BLOG.ROOTLAU.COM - I.T.

AVG 誤報 userenv.dll 為木馬病毒

nospam@example.com (Root Lau) — Fri, 18 Sep 2009 23:34:56 -0500

AVG 大誤判

一早就連續接到幾通 AVG 抓到 c:\windows\system32\userenv.dll 有木馬的電話，本來接到第一通還問他昨天是不是有用隨身碟或是下載什麼程式，等到接到第二通、第三通就直覺應該是誤判，於是趕緊打開自己的電腦果然出現一樣的警示：

找到特洛伊木馬 Downloader.Generic8.8RZC

出現這個請直接【忽略】就好，只是會一直出現很煩耶！

或者是這個，請不要按「移除所選的感染檔案」或是「移除所有未修復的感染檔案」，直接按【關閉】就好了。

已經無法開機了怎麼辦？

如果你已經整台電腦掃毒然後 AVG 告訴你要重開機你也照辦了，那看到這篇就有一點太晚了，因為你的電腦應該已經無法開機了！

遇到這種情形也還不到重灌的地步，只要把被 AVG 防毒殺掉的 userenv.dll 補回去就正常了，但是你要有可以開機的光碟才能作這件事。

我是習慣用 XPE 來救，但是因為不是合法的版權所以不方便在這裡提供，請你自行用搜尋引擎找找看有沒有下載點，另外你也可以試試看用 Ubuntu Live CD 開機，然後將 userenv.dll 複製到 c:\windows\system32 即可。

沒有 userenv.dll 的話，這裡有提供 userenv.dll的壓縮檔可以下載，這是WinXP SP3的版本，其他的請自行設法從別台電腦取得。

這個問題應該在新的病毒碼出來之後就會消失了，但就怕已經很多人已經中招無法開機了 XD

2009/09/18 10:30PM 更新

更新最新版的病毒碼之後這一次的誤報事件算是落幕了，請你檢查一下你的病毒琰是不是已經升級到 2380，如果還沒的話快手動更新一下就不會再出現誤判警告了。

AVG 免費版防毒軟體：http://www.avgtaiwan.com

AVG 誤判官方討論串：http://forums.avg.com

userenv.dll 檔案下載：http://www.dll-files.com/dllindex/dll-files.shtml?userenv

SquirrelMail + poppassd

nospam@example.com (Root Lau) — Mon, 02 Jun 2008 15:54:00 -0500

不管輸入的密碼是多麼的正確，一律給錯：

很久沒有替別人安裝過 Mail Server 了，那個 Fedora Core 8 真了得‧‧‧

除了給那個 Bind 玩耍了幾天外，Poppassd 也攪了我十數個小時‧‧‧

那個 bind 竟然不許其他 ip 查詢‧‧‧

而 Poppassd 就錯漏百出‧‧‧

500 Old password is incorrect

查了半天程式、 log 、網路，不斷搜尋資料，一直找不到原因，直到看到有人提到 /etc/pam.d/poppassd 裡面

#%PAM-1.0
auth required pam_pwdb.so shadow nullok
account required pam_pwdb.so
password required pam_cracklib.so retry=3
password required pam_pwdb.so use_authtok nullok

使用的 pam_pwdb.so ，但是系統上沒有這個檔案 O_O 。仔細一查，奇了，竟然真的找不到這個檔案。

知道原因，就好辦。仔細查了一下，在 pam 套件裡，真的沒提供 pam_pwdb.so 。而 pam_pwdb.so 與 pam_unix.so 是相同功能的模組，於是解決方法就很簡單了：

cd /lib/security
ln -s pam_unix.so pam_pwdb.so

建立一個 soft link ，用 pam_unix.so 來提供 pam_pwdb.so 的功能，搞定！

但是，要求的 password 就很有要求了，我敢肯定用戶不大可能記到這樣子的密碼‧‧‧ >_<

相信不足三、二天就一定會有人走來跟我說忘記了密碼；還需努力，再找！

修改 /etc/pam.d/poppassd

刪除 pam_cracklib.so 這一行 (在這行的前面加 # 號)

在這行 "password required /lib/security/pam_unix.so use_authtok nullok"

刪除 pam_unix.so 後面的 "use_authtok"

終於可以睡覺了，但太陽伯伯已經出來!‧‧‧ z... z... Z...

