PowerMTA is no doubt great MTA but it requires lots of configuration to make it work intelligently. If your pmta license have Out bound connections limit than you have to configure it smartly, to free up connections and increase emails per minute/hour.

Most of the time, these connections are used by invalid domains e.g hotmaail.com, yahooo.com, gmail.cm and on other hand your bounce-after for global domains is too long e.g bounce-after 4d 12hr (by default)

How PowerMTA works?

PowerMTA tries to resolve Domain to IP (If it fails, it doesn’t make tcp connection, through DnsQueryFailed error), then it tries to make tcp connection and wait for SMTP greeting. (It keeps trying until smtp-greeting-timeout value (default 5m) reaches.After5 minutes, connection is killed and this process is repeated until bounce-after (in your global domain configuration) is reached.

And there are dozens of typo error domains of yahoo/gmail/hotmail

One more technique is to bounce back all domains that doesn’t have MX record. This would help you to reduce your PMTA Queue.

Step-1 : General PowerMTA configuration tweaking

Edit: /etc/pmta/config

<domain *>
...
...
smtp-greeting-timeout 1m
bounce-upon-no-mx yes
</domain>

PowerMTA suggests to set it to 5 minute(If your network is not reliable) I disagree. 60 seconds are more than enough for remote MTA to response.

Step-2 : Bounce back invalid domains immediately

dummy-smtp-port – is SMTP black-hole, is powermta feature that use to listen for dummy SMTP connections. This new configuration would require to restart your PowerMTA(service pmta restart) You can refer to official document and find which configuration requires reload and restart.

dummy-smtp-port 2525
<smtp-pattern-list dummysmtp>
reply // bounce-queue
</smtp-pattern-list>

domain-macro invaliddomainslist yahooo.com, gmail.cm, hotmaail.com
<domain $invaliddomainslist>
route [your-lan-ip]:2525
smtp-pattern-list dummysmtp
bounce-after 1m
</domain>

service pmta restart

How to identify these messages in accounting log file?

These are marked as category 'other' with 'failed,5.0.0 (undefined status),x-pmta;bounce-queue'

How to mark them in bad-domain category?

You will need to create bounce-category-patterns to handle this.

<bounce-category-patterns>
/failed\,5\.0\.0 \(undefined status\)\,x\-pmta\;bounce\-queue/ bad-domain
</bounce-category-patterns>

Now, if you process accounting log file, you would see all these domains under bad-domain category instead Other.

PowerMTA is industry top class Mail Transfer Agent that is used by myspace.com, top email service providers including ISPs. PMTA has very advance configuration that helps you to manage millions of email per day.

There are hundreds of feature which can’t be cover here. Below are few features copied from port25.com

PowerMTA Features

• Number of simultaneous connections
• Number of messages per connection
• Number of delivery attempts per hour (throttling)
• Retry period and bounce period

• Authentication method
• Ability to break connections of lower priority queues
• New IP address warm-up feature to help build reputation
• Ability to pause queues and delete or re-start
• Delivers 10x more messages per hour than leading freeware alternatives and corporate mail systems
• Strict compliance with Internet email protocols
• Includes both outbound and inbound message processing
• VirtualMTAs allowing you to segment your mail-streams as necessary. Each VMTA may have its own IP address and delivery policy configured by you.
• Real-time reputation monitoring
• Immediate notification of perceived blocks
• Ability to implement new delivery policy for perceived blocks
• Command line statistics and analysis utility
• Web-based status monitoring
• Data export of statistics log (XML, CSV, HTML, etc.)
• API to statistics log (C, Java, Perl)
• Data can be accessed in real-time or batch mode.
• Statistics can also be retrieved on a “per job” or “Virtual MTA” basis.
• Standard submission interface using SMTP
• File-based submission using pickup directory
• Proprietary submission interface through our API (C, C++, Java, Perl, .NET)
• Data exports from delivery log (XML, CSV, HTML, etc.)
• API to delivery log (C, Java, Perl)
• Forwarding of inbound messages to file or via local pipe
• Installation follows the common approaches used on each of the major platforms.
• Text-file configuration tool comes pre-populated with common settings
• Extensive control options allow you to tailor PowerMTA to your specific needs.
• A command-line management tool is provided.

Built-in support for :

• Domain Keys and DKIM
• SenderID and SPF

Platforms where PMTA can be installed includes :

• Microsoft Windows (2003/2008)
• Linux RPM based (Red Hat, CentOS) and DEB based (Debian, Ubuntu)
• Sun Solaris (Solaris 8 or later, SPARC)

Apache 2.4.1 is the latest stable version available on Apache.org download section. Since it is the latest version so it may have plenty of dependencies issues. In my case, i am installing it from source(httpd-2.4.1.tar.bz2).

Currently i am logged in using SSH on Plain CentOS 6.2 server and it has very basic packages installed.

