That’s a pretty useful comment. For my purposes, I was hoping to access the BMC over the network without any extra equipment, as I have been able to do with Dell and Supermicro servers. However your comment is helpful in pointing out a solution for accessing the BMC on this machine without the iLO card and useful for people who don’t know how to talk to the BMC at all.

For your own purposes, there is some discussion on IPMI commands here:

http://wiki.adamsweet.org/doku.php?id=ipmi_on_linux

…though I’m not certain what program you’re using to talk to the BMC, they should still work.

Thanks again for a great comment.

I have a ML115 G1. The integrated IPMI/BMC controller (not the optional LO card) is actually functional. I was able to get a login prompt and browse what I believe is the IPMI “structure”. I’m not very familiar with IPMI commands yet…

The first thing you need to do is check in the BIOS and make sure that the IPMI/BMC is enabled and assigned to the serial port. You will then be able to get to the IPMI/BMC CLI from the serial port. Once you have some sort of terminal connected to the serial port, you use “ESC (” (without the quotes) to assign the serial port to the IPMI/BMC controller and “ESC Q” to give the serial port back to the system.
Once you have done ESC (, hit enter a few times and you should get a login prompt. I use admin as the user name and password. You will then get a /./-> prompt. From there you use the show command to list “targets”, “properties” and “verbs” possible for the targets.

I was able to cd into map1 then nic1 and see a bunch of properties that you can assign values to (ie: network address/mask/gateway/dhcp enable, etc.
I believe this may be what you are looking for.

For my use, I just want to be able to reboot this server remotely when the OS becomes unresponsive. So I have connected the ML115 serial port into a serial console server (DECServer 700) which is accessible from the network. Then it’s just a matter of telneting into the DECServer, connect a session to the serial port of the ML115 and issue IPMI commands from there to reset the server. Now I just need to find out what that IPMI command is!

Sylvain

No, it doesn’t depend on the filename at all for the reason you highlight. That would be quite a limitation.

In the example we’re passing the contents of the malware file to sigtool and telling sigtool to create a hexdump of the file contents. Then we’re taking the first 2 KB of the hexdump as the signature of the virus, which should theoretically be enough to uniquely identify the original file. As my article says, it’s sometimes necessary to take your hexdump from an offset number of bytes within the file if the first part isn’t unique enough.

Hope that clears it up for you.

head -c 4096

for example. ClamAV changed the specifications on the length of signatures in 2010, which was after this article was written, though I wasn’t aware they’d cut off support for smaller signatures. I couldn’t find any documentation on this and I don’t really have time to download the code and search it for how long signatures should be.

I did find some comments on people with corrupted or badly formatted signatures which caused ClamAV to bail out, you should be able to find similar stories by Googling.

Final thought, how big was your original file? If you specified a sig length of 2048 (ie 2 KB) and you files is less than 2 KB, then it’s not going to work is it?

Finally, I assume PHP.Downloader.dor.A is the signature you created? Are you certain it’s formatted correctly? Like this:

Name:Type:Offset:malware hex output

as detailed in the sig creation documentation:

http://www.clamav.net/doc/latest/signatures.pdf

I’m not aware that the syntax for signature specification has changed, but I haven’t looked into it. You could check your own sigs and compare them to the ones supplied by ClamAV (in /var/lib/clamav/ on my machines, but it depends on what system you’re running and whether you hand compiled or installed from packages). Or pull down the source code and trawl through it to find what the code says it expects.

Since Linux is becoming more popular, suddenly there are a rare few multi-platform viruses about, and some even targeted to Linux.

It’s not that Linux can’t be hacked, it’s just not as many hackers care to do it. I’m sure Linux is a much more secure OS than Windows, but there is no such thing as ultimate protection.

Here’s a question though,
let’s say I created a virus and before it attacked a computer, it renamed itself based on a bit of the computer’s information (e.g. MAC Adress, Username, etc) so that way the virus’s name may have been originally ‘Virus_Ur_Doomed.exe’ but it changed itself to bewrf2r2.exe.
the question is, how would virus scanners/firewalls pick up that it’s a virus? From what I read it seems that you base it off of the name of the virus. I may be wrong, but could you care to explain how firewalls and scanners catch a certain virus where it isn’t name-dependant? I’ve always wanted to make a custom firewall, just to protect the places (mostly browsers) where most firewalls and programs such as spybot S&D don’t cover (My parents and I both use a firewall and spybot, it seems they still get viruses through whatever programs they download and use. I’d like to fix this.)
So if you could perhaps give a brief explanation how you’d pick up and find ‘virus definitions’, that’d be great.

http://fixedgear808.blogspot.com/

It would have been really funny if it wasn’t so damn irritating…