On Thu, 2005-01-06 at 10:38, Don Flinn wrote:
> I suspect that an intruder may be using my node to send e-mail, because
> I have received some notices from my e-mail daemon that such and such
> was not available when I never sent e-mail to that person/address.
>
> How do I check if someone is logged in/using my machine? I'm running
> FC3.

First you may just be getting rejects from messages that have used your email accounts in forged from headers. This is very common. And not much you can do about it.

Second, are you running an MTA on your system? If you are then you need to verify that it is not an open relay. If you are not currently running an MTA then this should not be an issue.

If you suspect your system has been compromised you can try running chkrootkit or rkhunter (I think that is the correct name for the second one). These packages attempt to identify common root kit traces.

Check your log files for login activity. Of course if someone has compromised your system they may be able to cover their traces.

If you have not done so you should install tripwire. This will keep a watch on critical files on your system looking for changes. If someone does compromise your system tripwire should alert you to any changes they make. But this must be set up when you know your system is secure, not after.

If you really do believe your system has been compromised the only safe thing to do is rebuild it from scratch. It is virtually impossible to make sure you have cleaned a system up once it has been compromised.

Good luck.

--
Scot L. Harris
webid@xxxxxxxxxx

sillema sillema nika su
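One way to act on the "check your log files for login activity" advice above, as an added example that is not part of the original message: a small parser that reviews sshd authentication lines for logins from unfamiliar addresses and for successful logins that follow repeated failures. It assumes sshd logs in the usual syslog format (on Fedora typically in /var/log/secure); the sample lines are constructed, and the names `review_logins` and `known_sources` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the usual syslog sshd format (not from the original post).
SAMPLE_LOG = """\
Jan  6 02:11:03 node sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4410 ssh2
Jan  6 02:11:09 node sshd[2103]: Failed password for root from 203.0.113.7 port 4416 ssh2
Jan  6 02:11:15 node sshd[2105]: Failed password for don from 203.0.113.7 port 4421 ssh2
Jan  6 02:11:22 node sshd[2107]: Accepted password for don from 203.0.113.7 port 4425 ssh2
Jan  6 09:58:40 node sshd[3310]: Accepted publickey for don from 192.168.1.20 port 50112 ssh2
Jan  6 10:02:17 node sshd[3355]: Failed password for don from 192.168.1.20 port 50140 ssh2
"""

# Older sshd versions log "illegal user", newer ones "invalid user"; accept both.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s\S+\sfor\s(?:(?:invalid|illegal)\suser\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+"
)

def review_logins(lines, known_sources, fail_threshold=3):
    """Return failures per source, accepted logins from unknown sources,
    and accepted logins that followed repeated failures from the same source."""
    failures = Counter()
    unknown, after_failures = [], []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an sshd authentication line
        ts, user, src = m["ts"], m["user"], m["src"]
        if m["result"] == "Failed":
            failures[src] += 1
            continue
        if src not in known_sources:
            unknown.append((ts, user, src))  # login from an address you do not recognise
        if failures[src] >= fail_threshold:
            after_failures.append((ts, user, src))  # success right after guessing
    return {"failures": dict(failures), "unknown": unknown,
            "after_failures": after_failures}

if __name__ == "__main__":
    report = review_logins(SAMPLE_LOG.splitlines(), known_sources={"192.168.1.20"})
    for key, value in report.items():
        print(key, value)
```

As the message notes, an intruder with root access can edit these logs, so a clean result here does not prove the system is clean.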