I would reinstall using known good backups. Trying to clean a server may be a lost cause. Sent from my iPhone
On Jul 9, 2014, at 1:27 PM, David Mehler <dave.mehler@gmail.com> wrote:
Hello,
Thank you. I would tend to agree. I've gone back and checked the reverse IP of the connection; it's definitely a breach. I've got hidden directories under several places in the filesystem, nothing under /tmp. I don't get how this was done. Am I dealing with a rootkit or not?
I ran chkrootkit, which reported the SucKIT rootkit, but running rkhunter revealed nothing, and both were fully updated. I've done Google searching and apparently that SucKIT rootkit diagnosis has a history of false positives with chkrootkit.
Any help appreciated.
Thanks. Dave.
On 7/9/14, Scott Granados <scott@granados-llc.net> wrote: This sounds to me like you got owned. I've noticed that a lot of penetrations like that have hidden directories and/or stuff set up under /tmp. Remember that OpenSSL needed to be updated recently, as well as anything compiled using it. Not sure in your case whether they were fully successful, but if directories appeared I'd tend to think so.
On Jul 9, 2014, at 1:50 AM, David Mehler <dave.mehler@gmail.com> wrote:
Hello Everyone,
I'm running an fc20 Linux linode. I'll admit the past two months I've not been paying as much attention to it as I should, with a bunch of unexpected stresses.
That being said it is fully up to date, I do that daily and it is running a firewall as well as the fail2ban software for automated bots defense.
Tonight I checked my email and noticed two from an account on my system sent to me that is my account. I've got all root email forwarded to my account to read it. Now two things, first this account shouldn't have got any cron reports, second since I use virtual users and they're all in a database that user shouldn't have been able to send email from my server to me.
I checked the account on the server and noticed a hidden directory called .local, under which there was a share directory and a system directory under that. Finally there is a broken symbolic link called user which points, or pointed I should say, to a now nonexistent file and folder which do not exist.
I've got an email out to the user, and I've checked the password file for any accounts with login shells, nothing new has come up.
If this was an attempted root break-in with a rootkit, this user is not in the sudoers file, so I think I'm safe there.
I'd like to hear your thoughts on this, and some further steps I can take on this issue to either confirm or refute whether I've been breached.
Thanks. Dave.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
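The manual checks Dave describes in his original post (looking for accounts with login shells, the hidden .local/share/system tree, the dangling "user" symlink, and whether the user has admin rights), plus Scott's tip about hidden directories, can be scripted so they run the same way every time and can be repeated on a clean host for comparison. The script below is an added example and not code from anyone in this thread; it assumes POSIX sh, awk(1) and find(1), and the passwd, group and home-tree data it builds with make_sample are constructed to mimic what the post describes, not taken from the affected system. None of this replaces the advice to rebuild from known-good backups; it only makes the triage repeatable.

```sh
#!/bin/sh
# Compromise-triage helpers (added example, not from the mailing-list thread).
# Assumes POSIX sh, awk(1), find(1). The sample data in make_sample is constructed.

# Accounts that can log in interactively: every UID 0 account plus anything
# whose shell does not end in nologin or false. Reads a passwd-format file
# ($1, default /etc/passwd) so it can also be run against a backup copy.
login_accounts() {
    awk -F: '$3 == 0 || $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "${1:-/etc/passwd}"
}

# UID 0 accounts other than root: a classic backdoor indicator.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Is user $1 listed in an admin group (wheel or sudo) in group file $2?
# Exit 0 if yes, 1 if no. This checks group membership only; it does not
# parse /etc/sudoers or /etc/sudoers.d, which must be read separately.
in_admin_group() {
    awk -F: -v u="$1" '
        ($1 == "wheel" || $1 == "sudo") {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "${2:-/etc/group}"
}

# Hidden (dot) directories anywhere under $1, like the .local tree in the post.
hidden_dirs() {
    find "$1" -type d -name '.*' 2>/dev/null
}

# Dangling symlinks under $1: -type l selects links, test -e follows the
# link and fails when the target is gone, and ! inverts that result.
dangling_links() {
    find "$1" -type l ! -exec test -e {} \; -print 2>/dev/null
}

# Build a constructed sample tree: a passwd file with one extra UID 0
# account, a group file, and a home directory holding .local/share/system
# plus a broken "user" link, mirroring what the original post describes.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:2:2:daemon:/sbin:/sbin/nologin' \
        'vmail:x:5000:5000::/var/mail:/bin/false' \
        'toor:x:0:0:backdoor:/:/bin/sh' \
        'bob:x:1001:1001::/home/bob:/bin/bash' > "$d/passwd"
    printf '%s\n' 'wheel:x:10:root,bob' 'users:x:100:' > "$d/group"
    mkdir -p "$d/home/bob/.local/share/system"
    ln -s "$d/home/bob/.local/share/system/gone" "$d/home/bob/.local/share/user"
    printf '%s\n' "$d"
}

# Run every check: $1 is the directory tree, $2 the passwd file, $3 the group file.
triage() {
    echo "== login-capable accounts"; login_accounts "$2"
    echo "== extra uid 0 accounts";   extra_uid0 "$2"
    echo "== hidden directories";     hidden_dirs "$1"
    echo "== dangling symlinks";      dangling_links "$1"
    echo "== bob in admin group?";    in_admin_group bob "$3" && echo yes || echo no
}

# Stand-alone run against the constructed sample:
#   S=$(make_sample); triage "$S/home" "$S/passwd" "$S/group"
```

On a live host you would run triage against / (or a mounted image of the disk) with the real passwd and group files. Note that tools on a box suspected of carrying a kernel-level rootkit, find and awk included, may be lying to you; running the same script against the disk mounted read-only from a known-good rescue system avoids that, and is the only way to settle the SucKIT question chkrootkit and rkhunter disagree on.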