LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-06-2011, 12:09 PM   #16
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780

Quote:
Ok, so I do not have to install anything, this will not conflict with the current Plesk setup and I just have to perform the commands you gave me, correct? (And yes, in the right order so I will not shut myself out prematurely
That is correct. Since the IP changing is a potential issue here is what I would recommend:

Block the traffic except for your IP. Once you have everything else cut off and only you are logged in, obtain a clean copy of the SSH binary. Configure this SSH server to listen on a non-standard port, configure it for RSA key only and only for your user account. Once you think this is working, open this one additional port in your firewall, but don't make it IP dependent. This will still let you in and will close off the attacker and any back doors. Then, close off port 22 to prevent them from returning.

Last edited by Noway2; 05-06-2011 at 12:10 PM. Reason: added line about close port 22.
 
Old 05-06-2011, 12:31 PM   #17
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
I had already gone through the steps from your previous post and edited my last post before I read this one, there is additional info in my previous post.

Sadly enough it seems that my whole server is unreachable now, I cannot FTP to it, I cannot ping it and I cannot reach it through http.

Oops....

This happened after doing this:

Quote:
You can use IP tables commands to stop the traffic. Iptables rules work like a waterfall, so order is important. To shut down all but SSH traffic from your known source the comamnds would be as follows:

iptables -A INPUT -p tcp -m tcp -s xx.xxx.xxx.xx --dport 22 -j ACCEPT
iptables -A INPUT -j DROP

You will also want to shut down port 22 on the output. Your SSH connection shouldn't use port 22 outbound
iptables -A OUTPUT ! -d xx.xxx.xxx.xx -j DROP # Blocks all packets NOT going to your IP
I still have my console open and was able to run netstat, ps and lsof. But no http, ftp or ping. Is this what was supposed to happen?

Edit:

Next step was looking for setuid and setgid, which I did, results are in the attachment.
Attached Files
File Type: pdf setuid and setgid.pdf (15.6 KB, 11 views)

Last edited by MartinM; 05-06-2011 at 12:40 PM.
 
Old 05-06-2011, 01:18 PM   #18
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 419Reputation: 419Reputation: 419Reputation: 419Reputation: 419
Quote:
Originally Posted by MartinM
But no http, ftp or ping. Is this what was supposed to happen?
Yes, that was supposed to happen. Everything except SSH should be cut off now (at least we hope so), and that is exactly what you want. You might want to test that you can establish a second SSH session from your computer just to make sure that you can access it.
 
2 members found this post helpful.
Old 05-06-2011, 01:20 PM   #19
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by Hangdog42 View Post
You might want to test that you can establish a second SSH session from your computer just to make sure that you can access it.
Just tried that and yes, I can

Also looked into /etc/inetd.conf by using "nano /etc/inetd.conf" which returned an empty file.
Another step from the CERT advise done.

Am hoping someone will be able to tell me something based on the files I uploaded here to see which process is the evildoer and needs to be killed.

Now it's time to get that new SSH binary and test that. Is that a matter of apt-get, or grep, or am I thinking in a wrong direction now?

Last edited by MartinM; 05-06-2011 at 01:25 PM.
 
Old 05-06-2011, 01:35 PM   #20
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
Quote:
I cannot FTP to it, I cannot ping it and I cannot reach it through http. ... I still have my console open and was able to run netstat, ps and lsof. But no http, ftp or ping. Is this what was supposed to happen?
Yes, that is exactly what is supposed to happen. The server has been locked down. Provided you used -s xxx where xxx is your IP, you, and only you, have access to it. The attacker has been cut off and the SSH attacks should have been stopped. The attacker can not get in any modify anything, they can't destroy evidence, they can't cover their tracks, and they can't command and control their applications. This is exactly what you want. Furthermore, things should not have been disturbed any more than was necessary and their applications should still be running so that you can identify them. If you need to upload any files to this system, use SCP, which works via SSH. The syntax is like this scp path/file user@yoursystem:/path/to/upload/to. If you have RSA key authentication working, it will work via the keys.

