I have decided now to take the CCIE security exam. I was searching resources for this exam. The first thing that i got is, the Cisco documentations that are very helpful and obviously relevant to the subject’s objectives.

I went through the objectives of the paper structure and then figured out some important topics such as algorithms, network devices, I searched them on Cisco’s Website and I got treasure of information. These information can help you a lot whether you taking security or any other networking certification of Cisco or other vendors.

I also have found a book for CCIE security that is authorized by Cisco.

CCIE Security

Today in the morning, I was researching on some security certifications and went through Cisco’s certification information.

I saw there many certifications including security certifications. The certification, that I got attracted to is CCIE SECURITY which is one of the most advanced security certification in current time. I am interested to take 350-018 exam now. It will definitely help an aspirant to have a great amount of knowledge of securing a network.

I also go to the sites where I can get guidance for certifications, such as brain dumps, pass4sure and many more. But truly, they provide real exam questions that might come for only one time in an exam. If you really want to have knowledge of these fields you should study yourself, this will enhance your knowledge.

You will wonder to know that I have found a site which really helps you for self-study. They are about to release their new guidance kit on CCIE Security. I have pre-ordered the kit when I went through this site.

This site provides facts, how to’s, scenarios, simulations. Based on the author’s self-study.

This site also claims that if you get failed in your exam they will pay back your money without any questions. You have to do just one thing that mail your marks sheet to the site. There is no time limit for claiming payback. You can inform them at any time and they will refund….It’s great. Will give more info regarding this paper in my next post…

Enjoy reading.

I was digging deep in amazon for some useful books. I found one very rare species of book. I will explain how it is rare, consider you wanted to prepare for an exam dedicated on Hacking lets take Computer hacking forensic investigator (CHFI). For the preparation you will consult dozens of books to complete distributed topics of the exam. You waste lots of time to find out the relevant matter and then concentrate hard on the matter. Every write have different art of writing and you have to adjust according to the all of them.

Now, consider different scenario. You wanted to prepare for the same exam and while looking for the book you find out a study guide, which is dedicated to this very paper. This book covers each and every topic come in exam. And the best part, it contains practice questions to test your skill on the subject.

Its a boon for the certification seekers. I am sharing the information to all my readers. Happy reading.

Find the link of book here.

Hello Friends

MCTS practice test such as 70-680, 70-685, 70-683, 70-620, 70-622, 70-640, 70-270, MCDST preactice test such as 70-271, and 70-272 are available in huge discount here.. You can save up to 50%. The discount is also available for other certification practice test, such as CCNA, LPIC, Adobe, GIAC, Sun, Oracle, and CompTIA. This is the Freedom sale. Make the most of it.

Click Here to get the discount.

Incident handling is the process of managing incidents in an Enterprise, Business, or an Organization. It involves the thinking of the prospective suitable to the enterprise and then the implementation of the prospective in a clean and manageable manner. It involves completing the incident report and presenting the conclusion to the management and providing ways to improve the process both from a technical and administrative aspect. Incident handling ensures that the overall process of an enterprise runs in an uninterrupted continuity.

There are six different phases of the Incident handling process, which are as follows:

1. Preparation phase
2. Identification phase
3. Containment phase
4. Eradication phase
5. Recovery phase
6. Lessons Learned phase

I am preparing for the GCIH exam and sweat comes to my feet while gathering information about this exam. I managed to acquire all possible information and it takes almost two full days. Then I decided, I am not gonna let anybody sweat like this. In this post you will find everything and Anything you want to know about the GCIH exam. Please feel free to add your information and ideas.

Q. What is the GIAC Certified Incident Handler (GCIH) exam?
A. GIAC Certified Incident Handler (GCIH) is a vendor-neutral certification that validates an individual’s understanding for incident handling/incident response; individuals who require an understanding of the current threats to systems and networks, along with effective countermeasures.

Q. What are the prerequisites for the GIAC Certified Incident Handling (GCIH) exam?
A. There is no prerequisite for the GCIH exam.

