Re: EMERGENCY - need to secure my server against an ongoing SPAMMER


 



To check for root kits, you could download and unpack chkrootkit, then run in the directory chkrootkit makes the command make sense <cr>. After the make gets done, type chkrootkit -q >chkrootkit.log <cr>. Then less chkrootkit.log will tell you about any rootkit compromises that were found on your machine. You've got to be root and off line to make and run.

Why it is bastille didn't download chkrootkit and compile it for you I don't know. Security hardening packages not only need to be linux flavor and version agnostic, they need to check your system and at least offer you the opportunity to download and correctly configure and install add-on security software. Failure to do so makes them no better than anything produced by Microsoft, and all that corporation could produce I'd buy in the future would be vacuum cleaners and jet engines, because both of them really suck.

On Fri, 11 Mar 2005, Will Yardley wrote:

On Fri, Mar 11, 2005 at 10:41:03AM +0000, Bob Brennan wrote:

Sorry for the brevity here but I woke this morning to find my
mailserver sending 1000+ rejected email notices to postmaster@, and it
was increasing by the minute. I have shut down Sendmail and am
removing all relay permissions (I hope) but have a few issues that
need to be resolved quickly before going back online - knowing the
spammer will be retrying and my legitimate users are losing services.

In addition to the other stuff that people mentioned, you should probably check your HTTP logs and running processes to see if someone compromised a user account (via a hole in an insecure PHP or Perl script, for example) on your system. If you were running a vulnerable kernel, you'd want to strongly consider the possibility of a root exploit.

I'd suggest checking ps and netstat output (copying ps and netstat from
a known good machine), and also running nmap on the machine from another
machine to see if any weird ports are open.

Deleting the messages was a bad idea... viewing the contents of the
messages could have been helpful in figuring out what was going on.

However, looking in your LOGS might also give you an idea of what UID
was sending the messages, where they were sending them, etc.

w

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
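Added example, not from anyone in this thread: a small Python script that does the log check Will suggests, tallying sendmail "from=" records per relay so the UID behind a burst of outbound mail stands out. It assumes the stock sendmail maillog layout, where locally submitted mail is logged with relay=<user>@localhost and network submissions with a hostname; the log lines below are constructed, and the threshold and function names are my own.

```python
import re
from collections import Counter

# Constructed sendmail-style maillog excerpt (not real traffic). The "to="
# record is there to show that only "from=" records are counted.
SAMPLE_LOG = """\
Mar 11 09:12:01 mx sendmail[4101]: j2B9C1aa004101: from=<alice@example.com>, size=812, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=ws1.example.com [192.0.2.10]
Mar 11 09:12:03 mx sendmail[4102]: j2B9C3bb004102: from=<promo@bulk.invalid>, size=5120, class=0, nrcpts=40, msgid=<2@bulk.invalid>, relay=apache@localhost
Mar 11 09:12:04 mx sendmail[4103]: j2B9C3bb004102: to=<v1@example.org>,<v2@example.org>, delay=00:00:01, mailer=esmtp, relay=mx.example.org. [192.0.2.1], dsn=2.0.0, stat=Sent
Mar 11 09:12:09 mx sendmail[4104]: j2B9C9cc004104: from=<promo@bulk.invalid>, size=5120, class=0, nrcpts=60, msgid=<3@bulk.invalid>, relay=apache@localhost
Mar 11 09:13:15 mx sendmail[4105]: j2B9DFdd004105: from=bob, size=300, class=0, nrcpts=1, msgid=<4@mx>, relay=bob@localhost
"""

# One "from=" record per queued message: envelope sender, recipient count, submitting relay.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\S+): from=(?P<sender>[^,]+), .*?nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>\S+)"
)


def summarize_senders(log_text):
    """Group queued messages by the relay that submitted them.

    Returns {relay: {"messages": n, "recipients": n, "senders": Counter}}.
    """
    stats = {}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue  # "to=" records and unrelated lines are skipped
        rec = stats.setdefault(m.group("relay"),
                               {"messages": 0, "recipients": 0, "senders": Counter()})
        rec["messages"] += 1
        rec["recipients"] += int(m.group("nrcpts"))
        rec["senders"][m.group("sender")] += 1
    return stats


def suspicious_local_submitters(stats, min_recipients=100):
    """Local submissions log as relay=<user>@localhost; that user is the UID to inspect.

    Returns (username, total_recipients) pairs at or above the threshold (assumed value).
    """
    return sorted(
        (relay.split("@", 1)[0], rec["recipients"])
        for relay, rec in stats.items()
        if relay.endswith("@localhost") and rec["recipients"] >= min_recipients
    )


if __name__ == "__main__":
    stats = summarize_senders(SAMPLE_LOG)
    for relay, rec in sorted(stats.items(), key=lambda kv: -kv[1]["recipients"]):
        print(f"{relay:28} msgs={rec['messages']:4} rcpts={rec['recipients']:5} "
              f"top sender={rec['senders'].most_common(1)[0][0]}")
    print("investigate local users:", suspicious_local_submitters(stats))
```

Run it against a real /var/log/maillog instead of SAMPLE_LOG; a web-server user such as apache at the top of the list points back at the insecure script Will mentions rather than at the mailer itself.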



