
Re: [cobalt-security] Relay Mail Issue



At 04:30 PM 8/21/00 -0400, you wrote:
> Information:
> The user account in question does not have shell access
> Had never FTP'd into the site
> The only logon is via POP
> His SMTP is handled via his own ISP
> He has no mailing lists (majordomo) running
> He has no CGI scripts running
> He does not have mail forwarding enabled
> No FrontPage Extensions
> No Server Side Includes

Does the user show up in the GUI admin? If not, it was obviously added
surreptitiously... otherwise, a hacker could have gotten into the system and
stolen the account info/changed the password.

I would do a portscan on your system to check for trojans, and advise users
to change their passwords. Your system might still be compromised.

You could try going into the root of your system and do
find -name "..."

There is an often-used rootkit with this dir in it.
Then again he could have used another or no rootkit at all.

I'm bad at forensics. But be sure to check /tmp for . entries

reinstall the base-<version>.rpm which includes ls and some other standard utils.
reinstall pam and login versions (getty's ??) make sure you install it with:
rpm -ivh --force so as to make sure it overwrites the necessary stuff.

Check your bootscripts for weird entries that do funny stuff (ideal time to make root shells!)

Most rootkits patch ls, w, who, top, uptime, netstat, ping, login, mingetty, telnetd(?), useradd, userdel.

Check your /etc/passwd and /etc/shadow for entries with 0 as uid or gid.
check in your paths for entries starting or ending with x

I have experienced a root only once.
Salvage what's left of the system. Wipe the disk clean and start over.
Make sure that the data you salvaged does not contain root shells in some users home dir.

Bye

--
Seth
"Have you gone mad?"
"Well, yes, but that's beyond the scope of this email."
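The checks Seth lists (dirs named "...", dot entries in /tmp, uid/gid 0 accounts, suspicious PATH entries), collected into a script as an added example that is not part of the original thread. It runs against a constructed sample tree rather than the live root, and the PATH check assumes the thread's "x" meant "." (the current directory); that reading is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original thread: Seth's post-compromise checks as
# functions taking a root dir, so they can run on a constructed sample tree.
# Constructed sample tree with one planted indicator per check.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp" "$root/etc" "$root/usr/lib/..." "$root/usr/lib/normal"
    mkdir -p "$root/tmp/. " "$root/tmp/.X11-unix"      # ". " is the odd one
    touch "$root/tmp/regular.txt"
    cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
backup:x:1001:0::/home/backup:/bin/bash
EOF
    echo "$root"
}

# Check 1: directories named "..." anywhere under $1 (the rootkit dir Seth mentions).
find_triple_dot_dirs() {
    find "$1" -type d -name '...' 2>/dev/null
}

# Check 2: dot entries directly in $1/tmp; .X11-unix is skipped as a known-normal entry.
find_tmp_dot_entries() {
    find "$1/tmp" -mindepth 1 -maxdepth 1 -name '.*' ! -name '.X11-unix' 2>/dev/null
}

# Check 3: accounts in $1/etc/passwd with uid 0 or gid 0 that are not root.
find_uid0_accounts() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Check 4: PATH entries that are empty or start/end with "." (assumed reading of "x").
find_dot_path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -E '^$|^\.|\.$' || true
}

demo() {
    root=$(make_sample_root)
    echo "dirs named ...:";      find_triple_dot_dirs "$root"
    echo "dot entries in /tmp:"; find_tmp_dot_entries "$root"
    echo "uid/gid 0 accounts:";  find_uid0_accounts "$root"
    echo "risky PATH entries:";  find_dot_path_entries "/usr/bin:.:/bin:/opt/x/."
    rm -rf "$root"
}
demo
```

On a real box, pass "/" and "$PATH" instead of the sample tree, and run the checks from a known-good rescue medium since the box's own find and awk may be patched.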