Ubuntu 8.04 LTS Server

nospam@example.com (Root Lau) — Sun, 01 Jun 2008 05:16:00 -0500

當我收到 Ubuntu 8.04 LTS Server 這張光盤時，興致勃勃地開始安裝‧‧‧

由一開始接觸 Linux 就是使用 Redhat，別的就從沒有用過；聽說 Ubuntu 是個不錯的 distrubtion。

開始安裝時，也是得簡單，整過過程也不難，好像少了些什麼似的‧‧‧

但是當安裝完時竟然無法以 root 登入，即時 O 晒嘴；對了，安裝時好像並沒有問 root 的密碼！只有使用安裝時建立的用戶登入好了。

最後在線上找到了些有關於 Ubuntu Server 的資訊，原來她是把 root 的帳戶 disable 了，是為了安全吧了。如果要使用只有 root 才能使用的指令，就只得在指令前加上 sudo 才可以使用。

如果要一直使用 root 的身份，可以使用以下指令：

sudo -i

如果要啟動 root 的帳戶，可以使用以下指令：

sudo passwd root

如果要關閉 root 的帳戶，可以使用以下指令：

sudo passwd -l root

也可以在安裝時按 [F6] 進入進階模式，那裡可以啟動 root 的帳號並設定密碼。

解決 dovecot POP3 收信時發生 Mailbox / INBOX 錯誤的問題

nospam@example.com (Root Lau) — Mon, 24 Dec 2007 03:28:00 -0600

解決 dovecot POP3 收信時發生 Mailbox / INBOX 錯誤的問題

版本: dovecot-0.99.13-3.FC3

maillog:

pop3(某帳號): Error syncing mbox file /var/mail/某帳號: LF not found where expected
pop3(某帳號): Error indexing mbox file /var/mail/某帳號: LF not found where expected
pop3(某帳號): Couldn't open INBOX: Internal error occured. Refer to server log for more information.

以 telnet 登入 110 埠:

輸入完密碼後回應: -ERR No INBOX for user.

版本: dovecot-1.0-0.beta2.7

maillog:

pop3(某帳號): Mailbox init failed top=0/0, retr=0/ del=0/0, size=0

Outlook Express 訊息:

登入您的郵件伺服器時發生錯誤。您的密碼被拒絕。...通訊協定: POP3, 伺服器回應: '-ERR Mailbox isn't a valid mbox file',... 伺服器錯誤: 0x800CCC90, 錯誤碼: 0x800CCC92

解決方法:

以下以 foo 代表某帳號

cd /var/spool/mail
cp foo foo_ 備份郵件
true > foo 清空郵箱

另外寄一封信到 foo 帳號

cat foo_ >> foo 匯入剛剛備份的郵件

即可正常收信

from: http://cha.homeip.net/blog/archives/2006/06/mis.html

在 Linux 的 shell 上搜尋文字並替代

nospam@example.com (Root Lau) — Sun, 04 Nov 2007 06:49:00 -0600

天真的忙過死去活來！在決定放棄使用 Pacific Internet 的寬頻而改用 PCCW 的一刻，已經知道會有這一天的來臨‧‧‧ 無耐 Pacific Internet 實在不爭氣，連我這個 Reseller Partner 也要‧‧‧

接著就是要將我的 Servers (幾部) 的網絡設定，DNS，HTTPD，SENDMAIL，‧‧‧ 全部也要將 IP 更換下來，痛苦‧‧‧

幸好徙網路上找到了一個可以將文字更換的程式，工作就可以比較輕鬆地完成！

#!/bin/bash
        #       This script will search and replace all regular files for a string
        #       supplied by the user and replace it with another string.
        #
        #       Written by Daniel McCarthy
        #       daniel.mccarthy@linuxphile.org
        #
        function usage {
                echo ""
                echo "Search/replace script"
                echo "    Written by Daniel McCarthy"
                echo "      daniel.mccarthy@linuxphile.org"
                echo "      http ://linuxphile.org"
                echo ""
                echo "Not enough parameters provided."
                echo "Usage: ./$0 searchstring replacestring"
                echo "Remember to escape any special characters in the searchstring or the replacestring"
                echo ""
        }

