Archive: November, 2007

About the /proc and -xdev parameter for ‘find’

Check out this article about About the /proc and -xdev parameter for ‘find’. Please tell me what you think about it. You can contact me anytime!

/proc is a pseudo-filesystem used to access process information from the kernel. It doesn’t use any storage space and uses little memory. On Linux, you can sometimes make modifications to the running kernel by modifying “files” in /proc.

If / is full, run a command similar to the following to sort all files in the / file system by size:

find / -xdev -ls | sort -n -k 7

“-xdev” limits the find command to the root file system.

This will only look for files found in the root and will not includes those partitions that are defined in /etc/vfstab | /etc/fstab file, those listed when `df -k` is executed:

/dev/md/dsk/d0 2058319 1016097 980473 51% /
/dev/md/dsk/d3 2058319 1801793 194777 91% /var
etc .. etc..

Thanks Brandon!

Brandon H. – Senior UNIX Systems Engineer for an application services provider in Minneapolis, MN.

Difference Between NFS, DNS, NIS+, and NIS

Check out this article about Difference Between NFS, DNS, NIS+, and NIS. Please tell me what you think about it. You can contact me anytime!

NFS, DNS, NIS and NIS+… that’s a lot of acronyms!

Network File System

NFS is Sun’s Networked File System, and by now, more or less, the de facto method of sharing file systems between computers.

Domain Name Service

DNS is the Domain Name Service, which is the way information about hostnames and addresses are shared across the Intenet.

Network Information (Name) Service

NIS stands for Network Information Name Service. It was original called Yellow Pages, which is why many of the commands for NIS start with yp (such as ypbind, ypcat, etc.) NIS was developed by Sun, and is, like NFS, more or less the default way of sharing system information between UNIX machines.

NIS+

NIS+ is Sun’s re-implementation of NIS. It attempts to address some of the problems with NIS, but the implementers of NIS+ have made a series of bad choices in the design of NIS+, so it has seen only limited usage compared to the other types of services you asked about.

All About Virtual Interface in Solaris

Check out this article about All About Virtual Interface in Solaris. Please tell me what you think about it. You can contact me anytime!

Solaris (and other OS) allows the use of Virtual IP. Virtual interface or logical interface allows an Operating system with only one (1) network device to have multiple numbers of IP address.

The Problem

Got a page today, just now that one of our managed server went down. It’s a ping/connectivity page.

Logged in to console and investigate. It turns out that the UNIX box is multi-IP’d box. It has a virtual IP and looks like the one that gave out the ping notification is the virtual IP.

Corrective Action

Simple create the missing IP address using a virtual interface. Virtual interface allow a single ethernet interface to listen on additional IP addresses.

Check the existing network IP configuration of the UNIX box:

UNIX-Box(AP)#ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 165.20.21.4 netmask fffffff0 broadcast 65.201.212.47
ether 0:3:ba:3d:ba:99
qfe3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 12.3.55.22.6 netmask ffff0000 broadcast 172.31.255.255
ether 0:3:ba:3d:ba:99

You have to have the info you need to re-create the virtual IP. In this case, it’s the network IP: 12.3.55.22.12To create the Virtual interface:

 ifconfig qfe0:1 plump
ifconfig qfe0:1  12.3.55.22.12 up

You can set the IP address of the interface to 192.168.1.15 and turn on the interface with the following command:ifconfig hme0:1 192.168.1.15 up

Unless you do some additional nonstandard things in your network, all of the subinterfaces on a physical interface need to be in the same subnet.

To make the virtual interface persist following a reboot, you can add the ip address or hostame from /etc/hosts in the file /etc/hostname.hme0:1

Disabling / Removing Virtual Interface

The example above shows how to create a virtual interface using the ‘plumb‘ command. In the same way, in order to remove a virtual interface (and subsequently the IP) the interface is unplumbed using the ‘unplumb’ directive.
To remove the virtual interface eri1:7, run the following command as root:

ifconfig eri1:7 unplumb

 Final Words

Any other things we can do with virtual IP?

Cover Your Tracks After Hacking A UNIX Box

Check out this article about Cover Your Tracks After Hacking A UNIX Box. Please tell me what you think about it. You can contact me anytime!

In the Monitoring User Login post, the commands and files that are related in tracking user activities are discussed.

Here are some ways of covering your fingerprints on a server using the files that monitors user logins.

