Hi Adam and Andy
Turns out I made a mistake. Yesterday, when I cleaned up a nasty exploit (it used primecoin to brute-force the root passwd with perl), I eliminated the /tmp directory (where primecoin had been untarred by www-data).
I had omitted to reactivate the /tmp directory; earlier this afternoon /tmp was pointing at a void.
Just now I ran: % mkdir /tmp; chmod 1777 /tmp
and now it is all good.
Thanks for the assistance. :) It was a false alarm, sorry about that.
Cheers
On Wednesday 6 November 2013 at 19:42, Andy Bennett <andyjpb@???> wrote:
Hi,
> I just discovered an unwanted sendmail listener at 63.141.225.90 on my
> bitfolk vps machine by doing a
> % ps aux
>
> I still don't know how I was compromised.
>
> At any rate, it seems my sendmail config file is deficient.
>
> I've grepped through the /etc directory for the offensive address to no
> avail.
>
> When my email client opens, it tells me "Folder is open by another
> process, access is read-only".
> This concerns me, because there are no visible other processes.
> This is what caused me to look at 'ps aux', and discover the unwanted
> listener.
>
> I believe this situation can be fixed, only I know not how.
>
> Any advice will be gratefully received.
Kill the process?
If you believe your machine has been compromised then I'd take it
offline immediately and analyse it (maybe with a rescue boot from the
console).
If you want to investigate online (which I'd *strongly* advise against)
then you should at least put a firewall up on all incoming and outgoing
ports (and then use a shell on the console).
Regards,
@ndy
--
andyjpb@???
http://www.ashurst.eu.org/
0x7EBA75FF
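As an added example (not part of the thread above), a small POSIX sh check of the kind that would have caught the missing /tmp before it turned into a false alarm: it verifies that a path is a real directory with mode 1777 (world-writable, sticky bit), recreates it the way the thread did when it is absent or mis-moded, and refuses to touch a symlinked path. The function names are my own.

```shell
#!/bin/sh
# check_tmp_dir DIR: return 0 when DIR is a real directory (not a symlink)
# with mode 1777, which is what /tmp must be; otherwise say why and return 1.
# Example helper, not from the mailing-list thread.
check_tmp_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "$dir is a symlink -> $(readlink "$dir")" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir is missing or not a directory" >&2
        return 1
    fi
    # POSIX find: a -perm mode with a leading digit matches the exact bits,
    # so 1777 requires sticky + rwxrwxrwx; -prune stops find descending.
    if [ -z "$(find "$dir" -prune -type d -perm 1777 2>/dev/null)" ]; then
        echo "$dir exists but is not mode 1777 (sticky, world-writable)" >&2
        return 1
    fi
    return 0
}

# fix_tmp_dir DIR: mirror the "mkdir /tmp; chmod 1777 /tmp" repair from the
# thread when the check fails. A symlinked DIR is left alone and reported,
# because some systems point /tmp elsewhere on purpose; decide that by hand.
fix_tmp_dir() {
    dir=$1
    check_tmp_dir "$dir" 2>/dev/null && return 0
    if [ -L "$dir" ]; then
        echo "refusing to replace symlink $dir; inspect it manually" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 1777 "$dir" && check_tmp_dir "$dir"
}

# Usage: check_tmp_dir /tmp || fix_tmp_dir /tmp
```

Run the check as a cron job or from a post-incident checklist, since a deleted /tmp breaks many services quietly (the "folder is open by another process" symptom is one example).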