        #check for required parameters
        if [ ${ #1 } -gt 0 ] && [ ${ #2 } -gt 0 ];
        then
        for f in `find -type f`;
        do
                if grep -q $1 $f;
                then
                        cp $f $f.bak
                        echo "The string $1 will be replaced with $2 in $f"
                        sed s/$1/$2/g < $f.bak > $f
                        rm $f.bak
                fi
        done

        else
        #print usage informamtion
        usage
fi

參考：http://linuxphile.org/node/13

更改 root 的密碼

nospam@example.com (Root Lau) — Sun, 04 Nov 2007 06:34:00 -0600

有不少朋友至電給小 root 問有關於如更改 root 的密碼，當然不是我的私人密碼啦！是 Linux 管理員帳戶 root 的密碼。

All
you need to do is reboot the machine. When you are presented with the
Grub menu, hit the 'e' key. This will allow you to edit the current
boot options. Add the ' single' to the line that begins with 'kernel
/vmlinuz'. Now press 'b' to boot with the modified boot options.

You'll
now be presented with the command line. At the command line simply
enter 'passwd'. You'll be prompted, twice, for a new password.

Type in 'exit' and the machine will continue booting into the normal process. Your root password has now been changed.

轉自：http://linuxphile.org/node/15

Adding GD PHP support to Fedora Core 5 (FC5)

nospam@example.com (Root Lau) — Mon, 08 Oct 2007 04:06:00 -0500

A simple way to install PHP-PD in FC5

% yum install gd-devel
% yum install php-gd

restart apache:
% /sbin/service httpd restart

http://iamcam.wordpress.c......pport-to-fedora-core-5-fc5/

IT佬 vs 通渠佬

nospam@example.com (Root Lau) — Sat, 20 Jan 2007 05:05:00 -0600

從其他的 forum 聽到以下的一段關於 I.T. 工作的評價；心感切身，原來入錯行，怪不得客人都不願意付出分文地不斷的打電話來問東問西，但說要收費安排技術員上門解決問題時，連數百元服務費也不願付出...

公司爆屎渠搵個通渠佬用真空 pump 通渠 + 執走 D 屎收費 HKD 2000.00 (都係做 3 個鐘到)

公司個 SQL down 左唔肯做 replication 搵個 IT SQL2000 expert 執過晒都係收費 HKD 1500.00 (註: 500蚊個鍾架)

大家都係執屎一個小學程度, 一個大學畢業 + MSDBA 但收費平過小學生

Ref: http://www4.discuss.com.h......tra=page%3D3&page=1

Information about the nslookup command (MS-DOS)

nospam@example.com (Root Lau) — Thu, 23 Mar 2006 03:32:00 -0600

SYNTAX

Commands: (identifiers are shown in uppercase, [] means optional)

NAME

print info about the host/domain NAME using default server

NAME1 NAME2

as above, but use NAME2 as server

help or ?

print info on common commands

set OPTION

set an option

all	print options, current server and host
[no]debug	print debugging information
[no]d2	print exhaustive debugging information
[no]defname	append domain name to each query
[no]recurse	ask for recursive answer to query
[no]search	use domain search list
[no]vc	always use a virtual circuit
domain=NAME	set default domain name to NAME
srchlist=N1[/N2/.../N6]	set domain to N1 and search list to N1,N2, etc.
root=NAME	set root server to NAME
retry=X	set number of retries to X
timeout=X	set initial time-out interval to X seconds
type=X	set query type (ex. A,ANY,CNAME,MX,NS,PTR,SOA,SRV)
querytype=X	same as type
class=X	set query class (ex. IN (Internet), ANY)
[no]msxfr	use MS fast zone transfer
ixfrver=X	current version to use in IXFR transfer request

server NAME

set default server to NAME, using current default server

lserver NAME

set default server to NAME, using initial server

finger [USER]

finger the optional NAME at the current default host

root

set current default server to the root

ls [opt] DOMAIN [> FILE]

list addresses in DOMAIN (optional: output to FILE)

