Hi Adam and Andy,
Turns out I made a mistake. Yesterday, when I cleaned up a nasty exploit (it used
primecoin to brute-force the root passwd with Perl), I eliminated the /tmp directory (where
primecoin had been untarred by www-data).
I had omitted to reactivate the /tmp directory; earlier this afternoon /tmp was pointing
at a void.
Just now I ran: % mkdir /tmp; chmod 1777 /tmp
and now it is all good.
Thanks for the assistance. :) It was a false alarm, sorry about that.
Cheers
On Wednesday, 6 November 2013 at 19:42, Andy Bennett <andyjpb(a)ashurst.eu.org> wrote:
Hi,
I just discovered an unwanted sendmail listener at 63.141.225.90 on my
bitfolk VPS machine by doing a
% ps aux
I still don't know how I was compromised.
At any rate, it seems my sendmail config file is deficient.
I've grepped through the /etc directory for the offensive address to no avail.
When my email client opens, it tells me "Folder is open by another
process, access is read-only".
This concerns me, because there are no visible other processes.
This is what caused me to look at 'ps aux', and discover the unwanted
listener.
I believe this situation can be fixed, only I know not how.
Any advice will be gratefully received.
Kill the process?
If you believe your machine has been compromised then I'd take it
offline immediately and analyse it (maybe with a rescue boot from the
console).
If you want to investigate online (which I'd *strongly* advise against)
then you should at least put a firewall up on all incoming and outgoing
ports (and then use a shell on the console).
Regards,
@ndy
--
andyjpb(a)ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF
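As an added example (not code from this thread), a POSIX shell check for the situation the first message describes: a /tmp that was deleted during cleanup and silently broke services until it was recreated with mkdir and chmod 1777. It assumes only POSIX find(1) and takes the directory path as an argument; check_tmp only reports, fix_tmp recreates the directory the way the message did.

```shell
#!/bin/sh
# Audit a scratch directory such as /tmp after an incident cleanup.
# Added example, not from the original mailing-list thread.

# check_tmp DIR: print one diagnostic line; return 0 only if DIR is a real
# (non-symlink) directory with mode exactly 1777 (drwxrwxrwt).
check_tmp() {
    dir="$1"
    # Test for a symlink first: a dangling link also fails the -e test below.
    if [ -L "$dir" ]; then
        echo "$dir: is a symbolic link; expected a real directory"
        return 1
    fi
    if [ ! -e "$dir" ]; then
        echo "$dir: missing (services that expect a scratch directory will fail)"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: exists but is not a directory"
        return 1
    fi
    # -perm 1777 without a leading '-' matches the exact mode, so a directory
    # that is world-writable but lacks the sticky bit is reported as well.
    if [ -z "$(find "$dir" -prune -perm 1777 -print)" ]; then
        echo "$dir: mode is $(ls -ld "$dir" | cut -c1-10), expected drwxrwxrwt"
        return 1
    fi
    echo "$dir: ok"
    return 0
}

# fix_tmp DIR: if check_tmp reports a problem, recreate DIR as the thread did
# (mkdir; chmod 1777) and re-check. Symlinks are left for a human to inspect.
fix_tmp() {
    dir="$1"
    if check_tmp "$dir" >/dev/null; then
        return 0
    fi
    if [ -L "$dir" ]; then
        echo "$dir: refusing to replace a symlink automatically"
        return 1
    fi
    mkdir -p "$dir" && chmod 1777 "$dir" && check_tmp "$dir"
}
```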