Q. What are the benefits of becoming a GIAC Certified Incident Handling (GCIH)?
A. A GCIH-certified candidate can work as an Incident Handler, e-Business Security professional, Systems administrator, Legal professional, IT manager, etc. Numerous corporate sectors are recruiting Incident Handlers to protect their digital infrastructure and to take appropriate steps against security breaches and other computer-related crimes within an organization.

Q. What credit does the GIAC Certified Incident Handling (GCIH) exam provide?
A. Passing the GCIH exam provides the GIAC Certified Incident Handler certification.

Q. How many questions are asked in the test?
A. This test consists of multiple-choice questions. There are no case study type questions, and the test is not adaptive. You will be required to attempt one hundred and fifty (150) questions.

Q. What is the duration of the test?
A. Candidates are required to attempt all questions in 240 minutes (4 hours).

Q. Which type of test is it? (Adaptive/Linear)
A. Linear

Q. What is the passing score?
A. 72.7% (109 of 150 questions) is the minimum passing score.

Q. What is the test retake policy?
A. If you fail a GIAC Certification Exam, you may purchase a retake for the cost $199 by clicking on the “buy retake” link, under the “certification attempts” section in the GIAC exam engine area of your portal account. Once purchased, retakes are non-refundable.

A retake will extend your final certification attempt deadline by one month and your adjusted deadline will be displayed in your Exam Engine.

If you do not purchase the retake before your expiration date arrives, you will need to purchase an extension, and then purchase the retake. Please see the information on extensions below. Your access to any associated practice tests and/or audio files will be automatically extended to match your certification deadline.

Q. Where can I take the test?
A. The primary method for taking a proctored exam is through our testing partner KRYTERION.

Q. What is the exam fee?
A. The cost of the GCIH certification attempt is $899 and recertification attempts are $325.

We remember the warriors of the war, who placed the foundation stone of our country. My friend who is in military services always said to me “Adam, Life ain’t like that. Dying in battle is the best part of life.” I still pay him homage. While I was digging Internet for new certification courses, I came up with a very decent and thoughtful discount offer from one of my favorite Website. uCertify.com

They are giving simple offer: ANY 3 Prepkits for $179.99. That’s just $59.99 each!

Its better to go to their blog and find out more detail. Click here to go on ucertify blog.

Netcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used candidly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool since it can produce almost any kind of correlation one would need and has a number of built-in capabilities.

The common Netcat switches are as follows:

Features of Netcat: NetCat has the following features:

• Outbound or inbound connections, TCP or UDP, to or from any ports
• Full DNS forward/reverse checking, with appropriate warnings
• Ability to use any local source port
• Ability to use any locally-configured network source address
• Built-in port-scanning capabilities, with randomization
• Built-in loose source-routing capability
• Can read command line arguments from standard input
• Slow-send mode, one line every N seconds
• Hex dump of transmitted and received data
• Optional ability to let another program service established connections
• Optional telnet-options responder
• Featured tunneling mode which also allows special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).

Netcat Examples:

• Opening a raw connection to port 25 is (like telnet) :

  nc mail.server.net 25

• Setting up a one-shot webserver on port 8080 to present a file:

  ( echo -e “HTTP/1.0 200 Ok\n\r”; cat some.file; ) | nc -q 1 -l -p 8080

  The file can then be accessed via a webbrowser under http://servername:8080/. Netcat only serves the file once to the first client that connects and then exits.

• Checking if UDP ports (-u) 80-90 are open on 192.168.0.1 using zero mode I/O (-z) :

  nc -vzu 192.168.0.1 80-90

• Pipe via UDP (-u) with a wait time (-w) of 1 second to ‘loggerhost’ on port 514:

  echo ‘<0>message’ | nc -w 1 -u loggerhost 514

• Portscanning:

  An uncommon use of netcat is port scanning. Netcat is not considered the best tool for this job, but it can be sufficient (a more advanced tool is Nmap)

  nc -v -n -z -w 1 192.168.1.2 1-1000

  The “-n” parameter here prevents DNS lookup, “-z” makes nc not to receive any data from the server, and “-w 1? makes the connection timeout after 1 second of inactivity.