Now, I have looked over your list and there are some things that I think are potentially suspicious and some, like the Plesk related ones, I don't know enough to comment about. The files you have listed in /bin, /usr/bin, and /sbin are normal. The ones in /usr/lib may be normal. In my system (Slackware) I have a libexec directory with these files. The apache2/suexec can go either way. It is in a non-default place (per Apache) and I would put this on the to be checked list. The dmcrypt is one to check as it may be setuid, but if am reading things right should drop root privilege during execution (https://wiki.kubuntu.org/Security/Investigation/Setuid). I don't know what the /opt/psa stuff is but it looks like it might be associated with plesk. The qmail ones surprise me but it looks like there is a package for checkpw that uses setuid to avoid making patches. These files should be checked for legitimacy.

Now, there is a litany of things that need to be done and this will take some effort. The goal, of course, is to figure out how they gained entrance. In doing so, they should have made some noise somewhere. Based upon the command and process you found, I think that they gained root access.

1) You will want to get copies of all of the logs and examine them very thoroughly. Look for signs of intrusion. Look for signs of privilege escalation. Running the logs through Logwatch could be beneficial.
2) you will need to compare your system binaries against those for the distribution. Date and time modification may be of assistance. It depends on how careful the cracker was.
3) Look carefully at the process output - which I think help you find the rogue SSH program
4) examine all of the cron jobs
5) look for any hidden files
6) also, on your web server, are you running any sort of content manager, etc and if so what version(s). We will want to check the CVE list for known issues.
7) You said that Apache and everything were patched. That is good, but again check the versions against the security watch lists.

Remember, that any of these binary files, like find, could be designed to lie to you. You must verify them against the distribution first. If you need help examining any of the files and don't want to post them on line, I would recommend contacting any of the following individuals via private message (email): unSpawn, win32sux, noway2 (myself) unixfool, and Hangdog42.
 
1 members found this post helpful.
Old 05-06-2011, 01:40 PM   #21
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
To verify your packages in debian, there is a tool called debsums. It should be the equivalent to rpm -V.
 
1 members found this post helpful.
Old 05-06-2011, 01:54 PM   #22
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
Quote:
I have attached the results of netstat and ps, the results of lsof was too big so I need to find another solution for that...
Regarding the output of those commands. Please be sure to run them with the flags. For example, the output of ps shows bash and ps, which are the processes that your user was running.

The output of the netstat run (minus the process information) definitely shows an ssh bomb. Aside from the ssh connections, I noticed a few IMAPS connections. Are you running an imap server? You will want to try to cross-correlate the PID numbers and open files and sockets. Otherwise, it doesn't look like the offender was currently connected. Hopefully, this will lead you to a 'dud' binary, which in turn will hopefully lead to the entry path.

edit: I say that it doesn't look like he was connected as long as the imaps and imap2 connections are legit because the intrusion seemed to leave a screen session open with an ssh command. Speaking of this, you may see an entry for screen in your PS list. If so you may be able to switch to it with "screen -raAd" and disconnect from it with ctrl-A d (control A then d for detach).

The commands again are (run as root):
Code:
ps axfwwwe,  netstat -anpe, and lsof -Pwln

Last edited by Noway2; 05-06-2011 at 01:56 PM.
 
Old 05-06-2011, 01:54 PM   #23
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 419Reputation: 419Reputation: 419Reputation: 419Reputation: 419
Quote:
Originally Posted by MartinM
Am hoping someone will be able to tell me something based on the files I uploaded here to see which process is the evildoer and needs to be killed.
If I could ask a favor, could you re-run the netstat, ps and lsof commands Noway2 asked for? The ones you posted don't appear to have used the flags, and the extra provided by those flags provide is useful. One of the reasons I'm asking is that the ps output is ridiculously short, there is obviously much more than ps and bash running on the computer. If it remains this short, it suggests that at least ps has been replaced by something evil.

And yes, these commands do generate a boatload of data, so don't hesitate to contact one of us via email and we can get it somewhere visible.

<edit>

Noway2 and I are apparently thinking the same thing at the same time!

Last edited by Hangdog42; 05-06-2011 at 01:56 PM.
 
2 members found this post helpful.
Old 05-06-2011, 02:12 PM   #24
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by Noway2 View Post
Yes, that is exactly what is supposed to happen. The server has been locked down. Provided you used -s xxx where xxx is your IP, you, and only you, have access to it. The attacker has been cut off and the SSH attacks should have been stopped. The attacker can not get in any modify anything, they can't destroy evidence, they can't cover their tracks, and they can't command and control their applications. This is exactly what you want. Furthermore, things should not have been disturbed any more than was necessary and their applications should still be running so that you can identify them. If you need to upload any files to this system, use SCP, which works via SSH. The syntax is like this scp path/file user@yoursystem:/path/to/upload/to. If you have RSA key authentication working, it will work via the keys.
I found that Cyberduck (on my Mac) does the trick, I'm a happy GUI-man again

Quote:
Originally Posted by Noway2 View Post
Now, I have looked over your list and there are some things that I think are potentially suspicious and some, like the Plesk related ones, I don't know enough to comment about. The files you have listed in /bin, /usr/bin, and /sbin are normal. The ones in /usr/lib may be normal. In my system (Slackware) I have a libexec directory with these files. The apache2/suexec can go either way. It is in a non-default place (per Apache) and I would put this on the to be checked list. The dmcrypt is one to check as it may be setuid, but if am reading things right should drop root privilege during execution (https://wiki.kubuntu.org/Security/Investigation/Setuid). I don't know what the /opt/psa stuff is but it looks like it might be associated with plesk. The qmail ones surprise me but it looks like there is a package for checkpw that uses setuid to avoid making patches. These files should be checked for legitimacy.
Indeed all PSA-stuff is Plesk-related.

Quote:
Originally Posted by Noway2 View Post
Now, there is a litany of things that need to be done and this will take some effort. The goal, of course, is to figure out how they gained entrance. In doing so, they should have made some noise somewhere. Based upon the command and process you found, I think that they gained root access.

1) You will want to get copies of all of the logs and examine them very thoroughly. Look for signs of intrusion. Look for signs of privilege escalation. Running the logs through Logwatch could be beneficial.
2) you will need to compare your system binaries against those for the distribution. Date and time modification may be of assistance. It depends on how careful the cracker was.
3) Look carefully at the process output - which I think help you find the rogue SSH program
4) examine all of the cron jobs
5) look for any hidden files
6) also, on your web server, are you running any sort of content manager, etc and if so what version(s). We will want to check the CVE list for known issues.
7) You said that Apache and everything were patched. That is good, but again check the versions against the security watch lists.

Remember, that any of these binary files, like find, could be designed to lie to you. You must verify them against the distribution first. If you need help examining any of the files and don't want to post them on line, I would recommend contacting any of the following individuals via private message (email): unSpawn, win32sux, noway2 (myself) unixfool, and Hangdog42.
Now to be honest, I am more than willing to put in an all-nighter (and will probably have to ) and truly appreciate the help and patience I receive from you, but I need to know what to do exactly in layman-terms: Should I just download a copy of Lenny and check the filesizes and dates?

Or can you point me to a site where I can learn how to check these files for legitimacy and where to find this security watch list?

And about the logs, since I isolated the server I am not able to install Logwatch, so that's no option. Is there a trustworthy online tool for this somewhere around? And which are the most important ones to dive into, for as far as I can see, I have about 100 files in /var/log.
 
Old 05-06-2011, 02:20 PM   #25
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
And in reply to hangdog42, another round of results :


Code:
mmn001:~# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
getnameinfo failed
tcp6       0      0 mmn001.local:ssh        [UNKNOWN]:53375         ESTABLISHED
getnameinfo failed
tcp6       0      0 mmn001.local:ssh        [UNKNOWN]:51944         ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    2666     @/org/kernel/udev/udevd
unix  9      [ ]         DGRAM                    42646485 /dev/log
unix  3      [ ]         STREAM     CONNECTED     57707270 
unix  3      [ ]         STREAM     CONNECTED     57707269 
unix  3      [ ]         STREAM     CONNECTED     57707268 
unix  3      [ ]         STREAM     CONNECTED     57707267 
unix  2      [ ]         DGRAM                    44998638 
unix  2      [ ]         DGRAM                    44217155 
unix  3      [ ]         STREAM     CONNECTED     43909515 
unix  3      [ ]         STREAM     CONNECTED     43909514 
unix  2      [ ]         DGRAM                    43113683 
unix  2      [ ]         DGRAM                    42893573 
unix  2      [ ]         DGRAM                    42698784 
unix  2      [ ]         DGRAM                    42672878 
unix  2      [ ]         DGRAM                    42651653 
unix  3      [ ]         STREAM     CONNECTED     21836520 
unix  3      [ ]         STREAM     CONNECTED     21836519 
unix  2      [ ]         DGRAM                    11703245 
unix  2      [ ]         STREAM     CONNECTED     258698   
unix  2      [ ]         DGRAM                    11629    
unix  2      [ ]         DGRAM                    5928     
unix  2      [ ]         DGRAM                    5762     
mmn001:~#

Code:
mmn001:~# ps
  PID TTY          TIME CMD
13369 pts/0    00:00:00 ps
28983 pts/0    00:00:00 bash
mmn001:~#
lsof is still a pdf of 60 pages, so we need to find a workaround

Edit: Sent a message to hangdog42 in regards to that....

