Suspected Intruder

Bob Bruno - K2KI k2ki at starc.org
Thu Jan 6 16:48:54 UTC 2005


Another thing that may cause this problem is someone who has you in their
address book was hit by a worm. The worm may have attempted to send itself
using your email address (spoof)? I sometimes get these return messages.

Bob Bruno - K2KI
k2ki at starc.org

----- Original Message ----- 
From: "Scot L. Harris" <webid at cfl.rr.com>
To: "Fedora List" <fedora-list at redhat.com>
Sent: Thursday, January 06, 2005 11:34 AM
Subject: Re: Suspected Intruder


> On Thu, 2005-01-06 at 10:38, Don Flinn wrote:
> > I suspect that an intruder may be using my node to send e-mail, because
> > I have received some notices from my e-mail daemon that such and such
> > was not available when I never sent e-mail to that person/address.
> >
> > How do I check if someone is logged in/using my machine?  I'm running
> > FC3.
>
> First you may just be getting rejects from messages that have used your
> email accounts in forged from headers.  This is very common.  And not
> much you can do about it.
>
> Second, are you running an MTA on your system?  If you are then you need
> to verify that it is not an open relay.  If you are not currently
> running an MTA then this should not be an issue.
>
> If you suspect your system has been compromised you can try running
> chkrootkit or rkhunter (I think that is the correct name for the second
> one).  These packages attempt to identify common root kit traces.
>
> Check your log files for login activity.  Of course if someone has
> compromised your system they may be able to cover their traces.
>
> If you have not done so you should install tripwire.  This will keep a
> watch on critical files on your system looking for changes.  If someone
> does compromise your system tripwire should alert you to any changes
> they make.  But this must be setup when you know your system is secure
> not after.
>
> If you really do believe your system has been compromised the only safe
> thing to do is rebuild it from scratch.  It is virtually impossible to
> make sure you have cleaned a system up once it has been compromised.
>
> Good luck.
>
> -- 
> Scot L. Harris
> webid at cfl.rr.com
>
> sillema sillema nika su
>
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
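The quoted advice to "check your log files for login activity" is the step most people do by hand with grep. Below is an added example (not part of this thread, and not anything either poster wrote) showing the same check as a few shell functions: summarise successful SSH logins by user and source, count failures per source, and flag any address that succeeded after failing. It assumes syslog-style sshd lines of the kind FC3 wrote to /var/log/secure; the log lines embedded here are constructed sample data, not real captures.

```bash
#!/bin/sh
# Added example, not from the original thread: summarise sshd login events
# from a syslog-style auth log such as /var/log/secure on FC3.
# Assumption: lines look like "... sshd[PID]: Accepted <method> for <user> from <addr> ..."
# and "... sshd[PID]: Failed <method> for [illegal user] <user> from <addr> ...".

# Constructed sample log (not a real capture), written to a file so the
# functions can be exercised offline.
sample_log() {
    cat <<'EOF'
Jan  6 09:02:11 fc3box sshd[2201]: Accepted password for don from 192.0.2.10 port 40112 ssh2
Jan  6 09:40:03 fc3box sshd[2290]: Failed password for illegal user admin from 198.51.100.7 port 3344 ssh2
Jan  6 09:40:05 fc3box sshd[2290]: Failed password for illegal user admin from 198.51.100.7 port 3345 ssh2
Jan  6 09:40:08 fc3box sshd[2291]: Failed password for root from 198.51.100.7 port 3346 ssh2
Jan  6 11:15:42 fc3box sshd[2402]: Accepted publickey for don from 192.0.2.10 port 40220 ssh2
Jan  6 13:01:19 fc3box sshd[2510]: Accepted password for root from 198.51.100.7 port 3390 ssh2
EOF
}

# Print "user source count" for every successful login in the given log file.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "for")  user = $(i+1)
            for (i = 1; i <= NF; i++) if ($i == "from") src  = $(i+1)
            n[user " " src]++
        }
        END { for (k in n) print k, n[k] }' "$1" | sort
}

# Print "source count" of failed attempts; a burst from one address stands out.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (k in n) print k, n[k] }' "$1" | sort
}

# Print each source address that logged in successfully after earlier
# failures from the same address: the trace a guessed password leaves behind.
success_after_failures() {
    awk '/sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i+1)
            if (src in failed) print src
        }' "$1" | sort -u
}

# Stand-alone run against the constructed sample; point these at
# /var/log/secure (as root) to use them on a real system.
LOG=$(mktemp)
sample_log > "$LOG"
echo "accepted logins:";        accepted_logins "$LOG"
echo "failures by source:";     failed_by_source "$LOG"
echo "success after failures:"; success_after_failures "$LOG"
rm -f "$LOG"
```

As the reply above notes, an intruder who has gained root can edit these logs, so a clean result here is only meaningful on a system whose logs you trust; that is why the reply pairs the log check with tripwire and, failing that, a rebuild.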
