Hi Adam and Andy 

Turns out I made a mistake. Yesterday when I cleaned up a nasty exploit (it used primecoin to brute force with perl the root passwd) I eliminated the /tmp directory (where primecoin had been untarred by www-data).

I had omitted to reactivate the /tmp directory; /tmp was pointing earlier this afternoon at a void.

Just now I % mkdir /tmp; chmod 1777 /tmp

and now it is all good.

Thanks for the assistance. :) It was a false alarm, sorry about that.

Cheers



On Wednesday, 6 November 2013 at 19:42, Andy Bennett <andyjpb@ashurst.eu.org> wrote:
Hi,

> I just discovered an unwanted sendmail listener at 63.141.225.90 on my
> bitfolk vps machine by doing a
> % ps aux
>
> I still don't know how I was compromised.
>
> At any rate, it seems my sendmail config file is deficient.
>
> I've grepped through the /etc directory for the offensive address to no
> avail.
>
> When my email client opens, it tells me "Folder is open by another
> process, access is read-only".
> This concerns me, because there are no visible other processes.
> This is what caused me to look at 'ps aux', and discover the unwanted
> listener.
>
> I believe this situation can be fixed, only I know not how.
>
> Any advice will be gratefully received.


Kill the process?

If you believe your machine has been compromised then I'd take it
offline immediately and analyse it (maybe with a rescue boot from the
console).
If you want to investigate online (which I'd *strongly* advise against)
then you should at least put a firewall up on all incoming and outgoing
ports (and then use a shell on the console).



Regards,
@ndy

--
andyjpb@ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF