Thank you sir. I'll do that. I'm new to actual Linux security and this is one experience I will not forget :)
 
I've seen the logs and traces of an account being added to the email users; the IMAP "subscribed" folders were not deleted, but the user account was deleted.
 
Any suggestions or howtos on hardening CentOS Linux?
 
thanks...

 
On 4/28/06, Xander Solis <[EMAIL PROTECTED]> wrote:
Hi,

You could try to boot into single-user mode, and copy ps from another
Linux machine to check and verify the same output. Don't have the new
ps in the same path as the old ps. Or execute the command
directly (./ps). You could also use check-ps, as another
alternative, to check and verify the running
processes (http://www.la-samhna.de/misc/).

Next step is to check and verify that all data backups are intact; you
would need them especially if it's a production server :) You may
eventually need to re-install the server, as you cannot know for sure
what other malicious code is on that machine if you don't employ a HIDS
to verify filesystem integrity.

Linux kernel rootkits are tricky in that they can change the IDT of
the running Linux machine in real time, so even if you try to run
debugging tools, you will never know whether the memory dump you
see is actually that of the system.

More detailed info on how to handle these incidents is here:
http://www.securityfocus.com/infocus/1738

You can check phrack69, on how this technology is done.

Detecting kernel level rootkits:

http://la-samhna.de/library/rootkits/detect.html

Hope this helps dude.. keep backups in the future :)

Xander



On 4/28/06, seekuel <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> I'm using CentOS 4.3 as my email server, postfix as MTA, and
> open-xchange as webmail.
> I installed chkrootkit and rkhunter. The configuration is that rkhunter
> and chkrootkit execute every day at 3am and email their results to the
> administrator account.
>
> I found this report from chkrootkit and was also surprised that an
> email account was created. I think that the system is compromised.
>
> How do I deal with this issue?
>
> Any help is well appreciated.
>
> Thanks,
>
> Sandeil
>
> Here is the output of chkrootkit:
> ---------
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have 2 process hidden for readdir command
>
> You have 2 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0:
> PF_PACKET(/usr/sbin/snort-plain)
> Checking `w55808'... not infected
>
> Checking `wted'... chkwtmp: nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
> Checking `z2'... chklastlog: nothing deleted
> Checking `chkutmp'... chkutmp: nothing deleted
>
>
>
>
>
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> [email protected] (#PLUG @ irc.free.net.ph)
> Read the Guidelines: http://linux.org.ph/lists
> Searchable Archives: http://archives.free.net.ph
>
>


-- 
Xander R. Solis
-----------------------
xrsolis.blogspot.com

"Don't part with your illusions. When they are gone you may still
exist, but you have ceased to live."

GNUPG Key: 1024D/5257774A



--
Respectfully yours,


Sandeil Tenebro, E.C.E.
www.cts.edu.ph
College of Technological Sciences MIS Department
N. Bacalso Ave., Sambag 1 Cebu City Philippines
Linux Registered User #384410
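Xander's first step (compare what the resident ps reports against the real process table, preferably with a known-good ps copied in from another machine) and the "process hidden for readdir/ps" lines in Sandeil's chkrootkit output are the same check. The script below is an added example for this thread; it is not chkrootkit's code, not check-ps, and not anything either poster ran. It assumes a Linux /proc and a procps-style ps that accepts `-e -o pid=`; the function names and the sample PID lists in `demo` are constructed for illustration. The idea is to obtain three views of the PID space and diff them: a stat() probe of every /proc/<pid> (which a hooked getdents() cannot filter), the readdir() listing of /proc, and the ps output.

```sh
#!/bin/sh
# Added example (not from the thread): cross-check three views of the process
# table to spot PIDs hidden from readdir()/ps, the condition chkrootkit's `lkm`
# test reports. Function names and the sample data in demo() are my own.

# hidden_pids REFERENCE SUSPECT
# Print the PIDs in REFERENCE (newline-separated) that are missing from SUSPECT.
# Non-numeric lines are ignored; output keeps REFERENCE order.
hidden_pids() {
    {
        printf '%s\n' "$2" | sed 's/^/S /'   # suspect list first, so awk indexes it first
        printf '%s\n' "$1" | sed 's/^/R /'
    } | awk '$2 ~ /^[0-9]+$/ { if ($1 == "S") seen[$2] = 1; else if (!seen[$2]) print $2 }'
}

# pids_by_stat MAX: PIDs 1..MAX whose /proc/<pid> exists according to stat().
# A rootkit that only filters getdents() results cannot hide entries from this.
pids_by_stat() {
    pid=1
    while [ "$pid" -le "$1" ]; do
        if [ -d "/proc/$pid" ]; then printf '%s\n' "$pid"; fi
        pid=$((pid + 1))
    done
}

# pids_by_readdir: PIDs as returned by readdir() on /proc (what `ls /proc` sees).
pids_by_readdir() {
    ls /proc | grep -E '^[0-9]+$' || true
}

# pids_by_ps: PIDs reported by the ps binary in $PS (default: the system ps).
# Point PS at a copy from a trusted machine, e.g. PS=./ps, as the thread suggests.
pids_by_ps() {
    "${PS:-ps}" -e -o pid= | tr -d ' '
}

# scan_live: run the comparison on this host (run as root to see every /proc entry).
# A process that exits between passes is a transient false positive, so each hit
# is re-probed before it is reported.
scan_live() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    by_stat=$(pids_by_stat "$max")
    by_readdir=$(pids_by_readdir)
    by_ps=$(pids_by_ps)
    for view in readdir ps; do
        if [ "$view" = readdir ]; then other=$by_readdir; else other=$by_ps; fi
        for pid in $(hidden_pids "$by_stat" "$other"); do
            if [ -d "/proc/$pid" ]; then
                echo "PID $pid exists in /proc but is hidden from $view" \
                     "($(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null))"
            fi
        done
    done
}

# demo: constructed sample lists (not real output) with one PID concealed from ps.
demo() {
    sample_stat=$(printf '1\n2\n517\n4242\n8891\n')
    sample_ps=$(printf '1\n2\n517\n8891\n')
    hidden_pids "$sample_stat" "$sample_ps"    # prints 4242
}

if [ "${1:-}" = "--live" ]; then scan_live; else demo; fi
```

Run it as `PS=/mnt/clean/ps sh hidden_pids.sh --live` as root on the suspect box, with the ps binary copied from a trusted machine and kept outside the normal PATH as Xander describes. Two of the checks disagreeing, as in Sandeil's report, means the kernel or ps is lying about the process table. Note the limit: a kernel-level rootkit that hooks the stat()/getdents() paths consistently can make all three views agree, which is why the thread's advice ends at verified backups and a reinstall rather than at cleaning the box in place.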