-a	list canonical names and aliases
-d	list all records
-t TYPE	list records of the given type (e.g. A,CNAME,MX,NS,PTR etc.)

view FILE

sort an 'ls' output file and view it with pg

exit

exit the program

EXAMPLES

C:\>nslookup computerhope.com
Server: ns.computerhope.com
Address: 1.1.1.1

Name: computerhope.com
Address: 204.228.150.3

( from: http://www.computerhope.com/nslookup.htm )

伺服又被 Hack 了‧‧‧

nospam@example.com (Root Lau) — Mon, 13 Mar 2006 08:40:00 -0600

今早反公司途中，接到老丁的電話說我的網站 (即伺服) 被 hacker 入侵了，過以為他說笑；怎知回到公司後一打開 IE，入到自己的網站後，心裡暗叫不妙，看到：

You Are HACKED BY ALEKS

再查看所有的網站，有十數個中招，幸好都集中在一台伺服上，其餘的都沒有發現被 hack，但這樣並不代表沒事‧‧‧ 在這台伺服上，大部份的 index.html 及 index.php 都被置換了，雖然可以被補救，但此終都覺得這一台 server 已經不大可靠了，而且她還是 Redhat 9，很早已經看她不順眼呢！

在沒有多大的信心下，就將她安裝成為 Fedora Core 4；實在太多的設定都變了，天啊~~ 單是 DNS 都給她用上二、三個小時，還有那個 VSFTP，喔~不是它的錯！都是 SeLinux 的問題，又再花上數小時‧‧‧

今晚氣溫急降，只有 9^oC，唉~~~

使用 PHP 去 Upload 的上限

nospam@example.com (Root Lau) — Fri, 17 Feb 2006 05:05:00 -0600

原來使用網頁寄存商的網頁寄存服務都幾多限制的，例如使用 PHP 程式作上存檔案時只可以上存到 2M 的，如果是自已的 Server 就很容易解決，修改 /etc/php.ini 便可以。

但是，使用網頁寄存服務就沒可能修改到 php.ini 了‧‧‧

找了很久，終於找到方法了，就是修改 .htaccess 了，只需要加入以下設定即可：

php_value upload_max_filesize 12M

可以說，在我使用的主機上可以用得上，希望你們也可以！

HELO COMMAND

nospam@example.com (Root Lau) — Tue, 07 Feb 2006 04:25:00 -0600

How to Send Fake Mail Using SMTP Servers

By Hunter
hunter@wicked.gt.ed.net
---------------------------------------------------------------------------
Overview
SMTP (Simple Mail Transfer Protocol) is the protocol by which Internet mail
is sent. SMTP servers use this protocol to communicate with other servers
or mail clients. However, by telneting directly to a mail server and
manually speaking SMTP, one can easily send mail from any address specified
- meaning that mail can be sent from fake addresses while the sender's real
address is untraceable.

What is Needed?
All that you need is a generic telnet client. Local echo should be turned
on so you can see what you type. Also, it is important to note that SMTP
servers do not handle backspaces, so you must type everything correctly.

How do I Start?
Telnet to port 25 of your target SMTP server (more on SMTP servers
selection below). The server should respond with a generic welcome message.
You will type HELO domain.name. Use any domain name you wish as most
servers do not check the name against the IP you are telneting from. Type
MAIL FROM: . This is where the message will appear to be
from. Next, type RCPT TO: . This specifies who will
receive the message. Type DATA and type the body of your message. To send
the message, enter a line with only a period. Type QUIT to disconnect.

Sample Session

220 hq.af.mil Sendmail 4.1/Mork-1.0 ready at Thu, 14 Mar 96 00:26:46 EST
HELO prometheus.com
250 hq.af.mil Hello prometheus.com (prometheus.com), pleased to meet you
MAIL FROM:
250 ... Sender ok
RCPT TO:
250 ... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
This is the body of my message.
.
250 Mail accepted
QUIT
221 hq.af.mil delivering mail

What about message subjects?
The subject, date, to, etc. are part of the DATA area. After the DATA
command, start with date and continue is the fashion illustrated by the
example code below. Make sure there are no mistakes, because the first
mistake will cause the data to appear in the body of the message, not
header. It is interesting, because these fields take precedence over the
MAIL FROM: and RCPT TO: when displaying. A message can be routed to a
person even though the message itself appears to be addressed to someone
else. The key is to type VERY carefully.

