LinuxQuestions.org
Old 03-26-2004, 08:21 PM   #1
vittibaby
LQ Newbie
 
Registered: Aug 2003
Posts: 19

Rep: Reputation: 0
server hacked!?!?!


I'm using squirrelmail. However, recently, I found that my first login always fails... 2nd log would be ok. Could my server be hacked and the hacker has changed the login page to obtain my user passwords?

Also, I find a log file called /var/log/forgemail... Is this a Redhat default thing? Could someone be using my webserver to send spam mail?

What can I do to check the above? Thanks!
 
Old 03-27-2004, 12:31 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Re: server hacked!?!?!

> I'm using squirrelmail. However, recently, I found that my first login always fails... 2nd log would be ok. Could my server be hacked and the hacker has changed the login page to obtain my user passwords?

Try verifying your login and init scripts. To verify the integrity of rpm packages you can use:

rpm -Va

If you have tripwire or some other file alteration scanner installed, now would be a good time to run a check. Also make sure to download and run chkrootkit.

> I find a log file called /var/log/forgemail... Is this a Redhat default thing? Could someone be using my webserver to send spam mail?

As far as I am aware, that is not a standard Redhat thing. Given the name, I would think your guess is reasonably accurate. Did you try taking a look at its contents? Also run: stat /var/log/forgemail to get creation and last modification dates. Use the creation date as a rough timeframe and go through all of your system and security logs looking for anything abnormal (including application errors/panics/etc). Check out the output of last and lastb. Look at /etc/passwd to see if you have any new users or users other than root with a uid/gid of 0. Run netstat -pantu or lsof -i to get a list of what applications are listening on interfaces (look for any services which don't seem normal or that you don't remember running).

Take some time and do some reading in the security references thread by unSpawn at the top of the forum. In particular look at the links under "Compromise, breach of security, detection"
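
The /etc/passwd check and the "rough timeframe" log sweep from the reply above, written as a small shell script. This is an added example, not part of the original posts; the function names, the UID0/GID0/CHANGED output labels and the triage.sh file name are made up for illustration.

```sh
#!/bin/sh
# Added example: triage helpers for two checks from the reply above.
# Function names and output labels are illustrative.

# Print every account other than root whose UID or GID field is 0.
# $1 = passwd-format file (default /etc/passwd).
# A non-root UID0 account is the strong signal. Stock Red Hat ships sync,
# shutdown, halt and operator with GID 0, so compare GID0 hits against a
# known-good copy before treating them as suspicious.
zero_id_accounts() {
    awk -F: '
        $1 ~ /^#/ || NF < 4 { next }        # skip comments and short lines
        $1 != "root" && $3 ~ /^0+$/                 { print "UID0 " $1 }
        $1 != "root" && $3 !~ /^0+$/ && $4 ~ /^0+$/ { print "GID0 " $1 }
    ' "${1:-/etc/passwd}"
}

# List regular files under directory $2 modified after reference file $1.
# -newer compares mtime, which an intruder can reset, so treat the result
# as a rough timeframe only.
changed_since() {
    find "$2" -type f -newer "$1" -print | sort | sed 's/^/CHANGED /'
}

# Run both checks: $1 = unexpected file, $2 = log directory, $3 = passwd file.
triage() {
    zero_id_accounts "${3:-/etc/passwd}"
    changed_since "$1" "${2:-/var/log}"
}

# Example (hypothetical file name): sh triage.sh /var/log/forgemail /var/log
if [ "$#" -gt 0 ]; then
    triage "$@"
fi
```

Run it as root so that every file under the log directory is readable, and keep the output with your notes before changing anything on the box.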
 
  


All times are GMT -5. The time now is 11:55 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration