On 4/28/06, seekuel <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> I'm using CentOS 4.3 as my email server, postfix as MTA, and
> open-xchange as webmail.
> I installed chkrootkit and rkhunter. The configuration is that rkhunter
> and chkrootkit will execute every 3am and email their results to the
> administrator account.
>
> I found this report with chkrootkit and also was surprised that an
> email account was created. I think that the system is compromised.
>
> How do I deal with this issue?
>
> Any help is well appreciated.
>
> Thanks,
>
> Sandeil
>
> Here is the output of chkrootkit:
> ---------
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have 2 process hidden for readdir command
> You have 2 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/snort-plain)
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
> Checking `z2'... chklastlog: nothing deleted
> Checking `chkutmp'... chkutmp: nothing deleted
>
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> [email protected] (#PLUG @ irc.free.net.ph)
> Read the Guidelines: http://linux.org.ph/lists
> Searchable Archives: http://archives.free.net.ph
I think you need to stop the server and clone the hard disk. You can then use the clone to do forensics. Don't do anything on the compromised hard disk. Mount the cloned hard disk read-only and noexec in a clean machine and start searching for traces of the attack. A reinstall is not going to work because you don't know how the system was compromised and most probably the attacker will be back.

--
www.smsglobal.net
SMS Global Ltd
Short Message Service For Seafarers
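The imaging and read-only mount steps from the reply above, written out as an added example that is not part of the thread; the device names, image path, mount point and the UID 500 cut-off are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: image the suspect disk, prove the
# copy, and mount it read-only/noexec on a clean host for analysis.
# Device names, the image path and the mount point are assumptions.
set -eu

# Bit-for-bit copy of SRC to IMG. conv=noerror,sync keeps going past
# unreadable sectors and zero-fills them; bs must be the sector size
# (512 here), because sync pads any short read up to bs and a larger
# block size would silently pad the end of the image.
image_disk() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync
    sha256sum "$src" | awk '{print $1}' > "$img.src.sha256"
    sha256sum "$img" | awk '{print $1}' > "$img.sha256"
    # Digests match only for an error-free read; on a mismatch keep the
    # image digest as the evidence reference and note the bad sectors.
    [ "$(cat "$img.src.sha256")" = "$(cat "$img.sha256")" ]
}

# Mount a filesystem image for inspection only. ro blocks writes,
# noexec/nosuid/nodev stop anything on the evidence from running or
# elevating, and noload (ext3/ext4) skips journal replay, which would
# alter the filesystem even on a ro mount. For a whole-disk image add
# offset=<partition start in bytes>. Needs root.
mount_evidence() {
    img="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,loop,noexec,nosuid,nodev,noload "$img" "$mnt"
}

# First pass over the mounted copy, never the live host: files changed
# in the last week, setuid binaries, and non-system accounts (UID >= 500
# is the CentOS 4 convention, an assumption here; an unexpected entry
# matches the "new email account" symptom in the original report).
first_look() {
    mnt="$1"
    find "$mnt" -xdev -type f -mtime -7 2>/dev/null
    find "$mnt" -xdev -type f -perm -4000 2>/dev/null
    awk -F: '$3 >= 500 {print "account:", $1, "uid", $3}' "$mnt/etc/passwd"
}
```

Run image_disk against the raw device (for example /dev/sda, an assumption) from a rescue boot or with the disk attached to the clean machine, then mount_evidence and first_look against the image, never the original disk.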

