Finding stuff on the Unix terminal

On Linux or other Unix-based systems, the terminal can be a powerful interface for locating and searching for stuff on your hard drive. The graphical search box may have limited options. Ever tried looking for files with some text in them? Here are two commands that I’ve found very useful on the terminal, and I actually don’t use the search box interface anymore.

To find files by their names or wild cards, use:

find -iwholename "*name*.ext"

The quotes are where you can put in what you want to look for. This command will look in the current directory for files that end with “.ext” and contain “name” somewhere in their name. The -iwholename is just one of the many options in this command, and the -i part ensures the search is not case sensitive. For more info on the find command, here’s a link to the online man pages: http://bit.ly/qNtN93

To find files by searching what’s inside them, use:

grep -ilr "sometext" ./

I am assuming these are text files, but there are more complex options for searching binary files too. Have a look at the online man pages of the grep command for more options (http://bit.ly/p53tsq). The -ilr options together give us a nice and tidy output. The -l part prints just the names of the files in which “sometext” was found, the -i part makes searching case insensitive, and the -r part allows looking in sub-directories. The final “./” means the current directory is the starting point for searching.

Notes to self

  • This is tested on my Debian virtual OS, does it work on other distros?
  • How do I make find search in sub-directories?
  • Can I make find and grep work together (i.e. piping, etc) so I can search for only file types that have a certain keyword?
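An added example (not from the original post) that combines find and grep so only files whose name matches a pattern AND whose contents contain a keyword are listed, the combination asked about in the notes above. find descends into sub-directories by default; -iname matches the file name only, while the post’s -iwholename (GNU find) matches the whole path. The sample directory tree is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): combine find and grep so that only
# files whose NAME matches a pattern AND whose CONTENTS contain a keyword are
# listed. find descends into subdirectories by default; -iname matches the file
# name only, while the post's -iwholename (GNU find) matches the whole path.
# The sample tree built below is constructed for the demo.

# Build a small throw-away directory tree to search.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sub/deeper"
    printf 'Hello World\n'    > "$dir/Notes.txt"
    printf 'nothing here\n'   > "$dir/sub/other.txt"
    printf 'HELLO again\n'    > "$dir/sub/deeper/MyNotes.TXT"
    printf 'hello in a log\n' > "$dir/sub/hello.log"
    printf '%s\n' "$dir"
}

# List regular files under $1 whose name matches the case-insensitive glob $2
# and whose contents match the case-insensitive text $3. Using -exec ... {} +
# instead of piping into xargs keeps odd file names intact and runs grep in
# batches; grep -l prints each matching file once. "--" protects patterns
# that start with a dash.
find_files_with_text() {
    find "$1" -type f -iname "$2" -exec grep -il -- "$3" {} + 2>/dev/null | sort
}

# Number of matching files, handy for scripting and checks.
count_matches() {
    find_files_with_text "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Demo: which *notes*.txt files mention "hello", in any letter case?
sample=$(make_sample_tree)
find_files_with_text "$sample" '*notes*.txt' hello
rm -rf "$sample"
```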

2010 in review

The stats helper monkeys at WordPress.com mulled over how this blog did in 2010, and here’s a high level summary of its overall blog health:

Healthy blog!

The Blog-Health-o-Meter™ reads Minty-Fresh™.

Crunchy numbers

A Boeing 747-400 passenger jet can hold 416 passengers. This blog was viewed about 3,600 times in 2010. That’s about 9 full 747s.

In 2010, there was 1 new post, growing the total archive of this blog to 12 posts.

The busiest day of the year was February 19th with 31 views. The most popular post that day was win32:rontokbr-I2 Worm Infection.

Where did they come from?

The top referring sites in 2010 were forum.avast.com, technodigits.wordpress.com, otvet.mail.ru, obama-scandal-exposed.co.cc, and google.com.

Some visitors came searching, mostly for sqlplus backspace, rontokbr, lsass worm, wax movie maker, and win32:rontokbr-i2.

Attractions in 2010

These are the posts and pages that got the most views in 2010.

1. win32:rontokbr-I2 Worm Infection (August 2007) – 4 comments
2. Cleaning the LSASS worm : Part 2 (August 2007) – 7 comments
3. Using SQLPlus (February 2008) – 3 comments
4. Wax Movie Editor (March 2008) – 1 comment
5. Cleaning the LSASS worm : Part 1 (March 2007) – 3 comments

Open Microsoft Access Files

This may seem like a weird title! After all, what’s the big deal with opening .mdb files? However, there are some of us out there (me included) who don’t use Microsoft Office. Instead, we rely on free stuff like OpenOffice. So I found a nice utility called “MDB Browser and Editor” that lets you open your legacy .mdb databases :) It’s free and I gave it a try; it works pretty well. So check it out if you need to.

PS – Actually, OpenOffice does have a way to import existing Microsoft Access files into its database format. However, I couldn’t get this to work with my old password-protected .mdb database.

Useful Registry Locations

I’ve come across these keys by searching on the Internet. I use these keys for detecting viruses, troubleshooting stuff, and other geeky things. The convention I’m using in writing out the keys is MainKey\SubKey1\SubKey2\SubKeyEtc > Value (I’m not stating the data)

"Windows Shell"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
"Run on Startup"="My Computer\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"Run on Startup 2"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"Session Manager"="My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
"Default Wallpaper"="My Computer\\HKEY_USERS\\.DEFAULT\\Control Panel\\Desktop"
"IIS Ports"="My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ServiceProvider\\ServiceTypes\\w3svc"
"Show Hidden Files"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL"
"Shell Context Menu"="My Computer\\HKEY_CLASSES_ROOT\\Directory\\shell"
"My Computer Context Menu"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\shell"
"File Context Menu"="My Computer\\HKEY_CLASSES_ROOT\\*\\shell"
"System Services"="My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
"Registry Favorites"="My Computer\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Regedit\\Favorites"

1. Windows Shell – This is the place where the OS sets its shell, “explorer.exe”. Viruses often target this value and add other files to it so they start up alongside the shell.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > Shell

2. Run on Startup – The place programs use to start with the OS. There are two places in the registry that hold this: one for the system generally, and one specific to the logged-in user.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

3. Default Wallpaper – Sets the default wallpaper of your desktop (the one that shows when no one is logged in yet)

HKEY_USERS\.DEFAULT\Control Panel\Desktop

4. My Computer Context Menu – Things that show up when you right-click the My Computer icon on the desktop (not sure if the CLSID number value will be the same)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell

5. System Services – Listing of all system services. Useful for removing them manually

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Copy Path

Copy Path Shell Extension by Vertigo Software is one of those pieces of software that I would call essential. It lets you get the path or directory location of any file on your Windows system by right-clicking on the file. Here’s the site link.

In addition, if you need to copy UNIX-like paths, you can try out ClipPath, another super software, with similar functionality of appearing in your context menu. I think these kinds of utilities should be in-built in modern operating systems. Windows 7 guys, are you listening?!

Cool AckerPack

Another good piece of software for moi! Great for packaging presentations with dependent files into one executable. Works like compression software, but has the ability to set a default file to launch from the packed file.

I found this so useful and necessary just a while ago. There was a presentation I had to provide, and it had an additional file with it with a link on the slide. So I needed to provide everything in one place. Zipping was an option, but I also needed to provide a simple way for the user to run the presentation. Unzipping the file, then selecting the presentation file (and remembering its name) wasn’t a failsafe plan. Much better if the user could just click on one file and everything starts working. And AckerPack did just that!

Here’s the author’s description:

AckerPack instantly compresses any folder into a self-extracting executable! Unlike old ZIP-based tools such as WinZIP, with AckerPack you choose where the files should be unpacked and which compressed file to open after installation. Because you have complete control over the process, AckerPack makes an ideal tool for building eBooks or simple software installations.

Believe it or not, packaging up an entire folder for delivery over the internet only takes three clicks!! Just right-click on any folder and select AckerPack Folder. AckerPack compresses up to 30% better than WinZip and produces a much smarter executable which doesn’t confuse the end-user.

Unfortunately, the developer site has been down for some time now, but here’s the URL just in case: AvatarSoft.com. Here’s an alternate download for it: Softpedia.com

Thanks to Softpedia for keeping a mirror of AvatarSoft :)

Wax Movie Editor

This post is more of a memory note for me than anything else. I often find cool and free software, but don’t have any use for them at that moment. Later on when I do need them, I’ve already forgotten their names or the URL to get them from. So this is my series on free software.

I gave Wax Movie Editor a try and it certainly looks good. Sort of like the familiar Windows Movie Maker, but with extra functions. Here’s the link: http://www.debugmode.com/wax/

Using SQLPlus

Prelude – Have begun learning Oracle as part of my Databases course.

I found a lot of tutorials on writing SQL in Oracle and getting info about the tables, but there are a few tutorials that explain how to actually type the commands into the SQLPlus editor. This is for those of us who do not have access to the web-driven version. The thing I was searching for was how to delete a mistake!

As stupid and weird as that sounds, if you’ve typed something in and pressed the BACKSPACE key, you’ll know what I mean: on the server I have access to, the BACKSPACE key does not erase things I type into SQLPlus. Instead it prints out ‘funny’ characters: ^H

Actually, neither does the DELETE key, for two reasons:

  • Pressing the BACK arrow key will print more funny characters: ^[[D
  • Pressing the DELETE key itself will give you more of those: ^[[3~

So all I was looking for was what to press to erase characters in SQLPlus. By trial-and-error, I found the following stuff:

  • To erase entire words, press CTRL + W
  • To erase single characters, press CTRL + BACKSPACE

Catching radio signals on a computer

It was 2AM in the morning (night?). I had just woken up and had a glass of water (can’t remember very well). Then my room-mate (Andrew’s his name) told me about this strange noise he had heard in his headset while playing on his XBox. As he focused on it more, he had found that it was actually a local radio station! How did Andrew manage to get the signals of a radio station on his headset?…

This is more of a write-up than a tutorial, because there were so many factors that led to this strange incident with my room-mate: he was able to pick up local radio channels on the headset connected to his desktop. It was so scientific (there were various technical details), yet so social (his lifestyle contributed). First of all, here’s a list of devices I suspect were involved:

  • An old-model IBM metal-based keyboard
  • A “Turtle Beach” headset
  • The headset wire connecting to the desktop
  • The ViewSonic desktop
  • A close-by radio mast transmitting signals

And here are the attributes of the room and other social factors that may have contributed:

  • My room-mate’s bed had a considerable metal frame
  • There were coins behind the keyboard
  • It was during the night, around 2AM
  • It was very cold (location Washington DC)

From some research Andrew did on the Internet, it seems that because of the cold and the night, the signals coming from the mast of the radio station nearby travelled lower than normal. Another contributing factor would be the IBM keyboard which has an internal metal frame for pressing the keys.

This incident was fascinating to me more so because of all the varying factors that came into play: if the keyboard had been an ordinary one with a plastic depression frame, or maybe if his bed had not been raised above his desktop (see picture), and so on, this might not have happened.

The Location

win32:rontokbr-I2 Worm Infection

Symptoms

  • Your registry is disabled
  • Your system might be performing less than usual

Epilogue

I haven’t researched this worm very thoroughly. It seems simple and is handled by just 2 files:

C:\WINDOWS\eksplorasi.exe

C:\WINDOWS\shellnew\sempalong.exe

Please note that I am not affiliated with any brands or software mentioned in this article.

Infection

The basic infection method is that the worm adds itself to the system’s “Shell” launch value under the Winlogon key. This registry value is responsible for loading “explorer.exe”, which is the parent of much of the other software that runs on the PC.

Cure

The cure (as far as I can tell) for the strain that I encountered is simple. However, before trying it, I suggest you try out a-Squared Free. I find this software pretty reliable in detecting and removing ordinary trojans and worms (a feature lacking in most anti-virus products I have tried).

We need the following tools for it (most of this is just to get to the registry, which this worm disables):

Step 1. Run Process Explorer and try to locate the above-named files running. If found, kill them.

Step 2. Use KillBox to delete the above files (I assume you have read their manual). If you have to, select the “Delete on ReBoot” option.

Step 3. Use ID System Optimizer to re-enable the Registry:

a. Navigate through “APPLICATIONS>Regedit>Disable Regedit”

b. When you click on “Disable Regedit”, a setting called “Enable Regedit” will appear on the right side. This will be turned to “No”. Click on it to make it “Yes”.

c. Click the “Apply Settings” button.

Step 4. Remove the infected key of the worm in the registry

a. Click “Run” from the Start Menu and type “regedit”. The registry opens. Now navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

b. Right-click on “Shell” and select “Modify”. In the window that opens, you will see a text box called “Value Data” reading something like:

Explorer.exe “C:\WINDOWS\eksplorasi.exe”

c. Modify it to read ONLY “explorer.exe”. That is, delete the whole “C:\WINDOWS\eksplorasi.exe” part.

d. Also note the capital “E” in “Explorer”. This usually gives an indication of an infection because the correct entry has a small “e”. If your value doesn’t include “C:\WINDOWS\eksplorasi.exe” but has a capital “E”, there is a possibility that the “explorer.exe” file might have been infected internally! [I could not verify this completely]

Step 5. Restart your PC
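An added example (not from the original post) that automates the check in Step 4 above on a regedit export instead of clicking through regedit: it reads a .reg file, pulls the Winlogon “Shell” value named in the Useful Registry Locations post, and fails unless it is exactly “explorer.exe”; the same helper lists the entries of a Run key. regedit exports are UTF-16, so convert with `iconv -f UTF-16 -t UTF-8` first; both exports in the demo are constructed samples, and the infected one mirrors the value shown in Step 4.

```shell
#!/bin/sh
# Added example (not from the original post): check a regedit export (.reg) for the
# tampered Winlogon "Shell" value from Step 4, and list the entries of a Run key.
# regedit exports UTF-16; convert with `iconv -f UTF-16 -t UTF-8` first.
# Both exports below are constructed samples.

WINLOGON='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
RUN_HKLM='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Print every "name"=value line inside the [key] section of a .reg file. The key
# goes through ENVIRON, not awk -v, so its backslashes are not reinterpreted.
reg_entries() {
    KEY="[$2]" awk '
        { sub(/\r$/, "") }                       # tolerate CRLF exports
        $0 == ENVIRON["KEY"] { inkey = 1; next }
        /^\[/                { inkey = 0 }
        inkey && /^"/        { print }
    ' "$1"
}

# Print the raw value of one named entry (quotes and .reg escaping are kept).
reg_value() {
    reg_entries "$1" "$2" | NAME="\"$3\"=" awk '
        index($0, ENVIRON["NAME"]) == 1 { print substr($0, length(ENVIRON["NAME"]) + 1) }'
}

# Succeed only when Shell is exactly "explorer.exe": anything appended (the worm's
# eksplorasi.exe) fails, as does "Explorer.exe", which the post treats as a warning sign.
shell_is_clean() {
    [ "$(reg_value "$1" "$WINLOGON" Shell)" = '"explorer.exe"' ]
}

# Demo on two constructed exports (the "Windows Registry Editor" header line omitted).
CLEAN=$(mktemp); INFECTED=$(mktemp)
cat > "$CLEAN" <<'EOF'
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
EOF
cat > "$INFECTED" <<'EOF'
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\eksplorasi.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SampleApp"="C:\\Program Files\\Sample\\app.exe"
EOF
shell_is_clean "$CLEAN"    && echo "clean export: Shell value OK"
shell_is_clean "$INFECTED" || echo "infected export: Shell value tampered"
reg_entries "$INFECTED" "$RUN_HKLM"   # review what else starts with the session
rm -f "$CLEAN" "$INFECTED"
```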

Prologue

These were the steps I took to remove the worm. I had discovered it by accident one day when the system gave a “File not found” error message showing this strangely named file “eksplorasi.exe”. [There’s probably a bug in the worm itself!] After some research on the Internet, I was able to find the name of the worm, but not much else. So I decided to document this, just for reference.