Last edited by MartinM; 05-06-2011 at 02:28 PM. Reason: Addition
 
Old 05-06-2011, 02:31 PM   #26
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Quote:
The commands again are (run as root):
Code:
ps axfwwwe
netstat -anpe
lsof -Pwln
You are still not running the above commands with the options. What is after the command are called options such as "axfwwwe". Type exactly what was written in the code tags.

Last edited by OlRoy; 05-06-2011 at 02:34 PM.
 
2 members found this post helpful.
Old 05-06-2011, 02:48 PM   #27
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by OlRoy View Post
You are still not running the above commands with the options. What is after the command are called options such as "axfwwwe". Type exactly what was written in the code tags.
Correct, I completely overlooked the options, my apologies for this mistake.

I have re-run the commands, with the options now.
Attached Files
File Type: pdf ps_options1.pdf (30.7 KB, 15 views)
File Type: pdf netstat_options1.pdf (20.0 KB, 10 views)
 
Old 05-06-2011, 02:55 PM   #28
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
Let me start this next round by first complementing you on a difficult task that has been handled very well! In respect to, pulling an all nighter, you might want to re-think that (I imagine it is about 9-10pm already in your area). You will need to be fresh as you are looking for possibly subtle details. Let me also say this, if you are crunched for time in that you need to restore this machine to operation, make an image copy of it. I am not sure off hand how best to recommend this from a co-lo, but we will cross that bridge when we come to it.

Now for some specific instructions. In order to install any applications on this machine, such as log watch, you would need to download them from another location (get the .deb packages), upload them to this machine via SCP and install them with dpkg -i <package-name>.

You can find out what packages have been installed with the command dpkg --list, similarly, you can see what package a file belongs to with this command: dpkg --search filename

So, for example, from one of my systems running the Debian variant Ubuntu I did the following
1) which ssh
---> /usr/bin/ssh
2) sudo (or as root) dpkg --search /usr/bin/ssh
---> openssh-client
3) sudo dpkg --status openssh-client
---> This gives a lot of information. It tells me the package version, the dependencies, the configuration files (along with their sums) etc.
4) I installed debsums (you will need to do this manually)
4A) debsums openssh-client

The weakness here is that it verifies against stuff stored in your /var/lib/packages directory. This is a good first step and will likely show you if anything is changed. Running the init is probably futile at best and a bad idea at worst. you want to know if anything has been modified. I doubt if the attacker would go to the trouble of importing a whole set of cached packages. In order to be really sure, you will need to verify the md5sum against the package in the repository. You can browse the debian package repository against your version, find the files and extract them. You can then run an md5 against the downloaded copy and your copy. The debian packages are archives (like tar balls). See this link: http://www.g-loaded.eu/2008/01/28/ho...-deb-packages/ You can use these commands to extract the file of interest and then md5 it.

Note, there are a lot of files in a system. You don't have to do all of them, but I would start by focus on some key ones or ones that you think may be suspicious. You should probably verify your tools like apt, dpkg, and so forth. Use an md5sum utility that you have uploaded if you can. See if the find utility will give you any indications of things that may have changed in the last few weeks for example.

As far as the logs go, focus on /auth.log, dpkg.log, syslog, apache2/error.log, and aptitude
 
1 members found this post helpful.
Old 05-06-2011, 03:53 PM   #29
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Well, enough info in the logs, that's for sure.

