[BlueOnyx:03528] Re: Has my system been hacked?

Exilewolf exilewolf at gmail.com
Tue Feb 9 00:14:34 -05 2010


Well, if it changes back again you will have your answer; maybe install
rkhunter etc. to give you a little more peace of mind?

On 09/02/2010, at 2:15 PM, "Mark E. Levy" <mark at levysplace.us> wrote:

> Thank you Gerald,
>
> I didn't see any "i"s in the list that resulted from the lsattr command on
> those directories. Hopefully, that means all is well. It's still a mystery
> how the root password got changed, though, but that's straightened out too.
>
> Thanks to everyone who replied.
>
> -Mark
>
>
> -----Original Message-----
> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it]
> On Behalf Of Gerald Waugh
> Sent: Monday, February 08, 2010 10:05 PM
> To: BlueOnyx General Mailing List
> Subject: [BlueOnyx:03526] Re: Has my system been hacked?
>
>
> On Mon, 2010-02-08 at 18:18 -0600, Chris Gebhardt - VIRTBIZ Internet wrote:
>> Hi Mark,
>>
>> Mark E. Levy wrote:
>>> First the root password changes, now I'm getting the following in the
>>> maillog and the mail server stops:
>>
>> POSSIBLY, you have been hacked.   I'd start looking around for other
>> signs, as well.
>>
>>> NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 101: fileclass: cannot
>>> open '/etc/mail/local-host-names': World-writable directory
>>>
>>> I also see /etc/mail/virthosts and /etc/mail/trusted-users with the same
>>> error.
>>>
>>> What should the permissions be for this tree?
>>
>> Maybe this will help:
>>
>> # ls -lah /etc/mail
>> total 336K
>> drwxr-xr-x  2 root  root 4.0K Feb  7 03:18 .
>> drwxr-xr-x 83 root  root  12K Feb  8 18:15 ..
>> -rw-r--r--  1 root  root 2.3K Feb  7 03:18 access
>> -rw-r-----  1 smmsp root  12K Feb  7 03:18 access.db
>> -rw-r--r--  1 root  root 1.6K Sep 17 11:15 aliases
>> -rw-r-----  1 smmsp root  12K Feb  7 04:51 aliases.db
>> -rw-r--r--  1 root  root    0 Mar 14  2007 domaintable
>> -rw-r-----  1 smmsp root  12K Oct  3 02:20 domaintable.db
>> -rw-r--r--  1 root  root  249 Jun  6  2006 fix_sendmail_header.mc
>> -rw-r--r--  1 root  root 5.4K Mar 14  2007 helpfile
>> -rw-r--r--  1 root  root  373 Feb  7 03:18 local-host-names
>> -rw-r--r--  1 root  root   69 Nov  2 18:04 mailertable
>> -rw-r-----  1 smmsp root  12K Nov  2 18:04 mailertable.db
>> -rw-r--r--  1 root  root 1.1K Oct  3 02:22 Makefile
>> -rw-r-----  1 root  root  12K Feb  8 18:15 popip.db
>> -rw-r-----  1 root  root 3.9K Jun  3  2008 poprelay.conf
>> -rw-r--r--  1 root  root  59K Feb  7 04:51 sendmail.cf
>> -rw-r--r--  1 root  root 8.4K Dec  2  2008 sendmail.mc
>> -r--r--r--  1 root  root  41K Mar 14  2007 submit.cf
>> -rw-r--r--  1 root  root  940 Mar 14  2007 submit.mc
>> -rw-r--r--  1 root  root  127 Mar 14  2007 trusted-users
>> -rw-------  1 root  root    0 Sep 17 11:15 virthosts
>> -rw-r--r--  1 root  root 2.2K Feb  7 03:18 virtusertable
>> -rw-r-----  1 smmsp root  12K Feb  7 03:18 virtusertable.db
>>
> A sure sign of a hack is the immutable bit being set in a file's attributes.
> Do an lsattr on some directories:
>  lsattr /bin /sbin /usr/bin /usr/sbin | more
> The immutable bit is 'i'.
>
> Gerald
>
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
>
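A small shell audit for the two checks raised in this thread, added here as an example; it is not code from the BlueOnyx project or from sendmail. It walks the directory components sendmail inspects before it reports "World-writable directory" for a file, lists entries under a directory such as /etc/mail that are writable by group or other (none are in the listing Chris posted), and filters lsattr output for the lowercase 'i' flag Gerald describes. The script name mail_audit.sh, the function names and the sample lsattr lines are constructed; the paths are assumptions taken from the thread.

```shell
#!/bin/sh
# Permission and attribute audit for a sendmail configuration tree.
# Added example for this thread; not code from the BlueOnyx project or
# from sendmail. Paths (/etc/mail, /bin, /sbin, ...) are assumptions
# taken from the thread; adjust them for your system.

# Print every directory on the path to FILE (FILE itself included when it
# is a directory) whose "other write" bit is set. Sendmail's safe-file
# check walks the same components, so any line printed here explains a
# "World-writable directory" error for that file. FILE should be absolute.
# Sticky world-writable directories such as /tmp are reported as well.
# Returns 0 when nothing is world-writable, 1 otherwise.
world_writable_components() {
    wwc_path=$1
    wwc_hits=0
    while :; do
        if [ -d "$wwc_path" ]; then
            # `ls -ld` prints e.g. "drwxrwxrwx ..."; the 9th character is
            # the other-write bit, which the glob below pins to 'w'.
            case "$(ls -ld "$wwc_path")" in
                d???????w*) printf '%s\n' "$wwc_path"; wwc_hits=1 ;;
            esac
        fi
        [ "$wwc_path" = / ] && break
        wwc_parent=$(dirname "$wwc_path")
        [ "$wwc_parent" = "$wwc_path" ] && break
        wwc_path=$wwc_parent
    done
    [ "$wwc_hits" -eq 0 ]
}

# Print regular files and directories under DIR that are writable by group
# or other. In the /etc/mail listing from the thread nothing carries a
# group or other write bit, so any output here deserves a second look.
loose_entries() {
    find "$1" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# Read lsattr(1) output on stdin, e.g. "----i--------e-- /bin/ls", and print
# the paths whose attribute field contains the lowercase 'i' (immutable)
# flag. Uppercase 'I' (htree-indexed directory) is a different, harmless
# flag and is deliberately not matched.
immutable_paths() {
    while IFS= read -r ip_line; do
        ip_attrs=${ip_line%% *}
        ip_file=${ip_line#* }
        case $ip_attrs in
            lsattr:*) ;;   # skip error lines such as "lsattr: Operation not supported ..."
            *i*) printf '%s\n' "$ip_file" ;;
        esac
    done
}

# Constructed sample of lsattr output so the filter can be tried offline;
# the 'i' on the second line is the sign the thread tells you to look for.
SAMPLE_LSATTR='--------------e-- /bin/ls
----i---------e-- /bin/ps
-------A------e-- /sbin/init'

# Usage: sh mail_audit.sh /etc/mail/local-host-names [more files...]
# With no arguments only the constructed sample above is examined.
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LSATTR" | immutable_paths
else
    for f in "$@"; do
        echo "== $f: world-writable path components"
        world_writable_components "$f" || true
        echo "== $(dirname "$f"): entries writable by group or other"
        loose_entries "$(dirname "$f")"
    done
    if command -v lsattr >/dev/null 2>&1; then
        echo "== immutable files in /bin /sbin /usr/bin /usr/sbin"
        lsattr /bin /sbin /usr/bin /usr/sbin 2>/dev/null | immutable_paths
    fi
fi
```

Running it as `sh mail_audit.sh /etc/mail/local-host-names /etc/mail/virthosts /etc/mail/trusted-users` prints, for each file, the ancestor directories sendmail would object to, so a bare `/etc` or `/etc/mail` in that output is the permission to fix (0755 root:root, as in Chris's listing). The lsattr pass only runs when the tool is installed; on filesystems that do not support extended attributes its error lines are skipped rather than misread as flags.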