22 November 2005

Sony schützt seine Rechte - Per Rootkit! - Security Forum

Damn! I never thought I'd be bagging Sony for underhanded operations. However it's now proven that they (and most of the anti-virus world including Microsoft antispyware) have been playing with our innermost, and very private parts. (those that only get exposed in the shower)

here's how to suck the sony "thing" out of your computer. No thanks to me by the way. This is a cut and paste job to spread the wealth.

The makers of BoClean are the ones to thank, and/or bow down to. The link above takes you to some one called zitat, who's copied test from Kevin McAleavey's page. (I guess this makes me a third hand copier?)

Handyperson's guide to removal of SONY ROOTKIT!

BEFORE you read this, it's important to note that we're EXTREMELY busy right now with far more serious issues than the media's attention to the "SONY ROOTKIT" phenomenon, and that handling panicked people over this has consumed huge amounts of our time already to the detriment of more important issues. As we near release of BOClean 4.20, all of our attention is focused on that right now. Emails regarding this issue or instant messages will have to wait until AFTER Thanksgiving. Therefore, should you respond to this offering, please don't be offended if I don't have time to respond to those at this time. I encourage further discussion and possible corrections of the advice offered below, but am not in a position to assist owing to far more pressing urgencies. I hope folks will understand the difficult situation that I'm in.

Having found some time to go back and play with the SONY rootkit has been difficult to come by, and our attorneys have been unable to obtain a definitive answer from the justice department as to our creating a specific solution to the SONY "rootkit" problem. However, I have been told that I have a right to my opinion, and as long as I express this as "my opinion" and not that of our company, (I did this on my own time) I should be free to share a chuckle with folks as to the pathetic nature of this "rootkit." And in doing so, I can explain WHY I think it's pathetic as well! So let's have at it, folks can learn from my rant to follow how to take care of this all by themselves!

The "rootkit" indeed hides the uber-secret "$sys$filesystem" folder, which is a subfolder of the WINNT (NT and 2000) or WINDOWS (XP) "SYSTEM32" folder. The rootkit sadly, is UNABLE to hide itself from being accessed directly from a COMMAND PROMPT (found in the start menu/programs/accessories list).

So for chuckles, I opened a COMMAND prompt. I then went (on an XP box, NT and Win2000 would be a WINNT rather than WINDOWS) ...

CD\WINDOWS (enter)
CD SYSTEM32 (enter)
CD $sys$filesystem (enter)

Low and behold, on a machine infected by this, I got a PROMPT with $sys$filesystem present! (on an UNinfected machine, you'd get an error of "not found." Surprisingly, it let me HAVE it!) If this directory doesn't show, then you're NOT infected! You're finished right here.

IF $SYS$FILESYSTEM exists, then the first thing we'll want to do is lose the "cloak" and that is a file called ARIES.SYS ... this command will get rid of it, you can successfully delete it while it's running. It's NOT protected! Heh. This command loses the cloak:


Once you've done this, REBOOT!

At THIS point, you have done what everyone else (including antiviruses, Microsoft and everyone else) is going to do as their FINAL solution - you have successfully "uncloaked" and prevented any further possible exploits of your system. Color it done unless you're brave enough to continue. In going further, a COMPLETE removal is necessary. Here's what I discovered ...


After you've rebooted, some services (which are not really services) will run again, particularly the $sys$DRMServer. Trying NET STOP won't work as it's not REALLY a service. You'll get a system error. However, you can now SEE the files when you use the "My computer" file explorer and you'll be able to SEE the "$sys$filesystem" folder now under the SYSTEM32 folder.

You should now be able to move to the formerly-hidden $sys$filesystem folder and it should now be visible after the reboot.

BEFORE you do anything else, you now have to consider if you're brave enough to do manual registry editing, because if you remove anything else and don't clean up the registry, your CDROM and possibly your hard disk(s) *WILL* vanish if "crater.sys" and "$sys$cor.sys" are removed. So if you're uncomfortable with registry editing, STOP NOW! You're DONE!!!

If you do the CD\WINDOWS, CD SYSTEM32, CD $sys$fileystem trick again, you will note that two things that weren't there before will now appear. Those are $sys$DRMServer and $sys$parking. LEAVE THEM ALONE! And there are MORE back in the SYSTEM32 folder. Leave THOSE $sys$*.* files alone for now ALSO!