We want to erase any trace that will show that we were inside the box. In doing so we’ll just:

cat /dev/null > <file>

Lastlog file

Clear out the last log file if you’re using an existing user from the box. Lastlogin file shows when and where a particular user last login from.

login: razile
Password:

Last login: Fri Oct 21 21:50:02 2007 from 210.2.9.1
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
razile@unix-box %

Erase that if you don’t want the admin see where you last login from (IP, hostname, time etc)

cat /dev/null > /var/adm/lastlogin

After clearing the lastlog file, comparing the first login and the second one:

(first login)

Last login: Thu Nov  1 21:33:41 2007 from 210.23.109.1
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
user@server->

(after deletion)

 Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
bash: unalias: `e’: not an alias
user@server->

wtmpx/tmpx files

If you want to check those users who logged in to a Unix box, type in ‘last’

UnixBox# last | more
root        pts/21       101.221.224.61    Sat Nov  3 11:38   still logged in
sitescp   pts/20       19.168.128.132  Sat Nov  3 07:00   still logged in
root        pts/23       101.221.224.51    Sat Nov  3 05:05   still logged in
root        pts/22       101.221.224.51    Sat Nov  3 05:05   still logged in
paladel    pts/22       14.122.4.99     Fri Nov  2 14:33 – 15:32  (00:59)
boy1        pts/26       14.122.4.67     Fri Nov  2 13:22 – 14:50  (01:28)
boy2        pts/26       14.122.4.67     Fri Nov  2 13:20 – 13:22  (00:02)

You’ll see the user who was logged in, the terminal used, the IP where he came from the date or duration of his activity in the server.

That is a lot of information, so in covering up your track, delete or zero out the files that stores these information

cat /dev/null > /var/adm/wtmpx
cat /dev/null > /var/adm/tmpx

After doing so, you’ll get this when doing ‘last’

# cat /dev/null > /var/adm/wtmpx
# last | more

wtmp begins Sun Nov  4 00:41
#

You could also zero out the /var/adm/messages if you’re really paranoid.

Of course doing these is like shouting and telling the whole universe that you were there.

These are just a few to cover you track… Do you have any additions? Or any tips in covering the intrusion without knowing that you were there?

UNIX Quick Tip: Changing The Time Stamp Of A File

Check out this article about UNIX Quick Tip: Changing The Time Stamp Of A File. Please tell me what you think about it. You can contact me anytime!

This tip is a give away. Everyone knows this, but for those who doesn’t or forgot…  here’s refresher…

Here’s a typical output of a file listing using `ls -l` on a directory:

[root@unix-box icons]# ls -l | more
total 636
-rw-r–r–    1 elizar root          246 Aug 26  2005 a.gif
-rw-r–r–    1 elizar root          242 Aug 26  2005 alert.black.gif
-rw-r–r–    1 elizar root          279 Aug 26  2005 alert.black.png
-rw-r–r–    1 elizar root          247 Aug 26  2005 alert.red.gif
-rw-r–r–    1 elizar root          298 Aug 26  2005 alert.red.png
-rw-r–r–    1 elizar root         2326 Aug 26  2005 apache_pb.gif
-rw-r–r–    1 elizar root         1385 Aug 26  2005 apache_pb.png
-rw-r–r–    1 elizar root          293 Aug 26  2005 a.png

When using the -l (dash ‘el’) option of ls, the output will display a more detailed listing of the files. Here you’ll see the file properties/permission (-rw-r–r–) the number of links, the owner of the file, the group of the user, file size, the date/time stamp and finally the file name. That’s 7 column.

Changing The Time Stamp Of A File

To change the time stamp of a file (the 6th column in the `ls -l` listing), we use the UNIX command touch.

From the Man Pag:

NAME
touch – change file timestamps

SYNOPSIS
touch [OPTION]… FILE…
touch [-acm] MMDDhhmm[YY] FILE… (obsolescent)

There are many options for the touch command, but the one I use fairly often is the -t option

       -t STAMP;    use [[CC]YY]MMDDhhmm[.ss]

Example:

 [root@unix-box icons]#  touch -t 200607161201 a.gif
[root@unix-box icons]# ls -l | more
total 636
-rw-r–r–    1 elizar root          246 Jul 16  2006 a.gif
-rw-r–r–    1 elizar root          242 Aug 26  2005 alert.black.gif

Other options that you  may find useful are -a (change access time only) -m (modification time only) and others. Consult the man page for more details

Cheers!