Example:
        DATA
        Date: 23 Oct 81 11:22:33
        From: SMTP@HOSTY.ARPA
        To: JOE@HOSTW.ARPA
        Subject: Mail System Problem

        Sorry JOE, your message to SAM@HOSTZ.ARPA lost.
        HOSTZ.ARPA said this:
        .
End Example

Can my mail be traced?
Yes, the IP address you mailed from can be traced if you are not careful.
All mail will show a line in the header listing the IP address that you
originally telneted from. If the person you are sending mail to doesn't
know much about IP's and the like, you shouldn't worry too much.
Furthermore, depending on your the nature of your connection, there are
different implications. For instance, if you have a direct connection, you
can be easily traced by your IP address. On the other hand, if you have a
dial-in connection or service such as AOL, you will not have a defined IP
address. You will be assigned a temporary one. The only way your mail can
be traced with this type of connection is to check against the dial in
service's system logs. The take-home message is that you are safe with this
type of connection unless you do something really stupid. Finally, the best
case scenario is a public access terminal with no logging. This type
connection is untraceable.
Author's Note: I have found some servers that don't log IP. Read No IP SMTP
Server

What SMTP servers can I use?
An easy (but hit-or-miss) way to find random SMTP servers is to look at web
addresses on Yahoo! or another search engine. Universities and government
agencies are always good choices. Find a URL and telnet to port 25. If you
get a response, you have located an available server. 95% of servers will
accept your mail. The others will not allow external mail forwarding for
security reasons. Always test the server first.

                                     OR

Check Hunter's List of Usable SMTP Servers. All servers on this list have
been tested and will work. A hyptertext interface makes it easy to use the
servers.
---------------------------------------------------------------------------

                               Apocalypse 95

Last revision: 3.15.96
Mail to: hunter@wicked.gt.ed.net
Hunter's List of SMTP Servers

By Hunter
hunter@wicked.gt.ed.net
---------------------------------------------------------------------------
Note: There is no guarantee that the administrators of these servers will
be happy if you use the servers. I am only acknowledging the existence of
these servers. For a server that doesn't stamp your IP on the message
header, read No IP SMTP Server

If you have a telnet client set up as a helper app to your web browser,
simply click on the name of a server to use the server for direct mail.
Some links may be slow.

centerof.thesphere.com
misl.mcp.com
jeflin.tju.edu
arl-mail-svc-1.compuserve.com
alcor.unm.edu
mail-server.dk-online.dk
lonepeak.vii.com
burger.letters.com
aldus.northnet.org
netspace.org
mcl.ucsb.edu
wam.umd.edu
atlanta.com
elmer.anders.com
venus.earthlink.net
urvax.urich.edu
vax1.acs.jmu.edu
loyola.edu
cornell.edu
brassie.golf.com
quartz.ebay.gnn.com
acad.bryant.edu
palette.wcupa.edu
utrcgw.utc.com
umassd.edu
trilogy.usa.com
mit.edu
corp-bbn.infoseek.com
vaxa.stevens-tech.edu
ativan.tiac.net
miami.linkstar.com
wheel.dcn.davis.ca.us
kroner.ucdavis.edu
ccshst01.cs.uoguelph.ca
server.iadfw.net
valley.net
grove.ufl.edu
cps1.starwell.com
unix.newnorth.net
mail2.sas.upenn.edu
nss2.cc.lehigh.edu
pentagon.mil
blackbird.afit.af.mil
denise.dyess.af.mil
cs1.langley.af.mil
wpgate.hqpacaf.af.mil
www.hickam.af.mil
wpgate.misawa.af.mil
guam. andersen.af.mil
dgis.dtic.dla.mil
www.acc.af.mil
redstone.army.mil

