Posts Tagged ‘Viruses’

Newer Entries »

Cleaning Packard Bell Hera GL laptop running Windows XP from Viruses and Spyware (Viruses / Spyware which can make CD drive and Wireless seem unworking)

Tuesday, December 13th, 2011

Packard Bell Hera GL Fixing Broken RaLink Wireless

Yesterday, one (girl)friend of mine brought me one Packard Bell notebook, which had a 2 years old Windows installed on it.
As one can imagine Windows XP on it is full of Spyware and Viruses. Besides the software problems the notebook had some hardware problems with the CD / DVD which is not reading CD / DVDs at all.

Initially I thought, the CD unable to read problems are caused by the infected Windows, however even restarting the PC with a bootable Hirens BootCD and a Whoppix liveCD and trying to boot from it failed this convinced me its a CD / DVD combo drive hardware failure.

By the way, I’ve just recently found out about Nixory – Is a nice Free Software Open Source AntiSpyware tool for Firefox, IE and Chrome.

Nixory Windows XP Screenshot

I hope it will get a sharp development and soon, when some friend asks me to fix his stupid non free-Windows PC, I would not have to use a trial version of Malware Bytes but directly use only Nixory

Anyways after using Nixory, MalwareBytes and Avira and thoroughfully scanned the system in Safe Mode and found and deleted some 15 Spyware / Viruses and tampered a bit with the Wireless Driver settings all the notebook devices started working fine again.

The wireless had also one really odd problem on this Packard BellHera GL, even though the notebook wireless antenna was capable of detecting all the wireless networks it couldn’t properly connect to any of it but failed to get proper IP addresses.
Partially the unable to grab an IP via wireless router dhcp server got fixed by using the Wireless restart Button (located on the Notebook corpus).
However even after cleaning up the Virus and Spyware the Wireless Networks connectivity problems on this Packard Bell continued, until I changed also few settings in the Control PanelI never thought Viruses / Spyware infected can have some bad impact on Wireless Card and CD drive make them unsusable though they showed like working correctly in Windows Control Panel -> System ??

In the meantime I reinstalled the Wireless Driver for the notebook, the Wireless card on the notebook was showing up itself under the name of Ralink 802.11n Wireless Lan Card in Windows Device Manager

After re-installing the wireless driver I had to also change few settings for the Wireless Network Connection using the menus Properties -> Configure -> Extended; therein everywhere for each Value I make it be Enable and for Power Saving Mode , I’ve choose the Value option of CAM

After a system reboot, everything started working finally fine. One last thing to add is that before I fixed the Ralink wireless to work under Windows, I tried to use a Bootable Linux LiveCD but even there the wireless was failing to connect to the wireless networks (maybe this shit wireless device has some issues with its Linux drivers).

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in System Administration, Windows | No Comments »

Hello I’m Mr. GNU. Let me make your business go free!

Tuesday, November 8th, 2011

Mr. GNU in a suit

Did you ever think, the tons of money your business has spend paying for buggy and unreliable non-free software?
Having problems with your Windows Network, being tortured by Viruses, a failure after windows upgrade, unexpected system crashes? Don’t worry MR. GNU will help you to change your business go free ;))

Tags: , , , , , , , , , , , , , ,
Posted in Entertainment, Everyday Life, Linux, Linux and FreeBSD Desktop, Various | 1 Comment »

Scanning shared hosting servers to catch abusers, unwanted files, phishers, spammers and script kiddies with clamav

Friday, August 12th, 2011

Clamav scanning shared hosting servers to catch abusers, phishers, spammers, script kiddies etc. logo

I’m responsible for some GNU/Linux servers which are shared hosting and therefore contain plenty of user accounts.
Every now and then our company servers gets suspended because of a Phishing websites, Spammers script kiddies and all the kind of abusers one can think of.

To mitigate the impact of the server existing unwanted users activities, I decided to use the Clamav Antivirus – open source virus scanner to look up for potentially dangerous files, stored Viruses, Spammer mailer scripts, kernel exploits etc.

The Hosting servers are running latest CentOS 5.5. Linux and fortunately CentOS is equipped with an RPM pre-packaged latest Clamav release which of the time of writting is ver. (0.97.2).

