Softpanorama
May the source be with you, but remember the KISS principle ;-)

Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Unix/Linux Security-related Perl Scripts

News

Recommended Links Audit Logs Integrity
Scanning Monitoring Configuration and maintenance SUID/SGID Checking Honey-pots

Record status of the system and all major files is the simplest and most important advice to Unix sysadmin. This is the single most important thing you do. In case you detect intrusion  you will also be able to present proof in a subsequent filing of the incident.

Here is the info adapted from  Checklist for investigating computer break-ins by Christian Stigen Larsen

Provide an audit trace of commands on the server

You can use script command invoked from /etc/profile to records all keyboard input to a file:

script -f ~/logfile.txt

You should also include a timestamp in Bash command history log

 

Check logfiles, secure them

Copy logfiles off site. Ideally, you are already forwarding syslog messages across the network to another, more secure computer. Many attackers either delete or modify log files.

Install a Perl script that analised your log and sends you summary each morning. Anything unusual, especially garbage, have helps to discover attacks.

I always check /var/log/messages, /var/log/secure as well as web server logs and whatever the server is running.

Check last and .bash_history in user directories. Missing history files or files symlinked to /dev/null is a pretty sure sign you've had an uninvited guest.

Don't rely too much on history files. It's pretty easy to avoid dumping command history, but many attackers (especially clueless script kiddies) often forget covering their tracks. A common technique is to run an editor like vi and type :shell. This spawns a non-login shell that doesn't write to command history.

Look for modified files, especially in /etc and /bin directories

There are many Perl scripts which can look for modifieed files. See

Here is very simple approach from article  Detecting Local Filesystem Changes with Perl

It is not uncommon for system administrators to have to drop whatever they are working on to deal with the security problem du jour. Some of these problems involve serious breaches of security. In these cases, the first question asked is often, "What has the intruder done?" In my recently released O'Reilly book, Perl for System Administration, I begin the chapter on security and network monitoring with a discussion of some of the available Perl tools that can help answer this question. Here's an excerpt from that chapter, which deals with finding changes made to a local filesystem:

Filesystems are an excellent place to begin our exploration into change-checking programs. We're going to explore ways to check if important files like operating system binaries and security-related files (e.g., /etc/passwd or msgina.dll ) have changed. Changes to these files made without the knowledge of the administrator are often signs of an intruder. There are some relatively sophisticated cracker tool-kits available on the Net that do a very good job of installing Trojan versions of important files and covering up their tracks. That's the most malevolent kind of change we can detect. On the other end of the spectrum, sometimes it is just nice to know when important files have been changed (especially in environments where multiple people administer the same systems). The techniques we're about to explore will work equally well in both cases.

The easiest way to tell if a file has changed is to use the Perl functions stat() and lstat(). These functions take a filename or a filehandle and return an array with information about that file. The only difference between the two functions manifests itself on operating systems like Unix that support symbolic links. In these cases lstat() is used to return information about the target of a symbolic link instead of the link itself. On all other operating systems the information returned by lstat() should be the same as that returned by stat(). Using stat() or lstat() is easy:

@information = stat("filename");

As demonstrated in Chapter 3, "User Accounts," we can also use Tom Christiansen's File::Stat module to provide this information using an object-oriented syntax. The information returned by stat() orlstat() is operating-system dependent. stat() and lstat() began as Unix system calls, so the Perl documentation for these calls is skewed towards the return values for Unix systems. See Table 10-1 in Perl for System Administration for a comparison between the values returned by stat() under UNIX and those returned by stat() on Windows NT/2000 and MacOS.

In addition to stat() and lstat(), other non-Unix versions of Perl have special functions to return attributes of a file that are peculiar to that OS. See Chapter 2, "Filesystems," for discussions of functions like MacPerl::GetFileInfo() and Win32::FileSecurity::Get().

Once you have queried the stat()ish values for a file, the next step is to compare the "interesting" values against a known set of values for that file. If the values changed, something about the file must have changed. Here's a program that both generates a string of lstat() values and checks files against a known set of those values. We intentionally exclude last access time from the comparison because it changes every time a file is read. This program takes either a -p filename argument to print lstat() values for a given file or a -c filename argument to check the lstat() values all of the files listed in filename.

use Getopt::Std;

# we use this for prettier output later in &printchanged()
@statnames = qw(dev ino mode nlink uid gid rdev size mtime
        ctime blksize blocks);
getopt('p:c:');
die "Usage: $0 [-p <filename>|-c <filename>]\n" unless ($opt_p or $opt_c);
if ($opt_p){
    die "Unable to stat file $opt_p:$!\n" unless (-e $opt_p);
    print $opt_p,"|",join('|',(lstat($opt_p))[0..7,9..12]),"\n";
    exit;
}

if ($opt_c){
    open(CFILE,$opt_c) or die "Unable to open check file $opt_c:$!\n";
    while(<CFILE>){
        chomp;
        @savedstats = split('\|');
        die "Wrong number of fields in line beginning with $savedstats[0]\n"
            unless ($#savedstats == 12);
        @currentstats = (lstat($savedstats[0]))[0..7,9..12];
        # print the changed fields only if something has changed
        &printchanged(\@savedstats,\ @currentstats)
            if ("@savedstats[1..13]" ne "@currentstats");
    }
    close(CFILE);
}
# iterates through attributes lists and prints any changes between
# the two
sub printchanged{
    my($saved,$current)= @_;
    # print the name of the file after popping it off of the array read
    # from the check file
    print shift @{$saved},":\n";
    for (my $i=0; $i < $#{$saved};$i++){
        if ($saved->[$i] ne $current->[$i]){
            print "\t".$statnames[$i]." is now ".$current->[$i];
            print " (should be ".$saved->[$i].")\n";
        }
    }
}

To use this program, we might type checkfile -p /etc/passwd>>checksumfile.

checksumfile should then contain a line that looks like this:

/etc/passwd|1792|11427|33060|1|0|0|24959|607|921016509|921016509|8192|2

We would then repeat this step for each file we want to monitor. Then, running the script with checkfile -c checksumfile will show any changes. For instance, if I remove a character from /etc/passwd, this script will complain like this:

/etc/passwd

Look for suspicious processes, open files

Using ps, pstree, top, lsof will quickly give an indication if anything suspicious is running.

Some rootkits effectively hide their processes. This is typical for kernel module injections.

ps auxwww    # shows wide listing of command-lines
pstree       # process inheritance tree
top          # realtime view
lsof         # list open files

Look for suspicious stuff in /proc on linux systems

If you find a suspicious process running in memory, it might have been deleted from disk. You can still copy the executable image back to disk with the symbolic link in /proc/???/exe.

Quick overview of /proc:

cd /proc/1234   # check out the pid 1234
cat cmdline     # shows commandline used to run the process
file exe        # shows file info, especially if the symboltable still
                # exists.  if the file has been deleted, then exe links
                # to the image in-memory, so you can cp exe /tmp/somefile
strings -a exe  # see all ascii strings in the file, *extremely* useful
                # for googling
cat maps        # currently mapped memory regions

You can also use the listps program to explicitly investigate each process in the /proc filesystem. This can lead to discovery of programs hidden by normal ps output.

Examine suspicious executables

Use strings -a, hexdump -C, gdb, objdump (or otool on darwin) to examine suspicious executables. In many cases you'll find strings like r00tkit by zum azzHat — these are extremely helpful to identify and find exploit code. Google for anything you find. Don't forget to search google groups as well.

Examine executables more closely with debuggers and programming tools.

Use file somefile to see if it's a stripped executable. Hopefully it's not, and you will be able to view symbols with nm somefile. Also run ldd somefile to see which dynamic libraries are used.

Use gdb to debug the executable, but be careful when executing exploit code. Advanced code will check if it's being debugged, so you might have to circumvent that. (In worst case, get yourself a ring-0 debugger.) I've seen programs call ptrace and exit if they're being debugged.

If you have no qualms running the executable you can use strace somefile (or ktrace on darwin) to see all system calls made while running. That should give you a pretty good idea of the nature of the exploit code and lead to identify security holes in other programs.

Below is an investigation of stkill, a rootkit one of my computers was infected with.

$ file stkill
stkill: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), 
dynamically linked (uses shared libs), not stripped

$ ldd stkill
        libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

$ nm stkill
         U atoi@@GLIBC_2.0
         U bcopy@@GLIBC_2.0
08049a78 A __bss_start
         w bzero@@GLIBC_2.0
0804997c d completed.3
         w connect@@GLIBC_2.0
08049988 d __CTOR_END__
08049984 d __CTOR_LIST__
08049974 D __data_start
08049974 W data_start
         w __deregister_frame_info@@GLIBC_2.0
08048770 t __do_global_ctors_aux
08048530 t __do_global_dtors_aux
... etc.

$ strace ./stkill   # might be dangerous
execve("./stkill", ["./stkill"], [/* 22 vars */]) = 0
uname({sys="Linux", node="eris", ...})  = 0
brk(0)                                  = 0x8049a90
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0x40016000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
directory)
... etc.

Check for backdoors

Check for open backdoors in your system, either by using netstat, lsof or a full nmap-scan from another computer.

Check for network sniffing

Running ifconfig -a and looking for the PROMISC flag tells you if any ethernet cards are running in promiscuous mode. This means it is picking up all network packets, usually the signature of a sniffer being installed.

You can run ifconfig eth0 -promisc to turn off promiscuous mode.

Example:

$ ifconfig -a
eth0    Link encap:Ethernet  HWaddr 00:50:DA:4D:84:C5
        inet addr:81.191.35.198  Bcast:81.191.35.199  Mask:255.255.255.248
        UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
        RX packets:63608975 errors:0 dropped:0 overruns:1 frame:0
        TX packets:87694104 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:100
        RX bytes:3711876829 (3539.9 Mb)  TX bytes:2017229474 (1923.7 Mb)
        Interrupt:10 Base address:0xb800

Security via obscurity

Changing sshd to listen to another port will rule out most large-scale network sweeps, since they don't have the time to scan each and every port on thousands of computers.

Regarding the web, running php is basically asking for someone to come crashing in. This is even more true if you've installed  an application and  forget to keep them updated.

As for scripted attacks, many try executing things like wget to download exploit binaries. Simply renaming wget or hiding it in /root/bin is usually enough to stop some expolits dead (but again, don't count on it!). The same is applicable to curl but Sue uses it for registration.

Security via  obscurity  works against botnet agents trying to find a vulnerable host on the net. But if you are specifically singled out as a target, these measures of course aren't enough.

Publish your findings on the web

Put your analysis on the web so other people can benefit from your work. All the times I've been hit with computer breaches, I've found helpful advice on the web.

In closing, remember that security is not a matter of adding stuff to your system. Security is an attitude, an approach and thought-set.

Prepare for the next break-in

You can just as well prepare for the next break-in right away, as it will happen again.

Set up syslog forwarding, routinely copy log files to other computers. Uninstall all unneeded inet servers (telnet, ftp, rpc, etc.), consider making some binaries or filesystems readonly (but don't believe this is enough to prevent modifications) and so on.

Dr. Nikolai Bezroukov


NEWS CONTENTS

Old News ;-)

[Mar 24, 2010]  buck-security

This simple set of Perl scripts can be used on Red Hat and Suse too. Almost nothing is  Debian or Ubuntu specific

Buck-Security is a security scanner for Debian and Ubuntu Linux. It helps you to harden your system by running some important security checks. For example, it finds world-writable files and directories, setuid and setgid programs, superuser accounts, and installed attack tool packages. It also checks your umask and checks if the sticky bit is set for /tmp, among other checks.