The $sys$DRMServer.exe file will still be running and cannot be stopped without registry removal and another reboot. So ON to the next step(s) ...


Because the rootkit modifies registry permissions, a TEMPORARY trick needs to be applied in order to be successful.

FIRST ... run REGEDT32 (*NOT* REGEDIT) and navigate down to the HKEY_LOCAL_MACHINE key. RIGHT click it and select PERMISSIONS from the dropdown menu.

Click on "everyone" and make sure that FULL CONTROL is checked before proceeding. After you're done, be SURE to come back here and UNcheck it or your machine will be at risk. This elevated privilege is required in order to successfully edit and/or delete the remains, and it's CRUCIAL that you reset this after you're done!

Use the FIND item to locate anything that matches "$sys$" ... there's going to be a PILE of them all over the place, and failure to carry out this portion of it will cause drives to no longer work!

Using FIND, have it search for $sys$ ... certain registry entries can simply be deleted, certain ones must be EDITED, and here's where it gets tricky ...

First things you'll encounter are under the HKEY_LOCAL_MACHINE files, under the SOFTWARE key ... you'll want to delete outright these three:

$sys$reference (right click, DELETE!)
ECDDiskProducers (byebye)
SONYBMG (hasta la vista!)

Then, as you continue to FIND more $sys$ items, BE CAREFUL! Some can be deleted, SOME HAVE TO BE EDITED!!! To find the next, simply hit the F3 key!

In "WBEM\WDM" you'll spot some UUID's and there will be crater.sys. Any such references that DON'T have IMAPI are safe to just delete. This will be the first one you encounter after the above. DELETE. Same for the one in WBEM\WDM\DREDGE ... DELETE!

This qwap also copies itself all over the "CurrentControlSet" keys, and does up ALL of them.

So next stop will be under various "ControlSet00x" keys. You'll stop at the "CoDeviceInstallers" ... for each "$sys$caj.dll" you encounter. On OUR lab rats, it was the first UUID entry and the last. Look for the $sys$caj.dll entry and remove ONLY that particular value for a UUID where it appears and do NOT touch anything else in there!


Next stop is the "Enum" area - IDE or SCSI depending on what you have. HERE, we need to EDIT rather than DELETE! Look for an entry on the right side that says "LowerFilters" ... DO NOT DELETE!!!!! You need to double-click on the "LowerFilters" name. That will bring up an EDIT screen.

In this EDIT screen, what you need to do is move the cursor up where it says "$sys$crater" and CAREFULLY remove that, and pull any lines below it up. NORMALLY the line below will be IMAPI.SYS but could be something else, and more following. The OBJECTIVE is to remove the $sys$crater ONLY and then pull the line below it up to where the crater.sys WAS. Objective is to leave everything ELSE intact and JUST lose $sys$crater!

Should you encounter a "LowerFilters" that *ONLY* contains "$sys$crater," then you can DELETE it, but usually the "LowerFilters" has another item. Make certain that the top item isn't blank!

Next stop in your search will result in "UpperFilters" and here, what you want to remove is "$sys$cor." If "$sys$cor is the ONLY entry, then you can delete that item. If there is anything ELSE in there, then you must edit OUT the "$sys$cor" as was done with "$sys$crater." Each system is different and thus the uncertainty here. You ONLY want to get rid of "$sys$crater" and "$sys$cor" and LEAVE EVERYTHING ELSE INTACT or your drives will vanish.

$sys$cor will show up in other places, under the name "ActiveChannel." You can DELETE that whole value too. ANY place where only $sys$cor or $sys$crater shows up as a value can be DELETED as LONG AS there are no other "dependencies" listed. If there are other items, you MUST edit OUT the $sys$whatever and LEAVE THE OTHERS INTACT by removing the entire line which contains either $sys$crater or $sys$cor ...

NEXT STOP, "ROOT" entries! You'll see the following KEYS which need to be deleted:


Just delete the entire KEYS themselves, so the above are GONE.

NEXT STOP, "SERVICES" entries! You'll see the following keys next:


Same deal as above ...

That completes the "CurrentControlSet" ... expect to go through a repeat of the above for EACH user's individual "ControlSet" until you've done them all. How many depends on how many "users" on the machine.