Installing Clamav on CentOS is a piece of cake and it comes to issuing:

[root@centos:/root]# yum -y install clamav
...

After the install is completed, I’ve used freshclam to update clamav virus definitions

[root@centos:/root]# freshclam
ClamAV update process started at Fri Aug 12 13:19:32 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
WARNING: getfile: daily-13357.cdiff not found on remote server (IP: 81.91.100.173)
WARNING: getpatch: Can't download daily-13357.cdiff from db.gb.clamav.net
WARNING: getfile: daily-13357.cdiff not found on remote server (IP: 163.1.3.8)
WARNING: getpatch: Can't download daily-13357.cdiff from db.gb.clamav.net
WARNING: getfile: daily-13357.cdiff not found on remote server (IP: 193.1.193.64)
WARNING: getpatch: Can't download daily-13357.cdiff from db.gb.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 13431, sigs: 173670, f-level: 60, builder: arnaud)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 144, sigs: 41, f-level: 60, builder: edwin)
Database updated (1019925 signatures) from db.gb.clamav.net (IP: 217.135.32.99)

In my case the shared hosting hosted websites and FTP user files are stored in /home directory thus I further used clamscan in the following way to check report and log into file the scan results for our company hosted user content.

[root@centos:/root]# screen clamscan -r -i --heuristic-scan-precedence=yes --phishing-scan-urls=yes --phishing-cloak=yes --phishing-ssl=yes --scan-archive=no /home/ -l /var/log/clamscan.log
home/user1/mail/new/1313103706.H805502P12513.hosting,S=14295: Heuristics.Phishing.Email.SpoofedDomain FOUND/home/user1/mail/new/1313111001.H714629P29084.hosting,S=14260: Heuristics.Phishing.Email.SpoofedDomain FOUND/home/user1/mail/new/1305115464.H192447P14802.hosting,S=22663: Heuristics.Phishing.Email.SpoofedDomain FOUND/home/user1/mail/new/1311076363.H967421P17372.hosting,S=13114: Heuristics.Phishing.Email.SpoofedDomain FOUND/home/user1/mail/domain.com/infos/cur/859.hosting,S=8283:2,S: Heuristics.Phishing.Email.SSL-Spoof FOUND/home/user1/mail/domain.com/infos/cur/131.hosting,S=6935:2,S: Heuristics.Phishing.Email.SSL-Spoof FOUND

I prefer running the clamscan in a screen session, because it’s handier, if for example my ssh connection dies the screen session will preserve the clamscan cmd execution and I can attach later on to see how scan went.

clamscan of course is slower as it does not use Clamav antivirus daemon clamd , however I prefer running it without running the daemon, as having a permanently running clamd on the servers sometimes creates problems or hangs and it’s not really worthy to have it running since I’m intending to do a clamscan no more than once per month to see some potential users which might need to be suspended.

Also later on, after it finishes all possible problems are logged to /var/log/clamscan.log , so I can read the file report any time.

A good idea might also be to implement the above clamscan to be conducted, once per month via a cron job, though I’m still in doubt if it’s better to run it manually once per month to search for the malicious users content or it’s better to run it via cron schedule.

One possible pitfall with automating the above clamscan /home virus check up, might be the increased load it puts to the system. In some cases the Webserver and SQL server might be under a heavy load at the exactly same time the clamscan cron work is running, this might possible create severe issues for users websites, if it’s not monitored.
Thus I would probably go with running above clamscan manually each month and monitor the server performance.
However for people, who have “iron” system hardware and clamscan file scan is less likely to cause any issues, probably a cronjob would be fine. Here is sample cron job to run clamscan:

10 05 01 * * clamscan -r -i --heuristic-scan-precedence=yes --phishing-scan-urls=yes --phishing-cloak=yes --phishing-ssl=yes --scan-archive=no /home/ -l /var/log/clamscan.log >/dev/null 2>&1

I’m interested to hear if somebody already is using a clamscan to run on cron without issues, once I’m sure that running it on cron would not lead to server down-times, i’ll implement it via cron job.

Anyone having experience with running clamscan directory scan through crond? 🙂

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Linux, System Administration, Web and CMS | 2 Comments »

Newer Entries »