Migrating from file to lvm storage

Steps to take for migrating from file to lvm storage. This tutorial will make use of virsh from libvirt. Tested on Ubuntu 14.04 (Trusty Tahr).

Before we begin

I assume you already have an LVM storage pool created and active. You can list your storage pools with this command.

root@flipflop /home/data # virsh pool-list
 Name                 State      Autostart 
-------------------------------------------
 mylvmpool            active     yes 

On my system, only one storage pool is started. It’s called ‘mylvmpool’. Steps for creating an LVM storage pool are described in the post ‘New LVM pool in existing volume group’ below. Use this command to display more detailed information about the storage pool.

root@flipflop /home/data # virsh pool-info mylvmpool
Name:           mylvmpool
UUID:           cf2438fa-eeb7-457d-ae48-7c05f3cc8dc8
State:          running
Persistent:     yes
Autostart:      yes
Capacity:       2.73 TiB
Allocation:     569.81 GiB
Available:      2.17 TiB

New LVM pool in existing volume group

These commands show how you can create a new LVM pool in an existing volume group. Virsh from libvirt is used for the task.
I’ve tested everything on a fresh Ubuntu Server 14.04 (Trusty Tahr).

How we start

During the installation of this server, I created one large volume group which spanned almost the whole disk (except for /boot, which sits on its own primary partition). That single volume group lives in partition 2.

root@flipflop ~ # sgdisk -p /dev/sda
Disk /dev/sda: 5860533168 sectors, 2.7 TiB
Logical sector size: 512 bytes
Disk identifier (GUID): D09D3D4B-01CE-4A1F-8ED0-4E68253A85D6
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 5860533134
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            4096         1052671   512.0 MiB   FD00  
   2         1052672      5860533134   2.7 TiB     FD00  
   3            2048            4095   1024.0 KiB  EF02  
root@flipflop ~ #

The Ubuntu installer created this partition table. Note that we’re using a GUID Partition Table (GPT). A normal MBR is no longer possible since the disk is over 2 TB in size. In this partition, an LVM volume group has been created.

root@flipflop ~ # vgdisplay
  --- Volume group ---
  VG Name               vg0
  System ID             
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  5
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                4
  Open LV               4
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               2.73 TiB
  PE Size               4.00 MiB
  Total PE              715236
  Alloc PE / Size       143872 / 562.00 GiB
  Free  PE / Size       571364 / 2.18 TiB
  VG UUID               YOVLIn-I0bX-0bND-JhuX-EnxI-YuO8-5ux86P
   
root@flipflop ~ #

Defining the new storage pool

To define the storage pool, I’m using the virsh command from libvirt with the pool-define-as subcommand.
If you want to see all of its options, issue this command.

root@flipflop ~ # virsh help pool-define-as

To define the actual pool, I’ve run this command.

root@flipflop ~ # virsh pool-define-as mylvmpool logical - - /dev/sda2 vg0 /dev/vg0

This command only defines the pool. There is no need to run ‘virsh pool-create’ because the volume group already exists.
If you want the storage pool to start automatically, enable autostart.

root@flipflop ~ # virsh pool-autostart mylvmpool

Checking the storage pool

Right now we can manipulate the volume group using the virsh command. A couple of examples:

  • Listing all storage pools

    root@flipflop ~ # virsh pool-list
     Name                 State      Autostart 
    -------------------------------------------
     mylvmpool            active     yes

  • Getting detailed info about a storage pool

    root@flipflop ~ # virsh pool-info mylvmpool
    Name:           mylvmpool
    UUID:           cf2438fa-eeb7-457d-ae48-7c05f3cc8dc8
    State:          running
    Persistent:     yes
    Autostart:      yes
    Capacity:       2.73 TiB
    Allocation:     562.00 GiB
    Available:      2.18 TiB

  • Listing all volumes in the storage pool

    root@flipflop ~ # virsh vol-list mylvmpool
     Name                 Path                                    
    ------------------------------------------------------------------------------
     home                 /dev/vg0/home
     root                 /dev/vg0/root
     swap                 /dev/vg0/swap

  • Creating a new volume

    root@flipflop ~ # virsh vol-create-as mylvmpool newvol 100G
    Vol newvol created

  • Checking if the volume has been created

    root@flipflop ~ # virsh vol-list mylvmpool
     Name                 Path                                    
    ------------------------------------------------------------------------------
     home                 /dev/vg0/home
     newvol               /dev/vg0/newvol
     root                 /dev/vg0/root
     swap                 /dev/vg0/swap

  • Listing the details of the new volume

    root@flipflop ~ # virsh vol-info newvol --pool mylvmpool
    Name:           newvol
    Type:           block
    Capacity:       100.00 GiB
    Allocation:     100.00 GiB

  • Deleting the new volume

    root@flipflop ~ # virsh vol-delete newvol --pool mylvmpool
    Vol newvol deleted

This post explained how to create a new LVM storage pool in an existing volume group. It also showed how volumes can be listed, created and deleted.

Mails with FAX attachment

I’ve been receiving a lot of mails with a FAX attachment lately. The attachment is a zip file containing a virus. I’ve analysed the binary a little and came up with the following interesting info.

Size and hash

rivy@spdy:~/Downloads/FAX$ ls -l FAX_20150226_1424989043_176.zip
-rw-rw-r-- 1 rivy rivy 12790 Feb 27 19:47 FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$ md5sum FAX_20150226_1424989043_176.zip
c3a277e79afedb9538f4759e62bb3c64  FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$ sha256sum FAX_20150226_1424989043_176.zip
72f7cfa43c61e2d9bb21a92ad60bc955f4c20b20997bb0ad204da6c6d2c464cd  FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$

As you can see, the zip file is around 12 KB in size. Unzipping it produced a single executable with the same base name.

Archive:  FAX_20150226_1424989043_176.zip
  inflating: FAX_20150226_1424989043_176.exe

The MD5 and SHA-256 hashes of this executable are:

rivy@spdy:~/Downloads/FAX$ ls -l FAX_20150226_1424989043_176.exe
-rw-r--r-- 1 rivy rivy 39168 Feb 27 15:35 FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$ md5sum FAX_20150226_1424989043_176.exe
c2e9e728576d5f230d97cfc6960361fc  FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$ sha256sum FAX_20150226_1424989043_176.exe
de32206ccde1b20a944c5ac4c49a565d9d65ba4786bacc37aa18c2ca7d83b39f  FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$

Looking for strings

Looking for plaintext strings in the binary is a quick and easy first check for whether software is harmful. You can print all of them with strings, one of the many useful tools in the binutils package on most Linux distributions.

rivy@spdy:~/Downloads/FAX$ strings FAX_20150226_1424989043_176.exe
`tD<m=
8j	Y
/dln
RRhqcap
X[YZa
ReplaceFileA
GetACP
IsBadWritePtr
SetComputerNameW
QueryDosDeviceW
CreateJobObjectA
ReadConsoleOutputA
IsDebuggerPresent
Beep
_lopen
GetProfileIntW
TerminateProcess

The list was longer, but I removed everything else. So what have we found so far?

  • Mail with attachment from an unknown person
  • Attachment is a zip file which contains an executable
  • Executable imports functions such as SetComputerNameW and IsDebuggerPresent

Taken together, this lets us conclude that this mail with FAX attachment is malware.
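
As an added example (not code from the original post), here is the strings step above re-implemented in Python so the triage can be scripted: it extracts printable ASCII runs from a constructed byte blob and flags the Windows API names quoted above. The watch-list of API names and their categories is my assumption, not a published list.

```python
"""Added example (not from the original post): a minimal re-implementation of
the `strings` triage step, run over a constructed PE-like byte blob.
It extracts printable ASCII runs (>= 4 chars, GNU strings' default) and
flags Windows API names that deserve a second look. The sample bytes are
constructed; the API watch-list and categories are assumptions."""
import re
from typing import Dict, List

MIN_LEN = 4  # same default minimum length as GNU strings

# Imports worth a second look during triage (assumed categorisation).
SUSPICIOUS_APIS: Dict[str, str] = {
    "IsDebuggerPresent": "anti-debugging",
    "IsBadWritePtr": "memory probing",
    "SetComputerNameW": "host tampering",
    "ReplaceFileA": "file tampering",
    "CreateJobObjectA": "process control",
    "TerminateProcess": "process control",
}

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def flag_imports(strings: List[str]) -> Dict[str, str]:
    """Return {api_name: category} for every watch-listed name that was seen."""
    return {s: SUSPICIOUS_APIS[s] for s in strings if s in SUSPICIOUS_APIS}

# Constructed sample: junk bytes interleaved with NUL-separated import names,
# mimicking the mix of noise and API names `strings` printed in the post.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00`tD<m=\x00\x01\x02"
          b"ReplaceFileA\x00GetACP\x00IsBadWritePtr\x00"
          b"SetComputerNameW\x00\x7f\xffBeep\x00IsDebuggerPresent\x00"
          b"\x00\x00TerminateProcess\x00")

if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for s in found:
        print(s)
    hits = flag_imports(found)
    print(f"{len(hits)} suspicious imports: {hits}")
```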

VirusTotal results

Although we are already sure that this attachment is malware, I also queried VirusTotal for this binary. VirusTotal accepts either an upload of the suspicious file or a search for its hash. Searching by hash is the better option when the file may contain confidential information, since the file itself never leaves your system. These are the results.
As you can see, the last analysis happened 16 minutes ago. The malware is still very new. According to the “Additional Information” tab, the first upload happened 3 hours ago. Also, only 3 out of 57 AV vendors would detect this binary as malware.

Detecting this malware on your network

Clicking the “behavioural information” tab reveals even more interesting info. It lists which files are opened and written to. Take note of the “c:/autoexec.bat”!
We also see that the malware tries to make HTTP GET requests with a User-Agent string of “Mazilla/5.0”. Obviously this should be “Mozilla/5.0”. This typo makes it very easy to create IPS signatures to detect this malware on the network. Bear in mind that a single hard-coded string is trivial for the author to change in the next build, so treat such a signature as a cheap indicator for the current wave rather than a durable detection.
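
As an added example (not code from the original post), the following Python hunts for the misspelt User-Agent in HTTP proxy logs and shows a Snort 2 style rule expressing the same match on the wire. The log lines are constructed, the assumed log layout is the Apache “combined” format, and the rule text and its sid are illustrative, not a published signature.

```python
"""Added example (not from the original post): detect the misspelt User-Agent
("Mazilla/5.0" instead of "Mozilla/5.0") in HTTP proxy logs, plus a Snort 2
style rule for the same match. Log lines are constructed; the Apache
"combined" layout, rule text and sid are illustrative assumptions."""
import re
from typing import List, Optional, Tuple

# Combined log format: client ident user [ts] "request" status size "referer" "ua"
_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Anchored at the start of the UA so a genuine Mozilla UA that merely
# contains the string elsewhere is not flagged.
TYPO_UA = re.compile(r"^Mazilla/5\.0\b")

def parse_ua(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client, request, user_agent), or None if the line does not parse."""
    m = _COMBINED.match(line)
    return (m.group("client"), m.group("request"), m.group("ua")) if m else None

def find_typo_ua(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, request) for each parseable line whose UA is the typo."""
    hits = []
    for line in lines:
        parsed = parse_ua(line)
        if parsed and TYPO_UA.match(parsed[2]):
            hits.append((parsed[0], parsed[1]))
    return hits

# Constructed sample: two normal browsers, one callback with the typo, and one
# unparseable line that must be skipped rather than crash the scan.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Feb/2015:19:50:01 +0100] "GET /news HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/35.0"',
    '10.0.0.9 - - [27/Feb/2015:19:50:07 +0100] "GET /update.php HTTP/1.1" 200 312 "-" "Mazilla/5.0"',
    '10.0.0.5 - - [27/Feb/2015:19:50:09 +0100] "GET /a.js HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 6.1) Mazilla/5.0-compat"',
    'garbled line without the expected fields',
]

# Snort 2 style equivalent (illustrative; sid from the local 1000000+ range).
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Misspelt User-Agent '
    'Mazilla/5.0 - possible FAX zip malware callback"; flow:to_server,established; '
    'content:"User-Agent|3A 20|Mazilla/5.0"; http_header; classtype:trojan-activity; '
    'sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    for client, request in find_typo_ua(SAMPLE_LOG):
        print(f"ALERT {client} {request}")
```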