Once done, BE SURE TO GO BACK and CORRECT the security change to the registry that was necessary to do this - REMOVE the checkbox for "everybody" that granted "everyone" "FULL CONTROL." You DON'T want to leave that permission granted!

And finally, REBOOT!

When the system comes back up, GO to that $sys$filesystem folder and delete the remainder - you'll now have permissions to do so. And finally, wipe THESE files from your SYSTEM32 folder:


You're done!


1. Disable "autostart" (google for how)
2. Install BOClean (sorry, I *work* for a living and if I didn't, I wouldn't have KNOWN this answer.)

Permission granted to redistribute and expand upon, please include the original source though - Kevin McAleavey (kevinmca at nsclean.com), makers of BOClean. If I'm going to be sued for this, the least I've earned is credit for the answer.

And once again, I apologize if I'm unable to find time to respond to folks until after Thanksgiving, we're INSANELY busy here with far deeper things than this. Hopefully, if there are unanswered questions, some of the "helpers" who have already done this can step in and assist if folks delete the wrong thing and their CDROM is no more. Just a matter of CORRECT registry editing if that's the case.

(edited a second time, MORE typos fixed)

Kevin McAleavey support@nsclean.com (Makers of BOClean - BOClean means never having to do an HJT log again)

19 November 2005

SSH Login Attacks: "SSH Login Attacks"

An article by Jon Scully detailing a way to configure a system of "port knocking" designed for securing a port from attack by hiding it until a pattern of attempted connections occurs.
Using sudo: "Using sudo"

This site has much good stuff on it. :-)

This tutorial is the best I've yet found on the configuration and use of the sudo command in Linux.

30 October 2005

This page shows how to convert from using wbel linux updates to CentOS of the same version. The advantages are faster update releases and a larger number and faster speed of download mirror sites. It is essentially a snapshot of the above URL, and related comments on that page. Just in case the page dies and I need it. Please visit the link above for a better view of the original contents, complete with all links and details.

How do I migrate a system from WBEL (White Box Enterprise Linux) to CentOS?

Note: This process has been tested and reviewed on i686 platforms. I'm looking for a x86_64 tester and someone who wants to try on a i586 class system. {I tested it with x86_64 and i586, both worked ok (hughesjr)} It also works to move from RHEL-3 or Taolinux-1.0 to CentOS-3.

Migrating from WBEL-3 is a simple process. The procedures here are designed to laterally move your system from WBEL-3 to CentOS 3. The immediate benefits are numerous; timely updates of RHEL errata, developers are reachable, and active community support.

Each step below should be run as root and should be entered as a single command in a terminal window. Dynamically sized browser windows may wrap lines.

1) yum features a "clean" option that will clean up various things in the yum cache directory. This command is optional, but recommended.

Optionally Execute: yum clean

2) This step install the CentOS package signing key. To verify the authenticity of the CentOS 3 package signing key please see this FAQ item.

Execute: rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-3

3) This step installs the CentOS specific -release file; this obsoletes the package whitebox-release. (The whitebox-release package is automatically removed, so you need not concern yourself with it's removal).

Execute: rpm -Uvh http://mirror.centos.org/centos/3/os/i386/RedHat/RPMS/centos-release-3-5.3.i386.rpm


Note: Substitute x86_64 for i386 in the above statement to upgrade an x86_64 arch machine

4) This step installs the CentOS version of yum and a suitable yum.conf file.

Execute: rpm -Uvh http://mirror.centos.org/centos/3/os/i386/RedHat/RPMS/yum-2.0.8-1.centos.7.noarch.rpm

rpm -Uvh http://mirror.centos.org/centos/3/os/i386/RedHat/RPMS/centos-yumcache-3.1-0.20050526.3.noarch.rpm

rpm -Uvh http://mirror.centos.org/centos/3/os/i386/RedHat/RPMS/centos-yumconf-1-11.noarch.rpm


Note: in steps 3 and 4, the version numbers can change for the packages yum, centos-yumconf, centos-yumcache, and centos-release ... so open your web browser to http://mirror.centos.org/centos/3/os/i386/RedHat/RPMS/ and find the packages yum, centos-yumconf, centos-yumcache, and centos-release for the latest version information if the link doesn't work.