 

search.cpan.org DecisionACL - Manage and Build Access Control Lists

Ian Robertson > Solaris-ACL-0.06 > Solaris::ACL

Solaris::ACL - Perl extension for reading and setting Solaris Access Control Lists for files

SYNOPSIS

  use Solaris::ACL;
  ($acl, $default_acl) = getfacl("path/to/file");
  setfacl("path/to/file", $acl [, $default_acl]);

DESCRIPTION 

This module provides access to the system level acl(2) call, allowing efficient setting and reading of Access Control Lists (ACLs) in perl.

ACL provides the following functions:

setfacl($path, $acl [, $default_acl])
Set the ACL of the file or directory named by $path to that specified by $acl. If $path names a directory, then the optional $default_acl argument can also be passed to specify the default ACL for the directory. See "ACL structure" for information on how the $acl and $default_acl hashes should be constructed.
getfacl($file_name)
Return a reference to a hash containing information about the file's ACL. If the file is a directory with a default ACL, then a list is returned, with the first entry being a hash reference to the ACL, and the second being a hash reference to the default ACL. See "Accessing ACL structures" for information on how to access these hashes, and "ACL structure" for information on how these hashes are internally constructed.

Accessing ACL structures

The structures returned by the getfacl call are blessed into the Solaris::ACL package, and can be inspected and changed using methods from that class. In most cases, the same method can be used for inspecting or setting values; a value is set if data is given to set it with; otherwise, it is inspected and returned. The following accessor methods are defined:

uperm
gperm
operm
mask
Without an argument, each of these methods returns the permission for the corresponding entity (user, group, other, or file mask). With an argument, they set the permission to that argument. For example:
  $user_perm = $acl->uperm;  # find out current owner permissions.
  $acl->operm(5);            # give others read-execute permissions.

If no mask is set in the ACL, mask returns -1.

users
groups
Without arguments, return a list of users (by uid) or groups (by gid) with special ACL access. When passed a uid/gid as an argument, return the permission for the given user/group, or -1 if no permission is set in the ACL. When passed a uid/gid and a permission, give the specified user/group the indicated permission; if the permission is -1, remove any permissions for the specified user/group.
calc_mask
Calculate the mask for the acl, as would the -r flag of setfacl.
equal($acl2)
Check to see if the acl is equal to $acl2. Returns 1 if equal, 0 otherwise.
Solaris::ACL->new($mode)
Create a new blessed acl with permissions for user, group and other determined by mode.

EXAMPLES

  $acl = new Solaris::ACL(0741);
  $acl->users(scalar(getpwnam("iroberts"),2);
  $acl->users(scalar(getpwnam("rdb"),0);
  $acl->calc_mask;

  $def_acl = new Solaris::ACL(0751);

  setfacl("working_dir", $acl, $def_acl);

  ($acl1, $def_acl1) = getfacl("working_dir");

  print "All is well\n" if($acl->equal($acl1));

  $acl2 = getfacl("working_file");
  print "uids with acls set: ", join(", ", $acl2->users), "\n";
  print "uid 29 had permission ", $acl2->users(29), "\n";
  $acl2->users(29,6);
  $acl2->calc_mask;
  setfacl("working_file", $acl2)
  print "uid 29 now has permission 6\n";

  # to copy an acl from one file or directory to another;
  setfacl($target_file, getfacl($source_file));

RETURN VALUES

setfacl returns TRUE if successful and FALSE if unsuccessful. getfacl, if successful, returns a list containing a reference to the hash describing an acl, and, if there is a default acl, a reference to the hash describing the default acl. If unsuccessful, getfacl returns a null list. If either setfacl or getfacl are unsuccessful, the variable $Solaris::ACL::error is set to a descriptive error string; in addition, if the failure was due to a system error, $! is set.

ACL structure

WARNING: The internal structures described here are subject to change in future versions.

All information passed to setfacl returned from getfacl is in the form of references to hashes. A hash describing an ACL can have the following keys:

uperm, gperm, operm, mask
Each of these keys have values containing permissions for the corresponding entity (user, group, other, mask).
groups, users
Each of these keys (if existent) contain a reference to a hash whose keys are decimal representations of numbers, and whose values contain permissions for the user/group whose uid/gid is the number in the key.

BUGS

No checking is done on data types; bad data will result in strange error message being placed in $Solaris::ACL::errors.

Perl MD5 Secure Login 0.10 by Alan Raetz - Saturday, July 13th 2002 18:19 EDT

About: Perl MD5 Secure Login is a Web-based framework for implementing an MD5-based encryption scheme on both client (using browser JavaScript) and server (using Perl Digest::MD5) for a secure password login to Web applications. Unlike .htaccess, the password is never stored or transmitted as plain text.

Changes: This release is now in a separate LoginMD5.pm module for easy integration into existing Perl/CGI apps, with a mainProgram.cgi test example. It uses cookies: after a user has successfully logged in, it stores an MD5 encrypted key on the client machine to maintain a user session (for 1 day, by default).

Snoopy.pl 0.5 Jacob Shaw.

