World Record: 404907 websites hacked by Iskorpitx (Turkish Hacker)!

Type the word “Iskorpitx” into Google, and see what you get. Exactly the same word spit back at you, except from any number of different sites. That’s because Iskorpitx is the handle of a hacker who recently committed the biggest hacking incident in web-hosting history. Those search results are the graffiti he left.

Quote from zone-h.org:
"Turkish cracker going by the handle "Iskorpitx", successfully hacked 21,549 websites in one shot (plus 17,000 as our last update) and defaced (on a secondary page) all of them with a message showing the Turkish flag (with AtaTurk face on it)"


Also, Iskorpitx was reportedly responsible for the largest defacement in web history, successfully hacking 21,549 websites in one shot in May 2006.

The biggest news was about the NZ Parliament video site being hacked, and also sites hosted by A2Hosting and GoDaddy. But the attack was actually bigger than that; even some Estonian sites were attacked.

After doing some research, it appears to me that iSKORPiTX does this sort of thing from time to time, every 3-6 months or so. I found one place where someone said he attacked over 20,000 sites in under 24 hours.


Iskorpitx has quite a reputation for this sort of thing. Since 2003, he's hacked an estimated 117,000 websites, not even including this latest round, and some of those were the sites of his own country's government. 


Based on Zone-H's record, which is always verified to be accurate, tens of thousands of GoDaddy customers were defaced. Without some kind of investigation, we can't be certain what GoDaddy knew and when, but if the forum thread from April 2005 is authentic and accurate, then we have a big problem: nothing was done in over a year, which resulted in the biggest mass web defacement ever. As a customer of GoDaddy hosting myself, I want to know the truth.


It remains unknown whether the most recent attacks were made at the root or webserver level. Iskorpitx carries out his defacements by creating subpages, regardless of what authorization level he achieves on the servers.

Iskorpitx's motivations are unclear. Although many of the Turkish hackers have religious agendas, he does not seem to share them. Whatever his reasons or inspiration, Iskorpitx is acting as a massive nuisance throughout the Web. 


Pakistan Law Website and 9 other Hacked By Team NUTS

Law website: http://nwfplaws.gon.pk/

Other websites hacked are:

Genesco's Credit Card Processing System Hacked !

Specialty retailer Genesco Inc. said Friday that it suffered a criminal intrusion into the part of its computer network that processes payment card transactions and certain details of cards might have been compromised, but added that the intrusion was likely contained after the company took immediate steps to secure the affected part of its network. The company expressed confidence that customers can now safely use their credit and debit cards in its stores.

Nashville, Tennessee-based Genesco said that the portion of its computer network that processes payment card transactions for its United States Journeys, Journeys Kidz, Shi by Journeys and Johnston & Murphy stores, and for some of its Underground Station stores, suffered a criminal intrusion. While the extent of the intrusion was not yet known, the company said it is conducting a probe with the help of an outside expert to determine the extent of any possible compromise of customer information that occurred in the intrusion.

Robert Dennis, Chairman, President and Chief Executive Officer of Genesco said, "Since we learned of the intrusion, we have worked diligently with outside experts to protect our customers' information and we are confident that they are safe shopping with their credit and debit cards at our stores. We recommend that our customers review their card statements and other account information carefully and immediately notify their card issuer if they suspect fraudulent use. We sincerely regret any inconvenience this attack on our network may cause our customers."
Genesco noted it was possible that the credit or debit card number, expiration date and card verification code contained on the magnetic stripe of some payment cards used at stores in the affected chains may have been compromised during the intrusion. However, the company said it currently has no reason to believe that personal information, such as names, addresses or Social Security numbers, was acquired by the intruder. Further, the company said that payment card transactions in any of its e-commerce or catalog businesses, Lids Sports businesses, or its Canadian stores did not seem to be affected by the intrusion.

Genesco said it has notified law enforcement authorities as well as the major payment card brands and is cooperating with them to identify those responsible for the intrusion.

On Wednesday, Mastercard Inc. said its website was experiencing heavy traffic, but credit card use was not affected. The company made no comment on whether the website had been taken down by hackers. The media had earlier reported a series of hacker attacks on various websites belonging to organizations that have denied service to Wikileaks, the whistleblower website. Mastercard had said on Monday that it "would no longer process donations" to Wikileaks, terming the site's activities "illegal".

Paypal, Visa Inc. and other banks previously connected to Wikileaks also severed their ties with Wikileaks. These companies withdrew services to the controversial website after it leaked secret U.S. diplomatic cables. In retaliation, hackers in support of Wikileaks brought down the websites of the credit card giants.

In Friday's regular trading session, GCO is trading at $38.86, up $0.20 or 0.52% on a volume of 1,580 shares. The stock has been trading in a range of $21.00-$41.20 in the past 52 weeks.

Cracking the BlackBerry


The showdown between the Indian government and Research in Motion, the Canadian company behind the BlackBerry service, has reached a crescendo. Indian security agencies have always been leery of BlackBerry's walled garden approach. But after the UAE, Saudi Arabia and now Lebanon announced a ban on BlackBerry services, the Indian government seems to have been galvanised into action.
Is there really a security risk with the BlackBerry or is the government over-reacting? There are many ways to access email with your mobile device. Most smartphones are designed to integrate the mobile device with the office network. To the server, the smartphone appears as just another computer which can pull emails from the server and users read emails on their phones in much the same way as they do on their laptops. The BlackBerry service, on the other hand, is designed so that all data sent by a BlackBerry device is compressed to a fraction of its original size before being sent to vast RIM server farms in Canada. These servers connect to individual BlackBerries using a "push" technology that allows email messages to reach the recipient device almost as soon as it hits the Canadian server. The compression also ensures that the message is encrypted, imparting, in addition to rock-steady reliability, an unparalleled privacy in email communication.
Now, while privacy is good — perhaps even necessary for the legitimate business user — it is a nightmare for law enforcement agencies constantly locking horns with tech-savvy terrorists. The inability to read email exchanges between individuals plotting anti-national activity is often the difference between preventing a crime and getting there too late.
Under Indian telecom licenses, the government has the right to require telcos to allow the government access to their networks. However, interception is of little use if the message being intercepted is itself encrypted. The encryption algorithms used by BlackBerries are designed to withstand decryption attempts by super-computers. Which is why the Indian government wants RIM to part with its encryption keys.
Even if RIM does agree to do this, it will not of itself solve the problem. Even if the government has access to the encryption keys of all retail customers, it would still be unable to access emails sent from corporate BlackBerry accounts. Enterprise customers can buy their own BlackBerry servers with advanced security features. These private BlackBerry servers have their own encryption keys, to which RIM has no access, in order to assure customers that no one outside their organisation has access to their email. It is currently impossible for RIM to provide the government access to the many thousands of keys already issued to enterprise customers, even if a decision is taken to do so going forward.
There is a third service that is potentially even more dangerous from a law enforcement perspective — BlackBerry Messenger. Anyone who has a BlackBerry device can share their PIN with any other BlackBerry owner and send messages between their respective devices instantly and without charge. This extremely popular application has a huge following in the BlackBerry universe, but since it enables instant messaging, it has real-time implications for law enforcement.
There is little doubt that the fears of Indian law enforcement agencies are well founded. But practically, is there anything one can do about it?
The BlackBerry service provides an encrypted solution that protects customer emails without the need for customers to implement complex settings. However, encryption technology, of the high level used by the BlackBerry service, is not the exclusive preserve of RIM. Anyone with even moderate computer skills would be able to implement the same level of encryption to cloak email passing between personal computers or other mobile devices. It will be relatively easy for a terrorist armed with such devices and using the normal 3G or GPRS data connectivity to ensure that their messages are impossible to read, even if intercepted. What then will the government do next — ban all connected mobile devices? While there is every need to be vigilant and to constantly evolve our defences, we must be rational and measured in our reactions. There is a fine line between precaution and paranoia.
The writer is a Bangalore-based lawyer

RHS333 - Red Hat Enterprise Security and Network Services


Components of the Exam

The Enterprise Security: Network Services Expertise Exam is organized into two sections:
  • Centralized Authentication Security: 3.0 hours
  • Network Service Security: 3.0 hours
In order to earn the Enterprise Security: Network Services Certificate of Expertise, one must earn a score of 70 or higher on each section.

Study Points for the Exam

Prerequisite skills for the Exam

Candidates must be a Red Hat Certified Engineer on a release that is considered current in order to take this exam.

Enterprise Security: Network Services

Candidates should be able to perform the tasks listed below.

Centralized Authentication Security

  • configure an NIS server to provide directory services
  • configure Kerberos to provide user authentication
  • configure NFSv4 server
  • configure a network client to use NIS for directory information
  • configure a network client to use Kerberos for authentication
  • configure a network client to mount an NFSv4 export
  • configure r-clients (rlogin, rcp, etc.) and telnet to use Kerberos

Network Services Security

  • Use xinetd and TCP wrappers to restrict access to network services
  • Configure Postfix and Sendmail to:
    • filter mail based on message characteristics
    • use TLS for secure communication
    • use the Real-time Blackhole List (RBL) via DNS
  • Configure POP/IMAP to use SSL/TLS for secure communication
  • Configure the following aspects of DNS:
    • master domain
    • slave domain
    • views
    • forwarders
    • blackhole lists (RBL)
    • TSIG
  • Use GPG tools to:
    • generate key pairs
    • sign documents
    • encrypt documents
    • decrypt documents
    • verify document signatures
  • configure a certificate authority (CA) and sign certificate requests
  • configure httpd to use an SSL certificate signed by a certifying authority
  • configure httpd to use passwords and/or network location to restrict access to content
  • configure FTP security to
    • support FTP only users
    • implement host based access restrictions
As with all Red Hat performance-based exams, configurations must persist after reboot without intervention.


Broadband ADSL/PPPoE Client (RP-PPPoE)

How to install Broadband ADSL/PPPoE Client (RP-PPPoE)

wget -c http://www.roaringpenguin.com/files/download/rp-pppoe-3.8.tar.gz
sudo tar zxvf rp-pppoe-3.8.tar.gz -C /opt/
sudo chown -R root:root /opt/rp-pppoe-3.8/
gksudo gedit /usr/share/applications/RP-PPPoE.desktop
  • Insert the following lines into the new file
[Desktop Entry]
Name=RP-PPPoE
Comment=RP-PPPoE
Exec=gksudo /opt/rp-pppoe-3.8/go-gui
Icon=pppoeconf.xpm
Terminal=false
Type=Application
Categories=Application;Network;
  • Save the edited file
  • Applications -> Internet -> RP-PPPoE

Backdoor.Win32.BO.a

Aliases
Backdoor.Win32.BO.a (Kaspersky Lab) is also known as: Backdoor.BO.a (Kaspersky Lab), Orifice.svr (McAfee), W32.HLLP.Clay.dr (Symantec), BackDoor.BOrifice (Doctor Web), Troj/Orifice-A (Sophos), Backdoor:Win32/BOClay (RAV), BKDR_BO.58880 (Trend Micro), Boserve-01 (H+BEDV), W32/Back_Orifice.124928 (FRISK), Win32:Trojan-gen. (ALWIL), BackDoor.BackOrifice (Grisoft), Backdoor.BackOrifice.A (SOFTWIN), Trojan.Bo (ClamAV), Trj/BOr (Panda), Back_Orifice.Dropper (Eset)
Description added Feb 20 2002
Behavior Backdoor
Technical details
This Trojan (also known as the Back Orifice Trojan) is a network-administration utility that allows control of computers on the network. "'Back Orifice' is a remote administration system, which allows a user to control a computer across a tcpip connection using a simple console or gui application. On a local line or across the internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine has," reads the advertising banner on a distribution Web-site.
The only feature classifying this utility as malicious Trojan software is its silent installation and execution. When this program is run, it installs itself into the system and then monitors it without any prompts or messages. If it is already installed on your computer, you cannot find this application in the task list. The Trojan also does not indicate its activity in any way.
The Trojan is distributed in a package of several programs and documentation. All programs in the package were written in C++ and compiled with the Microsoft Visual C++ compiler. The date stamps on the EXE files that we have show that all files in the package were compiled between the end of July and the first week of August 1998. All the programs in the package are in Portable Executable format and can be run under Win32 only.
The main executable in the package is the BOSERVE.EXE file, which might be found under different names on an infected computer. This is the Trojan itself: the "server" part of the Trojan that can be summoned by clients from a remote computer.
The second file is the BOCONFIG.EXE utility, which can configure the server as well as attach it to other executable files in the same way viruses do. While attaching (infecting), the host file is moved down and the Trojan code is placed at the top of the file. When "infected" files are run, the Trojan extracts the original file image and spawns it without any side effects.
There are two "client" parts of the Trojan (console and window), and they communicate with the "server" from a remote computer. Two other executable files in the package are used by the Trojan while compressing/decompressing files on the "server".
When the Trojan is executed on the computer, it first of all determines its status: whether it is the original Trojan code or is attached to some host file, i.e., modified by the BOCONFIG.EXE utility. In the latter case, the Trojan locates the customized options in the host file and reads them.
The Trojan then initializes the Windows sockets, creates the WINDLL.DLL file in the Windows system directory (this file is stored as a resource in the Trojan), then obtains several KERNEL32.DLL API addresses for future needs, searches for an already running Trojan process and terminates it (upgrading the Trojan process), copies itself to the Windows system directory and registers this copy in the system registry as an auto-run service:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
It then creates a TCP/IP datagram socket, assigns port number 31337 (by default) to this socket and opens this port for listening. The Trojan then runs a standard Windows DispatchMessage loop, i.e., stays in Windows memory as a process with a hidden attribute (it has no active window and is not visible in the task manager).
The main Trojan routine then listens for commands from the remote client. The commands travel in encrypted form and start with the "*!*QWTY?" ID-string (without the quotation marks).
Depending on the command, the Trojan is able to perform a set of actions:
  • obtain and send computer name, user name and system info: processor type, memory size, Windows OS version, installed drives and free space on them;
  • share selected drives;
  • list disk contents or search for a specific file;
  • send/receive files (read and write them), as well as delete, copy, rename and run them (including updating itself);
  • create/delete directories;
  • compress/decompress files;
  • log off current user;
  • halt the computer;
  • enumerate and send active processes;
  • enumerate and connect to network resources;
  • terminate selected process;
  • obtain and send cached passwords (passwords that were used during the current session), then look for the ScreenSaver password (decrypt and send them);
  • display message boxes;
  • access the system registry;
  • open and redirect other TCP/IP sockets;
  • support HTTP protocols and emulate the Web-server, so one may access the Trojan by Web browser;
  • play sound files;
  • hook, store and send keyboard input while the user is logging in (see below).
While installing into the system, the Trojan creates the WINDLL.DLL file (it keeps this file image in its resources). When needed, the Trojan loads this DLL into memory and initializes it; the DLL then hooks the keyboard and console (device console) input and stores the hooked data in the BOFILEMAPPINGKEY and BOFILEMAPPINGCON files, which are then available to the main Trojan routine.
The Trojan can also expand its abilities by using plug-ins. They can be sent to the "server" and installed as a Trojan plug-in. Their features and main functions (including possible malicious ones) are at the plug-in author's discretion.

Backdoor.Throd.a

Aliases
Backdoor.Throd.a (Kaspersky Lab) is also known as: BackDoor-CEV (McAfee), Backdoor.Sysdot (Symantec), BackDoor.Throda (Doctor Web), Troj/BDThr-A (Sophos), Backdoor:Win32/Throd.A (RAV), BDS/Throd.A.2.B (H+BEDV), Win32:BMP-SYS (ALWIL), BackDoor.Throd.A (Grisoft), Backdoor.Throd.A (SOFTWIN), Bck/Throd.A (Panda), Win32/Throd.A (Eset)
Description added May 13 2004
Behavior Backdoor
Technical details
Throd is a Trojan that allows a 'master' to use the zombie machine as a proxy server. Throd is written in Delphi for Windows, is about 23 KB in size (about 80 KB unpacked) and comes packed with UPX.

Installation

The Trojan copies itself into the Windows system folder under a name assembled from one element of each of the following three groups, followed by ".exe":
  • ms, svc, win
  • 16, 32, 64
  • mes, prn, reg
"ms16prn.exe", for example.
In order to auto-launch, the Trojan creates a key in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
with one of the following names chosen at random:
MS Driver Management
Synchronization Messager
System Directory Service
System Service Control
Windows Messaging System
Throd then attempts to connect to several remote servers and pass on ID information, including the IP address and so forth, to the virus author.
Throd accepts commands from the remote 'master', collects email addresses from the MS Outlook address book into the mseml.dll file and uses HTTP commands to send them to the same remote sites.
Throd can install and launch arbitrary files on command.
Throd also works as a proxy server and is capable of accepting and sending any type of data.
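An added triage script, not Kaspersky's code, that checks a host's autorun entries, listening sockets and system directory against the indicators in the Backdoor.Win32.BO.a and Backdoor.Throd.a descriptions above: BO's RunServices persistence, its default port 31337 and the dropped WINDLL.DLL, and Throd's Run value names plus the ms/svc/win + 16/32/64 + mes/prn/reg file-name pattern. All input is constructed inline (the registry export, the `netstat -ano` text and the executable paths are made up for the example); on a real host you would feed it the actual exports.

```python
import itertools
import re

# Indicators taken from the Backdoor.Win32.BO.a description.
BO_RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
BO_DEFAULT_PORT = 31337
BO_DROPPED_DLL = "windll.dll"

# Indicators taken from the Backdoor.Throd.a description.
THROD_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
THROD_VALUE_NAMES = {
    "MS Driver Management",
    "Synchronization Messager",
    "System Directory Service",
    "System Service Control",
    "Windows Messaging System",
}


def throd_filenames():
    """All 27 file names Throd can build: one part from each group plus .exe."""
    parts = (("ms", "svc", "win"), ("16", "32", "64"), ("mes", "prn", "reg"))
    return {"".join(combo) + ".exe" for combo in itertools.product(*parts)}


def check_listeners(netstat_text, port=BO_DEFAULT_PORT):
    """(proto, pid) for every socket bound to the BO default port in `netstat -ano` output."""
    socket_re = re.compile(r"^(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)$")
    hits = []
    for line in netstat_text.splitlines():
        m = socket_re.match(line.strip())
        if m and int(m.group(2)) == port:
            hits.append((m.group(1), int(m.group(3))))
    return hits


def check_autoruns(entries):
    """Flag (reason, value_name, data) for autorun entries matching either family.

    entries: iterable of (key, value_name, data) as exported from the registry.
    The BO rule is a heuristic: any RunServices value launched from the system
    directory deserves a look, but on Win9x some legitimate software lives
    there too, so treat a hit as a lead rather than a verdict.
    """
    throd_names = throd_filenames()
    findings = []
    for key, name, data in entries:
        exe = data.rsplit("\\", 1)[-1].lower()
        if key.lower() == BO_RUNSERVICES_KEY.lower() and "\\system" in data.lower():
            findings.append(("BO: RunServices value launched from the system directory", name, data))
        if key.lower() == THROD_RUN_KEY.lower() and (name in THROD_VALUE_NAMES or exe in throd_names):
            findings.append(("Throd: known Run value name or generated file name", name, data))
    return findings


def check_dropped_dll(paths):
    """Paths whose file name is the WINDLL.DLL that BO drops while installing."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() == BO_DROPPED_DLL]


# Constructed sample host state; every path and value below is made up.
SAMPLE_AUTORUNS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Example Updater", r"C:\Program Files\Example\updater.exe"),
    (BO_RUNSERVICES_KEY, "", r"C:\WINDOWS\SYSTEM\svchost32.exe"),
    (THROD_RUN_KEY, "System Service Control", r"C:\WINDOWS\SYSTEM32\win32reg.exe"),
]
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
UDP    0.0.0.0:31337          *:*                                    1460
UDP    0.0.0.0:137            *:*                                    4
"""
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\WINDLL.DLL", r"C:\WINDOWS\SYSTEM\KERNEL32.DLL"]


def triage(autoruns=SAMPLE_AUTORUNS, netstat_text=SAMPLE_NETSTAT, files=SAMPLE_FILES):
    """Run all three checks and return one dict of findings."""
    return {
        "autoruns": check_autoruns(autoruns),
        "bo_port_listeners": check_listeners(netstat_text),
        "bo_dropped_dll": check_dropped_dll(files),
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {hits if hits else 'nothing found'}")
```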

Backdoor.SdBot.gen

Aliases
Backdoor.SdBot.gen (Kaspersky Lab) is also known as: W32/Lolol.worm.gen (McAfee), W32.Spybot.Worm (Symantec), Win32.IRC.Bot.based (Doctor Web), W32/Spybot-CQ (Sophos), Win32/HLLW.SpyBot (RAV), Worm/SpyBot.#3 (H+BEDV), Win32:SpyBot-GEN (ALWIL), Worm/Spybot (Grisoft), Backdoor.SDBot.Gen (SOFTWIN), Trojan.Spybot.gen-3 (ClamAV), W32/Spybot.BE.worm (Panda), Win32/SpyBot.AFL (Eset)
Description added Aug 21 2002
Behavior Backdoor
Technical details
This is a family of backdoor malicious programs, which provide the user with remote control over victim machines. This is achieved by sending commands via IRC channels.

Installation

Depending on the program version, the backdoor copies itself either to the Windows System directory or to other directories located in the System directory. The program also registers a copy of itself in the system registry, which ensures that it will be executed when Windows is started:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
The registry value will vary according to which version of the backdoor has infected the machine.

Payload

Backdoor.SdBot connects to a range of IRC servers, then connects with a channel that is hard coded into its body. It is then ready to receive remote commands, such as downloading and executing remote files, acting as an IRC proxy server, joining IRC channels, sending messages via IRC, and sending UDP and ICMP packets to remote computers.

Backdoor.Rbot.gen

Aliases
Backdoor.Rbot.gen (Kaspersky Lab) is also known as: IRC-Sdbot (McAfee), W32.Spybot.Worm (Symantec), Win32.HLLW.MyBot (Doctor Web), W32/Rbot-BY (Sophos), Backdoor:Win32/Rbot (RAV), Worm/Sdbot.39936.B (H+BEDV), Win32:SdBot-194-B (ALWIL), IRC/BackDoor.SdBot.28.F (Grisoft), Backdoor.SDBot.Gen (SOFTWIN)
Description added Aug 06 2004
Behavior Backdoor
Technical details
Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access to victim machines. The Trojans are controlled via IRC, and have the following functions:

  • monitor networks for interesting data packets (i.e. those containing passwords to FTP servers, and e-payment systems such as PayPal etc.)
  • scan networks for machines which have unpatched common vulnerabilities (RPC DCOM, UPnP, WebDAV and others); for machines infected by Trojan programs (Backdoor.Optix, Backdoor.NetDevil, Backdoor.SubSeven and others) and by the Trojan components of worms (I-Worm.Mydoom, I-Worm.Bagle); for machines with weak system passwords
  • conduct DoS attacks
  • launch SOCKS and HTTP servers on infected machines
  • send the user of the program detailed information about the victim machine, including passwords to a range of computer games

Backdoor.Perl.AEI.16

Aliases
Backdoor.Perl.AEI.16 (Kaspersky Lab) is also known as: BackDoor-AEI.php (McAfee), Backdoor.Trojan (Symantec), Troj/Bdoor-AEI (Sophos), PERL/AEI.16* (RAV), PERL_AEI.16 (Trend Micro), Perl.Backdoor.RevTunnel.A (SOFTWIN), Backdoor Program (Panda), Perl/AEI.16 (Eset)
Description added Nov 28 2007
Behavior Backdoor
Technical details
This Trojan program is designed to provide remote management of systems running UNIX-type operating systems. It is a Perl script. It is approximately 12KB in size.

Payload
This Trojan has two parts, a server and a client. The execution depends on the parameters with which the Trojan is launched.
The server part opens a port which is specified in the body of the Trojan. The Trojan waits for a connection to this port and attempts to use the command line interpreter to run all commands received from the remote client.
The client is a shell for sending commands to the server part and for getting service messages.

Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Backdoor.Perl.AEI.20

Aliases
Backdoor.Perl.AEI.20 (Kaspersky Lab) is also known as: BackDoor-AEI.php (McAfee), Backdoor.Trojan (Symantec), Troj/Bdoor-AEI (Sophos), PHP/RevTunnel.20* (RAV), PHP_REVTUNNEL.A (Trend Micro), Perl/AEI.20 (H+BEDV), Unix/Aei.trojan (FRISK), UNIX:Malware (ALWIL), Perl.Backdoor.RevTunnel.A (SOFTWIN), Backdoor Program (Panda), PHP/RevTun.20 (Eset)
Description added Nov 28 2007
Behavior Backdoor
Technical details
This Trojan program is designed to provide remote management of systems running UNIX-type operating systems. It is a Perl script. It is approximately 14KB in size.
Payload
This Trojan has two parts, a server and a client. The execution depends on the parameters with which the Trojan is launched.
The server part opens a port which is specified in the body of the Trojan. The Trojan waits for a connection to this port and attempts to use the command line interpreter to run all commands received from the remote client.
The client is a shell for sending commands to the server part and for getting service messages.
The Trojan can also function via a proxy server.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Backdoor.PHP.C99Shell.w

Detection added Sep 12 2007 10:29 GMT
Description added Aug 04 2008
Behavior Backdoor
Technical details
This Trojan provides a remote malicious user with access to the victim machine. It is a PHP script. It is 229051 bytes in size.

Installation

This backdoor can be installed on a web server by a remote malicious user by uploading it via FTP, using the administrator's log-in details, which have already been stolen. It can also be installed by exploiting a range of web site vulnerabilities which make it possible to upload an arbitrary file to the directory which contains the site scripts. Once this has been done, a hidden page appears on the site. Opening this page makes it possible for the malicious user to launch the backdoor and make use of its malicious functionality.

Payload
This backdoor is designed to provide remote, unauthorised administration of web servers. When the backdoor is launched, the malicious user is shown the backdoor interface:

The backdoor is able to conduct the following actions on the remote server:

  1. provide full access to files on the hard disk
  2. calculate a range of hashes for strings
  3. launch the command interpreter and bind its standard input/ output to a specific TCP port
  4. bind the standard input/ output of the command interpreter to data from the IRC server (datapipe)
  5. view a list of processes launched on the server
  6. execute arbitrary PHP code
  7. download/ upload files from/to the server
  8. search the server's hard disk for files with specific content
  9. manage mysql databases (view/ create/ edit databases/tables)
  10. run shell commands
  11. scan FTP server accounts for weak passwords (e.g. where the account name and password coincide)
  12. delete the copy of itself from the server hard disk on command
  13. create a user account without password
  14. view active users in the system
  15. delete records of its own activity from Apache server logs
  16. exploit a range of Linux kernel and bash command interpreter vulnerabilities
  17. run via the proxy server shown below, hiding the address of the remote malicious user:
    http://*****faced.org/proxy/index.php?q=

Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
  2. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Backdoor.PHP.C99Shell.an

Detection added Jun 16 2008 02:05 GMT
Update released Jun 16 2008 06:12 GMT
Description added Oct 20 2008
Behavior Backdoor
Technical details
This Trojan provides a remote malicious user with access to the victim machine. It is a PHP script. It is 149170 bytes in size.

Installation

This backdoor can be installed on a web server by a remote malicious user by uploading it via FTP, using the administrator's log-in details, which have already been stolen. It can also be installed by exploiting a range of web site vulnerabilities which make it possible to upload an arbitrary file to the directory which contains the site scripts. Once this has been done, a hidden page appears on the site. Opening this page makes it possible for the malicious user to launch the backdoor and make use of its malicious functionality.

Payload
This backdoor is designed to provide remote, unauthorised administration of web servers. When the backdoor is launched, the malicious user is shown the backdoor interface:

The backdoor is able to conduct the following actions on the remote server:

  1. provide full access to files on the hard disk
  2. calculate a range of hashes for strings
  3. launch the command interpreter and bind its standard input/ output to a specific TCP port
  4. bind the standard input/ output of the command interpreter to data from the IRC server (datapipe)
  5. view the list of processes launched on the server
  6. execute arbitrary PHP code
  7. download/ upload files from/to the server
  8. search the server's hard disk for files with specific content
  9. manage mysql databases (view/ create/ edit databases/ tables)
  10. run shell commands
  11. scan FTP server accounts for weak passwords (e.g. where the account name and password coincide)
  12. delete the copy of itself from the server hard disk on command
  13. create a user account without password
  14. view active users in the system
  15. delete records of its own activity from Apache server logs
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
  2. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
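Two checks a web-server owner can run against the C99Shell behaviour described in the Backdoor.PHP.C99Shell.w and .an entries above, written here as an added example rather than Kaspersky's code. The shell arrives as an extra .php file in the script directory, so the first check diffs the files on disk against the deployment manifest; the shell can delete its own entries from the Apache logs on the host but not from a copy already forwarded to a log collector, so the second check lists lines present in the forwarded copy but absent locally and extracts the paths they requested. The manifest, file listing and log lines are constructed sample data, and `/uploads/img.php` is a made-up file name.

```python
import re
from collections import Counter

# Constructed deployment manifest: what the site is supposed to contain.
DEPLOYED_FILES = {"/index.php", "/lib/db.php", "/uploads/photo1.jpg"}
# Constructed listing of the web root after the incident.
FILES_ON_DISK = {"/index.php", "/lib/db.php", "/uploads/photo1.jpg", "/uploads/img.php"}

# Constructed Apache access-log lines: the copy that reached the log collector ...
FORWARDED_LOG = """\
192.0.2.10 - - [04/Aug/2008:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [04/Aug/2008:10:13:45 +0000] "POST /uploads/img.php HTTP/1.1" 200 229051
192.0.2.10 - - [04/Aug/2008:10:14:02 +0000] "GET /uploads/photo1.jpg HTTP/1.1" 200 40211
198.51.100.7 - - [04/Aug/2008:10:15:30 +0000] "GET /uploads/img.php?act=ls HTTP/1.1" 200 18822
"""
# ... and the log left on the web server after the shell removed its own traces.
LOCAL_LOG = """\
192.0.2.10 - - [04/Aug/2008:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.10 - - [04/Aug/2008:10:14:02 +0000] "GET /uploads/photo1.jpg HTTP/1.1" 200 40211
"""

PHP_SUFFIXES = (".php", ".phtml", ".php3", ".php4", ".php5")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def find_unexpected_php(deployed, on_disk):
    """Script files present on disk that the deployment manifest does not list."""
    return sorted(p for p in on_disk - deployed if p.lower().endswith(PHP_SUFFIXES))


def find_deleted_log_lines(forwarded_text, local_text):
    """Lines that reached the collector but no longer exist in the local log.

    Counter subtraction keeps duplicate lines honest: a request logged twice
    and deleted once still shows up exactly once as missing.
    """
    forwarded = forwarded_text.splitlines()
    missing = Counter(forwarded) - Counter(local_text.splitlines())
    deleted = []
    for line in forwarded:  # preserve the original log order
        if missing[line] > 0:
            deleted.append(line)
            missing[line] -= 1
    return deleted


def requested_paths(lines):
    """Distinct request paths (query string stripped) found in the given log lines."""
    paths = set()
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            paths.add(m.group(1).split("?", 1)[0])
    return paths


def triage(deployed=DEPLOYED_FILES, on_disk=FILES_ON_DISK,
           forwarded=FORWARDED_LOG, local=LOCAL_LOG):
    """Combine both checks; an unexpected script that also appears only in the
    deleted log lines is the strongest lead for the file that was used."""
    unexpected = find_unexpected_php(deployed, on_disk)
    deleted = find_deleted_log_lines(forwarded, local)
    hit_paths = requested_paths(deleted)
    return {
        "unexpected_php": unexpected,
        "deleted_log_lines": deleted,
        "unexpected_php_in_deleted_lines": sorted(p for p in unexpected if p in hit_paths),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

Both checks depend on having something the attacker could not alter: a manifest produced at deployment time and a log copy shipped off the host as it is written.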

Backdoor.Netbus

Aliases
Backdoor.Netbus (Kaspersky Lab) is also known as: NetBus.reg (McAfee), Troj/NetBus-REG (Sophos), REG_NETBUP.A (Trend Micro)
Description added Feb 21 2002
Behavior Backdoor
Technical details
This is a hidden (hacker's) remote administration utility, similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan. It allows an attacker to administer infected computers from a remote console, steal files, damage installed software, etc. See the Backdoor.BO Trojan.

Backdoor.Agobot.gen

Aliases
Backdoor.Agobot.gen (Kaspersky Lab) is also known as: W32/Gaobot.worm.gen.d (McAfee),   W32.HLLW.Gaobot.gen (Symantec),   Win32.HLLW.Agobot.3 (Doctor Web),   W32/Agobot-BV (Sophos),   Win32/Gaobot.gen! (RAV),   WORM_AGOBOT.RM (Trend Micro),   Worm/Sdbot.39936.B (H+BEDV),   Win32:Gaobot-268 (ALWIL),   Worm/Agobot (Grisoft),   Backdoor.Agobot.3.Gen (SOFTWIN)
Description added Jan 09 2004
Behavior Backdoor
Technical details
This is a classical backdoor and allows a 'master' to control the victim machine remotely by sending commands via IRC channels.

Installation

Agobot copies itself into the Windows directory under random names and then registers itself in the system registry auto-run keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

Manifestations

Agobot connects to various IRC servers and joins the channels named in the body of the worm. It is then ready to receive commands from the 'master', who can download and launch files on the victim machine, scan other computers for vulnerabilities and install the bot on those that are vulnerable.

Trojan Programs

Trojans can be classified according to the actions which they carry out on victim machines.
  • Backdoors
  • General Trojans
  • PSW Trojans
  • Trojan Clickers
  • Trojan Downloaders
  • Trojan Droppers
  • Trojan Proxies
  • Trojan Spies
  • Trojan Notifiers
  • ArcBombs
  • Rootkits

Backdoors

Today backdoors are the most dangerous and most widespread type of Trojan. They are remote administration utilities that open infected machines to external control over a LAN or the Internet. They function in the same way as the legitimate remote administration programs used by system administrators, which makes them difficult to detect.
The only difference between a legitimate administration tool and a backdoor is that a backdoor is installed and launched without the knowledge or consent of the user of the victim machine. Once launched, the backdoor monitors the local system without the user's knowledge; often it will not appear in the list of running programs.
Once a remote administration utility has been successfully installed and launched, the victim machine is wide open. Backdoor functions can include:
  • Sending/ receiving files
  • Launching/ deleting files
  • Executing files
  • Displaying notification
  • Deleting data
  • Rebooting the machine
In other words, backdoors are used by virus writers to find and exfiltrate confidential information, execute malicious code, destroy data, enrol the machine in botnets and so forth. In short, backdoors combine the functionality of most other types of Trojan in one package.
Backdoors have one especially dangerous sub-class: variants that can propagate like worms. The only difference is that worms are programmed to propagate constantly, whereas these 'mobile' backdoors spread only after a specific command from the 'master'.

General Trojans

This loose category includes a variety of Trojans that damage victim machines or threaten data integrity, or impair the functioning of the victim machine.
Multi-purpose Trojans are also included in this group, as some virus writers create multi-functional Trojans rather than Trojan packs.

PSW Trojans

This family of Trojans steals passwords, normally system passwords from victim machines. They search for system files which contain confidential information such as passwords and Internet access telephone numbers and then send this information to an email address coded into the body of the Trojan. It will then be retrieved by the 'master' or user of the illegal program.
Some PSW Trojans steal other types of information such as:
  • System details (memory, disk space, operating system details)
  • Local email client
  • IP-address
  • Registration details
  • Passwords for on-line games
Trojan-AOL are PSW Trojans that steal passwords for AOL (America Online). They form a separate sub-group because they are so numerous.

Trojan Clickers

This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace the system files in which standard host-name-to-address mappings are stored (e.g. the hosts file in MS Windows).
Clickers are used:
  • To raise the hit-count of a specific site for advertising purposes
  • To organize a DoS attack on a specified server or site
  • To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans)
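
The hosts-file trick is easy to audit. The following is an added example, not part of the original article: it checks hosts-file content for names redirected to addresses outside loopback and the private LAN ranges, and for update or security sites black-holed to loopback or 0.0.0.0, a common way of stopping antivirus updates. The sample content and the watched-domain list are constructed for the demonstration.

```python
"""Audit hosts-file content for the tampering described above.

Added example, not code from the original page. The hosts content and the
list of update and security sites worth watching are constructed for the
demonstration.
"""
import ipaddress

WATCHED = {"update.microsoft.com", "windowsupdate.microsoft.com",
           "www.kaspersky.com", "downloads.example-av.com"}          # assumption
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

SAMPLE_HOSTS = """\
# constructed sample; the last three mappings mimic a clicker's additions
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.local

203.0.113.9     www.google.com www.bing.com
0.0.0.0         update.microsoft.com
127.0.0.1       www.kaspersky.com
"""


def parse_hosts(text):
    """Yield (address, [names]) per mapping line; comments and junk are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield addr, [n.lower() for n in fields[1:]]


def is_lan(addr):
    # 'in' is False across IP versions, so mixed v4/v6 comparisons are safe
    return any(addr in net for net in LAN_NETS)


def suspicious_entries(text, watched=WATCHED):
    """Return (name, address, verdict) for every entry that looks tampered with."""
    findings = []
    for addr, names in parse_hosts(text):
        for name in names:
            if name == "localhost":
                continue
            if addr.is_loopback or addr.is_unspecified:
                if name in watched:
                    findings.append((name, str(addr), "blackholed"))
            elif not is_lan(addr):
                findings.append((name, str(addr), "redirected"))
    return findings


if __name__ == "__main__":
    for name, addr, verdict in suspicious_entries(SAMPLE_HOSTS):
        print(f"{verdict:11s} {name} -> {addr}")
```

On a real machine, read the file from %SystemRoot%\System32\drivers\etc\hosts (Windows) or /etc/hosts and pass its text to suspicious_entries; legitimate local overrides will show up as well, so review the output rather than acting on it blindly.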

Trojan Downloaders

This family of Trojans downloads and installs new malware or adware on the victim machine. The downloader then either launches the new malware or registers it to enable autorun according to the local operating system requirements. All of this is done without the knowledge or consent of the user.
The names and locations of malware to be downloaded are either coded into the Trojan or downloaded from a specified website or other Internet location.

Trojan Droppers

These Trojans are used to install other malware on victim machines without the knowledge of the user. Droppers install their payload either without displaying any notification, or displaying a false message about an error in an archived file or in the operating system. The new malware is dropped to a specified location on a local disk and then launched.
Droppers are normally structured as follows:
  • Main file: contains the dropper's payload
  • File 1: first payload
  • File 2: second payload
  • ...: as many payload files as the coder chooses to include
The dropper itself contains the code that installs and executes all of the payload files.
In most cases, the payload contains other Trojans and at least one hoax: jokes, games, graphics and so forth. The hoax is meant to distract the user or to prove that the activity caused by the dropper is harmless, whereas it actually serves to mask the installation of the dangerous payload.
Hackers using such programs achieve two objectives:
  1. Hidden or masked installation of other Trojans or viruses
  2. Tricking antivirus solutions which are unable to analyse all components

Trojan Proxies

These Trojans function as a proxy server and provide anonymous access to the Internet from victim machines. Today these Trojans are very popular with spammers who always need additional machines for mass mailings. Virus coders will often include Trojan-proxies in Trojan packs and sell networks of infected machines to spammers.

Trojan Spies

This family includes a variety of spy programs and key loggers, all of which track and save user activity on the victim machine and then forward this information to the master. Trojan-spies collect a range of information including:
  • Keystrokes
  • Screenshots
  • Logs of active applications
  • Other user actions
These Trojans are most often used to steal banking and other financial information to support online fraud.

Trojan Notifiers

These Trojans inform the 'master' about an infected machine. Notifiers confirm that a machine has been successfully infected, and send information about IP-address, open port numbers, the email address etc. of the victim machine. This information may be sent by email, to the master's website, or by ICQ.
Notifiers are usually included in a Trojan 'pack' and used only to inform the master that a Trojan has been successfully installed on the victim machine.

Rootkits

A rootkit is a collection of programs that a hacker uses to hide their presence and retain access after compromising a computer, either by replacing system files or libraries or by installing a kernel module. Typically the hacker first gains user-level access, by cracking a password or exploiting a vulnerability, escalates to root (administrator) access, and only then installs the rootkit to conceal the intrusion and any further activity.
The term originated in the Unix world, although it has since been applied to the techniques used by authors of Windows-based Trojans to conceal their actions. Rootkits have been used increasingly as a form of stealth to hide Trojan activity, something that is made easier because many Windows users log in with administrator rights.

ArcBombs

These Trojans are archive files crafted to sabotage the decompressor that tries to unpack them. When the bomb goes off, the victim machine slows or crashes, or the disk fills with meaningless data. ArcBombs are especially dangerous for servers, particularly where incoming data is processed automatically: in such cases an ArcBomb can crash the server.
There are three types of ArcBomb: an incorrect archive header, repeating data, and a series of identical files in the archive.
An incorrect archive header or corrupted data can make the decompressor crash when it opens and unpacks the archive.
A large file of repeating data packs into a very small archive: 5 gigabytes becomes 200 KB when packed with RAR and 480 KB in ZIP format.
Moreover, techniques exist to pack an enormous number of identical files into one archive without significantly increasing its size: for instance, 10^100 identical files can be packed into a 30 KB RAR file or a 230 KB ZIP file.
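
For a server that unpacks uploaded archives automatically, as the passage above warns, the defence is to stop trusting the sizes the archive declares. The following is an added example, not code from the original page: it builds a ZIP of the repeating-data kind in memory and shows both a cheap pre-check on declared sizes and a bounded extraction that counts the bytes actually inflated. The size budget and ratio limit are assumptions.

```python
"""Guard a server that unpacks uploaded archives against ArcBombs.

Added example, not code from the original page. It builds a small ZIP that
inflates to 32 MB of repeated bytes (constructed in memory), then applies two
defences: a look at the sizes the central directory declares, and extraction
that counts real inflated bytes against a budget, since declared sizes are
attacker-controlled. The limits below are assumptions; tune them to your service.
"""
import io
import zipfile

MAX_TOTAL_BYTES = 8 * 1024 * 1024   # assumption: inflated bytes allowed per archive
MAX_RATIO = 100                     # assumption: declared/compressed ratio allowed


class ArchiveBomb(Exception):
    pass


def build_bomb(inflated_size=32 * 1024 * 1024):
    """Constructed sample: one member of repeated zero bytes, deflate-compressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("data.bin", b"\0" * inflated_size)
    return buf.getvalue()


def build_benign():
    """Constructed sample: a small, poorly compressible member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.bin", bytes(range(256)) * 4)
    return buf.getvalue()


def precheck(data):
    """Reject archives whose declared sizes are already out of bounds.
    Headers can be forged, so passing this check proves nothing by itself."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        packed = sum(i.compress_size for i in infos) or 1
    if declared > MAX_TOTAL_BYTES:
        raise ArchiveBomb(f"declares {declared} bytes, budget is {MAX_TOTAL_BYTES}")
    if declared // packed > MAX_RATIO:
        raise ArchiveBomb(f"ratio {declared // packed}:1 exceeds {MAX_RATIO}:1")
    return declared


def extract_bounded(data, budget=MAX_TOTAL_BYTES, chunk=64 * 1024):
    """Inflate members in chunks and stop as soon as the real output exceeds
    the budget, so a lying header cannot fill the disk or memory."""
    out, used = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            pieces = []
            with zf.open(info) as fh:
                while True:
                    block = fh.read(chunk)
                    if not block:
                        break
                    used += len(block)
                    if used > budget:
                        raise ArchiveBomb(f"{info.filename} inflated past {budget} bytes")
                    pieces.append(block)
            out[info.filename] = b"".join(pieces)
    return out


def run_demo():
    """Apply both defences to the bomb and to the benign archive."""
    results = {}
    bomb, benign = build_bomb(), build_benign()
    results["bomb_packed_size"] = len(bomb)
    for label, fn in (("precheck", precheck), ("bounded", extract_bounded)):
        try:
            fn(bomb)
            results[label] = "accepted"
        except ArchiveBomb as exc:
            results[label] = f"rejected: {exc}"
    precheck(benign)
    results["benign_bytes"] = len(extract_bounded(benign)["readme.bin"])
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The bounded extraction is the one that matters: it also catches nested archives if you apply it recursively with a shared budget, and it should be combined with a limit on the number of members, which is the "many identical files" variant above.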

Protect your computer from hackers!

Protect your computer from hackers! Learn how to prevent yourself from being a victim and a distributor of computer email viruses and worms. Take these simple precautions:
  1. NEVER open an attachment in an email UNLESS you are sure you understand what it is and why it's been sent to you. When in doubt, delete. You can always write back to the person who sent it and ask if they intended to send an attachment and to please explain what it was and then resend it. Most viruses are triggered by unwitting victims opening an attachment.
       
  2. INSTALL PROTECTION SOFTWARE -- NOW! Once you have it, you will help stop the spread of viruses. If you don't have it, you will sooner or later regret leaving yourself so vulnerable. It is absolutely worth the money spent on it.
       
  3. BLOCK PORN and other spam, as well as viruses, with a program called MailWasher Pro. For a very low price, MailWasher will look inside your mailbox before you run your email program, identify the porn and spam and viruses, and delete it for you. It will even help you fight back by sending a bounce message that tells the spammer that your address is invalid (so that it's removed from their mailing list). Then you can safely open your email.
      
  4. Find out what's NOT a virus and don't clog up the internet spreading false alarms. When you get word of a virus, take a minute to check it out first, before forwarding the message to others and embarrassing yourself. Here's a great site for this research:
    urbanlegends.miningco.com/library/blhoax.htm
       
  5. BEWARE OF SPIES, HACKERS & KEY LOGGERS!
    There are programs that can spy into your computer. It happens when people download a program (such as a game) that comes bundled with "Sputnik" or "VX2" or another brand of spyware. It installs itself silently on your computer and then monitors your "clickstream" as you navigate around the web, sending information about your activities (including credit card numbers!), back to the originator. Disclaimers claim that credit card info will not be used (sooo -- why get it then?)

    To make matters worse, there seems to be a connection between this and an increase of popup ads while surfing the Internet!
    You can tell if you're infected with VX2 by searching for the "VX2.dll" file on your system. Instructions for uninstalling the software are located at http://www.vx2.cc
  6. Always be careful about what you download. Is it from a trustworthy software manufacturer? But since "trust" is only a guess, the best advice is to extend your anti-virus protection to include anti-spyware (to block your personal information from being taken without your permission), anti-hacker-tools (to prevent hijackers from accessing your PC), anti-key-loggers (to safeguard your passwords and other private stuff) and anti-worms (to hack away at hacker tools that can exploit your computer even after they're gone).

Google Public DNS Servers Launched

Today, Google announced the launch of its free DNS resolution service. Many ISPs and third-party providers such as OpenDNS intercept lookups and send traffic for non-existent names to ad servers. Google promises to return exactly the response the client expects, without any blocking, filtering or redirection that would interfere with browsing. In other words, Google will not hijack lookups for non-existent domain names and will follow the RFCs strictly.

From the blog post:
The DNS protocol is an important part of the web's infrastructure, serving as the Internet's "phone book". Every time you visit a website, your computer performs a DNS lookup. Complex pages often require multiple DNS lookups before they complete loading. As a result, the average Internet user performs hundreds of DNS lookups each day, that collectively can slow down his or her browsing experience.

Google DNS Server IP Addresses

The Google Public DNS IP addresses are as follows:
8.8.8.8
8.8.4.4

How Do I Add Google DNS Server IP Address Under Linux?

Simply edit /etc/resolv.conf and add the two addresses above (on hosts where a DHCP client rewrites this file, put the servers in the DHCP client or network manager configuration instead, or the change will be overwritten at the next lease):
nameserver 8.8.8.8
nameserver 8.8.4.4

Google DNS Server vs Your ISP Server

CDNs that pick a server based on the resolver's location will not work as well: the answer you get is the one best placed for Google's resolver, not for you. Compare the answers for a CDN-hosted name from Google's resolver and from my ISP's:
host i.dell.com 8.8.8.8
Sample outputs:
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases: 

i.dell.com is an alias for img.dell-cidr.akadns.net.
img.dell-cidr.akadns.net is an alias for ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net.
ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net is an alias for a1058.g.akamai.net.
a1058.g.akamai.net has address 203.106.85.169
a1058.g.akamai.net has address 203.106.85.170
203.106.85.169 and 203.106.85.170 are located somewhere in Kuala Lumpur. Now the same query against the ISP's server:
host i.dell.com 202.56.250.5
Using domain server:
Name: 202.56.250.5
Address: 202.56.250.5#53
Aliases: 

i.dell.com is an alias for img.dell-cidr.akadns.net.
img.dell-cidr.akadns.net is an alias for ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net.
ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net is an alias for a1058.g.akamai.net.
a1058.g.akamai.net has address 122.166.109.9
a1058.g.akamai.net has address 122.166.109.11
122.166.109.9 and 122.166.109.11 are located in India. The same applies to NTP pool servers.

Speed

Ping timings:
  • Ping times (ISP dns servers) - 20ms
  • Ping times (Google dns servers) - 116ms
  • Ping times (OpenDNS servers) - 190ms
Resolving timings (use dig @dns-server.address domainname.com):
  • ISP DNS Server - 41 msec
  • Google DNS Server - 262 msec
  • OpenDNS server - 213 msec
In other words, I will use my ISP's servers instead of Google's or OpenDNS's because of the speed issue and the incorrect handling of CDN servers. If you own a small LAN, I recommend setting up a caching DNS server called dnsmasq.
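
The comparison above can be scripted. The following is an added example, not code from the original post: it builds a DNS query by hand with the standard library only, parses the reply including compression pointers and CNAME chains, and times the round trip to each resolver. The resolver addresses are the two quoted above; the sample reply is constructed to mirror the i.dell.com output and is not captured traffic.

```python
"""Ask several recursive resolvers the same question; compare answers and latency.

Added example, not code from the original post. Builds the DNS packet by hand
(RFC 1035) so the parser can be exercised offline against a constructed reply.
Resolver addresses are the ones the post quotes; real queries need network
access and are left to the __main__ section.
"""
import secrets
import socket
import struct
import time

RESOLVERS = {"google": "8.8.8.8", "isp": "202.56.250.5"}   # from the post
TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\0"


def build_query(name, txid, qtype=TYPE_A):
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)


def _read_name(data, offset, max_hops=16):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:                 # pointer to an earlier name
            if end is None:
                end = offset + 2
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            offset = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data, txid):
    """Return (rcode, CNAME chain, A records) from a raw reply."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: possible spoofed reply")
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(data, off)
        off += 4                                     # QTYPE + QCLASS
    cnames, addrs = [], []
    for _ in range(ancount):
        _, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        elif rtype == TYPE_CNAME:
            cnames.append(_read_name(data, off)[0])
        off += rdlen
    return flags & 0xF, cnames, addrs


def query(server, name, timeout=2.0):
    """Send one UDP query; a random transaction id makes forged replies harder."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
        millis = (time.perf_counter() - start) * 1000
    return round(millis, 1), parse_response(data, txid)


def compare(name, resolvers=RESOLVERS):
    rows = {}
    for label, ip in resolvers.items():
        try:
            millis, (rcode, cnames, addrs) = query(ip, name)
            rows[label] = {"ms": millis, "rcode": rcode, "cnames": cnames, "a": addrs}
        except (OSError, ValueError) as exc:
            rows[label] = {"error": str(exc)}
    return rows


def sample_reply(txid=0x1234):
    """Constructed reply (not captured traffic) shaped like the post's output:
    one CNAME and two A records, using compression pointers as servers do."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 3, 0, 0)
    question = _encode_name("i.dell.com") + struct.pack(">HH", TYPE_A, CLASS_IN)
    cname = _encode_name("img.dell-cidr.akadns.net")
    rr_cname = (struct.pack(">H", 0xC000 | 12)
                + struct.pack(">HHIH", TYPE_CNAME, CLASS_IN, 60, len(cname)) + cname)
    cname_off = len(header) + len(question) + 12     # offset of the CNAME rdata
    rr_a = b"".join(struct.pack(">H", 0xC000 | cname_off)
                    + struct.pack(">HHIH", TYPE_A, CLASS_IN, 60, 4) + socket.inet_aton(ip)
                    for ip in ("203.106.85.169", "203.106.85.170"))
    return header + question + rr_cname + rr_a


if __name__ == "__main__":
    print(compare("i.dell.com"))
```

compare("i.dell.com") needs network access to the resolvers; the parser can be exercised offline with sample_reply(). The random transaction id matters beyond tidiness: a predictable id makes it easier for a third party to answer the query first with a forged record.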

Linux Cluster

Node hardware

32 machines have the following setup each:

  • 2 XEON 2.66GHZ 533FSB CPUs
  • Supermicro 6013A-T 1u case and motherboard
  • 2 512MB PC2100 DDR REG ECC RAM
  • 1 80GB SEA 7200 SATA HD
  • 1 250GB SEA 7200 SATA HD
32 machines have the following setup each:

  • 2 XEON 2.4GHZ 533FSB CPUs
  • Supermicro X5DPR-1G2 motherboard
  • 2 512MB PC2100 DDR REG ECC RAM
  • 1 40GB SEA 7200 HD
  • 1 120GB SEA 7200 HD
  • Supermicro Slim 24X CDROM
  • CSE-812 400 C/B 1U case
32 machines have the following setup each:

  • 2 AMD Palomino MP XP 2000+ 1.67 GHz CPUs
  • Asus A7M266-D w/LAN Dual DDR motherboard
  • 2 Kingston 512mb PC2100 DDR-266MHz REG ECC RAM
  • 1 41 GB Maxtor 7200rpm ATA100 HD
  • 1 120 GB Maxtor 5400rpm ATA100 HD
  • Asus CD-A520 52x CDROM
  • 1.44mb floppy drive
  • ATI Expert 2000 Rage 128 32mb
  • IN-WIN P4 300ATX Mid Tower case
  • Enermax P4-430ATX power supply
32 machines have the following setup each:

  • 2 AMD Palomino MP XP 1800+ 1.53 GHz CPUs
  • Tyan S2460 Dual Socket-A/MP motherboard
  • Kingston 512mb PC2100 DDR-266MHz REG ECC RAM
  • 1 20 GB Maxtor UDMA/100 7200rpm HD
  • 1 120 GB Maxtor 5400rpm ATA100 HD
  • Asus CD-A520 52x CDROM
  • 1.44mb floppy drive
  • ATI Expert 98 8mb AGP video card
  • IN-WIN P4 300ATX Mid Tower case
  • Intel PCI PRO-100 10/100Mbps network card
  • Enermax P4-430ATX power supply
32 machines have the following setup each:

  • 2 Pentium III 1 GHz Intel CPUs
  • Supermicro 370 DLE Dual PIII-FCPGA motherboard
  • 2 256 MB 168-pin PC133 Registered ECC Micron RAM
  • 1 20 GB Maxtor ATA/66 5400 RPM HD
  • 1 40 GB Maxtor UDMA/100 7200 RPM HD
  • Asus CD-S500 50x CDROM
  • 1.4 MB floppy drive
  • ATI Expert 98 8 MB PCI video card
  • IN-WIN P4 300ATX Mid Tower case

 Server hardware

Two servers for external use (dissemination of information) with the following setups:

  • 2 AMD Opteron 240 1.4 GHz CPUs
  • RIOWORKS HDAMB DUAL OPTERON motherboard
  • 4 KINGSTON 512MB PC3200 REG ECC RAM
  • 80GB MAX 7200 UDMA 133 HD
  • 6 200GB WD 7200 8MB HD
  • ASUS 52X CD-A520 CDROM
  • 1.44mb floppy drive
  • Antec 4U22ATX550EPS 4u case

  • 2 AMD Palomino MP XP 2000+ 1.67 GHz CPUs
  • Asus A7M266-D w/LAN Dual DDR
  • 4 Kingston 512mb PC2100 DDR-266MHz REG ECC RAM
  • Asus CD-A520 52x CDROM
  • 1 41 GB Maxtor 7200rpm ATA100 HD
  • 6 120 GB Maxtor 5400rpm ATA100 HD
  • 1.44mb floppy drive
  • ATI Expert 2000 Rage 128 32mb
  • IN-WIN P4 300ATX mid tower case
  • Enermax P4-430ATX power supply

 Desktop and terminal hardware

We have identified at least two kinds of users of our cluster: those that need (i.e., take advantage of) permanent local processing power and disk space in conjunction with the cluster to speed up processing, and those that just need only the cluster processing power. The former are assigned "desktops" which are essentially high-performance machines, and the latter are assigned dumb "terminals". Our desktops are usually dual or quad processor machines with the current high-end CPU being a 1.6 GHz Opteron, having as much as 10 GB of RAM, and over 1 TB of local disk space. Our terminals are essentially machines where a user can log in and then run jobs on our farm. In this setup, people may also use laptops as dumb terminals.

 Miscellaneous/accessory hardware

We generally use/prefer Viewsonic monitors, Microsoft Intellimouse mice, and Microsoft Natural keyboards. These generally have worked quite reliably for us.

 Putting-it-all-together hardware

For visual access to the nodes, we initially used to use KVM switches with a cheap monitor to connect up and "look" at all the machines. While this was a nice solution, it did not scale. We currently wheel a small monitor around and hook up cables as needed. What we need is a small hand held monitor that can plug into the back of the PC (operated with a stylus, like the Palm).
For networking, we generally use Netgear and Cisco switches.

Costs

Our vendor is Hard Drives Northwest ( http://www.hdnw.com). For each compute node in our cluster (containing two processors), we paid about $1500-$2000, including taxes. Generally, our goal is to keep the cost of each processor to below $1000 (including housing it).


 Software

 Operating system: Linux, of course!

The following kernels and distributions are what are being used:

  • Kernel 2.2.16-22, distribution KRUD 7.0
  • Kernel 2.4.9-7, distribution KRUD 7.2
  • Kernel 2.4.18-10, distribution KRUD 7.3
  • Kernel 2.4.20-13.9, distribution KRUD 9.0
  • Kernel 2.4.22-1.2188, distribution KRUD 2004-05
These distributions work very well for us since updates are sent to us on CD and there's no reliance on an external network connection for updates. They also seem "cleaner" than the regular Red Hat distributions, and the setup is extremely stable.

 Networking software

We use Shorewall 1.3.14a ( http://www.shorewall.net) for the firewall.

 Parallel processing software

We use our own software for parallelising applications but have experimented with PVM and MPI. In my view, the overhead for these pre-packaged programs is too high. I recommend writing application-specific code for the tasks you perform (that's one person's view).

 Costs

Linux and most software that run on Linux are freely copiable.

 Set up, configuration, and maintenance

Disk configuration

This section describes our disk-partitioning strategy. The goal is to keep the logical layout of every machine the same, so that a path means the same thing everywhere; we have found that fixed mappings from physical disks to those logical structures do not survive hardware and operating-system changes. Currently our strategy is as follows:


farm/cluster machines:

partition 1 on system disk     - swap  (2 * RAM)
partition 2 on system disk     - /     (remaining disk space)
partition 1 on additional disk - /maxa (total disk)

servers:

partition 1 on system disk        - swap  (2 * RAM)
partition 2 on system disk        - /     (4-8 GB)
partition 3 on system disk        - /home (remaining disk space)
partition 1 on additional disk 1  - /maxa (total disk)
partition 1 on additional disk 2  - /maxb (total disk)
partition 1 on additional disk 3  - /maxc (total disk)
partition 1 on additional disk 4  - /maxd (total disk)
partition 1 on additional disk 5  - /maxe (total disk)
partition 1 on additional disk 6  - /maxf (total disk)
partition 1 on additional disk(s) - /maxg (total disk space)

desktops:

partition 1 on system disk        - swap   (2 * RAM)
partition 2 on system disk        - /      (4-8 GB)
partition 3 on system disk        - /spare (remaining disk space)
partition 1 on additional disk 1  - /maxa  (total disk)
partition 1 on additional disk(s) - /maxb  (total disk space)
Note that in the case of servers and desktops, maxg and maxb can be a single disk or a conglomeration of disks.

Package configuration

Install a minimal set of packages on the farm nodes. Users may configure desktops as they wish, provided the logical structure described above is kept the same.

Operating system installation and maintenance

Personal cloning strategy

I believe in having a completely distributed system. This means each machine contains a copy of the operating system. Installing the OS on each machine manually is cumbersome. To optimise this process, what I do is first set up and install one machine exactly the way I want to. I then create a tar and gzipped file of the entire system and place it on a bootable CD-ROM which I then clone on each machine in my cluster.
The commands I use to create the tar file are as follows:


tar -czvlps --same-owner --atime-preserve -f /maxa/slash.tgz /
I use a script called go that takes a machine number as its argument, untars the slash.tgz file from the CD-ROM and replaces the hostname and IP address in the appropriate locations. A version of the go script and its input files can be found at: http://www.ram.org/computing/linux/linux/cluster/. This script will have to be edited to suit your cluster design. Two things to keep in mind when reusing this approach: in the GNU tar of that era (1.13) the -l option meant --one-file-system (current GNU tar spells it --one-file-system and uses -l for --check-links), and it is what keeps /proc, /maxa and other mounted file systems, including the archive's own output file, out of the image; and the image carries the master machine's secrets, such as its SSH host keys and /etc/shadow, which should be regenerated or replaced on each clone rather than shared by every node.
To make this work, I use Martin Purschke's Custom Rescue Disk ( http://www.phenix.bnl.gov/~purschke/RescueCD/) to create a bootable CD image containing the .tgz file representing the cloned system, as well as the go script and other associated files. This is burned onto a CD-ROM.
There are several documents that describe how to create your own custom bootable CD, including the Linux Bootdisk HOWTO ( http://www.linuxdoc.org/HOWTO/Bootdisk-HOWTO/), which also contains links to other pre-made boot/root disks.
Thus you have a system where all you have to do is insert a CDROM, turn on the machine, have a cup of coffee (or a can of coke) and come back to see a full clone. You then repeat this process for as many machines as you have. This procedure has worked extremely well for me and if you have someone else actually doing the work (of inserting and removing CD-ROMs) then it's ideal. In my system, I specify the IP address by specifying the number of the machine, but this could be completely automated through the use of DHCP.
Rob Fantini ( rob@fantinibakery.com) has contributed modifications of the scripts above that he used for cloning a Mandrake 8.2 system accessible at http://www.ram.org/computing/linux/cluster/fantini_contribution.tgz.
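
The per-node fix-up step can be written so that it is safe to try on a scratch directory before it touches a freshly restored root. The following is an added example and not the go script from the page (which is not reproduced here): it rewrites the Red Hat style sysconfig files that KRUD uses, deriving hostname and address from the node number, and removes the image's SSH host keys so that each clone generates its own instead of every node presenting the master's; the Red Hat sshd init script generates missing keys at start. The naming convention, the subnet and the sample tree are assumptions.

```python
"""Per-node fix-up after a cloned image has been restored.

Added example, not the go script from the page. Assumes the Red Hat style
layout used by KRUD: /etc/sysconfig/network holds the hostname and
/etc/sysconfig/network-scripts/ifcfg-eth0 the address. Node N becomes nodeN
at 10.0.0.N, a convention assumed for the demonstration. The image's SSH host
keys are deleted so each clone generates its own. run_demo() exercises the
fix-up on a constructed tree in a scratch directory.
"""
import glob
import os
import tempfile

HOST_PREFIX = "node"     # assumption
SUBNET = "10.0.0"        # assumption


def node_identity(number):
    if not 1 <= number <= 254:
        raise ValueError("node number must be between 1 and 254")
    return f"{HOST_PREFIX}{number}", f"{SUBNET}.{number}"


def set_sysconfig(path, key, value):
    """Rewrite KEY=value in a sysconfig-style file, appending if the key is absent."""
    lines = []
    if os.path.exists(path):
        with open(path) as fh:
            lines = fh.read().splitlines()
    replaced = False
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == key:
            lines[i] = f"{key}={value}"
            replaced = True
    if not replaced:
        lines.append(f"{key}={value}")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")


def fixup(root, number):
    """Apply node-specific settings to the restored tree mounted at root."""
    hostname, ip = node_identity(number)
    set_sysconfig(os.path.join(root, "etc/sysconfig/network"), "HOSTNAME", hostname)
    ifcfg = os.path.join(root, "etc/sysconfig/network-scripts/ifcfg-eth0")
    for key, value in (("DEVICE", "eth0"), ("BOOTPROTO", "static"),
                       ("IPADDR", ip), ("ONBOOT", "yes")):
        set_sysconfig(ifcfg, key, value)
    removed = []
    # every clone must get its own host keys; sshd regenerates missing ones
    for key_file in glob.glob(os.path.join(root, "etc/ssh/ssh_host_*key*")):
        os.remove(key_file)
        removed.append(os.path.basename(key_file))
    return {"hostname": hostname, "ip": ip, "removed_keys": sorted(removed)}


def build_sample_image(root):
    """Constructed stand-in for a restored master image (not a real one)."""
    files = {
        "etc/sysconfig/network": "NETWORKING=yes\nHOSTNAME=master\n",
        "etc/sysconfig/network-scripts/ifcfg-eth0":
            "DEVICE=eth0\nBOOTPROTO=static\nIPADDR=10.0.0.1\nONBOOT=yes\n",
        "etc/ssh/ssh_host_rsa_key": "constructed private key\n",
        "etc/ssh/ssh_host_rsa_key.pub": "constructed public key\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def run_demo(number=7):
    root = tempfile.mkdtemp(prefix="clone-")
    build_sample_image(root)
    result = fixup(root, number)
    with open(os.path.join(root, "etc/sysconfig/network")) as fh:
        result["network_file"] = fh.read()
    with open(os.path.join(root, "etc/sysconfig/network-scripts/ifcfg-eth0")) as fh:
        result["ifcfg_file"] = fh.read()
    result["keys_left"] = glob.glob(os.path.join(root, "etc/ssh/ssh_host_*"))
    return result


if __name__ == "__main__":
    import sys
    print(fixup(sys.argv[1], int(sys.argv[2])))   # e.g. fixup /mnt/newroot 7
```

With DHCP in use (see below), drop the ifcfg writes and keep only the hostname and host-key steps.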

Cloning and maintenance packages

FAI

FAI ( http://www.informatik.uni-koeln.de/fai/) is an automated system to install a Debian GNU/Linux operating system on a PC cluster. You can take one or more virgin PCs, turn on the power and after a few minutes Linux is installed, configured and running on the whole cluster, without any interaction necessary.

SystemImager

SystemImager ( http://systemimager.org) is software that automates Linux installs, software distribution, and production deployment.

DHCP vs. hard-coded IP addresses

If you have DHCP set up, then you don't need to reset the IP address and that part of it can be removed from the go script.
DHCP has the advantage that you don't muck around with IP addresses at all provided the DHCP server is configured appropriately. It has the disadvantage that it relies on a centralised server (and like I said, I tend to distribute things as much as possible). Also, linking hardware ethernet addresses to IP addresses can make it inconvenient if you wish to replace machines or change hostnames routinely.

 Known hardware issues

The hardware in general has worked really well for us. Specific issues are listed below:
The AMD dual 1.2 GHz machines run really hot. Two of them in a room increase the temperature significantly. Thus while they might be okay as desktops, the cooling and power consumption when using them as part of a large cluster is a consideration. The AMD Palomino configuration described previously seems to work really well, but I definitely recommend getting two fans in the case--this solved all our instability problems.

 Known software issues

Some tar executables apparently don't create a tar file the nice way they're supposed to (especially in terms of referencing and de-referencing symbolic links). The solution to this I've found is to use a tar executable that does, like the one from RedHat 7.0.

Performing tasks on the cluster

This section is still being developed as the usage on my cluster evolves, but so far we tend to write our own sets of message passing routines to communicate between processes on different machines.
Many applications, particularly in the computational genomics areas, are massively and trivially parallelisable, meaning that perfect distribution can be achieved by spreading tasks equally across the machines (for example, when analysing a whole genome using a technique that operates on a single gene/protein, each processor can work on one gene/protein at a time independent of all the other processors).
So far we have not found the need to use a professional queueing system, but obviously that is highly dependent on the type of applications you wish to run.

Rough benchmarks

For the single most important program we run (our ab initio protein folding simulation program), using the Pentium 3 1 GHz processor machine as a frame of reference, on average:


Xeon    1.7 GHz processor is about 22% slower
Athlon  1.2 GHz processor is about 36% faster
Athlon  1.5 GHz processor is about 50% faster
Athlon  1.7 GHz processor is about 63% faster
Xeon    2.4 GHz processor is about 45% faster
Xeon    2.7 GHz processor is about 80% faster
Opteron 1.4 GHz processor is about 70% faster
Opteron 1.6 GHz processor is about 88% faster
Yes, the Athlon 1.5 GHz is faster than the Xeon 1.7 GHz, since the Xeon executes only six instructions per clock (IPC) whereas the Athlon executes nine (you do the math!). This is however a highly non-rigorous comparison, since each executable was compiled on its own machine (so the quality of the math libraries, for example, will have an impact) and the supporting hardware differs.

 Uptimes

These machines are incredibly stable both in terms of hardware and software once they have been debugged (usually some in a new batch of machines have hardware problems), running constantly under very heavy loads. One common example is given below. Reboots have generally occurred when a circuit breaker is tripped.


2:29pm  up 495 days,  1:04,  2 users,  load average: 4.85, 7.15, 7.72

WEB VPN IN ASA

Introduction

Clientless SSL VPN (WebVPN) allows for limited but valuable secure access to the corporate network from any location. Users can achieve secure browser-based access to corporate resources at anytime. This document provides a straightforward configuration for the Cisco Adaptive Security Appliance (ASA) 5500 series to allow Clientless SSL VPN access to internal network resources.
The SSL VPN technology can be utilized in three ways: Clientless SSL VPN, Thin-Client SSL VPN (Port Forwarding), and SSL VPN Client (SVC Tunnel Mode). Each has its own advantages and unique access to resources.
1. Clientless SSL VPN
A remote client needs only an SSL-enabled web browser to access http- or https-enabled web servers on the corporate LAN. Access is also available to browse for Windows files with the Common Internet File System (CIFS). A good example of http access is the Outlook Web Access (OWA) client.
2. Thin-Client SSL VPN (Port Forwarding)
A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications.
Refer to Thin-Client SSL VPN (WebVPN) on ASA using ASDM Configuration Example in order to learn more about the Thin-Client SSL VPN.
3. SSL VPN Client (SVC-Tunnel Mode)
The SSL VPN Client downloads a small client to the remote workstation and allows full, secure access to the resources on the internal corporate network. The SVC can be downloaded permanently to the remote station, or it can be removed after the secure session ends.
Clientless SSL VPN can be configured on the Cisco VPN Concentrator 3000 and specific Cisco IOS® routers with Version 12.4(6)T and higher. Clientless SSL VPN access can also be configured on the Cisco ASA at the Command Line Interface (CLI) or with the Adaptive Security Device Manager (ASDM). The ASDM usage makes configurations more straightforward.
Clientless SSL VPN and ASDM must not be enabled on the same port of the same ASA interface; the two can coexist on one interface only if one of them is moved to a different port number. The recommended arrangement is ASDM on the inside interface and WebVPN on the outside interface.
Refer to SSL VPN Client (SVC) on ASA Using ASDM Configuration Example in order to know more details about the SSL VPN Client.
Clientless SSL VPN enables secure access to these resources on the corporate LAN:
  • OWA/Exchange
  • HTTP and HTTPS to internal web servers
  • Windows file access and browsing
  • Citrix Servers with the Citrix thin client
The Cisco ASA adopts the role of a secure proxy for client computers which can then access pre-selected resources on the corporate LAN.
This document demonstrates a simple configuration with ASDM to enable the use of Clientless SSL VPN on the Cisco ASA. No client configuration is necessary if the client already has an SSL-enabled web browser. Most web browsers already have the capability to invoke SSL/TLS sessions. The resultant Cisco ASA command lines are also shown in this document.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:
  • SSL-enabled client browser, for example, Internet Explorer, Netscape, or Mozilla
  • ASA with Version 7.1 or higher
  • TCP port 443, which must not be blocked along the path from the client to the ASA

Components Used

The information in this document is based on these software and hardware versions:
  • Cisco ASA Software Version 7.2(1)
  • Cisco ASDM 5.2(1)
    Note: Refer to Allowing HTTPS Access for ASDM in order to allow the ASA to be configured by the ASDM.
  • Cisco ASA 5510 series
The information in this document was created from the devices in a specific lab environment. All the devices used in this document began with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

At this stage, you can browse to https://<inside_IP_Address> from a web browser to access the ASDM application. Once ASDM has loaded, begin the WebVPN configuration.
This section contains the information needed to configure the features described within this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information about the commands used in this section.

Network Diagram

This document uses this network setup:
webvpnasa1-1.gif

Procedure

Configure the WebVPN on the ASA with four major steps:
  • Enable the WebVPN on an ASA interface.
  • Create a list of servers and/or URLs for WebVPN access.
  • Create a group policy for WebVPN users.
  • Apply the new group policy to a Tunnel Group.
  1. In ASDM, choose Configuration > VPN > WebVPN > WebVPN Access.
    webvpnasa2-2.gif
    Choose the interface to terminate WebVPN users > Enable > Apply.
    webvpnasa3-3.gif
  2. Choose Servers and URLs > Add.
    webvpnasa4-4.gif
    Enter a name for the list of servers accessible by WebVPN. Click the Add button. The Add Server or URL dialogue box displays. Enter the name of each server. This is the name that the client sees. Choose the URL drop-down menu for each server and choose the appropriate protocol. Add servers to your list from the Add Server or URL dialogue box and click OK.
    webvpnasa5-5.gif
    Click Apply > Save.
  3. Expand General in the left menu of ASDM. Choose Group Policy > Add.
    webvpnasa6-6.gif
    webvpnasa7-7.gif
    webvpnasa11-11.gif
  4. Choose the Tunnel Group in the left column. Click the Edit button.
    webvpnasa8-8.gif
    Click the Group Policy drop-down menu. Choose the policy that was created in Step 3.
    webvpnasa12-12.gif
    It is important to note that if new Group Policies and Tunnel Groups are not created, the defaults are GroupPolicy1 and DefaultWEBVPNGroup. Click the WebVPN tab.
    webvpnasa13-13.gif
    Choose NetBIOS Servers. Click the Add button. Fill in the IP address of the WINS/NBNS server. Click OK > OK. Follow the prompts Apply > Save > Yes to write the configuration.
    webvpnasa14-14.gif

Configuration

This configuration reflects the changes ASDM made to enable WebVPN:
ciscoasa#show running-config 
 Building configuration...
 
ASA Version 7.2(1) 
hostname ciscoasa
domain-name cisco.com
enable password 9jNfZuG3TC5tCVH0 encrypted
names
dns-guard
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.22.1.160 255.255.255.0 
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0 
interface Ethernet0/2
 nameif DMZ1
 security-level 50
 no ip address
interface Management0/0
 description For Mgt only
 shutdown
 nameif Mgt
 security-level 0
 ip address 10.10.10.1 255.255.255.0 
 management-only
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name cisco.com
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu Mgt 1500
icmp permit any outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.22.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!

!--- group policy configurations
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
username cisco password 53QNetqK.Kqqfshe encrypted
!

!--- asdm configurations
!
http server enable
http 10.2.2.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!

!--- tunnel group configurations
!
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 10.2.2.2 master timeout 2 retry 2
!
telnet timeout 5
ssh 172.22.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
!

!--- webvpn configurations
!
webvpn
 enable outside
 url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
 url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
 url-list ServerList "FOCUS_SRV_2" http://10.2.2.4 3
!
prompt hostname context 
 !
 end

Clientless SSL VPN (WEBVPN) Macro Substitutions

Clientless SSL VPN macro substitutions let you configure users for access to personalized resources that contain the user ID and password or other input parameters. Examples of such resources include bookmark entries, URL lists, and file shares.
Note: For security reasons, password substitutions are disabled for file-access URLs (cifs://).
Note: Also for security reasons, use caution when you introduce password substitutions for web links, especially for links that do not use SSL, because the substituted password then travels unencrypted.
These macro substitutions are supported:
  1. CSCO_WEBVPN_USERNAME - SSL VPN user login ID
  2. CSCO_WEBVPN_PASSWORD - SSL VPN user login password
  3. CSCO_WEBVPN_INTERNAL_PASSWORD - SSL VPN user internal resource password
  4. CSCO_WEBVPN_CONNECTION_PROFILE - SSL VPN user login group drop-down, a group alias within the connection profile
  5. CSCO_WEBVPN_MACRO1 - Set through RADIUS/LDAP vendor-specific attribute
  6. CSCO_WEBVPN_MACRO2 - Set through RADIUS/LDAP vendor-specific attribute
In order to know more about macro substitutions, refer to Clientless SSL VPN Macro Substitutions.
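The following is an added example, not Cisco's code and not the ASA's implementation: it models how a bookmark or URL-list entry that carries the CSCO_WEBVPN_* tokens listed above is expanded for one user's session, and enforces the two cautions from the notes (no password substitution into cifs:// URLs; a password substituted into a non-SSL link is reported). The token names come from this document; the WebVpnSession layout, the function names and the sample URLs are constructed for the example, and treating the tokens as literal text inside the URL is an assumption.

```python
"""Illustrative model of Clientless SSL VPN macro substitution (added example,
not Cisco's code). Token names are from the document; everything else is
constructed for the example."""
import re
from dataclasses import dataclass
from urllib.parse import quote


@dataclass
class WebVpnSession:
    """Session attributes the macros draw from (constructed layout)."""
    username: str
    password: str
    internal_password: str = ""
    connection_profile: str = ""
    macro1: str = ""   # would come from a RADIUS/LDAP vendor-specific attribute
    macro2: str = ""


# Macro token -> session attribute it expands to (token names from the page).
MACROS = {
    "CSCO_WEBVPN_USERNAME": "username",
    "CSCO_WEBVPN_PASSWORD": "password",
    "CSCO_WEBVPN_INTERNAL_PASSWORD": "internal_password",
    "CSCO_WEBVPN_CONNECTION_PROFILE": "connection_profile",
    "CSCO_WEBVPN_MACRO1": "macro1",
    "CSCO_WEBVPN_MACRO2": "macro2",
}
PASSWORD_MACROS = {"CSCO_WEBVPN_PASSWORD", "CSCO_WEBVPN_INTERNAL_PASSWORD"}

# One alternation over all token names; the tokens are literal text in the URL
# (assumption for this model).
_TOKEN_RE = re.compile("|".join(re.escape(t) for t in MACROS))


def expand_bookmark(url: str, session: WebVpnSession) -> tuple[str, list[str]]:
    """Return (expanded_url, warnings).

    cifs:// URLs never receive password substitutions: the token is left in
    place, mirroring the note that password substitution is disabled for
    file-access URLs. A password substituted into a plain http:// link is
    expanded but reported, because it would travel unencrypted.
    """
    scheme = url.split("://", 1)[0].lower()
    warnings: list[str] = []

    def repl(m: re.Match) -> str:
        token = m.group(0)
        if token in PASSWORD_MACROS:
            if scheme == "cifs":
                warnings.append(f"{token} not substituted: disabled for cifs:// URLs")
                return token
            if scheme == "http":
                warnings.append(f"{token} substituted into a non-SSL link")
        # Percent-encode the value so it cannot introduce extra URL syntax.
        return quote(getattr(session, MACROS[token]), safe="")

    return _TOKEN_RE.sub(repl, url), warnings


if __name__ == "__main__":
    user = WebVpnSession(username="jdoe", password="s3cr&t",
                         internal_password="intern",
                         connection_profile="DefaultWEBVPNGroup")
    # Constructed bookmarks; the hosts are the ones from the url-list above.
    for u in ("https://10.2.2.3/login?user=CSCO_WEBVPN_USERNAME&pw=CSCO_WEBVPN_INTERNAL_PASSWORD",
              "cifs://10.2.2.2/home/CSCO_WEBVPN_USERNAME?pw=CSCO_WEBVPN_PASSWORD",
              "http://10.2.2.4/app?u=CSCO_WEBVPN_USERNAME&p=CSCO_WEBVPN_PASSWORD"):
        expanded, warns = expand_bookmark(u, user)
        print(expanded, warns)
```

Running the block shows the https bookmark expanded cleanly, the cifs:// bookmark with its password token left unexpanded, and the http:// bookmark expanded with a warning, which is the behaviour the two notes above describe.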

Verify

Use this section to confirm that your configuration works properly.
Establish a connection to your ASA device from an outside client to test this:
https://ASA_outside_IP_Address
The client receives a Cisco WebVPN page that allows access to the corporate LAN in a secure fashion. The client is allowed only the access that is listed in the newly created group policy.
Authentication: A simple login and password were created on the ASA for this lab proof of concept. If a single, seamless sign-on to a domain for the WebVPN users is preferred, refer to this URL:
ASA with WebVPN and Single Sign-on using ASDM and NTLMv1 Configuration Example

Troubleshoot

This section provides information you can use to troubleshoot your configuration.
Note: Do not interrupt the Copy File to Server command or navigate to a different screen while the copy process is in progress. If the operation is interrupted, it can cause an incomplete file to be saved on the server.
Note: Users can upload and download new files with the WebVPN client, but a user is not allowed to overwrite an existing file on a CIFS share with the Copy File to Server command. When the user attempts to replace a file on the server, the user receives this message: "Unable to add the file."

Procedures Used to Troubleshoot

Follow these instructions to troubleshoot your configuration.
  1. In ASDM, choose Monitoring > Logging > Real-time Log Viewer > View. When a client connects to the ASA, note the establishment and termination of SSL and TLS sessions in the real-time logs.
    webvpnasa9-9.gif
  2. In ASDM, choose Monitoring > VPN > VPN Statistics > Sessions. Look for the new WebVPN session. Be sure to choose the WebVPN filter and click Filter. If a problem occurs, temporarily bypass the ASA device to ensure that clients can access the desired network resources. Review the configuration steps listed in this document.
    webvpnasa10-10.gif

Commands Used to Troubleshoot

The Output Interpreter Tool (OIT) (registered customers only) supports certain show commands. Use the OIT to view an analysis of show command output.
Note: Refer to Important Information on Debug Commands before the use of debug commands.
  • show webvpn ?—There are many show commands associated with WebVPN. In order to see the use of show commands in detail, refer to the command reference section of the Cisco Security Appliance.
  • debug webvpn ?—The use of debug commands can adversely impact the ASA. In order to see the use of debug commands in more detail, refer to the command reference section of the Cisco Security Appliance.

Problem - Unable to Connect More Than Three WEB VPN Users to PIX/ASA

Problem:
Only three WebVPN clients can connect to the ASA/PIX; the connection for the fourth client fails.
Solution:
In most cases, this issue is caused by the simultaneous login setting within the group policy.
Use these commands to configure the desired number of simultaneous logins. In this example, the desired value was 20.
ciscoasa(config)# group-policy Bryan attributes
ciscoasa(config-group-policy)# vpn-simultaneous-logins 20
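The following is an added example, not Cisco's code: a small audit script that reads a `show running-config` capture and reports the two pitfalls this document raises, WebVPN and ASDM enabled on the same interface on the default HTTPS port (see the interface note in the introduction), and group policies that leave `vpn-simultaneous-logins` at its default of 3, which is the cause of the three-user limit above. The embedded SAMPLE_CONFIG is constructed for the example and deliberately contains both problems; it only borrows interface and group-policy names from the configuration listed earlier. The parsing approach (top-level command plus indented sub-commands) and the function names are this example's own.

```python
"""Audit an ASA running-config for two Clientless SSL VPN pitfalls.
Added example, not Cisco's code; SAMPLE_CONFIG is constructed."""

DEFAULT_SIMULTANEOUS_LOGINS = 3   # ASA default when the attribute is absent
DEFAULT_HTTPS_PORT = 443          # ASDM and WebVPN both listen here by default

# Constructed sample: WebVPN and ASDM share 'outside', GroupPolicy1 has no
# explicit login limit, Bryan has one.
SAMPLE_CONFIG = """\
ASA Version 7.2(1)
hostname ciscoasa
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  functions url-entry file-access
group-policy Bryan internal
group-policy Bryan attributes
 vpn-simultaneous-logins 20
http server enable
http 10.2.2.0 255.255.255.0 inside
http 172.22.1.0 255.255.255.0 outside
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy1
webvpn
 enable outside
 url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
"""


def parse_blocks(text: str) -> list[tuple[str, list[str]]]:
    """Split the config into (top-level command, [sub-commands]) pairs.
    A line with no leading space starts a new block; indented lines belong
    to the current block. Blank and '!' comment lines are ignored."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def webvpn_interfaces(blocks) -> set[str]:
    """Interfaces named by 'enable <iface>' under the global webvpn block."""
    ifaces = set()
    for cmd, subs in blocks:
        if cmd == "webvpn":
            for s in subs:
                parts = s.split()
                if parts[0] == "enable" and len(parts) >= 2:
                    ifaces.add(parts[1])
    return ifaces


def asdm_http_interfaces(blocks) -> tuple[bool, set[str], int]:
    """(http server enabled, interfaces with an 'http <net> <mask> <iface>'
    access rule, listening port; 'http server enable <port>' overrides 443)."""
    enabled, ifaces, port = False, set(), DEFAULT_HTTPS_PORT
    for cmd, _ in blocks:
        parts = cmd.split()
        if parts[:3] == ["http", "server", "enable"]:
            enabled = True
            if len(parts) == 4 and parts[3].isdigit():
                port = int(parts[3])
        elif parts[0] == "http" and len(parts) == 4:
            ifaces.add(parts[3])
    return enabled, ifaces, port


def simultaneous_logins(blocks) -> dict[str, int]:
    """Effective vpn-simultaneous-logins per group policy, default applied."""
    limits: dict[str, int] = {}
    for cmd, subs in blocks:
        parts = cmd.split()
        if parts[0] == "group-policy" and len(parts) == 3 and parts[2] == "attributes":
            limits.setdefault(parts[1], DEFAULT_SIMULTANEOUS_LOGINS)
            for s in subs:
                sp = s.split()
                if sp[0] == "vpn-simultaneous-logins" and len(sp) == 2:
                    limits[parts[1]] = int(sp[1])
    return limits


def audit(text: str) -> list[str]:
    """Return human-readable findings for the config text."""
    blocks = parse_blocks(text)
    findings = []
    enabled, http_ifaces, port = asdm_http_interfaces(blocks)
    if enabled and port == DEFAULT_HTTPS_PORT:
        for iface in sorted(webvpn_interfaces(blocks) & http_ifaces):
            findings.append(f"WebVPN and ASDM both listen on {iface}:{port}; "
                            "restrict ASDM to the inside interface or change its port")
    for policy, limit in sorted(simultaneous_logins(blocks).items()):
        if limit == DEFAULT_SIMULTANEOUS_LOGINS:
            findings.append(f"group-policy {policy}: vpn-simultaneous-logins not set, "
                            f"default {limit} caps concurrent WebVPN users")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

To run it against a real device, paste the output of `show running-config` in place of SAMPLE_CONFIG or pass the text to `audit()`; the script only reads the text and never talks to the ASA. Note that a policy can also be stuck at the default because the tunnel group points at a different group policy than the one you edited, so check the `default-group-policy` line in the tunnel group's general-attributes as well.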