chkrootkit: possible trojan

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Sat Sep 11 16:39:36 UTC 2004


On Sat, 11.09.2004, Stuart wrote at 16:30:

> I still have (partial?) root access. Logs show china9988 at 21cn.com trying
> to relay through smtp port, which leads me to think that it's either a
> diversion, or I rehashed aliases.db before that part of the compromise
> was complete (highly unlikely, invisible shell access should be able to
> overcome that). NMap shows ports open for WMS and RTSP, which I've yet
> to figure out how to close.

The @21cn.com address relay attempts are by old and still annoying
SPAMmers. I never saw an attack coming from those SPAM IPs, just relay
trials. From 2 of my mail hosts:

$ grep 21cn.com /var/log/maillog* | wc -l
     44
$ grep 21cn.com /var/log/maillog* | wc -l
      8

It has already been much more in the past. A year ago or so I got daily ~
20 relay attempts with these chinamen addresses used.

Regarding the probable rootkit installed: please feed us with all
information you can get about that case. This is to prevent others
running Fedora from becoming rooted! Do you have insecure passwords in use
for the root account? I wonder how a current, up2date FC2 install is
vulnerable.

Alexander
 

-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 18:31:17 up 12 days, 15:47, load average: 0.76, 0.60, 0.52 
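The `grep 21cn.com /var/log/maillog* | wc -l` count above only says how often a string appears. The following is an added example, not code from the original post: it parses constructed sendmail-style maillog lines and tallies "Relaying denied" rejections per sender domain and per connecting relay host, so relay probing from a spam source can be told apart from an actual compromise. It assumes sendmail's convention that the `from=` line and the `ruleset=check_rcpt` reject line of one connection share a queue id.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt (not from the original post), modelled on
# sendmail's log format: two denied relay attempts from one spam source and one
# legitimately delivered message.  Lines sharing a queue id belong together.
SAMPLE_MAILLOG = """\
Sep 11 16:02:11 mx1 sendmail[4711]: i8BE2Bab004711: from=<china9988@21cn.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[198.51.100.23]
Sep 11 16:02:11 mx1 sendmail[4711]: i8BE2Bab004711: ruleset=check_rcpt, arg1=<victim@example.net>, relay=[198.51.100.23], reject=550 5.7.1 <victim@example.net>... Relaying denied
Sep 11 16:05:40 mx1 sendmail[4720]: i8BE5eab004720: from=<china9988@21cn.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[198.51.100.23]
Sep 11 16:05:40 mx1 sendmail[4720]: i8BE5eab004720: ruleset=check_rcpt, arg1=<other@example.org>, relay=[198.51.100.23], reject=550 5.7.1 <other@example.org>... Relaying denied
Sep 11 16:09:02 mx1 sendmail[4733]: i8BE92ab004733: from=<alice@example.com>, size=1523, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
Sep 11 16:09:02 mx1 sendmail[4733]: i8BE92ab004733: to=<bob@localdomain.test>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31523, dsn=2.0.0, stat=Sent
"""

# The from= line carries the envelope sender; the reject line carries the
# relay host and the recipient the client tried to relay to.
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*relay=(?P<relay>.+)$")
REJECT_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*Relaying denied$")


def relay_denials(text):
    """Return one (sender_domain, relay_host, recipient) tuple per denied relay attempt."""
    senders = {}   # queue id -> envelope sender seen on the from= line
    denials = []
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m:
            senders[m.group("qid")] = m.group("sender")
            continue
        m = REJECT_RE.search(line)
        if m:
            sender = senders.get(m.group("qid"), "")
            domain = sender.rsplit("@", 1)[-1] if "@" in sender else "<unknown>"
            denials.append((domain, m.group("relay").strip("[]"), m.group("rcpt")))
    return denials


def relay_denied_by_domain(text):
    return Counter(domain for domain, _, _ in relay_denials(text))


def relay_denied_by_relay(text):
    return Counter(relay for _, relay, _ in relay_denials(text))


if __name__ == "__main__":
    for domain, n in relay_denied_by_domain(SAMPLE_MAILLOG).most_common():
        print(f"{n:4d} relay attempts denied for sender domain {domain}")
    for relay, n in relay_denied_by_relay(SAMPLE_MAILLOG).most_common():
        print(f"{n:4d} denied attempts from relay host {relay}")
```

Run it against a real `/var/log/maillog` by passing the file contents to `relay_denied_by_domain`; a denied count that stays flat while the sender domain keeps changing hosts is ordinary spam probing, not evidence of a foothold.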