practices” for an Internet Webserver

__________________________________________________________

The following is a set of “Best Practices” for an Internet Webserver, based on my own experience and advisory J-042 from the U.S. Department of Energy Computer Incident Advisory Capability (CIAC).

__________________________________________________________

PROBLEM: Public web servers continue to be attractive targets for hackers seeking to embarrass organizations or promote a political agenda. Good security practices can protect your site from the risks such compromises create.
PLATFORM: Any UNIX platform or NT system being used as a web server.
DAMAGE: Damage can be anything from a denial-of-service attack, the placement of pornographic material, the posting of political messages, or the deletion of files or the placement of malicious software.

SOLUTION: Follow known best practices and apply software patches as soon as they are announced by your incident response team or your vendor.


BEST PRACTICES IN MANAGING WORLD WIDE WEB SERVER SECURITY:

  1. Network filtering:
    • Place your web server(s) in a DMZ. Set your firewall to drop connections to your web server on all ports but http (port 80) or https (port 443).
  2. Host based security:
    • Remove all unneeded services from your web server, keeping FTP (but only if you need it) and a secure login capability such as secure shell. An unneeded service can become an avenue of attack.
    • Limit the number of persons having administrator or root level access.
    • Apply relevant security patches as soon as they are announced and tested on a pre-production system.
    • Disallow all remote administration unless it is done using a one-time password or an encrypted link.
    • If the machine must be administered remotely, require that a secure capability such as secure shell is used to make a secure connection. Do not allow telnet or non-anonymous ftp (those requiring a username and password) connections to this machine from any untrusted site. It would also be good to limit these connections only to a minimum number of secure machines and have those machines reside within your Intranet.
    • If you must use a GUI interface at the console, remove the commands that automatically start the window manager from the .RC startup directories and then create a startup command for the window manager. You can then use the window manager when you need to work on the system, but shut it down when you are done. Do not leave the window manager running for any extended length of time.
  3. Configuring the Web service/application:
    • Run the web server in a chroot-ed part of the directory tree so it cannot access the real system files.
    • Run the anonymous FTP server (if you need it) in a chroot-ed part of the directory tree that is different from the web server’s tree.
    • Remove ALL unnecessary files such as phf from the scripts directory /cgi-bin.
    • Remove the “default” document trees that are shipped with Web servers such as IIS and ExAir.
  4. Auditing/logging:
    • Log all user activity and maintain those logs either in an encrypted form on the web server or store them on a separate machine on your Intranet, or write to “write-once” media.
    • Monitor system logs regularly for any suspicious activity.
    • Install some trap macros to watch for attacks on the server (such as the PHF attack).
    • Create macros that run every hour or so that would check the integrity of passwd and other critical files.
    • When the macros detect a change, they should send an e-mail to the system manager, write a message to logs, set off a pager, etc.
  5. Content management:
    • Do all updates from your Intranet. Maintain your web page originals on a server on your Intranet and make all changes and updates here; then “push” these updates to the public server through an SSH or SSL connection. If you do this on an hourly basis, you can avoid having a corrupted server exposed for a long period of time.
    • Write a script to download HTML pages and check against a template; if changes are noted, upload the correct version.
  6. Intrusion Detection:
    • Scan your web server periodically with tools like ISS, nmap or Satan to look for vulnerabilities.
    • Have intrusion detection software monitor the connections to the server. Set the detector to alarm on known exploits and suspicious activities and to capture these sessions for review. This information can help you recover from an intrusion and strengthen your defenses.
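As an added example for the auditing and content-management items above (not part of the advisory), a Python baseline-and-check script: it records the SHA-256 and permission bits of watched files, compares them on each run, and the demo() scenario alters constructed copies of passwd and a web page to show what an hourly check would report. The file names and the baseline store location are assumptions made for the demo.

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record the SHA-256, size and permission bits of every watched file."""
    baseline = {}
    for path in paths:
        st = os.stat(path)
        baseline[path] = {"sha256": sha256_of(path), "size": st.st_size,
                          "mode": oct(st.st_mode & 0o7777)}
    return baseline


def save_baseline(baseline, store):
    # Keep the store off the web server (an intranet host or write-once media, as
    # the advisory suggests for logs): a baseline an intruder can rewrite proves nothing.
    with open(store, "w") as f:
        json.dump(baseline, f, indent=1)


def load_baseline(store):
    with open(store) as f:
        return json.load(f)


def check(baseline):
    """Compare the live files with the baseline; return [(path, reason), ...]."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        mode = oct(os.stat(path).st_mode & 0o7777)
        if mode != expected["mode"]:
            findings.append((path, f"mode changed {expected['mode']} -> {mode}"))
        if sha256_of(path) != expected["sha256"]:
            findings.append((path, "content changed"))
    return findings


def demo():
    """Constructed scenario: baseline a passwd copy and a web page, alter both,
    re-check. Returns (findings on the clean run, findings after the changes)."""
    with tempfile.TemporaryDirectory() as root:
        passwd = os.path.join(root, "passwd")
        page = os.path.join(root, "index.html")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(page, "w") as f:
            f.write("<html><body>Welcome</body></html>\n")
        for path in (passwd, page):
            os.chmod(path, 0o644)   # fixed mode so the demo is independent of umask
        store = os.path.join(root, "baseline.json")
        save_baseline(build_baseline([passwd, page]), store)
        clean = check(load_baseline(store))   # nothing has changed yet -> []
        # What the hourly check should catch: a changed page and an unexpected
        # passwd edit with loosened permissions.
        with open(page, "w") as f:
            f.write("<html><body>Changed</body></html>\n")
        with open(passwd, "a") as f:
            f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
        os.chmod(passwd, 0o666)
        findings = check(load_baseline(store))
    return clean, [(os.path.basename(p), why) for p, why in findings]
```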

BULLETINS PUBLISHED RELATING TO WEB SERVERS:

UNIX Systems

F-11: Unix NCSA httpd Vulnerability http://www.ciac.org/ciac/bulletins/f-11.shtml
H-01: Vulnerabilities in bash http://www.ciac.org/ciac/bulletins/h-01.shtml
I-024: CGI Security Hole in EWS1.1 Vulnerability http://www.ciac.org/ciac/bulletins/i-024.shtml
I-082: HP-UX Netscape Servers Vulnerability http://www.ciac.org/ciac/bulletins/i-082.shtml
I-040: SGI Netscape Navigator Vulnerabilities http://www.ciac.org/ciac/bulletins/i-040.shtml

Domino 4.6 may allow unauthorized writes to remote server drives and server configuration files. http://www.l0pht.com/advisories/domino2.txt

Excite 1.1 may set encrypted password files world writable. BUGTRAQ Mail Archives: “Security bugs in Excite for Web Servers 1.1” at http://www.netspace.org/cgi-bin/wa?A2=ind9811e&L=bugtraq&F=&S=&P=519

ColdFusion Application Server and unauthorized access to web server data. http://www.excite.com/computers_and_internet/tech_news/zdnet/?article=/news/19990429/1014542.inp

Windows Systems

I-024: CGI Security Hole in EWS1.1 Vulnerability http://www.ciac.org/ciac/bulletins/i-024.shtml
I-025A: Windows NT based Web Servers File Access Vulnerability http://www.ciac.org/ciac/bulletins/i-025a.shtml

Microsoft bulletins can be found under the Microsoft Security Advisor web page at http://www.microsoft.com/security/default.asp The following bulletins appeared in “Current Security Bulletins” and “Security Bulletin Archives”:
MS99-013: Solution Available for File Viewers Vulnerability. (May 7, 1999)
MS99-012: MSHTML Update Available for Internet Explorer. (April 21, 1999)
MS99-011: Patch Available for “DHTML Edit” Vulnerability. (April 21, 1999)
MS98-019: Patch Available for IIS “GET” Vulnerability. (December 21, 1998)
MS98-016: Update available for “Dotless IP Address” Issue in Microsoft Internet Explorer 4. (October 23, 1998)
MS98-011: Update Available for “Window.External” JScript Vulnerability in Microsoft Internet Explorer 4.0. (August 17, 1998)
MS98-004: Unauthorized ODBC Data Access with Remote Data Services and Internet Information Systems. (July 15, 1998)

“ISAPI Extension vulnerability allows to execute code as SYSTEM” at: http://www.ntbugtraq.com/page_archives_wa.asp?A2=ind9903&L= ntbugtraq&F=P&S=&P=2439

Internet Explorer 5.0 cached passwords can be reused by another user. http://www.zdnet.com/zdnn/stories/news/0,4586,1014586,00.html http://www.zdnet.com/anchordesk/story/story_3351.html

Internet Explorer (3.01, 3.02, 4.0, 4.01) may allow frame spoofing to trick the user Microsoft Knowledgebase Article ID: Q167614: “Update Available For “Frame Spoof” Security Issue” http://support.microsoft.com/support/kb/articles/q167/6/14.asp

Systems running NCSA HTTPD and Apache HTTPD

G-17: Vulnerabilities in Sample HTTPD CGIs http://ciac.llnl.gov/ciac/bulletins/g-17.shtml
G-20: Vulnerability in NCSA and Apache httpd Servers http://www.ciac.org/ciac/bulletins/g-20.shtml

Apache denial-of-service attack — Apache httpd (1.2.x, 1.3b3) http://www.netspace.org/cgi-bin/wa?A1=ind9712e&L=bugtraq#2 http://www.apache.org/dist/patches/apply_to_1.2.4/no2slash-loop-fix.patch http://www.apache.org/dist/patches/apply_to_1.3b3/no2slash-loop-fix.patch

“HTTP REQUEST_METHOD flaw” http://www.netspace.org/cgi-bin/wa?A2=ind9901a&L=bugtraq&F=&S=&P=8530

Systems running Netscape Navigator

H-76: Netscape Navigator Security Vulnerability http://www.ciac.org/ciac/bulletins/h-76.shtml
I-082: HP-UX Netscape Servers Vulnerability http://www.ciac.org/ciac/bulletins/i-082.shtml
I-040: SGI Netscape Navigator Vulnerabilities http://www.ciac.org/ciac/bulletins/i-040.shtml

“Reading local files with Netscape Communicator 4.5” at http://www.geocities.com/ResearchTriangle/1711/b6.html

Netscape Navigator may allow frame spoofing to trick the user Netscape Security Update: “The Frame-Spoofing Vulnerability” http://home.netscape.com/products/security/resources/bugs/framespoofing.html

System running cgi-bin routines

I-013: Count.cgi Buffer Overrun Vulnerability http://www.ciac.org/ciac/bulletins/i-013.shtml
I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages http://www.ciac.org/ciac/bulletins/i-014.shtml

IRIX webdist.cgi, handler and wrap programs ftp://sgigate.sgi.com/security/19970501-02-PX ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist

“Nlog 1.1b released – security holes fixed” http://www.netspace.org/cgi-bin/wa?A2=ind9812d&L=bugtraq&F=&S=&P=10302 http://owned.comotion.org/~spinux/index.html

Other useful documents

  • CIAC also published a document called Securing Internet Information Servers which has a chapter on Securing World Wide Web Servers http://www.ciac.org/ciac/documents/ciac2308.html
  • The first is a publication that was developed by SANS and The Intranet Institute after the web server at the U.S. Department of Justice was hacked: “Twelve Mistakes To Avoid In Managing Security For the Web.” http://www.computerworld.com/home/online9697.nsf/all/971001secure.
  • SANS also publishes a document called “14 Steps to Avoiding Disaster with Your Web Site.”
  • Another web site that you should book mark is http://www.w3.org/Security/faq/. This is a web security FAQ (Frequently Asked Questions) that is maintained by The World Wide Web Consortium http://www.w3.org/. They have security sections for each of the major operating systems used today for web servers: http://www.w3.org/Security/faq/wwwsf8.html.
  • http://webcompare.internet.com compares how well different web servers compare to the standards.

IF YOUR WEB SITE HAS BEEN HACKED

CIAC recommends the following as you check your web servers:

1. Apply ALL security-related patches for the web server software as well as for the underlying Operating System.
2. Remove ALL unnecessary files such as phf from the scripts directory /cgi-bin. Remove the “default” document trees that are shipped with Web servers such as IIS and ExAir.
3. Validate ALL user accounts on the web server and ensure that they have strong passwords.
4. Validate ALL services and open ports on the web server to ensure there are no Trojanned services.
5. Look for suspicious files in the /dev, /etc, and /tmp directories.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

Previous CIAC notices, anti-virus software, and other information are  available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud)


Other references

Microsoft IIS 5.0:  “Secure Internet Information Services 5 Checklist” includes a few tweaks to the underlying Windows 2000 OS. www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=178&TB=news


nmap open ports linux

There are two good methods to see what ports are open on Linux: you can use nmap, which is a port scanner, or you can use netstat.

nmap can be used to scan your machine to see which ports are open. Issue the following command to scan your own machine:

nmap -sS -O 127.0.0.1

Once the scan has finished you will get output like the following:

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-01-16 05:48 GMT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
1241/tcp open  nessus
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 – 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 1.985 days (since Fri Jan 14 06:10:41 2005)

Nmap run completed — 1 IP address (1 host up) scanned in 2.341 seconds

The second method is netstat. netstat shows the listening ports together with the programs using them. Issue the following command as root:

netstat -nap

This will show you output similar to:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:61931             0.0.0.0:*                   LISTEN      5277/wish
tcp        0      0 127.0.0.1:5335              0.0.0.0:*                   LISTEN      3920/mDNSResponder
tcp        0      0 0.0.0.0:1241                0.0.0.0:*                   LISTEN      31438/nessusd: wait
tcp        0      0 10.0.0.14:32776             194.109.129.220:6667        ESTABLISHED 5062/xchat
tcp        0      0 10.0.0.14:45731             207.46.107.146:1863         ESTABLISHED 5277/wish
tcp        0      0 10.0.0.14:33009             82.96.64.2:6667             ESTABLISHED 5062/xchat
tcp        0      0 :::80                       :::*                        LISTEN      4355/httpd
tcp        0      0 :::22                       :::*                        LISTEN      32372/sshd
tcp        0      0 :::443                      :::*                        LISTEN      4355/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3614/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           3920/mDNSResponder
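As an added example (not from the original post), a Python parser for the netstat -nap output above, using a constructed copy of that output as sample input: it pulls out the listening sockets and flags those bound to every interface whose port is not on an allow list, which is the comparison an administrator makes against the firewall policy and the service inventory.

```python
import re

# Constructed sample in the shape of the netstat -nap output shown above.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address        State       PID/Program name
tcp        0      0 127.0.0.1:61931  0.0.0.0:*              LISTEN      5277/wish
tcp        0      0 127.0.0.1:5335   0.0.0.0:*              LISTEN      3920/mDNSResponder
tcp        0      0 0.0.0.0:1241     0.0.0.0:*              LISTEN      31438/nessusd: wait
tcp        0      0 10.0.0.14:32776  194.109.129.220:6667   ESTABLISHED 5062/xchat
tcp        0      0 10.0.0.14:45731  207.46.107.146:1863    ESTABLISHED 5277/wish
tcp        0      0 10.0.0.14:33009  82.96.64.2:6667        ESTABLISHED 5062/xchat
tcp        0      0 :::80            :::*                   LISTEN      4355/httpd
tcp        0      0 :::22            :::*                   LISTEN      32372/sshd
tcp        0      0 :::443           :::*                   LISTEN      4355/httpd
udp        0      0 0.0.0.0:68       0.0.0.0:*                          3614/dhclient
udp        0      0 0.0.0.0:5353     0.0.0.0:*                          3920/mDNSResponder
"""

PID_PROG = re.compile(r"^(\d+)/(.*)$")
ANY_INTERFACE = {"0.0.0.0", "::"}   # bound to every address, so reachable from the network


def parse_address(addr):
    """'10.0.0.14:32776' -> ('10.0.0.14', 32776); ':::80' -> ('::', 80); port '*' -> None."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Turn netstat -nap lines into dicts; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue
        parts = line.split(None, 6)      # program names may contain spaces
        if len(parts) < 6:
            continue
        host, port = parse_address(parts[3])
        rest = parts[5:]
        # UDP sockets usually have no State column, so detect it by content:
        # a PID/Program token looks like '3920/mDNSResponder' or '-' (not run as root).
        state = ""
        if not (PID_PROG.match(rest[0]) or rest[0] == "-"):
            state, rest = rest[0], rest[1:]
        owner = " ".join(rest)
        m = PID_PROG.match(owner)
        sockets.append({
            "proto": parts[0], "host": host, "port": port, "remote": parts[4],
            "state": state,
            "pid": int(m.group(1)) if m else None,
            "program": m.group(2) if m else owner,
        })
    return sockets


def listeners(text):
    """Sockets waiting for input: TCP in LISTEN, or UDP sockets not bound to a peer."""
    return [s for s in parse_netstat(text)
            if (s["proto"].startswith("tcp") and s["state"] == "LISTEN")
            or (s["proto"].startswith("udp") and s["state"] == "")]


def exposed_listeners(text, allowed_ports):
    """Listeners bound to every interface whose port is not on the allow list."""
    return [(s["proto"], s["port"], s["program"]) for s in listeners(text)
            if s["host"] in ANY_INTERFACE and s["port"] not in allowed_ports]
```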


CLAMAV

ClamAV

ClamAV is a set of antivirus tools for UNIX, licensed under the GPL (free software).

Clamscan

In addition, the clamscan program can detect viruses in our files from the command line.

Connect to Espora.org via Secure Shell

~$ ssh usuario@espora.org

or use PuTTY.

Run clamscan

Check which directory you are in

usuaria@maquina:~$ pwd
/home/mi_usuaria

Detect viruses in your $HOME

usuario@maquina:~$ clamscan -r ./

  • Description
    • clamscan : the antivirus
    • -r : the ‘recursive’ option, which also searches the subdirectories
    • ./ : the current directory (your $HOME)
  • Manual and help

usuaria@maquina:~$ man clamscan      #the manual

usuaria@maquina:~$ clamscan --help   #the help, a list of options

If you have many files, you can filter clamscan’s output with the -i option so that it only shows the infected files.

usuaria@maquina:~$ clamscan -ri /home/mi_usuaria

You will get something like this:

LibClamAV Warning: ********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.  ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
LibClamAV Warning: ********************************************************
LibClamAV Warning: ********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.  ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
LibClamAV Warning: ********************************************************
/home/mi_usuaria/public_html/mi_archivo.php: PHP.Defash.B FOUND

----------- SCAN SUMMARY -----------
Known viruses: 35669
Engine version: 0.84
Scanned directories: 300
Scanned files: 139
Infected files: 1
Data scanned: 2.06 MB
Time: 13.793 sec (0 m 13 s)

In this example, /home/mi_usuaria/public_html/mi_archivo.php has a virus called PHP.Defash.B.

What to do with the infected files?

  • Delete them (clamscan deletes the virus together with the whole file. You will have to recreate the file):

usuaria@maquina:~$ clamscan --remove -r nombre_archivo_infectado

    • If it is a text file, for example an HTML file, you can edit it and remove only the virus.
  • Disinfect them with the antivirus you have on your own computer and upload them again.


clam antivirus

Examples

(0) Scan a single file:
clamscan file

(1) Scan the current working directory:
clamscan

(2) Scan all files (and subdirectories) in /home:
clamscan -r /home

(3) Load database from a file and limit disk usage to 50 MB:
clamscan -d /tmp/newclamdb --max-space=50m -r /tmp

(4) Scan a data stream:
cat testfile | clamscan -

(5) Scan a mail spool directory:
clamscan -r /var/spool/mail