Snoopy.pl is a simple SNMP scanner written in PERL, and making use of the Net::SNMP module. It will scan a list of hosts, and report the system id back if a valid community string is found.

perl.oreilly.com -- News -- Detecting Local Filesystem Changes with Perl

It is not uncommon for system administrators to have to drop whatever they are working on to deal with the security problem du jour. Some of these problems involve serious breaches of security. In these cases, the first question asked is often, "What has the intruder done?" In my recently released O'Reilly book, Perl for System Administration, I begin the chapter on security and network monitoring with a discussion of some of the available Perl tools that can help answer this question. Here's an excerpt from that chapter, which deals with finding changes made to a local filesystem:

Filesystems are an excellent place to begin our exploration into change-checking programs. We're going to explore ways to check if important files like operating system binaries and security-related files (e.g., /etc/passwd or msgina.dll ) have changed. Changes to these files made without the knowledge of the administrator are often signs of an intruder. There are some relatively sophisticated cracker tool-kits available on the Net that do a very good job of installing Trojan versions of important files and covering up their tracks. That's the most malevolent kind of change we can detect. On the other end of the spectrum, sometimes it is just nice to know when important files have been changed (especially in environments where multiple people administer the same systems). The techniques we're about to explore will work equally well in both cases.

The easiest way to tell if a file has changed is to use the Perl functions stat() and lstat(). These functions take a filename or a filehandle and return an array with information about that file. The only difference between the two functions manifests itself on operating systems like Unix that support symbolic links. In these cases lstat() is used to return information about the target of a symbolic link instead of the link itself. On all other operating systems the information returned by lstat() should be the same as that returned by stat(). Using stat() or lstat() is easy:

@information = stat("filename");

As demonstrated in Chapter 3, "User Accounts," we can also use Tom Christiansen's File::Stat module to provide this information using an object-oriented syntax. The information returned by stat() orlstat() is operating-system dependent. stat() and lstat() began as Unix system calls, so the Perl documentation for these calls is skewed towards the return values for Unix systems. See Table 10-1 in Perl for System Administration for a comparison between the values returned by stat() under UNIX and those returned by stat() on Windows NT/2000 and MacOS.

In addition to stat() and lstat(), other non-Unix versions of Perl have special functions to return attributes of a file that are peculiar to that OS. See Chapter 2, "Filesystems," for discussions of functions like MacPerl::GetFileInfo() and Win32::FileSecurity::Get().

Once you have queried the stat()ish values for a file, the next step is to compare the "interesting" values against a known set of values for that file. If the values changed, something about the file must have changed. Here's a program that both generates a string of lstat() values and checks files against a known set of those values. We intentionally exclude last access time from the comparison because it changes every time a file is read. This program takes either a -p filename argument to print lstat() values for a given file or a -c filename argument to check the lstat() values all of the files listed in filename.

use Getopt::Std;

# we use this for prettier output later in &printchanged()
@statnames = qw(dev ino mode nlink uid gid rdev size mtime
        ctime blksize blocks);
getopt('p:c:');
die "Usage: $0 [-p <filename>|-c <filename>]\n" unless ($opt_p or $opt_c);
if ($opt_p){
    die "Unable to stat file $opt_p:$!\n" unless (-e $opt_p);
    print $opt_p,"|",join('|',(lstat($opt_p))[0..7,9..12]),"\n";
    exit;
}

if ($opt_c){
    open(CFILE,$opt_c) or die "Unable to open check file $opt_c:$!\n";
    while(<CFILE>){
        chomp;
        @savedstats = split('\|');
        die "Wrong number of fields in line beginning with $savedstats[0]\n"
            unless ($#savedstats == 12);
        @currentstats = (lstat($savedstats[0]))[0..7,9..12];
        # print the changed fields only if something has changed
        &printchanged(\@savedstats,\ @currentstats)
            if ("@savedstats[1..13]" ne "@currentstats");
    }
    close(CFILE);
}
# iterates through attributes lists and prints any changes between
# the two
sub printchanged{
    my($saved,$current)= @_;
    # print the name of the file after popping it off of the array read
    # from the check file
    print shift @{$saved},":\n";
    for (my $i=0; $i < $#{$saved};$i++){
        if ($saved->[$i] ne $current->[$i]){
            print "\t".$statnames[$i]." is now ".$current->[$i];
            print " (should be ".$saved->[$i].")\n";
        }
    }
}

To use this program, we might type checkfile -p /etc/passwd>>checksumfile. checksumfile should then contain a line that looks like this:

/etc/passwd|1792|11427|33060|1|0|0|24959|607|921016509|921016509|8192|2

We would then repeat this step for each file we want to monitor. Then, running the script with checkfile -c checksumfile will show any changes. For instance, if I remove a character from /etc/passwd, this script will complain like this:

/etc/passwd

 

TCPR

Tcpr is a set of perl scripts that enable you to run ftp and telnet commands across a firewall. Forwarding takes place at the application level, so it's easy to control.

Primary archive: ftp://ftp.alantec.com/pub/tcpr

 

sherpa - a system security configuration tool for GNU-Linux by Rick Crelia

See also Sherpa

Sherpa is a tool for configuring and then checking system security via the console. Written in perl, it allows an admin to maintain a custom database of file and directory permissions and ownership attributes as local needs dictate. Any changes from the prescribed layout will be detected each time sherpa is run. Also, sherpa does some basic system checks (world-writable files, .rhosts and hosts.equiv files, etc.) that help the busy admin keep on top of a system.

sherpa inventories basic filesystem security (permissions, file ownership) and creates a report of what it finds. It can also be used as a remedial tool, one that will change file permissions and ownership according to the modes listed in perms.lst.

sherpa will do a series basic check of RedHat GNU/Linux 5.x/6.x and SuSE 6.0 filesystems and should be run (a) after inital installation of the operating system and then (b) periodically. Many of the checks performed herein are based on sources I have studied and found useful.

sherpa performs the following checks on your local filesystems:

  1. Checks for SUID and SGID files
  2. Checks for world writable files
  3. Checks for .rhosts and hosts.equiv files
  4. Summarizes configured network services (via inetd) and checks for use of tcp_wrappers
  5. Checks for use of shadow passwords
  6. Checks file and directory permissions, as well as ownership against a set list (a sample list for RedHat 6.x is here)

Also, sherpa is written in Perl because of ease of use when it comes to report generation and system administration needs. While I'm sure a C program would be faster, it would be a lot less *practical* than a Perl script and less amenable to localized tweaking as the need to do so arises.

Features

 

ViperDB
by J-Dog <j-dog@resentment.org>
< http://www.resentment.org/projects/viperdb/ >
Platforms: AIX, BSDI, DG-UX, Digital UNIX/Alpha, FreeBSD, HP-UX, IRIX, Linux, NetBSD, OpenBSD, SCO, Solaris, SunOS, True64 UNIX, UNIX, Ultrix and Unixware
Size: 4.16Kb
Score: Not scored yet

ViperDB was created as a smaller & faster option to Tripwire. Tripwire while being a great product leaves something to be desired in the speed department and also, by default tripwire generates a report everytime it runs and directs that report to an email address. This hinders most people from running Tripwire every few minutes to do a system check. ViperDB however is the answer to this problem. ViperDB uses a fast plaintext db and is written in perl.

Mark Crosbie, Detect a SATAN scan of your system
Keywords: SATAN scan detector, network monitoring
Abstract: A simple PERL script that will detect a heavy SATAN scan by monitoring the output of the TCP wrappers package. You must have TCP wrappers (/pub/tools/unix/tcp_wrappers) installed to use this.

Bruce Barnett, trojan.pl
Abstract: Trojan.pl is a trojan horse checking program. It examines your searchpath and looks at all of the executables in your searchpath, looking for people who can create a trojan hource you can execute.

G. Paul Ziemba, tcpr
Abstract: Tcpr is a set of Perl scripts that enable you to run ftp and telnet commands across a firewall. Forwarding takes place at the application level, so it's easy to control.

Lionel Cons, Rsucker
Abstract: A perl scirpt that acts as a fake r* daemon and log the attempt is syslog. Byte sucker for r* commands.

James Seng, Logging fingerd in PERL
Keywords: fingerd, loggin, rfc931
Abstract: This finger deamon is written in perl to do addition logging into a file called /var/log/trap/fingerd. It contain additional information like who is at the other end of the connect (via rfc931 : read authuser), who does he/she finger and any other information which his send through the finger port. It is programmed to deny chain fingering, and stop immediately if it detects special symbol like "|<>..." in the input stream. It can be easily modified to filter out information, deny fingering of certain person, deny fingering from certain host, filter finger information etc without the trouble of recompilation since it is written in perl.

 

Ray W. Hiltbrand, Doug Hughes, Paul Danckaert, Pierre Beyssac, phf prober perl script (A related WWW homepage exists for this item)
Keywords: phf, cgi
Abstract: phf perl script is used to try to find out as much information from the person calling the script as possible. The only reason for using phf on the system is to exploit a bug to execute commands.

Steve Romig, Perl Cops
Abstract: This is a perl version of Dan's version of Bob Baldwin's Kuang program (originally written as some shell scripts and C programs). Features including Caches passwd/group file entries in an associative array for faster lookups. This is particularly helpful on insecure systems using YP where password and group lookups are slow and you have to do a lot of them, can specify target (uid or gid) on command line, can use -l option to generate PAT for a goal, can use -f to preload file owner, group and mode info, which is helpful in speeding things up and in avoiding file system 'shadows'.

David Barr, A DNS Debugger
Abstract: dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy. dnswalk requires perl and dig. (Tested under perl-4.036, dig 2.0, and the dig shipped with BIND 4.9.x) If you do not have these tools, get them. (perl is assumed to be in /usr/local/bin, edit the first line of dnswalk if it is not)

----

L6
Provides a flexible and intelligent interface for periodic integrity checks of data using Perl

Availability: anonymous ftp at L6
Additional Info: L6

Application: perlradius   Development Version: 1.6

Brief Description: A drop-in replacement for the livingston radiusd

---

Title: dnswalk
Authors: David Barr
File size: 112090 bytes
Abstract:

dnswalk is a DNS debugger. It performs zone transfers of specified domains and checks the database in numerous ways for internal consistency as well as accuracy. dnswalk requires perl and dig.ToC

Title: tcpr
Authors: G. Paul Ziemba
File size: 82823 bytes
Abstract:

Tcpr is a set of Perl scripts that enable ftp and telnet commands to be run across a firewall. Forwarding takes place at the application level for easy control.ToC

Title: access_list_examples
Authors: Paul Traina
File size: 19074 bytes
Abstract:

access_list_examples is series of Perl scripts that allow one to quickly and easily configure ACL entries for firewall routers.ToC

Title: Raudit
Authors: Michele D. Crabb
File size: 11615 bytes
Abstract:

raudit is a Perl script which audits each user's .rhosts file and reports on various findings. Without arguments, raudit will report on the total number of rhosts entries, the total number of non- operations entries, for which the hosts is listed in the /etc/hosts.equiv file, the total number of remote entries, for which the host is a non-NAS host. raudit will also report on any entries which may be illegal. An entry is considered illegal if the username does not mach the username from the password file or if the entry contains a "+" or a "-". Raudit is normally run on a weekly basis via a cron job which runs rhosts.audit. The output is mailed to the NAS security analyst(s).ToC

Title: Logging fingerd in PERL
Authors: James Seng
File size: 1814 bytes
Abstract:

This finger daemon is written in perl to do additional logging into a file called /var/log/trap/fingerd. It contain additional information like who is at the other end of the connect (via rfc931 : read authuser), who does s/he finger, and any other information which is sent through the finger port. It is programmed to deny chain fingering and stop immediately if it detects special symbols like "|<>..." in the input stream. It can easily be modified to filter out information, deny fingering of a certain person, deny fingering from certain hosts, and filter finger information etc. without the trouble of recompilation since it is written in perl.ToC

