Category: Linux Application

Running a server using Django

Running a server using Django is pretty easy. Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Built by experienced developers, it takes care of much of the hassle of Web development, so you can focus on writing your app without needing to reinvent the wheel. It’s free and open source. – Django.

Screenshot from 2016-04-23 18-59-12

1. To start with, you will need Python, which is installed by default on your Linux machine. You will also need to install pip. As I am on an Ubuntu machine, I am using the following command:

apt-get install python-pip

2. I am also using Komodo Edit as my editor. You can easily install it with the following commands:

add-apt-repository ppa:mystic-mirage/komodo-edit
apt-get update
apt-get install komodo-edit

3. Then, you will need to install Django:

pip install django

4. Change to the directory where you want to keep your Django projects and create a project with the following command. Here my project name is linuxproject. You will notice that a directory called linuxproject is created.

django-admin.py startproject linuxproject

5. Change into the project directory, in my case linuxproject. You should see a manage.py file and a directory containing the project.

6. Now, open Komodo Edit. Create a new project in the same directory where your Django project has been created and save it with Komodo. It should look something like this:

Screenshot from 2016-04-23 22-01-27

Save the project, then launch the following command from the terminal:

python manage.py migrate

Now you can start your server with the following command:

python manage.py runserver

You can now navigate to http://127.0.0.1:8000. In future articles, I will go into more detail on Django.

 

Tips:

  • You can also perform an offline installation by downloading the Django package and launching the following command for installation: python setup.py install
  • To create an administrator account and password for the admin interface, use the following command: python manage.py createsuperuser
  • If you encounter the “Invalid HTTP_HOST header” error, you will need to add your host or IP address to ALLOWED_HOSTS in the settings.py file, for example: ALLOWED_HOSTS = ['172.10.10.1', 'localhost', '127.0.0.1']
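To see why that error appears and which Host values a given ALLOWED_HOSTS list accepts, here is a small Python re-implementation of the matching rules Django applies (an exact host, a leading-dot entry that matches a domain and all of its subdomains, and '*' matching everything). This is an added example, not Django's own code, and it simplifies Django's validation (no DEBUG fallback; an empty list accepts nothing); the ALLOWED_HOSTS value and the sample Host headers are constructed. The check exists because the Host header is client controlled and is used to build absolute URLs: a '*' entry switches the protection off, so list only the names you actually serve.

```python
"""Why Django raises "Invalid HTTP_HOST header" and how ALLOWED_HOSTS is matched.

Added example, not Django's own code: a simplified re-implementation of the
matching rules (exact host, leading-dot suffix wildcard, and "*").
"""

# Constructed setting, the same shape as the ALLOWED_HOSTS example in the tip above.
ALLOWED_HOSTS = ['172.10.10.1', 'localhost', '127.0.0.1']


def split_domain_port(host):
    """Separate "host:port" into (host, port); port may be empty.
    Bracketed IPv6 literals such as [::1]:8000 are kept intact."""
    host = host.lower().rstrip('.')
    if host.startswith('['):
        close = host.find(']')
        if close == -1:
            return host, ''
        domain, rest = host[:close + 1], host[close + 1:]
        return domain, (rest[1:] if rest.startswith(':') else '')
    if host.count(':') == 1:
        domain, port = host.split(':')
        return domain, port
    return host, ''


def host_matches(host, pattern):
    """One ALLOWED_HOSTS entry: "*" matches anything, ".example.com" matches the
    domain itself and every subdomain, anything else must match exactly."""
    pattern = pattern.lower()
    if pattern == '*':
        return True
    if pattern.startswith('.'):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def validate_host(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Return True if a request carrying this Host header would be accepted.
    An empty ALLOWED_HOSTS accepts nothing (Django relaxes that only with DEBUG on)."""
    domain, _port = split_domain_port(host_header)
    return any(host_matches(domain, p) for p in allowed_hosts)


def rejected_hosts(samples, allowed_hosts=ALLOWED_HOSTS):
    """Return the Host values from samples that would trigger the error."""
    return [h for h in samples if not validate_host(h, allowed_hosts)]


if __name__ == '__main__':
    # Constructed Host headers, as a browser or a reverse proxy might send them.
    samples = ['127.0.0.1:8000', '172.10.10.1', 'localhost:8000',
               '172.10.10.2', 'evil.example:8000']
    for h in samples:
        verdict = 'ok' if validate_host(h) else 'Invalid HTTP_HOST header'
        print(f'{h:24} -> {verdict}')
```

Run it with the ALLOWED_HOSTS line copied from your settings.py and the Host value your browser or proxy sends (port included) to see whether the entry you added will actually match.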

Analysing an attack from WordPress Hello Dolly plugin

You might notice heavy CPU usage on your machine. Some of it may have a natural cause, for example a known script executed at a specific time, while the rest may be due to a simple attack. Even if the attack is not successful, the resulting high CPU usage on your server may eventually cause kernel hangs or starve other applications of CPU time. In other words, even though the attacker's goal has not been reached, you may still end up in a worse situation on your server.

Let’s look at a brief analysis of an attack involving a WordPress plugin known as “Hello Dolly”. The event started with high CPU consumption on a server. Of course, by viewing the processes in htop or atop, you can determine which processes are consuming the most CPU.

Photo credits: Komodosec.com

1. Here is an idea of the processes consuming the most CPU, obtained by firing a simple ps command. Processes 829 and 4416 were the ones consuming the most CPU.

[[email protected]:/www/website.com/htdocs/wp-content]# ps aux|grep php
apache     829  6.2  0.5 351212 97492 ?        S    Oct05 127:36 php -q /tmp/tmp
apache    3459  0.3  0.3 416340 60080 ?        S    Oct06   1:43 php-fpm: pool www
apache    4416  7.2  0.5 336860 82656 ?        D    Oct05 146:43 php -q /tmp/tmp
apache    4753  0.2  0.3 420176 64048 ?        S    Oct06   1:20 php-fpm: pool www
root      7539  0.0  0.0 103248   868 pts/3    S+   06:55   0:00 grep php

2. We can see that the process php -q /tmp/tmp emanates from a plugin on the server. For example, PID 4416 is corroborated by the lsof command, which shows the plugins directory as its working directory.

[[email protected]:/www/website.com/htdocs/wp-content]# lsof plugins/
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF      NODE NAME
php       829 apache  cwd    DIR   0,20     4096 168820763 plugins
php      4416 apache  cwd    DIR   0,20     4096 168820763 plugins
bash    22664   root  cwd    DIR   0,20     4096 168820763 plugins
php     29199 apache  cwd    DIR   0,20     4096 168820763 plugins
php     29304 apache  cwd    DIR   0,20     4096 168820763 plugins
php     30153 apache  cwd    DIR   0,20     4096 168820763 plugins
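The triage of steps 1 and 2 can be automated. The following Python script is an added example (not part of the original article): it parses ps aux output, ranks processes by accumulated CPU time, and flags web-server accounts running an interpreter on a file under /tmp or another scratch directory. The ps lines are the ones shown in step 1, re-typed as constructed input; the WEB_USERS and SCRATCH_DIRS lists are my assumptions and should be adapted to your own server.

```python
"""Triage of `ps aux` output: rank by accumulated CPU time and flag web-server
processes that execute code from a scratch directory. Added example, not code
from the original article."""

# Constructed sample: the `ps aux | grep php` output from step 1 of the article.
PS_OUTPUT = """\
apache     829  6.2  0.5 351212 97492 ?        S    Oct05 127:36 php -q /tmp/tmp
apache    3459  0.3  0.3 416340 60080 ?        S    Oct06   1:43 php-fpm: pool www
apache    4416  7.2  0.5 336860 82656 ?        D    Oct05 146:43 php -q /tmp/tmp
apache    4753  0.2  0.3 420176 64048 ?        S    Oct06   1:20 php-fpm: pool www
root      7539  0.0  0.0 103248   868 pts/3    S+   06:55   0:00 grep php
"""

# Assumptions: accounts the web server runs as, and directories it should never
# execute code from. Adjust both to the server being examined.
WEB_USERS = {'apache', 'www-data', 'nginx', 'nobody'}
SCRATCH_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')


def cpu_seconds(time_field):
    """Convert the ps TIME column ([[dd-]hh:]mm:ss) to seconds."""
    days = 0
    if '-' in time_field:
        d, time_field = time_field.split('-', 1)
        days = int(d)
    parts = [int(p) for p in time_field.split(':')]
    while len(parts) < 3:
        parts.insert(0, 0)
    h, m, s = parts
    return days * 86400 + h * 3600 + m * 60 + s


def parse_ps(text):
    """Parse `ps aux` lines (no header) into dicts; COMMAND keeps its spaces."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        user, pid, cpu, mem, vsz, rss, tty, stat, start, time_, cmd = fields
        rows.append({'user': user, 'pid': int(pid), 'cpu': float(cpu),
                     'time': cpu_seconds(time_), 'cmd': cmd})
    return rows


def suspicious(proc):
    """Heuristic: a web-server account running a command that references a scratch dir."""
    if proc['user'] not in WEB_USERS:
        return False
    return any(d in proc['cmd'] for d in SCRATCH_DIRS)


def triage(text, top=3):
    """Return (top processes by CPU time, PIDs flagged as suspicious)."""
    procs = [p for p in parse_ps(text) if not p['cmd'].startswith('grep ')]
    by_time = sorted(procs, key=lambda p: p['time'], reverse=True)[:top]
    flagged = [p['pid'] for p in procs if suspicious(p)]
    return by_time, flagged


if __name__ == '__main__':
    heavy, flagged = triage(PS_OUTPUT)
    for p in heavy:
        print(f"{p['pid']:>6} {p['user']:<8} {p['time']:>7}s  {p['cmd']}")
    print('flagged PIDs:', flagged)
```

On the sample, PIDs 4416 and 829 come out on top by CPU time and both are flagged, which is exactly the pair the article goes on to investigate with lsof.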

3. If we run strace -p on PID 29199, we notice that it is trying to open the /etc/hosts file, and that every socket and open call fails with EMFILE (Too many open files): the process has exhausted its file-descriptor limit.

[[email protected]:/www/website.com/htdocs/wp-content/plugins]# strace -p 29199
Process 29199 attached - interrupt to quit
socket(PF_NETLINK, SOCK_RAW, 0)         = -1 EMFILE (Too many open files)
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = -1 EMFILE (Too many open files)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = -1 EMFILE (Too many open files)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = -1 EMFILE (Too many open files)
alarm(0)                                = 15
rt_sigaction(SIGALRM, {SIG_DFL, [], SA_RESTORER, 0x7f66381729a0}, NULL, 8) = 0
poll([{fd=3447, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)

4. Another interesting piece of information, which website or URL the intrusion emanates from, is obtained by firing lsof -p on the PID:

[[email protected]:/www/website.com/logs]# lsof -p 29304
COMMAND   PID   USER   FD   TYPE     DEVICE SIZE/OFF       NODE NAME
php     29304 apache  cwd    DIR       0,20     4096  168820763 /www/website.com/htdocs/wp-content/plugins
php     29304 apache  rtd    DIR      253,0     4096          2 /
php     29304 apache  txt    REG      253,2  4105624      16544 /usr/bin/php

5. If we now analyze the log, filtering for bot traffic only, we find some “POST” requests coming from IP 92.62.129.97. At first glance, it looks like a Google bot. Are we sure?

92.62.129.97 - - [05/Oct/2015:20:45:49 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
92.62.129.97 - - [05/Oct/2015:21:20:43 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

6. Who is 92.62.129.97?

92.62.129.97
GeoIP Country Edition: LT, Lithuania
GeoIP City Edition, Rev 1: LT, N/A, N/A, N/A, N/A, 56.000000, 24.000000, 0, 0
GeoIP ASNum Edition: AS42549 UAB Baltnetos komunikacijos

7. Did we notice that this IP has a reputation for attacks?

Check out this website: https://cleantalk.org/blacklists/92.62.129.97. You will notice that several people have reported attacks from it, even against some Windows servers.

8. After more research, we can conclude that several WordPress users have encountered the same situation, where the Hello Dolly plugin was causing a heavy load on their servers. After they removed it, things changed. Ref:
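Steps 5 to 7 as code, added here as an example and not part of the original article: parse the access log, pick out POST requests to plugin scripts whose User-Agent claims to be Googlebot, and check that claim the way Google documents it, namely that the reverse DNS name of the IP ends in googlebot.com or google.com and a forward lookup of that name returns the same IP. The log lines are the two from step 5 plus one constructed GET from a documentation address (203.0.113.5); the resolver functions are parameters so the check can run offline with fakes, and default to socket.gethostbyaddr and socket.gethostbyname for real use.

```python
"""Find requests that claim to be Googlebot but fail Google's reverse/forward DNS
verification. Added example, not code from the original article."""

import re
import socket

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample: the two lines from step 5 plus one GET from a
# documentation-range address, standing in for a crawler that fetches a page.
SAMPLE_LOG = """\
92.62.129.97 - - [05/Oct/2015:20:45:49 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
92.62.129.97 - - [05/Oct/2015:21:20:43 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [05/Oct/2015:21:30:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def parse_log(text):
    """Yield a dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def claimed_bot_posts(entries):
    """POSTs straight to a file under wp-content/plugins/ with a Googlebot User-Agent.
    A crawler fetches pages; it has no reason to POST to a plugin script."""
    return [e for e in entries
            if e['method'] == 'POST'
            and e['path'].startswith('/wp-content/plugins/')
            and 'Googlebot' in e['ua']]


def verify_googlebot(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname):
    """Google's documented check: the PTR name ends in googlebot.com or google.com
    and the A record of that name points back at the same IP. Any lookup failure
    counts as not verified."""
    try:
        name = reverse(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return False
    if not name.endswith(('.googlebot.com', '.google.com')):
        return False
    try:
        return forward(name) == ip
    except (socket.gaierror, OSError):
        return False


def spoofed_sources(text, reverse=socket.gethostbyaddr, forward=socket.gethostbyname):
    """Return {ip: request_count} for claimed-Googlebot plugin POSTs that fail verification."""
    counts = {}
    for e in claimed_bot_posts(parse_log(text)):
        if not verify_googlebot(e['ip'], reverse, forward):
            counts[e['ip']] = counts.get(e['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    # Uses the real resolver: expect one network lookup per distinct source IP.
    for ip, n in spoofed_sources(SAMPLE_LOG).items():
        print(f'{ip}: {n} POST(s) to plugin scripts with a Googlebot UA, not verified as Google')
```

The User-Agent string is free text chosen by the client, so it proves nothing on its own; the DNS round trip is what separates a real crawler from a client borrowing its name, and it is cheap enough to run for every distinct source IP in a day's log.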

We can deduce how dangerous unknown WordPress plugins can be if their code is not properly audited by security experts. An analysis is very important before using such plugins.

Note: This information might be incomplete in some respects, as it may be that the Hello Dolly plugin was already compromised prior to the attack. The aim of this article is to show an analysis methodology for high CPU consumption.


KIWI – Cross-distro images on the cloud with OpenSUSE

Rest assured, Kiwi is neither a bird nor a fruit in the openSUSE world! Kiwi is an open source project licensed under the GPLv2 and written in Perl. The project is sponsored by SUSE to build OS images and appliances. “The KIWI Image System provides a complete operating system image solution for Linux supported hardware platforms as well as for virtualisation systems like KVM (Qemu), Xen, or VMware. KIWI is a command line tool and is the backend of SUSE Studio. The project is sponsored by SUSE.” – OpenSUSE. OS images are heavily used in cloud environments, whether you need a .vmdk, .img, .ovf or even a raw file. In brief, Kiwi provides raw disk images with no additional configuration needed. The idea of the Kiwi project is to maintain efficiency during the development, building, testing and deployment phases.

Screenshot from 2016-04-03 13-48-57

The kiwi tool itself is a command line tool; however, the SUSE Studio web app provides a GUI on top of it. Let’s now get on to some basic commands.

1. To check the Kiwi packages installed on your machine, run zypper se kiwi. These are the packages I got; ‘S’ in the first column means state and ‘i’ means installed.

Screenshot from 2016-04-03 14-07-56

2. To list all available templates, run kiwi -l. As you can see, I have templates for the RHEL and SUSE environments. Other templates are available in the Open Build Service repository.

Screenshot from 2016-04-03 14-10-48

3. The template location on an openSUSE machine will usually be /usr/share/kiwi/image, where you will find further directories, say rhel-06.6-jeOS, containing the configuration files for the boot process. The config.xml file will give you an overall idea of which repositories, packages, etc. you are going to use with your template.

4. So, let's create a suse-13.2 vmx file with kiwi. The following command builds the image. The parameter -d is the destination and --type is simply the type of image. I also created a directory /kiwi. Change into the directory /usr/share/kiwi and launch:

kiwi --build image/suse13.2-JeOS -d /kiwi --type vmx

5. Once the build is finished, you can use the .vmx file to run your machine.

There is also a free KIWI cookbook at this link, written by Marcus Schäfer, which is really interesting. The SUSE Cloud stack will also give you several tools to run and test your images. The openSUSE stack environment provides facilities for mixed distros. SUSE Studio is a collection of tools designed to improve the efficiency of building, managing and maintaining software, virtual and cloud applications.


Install, Setup and Create DB on PostgreSQL

PostgreSQL is yet another open source object-relational database system. It's compatible with almost all operating systems, including BSD, Windows and Linux. I will be using a CentOS 7 machine to install PostgreSQL and set up some basics. In a future article, I will give some idea of the more robust things you can do with PostgreSQL.

Photo Credits: postgresql.org

1. You can install PostgreSQL from the repository with the following command:

yum install postgresql-server postgresql-contrib

2. The first action you need to perform after installing the PostgreSQL server is to initialize the database by creating a new database cluster:

postgresql-setup initdb

3. You can now start the postgresql service. Postgres will be listening on port 5432:

systemctl start postgresql

4. Now that we have PostgreSQL installed on our machine, we can create the first superuser with the following command. Let's call the user test. It is common practice to use the username that has sudo privileges on the machine itself.

sudo -u postgres createuser --superuser test

5. To connect to the Postgres command line, use the following. postgres is the default user and psql is what you want to run:

sudo -u postgres psql

6. You should have something similar to this.

Screenshot from 2016-03-30 21-21-11

7. Now you can set the password for the superuser you just created. In my case it is the user ‘test’ from step 4:

\password test

8. Once you have been prompted to enter the password twice, PostgreSQL is set up. You can exit with the command:

\q

9. To connect to the default postgres database, you simply need to use the following command. To quit, follow step 8:

psql postgres

10. Let's create a database with the superuser. You might need to add your user to the group postgres with the command usermod -g test postgres, as postgres will need permission to access your home directory to write the .psql_history file:

sudo -u postgres createdb test

11. To get onto the command line, you just need to type psql, which should show you something similar to this:

Screenshot from 2016-03-30 21-25-49 


Converting a deb into rpm using alien on openSUSE

The alien command is used by almost all system administrators. You might come across situations where you need to install a .deb package on an openSUSE machine. You will need to convert it to an .rpm prior to installation. The alien command is simply a way to convert or install a binary package from a foreign package format.

Photo credits: comicvine.com

Installing Alien on OpenSUSE Leap

Installing a .deb package on openSUSE can be done by converting it to an .rpm file with the alien command. If you have freshly installed openSUSE Leap, you might notice that the command zypper install alien gives you the following error.

Screenshot from 2016-03-29 16-37-48

This can be solved easily, as the package is simply not available in the default repositories. You can just add the KAMiKAZOW repo from the openSUSE Build Service and fire the following commands:

zypper addrepo http://download.opensuse.org/repositories/home:KAMiKAZOW/openSUSE_Leap_42.1/home:KAMiKAZOW.repo
zypper refresh
zypper install alien

You should get a result similar to this, with all the dependencies installed.

Screenshot from 2016-03-29 16-43-42

You can finally launch zypper install alien, which will look similar to this.

Screenshot from 2016-03-29 16-44-24

Let’s now convert a .deb into a .rpm

I will take the nmap tool as an example. I have downloaded the nmap .deb file from the Ubuntu repo; you can choose your own .deb file. This is the link to download nmap from the Ubuntu repo:

wget http://mirrors.kernel.org/ubuntu/pool/main/n/nmap/nmap_7.01-2ubuntu1_amd64.deb

So, to convert the file into an .rpm, you need to launch the following command:

alien --to-rpm <deb file name here>

Of course, on an openSUSE machine you would need the spec file. Here is an idea of the kind of error you might come across.

Screenshot from 2016-03-29 16-56-07

Solving the error

The error “rpmbuild not found” clearly hints that the rpmbuild package is not installed on the machine. Just install it with:

zypper install rpmbuild

Now that the rpmbuild package is installed with all its dependencies, you can relaunch the command, which in my case is:

alien --to-rpm nmap_7.01-2ubuntu1_amd64.deb

A message stating that the package .rpm has been generated will be shown. I have just taken the nmap package as an example; you can choose your own .deb file. It's generally inadvisable to run alien on a machine that has both RPM and DEB packages installed, because the two systems do not share installed-file database information. Have fun with aliens.