112 Chapter 3 • System Scanning and Probing You can learn more about the currently available antivirus products at www.cn.is.fh-furtwangen.de/~link/security/av-linux_e.txt. As of this writing, the Packetstorm site has an extensive collection of antivirus applications at http://packetstorm.securify.com/viral-db/avp-linux. Using AntiVir As with any other virus scanner, AntiVir can do the following: ■ Check the system’s boot record. ■ Search directories and subdirectories. ■ Automatically delete infected files. ■ Save scans into a log file. ■ Use an internal scheduler, or an external scheduler, such as at or cron. ■ Scan NFS-mounted drives. ■ Delete infected files. ■ Move infected files to a central “quarantine” area of your own choosing. AntiVir scans the files you specify using its virus definition file, which is located at /usr/lib/AntiVir/antivir.vdf. Run without arguments, AntiVir will scan only the current directory. For a more extensive scan, you must specify arguments to change this default behavior. For example, to have AntiVir scan the /var/log/ directory, you would have to issue the following command: antivir /var/log -s -allfiles -s -nolnk -r4 You can review all of the command-line options by issuing the antivir -h command, which is handy when you have forgotten exactly how to use the pro- gram. Figure 3.1 shows all of the command-line options available to you. Table 3.1 lists some of the more relevant arguments to AntiVir. Table 3.1 AntiVir Options Argument Description -allfiles Scans all files in the directory. -z Scans archived files. -onefs Scans only locally mounted drives (does not scan NFS-mounted drives). www.syngress.com Continued 138_linux_03 6/20/01 9:35 AM Page 112 System Scanning and Probing • Chapter 3 113 -del Removes infected files. -r4 Places AntiVir into verbose mode, which means that you will be able to see extensive output. If you choose to save logs of the scan, your logs will also contain this information. -ro Overwrites the existing log file. -ra Appends new scan information to the existing log file. -rf Allows you to specify the location and name of the log file (e.g., /root/antivirlog.txt). -s Recursively scans all subdirectories. www.syngress.com Figure 3.1 Command-Line Arguments Table 3.1 Continued Argument Description 138_linux_03 6/20/01 9:35 AM Page 113 114 Chapter 3 • System Scanning and Probing Key Mode and Non-Key Mode AntiVir is sold by a for-profit company, and it gives you some licensing options when running the program. First, you can run the program without any license at all.This will place the program into “non-key mode,” which limits the pro- gram so that the -s, -nolnk, and -onefs options will not work. Consequently, you will not be able to, for example, tell AntiVir to search the entire drive by issuing the following command: antivir / -s -allfiles -s -nolnk -r4 Licensing AntiVir If you plan to use this application for private use, you can download and install the program, and then apply for a private license at www.antivir.de/order/ privreg/order_e.htm. Eventually, you will receive a license file named hbedv.key. Once you have this license, you must place it in the /usr/lib/AntiVir directory. Once you start (or restart) AntiVir, you can use all of the options the program has to offer. Exercise: Updating AntiVir An antivirus application is only as useful as its virus definition file. If you are run- ning in non-key mode, you cannot install any updates for AntiVir.Those who legally obtain and use the private license are entitled to one update every two months. If you purchase AntiVir, you can obtain daily updates. To obtain an update, go to www.hbedv.com/download/download.htm and download the appropriate .vdf file for your application. Once you obtain a key, place it in the /usr/lib/AntiVir/ directory. Installing version 6.6.0.0 of AntiVir is simplicity itself.This exercise assumes that you have already downloaded and registered AntiVir. 1. Create a directory named antivir. 2. Obtain the file named avlxsrv.tgz from the CD that accompanies this book and place it in the antivir directory. Normally, when a tarball is unzipped, the package will create its own directory. However, this isn’t the case with AntiVir.You can also install the Red Hat Packet Manager (RPM) if you wish. 3. Issue the following command: tar -zxvf avlxsrv.tgz. www.syngress.com 138_linux_03 6/20/01 9:35 AM Page 114 System Scanning and Probing • Chapter 3 115 4. Several files will be generated, including the install.sh script. Issue the following command, exactly as shown: ./install.sh 5. The preceding command tells the system to run the install.sh script. Upon doing so, you will see that the program creates the /usr/lib/ AntiVir directory.You will be asked if you want to create a symbolic link (the program uses the word symlink. Press y to indicate yes.The symbolic link this