“Bring back deleted files with lsof”

OS 2 Comments

I haven’t had time to post for over a month, but I’m back. The other day I found this article (http://www.linux.com/articles/58142) about bringing back deleted files using lsof. At first it did not make a lot of sense, since this only works while some process still has the file open. How likely are you to still have the files you just deleted by mistake open?

Well, not very likely. BUT… if you own a shared hosting company (or if you are the system administrator of one), you know that someone will often have poor code along with allow_url_fopen turned on, and in no time you will have hackers injecting and running scripts on your server.

Usually you are able to find the running process and kill it. But if you look at its file descriptors first, you may find the script that was deleted right after it was run: the inode is not freed until the last descriptor closes, so the content is still there.

Here is an example similar to the one in the article:

Create a file, open it, press Ctrl + Z to suspend less, then delete the file:

[root@tiger proctest]# echo "Hello Linuxzone" >crazyfile
[root@tiger proctest]# less crazyfile
Hello Linuxzone

[1]+ Stopped less crazyfile

[root@tiger proctest]# rm crazyfile
rm: remove regular file `crazyfile'? y

Run lsof and grep for the filename or the command that was run. Alternatively, you can find the PID of the running process on the compromised box.

[root@tiger proctest]# lsof crazyfile
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
less 4771 root 4r REG 3,5 16 2099178 crazyfile (deleted)

[root@tiger proctest]# lsof|grep less

less 4771 root cwd DIR 3,5 4096 2099177 /home/jc/proctest
less 4771 root rtd DIR 3,5 4096 2 /
less 4771 root txt REG 3,5 101788 8280017 /usr/bin/less
less 4771 root mem REG 3,5 112168 376984 /lib/ld-2.3.4.so
less 4771 root mem REG 3,5 1529136 376987 /lib/tls/libc-2.3.4.so
less 4771 root mem REG 3,5 1175697 8278659 /usr/lib/libncursesw.so.5.4
less 4771 root 0u CHR 136,0 2 /dev/pts/0
less 4771 root 1u CHR 136,0 2 /dev/pts/0
less 4771 root 2u CHR 136,0 2 /dev/pts/0
less 4771 root 3r CHR 5,0 1857 /dev/tty
less 4771 root 4r REG 3,5 16 2099178 /home/jc/proctest/crazyfile (deleted)

Go to /proc/PID and check the file descriptors inside the fd directory. You can also check the command that was run with cat cmdline:

[root@tiger proctest]# cd /proc/4771
[root@tiger 4771]# ll
total 0
dr-xr-xr-x 2 root root 0 May 5 23:08 attr
-r-------- 1 root root 0 May 5 23:08 auxv
-r--r--r-- 1 root root 0 May 5 23:08 cmdline
lrwxrwxrwx 1 root root 0 May 5 23:08 cwd -> /home/jc/proctest
-r-------- 1 root root 0 May 5 23:08 environ
lrwxrwxrwx 1 root root 0 May 5 23:08 exe -> /usr/bin/less
dr-x------ 2 root root 0 May 5 23:08 fd
-rw-r--r-- 1 root root 0 May 5 23:08 loginuid
-r-------- 1 root root 0 May 5 23:08 maps
-rw------- 1 root root 0 May 5 23:08 mem
-r--r--r-- 1 root root 0 May 5 23:08 mounts
lrwxrwxrwx 1 root root 0 May 5 23:08 root -> /
-r--r--r-- 1 root root 0 May 5 23:08 stat
-r--r--r-- 1 root root 0 May 5 23:08 statm
-r--r--r-- 1 root root 0 May 5 23:08 status
dr-xr-xr-x 3 root root 0 May 5 23:08 task
-r--r--r-- 1 root root 0 May 5 23:08 wchan

[root@tiger 4771]# cat cmdline
lesscrazyfile

[root@tiger 4771]# cd fd
[root@tiger fd]# ll
total 5
lrwx------ 1 root root 64 May 5 23:08 0 -> /dev/pts/0
lrwx------ 1 root root 64 May 5 23:08 1 -> /dev/pts/0
lrwx------ 1 root root 64 May 5 23:08 2 -> /dev/pts/0
lr-x------ 1 root root 64 May 5 23:08 3 -> /dev/tty
lr-x------ 1 root root 64 May 5 23:08 4 -> /home/jc/proctest/crazyfile (deleted)
[root@tiger fd]# cat 4
Hello Linuxzone
[root@tiger fd]# cp 4 /tmp/crazyfile.restored
[root@tiger fd]# cat /tmp/crazyfile.restored
Hello Linuxzone
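
The manual /proc walk above is easy to script. The following is an added example (not from the original post or the linux.com article) that lists the unlinked-but-open files of a process, scans every process for them, and copies them out of /proc/PID/fd. It assumes a Linux procfs; the function names, the output naming scheme (PID_FD_basename) and the destination directory are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: automate the /proc/<pid>/fd walk.
# The links under /proc/<pid>/fd keep resolving to the open inode after the
# path is unlinked, which is why cp from there works; the kernel marks such
# targets with a trailing " (deleted)".

# list_deleted_fds PID
# Prints "FD<TAB>ORIGINAL_PATH" for each fd of PID whose target was unlinked.
list_deleted_fds() {
    pid=$1
    for link in /proc/"$pid"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            /*" (deleted)")     # absolute path only: skips socket:[...], pipe:[...]
                printf '%s\t%s\n' "${link##*/}" "${target% (deleted)}" ;;
        esac
    done
}

# scan_deleted_all
# Same check over every process; prints "PID<TAB>FD<TAB>ORIGINAL_PATH".
# Processes you are not allowed to inspect are skipped (readlink fails).
scan_deleted_all() {
    for dir in /proc/[0-9]*; do
        p=${dir#/proc/}
        list_deleted_fds "$p" | while IFS= read -r line; do
            printf '%s\t%s\n' "$p" "$line"
        done
    done
}

# recover_deleted_fds PID DEST_DIR
# Copies every unlinked-but-open regular file of PID into DEST_DIR as
# <pid>_<fd>_<basename> and prints how many files were recovered.
recover_deleted_fds() {
    pid=$1
    dest=$2
    mkdir -p "$dest"
    count=0
    for link in /proc/"$pid"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            /*" (deleted)") ;;
            *) continue ;;
        esac
        [ -f "$link" ] || continue      # stat follows the magic link: regular files only
        orig=${target% (deleted)}
        out="$dest/${pid}_${link##*/}_$(basename "$orig")"
        cp "$link" "$out" && count=$((count + 1))
    done
    echo "$count"
}

# Usage when run directly: ./recover.sh PID DEST_DIR
if [ $# -ge 2 ]; then
    recover_deleted_fds "$1" "$2"
fi
```

Copy the files out before killing the process: once the last descriptor closes, the inode is gone and nothing under /proc will reference it any more. scan_deleted_all is the /proc equivalent of grepping lsof output for "(deleted)" and is handy when you do not yet know which PID is holding the script.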

Dynamic VirtualHost using mod_vhost_alias

Web No Comments

I was looking into a solution for a customer and mod_vhost_alias came in handy.

Let's say you want to host blogs for several people on subdomains of the form blogname.crazyblogs.com. Instead of having a separate virtual host for each one, you can do something like this:

<VirtualHost 123.111.222.123:80>
UseCanonicalName Off
VirtualDocumentRoot /var/www/%0/htdocs
ServerName *.crazyblogs.com
</VirtualHost>

Now, if you go to http://blog1.crazyblogs.com, Apache will look for an index file inside /var/www/blog1.crazyblogs.com/htdocs (%0 expands to the full host name the client sent).
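
Because %0 is the Host name the client sent, the only thing deciding whether a request maps to a directory is whether that directory exists, so blog directories should only ever be created from names you have checked. The helper below is an added example (not from the original post or from the Apache project) that computes the document root the VirtualDocumentRoot line above resolves to and creates it only for a well-formed single DNS label; WWW_ROOT, BLOG_DOMAIN and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: provision the per-blog docroot
# expected by "VirtualDocumentRoot /var/www/%0/htdocs". Defaults are
# overridable through the environment for testing.

WWW_ROOT=${WWW_ROOT:-/var/www}          # assumed; matches the post's config
BLOG_DOMAIN=${BLOG_DOMAIN:-crazyblogs.com}

# blog_docroot NAME -> prints the path Apache resolves for NAME.$BLOG_DOMAIN
blog_docroot() {
    printf '%s/%s.%s/htdocs\n' "$WWW_ROOT" "$1" "$BLOG_DOMAIN"
}

# valid_blog_name NAME -> 0 if NAME is one DNS label (lowercase letters,
# digits, inner hyphens, 1-63 chars), 1 otherwise. Rejects '.', '/' and
# anything else that is not a hostname character.
valid_blog_name() {
    case $1 in
        ""|*[!a-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ ${#1} -le 63 ]
}

# create_blog NAME -> creates the docroot; refuses bad names (returns 1)
create_blog() {
    valid_blog_name "$1" || return 1
    mkdir -p "$(blog_docroot "$1")"
}

# Usage when run directly: ./create_blog.sh NAME
if [ $# -ge 1 ]; then
    create_blog "$1"
fi
```

A request for a host whose directory does not exist simply gets a 404, so nothing needs to change in the Apache config as blogs are added or removed.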

You can find further information on:

http://httpd.apache.org/docs/2.0/vhosts/mass.html#simple

http://httpd.apache.org/docs/2.0/mod/mod_vhost_alias.html

4GB table limitation on MyISAM tables

Databases No Comments

This week I had a customer ask me whether MySQL or the file system on his server had a 4GB file limit, because he was getting a ‘table full’ type error on one of his large tables. I found posts about it everywhere on Google, including the MySQL website (http://dev.mysql.com/doc/refman/5.0/en/full-table.html), but I am blogging it anyway.

Apparently it is just an easily fixable file pointer limitation in MySQL 4.x.

Here is the fix:

ALTER TABLE table_name MAX_ROWS = 10000000; (this can take a while)

To fix it for new tables, add this to your /etc/my.cnf:

myisam_data_pointer_size=6

This allows tables up to 256TB in size. The default value is 4, which allows up to 4GB.

Tonight’s Rant!!

Crazyness No Comments

Alright. I really want to test FreeBSD 7, but I refuse to download 3 CD images instead of one DVD image. And they do not have it available on their mirrors.

I find it very funny they have this on their page:

“There are many options for installing FreeBSD, including installation from CD-ROM, DVD, floppy disk, an MS-DOS® partition, magnetic tape, anonymous FTP, and NFS. Please read through the installation guide before downloading the entire FreeBSD distribution.”

Anyway, no DVD ISO! Maybe I will just install it over NFS! (Who da heck installs an OS from magnetic tape? Or 2 thousand floppies?)

That’s my bitchin for the day.

–JC

PS: I still love you FreeBSD.

How to really switch your Mom to Linux

Crazyness 2 Comments

I was reading this article on debiantutorials.org (http://www.debiantutorials.org/content/view/224/1/) and I thought it was pretty interesting.

He makes some good points (and some silly ones :]) on how to rescue her from the evils of Micro$oft. The real secret is to make it simple and functional. He used a Debian box, replaced some of her Windows programs with web applications, and what he could not replace, he just distracted her with some silly games! :)

My only question is: “How do you make your grandmother switch to Linux?” Can you do it yourself, or does your mom have to do it?

More power to open source software,

JC