• Proxying

  Another useful behavior is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example:

  nc -l -p 12345 | nc www.google.com 80

  Port 12345 represents the request. This starts a nc server on port 12345 and all the connections get redirected to google.com:80. If a web browser makes a request to nc, the request will be sent to google but the response will not be sent to the web browser. That is because pipes are unidirectional. This can be worked around with a named pipe to redirect the input and output.

  mkfifo backpipe
  nc -l -p 12345 0backpipe

  On the Linux computer, also can use “-c” option.

  nc -l -p 12345 -c ‘nc www.google.com 80′

• Making any process a server:

  On a computer A with IP 192.168.1.2:

  nc -l -p 1234 -e /bin/bash

  The “-e” option spawns the executable with its input and output redirected via network socket.

It is one of the best method to dive in other system and retrieve the information. Atleast better then the dumbster diving. I am giving the list of the tools, which you can use to perform OS fingerprinting. Go ahead and experiment. Your comments are important for me.

• PRADS – Passive comprehensive TCP/IP stack fingerprinting and service detection.
• Ettercap – passive TCP/IP stack fingerprinting.
• NetworkMiner – passive DHCP and TCP/IP stack fingerprinting (combines p0f, Ettercap and Satori databases)
• Nmap – comprehensive active stack fingerprinting.
• p0f – comprehensive passive TCP/IP stack fingerprinting.
• PacketFence – PacketFence is an open-source network access control (NAC) system which provides the following features: registration, detection of abnormal network activities, proactive vulnerability scans, isolation of problematic devices, remediation through a captive portal, 802.1X, wireless integration and DHCP fingerprinting.
• Satori – passive CDP, DHCP, ICMP, HPSP, HTTP, TCP/IP and other stack fingerprinting.
• SinFP – single-port active/passive fingerprinting.
• XProbe2 – active TCP/IP stack fingerprinting.

pOf is one of its own kind type of tool. As the name suggests it is used for OS fingerprinting. P0f is a versatile passive OS fingerprinting tool. P0f can identify the system on machines that connect to your box, machines you connect to, and even machines that merely go through or near your box. All this even if the device is behind a fascist packet firewall.

P0f will also detect what the remote system is hooked up to (be it Ethernet, DSL, OC3, or avian carriers), how far it is located, what’s its uptime. The latest beta can also detect masquerade or illegal network hook-ups (useful for ISPs and corporate networks). P0f can detect certain types of packet filters and NAT setups, and sometimes can determine the name of the other guy’s ISP. Not a big deal? It’s still passive. It does not generate any network traffic. No name lookups, no traffic to the victim, no ARIN queries, no trace route.

NetworkMiner is a network forensic analysis tool (NFAT) for Windows. It is used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner is also used to parse PCAP files for off-line analysis and to regenerate or reassemble transmitted files and certificates from PCAP files.

The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).

NetworkMiner performs OS fingerprinting based on TCP SYN and SYN+ACK packet by using OS fingerprinting databases from p0f (by Michal Zalewski) and Ettercap (by Alberto Ornaghi and Marco Valleri). NetworkMiner can also perform OS fingerprinting based on DHCP packets (which usually are broadcast packets) by making use of the Satori (by Eric Kollmann) OS fingerprinting database from FingerBank. NetworkMiner also uses the MAC-vendor list from Nmap (by Fyodor).

Another work to help my friend with his white paper. I am including overview because each topic can elaborate in long epic. I like to add topics as it gives me chance to post atomic topics later. I will surely come with the elaborate post for each atomic topic.

Remote hacking is the process of entering a target system remotely by using the advantage of vulnerability.

Remote Hacking Steps:

1. Information Gathering / Foot Printing
2. Port Scanning
3. OS Fingerprinting
4. Banner Grabbing
5. Vulnerability Assessment
6. Search & Build Exploit
7. Attack
8. Maintaining Access
9. Covering Tracks

A description of the various remote hacking steps is given below:

1. Information Gathering / Foot Printing: In this step, maximum details of the target host are searched and gathered. It is a very important part of remote hacking because more attacks can be performed by a hacker when he has more information about the target system. Information gathering is done with the help of the following steps:
   • Find the company details including the URL and IP address.
   • Use Google or other search engines for more information from different websites.
   • Find out the information about the target domain with the help of the whois command.
   • Find out the physical location of the victim (use www.ipmango.com)
2. Port Scanning: Port is a medium of communication between two computers and every service on a host is identified by a unique 16-bit number called a port.
   