creates is from the /usr/lib/AntiVir/antivir directory to the /usr/bin directory. Establishing this symbolic link allows AntiVir to start without you having to enter the entire path (e.g., /usr/bin/antivir). NOTE A symbolic link is similar to a Windows shortcut, although more powerful. It is a reference to another file system object on any file system (on the local system or on another network) supported by Linux. In Unix, you can create a symbolic link that leads to a binary by using the ln -s command: ln -s existingItem newItem 6. You have now installed AntiVir. However, you still cannot use all of AntiVir’s options. Now, open a browser and go to www.antivir.de/ order/privreg/order_e.htm. 7. Enter the relevant information, and then order your key.The key will be sent to you in a few minutes. 8. Once you obtain the key, copy it to the /usr/lib/AntiVir/ directory. Now, scan your local directory for a virus by issuing the following command: antivir 9. The system will load its file (/usr/lib/AnviVir/antivir.vdf), and then scan the directory. In all likelihood, it will find nothing. Now, scan all files and all subdirectories in your home directory: antivir /root -allfiles -s www.syngress.com 138_linux_03 6/20/01 9:35 AM Page 115 116 Chapter 3 • System Scanning and Probing 10. Thus far,AntiVir hasn’t been very forthcoming about what it finds. Also, notice how all output goes onto the screen, rather than to a log file.You can change this by issuing the following command: antivir ~ -allfiles -s -r4 -rf/log.txt -ro This command has AntiVir go into verbose mode, and then deposit all of its standard output into a file in your current directory named log.txt.The -ro command will erase any file named log.txt and replace it with what it finds. If you want to append information to the end of the log.txt file, instead of overwriting it, use the -ra option. 11. The following command, for example, searches the var/spool/ directory, which can contain mail files: "/var/spool/*" -s -rf/log.txt -ro 12. Now, change to the /etc/cron.daily directory. 13. Using a text editor such as vi or pico, create a file named antivir.cron, and enter the following code: #!/bin/sh antivir / -allfiles -s -r4 -rf/root/log.txt -ro This command has crontab run AntiVir so that it scans the entire hard drive for viruses, and then creates a log file named log.txt in the /root directory. Because you have created this cron entry in the /etc/cron.daily/ directory, the job will be run every day. To learn more about AntiVir options, consult the README file that comes with the program.You can also learn more about the program by typing antivir -h and scrolling through the options. Using TkAntivir The command-line interface is very useful when you want to administer the system quickly, or when you have to remotely administer a system using SSH or Telnet. However, a rather elegant GUI front end called TkAntivir is available for free at the Geiges Software Training and Consulting Web page at www.geiges.de/ tkantivir or from the accompanying CD (tkav.gz or the equivalent tkantivir-1.30- 1.i386.rpm. When you download TkAntivir, make sure that you obtain the version that supports your language.The program was developed in Germany, and if you are www.syngress.com 138_linux_03 6/20/01 9:35 AM Page 116 System Scanning and Probing • Chapter 3 117 not careful, you will install the German language version, rather than the English version. Required Libraries and Settings Before you try to install TkAntivir, you must have the following libraries and settings: ■ Tcl/Tk version 8.x or higher Most systems already have Tcl/Tk installed, but you may have to upgrade the version on your system. A default installation of Red Hat 7.0 has adequate versions of this library already installed. ■ A resolution of at least 800 x 600 You may have to run Xconfigurator or XF86Setup to reconfigure your X settings. NOTE Although TkAntivir is designed to run in any X-Windows environment, it runs best in KDE, which is not surprising, since the KDE interface was first developed in Germany. The application runs on the Gnome desktop as well. You can download Gnome at www.gnome.org. If you are run- ning certain versions of the Blackbox window manager, TkAntivir will go through the loading procedure, but will not run. Try running KDE or Gnome to solve this problem. You have the option of installing TkAntivir using tarball or RPM packages. In this particular instance, Red Hat systems seem to respond better to the RPM. Scanning Systems for Boot Sector and E-Mail Viruses The TkAntivir interface, shown in Figure 3.2, is relatively intuitive and allows you to concentrate on what you want AntiVir to do, as opposed to getting the com- mand-line syntax correct.The Scanning options section allows you to specify the path you wish to search.You can also use this section to search only for certain