LinuxQuestions.org, Linux - Security forum
I'm wondering if someone is remotely logged into my RH9 box. The reason I think this is that I'm seeing numerous e-mails being sent out. I have sendmail hardened to not allow relaying and have confirmed this through ordb.org, but yet I still see the mass mailings being sent out. Is there a way for me to check if someone else is using my machine or find out who it is?
I'm not sure which logs specifically (I'm not at my machine) but I'd look quickly in the /var/log directory...maybe in 'messages' or something...although there may be one called 'security' or 'secure'
You can also use the 'last' command.
If you think your box is sending out mass mailings, shut it down quick...or at least suspend sendmail 'til you are sure...I mean, it's not nice to spam...especially if you are aware you are spamming.
Definitely shut down sendmail, add an inbound LOG target rule to your firewall for TCP/25 and outbound for any/any. If your box has been used a lot you're bound to see some requests...
Determine how they were able to use your box. The "last" command will give you an account of who's been logged in; for example "last -ai10" will give you the ten most recent ones. If enabled, "lastb" should give you the last login failures. "w" or "who" show you who's on the box now.
Check the integrity of your binaries, libraries and configuration files using Aide, Samhain or tripwire (if installed); else you'll have to resort to verifying against your rpm database, but that won't catch everything. Run chkrootkit, just to be sure. If anything fishy comes up, catch the output of 'ps axwww', 'netstat -anp' and 'lsof' to file and shut down your network connection. If all seems OK, start looking in /var/log/messages for "weird" entries (anything with error, fail, fatal or pam in it) and /var/log/maillog(.*gz) for clues. If you find remote addresses, expect them to be temp accounts and/or connected through proxies.
If you report back, please elaborate on what you've done to check and what you've found.
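The two log checks suggested in the reply above (the error/fail/fatal/pam grep over /var/log/messages, and reading /var/log/maillog to see which host handed sendmail the bulk submissions), as an added example that is not from the thread. The log lines are constructed (RFC 5737 addresses, example.* names) and the file paths under /tmp are assumptions standing in for the real log files.

```shell
#!/bin/sh
# Added example, not from the thread. The samples below are constructed;
# on the RH9 box you would point these at /var/log/messages and
# /var/log/maillog (or zcat the rotated .gz copies into them).
MSG=/tmp/lq_messages.sample
MAIL=/tmp/lq_maillog.sample

cat > "$MSG" <<'EOF'
Mar  3 10:01:02 rh9 sshd[1221]: Accepted password for bob from 192.0.2.10 port 4022 ssh2
Mar  3 10:05:17 rh9 sshd[1240]: Failed password for root from 198.51.100.7 port 3310 ssh2
Mar  3 10:05:19 rh9 sshd(pam_unix)[1240]: authentication failure; rhost=198.51.100.7 user=root
Mar  3 10:07:44 rh9 kernel: eth0: link up
Mar  3 10:09:00 rh9 crond[1301]: (root) CMD (run-parts /etc/cron.hourly)
EOF

cat > "$MAIL" <<'EOF'
Mar  3 11:00:01 rh9 sendmail[1400]: h23G01AB001400: from=<sales@example.net>, size=2048, class=0, nrcpts=50, proto=SMTP, daemon=MTA, relay=dhcp-55.example-isp.net [198.51.100.55]
Mar  3 11:00:02 rh9 sendmail[1401]: h23G01AB001400: to=<victim@example.org>, delay=00:00:01, mailer=esmtp, relay=mx.example.org. [203.0.113.9], stat=Sent
Mar  3 11:02:10 rh9 sendmail[1410]: h23G02CD001410: from=<sales@example.net>, size=2048, class=0, nrcpts=50, proto=SMTP, daemon=MTA, relay=dhcp-55.example-isp.net [198.51.100.55]
Mar  3 11:30:00 rh9 sendmail[1450]: h23G30EF001450: from=<alice@localhost>, size=300, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
EOF

# The messages-log check from the reply: anything with error, fail, fatal
# or pam in it (case-insensitive, so "Failed password" is caught too).
suspicious_lines() { grep -iE 'error|fail|fatal|pam' "$1"; }
count_suspicious() { suspicious_lines "$1" | wc -l | tr -d ' '; }

# Only sendmail's from= lines describe mail handed TO us; their relay=
# field is the submitting host. Group by host, most frequent first,
# as "count host". A remote host at the top, with large nrcpts, is the
# one abusing the relay (in this thread: the ISP domain left in the
# access map). to= lines are outbound deliveries and are ignored.
inbound_relays() {
    grep 'from=<' "$1" | sed -n 's/.*relay=\([^ ]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}
top_relay() { inbound_relays "$1" | head -n 1 | awk '{print $2}'; }

suspicious_lines "$MSG"
inbound_relays "$MAIL"
```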
Thanks for your replies. I was one step ahead of your advice and shut down my SMTP when I saw mail being relayed from the unknown source. I did some investigating in my maillog and found out that the domain of attbi.com was being used to relay the mail. I'm an idiot because I had allowed that domain to relay because I use attbi.com. I wanted to run some tests using my home machine. I forgot to remove it from the relay when I was done, but I did and VOILA! No problems for three days now.
It's amazing.
I have been fooling around with some test runs of a home server.
People are always scanning, checking smtp, ftp, ssh, http, trying to exploit known hacks.
I am trying to learn to distinguish possible hits due to dynamic IP versus definite hack attempts.