LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-27-2006, 06:44 AM   #1
debyani
LQ Newbie
 
Registered: Oct 2006
Posts: 5

strange ps -ax output


I manage a mail server with Postfix on FC4. The strange output of ps -ax related to smtpd makes me worry. Can anyone help give some explanation of the output and confirm whether my server was compromised or not? Also, how do I control this situation?

I am new to this forum.

Thanks to everybody for help and suggestions

Debyani

The output of ps -ax (partial) is as follows:

25104 ? S 0:00 smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout 1200 -o disable_dns_lookups yes -o max_use 20
25166 ? S 0:00 smtpd -n 127.0.0.1:10025 -t inet -u -o content_filter -o local_recipient_maps -o relay_recipients-maps -o smtpd_restriction_classes -o smtpd_delay_reject no -o smtpd_client_restrictions permit_mynetworks,reject -o smtpd_helo_restrictions -o smtpd_sender_restrictions -o smtpd_recipient_restrictions permit_mynetworks,reject -o mynetworks_style host -o mynetworks 127.0.0.0/8 -o strict_rfc821_envelopes yes -o smtpd_error_sleep_time 0 -o smtpd_soft_error_limit 1001 -o smtpd_hard_error_limit 1000 -o smtpd_client_connection_count_limit 0 -o smtpd_client_connection_rate_linit 0
25167 ? S 0:00 local -t unix
25168 ? S 0:00 smtp -t unix -u
25175 ? S 0:00 smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout 1200 -o disable_dns_lookups yes -o max_use 20
25178 ? S 0:00 smtp -t unix -u
 
Old 10-27-2006, 09:38 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Hello there and welcome to LQ. Hope you like it here.


Can anyone help to give some explanation about the output
Unlike monolithic MTAs like Sendmail, Postfix uses different named applications for different tasks. If you are unsure which application handles which task you should check out the explanation on the main Postfix site: the "Anatomy" part.


confirm whether my server was compromised or not.
Process names can be an indication of cracker activities if the name appears in the list and contains strings like backdoor, shell, startadore, etc, etc, but a process name can be changed. I say "appears in the list" because processes can be hidden. A process's environment can be an indication as well. An application that was started as the root account user but resides as a (setuid root) binary in a directory for holding temporary files, or has a current working directory (CWD) or root directory that looks "odd", can be an indication of cracker activity.

From this explanation you see your "ps" output is not complete, does not provide the necessary details and should not be taken as an authoritative means to safely confirm whether the machine was compromised or not. What to look for? If the machine is compromised you can expect to see one or more of the following (and more): reports from remote networks (scanning usually), changes in network traffic volume, network sources and destinations (.tw, .cn, .id, .kr, .hu, .br to name a few TLDs that could be an indication if you have no business with those), port ranges (outbound scanning, IRC, spam, DoSsing), inbound ports that are never used, strange behaviour of the host (accounts with an accessible shell, process names, logfile anomalies, missing authentication records, missing files, setuid root binaries in temp dirs) etc, etc.

To check for symptoms please start by reading and following the steps from the "Intruder Detection Checklist (CERT)": http://www.cert.org/tech_tips/intrud...checklist.html and post any info you get. If you post info please make sure you post exact lines and not approximations. If unsure, reboot the machine and perform the checks from a Live CD whose binaries are trustable. Next to that it may be beneficial to run your file integrity scanner (like Aide, Samhain or even Tripwire, if installed) and Chkrootkit and/or Rootkit Hunter to see if that trips on something.


Also how to control this situation.
If you mean "manage" Postfix in the most general way, then that should be a separate question in say the Software or Server forum.
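The reply above says that a bare ps listing lacks the details that matter (executable path, current working directory, root directory, owner) and that processes can be hidden from ps. The script below is an added example, not code from the thread or from Postfix, that gathers exactly those details from /proc, flags the warning signs the reply lists (a root-owned process whose binary or CWD lives in a temp dir, a binary deleted after start, a non-standard root directory), looks for setuid-root files in temp dirs, and compares the PIDs visible in /proc with the PIDs in the text of `ps -ax` to find processes that one source shows and the other does not. The set of temp directories and the list of checks are assumptions to adapt to your host.

```python
"""Process-triage helper for the checks described above (added example).
Walks /proc to collect exe/cwd/root/cmdline/uid per process, flags the
warning signs named in the reply, scans temp dirs for setuid-root files and
compares /proc PIDs with the PIDs ps reports.  Run as root for full coverage."""
import os
import re
import stat
import subprocess

# Assumed list of directories where a running executable, a root process's
# CWD or a setuid-root binary is suspect; extend to match your host's layout.
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def _prefixes(dirs):
    # "/tmp/" rather than "/tmp" so that "/tmpfoo" is not matched by accident.
    return tuple(d.rstrip("/") + "/" for d in dirs)


def is_setuid_root(mode, uid):
    """True for a regular file owned by root (uid 0) with the setuid bit set."""
    return stat.S_ISREG(mode) and uid == 0 and bool(mode & stat.S_ISUID)


def setuid_root_in_tempdirs(dirs=TEMP_DIRS):
    """Return paths of setuid-root regular files found under the given dirs."""
    hits = []
    for top in dirs:
        for dirpath, _dirnames, filenames in os.walk(top, onerror=lambda e: None):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; skip rather than abort
                if is_setuid_root(st.st_mode, st.st_uid):
                    hits.append(path)
    return hits


def read_proc_record(pid):
    """Build a record for one /proc/<pid>; None if the process vanished."""
    base = "/proc/%d" % pid
    rec = {"pid": pid}
    try:
        for key in ("exe", "cwd", "root"):
            try:
                rec[key] = os.readlink(os.path.join(base, key))
            except OSError:
                rec[key] = "?"  # permission denied or a kernel thread
        with open(os.path.join(base, "cmdline"), "rb") as f:
            raw = f.read().replace(b"\0", b" ")
        rec["cmdline"] = raw.decode("utf-8", "replace").strip()
        rec["uid"] = os.stat(base).st_uid  # owner of /proc/<pid> is the process owner
    except OSError:
        return None
    return rec


def collect_from_proc():
    """One record per numeric /proc entry (i.e. per process the kernel shows)."""
    recs = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            rec = read_proc_record(int(name))
            if rec is not None:
                recs.append(rec)
    return recs


def suspicious(rec, temp_dirs=TEMP_DIRS):
    """List the reasons a process record looks odd; an empty list means none found."""
    reasons, tmp = [], _prefixes(temp_dirs)
    exe, cwd, root = rec.get("exe", "?"), rec.get("cwd", "?"), rec.get("root", "/")
    if exe.startswith(tmp):
        reasons.append("executable lives in a temp dir: " + exe)
    if exe.endswith(" (deleted)"):
        reasons.append("executable was deleted after start: " + exe)
    if root not in ("/", "?"):
        reasons.append("non-standard root directory: " + root)
    if rec.get("uid") == 0 and cwd.startswith(tmp):
        reasons.append("root process with cwd in a temp dir: " + cwd)
    if rec.get("uid") == 0 and exe.startswith("/home/"):
        reasons.append("root process running a binary from a home dir: " + exe)
    return reasons


PS_LINE = re.compile(r"^\s*(\d+)\s")


def pids_from_ps_output(text):
    """Parse the PID column out of `ps -ax` text; the header line has no digits there."""
    return {int(m.group(1)) for m in (PS_LINE.match(l) for l in text.splitlines()) if m}


def hidden_pids(proc_pids, ps_pids):
    """PIDs the kernel shows in /proc but ps does not list: a classic hidden-process sign."""
    return sorted(set(proc_pids) - set(ps_pids))


if __name__ == "__main__":
    ps_text = subprocess.run(["ps", "-ax"], capture_output=True, text=True).stdout
    recs = collect_from_proc()
    for r in recs:
        for why in suspicious(r):
            print("PID %d (%s): %s" % (r["pid"], r["cmdline"][:60], why))
    print("in /proc but not in ps:", hidden_pids([r["pid"] for r in recs], pids_from_ps_output(ps_text)))
    print("setuid-root files in temp dirs:", setuid_root_in_tempdirs())
```

Two caveats when reading the output. Processes that exit between the `ps` call and the /proc walk (or ps itself) show up as differences, so repeat the comparison a couple of times before treating a PID as hidden. And if you run Postfix daemons chrooted (the chroot column in master.cf), their root directory will legitimately be the queue directory rather than `/`, so that line is expected for them. The script trusts the running kernel's view of /proc, which is precisely what a kernel-level rootkit can falsify; that is why the reply recommends repeating the checks from a Live CD.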