Old 01-10-2011, 09:22 AM   #1
eichenhain
LQ Newbie
 
Registered: Jan 2011
Posts: 2

Rep: Reputation: 0
exim4 / portmap compromised. problem "solved" -> exim4 question & rkhunter log


Hi folks!

I am pretty new to this forum and Linux server administration. This is my question:

I am running a Debian server which got somehow compromised using vulnerabilities of unupdated versions of portmap and exim4.

Somebody used the server to send spam. exim4 was connecting to IRC, portmap was mapping hundreds of ports and some evil Perl scripts were causing drama.

What we did:

- deleted portmap
- stopped exim4 daemon (killall exim4 && /etc/init.d/exim4 stop)
- closed some ports

I used this to upgrade my packages:

aptitude update
aptitude safe-upgrade

(I didn't restart the server afterwards! I read that this is not necessary for security updates, right?)

exim4 is still installed:


Code:
ii  exim4-base                     4.69-9+lenny1                  support files for all Exim MTA (v4) packages
ii  exim4-config                   4.69-9+lenny1                  configuration for the Exim MTA (v4)
ii  exim4-daemon-light             4.69-9+lenny1                  lightweight Exim MTA (v4) daemon

We don't use any kind of mail servers. Is it safe for me to completely delete exim4? I could install some offline mail-agent.

chkrootkit says everything is ok. But I am concerned with some warnings I got from rkhunter's log:

Code:
[15:59:01]   /usr/sbin/adduser                               [ Warning ]
[15:59:01] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable

[15:59:02]   /usr/bin/groups                                 [ Warning ]
[15:59:02] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: POSIX shell script text executable

[15:59:02]   /usr/bin/ldd                                    [ Warning ]
[15:59:02] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable

[15:59:06]   /bin/which                                      [ Warning ]
[15:59:07] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable

[16:00:22]   Checking for hidden files and directories       [ Warning ]
[16:00:22] Warning: Hidden directory found: /dev/.udev
[16:00:22] Warning: Hidden directory found: /dev/.initramfs

[16:01:45]   Checking version of Exim MTA                    [ Warning ]
[16:01:45] Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
[16:01:45]   Checking version of GnuPG                       [ Warning ]
[16:01:45] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[16:01:45] Info: Application 'httpd' not found.
[16:01:45] Info: Application 'named' not found.
[16:01:45]   Checking version of OpenSSL                     [ Warning ]
[16:01:45] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[16:01:45]   Checking version of PHP                         [ Warning ]
[16:01:45] Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
[16:01:45]   Checking version of Procmail MTA                [ OK ]
[16:01:45] Info: Application 'procmail' version '3.22' found.
[16:01:45]   Checking version of ProFTPD                     [ OK ]
[16:01:45] Info: Application 'proftpd' version 'Version' found.
[16:01:45]   Checking version of OpenSSH                     [ Warning ]
[16:01:45] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

Why is he telling me that these apps are out of date? I just ran aptitude update and aptitude safe-upgrade -> nothing new to be installed.

Should I be concerned about those warnings?

Thx for any help guys!
 
Old 01-10-2011, 10:38 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,304
Blog Entries: 54

Rep: Reputation: 2856
Quote:
Originally Posted by eichenhain
I am pretty new to this forum
Welcome!


Quote:
Originally Posted by eichenhain
and linux server administration.
Bummer.


Quote:
Originally Posted by eichenhain
I am running a Debian server which got somehow compromised (..) What we did (..) deleted (..) upgrade my packages
If the server got compromised you need to find out how far they've gotten. The best way to thwart your own research is to kill processes, delete entities and update SW without saving and listing data. If people don't know what to do we suggest following at least steps from the CERT Intruder Detection Checklist: http://web.archive.org/web/200801092...checklist.html and create a thread before doing something...


Quote:
Originally Posted by eichenhain
We don't use any kind of mail servers. Is it safe for me to completely delete exim4?
Servers need to send warnings somewhere and therefore need an MTA. It doesn't need to be listening on or accept mail from any publicly accessible interface.


Quote:
Originally Posted by eichenhain
Warning: The command 'X' has been replaced by a script
See Rootkit Hunter FAQ entry 3.7: "I have just installed Rootkit Hunter, and I am already getting warning messages. Why is that?"


Quote:
Originally Posted by eichenhain
Warning: Hidden directory found:
See rkhunter.conf, "ALLOWHIDDENDIR".


Quote:
Originally Posted by eichenhain
Why is he telling me that these apps are out of date? I just ran aptitude update and aptitude safe-upgrade -> nothing new to be installed. Should I be concerned about those warnings?
See Rootkit Hunter FAQ entry 3.2: "Rootkit Hunter tells me that I have an out-of-date or unsecure application installed. But I have fully patched my server! How is this possible?"
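
Added example, not part of either poster's text and not rkhunter's own code: a small parser that sorts the three warning types from the log in post #1 and pairs each with the rkhunter.conf line to consider once the finding has been verified. ALLOWHIDDENDIR comes from the reply above; SCRIPTWHITELIST and APP_WHITELIST are rkhunter.conf options not named in the thread and are assumed to be supported by the installed rkhunter version; `triage` and `KINDS` are hypothetical names.

```python
import re

# Constructed sample: lines copied from the rkhunter log quoted in post #1.
SAMPLE_LOG = """\
[15:59:01]   /usr/sbin/adduser                               [ Warning ]
[15:59:01] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable
[15:59:02] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[16:00:22] Warning: Hidden directory found: /dev/.udev
[16:01:45] Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
[16:01:45] Info: Application 'httpd' not found.
[16:01:45] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
"""

WARNING = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+Warning:\s+(.*)$")
KINDS = [
    # (kind, pattern, rkhunter.conf line to consider once the finding is verified)
    ("script", re.compile(r"The command '([^']+)' has been replaced by a script"),
     "SCRIPTWHITELIST={0}"),
    ("hidden_dir", re.compile(r"Hidden directory found: (\S+)"),
     "ALLOWHIDDENDIR={0}"),
    ("app_version", re.compile(r"Application '([^']+)', version '([^']+)', is out of date"),
     "APP_WHITELIST={0}:{1}"),
]

def triage(log_text):
    """Return (kind, captured values, candidate config line) per warning line.

    Warnings that match no known pattern are returned as kind "unknown" with
    no config line, so nothing is silently dropped or whitelisted.
    """
    findings = []
    for line in log_text.splitlines():
        m = WARNING.match(line)
        if not m:
            continue  # status rows and Info lines carry no finding of their own
        message = m.group(1)
        for kind, pattern, template in KINDS:
            hit = pattern.search(message)
            if hit:
                findings.append((kind, hit.groups(), template.format(*hit.groups())))
                break
        else:
            findings.append(("unknown", (message,), None))
    return findings

if __name__ == "__main__":
    for kind, values, conf in triage(SAMPLE_LOG):
        print(f"{kind:12} {' '.join(values):24} -> {conf or 'investigate by hand'}")
```

A candidate line belongs in rkhunter.conf only after the file or directory has been compared with a known-good copy from the distribution package; on a host with a confirmed compromise, run that comparison from trusted media.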
 
Old 01-10-2011, 11:00 AM   #3
eichenhain
LQ Newbie
 
Registered: Jan 2011
Posts: 2

Original Poster
Rep: Reputation: 0
Thx very much for your patience and for your reply!

I will try it!
 
  