Title: dump_lastlog
Authors: Eugene H. Spafford
File size: bytes
Abstract:

Under most versions of Unix, there is a "lastlog" file that records the time and sometimes the terminal of the last login for each user. This is then printed as part of the next login as information. Some systems also include information on the number of invalid attempts on the account since the last valid login. This Perl program dumps the file for SunOS/Solaris systems as it works on both. If your lastlog format is different, simply modify this logging format. One may need to adjust the path to the lastlog file.ToC

Title: anlpasswd
Authors: Mark Henderson
File size: 428289 bytes
Abstract:

A modified version of Larry Wall's Perl password program that in an NIS environment, allows for gecos changes and also checks a sorted list of all the "bad passwords".ToC

[Nov. 1, 1999] Title: Perl Cops by Steve Romig

This is a perl version of Dan's version of Bob Baldwin's Kuang program, which was originally written as shell scripts and C programs. Features including caching passwd/group file entries in an associative array for faster lookups. This is particularly helpful on insecure systems using YP where password and group lookups are slow and frequent. User can specify target (uid or gid) on command line. can use -l option to generate PAT for a goal. User can use -f to preload file owner, group and mode info, which is helpful in terms of speed and avoiding file system 'shadows'.ToC

[July 15, 1999] Fcheck -- Mr_G - July 13th 1999 FCHECK is a very stable PERL script written to generate and comparatively monitor a UNIX system against its baseline for any file alterations and report them through syslog, console, or any log monitoring interface. Monitoring events can be as quick as one minute intervals if a systems drive space is small enough making it very difficult to circumvent. A freely available open-source alternative to 'tripwire' that is time tested, and is easier to configure and use. Also supports remote monitoring of other UNIX systems.

sidentd (Daemons/Ident)
Secure identd written in perl, allows per-user fake replys
Sep 12th 1998, 13:07
stable: 0.5 - devel: none - license: GPL


Jul 01st 1998, 08:35
stable: 1.1 - devel: none - license: GPL


Recommended Links

ScriptSearch - Perl Utilities Security

Unix Host and Network Security Tools -- big largely outdated list

You'll find a lot of useful security related stuff over at insecure.org.

Basic Steps in Forensic Analysis of Unix Systems

Forgetting to Lock the Back Door- A Break-in Analysis on a Red Hat ...

Introduction to Forensics | Linux Journal

 


Honey-pots and Fakes

Title: Rsucker
Authors: Lionel Cons
File size: 6639 bytes
Abstract:

Rsucker is a perl script that acts as a fake r* daemon and log the attempt is syslog. Byte sucker for r* commands.ToC

sidentd (Daemons/Ident)
Secure identd written in perl, allows per-user fake replys
Sep 12th 1998, 13:07
stable: 0.5 - devel: none - license: GPL


Audit and Hardening

Shepra Bastille SUSE Tools Perl Cops  

Perl Cops

[Nov. 1, 1999] Title: Perl Cops by Steve Romig

This is a perl version of Dan's version of Bob Baldwin's Kuang program, which was originally written as shell scripts and C programs. Features including caching passwd/group file entries in an associative array for faster lookups. This is particularly helpful on insecure systems using YP where password and group lookups are slow and frequent. User can specify target (uid or gid) on command line. can use -l option to generate PAT for a goal. User can use -f to preload file owner, group and mode info, which is helpful in terms of speed and avoiding file system 'shadows'.ToC

 

Shepra

sherpa - a system security configuration tool for GNU-Linux

sherpa inventories basic filesystem security (permissions, file ownership) and creates a report of what it finds. It can also be used as a remedial tool, one that will change file permissions and ownership according to the modes listed in perms.lst.

sherpa will do a series basic check of RedHat GNU/Linux 5.x/6.x and SuSE 6.0 filesystems and should be run (a) after inital installation of the operating system and then (b) periodically. Many of the checks performed herein are based on sources I have studied and found useful.

sherpa performs the following checks on your local filesystems:

  1. Checks for SUID and SGID files
  2. Checks for world writable files
  3. Checks for .rhosts and hosts.equiv files
  4. Summarizes configured network services (via inetd) and checks for use of tcp_wrappers
  5. Checks for use of shadow passwords
  6. Checks file and directory permissions, as well as ownership against a set list (a sample list for RedHat 6.x is here)

Also, sherpa is written in Perl because of ease of use when it comes to report generation and system administration needs. While I'm sure a C program would be faster, it would be a lot less *practical* than a Perl script and less amenable to localized tweaking as the need to do so arises.

Features

 

Bastille

 Linux PR Bastille Linux releases v1.0.0 at SANS San Francisco Security Conference 99 -- actually it's not very Linux specific and can be adapted to any Unix.

Bastille Linux releases v1.0.0 at SANS San Francisco Security Conference 99
  Dec 14th, 05:40 UTC

The Bastille Linux development team is proud to announce the first release of the Bastille Linux hardening script. The Bastille Hardening script attempts to provide the most secure, yet functional, Redhat 6.0 system available. (Support for Red Hat 6.1 is forthcoming.) Bastille Linux was designed with several major goals:

Bastille Linux draws from every available major reputable source on Linux Security. The initial development integrated Jay Beale's existing hardening scripts for Solaris and Linux with most major points from the SANS Securing Linux Step by Step, Kurt Seifried's Linux Administrator's Security Guide, and several other sources.

Bastille Linux has been designed to educate the installing administrator about the security issues involved in each of the script's tasks. Each step is optional and contains a description of the security issues involved.

Once the initial development was near complete, we brought the effort to the developers of the Bastille Discussion mailing list. Further, we began soliciting outside suggestions and testing. The script was GPL'd promptly and the Specification shared.

