By Peter on November 28th, 2007
Automatic Password Generator application (APG)
The default behavior of APG is to prompt for random data from standard input and upon pressing enter, display six strong “pronounceable” passwords. They are referred to as “pronounceable” because the passwords may actually be pronounced like regular words. In fact, APG includes the pronunciation in parentheses () to the right of each password. Additionally, they are strong passwords because they include a mix of lowercase, uppercase, and numeric characters.

If you want different behavior from APG, the apg command accepts many options that change its default output and behavior. For example, to generate random-character passwords instead of pronounceable ones, invoke APG with the -a 1 option, where -a selects the algorithm APG uses and 1 selects random mode.
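As an added example (not code from the original post), the script below runs apg in random mode and checks that every password it produced really does mix lowercase, uppercase and digits; the apg flags -n, -m, -x, -M and -q and the meaning of the -M mode letters are assumed from apg(1), and the checker is exercised on a constructed sample so it runs without apg installed.

```shell
#!/bin/sh
# Added example, not part of the original post: generate random-mode (-a 1)
# passwords with apg and verify each one contains lowercase, uppercase and
# numeric characters. Assumes the apg option flags described in apg(1).

# has_all_classes PASSWORD: succeed (0) only if the password contains at
# least one lowercase letter, one uppercase letter and one digit.
has_all_classes() {
    printf '%s' "$1" | grep -q '[a-z]' || return 1
    printf '%s' "$1" | grep -q '[A-Z]' || return 1
    printf '%s' "$1" | grep -q '[0-9]' || return 1
    return 0
}

# count_weak FILE: print how many non-empty lines of FILE fail has_all_classes.
count_weak() {
    weak=0
    while IFS= read -r pw; do
        [ -n "$pw" ] || continue
        has_all_classes "$pw" || weak=$((weak + 1))
    done < "$1"
    echo "$weak"
}

# apg_random_batch OUTFILE: six random-mode passwords of 12 to 16 characters.
# -M NCL requires numeric, capital and lowercase characters (uppercase mode
# letters mean "must contain"); -q suppresses apg's warnings so only the
# passwords are written. Assumption: apg is installed when this is called.
apg_random_batch() {
    apg -a 1 -n 6 -m 12 -x 16 -M NCL -q > "$1"
}

# Constructed sample standing in for apg output (the second line is weak on
# purpose) so the checker can be demonstrated without apg on this machine.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Kf8qWz2mRt4v
sevenwordsnodigits
P3xL9aQ7mC1r
EOF
echo "weak passwords in sample: $(count_weak "$sample")"
rm -f "$sample"
```

Run apg_random_batch into a file and pass that file to count_weak to audit a real batch; a non-zero count means the -M mode letters were not honoured.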

Posted in Linux Tools, Security, Tips
By Peter on November 28th, 2007
theregister.co.uk reported today that a blog promoting Al Gore's An Inconvenient Truth has been hacked by penis-pill spammers. According to the site, all the links in the blog portion of the site were altered to promote the drugs. The method used for this hack is still unknown, but it has been reported that the blog was running an unpatched version of WordPress.
However, as of this writing the site seems to have gone back to normal.
Link to the theregister article: http://www.theregister.co.uk/2007/11/27/climate_change_hack/
Screenshot showing the hack:

Posted in Hacking, News
By Peter on November 27th, 2007
Tripwire is designed to detect modifications to files and directories and to alert you to any changes. Even though quite a large amount of effort is needed to configure and run this program, it is essential for high-profile systems that are exposed directly to the internet.
Tripwire works by storing important information about the system directories and files it finds in a database. This information includes date and time, file size and checksums (to detect any modifications to critical system files). Once the database is in place, it serves as a reference and should be updated regularly. Tripwire can be run from cron daily so that, in the event of a breach, tripwire can warn you by mail as early as possible.
Tripwire protects its own data files (database, policy and configuration) with its keys against tampering by intruders, so that tripwire can read them but they cannot be rewritten without the passphrase.
First of all, before you start using tripwire you need key files, if they weren't already created during installation. You can create a tripwire key manually with the twadmin utility that comes with tripwire:
twadmin --generate-keys -S /etc/tripwire/site.key

Next, create the database by typing tripwire --init; the program will ask you for your passphrase.

Performing a system integrity check is straightforward: type tripwire --check. This process is likely to take several minutes. When it's done, it creates a report that it stores in the REPORTFILE directory, as specified in the configuration file. Tripwire may also e-mail the report to the account specified with the GLOBALEMAIL variable, but only if Tripwire found problems or MAILNOVIOLATIONS is set to true. The command also sends the report to stdout, so you can see it on the screen. The report is fairly verbose, but pay particular attention to the filesystem summary section.
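As an added example (not from the original post), here is a small cron wrapper around tripwire --check that reads the "Total violations found:" line of the report summary and fails loudly when it is non-zero; the summary line format is assumed from tripwire's standard report, and the parser is exercised on a constructed excerpt so it runs without tripwire installed.

```shell
#!/bin/sh
# Added example, not from the original post: a daily cron wrapper around
# "tripwire --check" that signals violations through its exit status and
# stderr (cron mails stderr to the job owner by default). Assumes the
# standard report summary line "Total violations found: N".

# violations_in_report FILE: print the violation count recorded in a
# tripwire report, or "unknown" if the summary line is absent.
violations_in_report() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    if [ -n "$n" ]; then echo "$n"; else echo unknown; fi
}

# daily_check REPORT: run the integrity check, keep a copy of its stdout in
# REPORT, return 0 when clean and 1 when violations were found or the report
# could not be parsed. Assumption: tripwire is installed when this is called.
daily_check() {
    report="$1"
    tripwire --check > "$report" 2>&1
    v=$(violations_in_report "$report")
    case "$v" in
        0) return 0 ;;
        unknown) echo "could not parse $report" >&2; return 1 ;;
        *) echo "$v violation(s) found, see $report" >&2; return 1 ;;
    esac
}

# Constructed report excerpt in the shape of a real summary, used here so
# the parser can be demonstrated without tripwire on this machine.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Total objects scanned:  21447
Total violations found:  2
EOF
echo "violations in sample: $(violations_in_report "$sample")"
rm -f "$sample"
```

Schedule daily_check from a root crontab with a dated report path (for example under the REPORTFILE directory) so each run leaves a copy even when tripwire's own mail is not configured.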

That more or less sums up the basic functions of tripwire; for more in-depth details check out the man pages.
Posted in Linux Tools, Security, Tips
By Peter on November 27th, 2007
These are some of the things you can do if your system is compromised by an intruder to the point that they have root access and have installed a rootkit on your system.
- Disconnect your system from the network. Remove your system from the Internet and from your local network. You should literally unplug the network connection (if it's wired).
- Make a backup. Before you do anything else, make a backup of the system in its compromised state. The backup can be used to restore important data after careful investigation. It can also serve as evidence if there is a criminal investigation against the cracker, and it may help you if the cracker used your system to attack others.
- Determine the method of entry. This step is easier said than done. Your log files may provide clues about the method of entry, as might symptoms of system misbehavior. As you research the security of important servers and other programs, you may discover a server or two with known security bugs that might have been used to gain entry.
- Wipe the system clean. Delete every system file on the computer: program files, libraries, configuration files, and so on. Do this by using an emergency Linux system and making new filesystems on the old partitions. As a minimal precaution, search any partitions you intend to keep for executable files (find /home -perm -0111 -type f should do the trick for /home) and evaluate whether they should be executable.
- Reinstall or recover the system. Reinstall the system from scratch or restore it from a backup. If necessary, restore your system's configuration to its pre-intrusion state, for instance by setting up your servers the way they were before the intrusion. If you restore either the entire system or configuration files from backups, be sure the backups were made before the intrusion.
- Upgrade system security. Update old packages and fix any possible methods of entry you identified. If you couldn't identify anything specific, you'll have to make do with package updates and raising your general level of security.
- Restore to the network. Only after you've upgraded security should you contemplate returning the system to the network. At this point, your system should be clean and much harder to break into than it was before.
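As an added example (not from the original post), the script below wraps the post's find /home -perm -0111 -type f check for partitions you intend to keep and goes one step further by listing setuid/setgid files separately, since those deserve first attention; it is meant to be run from the rescue system with the old partition mounted, and the demo tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: review executables on a
# partition you intend to keep, extending "find /home -perm -0111 -type f"
# to also flag setuid/setgid files. Run from a clean rescue system with the
# old partition mounted (the mount point passed as DIR is your choice).

# list_executables DIR: every regular file under DIR with any execute bit set.
list_executables() {
    find "$1" -type f -perm -0111 2>/dev/null | sort
}

# list_setid DIR: regular files under DIR that are setuid or setgid; on a
# compromised filesystem these are the first candidates for inspection.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# count_executables DIR: number of executables, for a quick summary line.
count_executables() {
    list_executables "$1" | wc -l | tr -d ' '
}

# Constructed demo tree standing in for the mounted old /home: one hidden
# executable script and one plain data file.
demo=$(mktemp -d)
mkdir -p "$demo/alice/.cache"
printf '#!/bin/sh\necho hi\n' > "$demo/alice/.cache/update.sh"
chmod 755 "$demo/alice/.cache/update.sh"
printf 'notes\n' > "$demo/alice/notes.txt"
chmod 644 "$demo/alice/notes.txt"
echo "executables under demo tree ($(count_executables "$demo")):"
list_executables "$demo"
echo "setuid/setgid files:"
list_setid "$demo"
rm -rf "$demo"
```

Review every path these functions print before deciding whether the file should keep its bits; anything under a user's dotfiles or cache directories is worth a close look.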
Posted in Linux Tools, Security, Tips