Downloading and compiling Apache 2.4.1

cd /usr/local/src/
wget http://apache.mirrors.pair.com//httpd/httpd-2.4.1.tar.bz2
tar -jxf httpd-2.4.1.tar.bz2
cd httpd-2.4.1
./configure --prefix=/usr/local/apache --enable-so --enable-deflate --enable-expires --enable-headers --enable-rewrite

Note : Here i required deflate,expires,headers and other modules so i included that.

Ops, failed to dependencies.. because we don’t have gcc compiler and other devel packages for apr, apr-utils, openssl and so on.
yum install apr-devel apr-util-devel gcc pcre-devel.x86_64 zlib-devel openssl-devel

Great. Here we go;
make
again ERROR :

rotatelogs.c:298: warning: implicit declaration of function ‘apr_file_link’
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -std=gnu99 -pthread
-o rotatelogs  rotatelogs.lo      /usr/lib64/libaprutil-1.la -ldb-4.7 -lexpat
-ldb-4.7 /usr/lib64/libapr-1.la -lpthread
rotatelogs.o: In function `post_rotate':
rotatelogs.c:(.text+0x5ed): undefined reference to `apr_file_link'
collect2: ld returned 1 exit status
make[2]: *** [rotatelogs] Error 1
make[2]: Leaving directory `/usr/local/src/httpd-2.4.1/support'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/httpd-2.4.1/support'
make: *** [all-recursive] Error 1

Current apr and apr-util version is older while Apache 2.4.1 requires latest APR and APR-utils e.g 1.4.x is the latest available version.
Lets include the latest apr and apr-util into apache srlib/ so it can also be compiled along with Apache.
cd /usr/local/src/httpd-2.4.1/srclib/

Installing APR & APR-Utils dependencies :

wget http://mirror-cybernet.lums.edu.pk/pub/apache//apr/apr-util-1.4.1.tar.bz2
wget http://mirror-cybernet.lums.edu.pk/pub/apache//apr/apr-1.4.6.tar.bz2

Note : If this mirror doesn’t work, chose other mirrors

tar -jxf apr-1.4.6.tar.bz2
tar -jxf apr-util-1.4.1.tar.bz2
mv apr-1.4.6 apr
mv apr-util-1.4.1 apr-util

Lets configure it now :
./configure --prefix=/usr/local/apache --enable-so --enable-deflate --enable-expires --enable-headers --enable-rewrite --with-included-apr --with-included-apr-util
make
make install

Following this tutorial i was able to install Apache 2.4.1 successfully on CentOS 6.2. If you are unable to install or having difficulty you can leave a comment and i will try to respond you quickly as much possible.

Since i was busy, so couldn’t write about Andreas Koch‘s new app called ‘DroidSheep Guard’ that helps you protect against DroidSheep and FaceNiff android application.

How DroidSheep Guard works?

DroidSheep Guard continuously monitor your ARP table and alerts you when it finds suspicious activity.Droidsheep and faceniff are popular android applications that use ARP spoofing technique to hijack all sessions traveling on Wifi networks. Using DroidSheep Guard you can configure it to check every x minute and once it found malicious activity, it will popup an alert.

How to install DroidSheep Guard?

Fortunately Google didn’t remove DroidSheep guard from Android Market(called Play Store now). Plus it doesn’t require your phone to be ROOTED unlikely DroidSheep.

Method No.1

Requirements :

1. Internet is enabled on your Android phone.
2. Your Gmail account is logged in on Android phone.

Steps :

1. Open Firefox/or any internet browser
2. Login on gmail.com with same account that you are using on your Android phone.
3. Go to https://play.google.com/store/apps/details?id=de.trier.infsec.koch.droidsheep.guard.free&feature=search_result
4. Click on Install
5. Check your phone, DroidSheep Guard is already installing Magic, hah?

Method No.2 :

Requirements :

1. Android Phone

Steps :

1. Open your Play Store
2. Search for ‘DroidSheep Guard’
3. Click on Install

Happy protection against ARP Spoofing!

I have talked about ApacheKiller flaw in detail here with possible workaround to mitigate this flaw.

Last week, a DDoS mitigation service vendor Arbor Networks revealed a detailed report can be download from here which say,

ApacheKiller Flaw

is known as ‘The Biggest Little Internet Threat‘ by Security Analysts. It has been exploited massively and its
very hard to estimate that what is the number of servers are yet to be fixed.

Few days back, i was analyzing my blog traffic and found that ApacheKiller was the most viewed post and most of the people have downloaded the ApacheKiller bash script and python version to penetrate web servers that are still vulnerable. It is estimated that Apache is used by 400 million websites, big number?

If you are web master and still confused, how to mitigate it? I can help you with immediate workarounds.

The best thing is to update your Apache to latest version 2.4  or if you are having difficulties or not sure, you can contact me. I will make it done for you or get FREE Consultancy!