Some examples that even I understand to be trouble

Apache2/error.log

Hundreds if not thousand of lines, all from different client-IPs but all looking for the same on my server:
[Sun May 01 06:30:53 2011] [error] [client xxx.xxx.xxx.xxx] script '/var/www/vhosts/default/htdocs/signup.php' not found or unable to stat

Hundreds if not thousand of lines, all from the same IP and all looking for different files in the same path on my server, e.g. phpmanager/mysqladmin/typo3/phpMyAdmin/etc:
[Sun May 01 05:37:54 2011] [error] [client xx.xxx.xx.xxx] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin

syslog

Lots of these lines:
May 5 06:36:15 mmn001 kernel: [166954.174693] ssh-scan[16867]: segfault at 0 ip 8048e33 sp ffe223b0 error 4 in ssh-scan[8048000+c0000]

dpkg.log

Just entries from one day:

Code:
2011-04-18 13:07:51 startup archives unpack
2011-04-18 13:07:53 install libssl-dev <none> 0.9.8g-15+lenny11
2011-04-18 13:07:53 status half-installed libssl-dev 0.9.8g-15+lenny11
2011-04-18 13:07:53 status triggers-pending man-db 2.5.2-5
2011-04-18 13:07:54 status half-installed libssl-dev 0.9.8g-15+lenny11
2011-04-18 13:07:54 status unpacked libssl-dev 0.9.8g-15+lenny11
2011-04-18 13:07:54 status unpacked libssl-dev 0.9.8g-15+lenny11
2011-04-18 13:07:54 trigproc man-db 2.5.2-5 2.5.2-5
2011-04-18 13:07:54 status half-configured man-db 2.5.2-5
2011-04-18 13:07:56 status installed man-db 2.5.2-5
2011-04-18 13:07:56 startup packages configure
2011-04-18 13:07:56 configure libssl-dev 0.9.8g-15+lenny11 0.9.8g-15+lenny11
2011-04-18 13:07:56 status unpacked libssl-dev 0.9.8g-15+lenny11
2011-04-18 13:07:57 status half-configured libssl-dev 0.9.8g-15+lenny11
2011-04-18 13:07:57 status installed libssl-dev 0.9.8g-15+lenny11
Auth.log

Filled with entries with usernames from same IP and failed passwords and entried with CRON sessions starting up and closing. Don't know if the last ones are correct, have to look in the schedule in Plesk to see if they are correct or illegal.

Aptitude

Empty log (should I rejoice or be worried? )

Personal Time-management:

True enough, I have to stay awake to be able to follow the tips and instructions in an orderly fashion. But on the other hand, some of the sites on my server are third-party sites and I feel a huge responsibility towards these people.
Is there any chance that I can make their sites available again without causing other server-owners on the internet to be flooded with those SSH-scans originating from my server again?

Last edited by MartinM; 05-06-2011 at 03:58 PM. Reason: Addition
 
Old 05-06-2011, 03:53 PM   #30
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
(I mentioned this to Hangdog42 off line and am adding it here)
In the ps output, I am suspicious of two entries on the second page: process 4268 and 4269. I think 4268 is the screen session that was left open by the intruder. I think 4269 is our real culprit. I admit that I don't understand how to fully interpret that entry with the command line full of garbage. I am wondering if it has been obfuscated like with bas64 or rot13 or something. What strikes me as odd though is the _/bin/bash entry, notice the _/ portion. I would look for a directory like _ esp in the root directory. Be sure to look carefully at the files pointed to by this entry.

The other thing I notice is a lot of entries of xinetd. These may or may not be ok. It strikes me as a little weird that it is listening on so many ports. I would look very closely at the configuration file associated with this application. According to the PS output, it appears to be tied to MYSQL, which I might expect, but it is listening on strange ports like 21 (FTP command) 106 (not standard), and 587 (smtp submission). You also have some things like the sw_cp_serv listening on public interfaces on high ports, which bears scrutiny.

The question remains, how did they get entry. Hopefully the logs will help answer this. I have a suspicion that they used a process vulnerability and elevated from there. The trick is to find which process.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[iptables] How to block brute force attacks? littlebigman Linux - Software 2 04-05-2011 04:48 AM
[SOLVED] Server receiving a lot of brute force SSH attacks the182guy Linux - Newbie 6 10-16-2009 08:27 AM
[SOLVED] MySql-ban brute force attacks? qwertyjjj Linux - Software 3 08-10-2009 05:28 AM
Does anyone know if guardian can be set to block brute force attacks and only brute f abefroman Linux - Software 2 06-05-2008 10:55 AM
Question on Brute Force Attacks Mad Mike Linux - Security 4 10-16-2006 10:25 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:44 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration