
Windows Rootkit Detectors



What is a rootkit?

A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system. Basically they let someone get access or run commands when they shouldn’t be allowed and don’t want to be found. Rootkits can go undetected for long periods of time, so it’s a good idea to check your system for them regularly in addition to virus scans.

The concept of the rootkit isn’t a new one, and dates back to the days of Unix. An intruder could use a kit of common Unix tools, recompiled to allow an intruder to have administrative or root access without leaving traces behind. Rootkits, as we’ve come to know them today, are programs designed to conceal themselves from both the operating system and the user — usually by performing end-runs around common system APIs. It’s possible for a legitimate program to do this, but the term rootkit typically applies to something that does so with hostile intent as a prelude toward stealing information, such as bank account numbers or passwords, or causing other kinds of havoc.

Many antivirus and security-software manufacturers have since added at least some rudimentary level of rootkit detection to their products, but there have been a number of free, standalone rootkit detection tools that have been in use for some time. In this article, I examine six of the more prevalent standalone applications, and talk about their relative merits and abilities. To test them out, I used them to scan a system for three varieties of rootkit: Fu or FuTo, which can “stealth” any process; the AFX Windows Rootkit 2003, which can hide processes and folders from the system; and Vanquish, which is similar to AFX but uses a slightly different concealment mechanism.

How They Work
The detectors themselves typically work by comparing different views of the system and seeing where there’s a mismatch. One of the original ways to perform this kind of detection was to dump a complete list of all the files on the volume while inside the operating system, then boot to the Recovery Console and dump another file list, then compare the two. If a file shows up in the second list but not in the first and isn’t a Windows file kept hidden by default, it’s probably a culprit. More recent rootkit detectors use variations on this scheme that don’t require exiting the operating system to get usable results.
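The cross-view comparison described above, as an added example that is not part of the original article or any of the reviewed tools: an "online" listing taken from inside the running operating system is compared against an "offline" listing taken after booting to a clean environment, and anything that appears only offline (and is not on a list of files the OS legitimately hides) is reported as a candidate. Both listings, the driver filename and the known-hidden list are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): cross-view file-list comparison.
# ONLINE_LIST  = listing taken from inside the running OS
# OFFLINE_LIST = listing taken after booting to a clean environment
# KNOWN_HIDDEN = files the OS keeps hidden by design (not evidence of a rootkit)
# All three are constructed sample data; the .sys name is a made-up placeholder.
export LC_ALL=C   # consistent sort order for comm

ONLINE_LIST='/windows/system32/kernel32.dll
/windows/system32/ntoskrnl.exe
/users/alice/report.doc'

OFFLINE_LIST='/windows/system32/kernel32.dll
/windows/system32/ntoskrnl.exe
/users/alice/report.doc
/windows/system32/drivers/hidden_example.sys
/pagefile.sys'

KNOWN_HIDDEN='/pagefile.sys'

# cross_view_diff ONLINE OFFLINE KNOWN_HIDDEN
# Prints every path present in the offline listing but absent from the online
# one, minus the known-hidden whitelist. Each argument is a newline-separated
# list of paths.
cross_view_diff() {
    on=$(mktemp) && off=$(mktemp) && hid=$(mktemp) && cand=$(mktemp) || return 2
    printf '%s\n' "$1" | sort -u > "$on"
    printf '%s\n' "$2" | sort -u > "$off"
    printf '%s\n' "$3" | sort -u > "$hid"
    # comm -13: lines only in the second file (seen offline, missing online)
    comm -13 "$on" "$off" > "$cand"
    # comm -23: drop candidates that are on the known-hidden list
    comm -23 "$cand" "$hid"
    rm -f "$on" "$off" "$hid" "$cand"
}

# suspect_count ONLINE OFFLINE KNOWN_HIDDEN: number of unexplained hidden paths
suspect_count() {
    cross_view_diff "$1" "$2" "$3" | grep -c .
}

# Usage: on a real system the listings would come from e.g.
#   find / -xdev -print | sort -u > online.txt   (inside the OS)
# and the same command run from the rescue environment for offline.txt.
cross_view_diff "$ONLINE_LIST" "$OFFLINE_LIST" "$KNOWN_HIDDEN"
```

The whitelist is what separates a false positive (something Windows hides on purpose, like the page file) from a real discrepancy; in practice it has to be maintained per OS version, which is one reason the article warns that these tools are aimed at advanced users.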

I’ve also looked at these applications in a more general light and tried to consider how useful the program is likely to be in the future: how easy the detector is to use; how easy it is to interpret the results; how often the detector was updated; and so on. Remember that rootkits, like viruses, are a moving target. An anti-rootkit program that protects you today might be defenseless tomorrow against a whole new variety of threat — in fact, many rootkit makers write their programs to specifically avoid detection by some existing programs.

For the most part, these programs are for advanced- to expert-level users. They’re not intended to be used as general-purpose solutions; they don’t always distinguish between false positives (i.e., files hidden by the operating system deliberately) and real rootkits; they come with no warranty — they’re provided “as-is” — and some of them (such as Trend Micro’s product) have their core technologies available in a far more user-friendly version in a commercial product. In short, if you’re not a professional, your best bet, at least for now, is to either hire a guru or use a mainstream product that has some kind of rootkit detection capability (such as Trend Micro Internet Security 2007).


Howto: Install CDONTS Windows 2003


As you should know, on Windows 2003 Server CDONTS was deprecated and CDOSYS is Microsoft's new e-mail sender component (read more on the Microsoft website).

However, some ASP scripts still require CDONTS, and customers may need CDONTS installed. So, to install CDONTS:

1) First, install MailEnable or other SMTP server. Make sure it is running.
2) Download and unzip cdonts.dll into the C:\Windows\System32 folder.
3) Register the CDONTS.DLL component on your server: click Start >> Run and type:
regsvr32 c:\winnt\system32\cdonts.dll >> ENTER
(the path must match the folder you copied the DLL into in step 2)

Now CDONTS should work.

To know if CDONTS is installed you can use http://www.pensaworks.com/prg_com.asp to view a list of installed components.

Based on: http://www.windows-2003-hosting.co.uk/?pagename=cdontshowto

How to Prevent the IIS SMTP Virtual Server from Relaying E-mail Messages


1) Start Internet Information Services Manager or open the Internet Information Services (IIS) snap-in.

2) Expand Server_name, where Server_name is the name of the server, right-click Default SMTP Virtual Server, and then click Properties.

3) Click the Access tab, and then under Access control, click Authentication.

4) Click to select either or both the Basic authentication and the Integrated Windows authentication check boxes, click to clear the Anonymous access check box (if it is selected), and then click OK.

By doing so, authentication is required before access is granted to the SMTP virtual server. In this case, if the user or computer does not successfully authenticate, the user or computer cannot send mail to the server.

NOTE: If you click to select the Anonymous access check box and do not click to select the Basic authentication and the Integrated Windows authentication check boxes, all users and computers are able to access the SMTP virtual server.

This disables authentication.

5) Under Relay restrictions, click Relay.

6) Note the options that are available in the Relay Restrictions dialog box. By default, the Only the list below option is selected and this list is empty. Additionally, the Allow all computers which successfully authenticate to relay, regardless of the list above option is selected. With this feature, users and computers that can authenticate with the server can relay through the server. All computers are blocked except those that meet the authentication requirements that you configured earlier in the Authentication dialog box of the Access tab.

Note that if you allow only anonymous access, the server does not authenticate users or computers.

7) Click Add, and then do one of the following to add a single computer, group of computers, or a domain:

Click Single computer.

Type the IP address of the computer that you want in the IP Address box, and then click OK.

Click Group of computers.

Type the subnet address and the Subnet mask of the group into the corresponding boxes, and then click OK.

Click Domain.

Type the domain name that you want in the Name box, and then click OK.

If you do not want to add a computer, group of computers, or a domain, click Cancel.

8) Click OK, and then click OK.

APF Deny ALL for SSH - Limit IP Connections


APF firewall can deny ALL connections for ssh and allow only a single or select few of IPs to connect to your server. We’ll guide you through DENY ALL with APF firewall.

PROBLEM:
You want to deny all IPs from connecting to shell/ssh on your server and allow only a select one or few to connect, using the APF firewall.

APF SOLUTION:
1) Login to your server as the root user.

2) cd /etc/apf

3) Use vi or nano to edit the /etc/apf/allow_hosts.rules file
EG: vi /etc/apf/allow_hosts.rules

4) Scroll down until after the last default comment line (the ones starting with ##).

Add the following in:

tcp:in:d=22:s=YOURHOMEIPHERE
out:d=22:d=YOURHOMEIPHERE

The d=22 part is the port, so you can repeat for other services as well to limit connections if you like.

Save the changes.

5) Edit the /etc/apf/deny_hosts.rules file
EG: vi /etc/apf/deny_hosts.rules

Scroll down until the last default comment ## then below it add the following:

tcp:in:d=22:s=0/0
out:d=22:d=0/0

Save the changes.

6) Restart APF firewall
apf -r

Your server is now only allowing connections to the SSH service from one IP using APF. To add more than one IP repeat the steps in 4) adding a new tcp and out line for each IP.
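The allow and deny lines from steps 4 and 5, generated for several administrator IPs at once, as an added example that is not part of the original post or of APF itself. It emits exactly the line format the post uses (tcp:in:d=PORT:s=IP and out:d=PORT:d=IP) and refuses to emit anything if one of the addresses is not a plain dotted-quad, so a typo never lands in allow_hosts.rules. The IP addresses are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): build APF allow/deny rule lines
# for one port and a list of IPs. Sample IPs below are constructed.

# is_ipv4 ADDR: succeed only if ADDR is four dot-separated decimal octets 0-255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# apf_allow_rules PORT IP...: print the step-4 allow pair for every IP.
# Any invalid IP aborts with a message on stderr and a non-zero status.
apf_allow_rules() {
    port=$1; shift
    for ip in "$@"; do
        if ! is_ipv4 "$ip"; then
            echo "apf_allow_rules: invalid IPv4 address: $ip" >&2
            return 1
        fi
        printf 'tcp:in:d=%s:s=%s\n' "$port" "$ip"
        printf 'out:d=%s:d=%s\n' "$port" "$ip"
    done
}

# apf_deny_all_rules PORT: the step-5 deny-everything pair for PORT
apf_deny_all_rules() {
    printf 'tcp:in:d=%s:s=0/0\n' "$1"
    printf 'out:d=%s:d=0/0\n' "$1"
}

# Usage with constructed sample IPs; on a real server append the output to the
# rules files (after checking it) and then run: apf -r
#   apf_allow_rules 22 203.0.113.10 198.51.100.7 >> /etc/apf/allow_hosts.rules
#   apf_deny_all_rules 22 >> /etc/apf/deny_hosts.rules
apf_allow_rules 22 203.0.113.10 198.51.100.7
apf_deny_all_rules 22
```

Generate the allow lines before the deny lines and confirm at least one valid address was printed; if the allow file ends up empty while the deny-all pair is in place, the next `apf -r` locks every address out of SSH, including your own.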

Cheers

Using Group Policies to Restrict Programs (Protect from Viruses and Worms)


You can use a group policy to protect your server from known viruses that require an executable to run; Sobig.F and Blaster are two fine examples.

Go to Run > Type MMC to open the Microsoft Management Console.

Select File > Add/Remove Snap-in > Add > Group Policy Object Editor

Allow it to modify the Local Computer in the wizard. Close > OK

Navigate to Local Computer Policy > User Configuration > Administrative Templates > System. Click System in the left-hand pane; the available policies appear in the right-hand pane.

Select Don’t Run Specified Windows Applications.

Select Enable and then Show > Add

Add any applications you want to restrict. Blaster and Sobig.F are

WINPPR32.EXE
MSBLASTER.EXE

Click OK and close out of the MMC. You are now protected.

This is no substitute for AV Protection and a Firewall. This is just another layer of protection.