   Port Number	Service
   7	Ping
   21	File Transfer Protocol (FTP)
   23	Telnet
   25	SMTP (Mail)
   43	WHOIS
   53	DNS
   80	HTTP
   110	POP3 (Mail Access)
   513	Rlogin
   8080	Proxy

   Port scanning is the first basic step to get the details of open ports on the target system. Port scanning is used to find a hackable server with a hole or vulnerability.

   A port scanner is a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by hackers to identify running services on a host with the view to compromising it. Port scanning is used to find the open ports, so that it is possible to search exploits related to that service and application.

   Some examples of port scanners are Nmap, Hping2, and Superscan.

3. OS Fingerprinting: OS (Operating System) Fingerprinting is a process to find out a victim’s operating system (Windows, Linux, UNIX).

   Tools: Nmap, NetScanTools Pro, P0f.

4. Banner Grabbing: Banner grabbing is an attack to find the brand and/or version of an operating system or application.

   OS Fingerprinting and Banner Grabbing are a part of port scanning.

5. Vulnerability Assessment: A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed for include, but are not limited to, nuclear power plants, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems.

   Vulnerability is the most reliable weakness that any programming code faces. These programming code may be buffer overflow, xss, sql injection, etc., and an exploit is a piece of malware code that takes advantage of a newly announced vulnerability in a software application, usually the operating system or a Web server.

   Vulnerability + Exploit = Hacking on remote machine

   Important Tools: Xcobra, NTOSpider, Nikto, Privoxy, Samurai, SPIKE Proxy, Nessus.

6. Search & Build Exploit: Information on vulnerability can be found with help of vulnerability archive sites.

   For exploit and final attack, download the source code format from the sites that can provide them. Some of the sites that can be used for downloading can be Microsoft, Adobe, or Mozilla.

7. Attack: In this step of Remote hacking, try to get reverse shell by launching the attack on a remote system.
8. Maintaining Access: A root kit or Trojan virus is placed for future remote access on the target system.
9. Covering Tracks: Covering Tracks is the last and important step of remote hacking, which includes the deletion of all logs on the remote system. In Linux or UNIX, all entries of the /var folder need to be deleted, and if it is a Windows operating system, all events and logs are deleted. This step is used by hackers to keep their identity anonymous.

Watch this video for Banner Grabbing in Linux (Back Track)……..

Lately I came up with a new methodical challenge. One of my friend is writing white paper on the effect of different tools used in hacking and penetration testing. He came to me with a weird kind of problem. He wants to categorize the password cracking tools according to their usage and effectiveness. It took my whole weekend to complete this work, but its worth like spending so much time. I learned what I thought never existed. Rare elites are out there in World. I am sharing the part of my work in this blog. KNOWLEDGE FOR ALL, ALL FOR KNOWLEDGE. I tried my best to omit any lame mistake and keep the content appropriate. I know many websites are also giving these lists but I tested each tool with my hands on practical experiences.

1. Cain and Abel :

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.

It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

2. John the Ripper

It works on Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

3.THC Hydra :

When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more then 30 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Like THC Amap this release is from the fine folks at THC.

The project supports a wide range of services and protocols: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA. It is licensed under version 2.0 of the GNU General Public License with the additional terms that the software may not be used for illegal purposes, and any commercial service or program that uses Hydra must give credit to THC.

4. Aircrack-ng:

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless card whose driver supports raw monitoring mode (for a list, visit the website of the project) and can sniff 802.11a, 802.11b and 802.11g traffic. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).

5. L0phtcrack:

L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionarybrute-force, hybrid attacks, and rainbow tables

External Links:

• L0phtCrack Website

6. AirSnort:

AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions. It uses Ciphertext Only Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys.

