Hey there all,
i run a data processing station that gets info automatically via email. So i have a user set up and in my software, i have the user log in (dovecot) and check the email and process anything there. There are actually two users on the system that do this.
Today, both lost permission to check their Maildir.
I can't find anything in the auth log that looks suspicious, or the .bash_history of either user. Not even the main user of the system.
The way it got fixed was with a sudo chown mailuser /home/mailuser -R

I don't get what could have don't this. I have not been running any maintenance or anything else, it has just been happy running along.

Is this a cracker that did something?
Has anyone seen this before?

thanks for any tips, i wonder if it's ok to breathe now, or if it will happen again.

thanks

Run rkhunter

chkrootkit

You will need to check system logs, web logs.

There are tools like snort for the purpose. Why did you not install it?

see a full manual/book

well, i have never heard much about them. I havn't really looked though. I don't run anything as root, i pay attention to what recommended permissions to set, what services are ok, and not ok... just never had any trouble in the past three years. I am kinda new at this, still, i guess this serves as an ample wake up call.
thanks

Soze for recycling posts but have a look at my first post here please: http://www.linuxquestions.org/questi...server-664871/

While people should have a basic understanding of what their system comprises of I don't mark (perceived) incidents, possible breaches of security, as something warranting a generic RTF(ine)M type of answer. Next time you or anyone encounters such a thread, if you can't manage to put in a more detailed response, I'd appreciate it if you point to 0) the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/ and 1) the Linux Security forum. TIA

Great response, and great link, unSpawn.
thanks for that.

No need to thank me: we're here to help. BTW I saw a move request for this thread to the Linux Security forum so hopefully it'll materialise there RSN.

Sometimes things just happen by accident. I don't know which distro you have this running on. Usually the package system has a command that will validate a package. This might help you determine whether files or directories have the wrong permissions.

For an rpm based system you could use: rpm -qf <path/to/file>
to determine which package supplies a file or directory and then
rpm -qV <packagename>
to validate it.

I think that debian based systems have a similar command.

Yes, that will help. The LQ wiki can be updated with more links too.
http://wiki.linuxquestions.org/wiki/...ecurity_Basics

little update here guys,
I am running a debian system, well, ubuntu Gutsy. The system has been in place for quite a while, months. This is the first time this has happened.
After i rewrote the permissions on the logs, i have not had a problem and it has been now a few hours.

So, maybe someone or some script-kiddie got in, but they didn't do much if they did, and left no tracks that i can find in any logs.

thanks for the advice to all, thank God it was ok this time..

i just put in an order at Amazon.com, i would feel even more like an idiot next time.

sk

In terms of perception and how to act on things I agree with that. Kinda Hanlon's razor thing, right?


Good you mentioned that. If you would be willing to help out with that Wiki page that would be most welcome...


Personally I don't like "maybe" and then leave things dangling. There either was or there was no breach. You trust the machine's integrity completely or you don't. So, if you would like us to provide a second opinion then posting a more detailed account of what you checked would be a nice start...

hey,
read up on and installed rkhunter. After it's update and run, everything looked good. I don't sleep well with something like this dangling either.

Thanks to all.