file types, which is useful when scanning e-mail spooling directories for suspect attachments.The Options section allows you to skip checking the system boot www.syngress.com 138_linux_03 6/20/01 9:35 AM Page 117 118 Chapter 3 • System Scanning and Probing record and symbolic links, which helps the scan finish faster, because it won’t have to scan the same file repeatedly.This section also allows you to specify whether you want to search for compressed files (e.g., files compressed by zip or gzip).Verbose scan mode allows you to receive more information in your log file. The Repair options section allows you to determine what AntiVir will do when it finds a virus. Notice that it is set to ignore by default, which is wise.Virus applications, like any scanning or monitoring application, are susceptible to false positives, which are instances when an application identifies a perfectly benign file, process, or activity as somehow threatening. If you tell AntiVir to delete any file that it thinks is defective, and AntiVir makes a mistake, you may end up deleting an important system file, or removing a user’s important report. Either way, you could cause problems for yourself if you automate file removal. Finally, the Macro repair options section allows you to determine what will be done with macros created by various applications, including Microsoft Word. If, for example, you have a Linux server acting as a file and print server, you may want to consider some of these options. Again, remember that mistakenly deleting files can cause serious problems because Unix/Linux has no native undelete facility. www.syngress.com Figure 3.2 The TkAntivir Interface 138_linux_03 6/20/01 9:35 AM Page 118 System Scanning and Probing • Chapter 3 119 The Scan icon, at the upper-left portion of the interface, allows you to acti- vate the settings you enter.The Scheduler icon brings up the Scheduler interface, shown in Figure 3.3. From here, you can: ■ Choose the path that a particular job will scan. You can also include subdirectories. ■ Tell AntiVir when it should run. You can schedule a one-time event, or schedule AntiVir to run every day, every week, or after a cer- tain number of days. Figure 3.3 shows that a job is scheduled to run at 2:00 A. M. each week.The job will run on Monday of each week. If you click Single Events, you will be able to configure AntiVir to run at a certain time on the same day, or the next day, or after a certain number of days. Once you are finished configuring the time, you can then click Add a Job.You can also review and update existing jobs, simply by highlighting the existing job and then clicking either Job Info or Update. The Report Viewer icon allows you to view reports generated earlier, or reports generated on other systems. Once you click this icon, you will see the www.syngress.com Figure 3.3 Scheduling a Scan 138_linux_03 6/20/01 9:35 AM Page 119 120 Chapter 3 • System Scanning and Probing Open dialog box, shown in Figure 3.4. Once this dialog box opens, you can then navigate to the log file you want to read, and then open it. Additional Information The Preferences tab allows you to change the location of AntiVir binary, the TkAntivir files, or the log file.The AntiVir and VDV info file allows you to deter- mine when it is time to download and install a new .vdf file. Now that you are familiar with the requirements for TkAntivir, it is time to install and use it. Exercise: Using TkAntivir 1. Make sure that you have all of the required libraries. Review this section for more details. 2. Verify that you have 800 x 600 resolution. Consult your man pages for Xconfigurator or XF86Setup.You can also directly edit your X- Windows configuration file (XF86Config). 3. Download and install TkAntivir from www.geiges.de/tkantivir. Although your situation may vary, the RPM file works best on Red Hat systems. Once you obtain the RPM file, check its MD5 signature, and then install it using the rpm -ivh command. www.syngress.com Figure 3.4 The Open Dialog Box in TkAntivir 138_linux_03 6/20/01 9:35 AM Page 120 System Scanning and Probing • Chapter 3 121 4. Enter the following command to create a log file directory off of the /usr/lib/AntiVir/log/ directory: mkdir /usr/lib/AntiVir/log/ 5. Once you install TkAntivir, run the program by issuing the tkantivir command. 6. You will see a dialog box informing you that the configuration is not complete. Click OK to bring up the configuration window. Enter the information shown in Figure 3.5. Make sure that you enter this text exactly as shown—Linux systems are always case sensitive. 7. Click OK.You will see the splash screen shown in Figure 3.6. 8. You will then see the main interface. If you do not see this interface, either you need to use KDE or Gnome, or you need to change your monitor resolution. www.syngress.com Figure 3.5 Setting Preferences for TkAntivir Figure 3.6 The TkAntivir Splash Screen 138_linux_03 6/20/01 9:35 AM Page 121 [...]