Hi Seekuel,

You can check which program is listening on which port with the command netstat -ap.

You can also get a process tree with ps ajxf, which lets you check the parent <-> child relationship of each process. If a process looks shady, kill it by sending it a SIGKILL (kill -9 proc name) and see if it spawns back. You can also try to debug the program (using gdb) or use strace to get a glimpse of what it does at a very low level. You can also use md5sum -c to check whether the running program is really valid.

Aside from these commands, you can also try running nessus against your machines (get your manager's permission first :) ) to check for vulnerabilities on your system/s and help you harden your machine.

Finally, after checking all your programs, you can also try and experiment with NIDS/HIDS solutions to help you secure your network (Snort and Tripwire).

You can also try checking the following sites for Linux/Unix security information:
- www.linuxsecurity.com
- phrack.org
- packetstormsecurity.linux.com
- securityfocus.com
- hackinglinuxexposed.com
- faqs.org/docs/securing

Just be careful in going to shady sites :)

On 5/1/06, seekuel <[EMAIL PROTECTED]> wrote:
> I did some digging. I remembered that during the software update, ports 80 and 53 were opened while the web and DNS services were still off, and 22 was dropped. After the update, which took about 2 and a half hours, I configured the web and DNS services. I remembered that the DNS service was up and running before going home. On the next day, when I checked the services, named was off and I turned it on. I thought it was kind of weird. Looking further, a bind failure for a certain service (like port 22) was found in the logs. It failed to bind because the service port was already in use. Is it safe to say that the hacker made its way in from those ports and installed the rootkit from there?
>
> Thanks.
>
> On 4/29/06, eric draven <[EMAIL PROTECTED]> wrote:
> > some mail scanners, e.g. qmail-scanner, are detected as LKMs.... better yet, do a fresh install, and plug in rkhunter/chkrootkit immediately...
> >
> > On 4/28/06, seekuel <[EMAIL PROTECTED]> wrote:
> > > Hi guys,
> > >
> > > I'm using CentOS 4.3 as my email server, postfix as MTA, and open-xchange as webmail. I installed chkrootkit and rkhunter. The configuration is that rkhunter and chkrootkit will execute every 3am and email their results to the administrator account. I found this report from chkrootkit and was also surprised that an email account was created. I think that the system is compromised. How do I deal with this issue? Any help is well appreciated.
> > >
> > > Thanks,
> > > Sandeil
> > >
> > > Here is the output of chkrootkit:
> > > ---------
> > > Checking `asp'... not infected
> > > Checking `bindshell'... not infected
> > > Checking `lkm'... You have 2 process hidden for readdir command
> > > You have 2 process hidden for ps command
> > > chkproc: Warning: Possible LKM Trojan installed
> > > Checking `rexedcs'... not found
> > > Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/snort-plain)
> > > Checking `w55808'... not infected
> > > Checking `wted'... chkwtmp: nothing deleted
> > > Checking `scalper'... not infected
> > > Checking `slapper'... not infected
> > > Checking `z2'... chklastlog: nothing deleted
> > > Checking `chkutmp'... chkutmp: nothing deleted
> > >
> > > _________________________________________________
> > > Philippine Linux Users' Group (PLUG) Mailing List
> > > [email protected] (#PLUG @ irc.free.net.ph)
> > > Read the Guidelines: http://linux.org.ph/lists
> > > Searchable Archives: http://archives.free.net.ph
> >
> > --
> > Suddenly, I heard a tapping, as of someone gently rapping, rapping at my chamber door...
--
Xander R. Solis
-----------------------
xrsolis.blogspot.com
"Don't part with your illusions. When they are gone you may still exist, but you have ceased to live."
GNUPG Key: 1024D/5257774A
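A worked example of two of the checks suggested at the top of this reply: a chkproc-style sweep for PIDs that answer a direct stat() on /proc/<pid> but are missing from the directory listing or from ps, and the md5sum -c baseline for the binaries you rely on (netstat, ps, md5sum itself). This is added illustration, not code from the thread or from chkrootkit; it assumes a Linux procfs at /proc, coreutils md5sum and procps ps, and the 65536 PID cap is only there to keep the example quick. It also skips thread IDs, because every thread of a daemon answers stat() on /proc/<tid> while readdir and ps list only thread-group leaders; that is one common benign cause of the "process hidden" warning.

```shell
#!/bin/sh
# Added example, not from the thread or from chkrootkit. Two checks that mirror
# the advice above: a chkproc-style sweep for PIDs hidden from readdir/ps, and a
# md5sum -c baseline for the binaries you rely on (netstat, ps, md5sum itself).
# Assumptions: Linux procfs at /proc, coreutils md5sum, procps ps; the 65536 PID
# cap only keeps the example quick and should be dropped for a real sweep.

# PIDs that answer a direct stat() on /proc/<pid>. A rootkit that filters the
# directory listing (getdents) does not intercept stat(), so this set is a
# better ground truth than `ls /proc`.
live_pids() {
    [ -d /proc/self ] || return 0                  # no procfs here: nothing to check
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    if [ "$max" -gt 65536 ]; then max=65536; fi    # assumed cap, see header
    pid=1
    while [ "$pid" -le "$max" ]; do
        if [ -d "/proc/$pid" ]; then
            # /proc/<tid> exists for every thread, but readdir and ps show only
            # thread-group leaders; skipping non-leaders avoids the classic
            # chkproc false alarm on threaded daemons.
            tgid=$(awk '/^Tgid:/ {print $2}' "/proc/$pid/status" 2>/dev/null || true)
            [ "$tgid" = "$pid" ] && echo "$pid"
        fi
        pid=$((pid + 1))
    done
    return 0
}

readdir_pids() { ls /proc | grep -E '^[0-9]+$'; return 0; }   # what `ls /proc` shows
ps_pids()      { ps -e -o pid= | tr -d ' '; return 0; }       # what `ps` shows

# _missing_from SNAPSHOT_FN: live PIDs absent from SNAPSHOT_FN's output. A PID is
# reported only if it is still live and still absent on a second snapshot, so a
# process that started or exited between the snapshots is not a false alarm.
_missing_from() {
    snap=$1
    seen=$($snap)
    for pid in $(live_pids); do
        printf '%s\n' "$seen" | grep -qx "$pid" && continue
        if [ -d "/proc/$pid" ] && ! $snap | grep -qx "$pid"; then
            echo "$pid"
        fi
    done
    return 0
}

hidden_from_readdir() { _missing_from readdir_pids; }   # chkproc: "hidden for readdir"
hidden_from_ps() {                                      # chkproc: "hidden for ps"
    command -v ps >/dev/null 2>&1 || return 0
    _missing_from ps_pids
}

# make_baseline DIR MANIFEST: hash every regular file under DIR into MANIFEST.
# MANIFEST must live outside DIR (and ideally off the box) or it hashes itself.
make_baseline() {
    (cd "$1" && find . -type f -exec md5sum {} + | sort -k 2) > "$2"
}

# verify_baseline DIR MANIFEST: md5sum -c prints only the files that differ
# ("./bin/ps: FAILED") and exits non-zero if any did. MANIFEST must be an
# absolute path because the check runs from inside DIR.
verify_baseline() {
    (cd "$1" && md5sum -c --quiet "$2")
}

# Stand-alone use: sh check.sh --scan   (prints hidden PIDs, one per line)
if [ "${1:-}" = "--scan" ]; then
    echo "hidden from readdir:"; hidden_from_readdir
    echo "hidden from ps:";      hidden_from_ps
fi
```

Both checks run on the suspect host and so trust its kernel and its md5sum binary; a kernel-level rootkit can lie to both, which is why the manifest should be built from a known-good install, kept off the box, and compared after booting from clean media if the box is really in doubt. sha256sum reads the same manifest format as md5sum -c if you want a stronger hash than MD5.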

