Linux Command Line Magic by Peter Martin www.db8.nl / @pe7er

Linux Commandline Magic (JAB15)


DESCRIPTION

The Linux command line is a powerful tool. The majority of webservers run on Linux/Unix. Some hosting companies offer SSH access to their hosting environment. Via SSH you can login and use the Linux command line.

In this presentation Peter will show you some time saving command line commands that you can use for tasks regarding your Joomla websites:
* some basic SSH command line commands
* Analyzing & recovering a hacked website
* Backup a website
* Finding unused files
* Setting up a test environment (using Vagrant & Docker)


  • Linux Command Line Magic

    by Peter Martin www.db8.nl / @pe7er

  • Linux Command Line Magic

    1. Introduction

    2. Commands

    3. Basics

    4. Connecting

    5. Scripts

    6. Backup

    7. Finding Files

    8. Recover hack

    9. In a Box

  • 1. Introduction

  • Linux

    Cross-platform operating system

    Open Source & Free

    Very stable

    Multi user, multi tasking

    Popular: majority of Internet servers

    Origin: Minix (Unix-like operating system)

  • Distributions

    Debian (.deb): Debian, Ubuntu

    Red Hat (.rpm): Fedora, CentOS

    Other: Slackware, Arch Linux, Gentoo

  • Unix

    Commercial: BSD/OS, Solaris, Mac OS

    Free: FreeBSD, NetBSD, OpenBSD

  • 2. Commands

  • man

    On-line reference manuals: man man

  • ls

    List directory contents: ls -al

    List devices: lsusb, lspci, lsmod

  • mkdir

    Make directory: mkdir jab15

    (rmdir = remove directory)

  • cd

    Change directory: cd jab15

    cd ..

    cd ~

    cd /var/www/

  • cat

    Display file (= concatenate files & print): cat configuration.php

  • nano

    Edit file: nano configuration.php

  • cp

    Copy file: cp somefile.txt newcopiedfile.txt

  • mv

    Move file: mv newcopiedfile.txt new-copied-file.txt

  • rm

    Remove file/directory (be careful!): rm /var/www/joomla-cms/configuration.php

    rm -R /var/www/joomla-cms/installation

  • chmod

    Change permissions: sudo chmod +x somescript.sh

  • chown

    Change ownership: sudo chown someone:group example_file.txt

  • 3. Basics

  • Files

    Linux = everything = file

    Files are us

  • Files / folders

    Access rights: permissions read (4), write (2), and execute (1)

    Ownership on 3 levels:

    Owner: username / name of process (e.g. Apache = www-data)

    Group: users assigned to the same group have the same permissions

    Public

  • File

    -rw-r--r-- 1 peter pc 1174 Nov 7 15:50 example_file.txt

    read (4), write (2), execute (1)

    owner rw- = r(4)+w(2) = 6

    group r-- = r(4) = 4

    public r-- = r(4) = 4

    = 644
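The 644 calculation from the slide above, as an added example that is not part of the original deck: a small POSIX sh function that sums each rwx triplet of an ls -l mode string into the octal number chmod takes, plus the check a webroot review cares about (is the file writable by everyone?).

```shell
#!/bin/sh
# Added example (not from the slides): turn the symbolic mode that "ls -l"
# prints, e.g. -rw-r--r--, into the octal number that chmod expects (644).
# Each triplet (owner, group, public) is summed as r=4, w=2, x=1.
mode_to_octal() {
    mode="$1"          # 10 characters: file type + three rwx triplets
    result=""
    i=2                # position 1 is the file type (-, d, l), skip it
    while [ "$i" -le 8 ]; do
        triplet=$(printf '%s' "$mode" | cut -c "$i-$((i + 2))")
        value=0
        case "$triplet" in r??) value=$((value + 4)) ;; esac
        case "$triplet" in ?w?) value=$((value + 2)) ;; esac
        case "$triplet" in ??[xst]) value=$((value + 1)) ;; esac  # s/t: setuid/sticky with exec
        result="$result$value"
        i=$((i + 3))
    done
    printf '%s\n' "$result"
}

# A file whose public triplet contains w can be modified by any user on the
# box, which is exactly the kind of file an intruder plants code in.
is_world_writable() {
    case "$1" in ????????w*) return 0 ;; *) return 1 ;; esac
}

# Usage: mode_to_octal -rw-r--r--   prints 644
```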

  • Users

    Regular users: username@computer:~$

    Root user: root@computer:~#

    Who am I? whoami

    Change user: su some_username

    su root, or just su

  • Run command

    Command + parameters

    Run sh script: sh somescript.sh, or set permissions to executable and run ./somescript.sh

    Run a command as root: sudo [command]

  • Basics

    ~ tilde = home directory (sort of "My Documents")

    cd ~

    > greater-than sign = write output to a new file

    ls -al > file-with-list-of-directory.txt

    >> double greater-than = append output to an existing file

    ls -al ~ >> file-with-list-of-directory.txt

  • Basics

    | pipe = chain commands

    ls | less

    peter@example.com:/var/www/joomla-cms$ cat configuration.php | grep password

    public $password = 'my-secret-db-password';

  • Symbolic links

    Create symbolic link: ln -s [TARGET DIR/FILE] [SHORTCUT]

    peter@computer:~$ ln -s /var/www/joomla-cms joomla-test

    peter@computer:~$ ls -al
    drwxr-xr-x 2 peter pc 4096 Oct 26 20:34 .
    drwxr-xr-x 56 peter pc 4096 Oct 26 19:29 ..
    -rw-r--r-- 1 peter pc 0 Nov 7 15:50 example_file.txt
    lrwxrwxrwx 1 peter pc Nov 7 15:50 joomla-test -> /var/www/joomla-cms

  • 4. Connecting

  • Terminal

    Text terminal: TTY = TeleTYpewriter

  • Terminal

    Windows Client program for SSH: PuTTY

    Mac OSX Built in Terminal

    Linux Built in Terminal Emulator

  • SSH

    Secure Shell: uses public-key cryptography (authentication & secure data communication)

    peter@computer:~$ ssh peter@example.com

  • SSH

    peter@computer:~$ ssh peter@example.com

    The authenticity of host 'example.com (93.184.216.119)' can't be established.
    RSA key fingerprint is 10:51:ab:f5:d7:[..]:17:16:1f:22:33.
    Are you sure you want to continue connecting (yes/no)? yes

    (Compare the fingerprint with the one your hosting provider published before answering yes; the key is stored in ~/.ssh/known_hosts and checked on every later connection.)

    Warning: Permanently added 'example.com,93.184.216.119' (RSA) to the list of known hosts.
    peter@example.com's password:

    peter@example.com ~ $

  • Keyless login

    Generate public/private rsa authentication key pair:

    $ ssh-keygen -t rsa

    On computer: private key: ~/.ssh/id_rsa

    public key: ~/.ssh/id_rsa.pub

    Install public key on the server: ssh-copy-id peter@example.com

  • 5. Scripts

  • Automation

    Automate repetitive tasks

    Automate a bunch of commands, use variables & input / output

    Automatic automation based on time? Crontab (aka cronjob)

  • Shell vs bash

    Shell: the Bourne shell (sh) command-line interpreter

    Scripts start with: #!/bin/sh

    Often a symbolic link to bash

    Bash: Bourne-again shell, free replacement for the Bourne shell (sh) with more features and better syntax

    Scripts start with: #!/bin/bash

  • Dash?

    On Ubuntu/Debian:

    ~$ ls -al /bin/sh

    lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash

    = Debian Almquist shell = default for /bin/sh

    Bash is the default login shell for interactive use

  • Example

    Example.sh

    #!/bin/bash
    # declare STRING variable
    STRING="Hello Joomla!"
    # print variable on a screen
    echo "$STRING"

  • 6. Backup

  • Backup files

    Remote synchronization: rsync from source to destination

    $ rsync -arv peter@example.com:~/joomla-cms/ /var/www/joomla-cms-backup/

    (source = username @ server : folder, destination = local folder)

  • Backup database

    MySQL Dump

    $ mysqldump -u username -p dbname > some-sql-outputname.txt

  • 7. Finding Files

  • Search

    find: find files

    locate: find files quicker (uses a stored database)

    whereis: locates source/binary and manuals

    which: returns the pathname of a command

  • Lost files

    Find specific file: find /var/www/ -name configuration.php

  • Biggest files

    Show 15 biggest files: $ find . -type f -exec du -Sh {} + | sort -rh | head -n 15

  • Recent new files

    Created in last 7 days: find . -type f -ctime -7

    (-ctime tests the inode change time; Linux find has no creation-time test, so this also lists files whose permissions or ownership changed)

  • Recent edited files

    Changed between 7 and 3 days ago: find . -type f -mtime -7 ! -mtime -3

  • Unused images

    Scan for unused images: 1. create SQL dump & 2. compare files in /images/ with the SQL dump

    Script "jfindfiles" from Rene Kreijveld: https://gist.github.com/renekreijveld/

  • 8. Recover Hack

  • Recover Hack

    Backup current situation (see 6. Backup)

    Analysis: hacked files, server log files

    Remove vulnerability

    Clean files

  • Find: new files (last 10 days)

    find images/ -name "*.php" -mtime -10

    New files during hacker activity: find . -type f -newermt 2014-03-09 ! -newermt 2014-03-11

    file date & time can be modified....

  • Find: search for hacker scripts

    grep -r "eval" /var/www/joomla-cms | grep "base64_decode"

    can be concealed...
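The two "Find" slides above (PHP in images/, and eval combined with base64_decode) as one added triage helper; this is example code, not part of the original deck. It runs against a constructed sample webroot built in a temp directory so it works offline, and it widens the decoder list to gzinflate, gzuncompress and str_rot13, which are the usual ways the base64 call gets concealed.

```shell
#!/bin/sh
# Added example (not from the slides): apply the deck's "Recover hack" checks
# to a webroot in one go. Timestamps can be forged (the slides say so), so the
# content check does not rely on -mtime; it looks for the shape of a dropped
# web shell: eval() fed by a decoder such as base64_decode or gzinflate.

# PHP files under images/: uploads should be data, never executable code.
php_in_images() {
    find "$1/images" -type f -name '*.php' 2>/dev/null | sort
}

# PHP files that call eval( and also a decoder/obfuscator function.
# Both tests are applied per file; the deck's "grep | grep" filters lines,
# which misses a decoder call on a different line than the eval.
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -l -E 'eval *\(' {} + 2>/dev/null \
      | while IFS= read -r f; do
            if grep -q -E 'base64_decode|gzinflate|gzuncompress|str_rot13' "$f"; then
                printf '%s\n' "$f"
            fi
        done | sort
}

# Constructed sample webroot (not real data) so the example runs offline.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/images/stories" "$root/libraries"
    printf '<?php echo "hello";\n' > "$root/index.php"
    printf 'GIF89a\n' > "$root/images/logo.gif"
    # legitimate eval without any decoder: must not be flagged
    printf '<?php eval("return 1;");\n' > "$root/libraries/helper.php"
    # decoder without eval (e.g. an image helper): must not be flagged
    printf '<?php $img = base64_decode($data);\n' > "$root/libraries/image.php"
    # the pattern the deck greps for, dropped where PHP does not belong
    printf '<?php eval(base64_decode("PAYLOAD-PLACEHOLDER"));\n' \
      > "$root/images/stories/x.php"
    printf '%s\n' "$root"
}

# Usage: root=$(make_sample_webroot); suspicious_php "$root"; rm -rf "$root"
```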

  • NeoPi

    Detection of hidden web shell code. Needs Python 2.6

    Install:

    $ git clone https://github.com/Neohapsis/NeoPI.git

    Run:

    $ /var/www/NeoPI/neopi.py -Aa /var/www/joomla-cms

  • 9. In a box

  • VirtualBox

    Computer within computer

    Download: https://www.virtualbox.org/

    Start VirtualBox

    Install operating system, e.g. using an .iso image. Installing takes a lot of time

  • Vagrant

    Creating and configuring virtual development environments: wrapper around virtualization software

    Download: http://www.vagrantup.com/

    Install on Debian Linux:

    $ sudo dpkg -i vagrant_1.5.2_x86_64.deb

  • Vagrant

    Use Vagrant: folder + configuration file Vagrantfile

  • Vagrant Cloud

    Ready-built virtual environments

    Find ready made environment: https://vagrantcloud.com/

    e.g. Debian 7 64 bit: https://vagrantcloud.com/chef/boxes/debian-7.8

    Install Vagrant Box:

    $ vagrant box add chef/debian-7.8

  • Install Vagrant Box

    Folder for each project, e.g. ~/Vagrant/jab15

    Initialize Vagrant Box:

    $ vagrant init chef/debian-7.8

    Configuration: Vagrantfile

    config.vm.box = "chef/debian-7.8"
    config.vm.network "forwarded_port", guest: 80, host: 8080

  • Vagrant Box

    Start Vagrant Box

    $ vagrant up

    Log in on Vagrant Box

    $ vagrant ssh

  • Apache

    Manual installation: $ sudo apt-get install apache2

    Start/stop/restart:
    $ sudo service apache2 start
    $ sudo service apache2 stop
    $ sudo service apache2 restart

    Installation mod rewrite: $ sudo a2enmod rewrite

  • Apache

    Mod Rewrite not working? $ sudo nano /etc/apache2/sites-enabled/000-default

    Change AllowOverride None to AllowOverride All

    Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName

    $ echo "ServerName localhost" | sudo tee /etc/apache2/conf.d/fqdn

  • Apache ownership issues

    Run Apache under user vagrant (not on live site!)

    $ sudo nano /etc/apache2/envvars

    export APACHE_RUN_USER=vagrant
    export APACHE_RUN_GROUP=vagrant

    Restart Apache error? $ sudo rm -R /var/lock/apache2

    Assign webroot & files to user vagrant: $ sudo chown -R vagrant:vagrant /var/www/

  • Server Script PHP

    Installation PHP + MySQL part: $ sudo apt-get install php5 php5-mysql mysql

    Test: $ sudo nano /var/www/test.php

  • Database GUI phpMyAdmin

    Installation: $ sudo apt-get install phpmyadmin

    Browser: http://localhost:8080/phpmyadmin/

  • Joomla

    Installation: $ sudo wget https://github.com/joomla/joomla-cms/releases/download/3.4.1/Joomla_3.4.1-Stable-Full_Package.zip

    Unzip: $ sudo unzip Joomla_3.4.1-Stable-Full_Package.zip

    Browser: http://localhost:8080/joomla/

  • Check out...

    Linux Containers: https://linuxcontainers.org/

    one box per application & connect boxes

    Docker: https://www.docker.com/

  • Conclusion

    1. Introduction

    2. Commands

    3. Basics

    4. Connecting

    5. Scripts

    6. Backup

    7. Finding Files

    8. Recover hack

    9. In a Box

  • Questions?

    Peter Martin

    e-mail: info at db8.nl

    website: www.db8.nl

    twitter: @pe7er

    Presentation: http://www.db8.nl

  • Used Photos

    Title sheet:

    Magic Wand - Open Clip Art Library, 2011: http://commons.wikimedia.org/wiki/File:Magic_Wand.svg

    GNU Linux - "Wipes Windows in seconds!": http://www.schnews.org.uk/images/560-linux-large.jpg

    Raspberry Pi - Switched On Tech Design: http://www.sotechdesign.com.au/raspberry-pi-has-arrived/

    Wikimedia Servers-0051 16 - Helpameout, 2012: http://commons.wikimedia.org/wiki/File:Wikimedia_Servers-0051_16.jpg

    1. Computer / General: IBM Electronic Data Processing Machine - GPN-2000-001881, NASA, 1957: http://upload.wikimedia.org/wikipedia/commons/2/20/IBM_Electronic_Data_Processing_Machine_-_GPN-2000-001881.jpg

    2. Basics: Lego Color Bricks - Alan Chia, 2007: http://commons.wikimedia.org/wiki/File:Lego_Color_Bricks.jpg

  • Used Photos

    3. Commands:

    US Navy 110913-N-DR144-348 Rig Captain Boatswain's Mate 2nd Class Christopher Cook gives orders as deck department Sailors launch a rigid hull infl - James R. Evans, 2011: http://commons.wikimedia.org/wiki/File:US_Navy_110913-N-DR144-348_Rig_Captain_Boatswain%27s_Mate_2nd_Class_Christopher_Cook_gives_orders_as_deck_department_Sailors_launch_a_rigid_hull_infl.jpg

    CPM-Manual - Hubert Berberich, 2011: http://commons.wikimedia.org/wiki/File:CPM-Manual.jpg

    Red Book Dec 1915 Contents Page - Red Book Corporation, 1915: http://commons.wikimedia.org/wiki/File:Red_Book_Dec_1915_Contents_Page_-_Unbaited_Trap.jpg

    Archive boxes 2 - Effeietsanders, 2009: http://commons.wikimedia.org/wiki/File:Archive_boxes_2.JPG

    Touch to exit - Tom Rolfe, 2007: http://commons.wikimedia.org/wiki/File:Touch_to_exit.jpg

    Neon sign, "CHANGE" - Felix Burton, 2005: http://commons.wikimedia.org/wiki/File:Neon_sign,_%22CHANGE%22.jpg

    Cat November 2010-1a - Alvesgaspar, 2010: http://commons.wikimedia.org/wiki/File:Cat_November_2010-1a.jpg

    CSIRO ScienceImage 1342 Nanotechnology - division, CSIRO, 2003: http://commons.wikimedia.org/wiki/File:CSIRO_ScienceImage_1342_Nanotechnology.jpg

    Xerox Phaser 4600 - JackPotte, 2012: http://commons.wikimedia.org/wiki/File:Xerox_Phaser_4600.png

  • Used Photos

    Long Distance Movers - RoadWay Van Lines, 2014: http://commons.wikimedia.org/wiki/File:Long_Distance_Movers.jpg

    Vuilnisbak-Lebbeke - Volkov Vitaly, 2005: http://commons.wikimedia.org/wiki/File:Vuilnisbak-Lebbeke.JPG

    TRTC Taipei Main Station No-bicycle-access notice - Solomon203, 2013: http://commons.wikimedia.org/wiki/File:TRTC_Taipei_Main_Station_No-bicycle-access_notice_20130324.jpg

    Prva samopostrežna trgovina v Mariboru na Partizanski cesti 1960 - Joe Gal, 1960: http://commons.wikimedia.org/wiki/File:Prva_samopostre%C5%BEna_trgovina_v_Mariboru_na_Partizanski_cesti_1960_(1).jpg

    4. Connecting:

    Switchboard Manual - Peel Conner, Geez-oz, 2012: http://commons.wikimedia.org/wiki/File:Switchboard_Manual_-_Peel_Conner.JPG

    Bundesarchiv Bild 183-2008-0516-500, Fernschreibmaschine mit Telefonanschluss - Illger, Willi, 1930: http://commons.wikimedia.org/wiki/File:Bundesarchiv_Bild_183-2008-0516-500,_Fernschreibmaschine_mit_Telefonanschluss.jpg

    5. Scripts:

    Binary Code - Cncplayer, 2013: http://commons.wikimedia.org/wiki/File:Binary_Code.jpg

  • Used Photos

    6. Finding Files:

    Postcards and magnifying glass - Anna, 2007: http://commons.wikimedia.org/wiki/File:Postcards_and_magnifying_glass.jpg

    Bundesarchiv Bild 183-M0125-421, Fundbüro in Berlin - Klaus Franke, 1973: http://commons.wikimedia.org/wiki/File:Bundesarchiv_Bild_183-M0125-421,_Fundb%C3%BCro_in_Berlin.jpg

    DARPA Big Data - DARPA, 2013: http://commons.wikimedia.org/wiki/File:DARPA_Big_Data.jpg

    Magnifying glass - Faberge - shakko, 2011: http://commons.wikimedia.org/wiki/File:Magnifying_glass_-_Faberge.jpg

    Magnifying glass on antique table - Stéphane Magnenat, 2008: http://commons.wikimedia.org/wiki/File:Magnifying_glass_on_antique_table.jpg

    Unused Phonebooks - David Shankbone, 2013: http://commons.wikimedia.org/wiki/File:Unused_Phonebooks.JPG

    7. Backup:

    IBM 7330 on white background - Crisco 1492, 2013: http://commons.wikimedia.org/wiki/File:IBM_7330_on_white_background.jpg

  • Used Photos

    8. In a box:

    Carton empty box - humusak2: http://www.freeimages.com/photo/1440365

    Virtualbox logo - Oracle Corporation, 2010: http://en.wikipedia.org/wiki/File:Virtualbox_logo.png

    Vagrant - Fco.plj, 2013: http://en.wikipedia.org/wiki/File:Vagrant.png

    9. Recover hack:

    Youve-been-hacked - Hanonen, 2014: http://commons.wikimedia.org/wiki/File:Youve-been-hacked.jpg

    Conclusion:

    EquinoxeJuniorHighPac-Man - Equinoxe, 2012: http://www.c64-wiki.com/index.php/File:EquinoxeJuniorHighPac-Man.png