We have talked about SlowHTTPTest in detailed here, 2 days ago Shekyan released a new version, below is summary of change log.

SlowHTTPTest 1.4 release notes:

• Added man pages as doc support
• Some bug fixes
• and now it can handle 64000 concurrent connections  OpsS!!

You can read our previous post in detail that would help you, how to compile and use it.

Download and install SlowHTTPTest latest version :

wget http://slowhttptest.googlecode.com/files/slowhttptest-1.4.tar.gz
tar -zxvf slowhttptest-1.4.tar.gz

cd slowhttptest-1.4
./configure
make
make install

Video Tutorial – How to use SlowHTTPTest?

ANTI - Android Network Toolkit – Anti is collection of network exploration tools that help you penetrate your network right away from your android phone. ANTI useful application is developed by ZImperium LTD and they say ‘ ANTI – Penetration Made easy ‘.

ANTI.apk application is divided into two parts;

• Application
• Extendable plugins

How to install ANTI APK on android phone?
I’m not sure APK is available on Android Market but you can follow below tutorial to get it installed.

This application works only on ROOTED android phones

1. Download from http://www.zimperium.com/Anti.apk using your phone browser.
2. Go to Downloads
3. Click on ANTI.Apk, authorize and install it.

How to use ANTI – Android Network Toolkit?
When you run ANTI, it will connect to your Wifi AP and create map for your network. You can select a device and scan for different services.

ZImperium offered Basic version as FREE with following limited features :

• Scanning
• OS Detection*
• Traceroute
• Port Connect
• WIFI Monitor
• HTTP Server

If you purchased paid version which categorized as Silver, Gold and Platinum you will get access to below features :

• Man-in-the-middle
• Remote Exploits
• Plugins
• Support
• Exploit Credits (For Report or Attack)

To read more about licensing, visit ZImperium LTD web.

HookWorm Stealth is an old PHP Backdoor just like c99Shell created by Justin Klein Keane as Proof of concept.

HookWorm Stealth provides less features than c99Shell but it’s activity can’t be track easily like c99Shell. it uses Cookies to leave no TRACE in Web server access log.

HookWorm Stealth PHP Backdoor Features :

• Find .htaccess
• Find open ports on remote system
• Search for writable files or directories
• and many more.

Download HookWorm Stealth from  http://www.madirish.net/sites/default/files/hookworm.php.tar.gz

When you get access of remote web server SHELL, the access log of web server will throw /index.php 200 OK status code that’s a normal good HTTP request.

To read further about HookWorm Stealth, go to the author blog

Today i extracted one archive which contained .bin and .cue files and i was unable to play them with VLC Media Player, after doing google found it is archive similar to .iso. I convert it to ISO using bchunk utility and mount it as loop back device and .

bchunk – Free utility use to convert .bin, .cue files to .iso

1. Install bchunk

On ubuntu/backtrack Linux;
aptitude install bchunk

On RHEL/CentOS Linux;
yum install bchunk

2. Convert .bin .cue to iso using bchunk

bchunk iron-lycp5etg.bin iron-lycp5etg.cue iron-lycp5etg.iso

Note : .bin file will always have .cue file in same directory plus iron-lycp5etg is a sample file.

Output :

Reading the CUE file:
Track 1: MODE1/2352 01 00:00:00
Writing tracks:

1: iron-lycp5etg01.iso 472/472 MB [********************] 100

3. Mount iron-lycp5etg01.iso

mkdir /mnt/iso
mount -o loop iron-lycp5etg01.iso /mnt/iso

Now you can find all video files under /mnt/iso/

cd /mnt/iso/
vlc filename.mov

If you have any question or suggestion, feel free to comment.

TeamViewer 6 or 7.0.9300 beta version can be run as root easily on backtrack or any Linux distribution including Ubuntu / CentOS 6 / RedHat by modifying the wrapper file which is instructed to not execute Team Viewer products as root.

When you run Teamviewer7 from console, you will get this error;

root@hackersgarage:~/Downloads# teamviewer7
TeamViewer: 7.0.9300
Profile: /root (root)
Desktop:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.2 LTS
Release: 10.04
Codename: lucid

Error: TeamViewer must not be executed as root!

How to install Team Viewer 7 beta on backtrack5 RC1 linux?

wget http://www.teamviewer.com/download/version_7x/teamviewer_linux.deb
dpkg -i teamviewer_linux.deb

For RPM based distro CentOS/RHEL
wget http://www.teamviewer.com/download/version_7x/teamviewer_linux.rpm
rpm -ivh teamviewer_linux.rpm

Warning : Running application as root is not recommended.

FIX Team Viewer7 to run as ROOT by running below SED command :

sed -i 's/die \"T/echo \"T/g' /opt/teamviewer/teamviewer/7/bin/wrapper

DONE! Now Go to Application –> Internet –> Team Viewer 7