The Bastille Linux hardening script is a community consensus project: it attempts to integrate existing "best practices" documents and the shared knowledge of many administrators. The project needs constant input from its user community (This means you!) in order to remain current, as well as to fill in the gaps in our existing structure. Bastille Linux is far from perfect, and your input is crucial to making it better.

Bastille Linux 1.0.0 is available from the following locations:
http://bastille-linux.sourceforge.net/bastille-1.0.0.tar.gz
http://www.gl.umbc.edu/~jbeale1/bastille-1.0.0.tar.gz

SUSE Tools

 Linux Today SuSE Security Announcement - new security tools -- -- actually it's not very SUSE specific and can be adapted to any Unix.

Tools developed by SuSE (all open source) and included in SuSE 6.3 :

SuSE FTP Proxy - The first program of the SuSE Proxy Suite. A secure FTP proxy with support for SSL, LDAP, command restriction, active and passive FTP support, and much more.
RPM: fwproxy.rpm, fwproxys.rpm (SSL - not in the US version)

SuSE Firewall - The new firewall script from SuSE, rewritten from scratch. Autodetection of interface information, masquerading, autoprotection of services, protection from internal networks, fail-close design and easy to configure. RPM: firewals.rpm

Harden SuSE - A special script for hardening a SuSE Linux 5.3 - 6.3. By answering 9 questions, the system is reconfigured very tightly. e.g. disabling insecure network services, removing suid/sgid/world-writable permissions which are not critical. RPM: hardsuse.rpm

SuSE Secumod - This loadable kernel module enhances the security of the system by adding a symlink/hardlink/pipe protection, procfs protection, trusted path execution and capabilities. RPM: secumod.rpm

SuSE Secchk - These are cron scripts which run daily, weekly and monthly to check the security of the system and compare them to the last run. RPM: seccheck.rpm

Yast-1 - New administration menu for setting password aging, authentication fail delay and logging of logins + failures. RPM: yast.rpm

SuSE auditdisk - Please note that this tool is in beta phase! This tool generates a bootdisk with checksum data and all binaries etc. needed to automaticaly verify file checksums upon booting. This way it can't be subverted by lkm's like a standard e.g. tripwire installation.
WWW: http://www.suse.de/~marc - not included on SuSE 6.3 yet

Watch out for updates of these tools on our WWW or FTP update sites. Although these are tools developed by SuSE, they (should) work on any Linux distributions with little problems.

New tools included in the SuSE Linux distribution (not created by SuSE):

FreeS/WAN - IPSEC implementation to build secure VPN tunnels via public networks.
RPM: freeswan.rpm (not in the US version)

GNU Privacy Guard - A free pgp-like tool for secure (not limited to email) communication. Frontends are also included.
RPM: gpg (not in the US version)

Nessus - A very good network security scanner!
RPM: nessus

plus tmpwatch, arpwatch, plug, sslwrap, the newest nmap and more. "Old" packages include: john, saint, cipe, pgp, scanlogd, ssh, tripwire, etc.


SUSE  webpage for security announcements:
http://www.suse.de/security

 

[Nov. 1, 1999] Title: Perl Cops by Steve Romig

This is a perl version of Dan's version of Bob Baldwin's Kuang program, which was originally written as shell scripts and C programs. Features including caching passwd/group file entries in an associative array for faster lookups. This is particularly helpful on insecure systems using YP where password and group lookups are slow and frequent. User can specify target (uid or gid) on command line. can use -l option to generate PAT for a goal. User can use -f to preload file owner, group and mode info, which is helpful in terms of speed and avoiding file system 'shadows'.ToC

Michele D. Crabb, Raudit
Abstract: raudit is a Perl script which audits each user's .rhosts file and reportson various findings. Without arguments raudit will report on the total number of rhosts entries, the total number of non-operations entries (entries for which the hosts is listed in the /etc/hosts.equiv file, the total number of remote entries (entries for which the host is a non-NAS host. raudit will also report on any entries which may be illegal. An entrie is considered illegal if the username does not mach the username from the password file or if the entry contains a "+" or a "-". Raudit is normally run on a weekly basis via a cron job which runs rhosts.audit. The output is mailed to the NAS security analyst(s).

----

L6
Provides a flexible and intelligent interface for periodic integrity checks of data using Perl

Availability: anonymous ftp at L6
Additional Info: L6

----

Check.pl


Monitoring

Courtney. latest version is 1.3

http://www.alw.nih.gov/Security/CIAC-Notes/CIAC-Notes-08.html

Monitors the network and identifies the source machines of SATAN probes/attacks. Courtney receives input from tcpdump counting the number of new services a machine originates within a certain time window. If one machine connects to numerous services within that time window, courtney identifies that machine as a potential SATAN host.

NodeWatch
Patrick Ryan - September 24th 1998, 01:54 EST

NodeWatch is an open source TCP/IP network monitoring tool written in Perl for UNIX. It will watch, i.e. poll, a set of network nodes and react to node connectivity changes by making entries to the syslog or executing user defined commands. NodeWatch was written from the perspective of a network manager; it only keeps track of the node's ability to respond to ICMP echo request datagrams with ICMP echo reply datagrams.

syswatch-1.1.tar.gz SysWatch 1.1 - SysWatch is a perl script that allows you to view current system information, disk utilization, resource utilization all in your web browser. Changes: Added automatic drive mapping (less configuration). Added red bar for drives over 90% full. The same script will now work on both *BSD and Linux. 3.621 kb. By Chris Martino.

durep (Console/Monitoring)

Disk Usage Reporter
Jun 07th 1999, 23:04
stable: none - devel: 0.8 - license: Artistic

[fm] Angel Network Monitor

Angel is a simple yet useful tool to monitor the services on your network. Technically speaking, it's a Perl program that runs every 'n' minutes (usually fired from your cron) and calls different perl subprograms (referred to as "plugins" from now on) to do the actual testing. It will then generate an HTML table containing the status of your network.