---------------------------------------------------------------------------

                               Apocalypse 95

Last revison: 3.30.96
Mail to: hunter@wicked.gt.ed.net
Mail Servers with No IP Logging

Number of Servers that have updated Sendmail versions due to my list

---------------------------------------------------------------------------
When I wrote How to Send Fake Mail Using SMTP Servers, I said that your
messages are traceable by your IP address (it will always be stamped in the
header). Well, slowly, I am finding systems that don't append your IP to
the message. You can send messages through this servers, using the
techniques I described in my SMTP fakemail tutorial, and they are totally
untraceable. If you have a telnet client set as a helper app to your
broweser, all you have to do is click on the link below, and you will be
connected to the respective SMTP server.

DO NOT DO ANYTHING REALLY STUPID WITH THESE SERVERS. If a server was posted
on this list, but isn't now, don't use it! Don't say that I didn't warn
you.

cvo.oneworld.com
www.marist.chi.il.us
bi-node.zerberus.de
underground.net
alcor.unm.edu
venus.earthlink.net
mail.airmail.net
---------------------------------------------------------------------------

                               Apocalypse 95

---------------------------------------------------------------------------
How to find your own IP-Less Severs:
Finding your own servers that do not append IP to message headers is a
relatively easy process if you know what to look for. There are many SMTP
server programs out there. Sometimes you will hit an odd system with an
unusual server program that you can test by hand. However, the easiest way
it to look for the more common ones. By far, the easiest to look for is a
certain older Sendmail version that many systems still use. To find it,
connect with a server as usual. Examine the welcome text. You are looking
for a line that looks like the following:
   220 xxxx.xxxx.xxx Smail3.1.29.1 #15 ready at Mon, 10 Jan 96 12:34 EDT

The important part is the Smail3.1.29.1. If you find a server with this
number, 3.1.29.1, or another 3.x.x.x number, you have what you are looking
for.

X'mas Vs Hacker ......

nospam@example.com (Root Lau) — Fri, 23 Dec 2005 12:27:00 -0600

個聖誕節又要同啲 hacker 角力‧‧‧

#$@$#%^%

:-( :-(

Anyway, 聖誕快樂！

Netvigator 網上行的電子郵件設定

nospam@example.com (Root Lau) — Tue, 09 Aug 2005 12:23:00 -0500

近日很多朋友不時向小劉尋求技術支援，說無法寄出電子郵件者不少；其實 Netvigator 「升級」郵件伺服器的計劃已經過數月的時間，亦有收到 Netvigator 通知者亦不少，只是無人留意罷了。

如
果你是使用 Netvigator 提供的電子郵件地址者，不受影響；唯使用其他域名的電子郵件地址者，無法使用 Netvigator
的郵件伺服器。只需將帳戶設定內的 SMTP 伺服器由 mail.netvigator.com 改為
smtp.netvigator.com，並鉤選 [我的伺服器需要驗證]，再按 [設定] 及輸入登入帳戶和密碼。

在設定你們的郵件伺服器前，請準備你的帳戶名稱及密碼，並根據下面的方法去設定 Outlook Express：

http://cs.netvigator.com/......roup_setting_outlook_c.html

其實我倒也覺得奇怪，我一不在 Netvigator 或 PCCW 裡工作，二不是 Netvigator 的 Reseller，三更不是 Netvigator 的用戶；為什麼不找 Netvigator 的技術支援或 CS (熱線電話：1833 833) 呢？

NVU網頁編輯程式

nospam@example.com (Root Lau) — Thu, 14 Jul 2005 02:37:00 -0500

NVU 是一套同樣以 Mozilla 為核心的網頁編輯器 (就像市面上常見的 FrontPage 或是 Dreamweaver 等等網頁編輯程式)，目前由 Linspire (以前的 Lindows) 主導開發。

承襲了 Mozilla 的特色， NVU 是一套開放源碼(Open Source)、跨平台(Cross Platform)、免費的程式，任何人都可以自由下載使用。

那可以把購買 Frontpage 的錢省下來了！

nvu-1.0-win32-installer-full.exe

nvu-1.0-win32-installer-zhTW.exe

nvu-1.0-win32-zhTW-GREEN.zip