To check for root kits, you could download and unpack chkrootkit, then,
in the directory chkrootkit makes, run the command make sense <cr> After the
make gets done, type chkrootkit -q >chkrootkit.log <cr> Then less
chkrootkit.log will tell you about any rootkit compromises that were
found on your machine. You've got to be root and offline to make and run it.
Why it is Bastille didn't download chkrootkit and compile it for you I
don't know. Security hardening packages not only need to be Linux flavor
and version agnostic, they need to check your system and at least offer
you the opportunity to download and correctly configure and install add-on
security software. Failure to do so makes them no better than anything
produced by Microsoft, and the only things that corporation could produce
that I'd buy in the future would be vacuum cleaners and jet engines, because
both of them really suck.
On Fri, 11 Mar 2005, Will Yardley wrote:
On Fri, Mar 11, 2005 at 10:41:03AM +0000, Bob Brennan wrote:
Sorry for the brevity here but I woke this morning to find my
mailserver sending 1000+ rejected email notices to postmaster@, and it
was increasing by the minute. I have shut down Sendmail and am
removing all relay permissions (I hope) but have a few issues that
need to be resolved quickly before going back online - knowing the
spammer will be retrying and my legitimate users are losing services.
In addition to the other stuff that people mentioned, you should
probably check your HTTP logs and running processes to see if someone
compromised a user account (via a hole in an insecure PHP or Perl
script, for example) on your system. If you were running a vulnerable
kernel, you'd want to strongly consider the possibility of a root
exploit.
I'd suggest checking ps and netstat output (copying ps and netstat from
a known good machine), and also running nmap on the machine from another
machine to see if any weird ports are open.
Deleting the messages was a bad idea... viewing the contents of the
messages could have been helpful in figuring out what was going on.
However, looking in your LOGS might also give you an idea of what UID
was sending the messages, where they were sending them, etc.
w
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
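Will's point about reading the logs to see which user or host was injecting the mail can be turned into a quick triage script. The following is an added example, not code from anyone in this thread: it takes sendmail "from=" log lines and tallies them by the relay field, which for locally submitted mail shows the submitting user (user@localhost) and for network submissions shows the client address. The sample log lines are constructed for the example; the function names count_submitters and recipients_by_submitter are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise who is submitting mail to
# sendmail, from the "from=" lines in /var/log/maillog.
# The sample lines below are constructed, not taken from the poster's machine.
# In real use, replace "$SAMPLE_LOG" with "$(cat /var/log/maillog)".

SAMPLE_LOG='Mar 11 09:02:11 mx sendmail[4411]: j2B92BAb004411: from=www, size=512, class=0, nrcpts=50, msgid=<1@x>, relay=www@localhost
Mar 11 09:02:12 mx sendmail[4413]: j2B92CAb004413: from=www, size=514, class=0, nrcpts=50, msgid=<2@x>, relay=www@localhost
Mar 11 09:03:40 mx sendmail[4420]: j2B93eAb004420: from=<bob@example.org>, size=900, class=0, nrcpts=1, msgid=<3@x>, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Mar 11 09:04:01 mx sendmail[4425]: j2B941Ab004425: from=<sales@example.net>, size=2000, class=0, nrcpts=200, msgid=<4@x>, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Mar 11 09:04:02 mx sendmail[4425]: j2B941Ab004425: to=<a@b.c>, delay=00:00:01, stat=Sent'

# count_submitters LOGTEXT
# Prints "count relay" lines, most frequent first, one per distinct relay.
# A local user such as www@localhost at the top of the list points at a
# compromised account or web script on the box itself rather than an open relay.
count_submitters() {
    printf '%s\n' "$1" |
    awk '/ from=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^relay=/) { sub(/^relay=/, "", $i); print $i }
         }' |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# recipients_by_submitter LOGTEXT
# Sums nrcpts= per relay, so a submitter fanning out to hundreds of
# recipients per message stands out even with few log lines.
recipients_by_submitter() {
    printf '%s\n' "$1" |
    awk '/ from=/ {
            n = 0; r = "";
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^nrcpts=/) { v = $i; sub(/^nrcpts=/, "", v); sub(/,$/, "", v); n = v }
                if ($i ~ /^relay=/)  { r = $i; sub(/^relay=/, "", r) }
            }
            total[r] += n
         }
         END { for (r in total) print total[r], r }' | sort -rn
}

# Stand-alone usage against the constructed sample:
echo "Messages by submitter:";   count_submitters "$SAMPLE_LOG"
echo "Recipients by submitter:"; recipients_by_submitter "$SAMPLE_LOG"
```

Only lines carrying from= are counted, so the to=/stat= delivery lines are ignored. For local submissions sendmail records the submitting login in the relay field, which answers Will's question about the sending UID directly; for network submissions the relay field gives the client address, which is what you would compare against your relay permissions.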