+++ Marikkannan Rajagopal [2012-10-03 15:17:55]:

> I configured the mail server (postfix+roundcube). Now I received a mail from
> Rackspace saying my server was accessing caltech.edu without permission.
> And they sent the log details like
> 
> 1001.21:50:07.229 50.56.221.50 46584 131.215.100.71 22 6 12
> 1001.21:50:07.741 50.56.221.50 45033 131.215.100.238 22 6 12
> 1001.21:50:07.868 50.56.221.50 52074 131.215.101.120 22 6 12
> 1001.21:50:07.483 50.56.221.50 51916 131.215.101.120 22 6 12
> 1001.21:50:08.317 50.56.221.50 52221 131.215.101.120 22 6 12

Your machine has most likely been compromised/r00ted by some worm and is now
looking for other machines to infect. (The other possibility is you have some
kind of open proxy configured on your server and it is being exploited to
scan other machines).

> And I logged in to my cloud server through ssh and I checked "nmap localhost";
> there I got some error and I could not get the port and respective service.
> I made the software update and rebooted the machine; it was working fine.

The nmap run is absolutely useless since the worm/scanner won't be listening
on "localhost".

Running software updates after you've been compromised is not useful either.

Try running "lsof -n |grep TCP" and see if you find anything suspicious;
chances are there will be a rootkit installed which would hide the process
from you.

>  But I want to know "whether the issue about caltech was there, or what was
>  the nature of that problem"; only then can I manage the issue.

Also look at the output of "last -a" and see if you find any logins from any
IP/IPs other than yours.

If you don't have anything critical running on the server you are probably
better off just re-imaging it and using more secure passwords or switching to
key-based auth.

Kingsly


-- 
---------------------------------------------------------------------------
     Kingsly At Users Dot SourceForge Dot Net  -- http://kingsly.org/
---------------------------------------------------------------------------
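As an added example (not part of the thread, and not Kingsly's or Rackspace's code), here is a small offline script for the two checks the reply recommends: making sense of the abuse-report lines quoted above, and going through "last -a" output for logins from addresses that are not yours. The column layout of the report lines (MMDD.HH:MM:SS.mmm, source IP, source port, destination IP, destination port, IP protocol number, one trailing field) is my assumption; the thread never explains it. The "last -a" sample and its IP addresses are constructed for the example.

```python
"""Added triage helpers for the checks suggested in the reply above.

  1. Parse the abuse-report lines and see whether they look like an
     outbound sweep (one source, one service port, many hosts, seconds apart).
  2. Parse `last -a` output and list logins from hosts you do not recognise.

Column meaning of the report lines is an assumption; the `last -a` text is
constructed sample data so the module runs without a server.
"""
import re
from collections import defaultdict
from datetime import datetime

# The five lines quoted in the thread. Assumed layout (not stated there):
# MMDD.HH:MM:SS.mmm  src_ip  src_port  dst_ip  dst_port  ip_proto  extra
REPORT = """\
1001.21:50:07.229 50.56.221.50 46584 131.215.100.71 22 6 12
1001.21:50:07.741 50.56.221.50 45033 131.215.100.238 22 6 12
1001.21:50:07.868 50.56.221.50 52074 131.215.101.120 22 6 12
1001.21:50:07.483 50.56.221.50 51916 131.215.101.120 22 6 12
1001.21:50:08.317 50.56.221.50 52221 131.215.101.120 22 6 12
"""

# Constructed `last -a` output (hostname/IP is the last column with -a).
# Addresses are RFC 5737 documentation ranges, not real hosts.
LAST_OUTPUT = """\
root     pts/0        Wed Oct  3 02:14   still logged in    203.0.113.7
root     pts/1        Tue Oct  2 23:51 - 00:07  (00:15)     198.51.100.23
root     pts/0        Tue Oct  2 10:02 - 10:40  (00:38)     203.0.113.7
reboot   system boot  Wed Oct  3 01:58         (00:16)      2.6.32-xen

wtmp begins Mon Oct  1 00:00:00 2012
"""

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_report(text, year=2012):
    """Split report lines into dicts. The year is absent from the line, so pass it."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        ts = datetime.strptime(f"{year}{parts[0]}", "%Y%m%d.%H:%M:%S.%f")
        rows.append({"time": ts, "src": parts[1], "sport": int(parts[2]),
                     "dst": parts[3], "dport": int(parts[4]),
                     "proto": int(parts[5]), "extra": parts[6:]})
    return rows


def summarize(rows):
    """Per source address: connection count, distinct targets, ports, time span."""
    per_src = defaultdict(list)
    for r in rows:
        per_src[r["src"]].append(r)
    out = {}
    for src, rs in per_src.items():
        times = sorted(r["time"] for r in rs)
        out[src] = {
            "connections": len(rs),
            "distinct_dst": len({r["dst"] for r in rs}),
            "dports": sorted({r["dport"] for r in rs}),
            "all_tcp": all(r["proto"] == 6 for r in rs),   # 6 == TCP
            "span_seconds": (times[-1] - times[0]).total_seconds(),
        }
    return out


def looks_like_scan(stats, min_dst=3, max_span=5.0):
    """Several hosts, one service port, within a few seconds: an outbound sweep."""
    return (stats["distinct_dst"] >= min_dst and len(stats["dports"]) == 1
            and stats["span_seconds"] <= max_span)


def unknown_logins(last_text, known_hosts):
    """Return (user, host) for logins whose source IP is not in known_hosts."""
    hits = []
    for line in last_text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("reboot", "shutdown", "wtmp"):
            continue
        user, host = parts[0], parts[-1]
        if IP_RE.match(host) and host not in known_hosts:
            hits.append((user, host))
    return hits


if __name__ == "__main__":
    for src, stats in summarize(parse_report(REPORT)).items():
        print(src, stats, "SCAN" if looks_like_scan(stats) else "ok")
    # Replace the set with your own office/home addresses.
    print(unknown_logins(LAST_OUTPUT, {"203.0.113.7"}))
```

On a live box you would feed `last -a` output into unknown_logins and compare the `lsof -n -i TCP` listing against what the mail server should be doing; if the report shows a sweep of port 22 but lsof shows nothing, that silence is itself evidence for the rootkit the reply warns about.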


_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
