On Tue, 2010-05-25 at 22:24 -0700, Duane Loftus wrote:
> On Wed, 2010-05-26 at 00:04 -0500, Mike McCarty wrote:
> > Duane Loftus wrote:
> > >
> > > YEA! Ta Da! WooHoo!
> > >
> > > The re-install worked! I have done --propupd and --update and run the
> > > first scan after making some mods in the rkhunter.conf file.
> >
> > Congratulations!
> >
> > > {Thank you all so very much.}
> > >
> > > I am pretty sure I have a trojan or resident spoofer in there,
> >
> > Why?
>
> I have 5 domains on the server. One of the domains (which is a mirror
> of another domain that runs about 250 Meg / month) is running 5 times
> higher (1.2 Gig so far this month) in "email" traffic / bandwidth. Most
> of it is on the SMTP. It keeps exceeding the limits I have imposed. I
> know the primary user (a retired Colonel and Investment Banker) and he's
> not sending out spam. However, he gets a lot of "spoofed" mail using his
> address in lieu of the actual sender.
>
> It seems that there is something rotten in Denmark and on his domain.
>
> If I knew how to read logs properly and what to look for, I might be
> better able to resolve this ongoing issue. So, I'm trying to learn.
> But at my age, learning is a bit slower than it was in the past.
>
> But I'll get there.
>
> > > especially on one of the domains that has bandwidth / traffic going thru
> > > the roof. It will take some time and effort to learn the logs and what
> > > I can do about them. I'll work at it.
> > >
> > > Here is a section of my rkhunter.log. What should I be doing about the
> > > "warning" items?
> >
> > [...]
> >
> > I didn't see anything particularly scary in there, unless you don't
> > intend to run those services, in which case I'd wonder how they got
> > enabled, and shut them down.
> >
> > You might try tcpdump to get a handle on what kind of traffic
> > you are passing.
> >
> > Mike

Responding to the last few messages, I am running SpamAssassin on the
server in addition to this.
But I wanted to install rkhunter for two reasons. First, rootkits are
problematic and I had no way of discovering them. Rkhunter has a good
reputation. Second, the installation itself is part of my "learning
experience" with Linux. As you could readily tell, I've a long way to go.

Oh, and third, you and your cohorts on this mailing list have been
terrific and extremely helpful, for which I thank you.

Now, back to learning how to interpret and analyze the results.

And yes, Helmut, I'm part of the silver streak club. But I try not to let
that get in the way!

------------------------------------------------------------------------------

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
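The thread above describes a domain whose SMTP traffic is several times its normal volume while the legitimate user is not sending spam, and a poster who wants to learn what to look for in the logs. The script below is an added example, not code from the thread or from the rkhunter project. It assumes the mail server is Postfix (the thread never names the MTA), so the `smtpd` "client=" line and the `qmgr` "from=<...>, size=..., nrcpt=..." line are the Postfix formats; the log lines, the domain `example.org`, the user `colonel`, and the IP addresses (all from documentation ranges) are constructed for the demo. It joins the two log lines on the queue id, totals approximate outbound bytes per envelope sender, and flags messages that claim a local sender but arrived from outside the local networks without SASL authentication: exactly the pattern of mail forged with a local user's address, or of a relay being abused in his name.

```python
"""Summarize Postfix-style mail logs: bytes per sender and unauthenticated
messages that claim a local address.  Added example with constructed data;
the MTA and log format are assumptions, not facts from the thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: two authenticated sends by the real user, three bulk
# messages forged with his address from an outside host, one ordinary inbound.
SAMPLE_LOG = """\
May 26 00:01:02 mx postfix/smtpd[2101]: A1B2C3D4: client=laptop.example.net[203.0.113.5], sasl_method=LOGIN, sasl_username=colonel@example.org
May 26 00:01:02 mx postfix/qmgr[1800]: A1B2C3D4: from=<colonel@example.org>, size=2048, nrcpt=1 (queue active)
May 26 00:03:15 mx postfix/smtpd[2101]: B2C3D4E5: client=laptop.example.net[203.0.113.5], sasl_method=LOGIN, sasl_username=colonel@example.org
May 26 00:03:15 mx postfix/qmgr[1800]: B2C3D4E5: from=<colonel@example.org>, size=4096, nrcpt=2 (queue active)
May 26 00:04:40 mx postfix/smtpd[2102]: C3D4E5F6: client=unknown[198.51.100.77]
May 26 00:04:40 mx postfix/qmgr[1800]: C3D4E5F6: from=<colonel@example.org>, size=51200, nrcpt=40 (queue active)
May 26 00:04:41 mx postfix/smtpd[2102]: D4E5F6A7: client=unknown[198.51.100.77]
May 26 00:04:41 mx postfix/qmgr[1800]: D4E5F6A7: from=<colonel@example.org>, size=51200, nrcpt=40 (queue active)
May 26 00:04:42 mx postfix/smtpd[2102]: E5F6A7B8: client=unknown[198.51.100.77]
May 26 00:04:42 mx postfix/qmgr[1800]: E5F6A7B8: from=<colonel@example.org>, size=51200, nrcpt=40 (queue active)
May 26 00:05:00 mx postfix/smtpd[2103]: F6A7B8C9: client=mail.elsewhere.example[192.0.2.10]
May 26 00:05:00 mx postfix/qmgr[1800]: F6A7B8C9: from=<friend@elsewhere.example>, size=1500, nrcpt=1 (queue active)
"""

# smtpd logs who connected (and whether they authenticated) under a queue id
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?"
)
# qmgr logs the envelope sender, size and recipient count under the same id
FROM_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)


def parse_log(text):
    """Join the smtpd client line and the qmgr from= line on the queue id."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            msgs[m["qid"]].update(ip=m["ip"], host=m["host"], user=m["user"])
            continue
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]].update(sender=m["sender"], size=int(m["size"]),
                                  nrcpt=int(m["nrcpt"]))
    # keep only messages for which both halves were seen
    return {q: r for q, r in msgs.items() if "ip" in r and "sender" in r}


def summarize(msgs, local_domains, local_nets):
    """Return (per-sender totals, queue ids of unauthenticated messages that
    claim a local sender from outside the local networks)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    per_sender = defaultdict(lambda: {"msgs": 0, "rcpts": 0, "bytes": 0})
    forged = []
    for qid, r in msgs.items():
        s = per_sender[r["sender"]]
        s["msgs"] += 1
        s["rcpts"] += r["nrcpt"]
        s["bytes"] += r["size"] * r["nrcpt"]  # rough bytes leaving the box
        domain = r["sender"].rpartition("@")[2]
        ip = ipaddress.ip_address(r["ip"])
        inside = any(ip in n for n in nets)
        if domain in local_domains and r["user"] is None and not inside:
            forged.append(qid)
    return dict(per_sender), sorted(forged)


if __name__ == "__main__":
    totals, suspects = summarize(parse_log(SAMPLE_LOG),
                                 {"example.org"}, ["10.0.0.0/8"])
    for sender, s in sorted(totals.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{sender:30} msgs={s['msgs']:4} rcpts={s['rcpts']:5} "
              f"bytes={s['bytes']:10}")
    print("unauthenticated messages claiming a local sender:", suspects)
```

On a real box you would feed it `/var/log/mail.log` (or `maillog`) and adjust `local_domains` and `local_nets` to your own domains and address ranges; the ratio of bytes attributed to the one address versus the number of authenticated sessions for it is what separates a user who really is sending from one whose address is merely being forged.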