LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 11-20-2007, 08:01 AM   #16
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 420Reputation: 420Reputation: 420Reputation: 420Reputation: 420

Unless you've done some serious checking into how your machine was compromised, you're just fooling yourself. None of the software on a compromised machine can be trusted. If you're counting on your logs to show you if spam is being sent, those may not be reliable. And by simply deleting the file you found, you may simply have tipped off the crackers that you were aware of them and they simply did a better job of hiding their tracks.

Quote:
I have also raised security level.
Just what does that mean? Have you actually taken any steps to find out if you were compromised and how?

Sorry if I'm coming across as harsh, but I'm seeing a ton of guesswork and handwaving here and precious few facts.
 
Old 11-20-2007, 01:10 PM   #17
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Testing"
Posts: 6,116

Rep: Reputation: 416Reputation: 416Reputation: 416Reputation: 416Reputation: 416
Quote:
I also check if any mail is going out from my server and there is none, only the real one.
HangDog is right.

How are you "checking"?

As I said in post #2 you need a completely fresh install, with careful attention to security.

The fact that ps -al or any other commands you may try, don't return anything unexpected does NOT mean that there are unwelcome processes running. The attacker may have replaced the ps (or any other) command with a new one, that filters out any malicious activity.

There's a good possibility that you are still spamming the world (or worse), and have no idea that you are doing it

Please, get a grip, wake up, recognise the severity of the problem and deal with it properly. Yes, this will be a lot of (unwelcome) work for you, but you need to learn how to secure an accessible server so this cannot happen again.

Deleting the odd malicious file will not help in the long run. The spammers are laughing at you. You think you have "canceled" the user who caused this, but he probably has a backdoor by now, and is using your system as he likes.

To understand this better, please google for "root kit".

Meanwhile, you should take your server down, and disconnect it from the internet. The reason: You may be hosting child-porn, drug money laundering and a lot of other unpleasantness. When the police come knocking at your door (because all this came from your server) you will find it difficult to explain yourself, especially as we have already asked you to disconect it, and you have ignored these warnings.

Last edited by tredegar; 11-20-2007 at 01:11 PM.
 
Old 11-20-2007, 04:53 PM   #18
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Quote:
Originally Posted by tredegar View Post
you need a completely fresh install, with careful attention to security.
With all due respect but without auditing a reinstall only provides temporary and shallow "safety" because there's no lessons learnt. IMNSHO this should be the second step:
Quote:
Originally Posted by Hangdog42 View Post
work your way through the CERT checklist to help you get a handle on what has happened.
 
Old 11-21-2007, 03:15 AM   #19
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Testing"
Posts: 6,116

Rep: Reputation: 416Reputation: 416Reputation: 416Reputation: 416Reputation: 416
Quote:
With all due respect but without auditing a reinstall only provides temporary and shallow "safety" because there's no lessons learnt.
Agreed - I asked him to remove the possibly compromised disk for later forensic analysis.
What he seems to be doing is attempting to "tidy up" by deleting files, and removing users. I do not think he realises that he cannot trust his computer anymore.
 
Old 11-21-2007, 05:53 PM   #20
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
If you check back a few incidents in Linux Security you'll see that with all these vulnerable app versions still in use a spammer essentially doesn't need root to send spam. But if he however doesn't do any auditing then I agree he should reinstall from scratch.
 
Old 11-27-2007, 07:07 AM   #21
Blisk
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
Rep: Reputation: 0
Ok, I found out, that I have installed server from scratch, for nothing.
The server were never security comprimised.
All it was, is that someone upload on forum, a file, which is php executable, and that file was copying SPAM to mailqueue folder for mails.

I found out that when I installed server and copied forum to it, and mqueue was full with SPAM again, it makes me crazy.
But than I found out that script and delete it, after that I rise security of forum and uploading files.

I have also installed on forum security MOD ctracker which prevents that, but I enabled it, because I didn't know that this file is for spamming. Now I will be more carefull.

if someone like to have that file I can send it.
 
Old 11-27-2007, 02:55 PM   #22
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Quote:
Originally Posted by Blisk View Post
Ok, I found out, that I have installed server from scratch, for nothing.
No, you learned from it, or so I'd hope.


Quote:
Originally Posted by Blisk View Post
The server were never security comprimised.
May be so, and besides I didn't say it was. But since you never returned to this thread to post audit info I'll take that as "just another statement", with all due respect of course.


Quote:
Originally Posted by Blisk View Post
if someone like to have that file I can send it.
As always I'm interested.
 
Old 11-28-2007, 01:46 AM   #23
Blisk
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
Rep: Reputation: 0
here I cannot attach file, so, how can I send it?
 
Old 11-28-2007, 11:28 AM   #24
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Testing"
Posts: 6,116

Rep: Reputation: 416Reputation: 416Reputation: 416Reputation: 416Reputation: 416
Quote:
here I cannot attach file, so, how can I send it?
You can click unSpawn's name link, and choose "Send Email to unSpawn"
 
Old 11-28-2007, 12:15 PM   #25
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
...or even better, host it at some free D/L site and send me the link.
 
Old 11-28-2007, 01:05 PM   #26
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Testing"
Posts: 6,116

Rep: Reputation: 416Reputation: 416Reputation: 416Reputation: 416Reputation: 416
Quote:
...or even better, host it at some free D/L site and send me the link.
I had lost the link for this site, which'll do what you want. Found it now:

http://rafb.net/paste/index.html

 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Can FTP server be "used" by spammers rickh Linux - Networking 1 11-01-2006 02:53 AM
spammers problem hinetvenkat Linux - Security 0 06-07-2005 06:09 AM
Very mad with spammers zidane2010 General 13 05-26-2004 01:57 PM
Spammers... Artimus LQ Suggestions & Feedback 10 03-18-2003 04:24 PM
Damn spammers!!! Noerr Linux - Security 31 06-13-2002 11:38 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 12:55 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration