I did some digging.
I remembered that during the software update ports 80 and 53 were opened while the web and DNS services were still off, and 22 dropped. After the update, which takes about 2½ hours, I configured the web and DNS services.
I remembered that the DNS service was up and running before going home. On the next day when I checked the services, named was off and I turned it on. I thought it was kind of weird.
Looking further, a bind failure for a certain service (like port 22) was found in the logs. It failed to bind because the service port was already in use.
Is it safe to say that the hacker made its way from those ports and installed the rootkit from there?
Thanks.
On 4/29/06, eric draven <[EMAIL PROTECTED]> wrote:
some mail scanners, e.g. qmail-scanner, are detected as LKMs....
better yet, do a fresh install, and plug in rkhunter/chkrootkit immediately...
On 4/28/06, seekuel <[EMAIL PROTECTED]> wrote:
Hi guys,
I'm using CentOS 4.3 as my email server, postfix as MTA, and
open-xchange as webmail.
I installed chkrootkit and rkhunter. The configuration is that rkhunter
and chkrootkit will execute every 3am and email their results to the
administrator account.
I found this report with chkrootkit and was also surprised that an
email account was created. I think that the system is compromised.
How do I deal with this issue?
Any help is well appreciated.
Thanks,
Sandeil
Here is the output of chkrootkit:
---------
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 2 process hidden for readdir command
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/snort-plain)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
--
Suddenly, I heard a tapping, as of someone gently rapping, rapping at my chamber door...

