Saturday, November 17, 2007

Busy...

I've been kind of busy these days, so there has been no posting. But I'm working on a big article, so just wait for it! It will be worth it.

Wednesday, November 7, 2007

The joy of being an Ubuntu Linux user

Yep! That's right. Finally got two Gutsy CDs in my mailbox. They took about a month to arrive and were totally free of charge. Could it be better than this? Well, it actually could, if they changed that silly cover...

Tuesday, November 6, 2007

WTF? apt-get install apt ?!



I was messing around with Ubuntu when I suddenly got a boot problem. Amazingly, when the maintenance shell tried to start, it could not find some commands and so automatically tried to install them using apt-get, but it could not find apt-get either, so the final output was the brilliant: "The program apt-get is currently not installed. You can install it by typing apt-get install apt". Nice tip! I'm going to write it down so I don't forget it! :P


How to delete log files - Part I

As you read this post's title you might think it has evil purposes. Well, it may or may not; it depends on what you do with the content, and that is your responsibility. I provide this information for educational purposes only.

This is a short tutorial about the methods used by hackers (please cut the bullshit, I'll use the term hacker for both the good and the bad ones) to erase their tracks on a compromised machine.
In this first part of the tutorial I'll only show a common type of tool used to get the job done quickly: a simple log eraser written in Perl. Reading it, you can also see which directories to check for logs on Linux machines. Tomorrow, in part II, I'll go through it directory by directory and log by log, on both Linux and Windows machines.

---> logeraser.pl <---


Monday, November 5, 2007

Bug in OS X Leopard leads to possible data loss!

A nasty bug has been found in the directory-moving code of Leopard's Finder. It seems that if the destination volume disappears during a move operation, all the data being moved is lost. This happens regardless of the type of destination (local, USB, FireWire or SMB).
It is also being said that this bug is present in Tiger and Panther too, but there is no real proof of that so far.
You can read more about this here, and watch a video of the bug in action here.

Thursday, November 1, 2007

New OS X malware...

Yes, it's true! There is a new piece of malware for OS X. It's not a virus, since it can't self-propagate from one machine to another, but it sure is tricky.

This malware, named OSX.RSPlug.A Trojan Horse, is "hidden" behind video files on the web (what are the most searched-for video files on the web about? ;) ). When you try to play the video, the site tells you that you need to download a codec. You will see a disk image being downloaded, and after you mount it and run the installer you are asked for the administrator password so that the codec is "correctly" installed on the system.

What happens next? You won't see any video, because there is no video and no codec was installed. Instead, your DNS server settings are changed to point at malicious machines, so when you type www.[your_home_banking_website].com you are sent to a clone of the site, ready to grab your username and password and send them to who knows where... That is just one example; it is up to you to imagine all the possible scenarios, and up to the configuration of the malicious resolver. But that's not all: a cron job (scheduled task) also runs every minute to restore those DNS settings, just in case you find and change them.

Now the most important part: how do you detect this little bastard? First, take a look at your DNS settings and check that the entries are the ones you expect. Then go to the /Library -> Internet Plug-Ins folder and check whether there is a plugins.settings file there. If it is, you are probably infected. But beware, chances are the file name will change in later variants. So if in doubt, also check for the presence of a root cron job (the installer ran as root once you handed it the admin password, so the job lives in root's crontab, not yours; plain crontab -l only shows your own user's jobs). Open a terminal, type sudo crontab -l, and if the output looks like this:

* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1

you're infected. And finally, one more (effective) way to detect this trojan is to run scutil in a terminal. After entering scutil, type show State:/Network/Global/DNS and it will print the DNS servers OS X is actually using (the ServerAddresses list). Compare them with the servers your router or ISP hands out, or the resolver you configured yourself; if you find a DNS IP you don't know, then once again... you're infected!
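The three checks above (root crontab, plug-in directory, scutil DNS output) are easy to script. The following is an added example, not code from the original post or from the trojan: the functions parse crontab and scutil output handed to them on stdin, so the checks run offline against constructed sample data. The function names, the sample lines and the 192.0.2.53 / 192.168.1.1 addresses are my own assumptions for illustration; the only artefact taken from the page is the plugins.settings cron entry.

```shell
#!/bin/sh
# Added example: scripted versions of the RSPlug indicators discussed above.
# Sample data is constructed for illustration; the addresses used are
# documentation/private ranges, not addresses observed from the trojan.

# Print crontab lines that run something out of /Library/Internet Plug-Ins
# (a plug-in directory has no business hosting cron jobs) or that mention a
# plugin(s).settings file. Reads crontab text on stdin; exit status 0 = hits.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -E 'Internet Plug-Ins|plugins?\.settings'
}

# Extract the resolver addresses from `scutil` output for
# State:/Network/Global/DNS. Entries inside ServerAddresses look like
# "    0 : 192.168.1.1", so the address is the third whitespace field.
dns_servers_from_scutil() {
    awk '
        /ServerAddresses/ { inside = 1; next }
        inside && /}/     { inside = 0 }
        inside && /^[[:space:]]*[0-9]+ : / { print $3 }
    '
}

# Print every address read from stdin that is NOT in the space-separated
# allow-list of resolvers you expect (your router, ISP, or one you chose).
unknown_dns_servers() {
    allow=" $1 "
    while IFS= read -r addr; do
        case "$allow" in
            *" $addr "*) ;;                      # known resolver, ignore
            *) printf '%s\n' "$addr" ;;          # unexpected resolver
        esac
    done
}

# Constructed sample data (assumption: this is what an infected Mac shows).
SAMPLE_CRONTAB='# m h dom mon dow command
* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1
0 3 * * * /usr/local/bin/backup.sh'

SAMPLE_SCUTIL='<dictionary> {
  ServerAddresses : <array> {
    0 : 192.0.2.53
    1 : 192.168.1.1
  }
  DomainName : lan
}'

# Run the checks over the samples; 192.168.1.1 plays the role of the home router.
demo_cron_hits()   { printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines; }
demo_unknown_dns() {
    printf '%s\n' "$SAMPLE_SCUTIL" | dns_servers_from_scutil \
        | unknown_dns_servers "192.168.1.1"
}

# On a real Mac, feed live data instead of the samples:
#   sudo crontab -l 2>/dev/null | suspicious_cron_lines
#   echo 'show State:/Network/Global/DNS' | scutil \
#       | dns_servers_from_scutil | unknown_dns_servers "192.168.1.1"
if [ "${1:-}" = "--demo" ]; then
    echo "Suspicious cron entries:"; demo_cron_hits
    echo "DNS servers not in the allow-list:"; demo_unknown_dns
fi
```

Run it with --demo to see both indicators fire on the sample data. The allow-list is the important part: an unknown resolver is only meaningful relative to what your own network should be using, so put your router's or ISP's addresses there before trusting the result.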

Now what? It's not like it's the end of the world... (unless you used home banking, PayPal or similar websites while infected).
To remove the trojan, delete the plugins.settings file (and empty the Trash too :P), then run sudo crontab -r to remove root's cron jobs (a stock OS X install has no root crontab, so nothing legitimate is lost; if you have added root jobs of your own, use sudo crontab -e and delete just that line instead), and finally re-enter the DNS servers you actually want in the Network pane of System Preferences. How simple is that?
OS X malware is lame, and it also takes lame users to enter the admin password for an untrusted software install.

Saturday, October 27, 2007

Facebook users: no privacy for you!


Those of you who use Facebook, think about it twice... Does it really justify having your whole life exposed to these possible threats?