External Links:

• AirSnort Homepage
• AirSnort Installation Guide on openSUSE10.1
• AirSnort Installation Guide on Windows

7. Solar Wind:

It includes various Security-related tools such as many network discovery scanners, an SNMP brute-force cracker, router password decryption, a TCP connection reset program, one of the fastest and easiest router config download/upload applications available and more.

External Links:

solarwind Official Website

8. PwdDump:

Pwdump is able to extract NTLM and LanMan hashes from a Windows target, regardless of whether Syskey is enabled. It is also capable of displaying password histories if they are available. In order to work, it must be run under an Administrator account, or be able to access an Administrator account on the computer where the hashes are to be dumped.

9. RainbowCrack:

The RainbowCrack tool is a hash cracker that makes use of a large-scale time-memory trade-off. A traditional brute force cracker tries all possible plaintexts one by one, which can be time consuming for complex passwords. RainbowCrack differs from “conventional” brute forcerainbow tables to reduce the length of time needed to crack a password drastically.

External Links:

crackers in that it uses large pre-computed tables called

• Project RainbowCrack – Developer’s official site.
• Rainbow Tables & Rainbow Crack tutorial

10. Brutus:

Brutus is one of the fastest, most flexible remote password crackers you can get your hands on – it’s also free. It is available for Windows 9x, NT and 2000, there is no UN*X version available although it is a possibility at some point in the future. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more.

External Links:

http://www.hoobie.net/brutus/

See this for John-The-Ripper, find the others on Youtube..

A rootkit is software that is installed on your server with the purpose of hiding the fact that your server has been compromised and providing access to your server so that the intruder can easily return. It is important to understand that in order for an intruder to install a rootkit they will have to have gained the rights to do so on your server. This means that the first line of defense is good security that prevents the installation of a rootkit.

The intruder could use a rootkit to hide the password cracker program that’s stealing your passwords and sending them back to the intruder. The intruder could also use a rootkit to hide a “back door” program that would give him easy access back into the compromised system.

There are at least six basic categories of rootkits which all serve the same purpose. They prevent the intruder’s malicious software from showing screen output to the unsuspecting user, and they prevent the malicious software from leaving traces in the system logs. They also prevent the malicious software from showing up in a “ps” or “top” process list.

Firmware rootkits
One of the most difficult rootkits to discover is the firmware rootkit that is placed in the code that exists in the ACPI or PCI cards or your system clock. Firmware rootkits can be installed in any flashable code on your motherboard or any cards that you install. The difficulties here will be that you cannot fix this by reinstalling your operating system or wiping your hard drives.

Virtualized rootkits change a computer’s boot-up sequence so that the rootkits get loaded instead of the operating system. Once the rootkits are running in memory, the original operating system loads and then runs in a virtual machine as a guest operating system. The rootkit can then intercept hardware calls from the original operating system in order to conceal the presence of any malicious software or activity.

Kernel rootkits
When Linux boots up, it loads kernel extensions, or modules. Loadable Kernel Module, or LKM rootkits, can modify these modules to make them do the intruder’s bidding. These are also very difficult to detect. They can subvert any attempt to detect them and can prevent removal. On the other hand, they can be prevented. On a known clean system, just recompile the Linux kernel without support for loadable kernel modules.

Boot Loader rootkits
In this rootkit the boot loader is replaced with a modified boot loader which is used to achieve the goals of the intruder.

Library rootkits
These rootkits work by modifying the operating system’s libraries that provide system calls. They will either patch the library files, hook onto them, or outright replace them.

Application level rootkits
These are sometimes referred to as “traditional” rootkits. That’s because they’re the oldest variety. Application level rootkits replace system utility programs with their own trojaned versions. On Linux, the affected system utilities include login, ls, du, netstat, ifconfig, ps and top. When the unsuspecting user invokes one of these counterfeit utilities, it’ll will do what the user wants done, but in the background, it will also do something for the intruder.

One way to check these utilities is to invoke them with the -/ option switch. If the command works with that switch, it’s an sign that its executable file is infected.

Rootkit Hunter
Rootkit Hunter performs a more comprehensive check than chkrootkit, and takes somewhat longer to run. If your distro’s package repository doesn’t have it, you can download it from the author’s website. The site is: http://rootkit.nl/projects or you can download it from sourceforge.net.

