Find what emails are being sent from a Linux server

In this series of articles I am trying to help server admins and owners of VPS or dedicated servers find viruses or malware on their servers. Part of diagnosing your system is seeing what emails are being sent out and from which accounts. Spammers like to use compromised servers, so it makes sense to check regularly that the mail leaving the server roughly matches what you would expect to see.

I have servers that I host client websites on. If a client who usually sends out 20 emails a month suddenly sends out 500 then this is cause for concern and I would immediately investigate the server for malware.

On Linux servers that use Exim as the mail transfer agent, Exim can record the working directory of any local script that hands a message to the queue: the `arguments` log selector (enabled by default on cPanel servers) writes a `cwd=` entry for each submission. Here’s an example of what you would expect to see in an exim_mainlog file:
Note: I like to use Notepad++ to analyze these large text files within Windows as other editors aren’t quite up to the task.

So it looks like there’s some function of the ‘fredbloggs’ website that auto-backs up the database, then sends a related email notice to whatever email address the webmaster provides, in this case, fredbloggs@gmail.com. The working directory for the generation of that message was “/home/fredbloggs/public_html”. Nothing suspicious here as we have an auto-backup program installed on this WordPress-powered website. Nothing to see here, move along please…

Here’s another example:
Again, possibly normal, but I’d raise the question of whether Jane changed her email address in WordPress. If not, this is cause for concern. It’s a kind of detective work where you need to step back and look at all of the evidence to compile the big picture.

So, let’s run a command against the exim_mainlog that counts how many messages each working directory has handed to the mail queue:
The exim_mainlog records the arrival and delivery of every message: where it came from, which address it was delivered to, the hostname of the remote server and more. Extra fields, including the working directory and the message subject, can be added to this log by enabling additional log selectors in the Exim configuration. Your output would be something like this on most systems:
So within the last 30 days, the /cforms directory has handed 8 messages to the queue. Cforms is a discontinued WordPress contact-form plugin, so it no longer receives fixes for any vulnerabilities found in it. Would you expect Jane’s website to do that? A result like this isn’t necessarily suspicious, as it is normal contact-form use. Something like this, however, would be VERY suspicious:
I can’t think of a valid reason why an ‘images’ directory should be sending mail, so alarm bells would trigger and that’s definitely something I would look into further.

So, presuming we saw strange usage numbers or a bizarre path, let’s dig deeper and look at what the Subjects of Jane’s emails actually were, as this gives a good indication of spam activity. Change directory into /var/log, then search the exim_mainlog for the messages accepted from Jane’s account and pull out the subject of each. You get back a list that tells us all we want to know:
Again, no cause for concern and the only spammy one there would be the first one, already marked as such by Akismet.
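As an added example (not the article’s own commands, which did not survive on this page), here is a small POSIX shell script that performs both checks above, the per-directory count and the subject listing, against a constructed exim_mainlog extract. The log lines are made up for this example and assume cPanel-style extended logging, where each script submission is preceded by a cwd= line and each accepted message (<=) carries the subject as T="…"; the usernames, paths, message IDs and addresses are fictitious, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the original article's commands): summarise which
# working directories handed mail to the Exim queue and list the subjects
# of mail accepted from one local account.
# The log extract below is CONSTRUCTED for this example. It assumes
# cPanel-style extended logging (log_selector +arguments +subject), which
# writes a "cwd=" line for each script submission and a T="subject" field
# on each "<=" acceptance line. Names, paths and addresses are fictitious.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
2019-04-22 10:15:01 cwd=/home/fredbloggs/public_html 3 args: /usr/sbin/sendmail -t -i
2019-04-22 10:15:01 1hIJxY-0001Ab-Cd <= fredbloggs@example.com U=fredbloggs P=local S=2048 T="Database backup completed" for fredbloggs@gmail.com
2019-04-22 10:15:02 1hIJxY-0001Ab-Cd => fredbloggs@gmail.com R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2019-04-22 10:15:02 1hIJxY-0001Ab-Cd Completed
2019-04-23 09:30:45 cwd=/home/jane/public_html/wp-content/plugins/cforms 3 args: /usr/sbin/sendmail -t -i
2019-04-23 09:30:45 1hIgeD-0004Ab-Ef <= jane@example.com U=jane P=local S=1500 T="Contact form enquiry" for jane@example.com
2019-04-23 14:02:10 cwd=/home/jane/public_html/wp-content/plugins/cforms 3 args: /usr/sbin/sendmail -t -i
2019-04-23 14:02:10 1hIkuW-0004Zz-Gh <= jane@example.com U=jane P=local S=1620 T="Contact form enquiry" for jane@example.com
2019-04-24 03:00:12 cwd=/home/jane/public_html/wp-content/uploads/images 3 args: /usr/sbin/sendmail -t -i
2019-04-24 03:00:12 1hJ3zR-0005Cd-Ij <= jane@example.com U=jane P=local S=900 T="Cheap meds online" for someone@example.net
2019-04-24 03:00:13 cwd=/home/jane/public_html/wp-content/uploads/images 3 args: /usr/sbin/sendmail -t -i
2019-04-24 03:00:13 1hJ3zS-0005Cd-Kl <= jane@example.com U=jane P=local S=900 T="Cheap meds online" for other@example.net
2019-04-24 03:00:14 cwd=/home/jane/public_html/wp-content/uploads/images 3 args: /usr/sbin/sendmail -t -i
2019-04-24 03:00:14 1hJ3zT-0005Cd-Mn <= jane@example.com U=jane P=local S=900 T="Blue pills, no prescription" for third@example.net
2019-04-24 03:00:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1hJ3zT-0005Cd-Mn
EOF

# Count queue submissions per working directory. Entries under /var/spool
# are Exim's own delivery processes, not scripts, so they are dropped.
count_cwd() {
    grep 'cwd=' "$1" | grep -v 'cwd=/var/spool' \
        | sed -n 's/.*cwd=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# The busiest directory, printed as "count path".
top_cwd() { count_cwd "$1" | head -n 1 | awk '{print $1, $2}'; }

# Subjects of messages accepted (<=) from a given local user (U=user).
subjects_for() {
    grep ' <= ' "$1" | grep "U=$2 " | sed -n 's/.*T="\([^"]*\)".*/\1/p'
}

# How many of that user's subjects match a spam pattern (extended regex).
spam_subjects() { subjects_for "$1" "$2" | grep -Eic "$3" || true; }

printf '== submissions per working directory ==\n'
count_cwd "$LOG"
printf '== subjects sent by jane ==\n'
subjects_for "$LOG" jane
printf 'spammy subjects from jane: %s\n' "$(spam_subjects "$LOG" jane 'meds|pills')"
```

On a live server replace the temporary file with /var/log/exim_mainlog (older days live in the rotated copies alongside it) and run it as root, since the log is not readable by ordinary accounts. The cwd= path of anything that looks wrong, an uploads or images directory for instance, is the directory to start searching for the offending script.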

If you have lots of adverts for cheap meds or blue pills in there then you need to find the offending code that’s pushing spam through your email system; the cwd= path from the previous step tells you which directory to search first. Start with a virus scan on your Linux server.

Hope this helps and feel free to drop me a comment below.

 


Kaspersky Pure replaced by Total Security

Since I am getting a lot of questions on where Kaspersky Pure has gone and how to upgrade, I’ll try to clarify a few things. Yes, the main Kaspersky.com website has now dropped Pure as a product, seemingly without notification. The localized websites (such as .co.uk etc) have followed too. It seems that Kaspersky Pure has been phased out in favour of ‘Total Security’. There are a lot of Pure installation CDs out there so what to do?

OK, so here comes the terminology first:

  • KTS stands for Kaspersky Total Security
  • KIS stands for Kaspersky Internet Security
  • KAV stands for Kaspersky Anti-Virus
  • Changing from one installed product to another is called ‘migrating’

If you have an active or expired Kaspersky PURE 2.0 or 3.0 license, you have special options of migrating to Kaspersky Total Security. You can also migrate to Kaspersky Total Security from Kaspersky Internet Security and Kaspersky Anti-Virus or vice-versa.

Who can’t upgrade to Kaspersky Total Security?

Note that free migration to Kaspersky Total Security is not possible for the oldest versions of PURE. These were the original ‘version 1’ programs, named:

  • Kaspersky PURE
  • Kaspersky PURE R2 (note that this is NOT the same as Kaspersky PURE 2.0)

They can’t be upgraded because their activation codes are incompatible with Kaspersky Total Security.

Now we know what versions can’t be upgraded, let’s upgrade those that can…

Free upgrades to Total Security

Successful upgrading depends on the current status of your license:

  • If you have an active licence for Kaspersky PURE 2.0 or Kaspersky PURE 3.0, you can simply use your current activation code for migration (upgrading) to Kaspersky Total Security.
  • If your license for Kaspersky PURE 2.0 or Kaspersky PURE 3.0 has expired, you can visit my shop here to buy Total Security at a cheaper price than renewal, then install it which migrates the licence for you automatically.

Migrating the Pure licence key to Total security

If you have Kaspersky PURE 2.0 or Kaspersky PURE 3.0 installed on your computer, do the following to upgrade to Kaspersky Total Security:

Download the Total Security package here (opens in a new window for you). This is what you should see:

[Screenshot: Kaspersky download page, Total Security listed first]

Grab the top one in my screenshot above, Total Security, and download it. Now we have 2 options, either installing over the top of Pure or removing Pure and installing your downloaded KTS. I have listed both below:

Option 1 – Install Kaspersky Total Security without removing Kaspersky PURE

When you install Kaspersky Total Security on top of Kaspersky PURE 2.0 or Kaspersky PURE 3.0, the following data is preserved:

  • License information
  • Quarantined objects
  • Product settings (config settings including Backup tasks)
  • Encrypted containers (including all data)
  • Password Manager databases for all user accounts. All data that was available when working with Password Manager, such as passwords to programs and accounts, identities, notes, etc.
  • Anti-Spam databases (if the Anti-Spam component was previously used)
  • Backup stores

This makes it the easier option for most users. If you are not experiencing any issues with Pure then do this. If you have slowdown issues, configuration problems or just want a fresh install (which is always nicer) then jump to Option 2 below.

Screenshots of the installation process when installing over Kaspersky Pure:

[Screenshots: Kaspersky Total Security installer running over PURE, through to the finish/restart prompt]

This took about 3 minutes for us to complete including the restart, just accept the defaults.

Option 2 – Install Kaspersky Total Security, removing Kaspersky PURE first

CAVEAT – You must have your licence key available which can be found on the card inside the product case.

CAVEAT 2 – You will lose any saved passwords in the Kaspersky Password Manager. Not everyone uses this and it won’t affect other password managers such as LastPass, Roboform, Keepass etc.

CAVEAT 3 – You will lose any quarantined files, backup stores, encrypted containers and spam databases (if used) which are again specific to Kaspersky Pure

  • Fully uninstall Kaspersky Pure via your control panel.
  • Reboot your PC
  • Install Kaspersky Total Security from the file you downloaded earlier or from a packaged CD.

If you have never installed a program before, here is some help on how to do it:

 

I hope that this helps answer your questions on installation, upgrading and compatibility. Kaspersky remains the most effective of all the antivirus and Internet security suites that we have tested in our workshop and Total Security is a worthy replacement for Pure.


Slow Windows 8 update speeds fixed

Slow Windows Update checks in Windows 8 (and slow network access in general) are sometimes caused by stale or invalid entries in the local DNS resolver cache. (This is often called a ‘poisoned’ cache, but DNS cache poisoning proper is an attack in which forged records are planted in a resolver; here we are simply dealing with expired or wrong entries.) Symptoms may be difficulty opening websites or problems with Windows Update. The remedy is to clear the DNS cache, which discards every cached entry, valid or not, and forces fresh lookups.

How to Flush the DNS Cache to speed up Windows 8

  • Logon to your Windows 8 computer with an administrative account.
  • Click on the desktop tile from the Start screen to go to the desktop window.
  • Hover the mouse over the bottom right corner of the window.
  • From the displayed options, click “Search”.
  • On the opened Search pane at the top right, ensure that the Apps category is selected.
  • Type in “cmd” without the speech marks.
  • From the displayed results on the Apps window, right-click on Command Prompt.
  • From the displayed advanced options at the bottom of the window, left click on “Run as administrator”.
  • When you see the User Account Control box, click “Yes” to provide the administrator approval to open the command prompt with the elevated privileges.
  • At the black command prompt window, type “ipconfig /flushdns” and press enter. This will delete the DNS cache.
  • Close the command prompt window when done.
  • Restart the computer if you like; the flush takes effect immediately, so this step is optional.

After flushing the DNS cache, each hostname is looked up afresh from the configured DNS server the next time it is needed, instead of being answered from a stale local entry.

 


Failure configuring windows updates reverting changes do not turn off your computer

This is quite a common fault on PC systems I have seen, ranging from XP through to Windows 8. There are various ‘fixes’ mentioned out there, some of which are potentially damaging, so I thought I’d share my method of repair here. It has worked on 99% of computers we have had through the repair shop.

The fault often is triggered by a single downloaded update that does not want to apply itself. Subsequently, all the other downloaded updates fail too. If left, these updates will grow in quantity every week until they are difficult to diagnose, so do this sooner rather than later.

  • First off, check you are logged in as an administrator on the system.
  • Make sure that your clock set to the correct time, date, year and timezone. Don’t skip this, double check it!
  • In the following steps, make sure you download the correct version for your operating system, e.g. Windows 7 64-bit. If you are not sure which version you have, open Control Panel, select “View by small icons” and click System. Here you’ll see your Windows Edition and System Type. While you are in here, check that you can see “Windows is activated”. If not, this is your problem and you need to activate Windows: click Start, type “activate” and click Activate Windows.
  • You can disable your antivirus temporarily but this is not necessary unless you try this method and it fails. Make sure if you do this that you are behind a firewall, either the Windows one or one in your router.
  • Stop the Windows Update service first: open an elevated command prompt and run “net stop wuauserv” (otherwise the files are in use and the folder refills). Then open ‘Computer’, navigate to C:\Windows\SoftwareDistribution\Download, delete everything you find in this folder, and run “net start wuauserv”.
  • Now, go to Windows update history on the computer (Control Panel, Windows Updates and select View Update History). Look at the ones that failed and note the KB number. You can then go to Microsoft Download Center and download each one individually by searching on the KB number. Use Internet Explorer for this, not Firefox/Chrome etc. After manually downloading and installing each one, restart the computer and repeat the process until each update is applied. Don’t skip the restart, this is necessary to apply many updates.
  • Once the list of downloads is finished you can create a restore point and then try an automatic Windows Update again, it should work now.

 

You can also give this a try – Windows Update Troubleshooter. While this is, in theory, an automatic fix to the ‘failure configuring Windows updates’ issue, it doesn’t always work, so I prefer to use my method above first, which isolates the problem to a single download. Good luck!

 


Cannot modify header information – headers already sent

So what exactly is ‘modify header information’ anyway? Well, it’s quite a common problem and one that has no definitive answer because there are many different code reasons why it occurs. That said, if you understand why it’s happening you should be able to diagnose your issue more easily. I’ll give an explanation first and then go on to provide a fix for WordPress template files as these seem to be the most prevalent code examples that get hacked and chopped about.

Headers sent to your browser explained

So, this error appears while your server is building the response to a visitor’s request. An HTTP response is headers first, then the body, and the headers have to go out before any of the body. Once PHP has started sending body output (some HTML, an echo, even a stray blank line), it can no longer add or change headers, so a later call to header() for a redirect, a cookie or a content type fails with “Cannot modify header information – headers already sent”. Take this code example:
It’s simple enough PHP code where the object is to redirect the user’s browser to another website. It will not work, though, because the <html> line has already started output to the browser. Remember that header() must be called before any actual output is sent, and output can come from plain HTML, from PHP echo/print, or even from blank lines outside the PHP tags.

The blank lines header error

The presence of blank lines within PHP in a file can cause errors. Here’s another example:
Spot the mistake? It’s a common one: the extra space after the final question mark is output to the browser and can be the difference between the page working or not. PHP discards a single newline immediately after a closing ?>, but a space, a second newline or a line of blanks is sent as output. Extra whitespace where it shouldn’t be is tricky for coding beginners to spot, so work logically through the code and try to structure it as cleanly as possible. Compare any modifications you have made with the original file and try the original again to see if that still triggers the error. Typical culprits are whitespace or new lines before the opening <?php or after the closing ?>. For files that contain nothing but PHP code (as WordPress’s own files do), the cleanest fix is to leave the closing ?> off entirely, so there is nothing after the code to leak.

If your code has more than one PHP block in it and they are directly after each other, remove any spaces in between them. Try to consolidate the PHP into one block if possible here too.

 

Modify headers error where session_start() is used

Here’s another scenario:
So what is going wrong here? Well, the session_start() function attempts to send headers with the session cookie to the client. Unfortunately, PHP already sent headers when it wrote the title element to the ‘output stream’. To resolve this, you would need to move the session_start() code to the top, above the <html> line.

The error message itself tells you where to look: it names the file and line where output started (“output started at …”) as well as the file and line of the header() call that failed, so check the PHP and HTML around the first of those locations.

Script encoding errors, UTF-8 and BOM

The Byte Order Mark (BOM) is a Unicode character used to signal the byte order (aka ‘endianness’) of a text file or stream. Still with me? If not, don’t worry: all you need to know is that in a PHP file a BOM sits before the opening <?php, so PHP sends those three bytes to the browser as output and the headers are already gone. There is, in my mind, little place for a BOM in a WordPress installation. The Unicode standard permits a BOM in UTF-8 but doesn’t recommend it.

Errors caused by the inclusion of BOM are generally because

  • You viewed the source in a bad text editor and saved it (hint use Notepad++ which is free and brilliant)
  • You used a poor FTP client (hint: use WinSCP, also free and brilliant)
  • You had the BOM in there originally (hint: don’t download files from dodgy sites).

The simple solution is to open the offending files in Notepad++ (or a similar good text editor) and save them as UTF-8 without BOM (the Encoding menu in Notepad++). Line-ending style (Windows, Mac or Unix) is a separate setting and makes no difference to the BOM, although Unix endings are the sensible choice for files that live on a Linux server.

For advanced users, a find-based one-liner run on the server can strip the BOM from every file under a directory. Use with caution as it rewrites files in place.

If you prefer to tread cautiously, first run a version that only lists the files carrying a BOM.

A BOM can only sit at the very start of a file (the UTF-8 byte sequence is 0xEF 0xBB 0xBF), so such a check only needs to look at the first few bytes of each file and runs quickly.
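As an added example, not from the original article, the following POSIX shell script checks a directory of PHP files for the three sources of stray output discussed in the blank-lines section and in this BOM section: a UTF-8 byte order mark, whitespace before the opening <?php, and anything after the final ?>. It can also strip a BOM in place. The sample files it creates are constructed in a temporary directory so it runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): find PHP files that will
# trigger "headers already sent" because bytes outside the PHP tags are
# sent as output: a UTF-8 BOM (EF BB BF) at the start of the file,
# whitespace before the opening <?php, or anything after the final ?>.
# PHP swallows exactly one newline after ?>; anything more is output.
# The sample files are CONSTRUCTED in a temporary directory; point
# check_tree at a real theme or plugin directory instead.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '\357\273\277<?php\necho "bom";\n'   > "$WORK/bom.php"       # BOM first
printf '\n<?php\necho "leading";\n'         > "$WORK/leading.php"   # blank line first
printf '<?php\necho "trailing";\n?>\n \n'   > "$WORK/trailing.php"  # blanks after ?>
printf '<?php\necho "closed";\n?>\n'        > "$WORK/closed.php"    # fine: one newline
printf '<?php\necho "clean";\n'             > "$WORK/clean.php"     # fine: no closing tag

# True if the first three bytes are the UTF-8 byte order mark.
has_bom() {
    [ "$(dd if="$1" bs=3 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# True if the file does not start with "<?php" (a BOM, a blank line or
# spaces come first and would be sent to the browser).
has_leading_output() {
    [ "$(dd if="$1" bs=5 count=1 2>/dev/null)" != "<?php" ]
}

# True if anything other than a single newline follows the last "?>".
has_trailing_output() {
    awk '
        { line[NR] = $0 }
        /[?]>/ { last = NR }
        END {
            if (!last) exit 1                     # no closing tag: nothing can leak
            s = line[last]
            while ((i = index(s, "?>")) > 0) s = substr(s, i + 2)
            if (s != "" || last < NR) exit 0      # text after ?>, or further lines
            exit 1
        }' "$1"
}

# Remove a leading BOM, keeping the rest of the file byte for byte and
# overwriting in place so ownership and permissions are preserved.
strip_bom() {
    if has_bom "$1"; then
        tail -c +4 "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
    fi
}

# Report "<reason> <path>" for every problem file under a directory.
check_tree() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        if has_bom "$f"; then printf 'bom %s\n' "$f"
        elif has_leading_output "$f"; then printf 'leading-whitespace %s\n' "$f"
        fi
        if has_trailing_output "$f"; then printf 'trailing-output %s\n' "$f"; fi
    done
}

check_tree "$WORK"
```

Run check_tree first and read the list before letting strip_bom loose on a site; the leading-whitespace and trailing-output cases still need a hand edit, since blindly deleting bytes there could remove something the file needs.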

Code your way out in functions.php

Well, I said I would give you a solution that works for WordPress and here it is. Please note, I would thoroughly recommend attacking the other solutions above first but if you are at your wits end try adding this to your theme’s functions.php file:
With this in place, PHP buffers the page’s output instead of sending it to the browser piece by piece, and only flushes it when the script finishes. Because no output has left the server yet, a header() call or redirect issued later in the page still works, which lets your WordPress installation redirect users as it sees fit. Be aware that this hides the symptom rather than removing the stray output, so treat it as a last resort.

Summary

Remember, what you are trying to find is basically two lots of output to your browser and this is often via HTML code and PHP code being run at the same time. Track it down and your error should be removed. Don’t underestimate the widespread duff code in 3rd party plugins too, disable these one by one and try again.

Hope this helps you to sort out your ‘headers already sent’ issues, please use the social links to recommend this page to others before they pull their hair out too 🙂

 


How to clear the DNS cache

[Image: clearing the DNS cache on Mac and Windows]

Your DNS cache stores the IP addresses that hostnames recently resolved to, so the next visit to the same site doesn’t need another lookup. If a web server moves to a new address before the cached entry expires, your computer keeps connecting to the old address: the site appears unreachable, or the old server answers (sometimes with its own 404 page for a site it no longer hosts). DNS itself never returns a 404; that is an HTTP status from whichever server you ended up talking to.

This is particularly common for webmasters who have just moved a site to a new server and are presented with the old page, or no page at all, while the new site is already visible from another computer or a mobile phone, which makes it even more frustrating.

By clearing this DNS cache, your computer will then re-query the nameservers for the new DNS information.

How to clear your computer’s DNS cache in Windows 2000, XP, Vista, 7 or 8

  • Click the Start button
  • On the Start menu, click Run
  • If you do not see the Run command in Vista/7/8, enter “run” in the Search bar just above the start orb
  • Type the following in the Run text box: ipconfig /flushdns
  • Press Enter

Pay attention to the space between the g and the forward slash.

Close the command window and retry your browser. On Vista and later the command must run from an administrator Command Prompt; if you see “The requested operation requires elevation”, right-click Command Prompt, choose “Run as administrator” and run it again there.

How to clear your computer’s DNS cache in Mac OS 10.7 onwards

Please note that for this to work you require the Admin account password.

  • Click Applications
  • Click Utilities
  • Double click the Terminal application
  • Type in: sudo killall -HUP mDNSResponder

Close the terminal window and retry your browser.

How to clear your computer’s DNS cache in Mac OS 10.6 and below

  • Click Applications
  • Click Utilities
  • Double-click the Terminal application
  • Type in: dscacheutil -flushcache

That’s it and you should now be able to fire up your browser and get a fresh version of the page.


How to make WordPress secure

Want to make WordPress secure? Then let’s harden it now! OK this is going to be a long article that I’ll add to as “best practice” changes with new releases.  For starters, let’s clear up what I’m trying to teach.  What we are doing here is limiting access by people who are trying to compromise your WordPress installation. And they are out there, believe me.

So first off, the easy stuff….

  1. Keep your WordPress and Plugins updated. You can lock down WP all you want but if you have a dodgy plugin you could be wide open to the world.
  2. Keep your server up to date. Vulnerabilities in older versions of php and various scripts mean that an attacker could get in outside of the WordPress installation.
  3. Shared hosting. I personally don’t use this as it can severely compromise security. Even if you do all the locking down possible, someone else may leave wide-open gaps on the server.  If you want reliable VPS hosting I recommend taking a look at  Servint dedicated and VPS hosting.
  4. Use a decent antivirus and antimalware on your own PC.  The largest amount of compromised servers come from password attacks and if you have malware on your PC that gets your FTP password then it’s ‘Game Over’. Use Kaspersky and MalwareBytes for a great solution.
  5. Choose strong passwords. Never underestimate how easy most passwords are to crack with a computer. Passwords such as “Password”, “abc123” and “Letmein” are crackable in minutes. Pets’ names, people’s names and car names are all easily guessable too. Use a long passphrase that includes non-alphabetic characters such as $ or !, and a different password for every site; a password manager makes that painless.

 

WordPress file permissions

Now let’s move on to WordPress file permissions. These are most people’s nightmare but it doesn’t have to be difficult. All files should be owned by your account and writable only by you. For directories, if you use suPHP on your server (and I recommend you do, because PHP then runs as your own user rather than as the shared web-server user) they should all be 755. If not using suPHP then follow these rules:

  • /wp-content/plugins/ These are the plugin files. All files should be writable only by your user account.
  • /wp-includes/ WordPress’s ‘logic’ files.  All files should be writable only by your user account.
  • /wp-content/themes/ Your theme files. If you want to use the built-in theme editor, all files need to be group writable. If not, all files can be writable just by your user account
  • /wp-admin/ This is the WordPress admin area. All files should be writable only by your user account.
  • /wp-content/ This is where uploads, caches and other content are written at run time. It needs to be writable by your user account and by the web server process (owner plus group), which is already the case under suPHP. Never make it world-writable (777): on a shared server that lets every other account on the box drop files into your site.

For other directories under /wp-content/ you should read the relevant plugin or theme documentation.  Err on the side of caution here though, locking down first and working backwards to release permissions where required.

For novices looking for a quick guide, if you are not using SuPHP then do this:

Set all directories to 755 and all files to 644. Then tighten wp-config.php: 600 where PHP runs as your own user (suPHP), otherwise 640 with the web server’s group as the file’s group, so no other account on the server can read your database username and password. (750 is sometimes suggested; the execute bit does nothing useful on a PHP file, and the point is simply to remove world read access.)


From WordPress version 2.7, there has been the facility to automatically update the WordPress installation.  It is remarkably stable and well tested so I recommend this is used.  The great thing is that after the update, all files are set to 644 and all directories to 755  and writable by only the user.  They are still readable by everyone else, including the web server.
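As an added example, not from the original article, the following POSIX shell script applies that baseline (755 on directories, 644 on files, a tighter mode on wp-config.php) to a constructed WordPress-like tree and then audits for anything still world-writable. The directory layout and the two deliberate mistakes are made up for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): apply the baseline of
# 755 on directories and 644 on files to a WordPress tree, lock down
# wp-config.php, and audit for anything still world-writable.
# The tree below is CONSTRUCTED in a temporary directory so the script runs
# offline; run harden_tree against a real document root as the account owner.

SITE=$(mktemp -d)
trap 'rm -rf "$SITE"' EXIT
mkdir -p "$SITE/wp-admin" "$SITE/wp-includes" \
         "$SITE/wp-content/uploads" "$SITE/wp-content/plugins/demo"
printf '<?php\n// constructed: define("DB_PASSWORD", "secret");\n' > "$SITE/wp-config.php"
printf '<?php\n// constructed plugin\n' > "$SITE/wp-content/plugins/demo/demo.php"
printf 'jpeg' > "$SITE/wp-content/uploads/photo.jpg"

# List every world-writable file or directory under a tree.
world_writable() { find "$1" -perm -002; }

# List files that are not 644 (wp-config.php excepted) and directories
# that are not 755; an empty result means the baseline is in place.
audit_baseline() {
    find "$1" -type f ! -name wp-config.php ! -perm 644
    find "$1" -type d ! -perm 755
}

# Apply the baseline. The second argument is the mode for wp-config.php:
# 600 when PHP runs as your own user (suPHP), 640 when the web server
# must read it through your group. Defaults to 600.
harden_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod "${2:-600}" "$1/wp-config.php"
}

# Start from a clean tree, then simulate two mistakes common on hacked
# sites: a 777 uploads directory and a 666 plugin file, both writable by
# every account on the server.
harden_tree "$SITE" 644
chmod 777 "$SITE/wp-content/uploads"
chmod 666 "$SITE/wp-content/plugins/demo/demo.php"

BEFORE=$(world_writable "$SITE" | grep -c . || true)   # 2 on the constructed tree
harden_tree "$SITE" 600
AFTER=$(world_writable "$SITE" | grep -c . || true)    # 0 once hardened
printf 'world-writable before: %s, after: %s\n' "$BEFORE" "$AFTER"
audit_baseline "$SITE"                                  # prints nothing when clean
```

Run world_writable against a real docroot before changing anything; on a shared box a non-empty list is exactly where another tenant, or a previous compromise, could have planted files. If a plugin genuinely needs to write somewhere, loosen that one directory to group-writable rather than reaching for 777.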

This now leads us on to ‘security by obscurity’. In other words, making the default stuff different so attackers spend more time at the first hurdle. Here are my top tips for quick and easy fixes.

  1. Stop showing the WP version you are currently running. Why? Well, if you are running an older WordPress version with a known vulnerability then you effectively advertise this to the world. There are numerous plugins to do this for you, but you can simply add <?php remove_action('wp_head', 'wp_generator'); ?> to your theme’s functions.php file. Note that there are other ways of finding out the version a WP website runs (the ?ver= query strings on its scripts and stylesheets, or a readme.html left in the web root), but this hides the obvious one.
  2. Rename the admin account. I do this on a new install from within Fantastico but you can also create a new Administrative account from WordPress’s back end and delete the default admin account. You will get prompted to pass ownership of all the deleted user’s posts to the new Admin which is recommended.
  3. Change the WordPress database table prefix. A lot of WordPress-specific SQL injection attacks assume that the database table prefix is “wp_”, so changing it blocks the lazier automated attacks (but not all: an injection that can read information_schema or run SHOW TABLES will discover the real prefix). Treat this as a speed bump, not a fix; the fix is keeping vulnerable plugins off the site.

Finally, 3 words I can’t stress the importance of……Backup, Backup and Backup.  Don’t hesitate to make this a priority. For a complete backup AND a brilliant way to clone your entire site check out the excellent WP-Twin WordPress Clone Software. This not only creates a FULL backup of WordPress’s database, but it backs up all other files and folders for you. It will enable you to move your installation across servers too, something most backup software won’t do. Most blogs can be completely cloned and backed up in a few minutes without any technical knowledge.

Good luck and hope this helps you to make WordPress secure.

 


Online backup and coupon code for 20% off Mozy

Online backup just got a whole lot cheaper with the latest coupon code from Mozy. Click the link below and type in the coupon code ENCRYPTION for a 20% discount:

Mozy online backup coupon code

Note: Enter the code into the promotional code box at signup to get the full discount.

 

Other recent contenders for our recommended backup software:

Crash Plan


Get more space on Dropbox

Here’s a great way to get more space on Dropbox, the free secure online file storage service.

Recently, Dropbox offered an increase to customers who used the Camera Upload facility. This method takes advantage of their generous offer and allows you to use that free space to the maximum.

First, if you haven’t got this great free online storage tool then click here to download it with a free gift of extra storage from me!

Note down your current Dropbox allowance by left-clicking once on the tray icon (e.g. 1GB of 2.5GB used). Don’t skip this step.

Copy 2.5 GB or more of video files to a pen drive or external hard drive. Don’t try to just copy to a folder on your PC as this won’t work!  You can use photos (or even a combination of photos and videos) but lots of small files take much longer to upload. Try to avoid a single movie that is very large, eg 3.5GB as syncing this is often flaky. If you’re in a hurry, increase your syncing speed by right clicking the tray icon then Preferences > Bandwidth and select ‘Don’t limit’ on both upload and download speeds.

Switch off other Dropbox devices that sync, just use one PC.

Put the pen drive in and allow the Dropbox import pop-up to show. If it doesn’t show, select it from the Windows AutoPlay box. Note: if AutoPlay is not enabled, click Start, type “autoplay” and click the AutoPlay link at the top of the panel. Set “Import pictures and videos using Dropbox” in the following fields as shown:

[Screenshot: Windows AutoPlay settings with Dropbox selected]

 

Once you see the Dropbox Camera Upload box, untick the ‘always do this’ box (IMPORTANT if you are not interested in always using the feature).
Import to your Camera Uploads folder in Dropbox.

[Screenshot: Dropbox Camera Upload dialog]

Let the import finish; syncing starts immediately. Note this may take several hours or days depending on your connection speed! Watch your allowance go up to 3GB more than you had before (e.g. 4GB of 5.5GB used).
Delete the files if you want to, but leave 1 in there. Rinse and repeat using the same pen drive for any other Dropbox accounts, family or friends. Rename a few files and swap one each time just in case. Now you have extra space and can use it whenever you want.

 

Dropbox free space FAQ

Why copy 2.5GB not 3GB of files to Dropbox?

This is because Dropbox currently give you 0.5GB for using the Camera Upload feature and 0.5GB for each further 0.5GB of files that you copy over.

What about Dropbox’s upload and download speed settings that I changed?

Change them to whatever you are comfortable with. If you have a slow connection then limit it to 50kB/s download and 10kB/s upload, otherwise don’t limit it.

Does this work on the iPad/iPhone?

Sure does. Download the iPad and iPhone app here. This link takes you directly to the App Store and allows you to download the free Dropbox app. Once installed, any future camera photos and videos will be seamlessly transferred to secure online storage. Dropbox is indispensable for the iPad and you can use it to upload files (including movies) to the iPad too, without iTunes!

 

Final thoughts

If your friends don’t have Dropbox then please point them to this article and get them to use my download link above to say thanks. Dropbox is a great tool and has been completely stable on my systems and client systems for many years.

 


Prevent scheduled disk check in Windows Vista

Occasionally you may need to prevent a scheduled disk check in Windows. It runs during the reboot and can take a long time, sometimes an hour or more depending on drive size and the data on it. Once the check has started it should not be interrupted: turning the power off mid-scan can corrupt the file system.

Here’s the answer to prevent it from occurring on restarting the PC:

Open the command prompt with administrative privileges (Type “cmd” in the search box in the Start Menu, then right click cmd.exe in the search results and select “Run as Administrator”)

Type “chkntfs /x c:” (where c: is the letter of the drive that has been scheduled for checking; repeat for any other drive letter).

This excludes the drive from the automatic check at boot and allows a speedier reboot. Note that the exclusion is persistent: run “chkntfs /d” later to restore the default behaviour, and if the volume really was marked dirty, run chkdsk on it at a convenient time rather than leaving the problem unexamined.