EMERGENCY - need to secure my server against an ongoing SPAMMER

Jude DaShiell jdashiel at shellworld.net
Sun Mar 13 01:11:40 UTC 2005


To check for root kits, you could download and unpack chkrootkit, then,
in the directory chkrootkit makes, run the command make <cr>. After the
make gets done, type chkrootkit -q >chkrootkit.log <cr>. Then less
chkrootkit.log will tell you about any rootkit compromises that were
found on your machine.  You have got to be root and off line to make and
run. Why it is Bastille didn't download chkrootkit and compile it for you
I don't know.  Security hardening packages not only need to be Linux
flavor and version agnostic, they need to check your system and at least
offer you the opportunity to download and correctly configure and install
add-on security software.  Failure to do so makes them no better than
anything produced by Microsoft, and all that corporation could produce
that I'd buy in the future would be vacuum cleaners and jet engines,
because both of them really suck.

On Fri, 11 Mar 2005, Will Yardley wrote:

> On Fri, Mar 11, 2005 at 10:41:03AM +0000, Bob Brennan wrote:
>
>> Sorry for the brevity here but I woke this morning to find my
>> mailserver sending 1000+ rejected email notices to postmaster@, and it
>> was increasing by the minute. I have shut down Sendmail and am
>> removing all relay permissions (I hope) but have a few issues that
>> need to be resolved quickly before going back online - knowing the
>> spammer will be retrying and my legitimate users are losing services.
>
> In addition to the other stuff that people mentioned, you should
> probably check your HTTP logs and running processes to see if someone
> compromised a user account (via a hole in an insecure PHP or Perl
> script, for example) on your system. If you were running a vulnerable
> kernel, you'd want to strongly consider the possibility of a root
> exploit.
>
> I'd suggest checking ps and netstat output (copying ps and netstat from
> a known good machine), and also running nmap on the machine from another
> machine to see if any weird ports are open.
>
> Deleting the messages was a bad idea... viewing the contents of the
> messages could have been helpful in figuring out what was going on.
>
> However, looking in your LOGS might also give you an idea of what UID
> was sending the messages, where they were sending them, etc.
>
> w
>
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
>
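Will's point about reading the mail logs to see which UID was submitting the messages, and the open-relay versus compromised-account question behind the whole thread, as an added example that is not from any poster here. It assumes sendmail-style maillog lines, where the relay= field of a from= entry names either a local account (user@localhost) or a remote SMTP client; the sample log lines are constructed.

```shell
#!/bin/sh
# Added triage helper (hypothetical; not from any poster in this thread).
# sendmail logs each accepted message with a "from=<...>" line whose
# "relay=" field names where the message was submitted from:
#   relay=apache@localhost   a local account ran /usr/sbin/sendmail
#   relay=[203.0.113.7]      a remote client spoke SMTP to the server
# Counting that field shows whether you are looking at an open relay or
# at a compromised local account (the "what UID was sending" question).

# Constructed sample maillog lines; not from the original poster's box.
SAMPLE_MAILLOG='Mar 11 09:12:01 mx sendmail[4101]: j2B9C1aa004101: from=<apache@mx.example.org>, size=812, class=0, nrcpts=1, msgid=<200503110912.j2B9C1aa004101@mx.example.org>, relay=apache@localhost
Mar 11 09:12:01 mx sendmail[4103]: j2B9C1aa004101: to=<victim1@example.net>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30812, relay=mail.example.net. [192.0.2.25], dsn=2.0.0, stat=Sent
Mar 11 09:12:02 mx sendmail[4102]: j2B9C2aa004102: from=<apache@mx.example.org>, size=815, class=0, nrcpts=1, msgid=<200503110912.j2B9C2aa004102@mx.example.org>, relay=apache@localhost
Mar 11 09:12:05 mx sendmail[4110]: j2B9C5aa004110: from=<bob@mx.example.org>, size=2310, class=0, nrcpts=1, msgid=<200503110912.j2B9C5aa004110@mx.example.org>, relay=bob@localhost
Mar 11 09:12:07 mx sendmail[4115]: j2B9C7aa004115: from=<sales@bogus.example>, size=900, class=0, nrcpts=50, msgid=<20050311091207.abc@bogus.example>, relay=[203.0.113.7]'

# relay_sources: read maillog text on stdin, print "count source" pairs
# for message submissions (from= lines only), busiest source first.
# Delivery (to=) lines also carry relay=, so they are filtered out.
relay_sources() {
    grep 'from=<' \
      | sed -n 's/.*relay=\([^ ,]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# top_source: the single busiest submission source.
top_source() {
    relay_sources | awk 'NR == 1 { print $2 }'
}

# source_count SOURCE: number of submissions from SOURCE (0 if none seen).
source_count() {
    relay_sources | awk -v s="$1" '$2 == s { print $1; f = 1 } END { if (!f) print 0 }'
}

# Stand-alone run on the constructed sample; on a real box you would use
#   relay_sources < /var/log/maillog
printf '%s\n' "$SAMPLE_MAILLOG" | relay_sources
```

A local account at the top of that list points at a compromised script or user (check its processes and the web logs, as suggested above); a remote address at the top points at relay abuse.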