Identifying and Investigating Network-Bound Software in a Linux Server

In this article we will learn how to correlate open ports with the software running on a Linux server, and why this knowledge is critical to operating and maintaining a secure environment. When a server is compromised, the result is not always as drastic as complete data loss. Often the hacker will use the compromised host to pursue his primary goal, which is maintaining anonymity. One way to achieve this is to install and operate software that proxies network traffic. For this reason, the ability to generate a list of network-bound software and audit each item is important.

This information is not limited to analyzing compromised servers or servers with security issues: understanding which software running on your server accepts input over the network (internet) is vital to keeping your server secure.

After ssh’ing to our server as root, let’s check which software is listening on TCP sockets.

# netstat -alntp | grep LIST
tcp 0 0 10.100.10.10:322 0.0.0.0:* LISTEN 9653/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 8118/mysqld
tcp 0 0 10.100.10.10:80 0.0.0.0:* LISTEN 5266/httpd
tcp 0 0 10.100.10.10:80 0.0.0.0:* LISTEN 15404/openvpn
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 10065/perl
tcp 0 0 10.100.10.10:18081 0.0.0.0:* LISTEN 5266/httpd
tcp 0 0 127.0.0.1:8118 0.0.0.0:* LISTEN 23952/privoxy
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 9301/exim4
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 9664/tor
#

Each row represents an open socket, possibly to the internet. The fourth column tells us the IP address and port on our server on which the software is listening for connections. 0.0.0.0 means all IP addresses. If the server does not have a firewall, one can assume that packets from the internet will be processed by the software listening on the appropriate port. Even with a firewall, it is worthwhile to ensure that the software is secure, because software firewalls can be disabled or malfunction, and hardware firewalls can be removed from the network without notice. The last column is in the format X/Y. X is the process ID (PID) of the network-bound software. Y is the name of the running program (this “name” is controllable by the program itself, and thus cannot be relied upon to know what that program actually is). It is critical that you are able to correlate an open socket with a program (PID) in your Linux server.

The first row tells us that “sshd” is running at PID 9653 and listening on IP address 10.100.10.10 port 322. This means TCP connections to 10.100.10.10 port 322 are handled by “sshd”. We can see that “httpd” is listening on ports 80 and 18081. The first port makes sense, as this is the default port for HTTP traffic. Port 18081 is a little strange, as it is an uncommon port number. To verify the authenticity of PID 5266, we can start by running this command to determine the absolute path to the binary which is network bound:

# ls -al /proc/5266/exe
lrwxrwxrwx 1 root root 0 Jun 24 20:34 /proc/5266/exe -> /usr/sbin/httpd

This tells us “httpd” is actually /usr/sbin/httpd. This makes sense because this is the normal path and name of the Apache webserver in CentOS. To verify that /usr/sbin/httpd is the true Apache binary, we can run two RPM commands:

# rpm -qf /usr/sbin/httpd
httpd-2.2.3-31.el5.centos.2
# rpm -V httpd-2.2.3-31.el5.centos.2
S.5....T c /etc/httpd/conf/httpd.conf

The first command uses the flags “-qf” to query a file; the output is the package to which the file belongs. We then use the “-V” flag to verify the authenticity of that package in the system. The output lists any modified files. In this case, we learn that httpd.conf has been modified. This makes sense and is common, as the default Apache configuration is not very useful for most organizations.

If /usr/sbin/httpd had been replaced with another binary, we would see an immediate sign that the server could be compromised. We will simulate this by placing another binary in place of httpd.

# mv /usr/sbin/httpd /usr/sbin/httpd.real
# cp /bin/ls /usr/sbin/httpd
# rpm -V httpd-2.2.3-31.el5.centos.2
S.5....T c /etc/httpd/conf/httpd.conf
S.5....T /usr/sbin/httpd

In this case, /usr/sbin/httpd fails in three areas (periods represent passed tests):

S is the file size.
5 is the MD5 checksum of the file.
T is the modification time of the file.

We can see that it makes sense for /etc/httpd/conf/httpd.conf to fail S and T, since the file was modified (modification time and file size changed). A failed MD5 checksum in this case tells us that /usr/sbin/httpd is not the file which CentOS provided us with.

Going back to our netstat report, we find this open socket:

tcp 0 0 10.100.10.10:18081 0.0.0.0:* LISTEN 5266/httpd

We will now check out this “httpd”:

# ls -al /proc/5266/exe
lrwxrwxrwx 1 root root 0 Jun 25 05:29 /proc/20424/exe -> /tmp/.var/lib/httpd

This is a rogue process, as “programs” should not be stored in /tmp in any normal Linux server. This file should not belong to any package, as rpm can verify for us:

# rpm -qf /tmp/.var/lib/httpd
file /tmp/.var/lib/httpd is not owned by any package

At this point, we know there is some insecurity in this server, as sockets have been opened by software which we did not install. Tracing the source of this rogue network program is another topic. Deleting the file may solve the immediate issue, but rest assured the file and process will return unless the underlying insecurity is solved.

We should continue to audit each network-bound process in our server. PIDs 23952 and 9664 are of particular interest based on the process names. Network connections can also be established via UDP sockets. To generate a list of UDP ports bound to programs running in your server, we can use the command:

# netstat -alnp | grep udp
udp 0 0 0.0.0.0:53 0.0.0.0:* 18443/dnscache
udp 0 0 10.100.1.100:53 0.0.0.0:* 19029/named

The same procedure for identifying the responsible binary via the PID can be used.

When provisioning a new server, it is critical to understand and research each open socket. Disabling unnecessary network bound software is critical in limiting the entry points to the server, thus increasing security. After we identify each piece of software which may be exploited, we should check the version and configuration of that software to ensure it is not vulnerable to any known security issues.
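
The manual steps above (list listeners, resolve /proc/PID/exe, ask rpm who owns the file) can be scripted. The following is an added example, not code from the original article; the function names and the path heuristics in classify_exe are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the article: audit listening sockets by binary path.

# Emit "PID NAME LOCAL_ADDR" for each TCP LISTEN row of `netstat -alntp` on stdin.
# Matching the state column exactly avoids the false hits `grep LIST` can give.
parse_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /^[0-9]+\// {
        i = index($7, "/"); print substr($7, 1, i - 1), substr($7, i + 1), $4 }'
}

# Judge a /proc/PID/exe target by its path alone (heuristics chosen for this example).
classify_exe() {
    case "$1" in
        "")                           echo "UNREADABLE" ;;   # no such PID or not root
        *" (deleted)")                echo "DELETED" ;;      # unlinked while running
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "WRITABLE_DIR" ;; # world-writable location
        */.*)                         echo "HIDDEN_PATH" ;;  # dot-directory or dot-file
        *)                            echo "OK" ;;
    esac
}

# Full audit: resolve each listener's binary, classify it, then ask rpm who owns it.
audit_listeners() {
    parse_listeners | while read -r pid name addr; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe=""
        verdict=$(classify_exe "$exe")
        pkg="-"
        if [ "$verdict" = "OK" ] && command -v rpm >/dev/null 2>&1; then
            pkg=$(rpm -qf "$exe" 2>/dev/null) || { pkg="-"; verdict="UNPACKAGED"; }
        fi
        printf '%s pid=%s name=%s exe=%s pkg=%s %s\n' \
            "$addr" "$pid" "$name" "${exe:-?}" "$pkg" "$verdict"
    done
}

# Constructed sample input: two rows from the listing above plus one non-listening row.
SAMPLE='tcp 0 0 10.100.10.10:80 0.0.0.0:* LISTEN 5266/httpd
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 9664/tor
tcp 0 0 10.100.10.10:80 10.0.0.5:51000 ESTABLISHED 5266/httpd'
printf '%s\n' "$SAMPLE" | parse_listeners

# Live use on the server, as root:  netstat -alntp | audit_listeners
```

Any row whose verdict is not OK deserves the manual follow-up shown earlier; for rows that are OK and owned by a package, rpm -V on that package remains the check for a replaced binary.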


5 Social Media Tips for Local Business

Getting Started with Social Media
When I talk with owners of small and local businesses, I frequently hear a similar question, “How can I make social media work for my business?” It seems a lot of local service providers (vets, doctors, dry cleaners, etc.) want to get started using social media, but just don’t know how.

Some businesses, like restaurants, bars and clubs, seem like a natural fit for social media. An active online presence is a great way to get your customers to attract their friends through social media sites like Facebook, FourSquare and Twitter.

Even if your company doesn’t seem like an obvious fit, there are ways social media can add value for your business. Here are five simple tips on getting started:

1) Start Small – You don’t need to create an account on every social media site at once. Think about the sites your customers use that also fit your business. Foursquare is great for destinations, Twitter can help quickly get news and updates out to your followers, Facebook is wonderful for building community and sharing tips and advice. Pick the one that aligns with your business and start with that. Later, you can add more accounts and link them together to expand your presence.

2) Exercise Moderation – When you get started with social media, it’s easy to get excited about the potential to connect with ALL your customers and prospects. But you don’t want to overdo it and have your efforts backfire. Show a little restraint and post or tweet only when you have something worthwhile to say. For some businesses, that’s once a day (not several times a day). More likely, you’ll want to post or tweet once or twice a week.

3) Be Relevant – If you have some good tips that are related to your business, share them. Having a sale? Let everyone know. You might even want to have special offers or incentives for your followers. Not sure what to post? Think about what interests your customers. They don’t want to be bombarded with promotional messages, but useful info is always appreciated. If you’re a pet sitter, you could provide suggestions on how to keep pets happy and healthy while their owners are away. A dry cleaner? Try stain removal tricks.

4) Keep it Brief – You don’t need to write a novel to be successful with social media. If your message is short and to the point, it will be read. One useful trick when drafting a message is to write what you want to say, then go back through your draft and cut words you don’t really need. Any fluff and filler words should go, making your message more concise and powerful.

5) Get Personal – People like to know there’s a human heart behind the companies they do business with. This is especially important with local businesses. If you’ve ever used the line, “I know the owner… ” you know what I mean! Showing your personality in your posts makes them more interesting to read, and more compelling for customers. This doesn’t mean to share everything, but a conversational tone with a few interesting tidbits about your hobbies, pets, likes and dislikes makes you – and your business – more approachable.


Mobile Feedback Grows As Smartphone Usage Grows

Mobile feedback is the new method of tracking customer loyalty for customer experience management experts. No longer are small business owners, restaurant managers, and retail stores relying on comment cards and paper surveys. Many are looking to mobile feedback for a way to monitor the sentiment around their brands, incorporate loyalty programs, and even engage with customers at the point of sale. A lot of this mobile feedback is coming from non-app based tools. Regular mobile feedback apps can include sites/tools that are downloaded onto a person’s smartphone. These frequently-visited recommendation sites are often used by customers to leave public feedback about a business — restaurants, retail stores, doctors and dentists, etc.

And while they are valuable tools for restaurant and retail managers who want to measure the sentiment of their customers, they also often fall prey to overinflation of complaints and people who believe that outraged indignation is a birthright, as well as completely falsified complaints and attacks by unscrupulous competitors.

The other alternative that restaurants and retail establishments can take advantage of is text-based mobile surveys and special survey websites that use a mobile device, but are more private and will only solicit the opinions of actual customers, not people who make up complaints because they have an axe to grind.

Imagine having a dedicated mobile feedback web page that can only be accessed at the point of sale via a QR code. Ask customers to scan it as they pay for their purchases, or scan it when they receive their bill at their table, and they can take a mobile feedback survey on their phone while they wait.

Or try using a text-based mobile survey. Have the waitstaff or sales staff point out the number to dial to receive a four-question survey about their experience just by texting their answers back, or leave it on a table tent in a restaurant or flyer around the store. This can be done on a smartphone or regular flip phone.

In both cases, the mobile feedback answers will be compiled and aggregated into an overall satisfaction score. But they can also be used to alert management as soon as there is a problem.

For example, at a restaurant, a customer can take the survey while they wait for their bill to arrive. They give a low score for their experience, and the manager is immediately alerted. He or she can visit the customer’s table, help solve any problems, and offer a discount or free dessert to improve the customer’s satisfaction, thus ensuring they become repeat customers.

Using non-app based mobile feedback helps managers immediately identify problems and help improve customer satisfaction without waiting for a person’s issues to reach the web where everyone can see them. With the right mobile feedback system, managers can help improve customer satisfaction enough so that if the customer does visit a recommendation site, they will leave a positive review instead.


The New Career Prospects For National Game Testers

Game testing is the process of analyzing video games for software defects and falls under the quality control process in the development of a video game. A standard video or computer game takes many years to develop, depending on its scale. But the testing begins late in the development process. It takes place only upon 75 percent completion of the game. As a result, national game testers get new fractions from the developers on a particular schedule, and each version demands a unique identification in order to detect errors in them.

If you are exceptionally good at playing video games, it does not necessarily follow that you can play the role of game tester perfectly too. The testing for a game does demand topmost levels of play, but its utmost requirement from testers is to think like a player who has just started playing. They have to be in the shoes of a regular player making small mistakes and try to imagine the possible pitfalls and errors made by them.

Career in Game Testing

Once you’ve familiarized yourself with the industry and the various game design companies, you can look forward to getting the educational backup. After achieving the degree, you can look for video game design career information at most information portals, such as trade shows and publications, the internet and college campuses.

As games have become much more complex, a larger pool of quality assessment resources is necessary. Most publishers have a large QA staff who test various games from different developers. Normally, a group of testers works on one to two games at a time, depending on each game’s scale. When a game reaches its completion, they focus intensely on it as the QA requirements escalate.

You will be able to find endless amounts of information with every major publisher at these events. Just as events happen in different countries, for example the Tokyo Game Show, or the Game Developers’ Conference in Japan, you can also look for your own national game show or game tester fair that offers plenty of opportunities. These provide a proper channel to step in, grab information and meet the best designers with their best prospects.

Do not miss the chance to join such events which are often publicized either through school or press credentials or through networking with industry insiders. They can land you a great job of designing video games and game testing.