... signatures Once the application conducts the scan, it compares the information it obtains from the scanned host and compares it to its database.The creators of Nmap spend a great deal of time trying to keep this feature as up to date as possible by making sure that Nmap’s signature database is current One of the ways that Nmap accomplishes operating system guessing is that it understands how each particular... information at www.insecure.org Using NmapFE as a Graphical Front End You are not limited to a command-line interface.The Nmap Front End (NmapFE) provides a well-written, stable GUI that allows you to control almost every aspect of Nmap.You can download NmapFE at www.insecure.org It is available in both a tarball and an RPM (the RPM is available on the CD accompanying this book: nmap-frontend-0.2. 53- 1.i386.rpm)... from all others www.syngress.com 139 138 _linux_ 03 140 6/20/01 9 :36 AM Page 140 Chapter 3 • System Scanning and Probing s -D This option allows you to specify several additional hosts who will appear as originators of the scan Hackers often use this option to confuse systems administrators, who will usually not be able to tell from where the scan truly came As a systems administrator, you can use it to. .. Scanning and Probing • Chapter 3 application, such as Cheops or an IDS to generate a network map See later in this chapter and Chapter 4 for more information s -iL Allows Nmap to read information from a text file For example, if you already have a text file that contains the IP addresses or host names of a text file, you can specify this filename rather than an IP or host range For example, if you wished to save... are effective in these cases: s -f Has Nmap break up its scans into smaller IP packets.This way, a firewall will not be able to capture and log the packets as easily s -S Address Allows you to specify the originating address of the scan Originally meant to allow Nmap to work with various operating systems that would not report the IP address to Nmap, it is possible to use this feature to spoof the source. .. aggressive and insane, respectively www.syngress.com 138 _linux_ 03 6/20/01 9 :36 AM Page 1 43 System Scanning and Probing • Chapter 3 Example: Conducting a Paranoid Scan To conduct a paranoid scan against a host, you would issue the following command: nmap -S 20.20.20.20 -e eth -P0 -sS -v -T paranoid sandi Remember however, that this scan will take some time to complete, because the paranoid setting has Nmap wait... devices to automatically run a zombie zapper against an offending system.This way, the problem is automatically solved.You will learn about how IDS applications and firewalls can respond automatically to threats in Chapters 9 and 11 If you notice large amounts of unknown traffic when you monitor your network or network perimeter, you can use a zombie zapper against the host or hosts generating this traffic... scanner such as GSS does not actually test for flaws in binaries and Web applications, a good port scanner can help you isolate which ports are open, and then take any action that is necessary Port scanning a machine may set off an alarm for the system’s administrator, who might take a dim view of your actions Be extremely careful using any of the applications in this chapter Improper use of these applications... Figure 3. 13 Nmap Tools & Traps… Nmap: A Tool for Hackers or Security Professionals? You may be wondering whether Nmap is actually a “hacker tool” meant to help compromise the security of a network Nmap was first introduced as a hacking tool, but has been quickly adopted by IT professionals It provides excellent information concerning hosts on your network It also allows your IT professionals to: s Audit... Chapter 3 Using Nmap Nmap is an advanced port scanner It is also capable of identifying the version of an operating system.You can download Nmap, shown in Figure 3. 13, at www.insecure.org Perhaps the best thing about Nmap is that its developer, Fyodor, is extremely talented, active, and a good collaborator He and his colleagues update Nmap often, and the updates usually bring desirable new features and . the www.syngress.com Figure 3. 3 Scheduling a Scan 138 _linux_ 03 6/20/01 9 :35 AM Page 119 120 Chapter 3 • System Scanning and Probing Open dialog box, shown in Figure 3. 4. Once this dialog box opens, you can then navigate. which ports are open, and then take any action that is necessary. Port scanning a machine may set off an alarm for the system’s administrator, who might take a dim view of your actions. Be extremely careful. assumes that you have already downloaded and registered AntiVir. 1. Create a directory named antivir. 2. Obtain the file named avlxsrv.tgz from the CD that accompanies this book and place it in the antivir