SUID/SGID Checking

 

Thor
thor.pl keeps tabs on suid and sgid files on your file system. It also keeps track of the checksums of your binaries and the root accounts on the system as well as a few other things. It's a handy script that helps you find possible security risks, or breakins.

Download: http://www.linuxscripts.com/arc/thor1.0.tar.gz
Homepage: http://www.linuxscripts.com/

 

 

 


Integrity checking

Triplight

Triplight is an intrusion detection, and integrity monitor system. This release is rather unpolished (you need to hack up a crontab file, and to set a file path in the perl source), but fully functional. To accomplish its design goals, it reads in a list of files stored in flat ASCII, and uses md5sum to check their integrity against that recorded earlier in a database. If the database is placed on a read-only medium such as a write-protected floppy, then it should provide an infallible record against remotely installed trojan horses. Thus by monitoring the integrity of the system, triplight will serve as an aid in intrusion detection.

Download: http://linux.rice.edu/magic/triplight/triplight.tar.gz (189 hits)
Homepage: http://linux.rice.edu/magic/triplight/ (416 hits)
Stable Version: 0.01
Author: Sam Carter
License: GPL
Category: Console/Firewall and Security
Depends on: md5sum, cron, perl
Appindex ID: 933137162

 

[July 15, 1999] Fcheck -- Mr_G - July 13th 1999 FCHECK is a very stable PERL script written to generate and comparatively monitor a UNIX system against its baseline for any file alterations and report them through syslog, console, or any log monitoring interface. Monitoring events can be as quick as one minute intervals if a systems drive space is small enough making it very difficult to circumvent. A freely available open-source alternative to 'tripwire' that is time tested, and is easier to configure and use. Also supports remote monitoring of other UNIX systems.

Trojan

A perl script that can be run by any user (most audit tools are only available to root) to determine if any binaries in their path are potentially trojan horses.s. It examines your searchpath and looks at all of the executables in your searchpath.

  Trojan readme

  Trojan (tar)

  Source archive (ftp://coast.cs.purdue.edu/pub/tools/unix)

trojan.pl

[ November 4, 1998] World Wide Digital Security Inc.  -- New SAINT™ Released (ver 1.3.4)

ViperDB
by J-Dog <j-dog@resentment.org>
< http://www.resentment.org/projects/viperdb/ >
Platforms: AIX, BSDI, DG-UX, Digital UNIX/Alpha, FreeBSD, HP-UX, IRIX, Linux, NetBSD, OpenBSD, SCO, Solaris, SunOS, True64 UNIX, UNIX, Ultrix and Unixware
Size: 4.16Kb
Score: Not scored yet

ViperDB was created as a smaller & faster option to Tripwire. Tripwire while being a great product leaves something to be desired in the speed department and also, by default tripwire generates a report everytime it runs and directs that report to an email address. This hinders most people from running Tripwire every few minutes to do a system check. ViperDB however is the answer to this problem. ViperDB uses a fast plaintext db and is written in perl.

 


Log tools in Perl

Swatch

i005_P3_swatchv3

[July 16, 1999]Lumberjack Log rotation software, perl replacement for newsyslog
Jun 08th 1999, 08:48 stable: none - devel: none license: Public Domain. Lumberjack is a perl replacement for the BSD newsyslog. Logs are rotated and renamed to logfile.YYMMDD, and the daemon/signal are configurable. Contrary to the URL for the file, this program should work on all systems, not just NetBSD. http://kludge.psc.edu/~ksulliva/netbsd/lumberjack.man.html

 

[July 16, 1999] Autobuse Grant Taylor - January 11th 1999, 19:04 EST

Autobuse is Perl daemon which identifies probes and the like in logfiles and automatically reports them via email. This is, in a way, the opposite of logcheck in that autobuse identifies known badness and deals with it automatically, while logcheck identifies known goodness and leaves you with the rest.

 

97: score: 0.33 log (Console/Administration)
a simple system changelog script, useful for multiple admins
Jul 15th 1999, 12:09
stable: 0.8 - devel: none - license: GPL
198: score: 0.33 logcoloriser (Console/Log Analyzers)
Ssyslog log colourising PERL script
Jul 31st 1999, 22:12
stable: 1.0.2 - devel: none - license: GPL
199: score: 0.33 Lumberjack (Console/Administration)
Log rotation software, perl replacement for newsyslog
Jun 08th 1999, 08:48
stable: none - devel: none - license: Public Domain

Scanning tools and supporting scripts

nlog (Console/Log Analyzers)
nmap 2.x log management and analyzer toolkit
Dec 25th 1998, 13:13
stable: 1.5.3 - devel: none - license: free to use but restricted

 

ftpcheck dave weekly - October 28th 1998, 01:36 EST

ftpcheck scans hosts and networks for FTP and anonymous FTP archives. It was written as a security analysis tool. ftpcheck is very fast. It can effectively scan a class C network for anonymous FTP sites in less than 5 seconds. It does this by starting a new process for each connection. ftpcheck requires perl and libnet (from CPAN).

Download: http://david.weekly.org/code/ftpcheck.pl
Homepage: http://david.weekly.org/code/

Configuration and maintenance

sherpa (Console/Firewall and Security)

A system security configuration and maintenance tool
Jul 07th 1999, 22:10
stable: 0.1.1 - devel: none - license: GPL

rpmwatch (Console/Packaging)
Keeps your RPMs in sync with the official errata




Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2014 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine. This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting hosting of this site with different providers to distribute and speed up access. Currently there are two functional mirrors: softpanorama.info (the fastest) and softpanorama.net.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: February 19, 2014