unSpawn | 05-27-2018 05:16 AM
Quote:
Originally Posted by allan_registos
(Post 5854949)
I have problems sending emails due to overused or overutilized internet connection.
|
"Over-utilized" in what way? Legitimate traffic, spam or worse? You did investigate before making changes, yes?
Quote:
Originally Posted by allan_registos
(Post 5854949)
Code:
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/mods-enabled/.gitignore
/usr/lib/python3/dist-packages/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/.gitignore
/usr/lib/python3/dist-packages/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/vhosts.d/.keep_www-servers_apache-2
/usr/lib/python3/dist-packages/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/modules.d/.keep_www-servers_apache-2
/lib/modules/4.4.0-124-generic/vdso/.build-id
/lib/modules/4.4.0-121-generic/vdso/.build-id
/lib/modules/4.4.0-122-generic/vdso/.build-id
|
AFAIK this result is based on keyword search. Use the integrity verification your OS offers to verify those packages / files are legitimate.
Quote:
Originally Posted by allan_registos
(Post 5854949)
Code:
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
|
This is based on binary output. List ('ls -alt;') the SSH daemon package contents with their respective change times. Run Chkrootkit again but in expert mode to see the results to be able to verify this is not a false positive. Use the integrity verification your OS offers to verify the SSH daemon package is legitimate. If the integrity of the SSH daemon package cannot be verified by any other means (like using a previously installed HIDS like Samhain, AIDE or even tripwire, or by downloading and comparing the package contents) then be aware changing any of those files requires root rights (meaning a potential root compromise).
Quote:
Originally Posted by allan_registos
(Post 5854949)
Code:
Checking `bindshell'... INFECTED (PORTS: 465)
|
Listening processes on ports below 1024 should be restricted to / "protected by" root. Check which process runs on the port with the "modern" 'ss -t -l '( sport = :465 )';' or the tried-n-true 'lsof -n -i TCP:465;' or 'fuser -v 465/tcp;' or the kludgy 'netstat -n -l | grep 465;'.
Quote:
Originally Posted by allan_registos
(Post 5854949)
Code:
ens160: PACKET SNIFFER(/usr/sbin/dhcpd[1457])
|
Commonly the DHCP daemon listening in "raw" mode, meaning most likely a well-known false positive. Use the integrity verification your OS offers to verify those packages / files are legitimate anyway.
Quote:
Originally Posted by allan_registos
(Post 5854949)
Code:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! or,continuation,webapp,setuid 0 l,jmx,resources,websocket,ext,plusor,continuation,webapp,setuid jetty.home=/opt/zimbra/common/jetty_home jetty.base=/opt/zimbra/mailboxd /opt/zimbra/mailboxd/etc/jetty.xml
|
Search LQ (or the IntarWebs) and you'll find "The tty of the following user process(es) were not found" message was dealt with a gazillion times over, for example: https://www.linuxquestions.org/quest...2/#post4931954
|
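Two of the follow-up checks recommended in the reply above, the "who owns the listener on a privileged port" question for the bindshell hit and the OS package integrity check for the SSH daemon, can be triaged offline from saved tool output. The following is an added example and is not code from the thread or from chkrootkit: it parses constructed sample output in the format of `lsof -n -P -i -sTCP:LISTEN` (assumes `-P`, so ports are numeric) and of `dpkg --verify <package>` in dpkg's default rpm-style verify format, flags non-root listeners below port 1024, and separates changed package binaries from changed conffiles. All sample lines, PIDs and paths in it are constructed for illustration.

```python
# Added example (not from the thread or from chkrootkit): offline triage of saved
# `lsof -n -P -i -sTCP:LISTEN` and `dpkg --verify <pkg>` output.
# Assumptions: lsof was run with -P (numeric ports) and dpkg used its default
# rpm-style verify format. All sample data below is constructed.
import re
from typing import List, NamedTuple


class Listener(NamedTuple):
    command: str
    pid: int
    user: str
    port: int


# Constructed sample of what lsof might print; the last line is the sort of
# listener the chkrootkit "bindshell" check is meant to surface.
SAMPLE_LSOF = """\
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  1457     root   13u  IPv4  21890      0t0  TCP *:465 (LISTEN)
sshd     890     root    3u  IPv4  18877      0t0  TCP *:22 (LISTEN)
perl    4242 www-data    4u  IPv4  99120      0t0  TCP *:1023 (LISTEN)
"""


def parse_lsof_listeners(text: str) -> List[Listener]:
    """Parse lsof's tabular output into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        # NAME occupies the last two tokens: "<addr>:<port>" and "(LISTEN)"
        if len(parts) < 9 or parts[-1] != "(LISTEN)":
            continue
        port_str = parts[-2].rsplit(":", 1)[-1]
        if not port_str.isdigit():  # lsof without -P prints service names; skip
            continue
        listeners.append(Listener(parts[0], int(parts[1]), parts[2], int(port_str)))
    return listeners


def privileged_port_violations(listeners: List[Listener]) -> List[Listener]:
    """The thread's rule of thumb: a listener below port 1024 should belong to root."""
    return [l for l in listeners if l.port < 1024 and l.user != "root"]


# Constructed sample of `dpkg --verify openssh-server` output. dpkg prints only
# files that fail verification: a 9-character flag field, an optional "c" marking
# a conffile, then the path. A "5" in the third flag position means the file's
# MD5 digest no longer matches the one recorded for the package.
SAMPLE_DPKG_VERIFY = """\
??5?????? c /etc/ssh/sshd_config
??5??????   /usr/sbin/sshd
"""

VERIFY_LINE = re.compile(r"^(\S{9})\s+(c\s+)?(/\S+)$")


class VerifyResult(NamedTuple):
    path: str
    conffile: bool
    md5_changed: bool


def parse_dpkg_verify(text: str) -> List[VerifyResult]:
    """Turn dpkg --verify lines into records; lines that do not match are ignored."""
    results = []
    for line in text.splitlines():
        m = VERIFY_LINE.match(line)
        if not m:
            continue
        flags, conf, path = m.groups()
        results.append(VerifyResult(path, conf is not None, flags[2] == "5"))
    return results


def changed_non_conffiles(text: str) -> List[str]:
    """Changed package files that are not admin-editable conffiles, i.e. the case
    the thread says to treat as a potential root compromise (binaries, libraries)."""
    return [r.path for r in parse_dpkg_verify(text) if r.md5_changed and not r.conffile]


if __name__ == "__main__":
    for l in privileged_port_violations(parse_lsof_listeners(SAMPLE_LSOF)):
        print(f"non-root listener on privileged port: {l.command}[{l.pid}] as {l.user} on {l.port}")
    for path in changed_non_conffiles(SAMPLE_DPKG_VERIFY):
        print(f"package binary/library differs from package record: {path}")
```

A modified conffile such as `/etc/ssh/sshd_config` is usually the administrator's own work and is reported separately; a digest mismatch on `/usr/sbin/sshd` itself is the finding that would need the package to be re-downloaded and compared, as the reply describes.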