
Removing Delta-Search and the Lollipop adware

If your home page has been replaced by the "Delta Search" search engine, you are probably infected with this adware. Don't be surprised if your antivirus does not detect it: strictly speaking it is not a virus, although removing it is strongly recommended.

It installs by default, unless you untick the option, as a search toolbar, and usually arrives as an add-on in certain shareware installers or similar, or by downloading it from the developer's own website, which, curiously, does not enjoy a very good reputation.

TECHNICAL DETAILS:

This software modifies the browser's home page (browser hijacking) and the default search engine, tracking our queries. It also redirects to specific pages or serves targeted advertising in order to generate visits (and hence pay-per-click revenue).

It is common that, after this unwanted software (PUP) is installed, certain websites (generally those of security software vendors) are blocked, or that the machine's resource usage increases noticeably.

Files associated with Delta-Search:
  • %userprofile%\[Random].exe
  • C:\Windows\system32\[Random].exe
  • C:\Archivos de programa\Delta\1.8.X.X\deltasrv.exe
  • C:\Archivos de programa\Delta\1.8.X.X\deltaApp.dll
  • C:\Archivos de programa\Delta\1.8.X.X\deltaEng.dll
  • C:\Archivos de programa\Delta\1.8.X.X\deltaTlbr.dll
  • C:\Archivos de programa\Delta\1.8.X.X\escortShld.dll
  • C:\Archivos de programa\Delta\1.8.X.X\uninstall.exe

(C:\Archivos de programa is the Program Files folder on a Spanish-language Windows.)

Registry keys modified by the malware:
  • HKLM\SOFTWARE\Delta-Search
  • HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
  • HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Apart from HKLM\SOFTWARE\Delta-Search, these are standard Windows keys: look for Delta entries inside them rather than deleting the keys themselves.

REMOVAL:

This software can be removed in several ways:

Manual removal:

  1. Open Control Panel and uninstall the "Delta" and "Delta Toolbar" programs
  2. Remove the add-ons [Delta Toolbar and similar] that were added to the browser:
  • Firefox: Tools > Add-ons > Extensions
  • Internet Explorer: Tools > Manage add-ons
  • Google Chrome: Settings > Extensions
  3. Go to the general settings and set the home page (and the default search engine) back to what you want

Removal with software:

  1. Download one of the following tools: Malwarebytes | AdwCleaner | HitmanPro
  2. Scan your system
  3. Remove the malware detected and reboot if necessary

 

Lollipop is a common adware of recent times. Its spread is not surprising, since it curiously gets installed alongside third-party software from widely used download portals such as Softonic.

According to Lollipop Network, it is an application that improves the online shopping experience by helping the user find better deals.

The original Spanish version of the program can also be downloaded from the andocomparando website, which, according to them, lets each user configure the software's settings to their needs.

The problem comes when we install third-party software that implicitly includes Lollipop in its license terms: in most of these cases Lollipop cannot be configured and does not show up in Add or Remove Programs either.

The biggest nuisance is that it opens advertising pop-ups indiscriminately, making it hard for users to get rid of the software easily.

TECHNICAL DETAILS

Despite this software's legitimate appearance, it is a potentially unwanted program (PUP), and VirusTotal shows the same in several random analyses I ran on this file.

Once installed on the machine, it loads at every system start-up and collects information about the sites visited in order to display specific "targeted" ads.

Usual location:

  • C:\Users\<Usuario>\AppData\Local\Lollipop
  • C:\Documents and Settings\<Usuario>\Configuración local\Datos de Programa\Lollipop


Files associated with the malware:
  • logo.ico
  • Lollipop.txt
  • lollipop_04150636.bat
  • lollipop_04150636.exe
  • lollipop_04150636.lpd
  • lollipop_04150636_cfg.lpd
  • lollipop_04150636_ps.lpd

Other possible names:
  • losol.exe
  • Lollipop_1902-5328fbcc.exe
  • LollipopInstaller_solimba_14657.exe
  • LollipopInstaller_somoto_14693.ex_
  • Civ.exe
  • LollipopInstaller_tuguu_14656.ex
  • lollipopinstaller_vittalia__eazel.exe

Uninstall string (depending on version):

The following uninstall script is found in the product's own path:

@echo Uninstalling the software...
@"c:\documents and settings\Usuario\configuración local\datos de programa\lollipop\lollipop_04150636.exe" -uninstall
IF ERRORLEVEL 1 GOTO End
:Repeat
del "c:\documents and settings\Usuario\configuración local\datos de programa\lollipop\lollipop_04150636.exe"
if exist "c:\documents and settings\Usuario\configuración local\datos de programa\lollipop\lollipop_04150636.exe" goto Repeat
del "c:\documents and settings\Usuario\configuración local\datos de programa\lollipop\lollipop_04150636.bat"
:End

Antivirus detection names:

  • TROJ_GEN.R0UCDEA
  • WS.Reputation.1
  • Trj/OCJ.E
  • Skintrim.DVYD
  • W32/Kryptik.AZAW
  • Trojan.Win32.Wintrim
  • Adware/Lollipop
  • Win32:Adware-APX [Adw]

REMOVAL:

OPTION 1:

  • Open Control Panel > Add or Remove Programs
  • Select the "Lollipop" software and uninstall it
  • Remove any extensions it may have created in the browser

OPTION 2:

  • Go to the Lollipop installation directory
  • Run the .bat file, which launches the product with the uninstall parameter

OPTION 3:

  • Download and install one of the adware-removal applications
  • Download and install Malwarebytes Anti-Malware Free [Download]
  • Update the protection (Update Malwarebytes Anti-Malware)
  • From the "Scanner" tab run a full scan (Perform full scan)
  • When it finishes, select the malware detected and remove it (Remove Selected)

OPTION 4:

  • Run Windows Task Manager
  • Locate and end the Lollipop process (lollipop_<digits>.exe in the file list above)
  • Go to the program's usual location for your operating system
  • Delete the "Lollipop" directory
  • Scanning your system with an anti-malware tool afterwards is recommended

 

For example, they get installed together with IZArc:

http://www.bajolared.com/wordpress/software-de-terceros-comprometen-tu-maquina-caso-izarc/
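Since both posts give their indicators as file paths and registry keys, here is a small matcher that applies them to a host inventory. It is an added example written for this page, not code from either post: the file listing and Run-key export it scans are constructed, and the patterns are derived from the names listed above. The "[Random].exe" entries cannot be matched by name, so the script only flags an executable sitting directly in a profile root for manual review and leaves system32 alone.

```python
"""Match a host inventory against the Delta-Search and Lollipop indicators above.

Added example, not code from either post. SAMPLE_FILES and SAMPLE_RUN_KEYS are
constructed; the patterns come from the file and registry lists quoted in the posts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Delta components under <Program Files>\Delta\1.8.X.X\ (Spanish Windows: Archivos de programa)
DELTA_FILE = re.compile(
    r"\\Delta\\1\.8\.\d+\.\d+\\(?:deltasrv\.exe|deltaApp\.dll|deltaEng\.dll|"
    r"deltaTlbr\.dll|escortShld\.dll|uninstall\.exe)$", re.I)
# Lollipop directory on Vista+ and on a Spanish-locale XP
LOLLIPOP_DIR = re.compile(r"\\(?:AppData\\Local|Datos de Programa)\\Lollipop\\", re.I)
LOLLIPOP_FILE = re.compile(r"^lollipop_\d{8}(?:_cfg|_ps)?\.(?:exe|bat|lpd)$", re.I)
# LollipopInstaller_<bundler>_<build>.exe; some listed samples are truncated to .ex_ or .ex
LOLLIPOP_INSTALLER = re.compile(r"^LollipopInstaller_([a-z]+)_+[a-z0-9]+\.ex[e_]?$", re.I)
# The "[Random].exe" indicators cannot be matched by name. An .exe directly in a profile
# root is unusual enough to flag for review; system32 is deliberately left alone (too noisy).
PROFILE_ROOT_EXE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    source: str        # "file" or "autorun"
    description: str
    evidence: str      # path, or "key\value = command"


def classify_path(path: str) -> Optional[str]:
    """Describe the indicator a path matches, or return None for a clean path."""
    name = path.rsplit("\\", 1)[-1]
    if DELTA_FILE.search(path):
        return "Delta-Search component"
    if LOLLIPOP_DIR.search(path) and LOLLIPOP_FILE.match(name):
        return "Lollipop runtime file"
    m = LOLLIPOP_INSTALLER.match(name)
    if m:
        return f"Lollipop installer (bundled by {m.group(1).lower()})"
    if PROFILE_ROOT_EXE.match(path):
        return "executable in profile root (review manually)"
    return None


def scan(files: List[str], run_keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Apply the indicators to a file listing and to Run-key values."""
    findings: List[Finding] = []
    for path in files:
        desc = classify_path(path)
        if desc:
            findings.append(Finding("file", desc, path))
    for key, values in run_keys.items():
        for value_name, command in values.items():
            # Run and Toolbar keys are legitimate Windows keys: only values pointing
            # into the adware directories are findings, never the key as a whole.
            if DELTA_FILE.search(command) or LOLLIPOP_DIR.search(command):
                findings.append(Finding("autorun", "start-up entry launching adware",
                                        f"{key}\\{value_name} = {command}"))
    return findings


def bundlers(findings: List[Finding]) -> List[str]:
    """Distinct bundler names recovered from Lollipop installer file names."""
    return sorted({f.description.split("bundled by ")[1].rstrip(")")
                   for f in findings if "bundled by" in f.description})


# Constructed inventory: what a file listing and a Run-key export from one host might hold.
SAMPLE_FILES = [
    r"C:\Archivos de programa\Delta\1.8.21.5\deltasrv.exe",
    r"C:\Archivos de programa\Delta\1.8.21.5\deltaTlbr.dll",
    r"C:\Users\ana\AppData\Local\Lollipop\lollipop_04150636.exe",
    r"C:\Users\ana\AppData\Local\Lollipop\lollipop_04150636_cfg.lpd",
    r"C:\Users\ana\AppData\Local\Lollipop\logo.ico",              # too generic to match by name
    r"C:\Users\ana\Downloads\LollipopInstaller_solimba_14657.exe",
    r"C:\Users\ana\Downloads\lollipopinstaller_vittalia__eazel.exe",
    r"C:\Users\ana\xk3f9a.exe",                                    # random-looking, profile root
    r"C:\Program Files\7-Zip\7z.exe",                              # clean
]
SAMPLE_RUN_KEYS = {
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Lollipop": r"C:\Users\ana\AppData\Local\Lollipop\lollipop_04150636.exe",
        "OneDrive": r"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Delta": r"C:\Archivos de programa\Delta\1.8.21.5\deltasrv.exe",
    },
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES, SAMPLE_RUN_KEYS):
        print(f"[{f.source}] {f.description}: {f.evidence}")
```

Feed it the output of `dir /s /b` and a Run-key export (or adapt it to read the registry with winreg on the host). The design point is that the Run and Toolbar keys listed in the post are legitimate Windows keys, so only values pointing into the adware directories are reported, and the bundler name recovered from the installer file name tells you which download portal delivered it.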

 


Repairing the Windows 7 boot

A frequent problem we face with our machines is that one fine day, without warning, the computer fails to boot the operating system. One of the most frequent causes is a damaged boot configuration (on Windows 7 this is the BCD store used by the Windows Boot Manager; the "BOOT.ini" file belongs to Windows XP and earlier).

In this post we summarize, in a simple way, how to repair that configuration and get the machine booting properly when the PC's operating system is Windows 7.

FIRST: Have a Windows 7 DVD at hand and insert it in the machine's DVD drive.

SECOND: Tell the BIOS to boot from CD/DVD (on many boards you can do this by pressing F8 at start-up to get the boot-device menu, or by setting BOOT PRIORITY ORDER in the BIOS setup, reached with "Del" or "F2" on most boards).

THIRD: Choose the language and keyboard layout in the Windows 7 setup wizard and click Next.

FOURTH: On the next screen choose "Repair your computer" (not "Install now"), and then "Command Prompt" in the recovery options that appear.

FIFTH: Run the following commands.

– bootrec /fixmbr

The /FixMbr option writes a Windows 7-compatible MBR to the system partition. It does not overwrite the existing partition table. Use it when the MBR is corrupted, or when non-standard code has to be removed from the MBR. Note that a third-party boot loader such as GRUB installed in the MBR counts as non-standard code and will be removed too, so on a dual-boot machine you will have to reinstall it afterwards.

– bootrec /fixboot

The /FixBoot option writes a new, Windows 7-compatible boot sector to the system partition.

Use this option if any of the following 3 conditions applies:

A) The boot sector has been replaced with a non-standard Windows boot sector.

B) The boot sector is damaged.

C) An earlier Windows operating system was installed after Windows Vista. In that situation the computer starts with the Windows NT loader (NTLDR) instead of the Windows Boot Manager (Bootmgr.exe).

– bootrec /rebuildbcd

The /RebuildBcd option scans all disks for installations compatible with Windows. It also lets you choose which installations to add to the BCD store. Use it to rebuild the BCD completely.

These commands repair a BIOS/MBR installation; a UEFI/GPT installation boots through the EFI system partition and /fixmbr and /fixboot are not the right tool for it.

SIXTH: Type "exit" and restart the machine.

 

Further help

If after following these steps the machine is still not fixed, you can try repairing the Windows 7 file system with CHKDSK and read this tutorial.

We hope the post is helpful. Any help spreading it so it can reach more people is always appreciated! Thanks in advance.

http://www.restauraciontalavera.es/blog/tecnologia/05-2011/reparar-boot-de-aranque-windows-7

 


Data recovery

http://www.bairesnortelug.com.ar/2007/01/31/recuperacion-de-datos-perdi-todo-y-ahora-que-hago/

Let's start with the ones that, in my view, are the best in the field:

Photorec
Known for its effectiveness at recovering the SD cards of digital cameras. It is GPL-licensed and multi-platform. It currently supports:
* DOS/Win9x
* Windows NT 4/2000/XP/2003
* Linux
* FreeBSD, NetBSD, OpenBSD
* Sun Solaris
* Mac OS X
Supported partition types are:
* FAT,
* NTFS,
* EXT2/EXT3 filesystem
* HFS+
According to the project's web page, data was successfully recovered from the following cameras:
* Canon EOS300D, 10D
* HP PhotoSmart 620, 850, 935
* Nikon CoolPix 775, 950, 5700
* Olympus C350N, C860L, Mju 400 Digital, Stylus 300
* Sony DSC-P9
* Praktica DCZ-3.4
* Casio Exilim EX-Z 750

Foremost
Very effective at recovering different file types. The technique it uses is a raw read of the medium looking for file headers, footers and internal structure. The software itself ships a fairly broad database of file structures, among them:
jpg (support for JFIF and Exif as embedded by modern digital cameras), gif, png, bmp, avi, mpg (supports most MPEGs, starting with the 0x000001BA file header), exe (Windows PE executables), rar, wav, riff, wmv, wma, mov, pdf, ole (includes PowerPoint, Word, Excel, Access and Star Writer), zip, htm and cpp

dd
This utility has been part of the coreutils of any *nix system for a long time. It is also GPL-licensed.
What is it for? It lets us copy information block by block. For example, to make an image of a CD we would do:
dd if=/dev/cdrom of=/home/usuario1/imagen.img
But the problem arises when the CD or the medium holding the information is damaged: dd stops at the first read error unless told otherwise (conv=noerror,sync).
To get around this, a series of dd forks appeared with improvements for these cases:

dd_rescue
This program was born shortly after dd. Its operation is simple: it will try to copy all the information even if there are errors on the device. It can be run several times and will not start from scratch, but will try to complete the operation until the full information is obtained.
Example:

# dd_rescue -e 7 -l /tmp/resultado.log -r -d /dev/hdc /var/tmp/cd.img

The contents of /dev/hdc are read and written to cd.img
-e 7 stops after 7 read errors (the maximum error count)
-l is followed by the file in which the read log is stored
-r reverses the direction of the read (from the end of the device backwards)
-d uses direct I/O (O_DIRECT) on the input, bypassing the page cache

The drawback of dd_rescue is that reads can take a long time, because of the number of passes we ask it to make over the bad sector and because of the size of the information to recover.

Myrescue
This program is an improvement over dd_rescue and tries to find the best way to tackle the problem, for example reading the healthy information first and then continuing where the problem is.

DD_rhelp
In this case it tries different reading methods.

DDrescue
Covers all the functions of the previous programs and of dd_rescue. It uses the method of first reading what is fine and then applying different techniques to the faulty sectors. Bear in mind that this program's recovery process is also very slow. Do not confuse GNU ddrescue (one word) with Kurt Garloff's dd_rescue above: they are different programs, and it is ddrescue's mapfile that lets an interrupted run resume without re-reading the areas already copied.

Recoverdm
Useful for recovering scratched CDs: when it hits an error it lowers the read speed and retries the copy.

Example:

# recoverdm -t 30 -o /home/user1/recupero.img -n 1 -r 6 -i /dev/hdc
-t 30 sets the drive type to DVD
-o the destination file
-i the device to read
-n the number of retries for each read

gpart
Tries to recover the primary partition table when sector 0 is damaged, incorrect or erased. Supported partition types are:
* DOS/Windows FAT (FAT 12/16/32)
* Linux ext2
* Linux swap partitions versions 0 and 1 (Linux >= v2.2.X)
* OS/2 HPFS
* Windows NT/2000 FS
* *BSD disklabels
* Solaris/x86 disklabels
* Minix FS
* Reiser FS
* Linux LVM physical volume module (LVM by Heinz Mauelshagen)
* SGI XFS on Linux
* BeOS filesystem
* QNX 4.x filesystem

TestDisk
Indispensable; it is multi-platform and currently supports:
* DOS
* Windows (NT4, 2000, XP, 2003),
* Linux,
* FreeBSD, NetBSD, OpenBSD,
* SunOS
* MacOS
It supports the following file systems:
* BeFS ( BeOS )
* BSD disklabel ( FreeBSD/OpenBSD/NetBSD )
* CramFS, Compressed File System
* DOS/Windows FAT12, FAT16 and FAT32
* HFS and HFS+, Hierarchical File System
* JFS, IBM's Journaled File System
* Linux Ext2 and Ext3
* Linux Raid
o RAID 1: mirroring
o RAID 4: striped array with parity device
o RAID 5: striped array with distributed parity information
o RAID 6: striped array with distributed dual redundancy information
* Linux Swap (versions 1 and 2)
* LVM and LVM2, Linux Logical Volume Manager
* Mac partition map
* Novell Storage Services NSS
* NTFS ( Windows NT/2K/XP/2003 )
* ReiserFS 3.5, 3.6 and 4
* Sun Solaris i386 disklabel
* Unix File System UFS and UFS2 (Sun/BSD/…)
* XFS, SGI's Journaled File System
Ideal for recovering partitions lost through misuse of fdisk, or for pen drives and flash memory that lost their partition because they were removed without being properly unmounted.
The TestDisk wiki has examples of how to use this tool to recover partitions:
http://www.cgsecurity.org/wiki/Ejemplos_de_recuperacion_de_datos

Sleuthkit + Autopsy Browser
When all of the above fails we have these two fairly complex tools, not suited to beginners. Sleuthkit is a set of tools for forensic analysis. It is only available for *nix environments (Linux, OS X, FreeBSD, OpenBSD and Solaris). Autopsy is an interface that makes Sleuthkit easier to use.
It supports the following partitions:
– FAT12 FAT16 FAT32
– Linux EXT2/EXT3
– Linux SWAP (version 1 and 2)
– NTFS (Windows NT/W2K/XP)
– BeFS (BeOS)
– UFS (BSD)
– Netware
– ReiserFS

Live distros:

RIP
The best; so far it has never let me down, and it includes most of the programs described above. If you need more information, check the full report I wrote about it.

SuperGRUB
Truly spectacular, tested successfully against a Windows 2000 image that simply stayed on a black screen when booting. It takes up less than 1 MB. The floppy or CD image can be downloaded.
The options are as follows:

GNU/Linux:

* Restore GRUB to the MBR automatically
* Restore LILO to the MBR (BETA)
* Boot Linux
* Activate the Linux partition

Windows:

* Fix the Windows boot
* Boot Windows
* Boot Windows from a second disk
* Boot Windows from a secondary partition

* Boot other operating systems such as GNU Hurd

* Activate partitions
* Hide partitions
* Unhide partitions

Trinity Rescue Kit
Everything needed to rescue data from damaged Windows systems: NTFS undelete, an antivirus that works with four major engines, and other tools.

System Rescue CD
Made up of:
* GParted, with more features than its commercial competitor Partition Magic. It deserves a separate write-up.
* GNU Parted, useful for editing partitions.
* Partimage, for cloning disks.
* Tools for different file systems (e2fsprogs, reiserfsprogs, reiser4progs, xfsprogs, jfsutils, ntfsprogs, dosfstools), which let us format, resize and debug any type of partition on the hard disk.
* Ntfs-3g: lets us mount an NTFS partition with full read/write access.
* Sfdisk, to back up or restore the partition table.
* TestDisk, already described above.

Ultimate Boot CD
Live CD with the most complete collection of disk managers, hard-disk diagnostic software, secure data destruction software (disk wiping), disk sector editors, partition editors, tools for handling NTFS partitions and much more.
Note: the CD contains several copyrighted tools that are not GPL.

As a final reflection: look after your information. Make backups. Every so often use smartmontools to run a diagnostic on the disk. Don't think it will never happen to you, because when it does you will regret it.

References:
Photorec (http://www.cgsecurity.org/wiki/PhotoRec)
dd_rescue (http://www.garloff.de/kurt/linux/ddrescue/)
Foremost (http://foremost.sourceforge.net/)
myrescue (http://www.garloff.de/kurt/linux/ddrescue/)
dd_rhelp (http://www.garloff.de/kurt/linux/ddrescue/)
ddrescue (http://www.gnu.org/software/ddrescue/)
recoverdm (http://www.vanheusen.com/recoverdm/)
Testdisk (http://www.cgsecurity.org/wiki/TestDisk)
gpart (http://www.stud.uni-hannover.de/user/76201/gpart/#help)
Sleuthkit (http://www.sleuthkit.org/)
RIP Linux (http://www.tux.org/pub/people/kent-robotti/looplinux/rip)
SuperGRUB (http://supergrub.forjamari.linex.org/)
Trinity Rescue Disk (http://trinityhome.org)
System Rescue CD (http://www.sysresccd.org)
Ultimate Boot CD (http://www.ultimatebootcd.com/)

THIS TEXT IS PUBLISHED UNDER THE CREATIVE COMMONS BY-NC-SA 2.5 AR LICENSE.

——————-

When files disappear, Magic Rescue saves the day

http://archive09.linux.com/feature/126525

Magic Rescue

The basic command is magicrescue -d directory -r recipe device or, to give an example, magicrescue -d /mnt/external -r /usr/share/magicrescue/recipes/zip /dev/sda1. You can enable searches for multiple formats by specifying a directory that holds all the recipes for those formats.

The man page suggests that you run the command hdparm -d1 -c -u1 /dev/device to enable direct memory access before running Magic Rescue. The command is not strictly necessary, but it can significantly reduce the time that the program takes to run. However, you may prefer to tweak performances by limiting the operation in other ways provided by the command parameters (see below).
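The header/footer method that Foremost uses, and that Magic Rescue drives with its recipes, is short enough to show in full. The following is an added example written for this page, not code from either project: a carver that scans a raw image for a few recipes, refuses to carve a header that has no footer within a size limit, and can optionally restrict hits to sector boundaries. The three recipes are real signatures; the sample image built by build_sample_image() is constructed.

```python
"""Header/footer file carving over a raw image, in the style of Foremost and Magic Rescue.

Added example, not code from either project. The sample image is constructed.
"""
import mmap
import os
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Recipe:
    kind: str
    header: bytes
    footer: bytes
    max_size: int   # give up on a header if no footer appears within this many bytes


RECIPES: Sequence[Recipe] = (
    Recipe("jpg", b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    Recipe("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
    Recipe("pdf", b"%PDF-", b"%%EOF", 32 * 1024 * 1024),
)


@dataclass(frozen=True)
class Carved:
    kind: str
    offset: int
    data: bytes


def carve(image, recipes: Sequence[Recipe] = RECIPES,
          aligned_only: bool = False, sector: int = 512) -> List[Carved]:
    """Scan `image` (bytes or an mmap) for every recipe and return the carved objects.

    A header with no footer inside max_size is skipped rather than carved blindly.
    aligned_only=True accepts only headers on sector boundaries: faster, fewer false
    hits inside other files, but data that was never sector-aligned is missed.
    """
    found: List[Carved] = []
    for r in recipes:
        pos = 0
        while True:
            start = image.find(r.header, pos)
            if start < 0:
                break
            if aligned_only and start % sector:
                pos = start + 1
                continue
            limit = min(len(image), start + r.max_size)
            end = image.find(r.footer, start + len(r.header), limit)
            if end < 0:
                pos = start + 1          # orphan header: keep scanning past it
                continue
            end += len(r.footer)
            found.append(Carved(r.kind, start, bytes(image[start:end])))
            pos = end                    # resume after the carved object
    return sorted(found, key=lambda c: c.offset)


def carve_file(path: str, out_dir: str, **kw) -> List[str]:
    """Carve a device or image file without reading it all into memory (mmap)."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for c in carve(mm, **kw):
            name = os.path.join(out_dir, f"{c.offset:012x}.{c.kind}")
            with open(name, "wb") as out:
                out.write(c.data)
            written.append(name)
    return written


# Constructed minimal JPEG and PNG: valid header, a little body, valid footer.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"          # 53 bytes
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")                                     # 45 bytes


def build_sample_image() -> bytes:
    """8 KiB of filler (0x00..0xff repeated, which contains none of the signatures above)
    with two JPEGs, one PNG and a PDF header that never gets its %%EOF."""
    img = bytearray(bytes(range(256)) * 32)
    img[1024:1024 + len(SAMPLE_JPEG)] = SAMPLE_JPEG   # sector aligned
    img[3072:3072 + len(SAMPLE_PNG)] = SAMPLE_PNG     # sector aligned
    img[4196:4196 + 9] = b"%PDF-1.4\n"                # truncated: no footer follows
    img[5000:5000 + len(SAMPLE_JPEG)] = SAMPLE_JPEG   # not sector aligned
    return bytes(img)


if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(f"{c.kind} at offset {c.offset} ({len(c.data)} bytes)")
```

carve_file() memory-maps the device or image so a multi-gigabyte disk is never read into RAM. The JPEG recipe also shows the method's main weakness: FF D9 terminates the EXIF thumbnail embedded in most camera JPEGs as well as the picture itself, so a footer-based carve may stop at the thumbnail, which is why serious carvers parse the format's structure instead of trusting the footer alone.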

—————–

Others:

extundelete: extundelete --restore-all /dev/partition_with_deleted_data

Run it against the unmounted partition (mount it read-only at most); it writes the recovered files to a RECOVERED_FILES directory under the current working directory, which must be on a different disk so that the recovery does not overwrite the very blocks it is trying to read.

Links of interest

Seagate
  • Seagate Knowledge Base http://seagate.custkb.com/seagate/crm/selfservice/search.jsp?DocId=207931
  • SeaTools | Seagate http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=SeaTools&vgnextoid=720bd20cacdec010VgnVCM100000dd04090aRCRD
  • Seagate drive firmware issues, your DNS-323 and smartmontools: http://www.horto.ca/?p=25
  • Download Firmware: http://support.seagate.com/firmware/firmnav_en.html
  • Seagate Knowledge Base, firmware: http://seagate.custkb.com/seagate/crm/selfservice/search.jsp?DocId=207951&NewLang=en

Pending ideas:

Security


Debugging POP/IMAP/SMTP With Telnet

POP3

$ telnet host.domain.com 110
Trying x.x.x.x …
Connected to host.domain.com (x.x.x.x).
Escape character is ‘^]’.
+OK POP3 host.domain.com v2003.83rh server ready
USER USERNAME
+OK User name accepted, password please
PASS PASSWORD
+OK Mailbox open, 48 messages
LIST
+OK Mailbox scan listing follows
1 3894
2 11761
3 5499
4 13448
5 10451
RETR 5

QUIT

IMAP

$ telnet x.x.x.x 143
Trying x.x.x.x…
Connected to host.domain.com.
Escape character is ‘^]’.
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] host.domain.com IMAP4rev1 2003.338rh at Mon, 12 Sep 2005 14:12:44 -0500 (CDT)
a LOGIN USERNAME PASSWORD
a OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User USERNAME authenticated
a EXAMINE INBOX
* 46 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1093716296] UID validity status
* OK [UIDNEXT 610] Predicted next UID
* FLAGS (NonJunk Junk $MDNSent NotJunk $NotJunk JunkRecorded $Junk $Label4 $Label1 $Label2 $Label3 $Label5 \Answered \Flagged \Deleted \Draft \Seen)
* OK [PERMANENTFLAGS ()] Permanent flags
* OK [UNSEEN 27] first unseen message in /var/spool/mail/xxxxxxx
a OK [READ-ONLY] EXAMINE completed
a FETCH 1 BODY[TEXT]

a LOGOUT
* BYE host.domain.com IMAP4rev1 server terminating connection
a OK LOGOUT completed
Connection closed by foreign host.

SMTP

$ telnet x.x.x.x 25
Trying x.x.x.x…
Connected to host.domain.com.
Escape character is ‘^]’.
220 host.domain.com ESMTP Sendmail 8.9.3+Sun/8.9.3; Mon, 12 Sept 2005 12:18:01-0500 (CDT)
HELO me@localhost
250 host.domain.com Hello me [x.x.x.x], pleased to meet you
MAIL FROM:<me@domain>
250 <me@domain>... Sender ok
RCPT TO:<you@domain>
250 <you@domain>... Recipient ok
DATA
354 Enter mail, end with “.” on a line by itself
Hi You!
.

250 QAA00316 Message accepted for delivery
QUIT
221 host.domain.com closing connection
Connection closed by foreign host.

Debugging authentication problems

A common problem after installing the Courier authentication library is that authentication, using authtest, doesn’t work. This document shows how to use courier’s debugging features to pinpoint the problem.

1. Turn on debugging

For courier-imap, you need to set one of the following values in /usr/local/etc/authdaemonrc:

DEBUG_LOGIN=1    # turn on authentication debugging
DEBUG_LOGIN=2    # turn on authentication debugging AND show passwords

This setting is located at the very end of the configuration file. Set it back to 0 and restart authdaemond once you are done, because with DEBUG_LOGIN=2 users' passwords are written to syslog in clear text.

After changing this setting, restart the authentication daemon by running the “authdaemond stop” and “authdaemond start” commands.

At this point, all debugging output goes to syslog at level ‘debug’, which is normally not shown. You will probably need to change your /etc/syslog.conf file to be able to see these messages. If you have an existing entry which says “mail.info” (which means facility ‘mail’, level ‘info’ or higher) then you can just change this to “mail.debug”. Alternatively you can add a new entry like this:

*.debug                        /var/log/debug

Don’t forget to create this file, and to send a HUP signal to syslogd to make it re-read its configuration:

# touch /var/log/debug
# killall -1 syslogd

If you don’t want to mess around with your syslog configuration, you can also start authdaemond manually, and log its output to a file:

/usr/local/libexec/courier-authlib/authdaemond >filename 2>&1

2. Issue a manual login

You can use the authtest command to verify authentication, or go ahead and install Courier-IMAP.

For courier-imap, you will get much better information by not using a mail client and manually logging in using ‘telnet’. The transcript of this telnet session may give useful information as to what is going on. If you are going to report a problem to the mailing list, you should certainly include this transcript as well as the corresponding debugging output.

-- to debug POP3 --
# telnet x.x.x.x 110
user USERNAME
pass PASSWORD
stat
quit

-- to debug IMAP --
# telnet x.x.x.x 143
a login USERNAME PASSWORD
a examine inbox
a logout

-- to debug POP3 over SSL --
# openssl s_client -connect x.x.x.x:995
(then use same commands as POP3 example)

-- to debug IMAP over SSL --
# openssl s_client -connect x.x.x.x:993
(then use same commands as IMAP example)

This isn’t an option for sqwebmail of course – just login through the web interface and check the authentication debug log which is generated.

3. Interpret the debug output

First, a brief explanation of courier’s authentication system. There are a number of standalone authentication modules. An authentication module exists for every authentication method. Each authentication module is installed as a shared library. When authdaemond starts, it attempts to load and initialize the authentication modules, logging the following messages to syslog:

Oct 17 11:25:37 commodore authdaemond: modules="authuserdb authpam authpgsql authldap authmysql authcustom", daemons=5
Oct 17 11:25:37 commodore authdaemond: Installing libauthuserdb
Oct 17 11:25:37 commodore authdaemond: Installation complete: authuserdb
Oct 17 11:25:37 commodore authdaemond: Installing libauthpam
Oct 17 11:25:37 commodore authdaemond: Installation complete: authpam
Oct 17 11:25:37 commodore authdaemond: Installing libauthpgsql
Oct 17 11:25:37 commodore authdaemond: libauthpgsql.so: cannot open shared object file: No such file or directory
Oct 17 11:25:37 commodore authdaemond: Installing libauthldap
Oct 17 11:25:37 commodore authdaemond: libauthldap.so: cannot open shared object file: No such file or directory
Oct 17 11:25:37 commodore authdaemond: Installing libauthmysql
Oct 17 11:25:37 commodore authdaemond: libauthmysql.so: cannot open shared object file: No such file or directory
Oct 17 11:25:37 commodore authdaemond: Installing libauthcustom
Oct 17 11:25:37 commodore authdaemond: Installation complete: authcustom

The first message lists all authentication modules that were compiled, and indicates that authdaemond will spawn five processes to handle all authentication requests. This is followed by messages that indicate which authentication modules were installed.

In this example, authdaemond did not load the authpgsql, authldap, and authmysql modules. That’s because in this case the Courier authentication library is installed by the system’s package manager. The LDAP, MySQL, and PostgreSQL support was placed into optional sub-packages which are not installed. Even though all of these modules were initially compiled, the optional authentication modules were not installed.

This is normal. authdaemond will simply ignore any authentication module it cannot find, and will activate only those modules that are available. When an authentication request comes in, all of the modules will be executed, one after the other, resulting in one of three conditions:

ACCEPT
The user was authenticated successfully
REJECT
The module did not know this username, or the user gave invalid credentials. The request is passed to the next module.
TEMPFAIL
The module suffered an internal failure, such as inability to contact an external database. The login is rejected, and no further modules are tried.

In a typical Courier installation the authentication request is sent, via a filesystem socket, to a pool of authdaemond processes (note the extra “d” on the end) which perform the actual work. authdaemond, in turn, contains other authentication modules such as authpam, authmysql, and so on.

If authdaemond is running successfully, then it will in turn run each of the modules it is linked against. If any one returns REJECT then the next is tried; if any returns TEMPFAIL or ACCEPT then no further modules are tried.

So a typical example might look like this:

Apr 14 14:07:15 billdog authdaemond: received auth request, service=pop3, authtype=login
Apr 14 14:07:15 billdog authdaemond: authcustom: trying this module
Apr 14 14:07:15 billdog authdaemond: authcustom: nothing implemented in do_auth_custom()
Apr 14 14:07:15 billdog authdaemond: authcustom: REJECT - try next module
Apr 14 14:07:15 billdog authdaemond: authcram: trying this module
Apr 14 14:07:15 billdog authdaemond: cram: only supports authtype=cram-*
Apr 14 14:07:15 billdog authdaemond: authcram: REJECT - try next module
Apr 14 14:07:15 billdog authdaemond: authuserdb: trying this module
Apr 14 14:07:15 billdog authdaemond: userdb: opened /etc/userdb.dat
Apr 14 14:07:15 billdog authdaemond: userdb: looking up 'brian'
Apr 14 14:07:15 billdog authdaemond: userdb: entry not found
Apr 14 14:07:15 billdog authdaemond: authuserdb: REJECT - try next module
Apr 14 14:07:15 billdog authdaemond: authpam: trying this module
Apr 14 14:07:15 billdog authdaemond: authpam: sysusername=brian, sysuserid=<null>, sysgroupid=1001, homedir=/home/brian, address=brian, fullname=Brian Candler, maildir=<null>, quota=<null>, options=<null>
Apr 14 14:07:15 billdog authdaemond: pam_service=pop3, pam_username=brian
Apr 14 14:07:15 billdog authdaemond: dopam successful
Apr 14 14:07:15 billdog authdaemond: authpam: ACCEPT, username brian

What’s happening here?

  • The request was received by ‘authdaemond’
  • It tries ‘authcustom’ – this module does nothing unless you have customised it yourself, so it REJECTs the request
  • It tried ‘authcram’, but since this was a request with authtype=login (rather than authtype=cram-md5, say), this module cannot handle it so it REJECTs
  • ‘authuserdb’ has a go. In this case there is an /etc/userdb.dat file for it to look in, but the requested username ‘brian’ does not exist in there, so it REJECTs
  • ‘authpam’ has a go. It finds the username and home directory in /etc/passwd, and then calls the PAM subsystem to authenticate. The authentication is successful.

So, in principle, debugging is straightforward. Watch the modules operate, search for the one which you think should be authenticating the user, and if it is not, check for REJECT (user not known or password mismatch) or TEMPFAIL (internal error) status. Additional messages should indicate why this status was returned.
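As an added example that is not part of the Courier documentation, the following script automates the reading just described: it groups authdaemond debug lines by request and reports which module produced the deciding ACCEPT or TEMPFAIL, or that every module REJECTed. The sample input is the transcript quoted above plus two constructed requests; the exact wording of the constructed TEMPFAIL line is an assumption, and only its "<module>: TEMPFAIL" part is relied upon.

```python
"""Summarise authdaemond DEBUG_LOGIN output per authentication request.

Added example, not Courier code. SAMPLE_LOG holds the transcript quoted above plus
two constructed requests; the wording of the TEMPFAIL line is assumed.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

REQUEST_RE = re.compile(r"authdaemond: received auth request, service=(\w+), authtype=([\w-]+)")
VERDICT_RE = re.compile(r"authdaemond: (\w+): (ACCEPT|REJECT|TEMPFAIL)\b")
USER_RE = re.compile(r"ACCEPT, username (\S+)")


@dataclass
class AuthRequest:
    service: str
    authtype: str
    verdicts: List[Tuple[str, str]] = field(default_factory=list)   # (module, verdict) in order
    username: Optional[str] = None

    def decided_by(self) -> Tuple[str, str]:
        """(verdict, module) that ended the chain: the first ACCEPT or TEMPFAIL stops it,
        otherwise every module REJECTed."""
        for module, verdict in self.verdicts:
            if verdict in ("ACCEPT", "TEMPFAIL"):
                return verdict, module
        if self.verdicts:
            return "REJECT", "all modules"
        return "UNKNOWN", "no module logged a verdict"

    def summary(self) -> str:
        verdict, module = self.decided_by()
        who = f" for {self.username}" if self.username else ""
        tried = " -> ".join(m for m, _ in self.verdicts)
        return f"{self.service}/{self.authtype}{who}: {verdict} ({module}); tried: {tried}"


def parse_authdaemond(lines: Iterable[str]) -> List[AuthRequest]:
    """Group verdict lines under the 'received auth request' line that precedes them.

    Assumes requests are logged one at a time. With daemons=5 several authdaemond
    processes may interleave lines on a busy server; test with a single manual login
    (or filter on one pid) before trusting the grouping.
    """
    requests: List[AuthRequest] = []
    current: Optional[AuthRequest] = None
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            current = AuthRequest(m.group(1), m.group(2))
            requests.append(current)
            continue
        if current is None:
            continue
        m = VERDICT_RE.search(line)
        if m:
            current.verdicts.append((m.group(1), m.group(2)))
            u = USER_RE.search(line)
            if u:
                current.username = u.group(1)
    return requests


SAMPLE_LOG = [
    # the transcript quoted above
    "Apr 14 14:07:15 billdog authdaemond: received auth request, service=pop3, authtype=login",
    "Apr 14 14:07:15 billdog authdaemond: authcustom: trying this module",
    "Apr 14 14:07:15 billdog authdaemond: authcustom: nothing implemented in do_auth_custom()",
    "Apr 14 14:07:15 billdog authdaemond: authcustom: REJECT - try next module",
    "Apr 14 14:07:15 billdog authdaemond: authcram: trying this module",
    "Apr 14 14:07:15 billdog authdaemond: cram: only supports authtype=cram-*",
    "Apr 14 14:07:15 billdog authdaemond: authcram: REJECT - try next module",
    "Apr 14 14:07:15 billdog authdaemond: authuserdb: trying this module",
    "Apr 14 14:07:15 billdog authdaemond: userdb: opened /etc/userdb.dat",
    "Apr 14 14:07:15 billdog authdaemond: userdb: looking up 'brian'",
    "Apr 14 14:07:15 billdog authdaemond: userdb: entry not found",
    "Apr 14 14:07:15 billdog authdaemond: authuserdb: REJECT - try next module",
    "Apr 14 14:07:15 billdog authdaemond: authpam: trying this module",
    "Apr 14 14:07:15 billdog authdaemond: pam_service=pop3, pam_username=brian",
    "Apr 14 14:07:15 billdog authdaemond: dopam successful",
    "Apr 14 14:07:15 billdog authdaemond: authpam: ACCEPT, username brian",
    # constructed: a database module failing (TEMPFAIL wording assumed)
    "Apr 14 14:09:02 billdog authdaemond: received auth request, service=imap, authtype=login",
    "Apr 14 14:09:02 billdog authdaemond: authcustom: REJECT - try next module",
    "Apr 14 14:09:02 billdog authdaemond: authmysql: trying this module",
    "Apr 14 14:09:02 billdog authdaemond: authmysql: TEMPFAIL - no further modules will be tried",
    # constructed: unknown user, every module rejects
    "Apr 14 14:10:30 billdog authdaemond: received auth request, service=pop3, authtype=login",
    "Apr 14 14:10:30 billdog authdaemond: authcustom: REJECT - try next module",
    "Apr 14 14:10:30 billdog authdaemond: authuserdb: REJECT - try next module",
    "Apr 14 14:10:30 billdog authdaemond: authpam: REJECT - try next module",
]

if __name__ == "__main__":
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for req in parse_authdaemond(source):
        print(req.summary())
```

With real logs, pipe them in: `grep authdaemond /var/log/mail.log | python3 authsummary.py`. A TEMPFAIL is the line to look at first, since it aborts the chain before modules that might have accepted the user get a chance, exactly the case the text describes for an unreachable database.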

4. Read the documentation

Most of the configuration files like authldaprc, authmysql are well documented with comments.

For the nitty-gritty details of authentication modules, see man authlib. There is probably a copy of this manpage installed on your system; if that command doesn’t work, try one of these:

# man -M /usr/local/man authlib
or
# cd /path/to/sources
# cd authlib
# nroff -mandoc authlib.7.in | less

If you are using userdb authentication, you definitely need to read man makeuserdb, man userdb, and man userdbpw.

5. Use the mailing list

Please read through the common problems and solutions at the bottom of this document. The next thing to do, of course, is search the web to see if your particular problem has been seen before and solved. Google is very good for this.

If you still cannot work out what the problem is, then you can ask on the appropriate mailing list. But before you post, please gather together all the following information:

  • The operating system and version you are running
  • The versions of packages you have installed
  • The ./configure command line you gave to build it
  • If you didn’t build it yourself, where you got the package from (and if possible, find out from the packager what options they used to build it)
  • The versions of any other relevant software which you are linking against, e.g. openldap, mysql, pgsql
  • The transcript of the ‘telnet’ session you used to manually test server connections
  • The corresponding debug output which was generated for that session
  • The contents of relevant configuration files, e.g. authldaprc, authmysqlrc, imapd, pop3d
  • A copy of the database entry you are trying to authenticate against: e.g. the line from your userdb file, an LDAP entry, a row from your mysql table, the line in /etc/passwd, etc.

If you include all this, you are much more likely to get a helpful response.


Frequently seen authentication problems and solutions

See also the Courier MTA FAQ

When I try to login with POP3 using telnet, the server disconnects immediately after the “PASS” command, without giving a -ERR response

The reason for this error will probably be found in your mail logs. Usually it indicates either that the home directory does not exist (chdir failed), or the Maildir has not been created. See ‘man maildirmake’.

PAM authentication says “pam_start failed, result 4 [Hint: bad PAM configuration?]”

Probably your PAM configuration is bad. If you have /etc/pam.d/other, then try simply removing /etc/pam.d/pop3 and /etc/pam.d/imap and see if it works (this is sufficient for FreeBSD). Otherwise, try copying one of your existing /etc/pam.d/xxx files to /etc/pam.d/pop3, imap or webmail respectively.
The result value is a PAM_XXXX constant from /usr/include/security/pam_constants.h (this file may be in a different location on your system). Under FreeBSD, 4 is PAM_SYSTEM_ERR.

When I connect on the SSL ports (995 or 993), the server accepts the connection but then immediately disconnects

You probably didn’t install any SSL certificates. Courier-imap comes with scripts you can run to do this for you:

# /usr/local/sbin/mkimapdcert
# /usr/local/sbin/mkpop3dcert

I expected the authentication library to compile authmysql (or some other module), but it’s not there

If the mysql authentication module did not compile, then perhaps ./configure was unable to find your mysql libraries (you can read through the file ‘config.log’ in the source directory to see what it found). You may need to force it to look in the right place, as follows:

# ./configure --with-authmysql --with-mysql-libs=/usr/local/mysql/lib  \
              --with-mysql-includes=/usr/local/mysql/include

On some systems (e.g. FreeBSD), the mysqlclient library depends on the math and compression libraries. For these systems, try:

# LDFLAGS="-lm -lz" ./configure --with-authmysql ... same as before

The POP3/IMAP server says “Temporary problem, please try again later” when a bad password is entered

authdaemond tries each of the configured authentication modules in turn, until either one accepts the login, or they have all rejected it (in which case the usual “Login failed” error is returned, and the user can try again).

However, if one of these modules is unable to run because some resource is not available, then it gives a “temporary failure” response and no further modules are tried. You should find the exact cause in your mail logs, but typically it means that you have a module like ‘authmysql’ in your module list, but the mysql database is not running.

So unless you actually do have account data in mysql (in which case you need to fix your mysql setup), you should remove ‘authmysql’ and any other modules you do not use from authmodulelist in authdaemonrc.
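The module-chain behaviour described in the last three paragraphs, as a small simulation added here for illustration (it is not Courier code): the account stores, the module list and the unreachable database are all constructed for the example. It shows why an unused ‘authmysql’ whose database is down turns a perfectly valid PAM login into “Temporary problem” instead of letting ‘authpam’ have its go.

```python
"""Simulation of how authdaemond walks authmodulelist (an added illustration
for this page, not Courier code). Each module answers ACCEPT, REJECT or
TEMPFAIL; the chain stops at the first ACCEPT (login ok) or the first TEMPFAIL
("Temporary problem, please try again later"), while REJECT ("not my user" or
"wrong password") hands over to the next module in the list."""
from typing import Callable, List, Tuple

ACCEPT, REJECT, TEMPFAIL = "ACCEPT", "REJECT", "TEMPFAIL"

# Constructed account stores standing in for /etc/userdb.dat and for
# /etc/passwd plus PAM. Real modules verify hashed passwords; this is a toy.
USERDB_ACCOUNTS = {"alice": "wonderland"}
PAM_ACCOUNTS = {"brian": "secret"}

def authuserdb(user: str, password: str) -> str:
    if user not in USERDB_ACCOUNTS:
        return REJECT                      # username not in userdb.dat
    return ACCEPT if USERDB_ACCOUNTS[user] == password else REJECT

def authpam(user: str, password: str) -> str:
    if user not in PAM_ACCOUNTS:
        return REJECT                      # not in /etc/passwd
    return ACCEPT if PAM_ACCOUNTS[user] == password else REJECT

def make_authmysql(db_running: bool) -> Callable[[str, str], str]:
    """authmysql with an optionally unreachable database. This example keeps
    no accounts in MySQL, so a running database always answers REJECT."""
    def authmysql(user: str, password: str) -> str:
        if not db_running:
            return TEMPFAIL                # cannot connect: internal error
        return REJECT
    return authmysql

Module = Tuple[str, Callable[[str, str], str]]

def authdaemond(modules: List[Module], user: str, password: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the final status plus the per-module trace, in the order the
    debug output in the mail log would show it."""
    trace = []
    for name, module in modules:
        status = module(user, password)
        trace.append((name, status))
        if status in (ACCEPT, TEMPFAIL):   # both stop the chain
            return status, trace
    return REJECT, trace                   # everybody rejected: "Login failed"

# authmodulelist with an unused authmysql whose database is not running ...
BROKEN_LIST = [("authuserdb", authuserdb),
               ("authmysql", make_authmysql(db_running=False)),
               ("authpam", authpam)]
# ... and the same list after removing the module that is not needed.
FIXED_LIST = [("authuserdb", authuserdb), ("authpam", authpam)]

if __name__ == "__main__":
    for label, modules in (("broken", BROKEN_LIST), ("fixed", FIXED_LIST)):
        status, trace = authdaemond(modules, "brian", "secret")
        print(label, status, trace)
```

Run it and compare the two traces: with the dead ‘authmysql’ in the list, ‘brian’ never reaches ‘authpam’ at all, which is exactly the situation the mail log will show you.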


Authenticated SMTP

http://workaround.org/ispmail/lenny/authenticated-smtp

It is important that you understand what “relaying” is and why “open relays” are a big problem on the internet. Usually Postfix accepts an email only if one of these criteria match:

  • the recipient’s email address belongs to a user on your mail server
  • the sender is sending the email from within the local network (defined by Postfix’s “mynetworks” setting)
  • the sender is authenticated (SMTP supports authenticating with a username and password)

For security reasons the following must not be allowed:

Otherwise a spammer could abuse your system to send millions of spam emails. This would waste your bandwidth, annoy many people and get your server blacklisted quickly. Such a relay that is not checking which emails to accept is called an “open relay”. Fortunately Postfix makes it hard to become an open relay. Setting the smtpd_recipient_restrictions right (as described below) is very important.

Generally you can define the networks that are allowed to relay through your mail server by setting the mynetworks parameter in your main.cf. Usually you set it to your local network so local users do not need to authenticate:

$> postconf -e mynetworks=192.168.50.0/24

But one case of relaying from outside of your network is important in real-life. Imagine you have a user who is currently not connected to your local network but wants to send out an email to the internet through your mail server. According to the above rules the user would not be able to do that because neither are they on your network nor are they sending an email to one of your domains. You need to find a way to make your remote user be trusted by your mail server. The users will need to send their username and password so you know relaying should be permitted. This is what authenticated SMTP is about. And all decent email clients have that feature built in.

Authenticated SMTP with Postfix has always been a pain. It was done through the SASL (Simple Authentication and Security Layer) library that was part of the Cyrus mail server. It was nearly impossible to debug and threw error messages that were gibberish and misleading. Fortunately starting with Postfix 2.3 we can make Postfix ask the Dovecot server to verify the username and password. And since you already configured Dovecot this is really easy now. Postfix just needs some extra configuration:

$> postconf -e smtpd_sasl_type=dovecot
$> postconf -e smtpd_sasl_path=private/auth
$> postconf -e smtpd_sasl_auth_enable=yes
$> postconf -e smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

smtpd_sasl_auth_enable enables SMTP authentication altogether. And the smtpd_recipient_restrictions define rules that are checked after the remote user sends the RCPT TO: line during the SMTP dialog. In this case relaying is allowed if:

  • permit_mynetworks: the user is in the local network (mynetworks) or
  • permit_sasl_authenticated: if the user is authenticated or
  • reject_unauth_destination: otherwise the mail is accepted only if it is destined to a user of a domain that is a local or virtual domain on this system (mydestination, virtual_alias_domains or virtual_mailbox_domains); any other destination is rejected.

There are further restrictions (smtpd_client_restrictions, smtpd_helo_restrictions, smtpd_sender_restrictions) that get checked during the different states of the SMTP dialog (IP connection, HELO/EHLO command, MAIL FROM command) but for now you should put all restrictions into the smtpd_recipient_restrictions.
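To see how the three restrictions above interact, here is a small model of the way Postfix walks such a list, written for this page (it is not Postfix code; the networks, domains and client addresses are constructed). It goes a little beyond the text by also showing the list with reject_unauth_destination left out, which is the open-relay configuration the warning above is about.

```python
"""Walk an smtpd_recipient_restrictions list the way Postfix does (an added
illustration for this page, not Postfix code). Every restriction answers
PERMIT, REJECT or DUNNO ("no opinion"); the list is evaluated left to right
and the first PERMIT or REJECT decides. When the list is exhausted the default
action is permit, which is why a list without reject_unauth_destination makes
the server an open relay."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed stand-ins for main.cf values; mynetworks is the value the guide sets.
MYNETWORKS = [ipaddress.ip_network("192.168.50.0/24")]
LOCAL_DOMAINS = {"example.com", "example.org"}   # mydestination + virtual domains

@dataclass
class Session:
    client_ip: str
    sasl_username: Optional[str]   # None when the client did not authenticate
    recipient: str                 # address given in RCPT TO:

def permit_mynetworks(s: Session) -> str:
    ip = ipaddress.ip_address(s.client_ip)
    return PERMIT if any(ip in net for net in MYNETWORKS) else DUNNO

def permit_sasl_authenticated(s: Session) -> str:
    return PERMIT if s.sasl_username else DUNNO

def reject_unauth_destination(s: Session) -> str:
    domain = s.recipient.rpartition("@")[2].lower()
    return DUNNO if domain in LOCAL_DOMAINS else REJECT

RESTRICTIONS = {
    "permit_mynetworks": permit_mynetworks,
    "permit_sasl_authenticated": permit_sasl_authenticated,
    "reject_unauth_destination": reject_unauth_destination,
}

def evaluate(restriction_list: List[str], s: Session) -> Tuple[str, str]:
    """Return (verdict, name of the restriction that decided)."""
    for name in restriction_list:
        verdict = RESTRICTIONS[name](s)
        if verdict != DUNNO:
            return verdict, name
    return PERMIT, "end-of-list default"

def is_open_relay(restriction_list: List[str]) -> bool:
    """An unauthenticated outside client asking to relay to a foreign domain:
    the case a relay test probes for. Constructed probe addresses."""
    probe = Session("203.0.113.7", None, "someone@remote.test")
    return evaluate(restriction_list, probe)[0] == PERMIT

GUIDE_SETTING = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
OPEN_RELAY = ["permit_mynetworks", "permit_sasl_authenticated"]   # reject is missing

if __name__ == "__main__":
    for label, rules in (("guide", GUIDE_SETTING), ("broken", OPEN_RELAY)):
        print(label, "OPEN RELAY" if is_open_relay(rules) else "relaying restricted")
```

Note the order matters too: the permits come first so that LAN clients and authenticated users are let through before the reject is reached, and the reject comes last so that anything not explicitly permitted can only be delivered to your own domains.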

Try to authenticate during an SMTP session:

$> telnet localhost smtp

The server will let you in:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailtest ESMTP Postfix (Debian/GNU)

Say hello:

ehlo example.com

Postfix will present a list of features that are available during the SMTP dialog:

250-mailtest
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Send the authentication string with a Base64-encoded password:

auth plain am9obkBleGFtcGxlLmNvbQBqb2huQGV4YW1wbGUuY29tAHN1bW1lcnN1bg==

The server should accept that authentication:

235 2.0.0 Authentication successful

Disconnect from Postfix:

quit

Goodbye:

221 2.0.0 Bye

Authentication works. Well done.

Note

If you have set John’s password to something other than ‘summersun’ you need to Base64-encode it yourself. The three fields (authorization identity, login name, password) are separated by NUL bytes, which Perl writes as \0. Use:

$> perl -MMIME::Base64 -e \
'print encode_base64("john\@example.com\0john\@example.com\0password")'
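The same encoding in Python, added here as a worked example (not part of the guide), covering both the “auth plain” line used in the telnet session and the hand-encoding note above. It builds the token from its three NUL-separated fields and also decodes one, so you can check a token you built by hand actually contains the separators; the user name and password are the guide’s example values.

```python
"""Build and check the SASL PLAIN token (RFC 4616) that the "auth plain" line
carries. Added example for this page, not part of the guide."""
import base64
from typing import Optional, Tuple

def sasl_plain(username: str, password: str, authzid: Optional[str] = None) -> str:
    """Return base64(authzid NUL authcid NUL password). The guide repeats the
    login name as the authorization identity, so that is the default here."""
    if authzid is None:
        authzid = username
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot occur inside a field")
    raw = "\0".join((authzid, username, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def parse_sasl_plain(token: str) -> Tuple[str, str, str]:
    """Split a token back into (authzid, authcid, password). A token without
    the two NUL separators (the usual hand-encoding mistake) is refused."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password

if __name__ == "__main__":
    token = sasl_plain("john@example.com", "summersun")   # the guide's example credentials
    print("auth plain", token)
    print(parse_sasl_plain(token))
```

Remember that Base64 is an encoding, not encryption: anyone who can read the SMTP session can decode the password, which is why the guide later insists on offering AUTH only over TLS.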

Now you can test sending email with authentication enabled. To make even your local network untrusted temporarily you can set:

$> postconf -e mynetworks=
$> postfix reload

Restart Postfix (/etc/init.d/postfix restart). Fire up your mail program and watch your mail.log (tail -f /var/log/mail.log) while you send an email to a domain on the internet. I recommend you send a test email to devnull@workaround.org which is an email address that will just discard your email. If everything worked well your logfile will show:

postfix/smtpd[4032]: 1234567890: client=..., sasl_method=PLAIN, sasl_username=john@example.com
postfix/cleanup[4040]: 2EAE8379CB: message-id=<...>
postfix/qmgr[3963]: 1234567890: from=<john@example.com>, size=830, nrcpt=1 (queue active)
postfix/smtpd[4032]: disconnect from ...
postfix/smtp[4041]: 1234567890: to=<devnull@workaround.org>,
    relay=torf.workaround.org[212.12.58.129]:25, delay=6,
    delays=0.09/0.08/5.6/0.23, dsn=2.0.0, status=sent
    (250 OK id=1HsPC3-0008UJ-O5)
postfix/qmgr[3963]: 2EAE8379CB: removed

Otherwise in case of an error your logfile might look like:

postfix/smtpd[4032]: connect from ...[10.20.30.40]
postfix/smtpd[4032]: warning: ...[10.20.30.40]: SASL PLAIN authentication failed:
postfix/smtpd[4032]: lost connection after AUTH from ...[10.20.30.40]
postfix/smtpd[4032]: disconnect from ...[10.20.30.40]
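Those two log shapes (the smtpd “client=…, sasl_username=…” line for a successful login and the “SASL PLAIN authentication failed” warning for a failed one) are what you want to watch for after going live. Here is a small parser for them, added as an example for this page (not part of the guide); the log excerpt is constructed and the thresholds are arbitrary. It counts failures per client address so that a burst of bad passwords from one host stands out from an ordinary typo.

```python
"""Pick the SMTP AUTH outcomes out of mail.log lines of the shape shown above
(added example for this page; the sample log is constructed). Successful
logins appear on the smtpd "client=" line with sasl_username=...; failed
ones as a "warning: host[ip]: SASL <mech> authentication failed" line."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample excerpt: one legitimate login from the LAN, a burst of
# failures from one outside address, and a single failure from a laptop.
SAMPLE_LOG = """\
Mar  1 10:00:01 mailtest postfix/smtpd[4032]: connect from pc.example.com[192.168.50.10]
Mar  1 10:00:02 mailtest postfix/smtpd[4032]: 1234567890: client=pc.example.com[192.168.50.10], sasl_method=PLAIN, sasl_username=john@example.com
Mar  1 10:00:02 mailtest postfix/cleanup[4040]: 2EAE8379CB: message-id=<test@example.com>
Mar  1 10:00:03 mailtest postfix/smtpd[4032]: disconnect from pc.example.com[192.168.50.10]
Mar  1 10:05:10 mailtest postfix/smtpd[4051]: connect from unknown[198.51.100.23]
Mar  1 10:05:11 mailtest postfix/smtpd[4051]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Mar  1 10:05:12 mailtest postfix/smtpd[4051]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:05:13 mailtest postfix/smtpd[4051]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Mar  1 10:05:14 mailtest postfix/smtpd[4051]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Mar  1 10:05:15 mailtest postfix/smtpd[4051]: lost connection after AUTH from unknown[198.51.100.23]
Mar  1 10:07:00 mailtest postfix/smtpd[4060]: warning: laptop.example.net[10.20.30.40]: SASL PLAIN authentication failed:
Mar  1 10:07:01 mailtest postfix/smtpd[4060]: lost connection after AUTH from laptop.example.net[10.20.30.40]
"""

FAILED = re.compile(r"postfix/smtpd\[\d+\]: warning: [^\s\[]+\[(?P<ip>[0-9.]+)\]: "
                    r"SASL (?P<mech>\w+) authentication failed")
SUCCESS = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=[^\s\[]+\[(?P<ip>[0-9.]+)\], "
                     r"sasl_method=(?P<mech>\w+), sasl_username=(?P<user>\S+)")

def summarize(log_text: str) -> Dict[str, object]:
    """Return failures per client IP and the (ip, username) of each success."""
    failures: Counter = Counter()
    successes: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = SUCCESS.search(line)
        if m:
            successes.append((m["ip"], m["user"]))
    return {"failures": dict(failures), "successes": successes}

def flag_bruteforce(summary: Dict[str, object], threshold: int = 3) -> List[str]:
    """Client addresses with at least `threshold` failed AUTH attempts."""
    return sorted(ip for ip, n in summary["failures"].items() if n >= threshold)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("successful logins:", s["successes"])
    print("failures per IP:  ", s["failures"])
    print("worth a look:     ", flag_bruteforce(s))
```

On a real server you would feed it `tail -f /var/log/mail.log` output instead of the constructed excerpt; the regular expressions only look at the part after the syslog prefix, so the date and hostname format does not matter.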

Don’t forget to set mynetworks back to your network definition:

$> postconf -e mynetworks=192.168.50.0/24
$> postfix reload

Your email program may have warned you that the mail server uses an untrusted SSL certificate. When you installed Postfix Debian created a self-signed SSL certificate for you automatically. The default certificate is sufficient for testing but just like you did for Dovecot you can create a custom SSL certificate. The default certificate is stored at /etc/ssl/certs/ssl-cert-snakeoil.pem and the default private key is stored at /etc/ssl/private/ssl-cert-snakeoil.key. This will create a new certificate/key pair:

$> openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/postfix.pem \
   -keyout /etc/ssl/private/postfix.pem

Same procedure as above when you created a certificate for Dovecot. Just remember to set the “Common Name” to the fully-qualified hostname. You could as well use the same certificate you created for Dovecot if the server name is the same. In that case just use the files /etc/ssl/certs/dovecot.pem and /etc/ssl/private/dovecot.pem below.

Do not forget to set the permissions on the private key so that no unauthorized people can read it:

$> chmod o= /etc/ssl/private/postfix.pem

You will have to tell Postfix where to find your certificate and private key:

$> postconf -e smtpd_tls_cert_file=/etc/ssl/certs/postfix.pem
$> postconf -e smtpd_tls_key_file=/etc/ssl/private/postfix.pem

When you relay through Postfix again you should not get that certificate warning any longer.

By default Postfix will allow that the login data for SMTP authentication is sent in plain text. You better only allow encrypted transmission of the credentials by setting these parameters:

$> postconf -e smtpd_use_tls=yes
$> postconf -e smtpd_tls_auth_only=yes

What these parameters do is offer (but not require) encryption for SASL authentication to be used so that if you’re using the PLAIN or LOGIN SASL methods your passwords aren’t transmitted in the clear. When the client initially connects to the server, the AUTH command isn’t offered by the server. If the client issues the STARTTLS command and successfully negotiates the TLS connection, the client sends the EHLO command a second time and this time the server offers the AUTH command. This won’t require any kind of encryption from clients who don’t need to authenticate (i.e. servers that connect to send mail to the domains our server is a final destination for, as opposed to our end users attempting to relay mail through it to external domains).

If you truly do want to forbid unencrypted SMTP connections (I do this on ports 587 and 465), you’d want to use either “smtpd_tls_security_level = encrypt” (for STARTTLS, generally on port 587) or “smtpd_tls_wrappermode = yes” (for SSL encryption from the initial connection on, generally on port 465). You could also set “smtpd_tls_security_level = may” so that TLS encryption is offered but it’s not mandatory (so-called opportunistic TLS).

Once you are done you should test if your mail server is safely configured to prevent illegal relaying attempts. On a root shell enter:

$> telnet relay-test.mail-abuse.org

This contacts a very convenient service on the internet which tries to relay emails through your mail server. Give it a moment while it checks your server. If at the end you see something like “System appeared to reject relay attempts” then you are fine.