5) Depending on the version of your WBEL install, your existing yum.conf may have been moved to /etc/yum.conf-SAVE and the CentOS yum.conf placed in /etc or the CentOS specific yum.conf was installed as etc/yum.conf.rpmnew and your yum.conf was unaltered. If your original yum.conf file was NOT moved save your current yum.conf and replace it with the freshly installed CentOS yum.conf. For now just to get your system working with the default CentOS yum.conf. The following steps will get the CentOS yum.conf accessible by yum.

If Necessary:
cd /etc
mv yum.conf yum.conf.mysaved
cp yum.conf.rpmnew yum.conf
cd -

6) To verify that your yum.conf file is accurate and to see what packages yum wants to upgrade we strongly encourage you to use yum's list updates feature to display it's intentions before attempting to upgrade your system. NOTE: Version 2.0.x of yum will download many package headers as part of the update process. Yum is not downloading each package, so do not be alarmed by the amount of screen traffic yum is generating.

Optionally Execute: yum list updates

Execute: yum update

7) At this point your box is upgraded. A reboot is suggested (to verify the reboot process works and to use any new kernel that was installed). If you were previously using a custom yum.conf file you will want to add your custimization back to the current CentOs /etc/yum.conf file.

Performing this process will not remove or upgrade any packages where CentOS and Whitebox share the same version number. This allows you to "convert" your box to CentOS and subsequently use CentOS repositories for updates, etc.

We also recommend that you join the CentOS discussion and information mailing list.



Confirmation of steps
Just to confirm that these steps work - I have tested and moved a bunch of live production servers from wbel to Centos using these steps.

Another thing that you might want to keep in mind is that third part repositories that worked for WBEL will continue to work for Centos ( Dag, Kde-Redhat etc ) - however you will need to re-add them to the /etc/yum.conf file,


using up2date after the migration
Once the above mentioned Migration has run through you will need to replace the WhiteBox up2date with the Centos up2date systems ( they both use different setups ).

On a non-GUI machine the commands to achieve this replacement use these commands :
rpm -e up2date firstboot
yum install up2date

On a GUI based machine
rpm -e up2date up2date-gnome rhn-applet firstboot
yum install up2date up2date-gnome rhn-applet

( in most cases firstboot can be left out since its not going to be run anymore )

If you have problems - Ask on IRC


Migration to 3.4
I successfully used the above procedure to upgrade my WBEL 3 RS1 to CentOS 3.4, with the below modifications.

Step 3: Changed the url in the rpm command to use the 3.4 release package from -> http://mirror.centos.org/centos/3.4/os/i386/RedHat/RPMS/centos-release-3-4.2.i386.rpm

Step 4: Changed the url in the rpm command to use yum from the 3.4 distro -> http://mirror.centos.org/centos/3.4/os/i386/RedHat/RPMS/yum-2.0.8-1.centos.7.noarch.rpm

I also used the steps to reinstall up2date as suggested by z00dax in his comment.

Everything works great. And now I have timely updates.


Dealing with unwriteable filesystems
When upgrading from WBEL I ran into an issue with an unwritable NFS mount in /usr/local and the filesystem rpm, the second command shows how to exclude a path while manually installing so rpm doesn't barf on it.

[root@hiddenvalley RPMS]# rpm -Uvh filesystem-2.2.1-3.centos.1.i386.rpm
Preparing... ########################################### [100%]
1:filesystem ########################################### [100%]
error: unpacking of archive failed on file /usr/local: cpio: chown failed - Operation not permitted

[root@hiddenvalley RPMS]# rpm -Uvh --excludepath /usr/local filesystem-2.2.1-3.centos.1.i386.rpm
Preparing... ########################################### [100%]
1:filesystem ########################################### [100%]


Incorrect URLs for keys above!
The above article has the incorrect URL in step 2. The article currently says:

2) This step install the CentOS package signing key. To verify the authenticity of the CentOS 3 package signing key please see this FAQ item.

Execute: rpm --import http://mirror.centos.org/centos-3/RPM-GPG-KEY-CentOS-3

However, the correct URL for the CentOS-3 key is http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-3 .

Therefore, the correct command is:

rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-3


29 October 2005

Here is why server 2003 NTP agent w32tm doesn't work as expected.


09 October 2005

Yahoo Finance and others.

Share prices and info on listed Companies.

This site will parse and analyse your hijackthis log file and tell you what is good and bad in the entries.