To perform a check of your system, enter:

rkhunter -c

Here is a typical summary which is listed at the end of the check.
System checks summary

File properties checks…
Files checked: 129
Suspect files: 0

Rootkit checks…
Rootkits checked : 115
Possible rootkits: 0

Applications checks…
Applications checked: 9
Suspect applications: 0

The system checks took: 3 minutes and 1 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

To update Rootkit Hunter, enter:

rkhunter –update

If you do a test and it discovers some programs have changed but you are sure that the changes occurred as the result of an upgrade you will want to upgrade those changes with rkhunter so that it does not continually report those as problems. Note that rkhunter will only be able to tell you that changes have occurred not why they have changed, that is your responsibility to find out.

rkhunter –propupd

Run without User Input
In order to run rkhunter as a cron job, or without user input, you must make a few modifications. Other wise, during the course of its scan, it will stop several times and ask the user to press “Enter”. Use the command:

rkhunter –cronjob

Report only Problems
You can run rkhunter so that it will only report problems that it discovers.

rkunter –cronjob –rwo

Email Your Account
You will need to edit two lines to enter your email and check your mail command header setting. This command will work for Sendmail but not Postfix.

MAIL-ON-WARNING=youremail@example.com root@mydomain
MAIL_CMD=mail -s “[rkhunter] Warnings found for ${HOST_NAME}”

If you are using Postfix as the mail server you will want to modify the default line so it looks like this:
MAIL_CMD=/usr/sbin/sendmail

This is the message you will receive is there is a problem.

”Please inspect this machine, because it may be infected.”

False Positives
You may have to uncomment lines in the rkhunter.conf file to allow for some hidden directories. You may also have to enter the lines and issues that are discovered for your system that are false positives. Of course, you will want to verify either that rkhunter discovered these on a new system or that you are sure they do not represent intrusion.

LOGFILE=/var/log/rkhunter.log

If you allow the root user to login using SSH, change this line.
ALLOW_SSH_ROOT_USER=yes

You may need to allow some directories and files to stop the false positives.
#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.udevdb
#ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
#ALLOWHIDDENDIR=/dev/.SRC-unix

ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac

SCRIPTWHITELIST=/sbin/ifup
SCRIPTWHITELIST=/sbin/ifdown
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis

Enter the applications you want to whitelist. This is a possible list for a CentOS system apache on Ubuntu is called apache2 instead of httpd.

APP_WHITELIST=”httpd sshd PHP named”
Here is an example of the output that you need to fix in order to eliminate false positives.

rkhunter –cronjob –rwo
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

]]>

I was start liking computers when theory of Y2K hit us. It created chaos that didn’t last long. Everything stay tuned and work fine. This time another theory hit us with proclaiming greater destruction in real time scenario.

Welcome to the 2038 Bug theory.

The year 2038 problem, we all call it as Unix Millennium Bug,or Y2K38 as our private joke. It expects cause some computer software to fail before or in the year 2038. The problem affects all software and systems that store system time as a signed 32-bit integer, and interpret this number as the number of seconds since 00:00:00 UTC on Thursday, 1 January 1970. The farthest time that can be represented this way is 03:14:07 UTC on Tuesday, 19 January 2038. Times beyond this moment will “wrap around” and be stored internally as a negative number, which these systems will interpret as a date in 1901 rather than 2038. This will likely cause problems for users of these systems due to erroneous calculations.

Further, while most programs will only be affected in or very close to 2038, programs that work with future dates will begin to run into problems much sooner. For example, a program that works with dates 20 years in the future will have to be fixed no later than in 2018.

Because most 32-bit Unix-like systems store and manipulate time in this format, it is usually called Unix time, and so the year 2038 problem is often referred to as the Unix Millennium Bug. However, any other non-Unix operating systems and software that store and manipulate time this way will be just as vulnerable.

I find one website very informative about this Y2K38 theory, even if I have taken the image of the bug from this site. Find it here.

I will ask you to google it and I am sure you will find interesting facts round the corner. Lets wait for it.

Find one very good graphical description of Y2K38 problem on Wikipedia. Look at it.