Hey there all,
I run a data processing station that gets info automatically via email. So I have a user set up and in my software, I have the user log in (dovecot) and check the email and process anything there. There are actually two users on the system that do this.
Today, both lost permission to check their Maildir.
I can't find anything in the auth log that looks suspicious, or the .bash_history of either user. Not even the main user of the system.
The way it got fixed was with a sudo chown mailuser /home/mailuser -R
I don't get what could have done this. I have not been running any maintenance or anything else, it has just been happy running along.
Is this a cracker that did something?
Has anyone seen this before?
Thanks for any tips, I wonder if it's ok to breathe now, or if it will happen again.
Well, I have never heard much about them. I haven't really looked though. I don't run anything as root, I pay attention to what recommended permissions to set, what services are ok, and not ok... just never had any trouble in the past three years. I am kinda new at this, still, I guess this serves as an ample wake up call.
Thanks
While people should have a basic understanding of what their system comprises of I don't mark (perceived) incidents, possible breaches of security, as something warranting a generic RTF(ine)M type of answer. Next time you or anyone encounters such a thread, if you can't manage to put in a more detailed response, I'd appreciate it if you point to 0) the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/ and 1) the Linux Security forum. TIA
No need to thank me: we're here to help. BTW I saw a move request for this thread to the Linux Security forum so hopefully it'll materialise there RSN.
Sometimes things just happen by accident. I don't know which distro you have this running on. Usually the package system has a command that will validate a package. This might help you determine whether files or directories have the wrong permissions.
For an rpm based system you could use: rpm -qf <path/to/file>
to determine which package supplies a file or directory and then
rpm -qV <packagename>
to validate it.
I think that debian based systems have a similar command.
Little update here guys,
I am running a Debian system, well, Ubuntu Gutsy. The system has been in place for quite a while, months. This is the first time this has happened.
After I rewrote the permissions on the logs, I have not had a problem and it has been now a few hours.
So, maybe someone or some script-kiddie got in, but they didn't do much if they did, and left no tracks that I can find in any logs.
Thanks for the advice to all, thank God it was ok this time..
I just put in an order at Amazon.com, I would feel even more like an idiot next time.
In terms of perception and how to act on things I agree with that. Kinda Hanlon's razor thing, right?
Quote:
Originally Posted by amani
The LQ wiki can be updated with more links too.
Good you mentioned that. If you would be willing to help out with that Wiki page that would be most welcome...
Quote:
Originally Posted by nephish
So, maybe someone or some script-kiddie got in, but they didn't do much if they did, and left no tracks that I can find in any logs.
Personally I don't like "maybe" and then leave things dangling. There either was or there was no breach. You trust the machine's integrity completely or you don't. So, if you would like us to provide a second opinion then posting a more detailed account of what you checked would be a nice start...
Hey,
Read up on and installed rkhunter. After its update and run, everything looked good. I don't sleep well with something like this dangling either.
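As an added example (not posted by anyone in this thread), one way to produce the "detailed account of what you checked" for an ownership change like the one described: record which entries under the tree have the wrong owner, who owns them now, and their ctime, before a recursive chown overwrites that evidence. The function names are hypothetical; the path and user in the usage comment are the ones from the first post.

```shell
#!/bin/sh
# Added example: audit ownership under a directory tree BEFORE running
# "chown -R", which would reset the owner and the ctime on every entry.

# Print one "ls -ldnc" line per entry not owned by the expected numeric UID.
# -n shows numeric uid/gid, -c shows ctime (time of last inode change,
# which is what chown and chmod update).
list_mismatched() {
    # $1 = directory to audit, $2 = expected numeric UID
    find "$1" ! -uid "$2" -exec ls -ldnc {} +
}

# Count mismatched entries. Counting arguments per batch keeps the result
# correct even when file names contain spaces or newlines.
count_mismatched() {
    find "$1" ! -uid "$2" -exec sh -c 'echo "$#"' sh {} + |
        awk '{ n += $1 } END { print n + 0 }'
}

# Summarise who owns the mismatched entries now, as "uid count" lines.
# A single new owner such as 0 (root) points at a job running as that
# user rather than at scattered manual changes.
# Reads field 3 of the ls output, so names containing newlines can
# skew this summary (count_mismatched is not affected).
owner_summary() {
    list_mismatched "$1" "$2" |
        awk '{ c[$3]++ } END { for (u in c) print u, c[u] }' |
        sort -n
}

# Usage, with the path and user from the first post:
#   uid=$(id -u mailuser)
#   count_mismatched /home/mailuser "$uid"
#   owner_summary    /home/mailuser "$uid"
#   list_mismatched  /home/mailuser "$uid" > /root/mailuser-owner-audit.txt
```

If the ctimes in the saved listing cluster around one moment, that timestamp is what to look for in the cron, package manager and auth logs.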