How to block malicious VBA documents and spreadsheets with spam assassin or amavisd

Posted in Operating Systems, Linux, Fedora, Debian, Suse, Red Hat, Services, Mail, Tips on Thursday, December 10, 2015 by

Monitoring our net streams for SMTP traffic, I have a particular Splunk alert configured to alert when a spam campaign in underway. It’s quite interesting to see what tricks spammers try and how long some campaigns last.

Something that has caught my attention is the increased use of unsolicited “invoice” and “order” emails which get sent with .doc documents attached. Reviewing the documents nearly all of them contain malicious VB scripting usually set to auto run, which downloads and tries to execute binaries.

Now I have created a number of spam assassin rules to block these types of emails (invoices with .doc files attached) but it’s a cat and mouse game, and you can’t be too generic as you may block legitimate email. What I can block ruthlessly is documents and spreadsheets which contain autorun VB scripting.

Here is how to do it:

Create the following file on your amavisd server at the location “/usr/local/bin/detectvba.pl”

#!/usr/bin/perl -w
# technion@lolware.net
# Detects vba macros containing blacklisted strings.
# https://github.com/technion/maia_mailguard/blob/master/scripts/detectvba.pl
# Mods by www.cammckenzie.com
#
# Suggested amavisd/maiad.conf config:
# ['Detect-VBA',
#   '/usr/local/bin/detectvba.pl', "{}",
#      [0], qr/INFECTED/, qr/\bINFECTED (.+)\b/m ],
#
use strict;

my $sigtool = '/usr/bin/sigtool'; #Clamav sigtool path

if ($#ARGV != 0) {
    print "Please supply directory to scan\n";
    exit 0;
}

#Sanity check directory
my $dir = $ARGV[0];
if ($dir !~ /^[a-z0-9A-Z\/-]+$/) {
    print "Invalid directory passed\n";
    exit 0;
}

opendir DIR, $dir or die "Cannot open dir $dir: $!";
my @files = readdir DIR;

foreach my $file (@files) {
    next if $file =~ /^\.$/;
    next if $file =~ /^\.\.$/;
    my $scan = `$sigtool --vba="$dir/$file"`;
    if ($scan =~ /autoopen/i ) {
        print "Scanning $file: INFECTED VBA\n";
        exit 1;
    } else {
        print "Scanning $file: OK\n";
    }
}

closedir DIR;

exit 0;

Then in amavisd.conf (/etc/amavisd/amavisd.conf on CentOS) modify the section “@av_scanners” and insert as a primary scanner the following stanza:

['Detect-VBA',
   '/usr/loca/bin/detectvba.pl', "{}",
      [0], qr/INFECTED/, qr/\bINFECTED (.+)\b/m ],

Then after that just restart your amavisd service and you should see, it finds Detect-VBA as a primary scanner, test it by sending yourself a malicious macro document lol.

Download the raw howto here, so that special characters are intact as FlatPress has a habit of removing them….https://www.cammcken … assin-or-amavisd.txt

Replace Linux RAID disk the ‘right’ way

Posted in Operating Systems, Linux, Tips, Hardware, Disks on Wednesday, September 16, 2015 by

Well before you power to replace the disk - can you be sure it will power back on?
Some distros have the bad habit of only install GRUB to one physical disk and if that disk dies…RAID wont save you (but a boot CD will…)

Firstly I like to confirm if /boot is configured in RAID 1. I then usually also install GRUB to all the physical disks via: 

grub-install /dev/sda

and sdb and sdc etc. Then I power off the server and replace the disk.

After powering on the server, sometimes it won’t boot due to the new disk getting booted first, so make sure to select another disk in the BIOS boot-up menu.

After the operating system returns it’s a matter of recreating the partitions on the new disk, before trying to add it back into the RAID array. My servers all have the same disk sizes in the array and the same partition layouts, so to recreate them on the old disk I just perform: 

sfdisk -d /dev/existing-disk | sfdisk /dev/new-disk

Confirm the new disks get the correct layout via: 

cat /proc/partitions

and then add the partition back to the RAID array: 

mdadm --add /dev/mdX /dev/sdXX

And then finally confirm its rebuilding via: 

mdadm --detail /dev/mdX

OR 

cat /proc/mdstat

Configure UTM 220 LCD panel under Linux

Posted in Linux, Network, Firewall, Hardware on Wednesday, September 9, 2015 by

I had the task of rebuilding an Astaro UTM 220 with CentOS and the LCD panel looked so lifeless, So I decided to restore it to some version of functional! From my research I can see that the display is LCM-162 and utilises the lcd driver HD44780.

In a nut shell here is what I did:

  • Download LCDproc (http://lcdproc.omnipotent.net/)
  • Modify: lcdproc-0.5.6/server/drivers/hd44780-ext8bit.c

Change: 

#define RS  STRB
#define RW  LF
#define EN1 INIT 

To:

#define RS  SEL
#define RW  INIT
#define EN1 LF 
  • compile it with option: ‘./configure –enable-drivers=hd44780′
  • make && make install
  • Modify: /usr/local/etc/LCDd.conf

Change:

  • Line 53: Driver=hd44780
  • Line 502: ConnectionType=8bit
  • Line 509: Device=/dev/parport0
  • Line 544: Size=16×2

Test it:

LCDd -f -r 4 -c /usr/local/etc/LCDd.conf &
lcdproc -f -s localhost -p 13666 C M L

If it works its just a matter of copying: scripts/init-LCDd.rpm and scripts/init-lcdproc.rpm to /etc/init.d and configuring chkconfig properly.

Hopefully that helps.

Good regex sites to help with Splunk

Posted in Tips on Tuesday, September 8, 2015 by
  • https://regex101.com/ - Great for general regex stuff and capture groups.
  • http://www.regexe.com/ - Great for dealing with capture groups in the way that Splunk likes them for anonymising data.
  • http://regexr.com/ - Classic website for quick PoC regexs.

Install or Change Server 2012 Product Key

Posted in Operating Systems, Windows, Tips on by
  1. Open Admin command prompt or powershell
  2. Remove the unused KMS key: slmgr -upk
  3. Install your MAK key: slmgr -ipk XXXX-XXXX-XXXX-XXXX
  4. Activate Windows
Next Page »