Suspected Intruder
Bob Bruno - K2KI
k2ki at starc.org
Thu Jan 6 16:48:54 UTC 2005
Another thing that may cause this problem is that someone who has you in their
address book was hit by a worm. The worm may have attempted to send itself
using your email address (spoof)? I sometimes get these return messages.
Bob Bruno - K2KI
k2ki at starc.org
----- Original Message -----
From: "Scot L. Harris" <webid at cfl.rr.com>
To: "Fedora List" <fedora-list at redhat.com>
Sent: Thursday, January 06, 2005 11:34 AM
Subject: Re: Suspected Intruder
> On Thu, 2005-01-06 at 10:38, Don Flinn wrote:
> > I suspect that an intruder may be using my node to send e-mail, because
> > I have received some notices from my e-mail daemon that such and such
> > was not available when I never sent e-mail to that person/address.
> >
> > How do I check if someone is logged in/using my machine? I'm running
> > FC3.
>
> First you may just be getting rejects from messages that have used your
> email accounts in forged from headers. This is very common. And not
> much you can do about it.
>
> Second, are you running an MTA on your system? If you are then you need
> to verify that it is not an open relay. If you are not currently
> running an MTA then this should not be an issue.
>
> If you suspect your system has been compromised you can try running
> chkrootkit or rkhunter (I think that is the correct name for the second
> one). These packages attempt to identify common root kit traces.
>
> Check your log files for login activity. Of course if someone has
> compromised your system they may be able to cover their traces.
>
> If you have not done so you should install tripwire. This will keep a
> watch on critical files on your system looking for changes. If someone
> does compromise your system tripwire should alert you to any changes
> they make. But this must be set up when you know your system is secure,
> not after.
>
> If you really do believe your system has been compromised the only safe
> thing to do is rebuild it from scratch. It is virtually impossible to
> make sure you have cleaned a system up once it has been compromised.
>
> Good luck.
>
> --
> Scot L. Harris
> webid at cfl.rr.com
>
> sillema sillema nika su
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
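Scot's advice above to check the log files for login activity, as an added example that is not from the thread: a small POSIX shell script that summarises sshd entries from a /var/log/secure-style file and flags accepted logins from addresses outside an assumed allow-list (the log lines and the allow-list are constructed sample data).

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd login activity from a
# /var/log/secure-style file. The log lines below are constructed sample data.

SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_LOG.allow"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan  6 09:12:01 fc3box sshd[2231]: Accepted password for don from 192.0.2.10 port 51022 ssh2
Jan  6 09:40:17 fc3box sshd[2290]: Failed password for illegal user test from 198.51.100.7 port 40011 ssh2
Jan  6 09:40:19 fc3box sshd[2290]: Failed password for illegal user admin from 198.51.100.7 port 40012 ssh2
Jan  6 09:40:22 fc3box sshd[2292]: Failed password for root from 198.51.100.7 port 40013 ssh2
Jan  6 23:58:03 fc3box sshd[3107]: Accepted publickey for root from 203.0.113.44 port 2222 ssh2
EOF

# Print "count user ip" for every successful sshd login recorded in $1.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) if ($i == "for")  user = $(i+1)
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            c[user " " ip]++
        }
        END { for (k in c) print c[k], k }' "$1" | sort
}

# Count failed sshd password attempts in $1 (brute-force noise, as opposed
# to a login that actually succeeded).
failed_count() {
    grep -c 'sshd\[[0-9]*\]: Failed password' "$1"
}

# Accepted logins whose source address is not in the allow-list file $2
# (one address per line). Anything printed here deserves a closer look.
unexpected_logins() {
    accepted_logins "$1" | awk -v allow="$2" '
        BEGIN { while ((getline l < allow) > 0) ok[l] = 1 }
        !($3 in ok)'
}

# Constructed allow-list: the one address the owner normally logs in from.
printf '%s\n' 192.0.2.10 > "$SAMPLE_LOG.allow"
echo "Accepted logins (count user ip):"; accepted_logins "$SAMPLE_LOG"
echo "Failed password attempts: $(failed_count "$SAMPLE_LOG")"
echo "Accepted logins from addresses not in the allow-list:"
unexpected_logins "$SAMPLE_LOG" "$SAMPLE_LOG.allow"
```

Run it against a real /var/log/secure instead of the sample file to see the same summary for your own machine; as Scot notes, a compromised host's logs may have been edited, so this is a first check, not proof of a clean system.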