Friday, July 31, 2009

Fun tracking down malware - svcchost.exe

I love being tech support. Found a little nasty called svcchost.exe (classic!) on a family Windows computer. Run key in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
C:\Documents and Settings\username\Application Data\Microsoft\svcchost.exe

Beacons:

1 0.000000 10.1.1.9 10.1.1.1 DNS Standard query A xdemonx.selfip.org
2 0.000590 10.1.1.1 10.1.1.9 DNS Standard query response A 96.18.166.50
3 0.000895 10.1.1.9 96.18.166.50 TCP 1588 > 3085 [SYN] Seq=0 Win=16384 Len=0 MSS=1460
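As an added example (not code from the original post), here is a small Python triage script that applies the two checks made above to constructed data: it flags Run key entries whose executable lives in the user's profile directory or whose file name is one character away from a legitimate Windows binary (svcchost.exe vs svchost.exe), and it walks a Wireshark-style capture summary to tie a DNS answer for a dynamic-DNS host to the TCP SYN that follows it. The capture lines are the three frames quoted above; the Run key values, the list of imitated binary names, the dynamic-DNS suffixes and the profile directory patterns are illustrative assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the three frames quoted in the post, in Wireshark's
# packet-list summary format (frame, time, source, destination, protocol, info).
CAPTURE = """\
1 0.000000 10.1.1.9 10.1.1.1 DNS Standard query A xdemonx.selfip.org
2 0.000590 10.1.1.1 10.1.1.9 DNS Standard query response A 96.18.166.50
3 0.000895 10.1.1.9 96.18.166.50 TCP 1588 > 3085 [SYN] Seq=0 Win=16384 Len=0 MSS=1460
"""

# Constructed HKCU\...\Run values: the first mirrors the entry found on the machine,
# the second is a benign entry for contrast.
RUN_KEY_VALUES = {
    "svcchost": r"C:\Documents and Settings\username\Application Data\Microsoft\svcchost.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

# Assumed, illustrative lists: names malware likes to imitate, dynamic-DNS suffixes,
# and user-writable profile locations a Run entry normally has no business pointing at.
KNOWN_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "ctfmon.exe")
DYNDNS_SUFFIXES = (".selfip.org", ".dyndns.org", ".no-ip.org")
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; svcchost.exe is one insertion away from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_run_entry(name: str, command: str) -> List[str]:
    """Heuristics for one Run value: user-writable location and lookalike file name."""
    findings = []
    lowered = command.lower()
    if any(d in lowered for d in PROFILE_DIRS):
        findings.append(f"{name}: executable lives in a user-profile directory")
    m = re.search(r'([^\\"]+\.exe)', command, re.IGNORECASE)  # last path component
    exe = m.group(1).lower() if m else lowered
    if exe not in KNOWN_NAMES:
        for known in KNOWN_NAMES:
            if edit_distance(exe, known) == 1:
                findings.append(f"{name}: {exe} is one edit away from {known}")
    return findings


LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_capture(text: str) -> List[dict]:
    """Split each summary line into frame number, time, src, dst, protocol and info."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            no, t, src, dst, proto, info = m.groups()
            rows.append({"no": int(no), "time": float(t), "src": src,
                         "dst": dst, "proto": proto, "info": info})
    return rows


def correlate_beacons(text: str) -> List[str]:
    """Tie DNS answers to the connections that follow them and flag dynamic-DNS lookups."""
    findings = []
    pending: Dict[Tuple[str, str], str] = {}      # (client, resolver) -> name awaiting answer
    resolved: Dict[str, Tuple[str, float]] = {}   # answered IP -> (name, answer time)
    for r in parse_capture(text):
        info = r["info"]
        if r["proto"] == "DNS" and info.startswith("Standard query response"):
            ip = info.split()[-1]
            host = pending.pop((r["dst"], r["src"]), None)
            if host:
                resolved[ip] = (host, r["time"])
        elif r["proto"] == "DNS" and info.startswith("Standard query"):
            host = info.split()[-1]
            pending[(r["src"], r["dst"])] = host
            if host.lower().endswith(DYNDNS_SUFFIXES):
                findings.append(f"frame {r['no']}: {r['src']} looked up dynamic-DNS name {host}")
        elif r["proto"] == "TCP" and "[SYN]" in info and r["dst"] in resolved:
            host, answered = resolved[r["dst"]]
            ports = re.match(r"(\d+)\s*>\s*(\d+)", info)
            dport = ports.group(2) if ports else "?"
            findings.append(f"frame {r['no']}: {r['src']} opened TCP/{dport} to {r['dst']} "
                            f"({host}) {r['time'] - answered:.6f}s after the DNS answer")
    return findings


if __name__ == "__main__":
    for name, cmd in RUN_KEY_VALUES.items():
        for f in check_run_entry(name, cmd):
            print("RUN", f)
    for f in correlate_beacons(CAPTURE):
        print("NET", f)
```

Run on the constructed data it reports the svcchost entry twice (profile directory, lookalike name) and two network findings: the dynamic-DNS lookup in frame 1 and the SYN to the freshly resolved address on port 3085 in frame 3. The DNS-then-connect pairing is the useful part: it turns a bare IP in a firewall log back into the hostname the malware actually asked for.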

Reported to McAfee. They actually have some decent advice for finding run keys:
On Windows XP systems, click START > RUN, type MSCONFIG and hit ENTER. Click the Startup tab.

A McAfee monkey in Bangalore produced a signature and sent back an extra.dat file in just a few minutes. Mission accomplished.

Sunday, July 12, 2009

Advice on how to report an Ubuntu bug

The Ubuntu wiki has a great page on how to report a bug. It includes details of how to install debugging symbol packages (I didn't know these existed, I always headed for the source and compiled a debug build), and detailed gdb instructions.

I also finally learnt a better way to find out which version you are running. Usually I look at /etc/issue or /etc/apt/sources, but this:
lsb_release -rd
gives you the numerical release number. Sweet.

Restarting NFS after changes to /etc/exports

On Ubuntu I was using
/etc/init.d/nfs-common restart
to restart NFS after making changes to /etc/exports. Unfortunately this doesn't work. Use "exportfs -a" to sync changes (clients don't need to re-mount either).