Hi,
I just discovered an unwanted sendmail listener at 63.141.225.90 on my
bitfolk vps machine by doing a
% ps aux
I still don't know how I was compromised.
At any rate, it seems my sendmail config file is deficient.
I've grepped through the /etc directory for the offensive address to no
avail.
When my email client opens, it tells me "Folder is open by another
process, access is read-only".
This concerns me, because there are no visible other processes.
This is what caused me to look at 'ps aux', and discover the unwanted
listener.
I believe this situation can be fixed, only I know not how.
Any advice will be gratefully received.
Kill the process?
If you believe your machine has been compromised then I'd take it
offline immediately and analyse it (maybe with a rescue boot from the
console).
If you want to investigate online (which I'd *strongly* advise against)
then you should at least put a firewall up on all incoming and outgoing
ports (and then use a shell on the console).
Regards,
@ndy
--
andyjpb(a)ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF