exim4 / portmap compromised. problem "solved" -> exim4 question & rkhunter log

eichenhain · 01-10-2011, 09:22 AM

Hi folks!

I am pretty new to this forum and linux server administration. This is my question:

I am running a Debian server which got somehow compromised using vulnerabilities of unupdated versions of portmap and exim4.

Somebody used the server to send spam. exim4 was connecting to irc, portmap was mapping hundreds of ports and some evil perl scripts were causing drama.

What we did:

-deleted portmap
-stopped exim4 daemon (killall exim4 && /etc/init.d/exim4 stop)
-closed some ports

I used this to upgrade my packages:

aptitude update
aptitude safe-upgrade

(didnt restart the server afterwards! I read, that this is not necessary for security updates, right?)

exim4 is still installed:

Code:

ii  exim4-base                     4.69-9+lenny1                  support files for all Exim MTA (v4) packages
ii  exim4-config                   4.69-9+lenny1                  configuration for the Exim MTA (v4)
ii  exim4-daemon-light             4.69-9+lenny1                  lightweight Exim MTA (v4) daemon

We don't use any kind of mailservers. Is it safe for me to completely delete exim4? I could install some offline mail-agent.

chkrootkit says everything is ok. But I am concerned with some warnings I got from rkhunter's log:

Code:

[15:59:01]   /usr/sbin/adduser                               [ Warning ]
[15:59:01] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable

[15:59:02]   /usr/bin/groups                                 [ Warning ]
[15:59:02] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: POSIX shell script text executable

[15:59:02]   /usr/bin/ldd                                    [ Warning ]
[15:59:02] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable

[15:59:06]   /bin/which                                      [ Warning ]
[15:59:07] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable

[16:00:22]   Checking for hidden files and directories       [ Warning ]
[16:00:22] Warning: Hidden directory found: /dev/.udev
[16:00:22] Warning: Hidden directory found: /dev/.initramfs

[16:01:45]   Checking version of Exim MTA                    [ Warning ]
[16:01:45] Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
[16:01:45]   Checking version of GnuPG                       [ Warning ]
[16:01:45] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[16:01:45] Info: Application 'httpd' not found.
[16:01:45] Info: Application 'named' not found.
[16:01:45]   Checking version of OpenSSL                     [ Warning ]
[16:01:45] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
[16:01:45]   Checking version of PHP                         [ Warning ]
[16:01:45] Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
[16:01:45]   Checking version of Procmail MTA                [ OK ]
[16:01:45] Info: Application 'procmail' version '3.22' found.
[16:01:45]   Checking version of ProFTPD                     [ OK ]
[16:01:45] Info: Application 'proftpd' version 'Version' found.
[16:01:45]   Checking version of OpenSSH                     [ Warning ]
[16:01:45] Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

Why is he telling me that these apps are out of date? I just run aptitude update and aptitude safe-upgrade -> nothing new to be installed.

Should I be concerned about those warnings?

Thx for any help guys!

unSpawn · 01-10-2011, 10:38 AM