similar to: How to check for rootkit, trojans etc in backed up files?

Displaying 20 results from an estimated 1000 matches similar to: "How to check for rootkit, trojans etc in backed up files?"

2006 Jun 12
3
Check integrity or rootkits on remote server?
Hello, when one has physical access to a computer, he can run something like tripwire, with keys and checksum on a separate, write-only media, to verify the integrity of the system. What if the system is a remote one (in my case Centos 4.3 on a User Mode Linux VPS some hundreds of km from here)? Does it still make sense to run tripwire remotely? If yes, how, since you cannot plug a floppy or
2009 May 16
3
URL of website doesn't point anymore to CentOS/Drupal installation
Sorry for the vague subject, but I couldn't find a better one. I have the website http://digifreedom.net running on a Centos 4 VPS with Apache and Drupal 6.10. This is a multisite Drupal setup: only one installation, with subdirectories in sites/, and a separate mysql database for each website. For several reasons, I had set up DNS, drupal and everything to work without the www prefix on
2009 Jun 11
3
How to reply to a digest
I'm receiving the centos-request in digest mode. Using Fedora 10 and Evolution. When I tried to reply to a centos-request message inside the digest, the result doesn't seem to look right. I cut/paste the proper subject line (replacing the CentOS Digest, Vol NN, Issue nn text), but some have complained that this approach doesn't allow the original question and replies to be threaded.
2007 Jul 27
2
Best way to have Postfix 2.3 or 2.4 on Centos 4.4?
Greetings, I would like to install Postfix 2.3 or 2.4 (I need support for SASL authentication via Dovecot) on a Centos 4.4 server. I have already found rpm packages at http://postfix.wl0.org/en/available-packages/ and pages about using the centosplus repo for postfix. Before launching rpm or yum, however, I'd like to ask the list which way you think is the best way to do this. By
2007 Feb 07
1
Centos VPS providers in the European Union?
Hello, I may need to set up soon a Linux VPS, to be used almost exclusively for handling email (as in "2GB of disk space, 2GB/month of bandwidth would be surely enough") with a fully customized postfix/procmail/dovecot setup. I'd prefer to use Centos, which I already use and know. One reason why I'm asking this here is that I'd really like to be sure, before I go for it,
2007 Jul 20
4
Security checklist for new Centos server?
Greetings, everybody I've browsed around a bit, but there seems to be no single practical list of this kind. What would you do to make a new Centos server which must run apache, IMAP (Dovecot) and SMTP (PostFix) and nothing else for a few domains as secure from attacks as possible, using only standard RPM packages as much as possible? (Please note that choice of other IMAP and SMTP servers
2008 Jan 13
3
Anti-Rootkit app
Hi all, I need to install an anti-rootkit in a lot of servers. I know that there're several options: tripwire, aide, chkrootkit... What do you prefer? Obviously, I have to define my needs: - easy setup and configuration - actively developed -- Thanks, Jordi Espasa Clofent
2010 Sep 30
6
ClamAV thinks Wine contains a rootkit?
Anyone wanna explain why ClamAV thinks Wine has a rootkit in it? It finds "mountmgr.sys" and "usbd.sys" as "BC.Heuristics.Rootkit.B" This is not altered Wine.. or even used... but it happens just pure straight up compile from source Wine even if it's never been run.... it's finding them in the fakedlls folder. I have not tried on Linux, only on Mac OS X, using the
2010 Mar 06
4
compilers a security risk?
I manage a web hosting server that we've recently upgraded, in part so we could accommodate a domain that will enable community mapping. In a recent exchange of mails one developer said: "I could build the package directly on the server machine you have, provided that the potential security risk posed by having compilers installed is not an issue." and another said:
2008 Feb 11
0
Remember the unknown rootkit problem previously reported?
If the attacker could get a shell, the attacker could have used this local root exploit to get the necessary privileges to install the rootkit. One reason why there seem to be few RHEL reports is that RHEL5 is not that widely available yet but lots of vulnerable Fedora/Debian installations are available.
2013 Feb 21
3
SSHD rootkit in the wild/compromise for CentOS 5/6?
Hello everyone, I hope you are having a good day. However, I am concerned by this: https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229 Has anyone heard yet what the attack vector is, if 5.9 and 6.4 are affected, and if a patch is coming out? Thanks! Gilbert ******************************************************************************* Gilbert Sebenste
2011 Jan 21
2
smartmontools SRPM fails
I want to install smartmontools v 5.40, and so I pulled the SRPM for 5.39 so I could patch and install... $ wget -Nc ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/smartmontools-5.39.1-2.el6.src.rpm However, the install of the source fails. $ rpm -ivh smartmontools-5.39.1-2.el6.src.rpm warning: smartmontools-5.39.1-2.el6.src.rpm: V3 RSA/MD5 signature: NOKEY, key ID
2007 Mar 02
3
What is cached swap?
Isn't cached swap somewhat an oxymoron? Why cache virtual? Am I misunderstanding this line from top? Swap: 524120k total, 80760k used, 443360k free, 73448k cached Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} Oppose globalization and One World Governments like the UN. This message made from 100% recycled bits. You have found the bank of Larn.
2011 Sep 27
2
passwd problem with new vps
greetings, I am setting up Centos 6 i686 remotely, on a new VPS. A problem I have is that I cannot set password for new users. I have created one with useradd -m new_user but when I type passwd new_user this is the result: [root@vps ~]# passwd new_user Changing password for user new_user New password: Retype new password: passwd: Authentication token manipulation error [root@vps
2005 May 12
1
Do I have an infected init file?
Hello; I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected. It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the
2001 Jun 25
1
Apparent SSH-1.2.27 Rootkit
Hello, I found this lurking around the web, and thought people who are running SSH-1.2.27 might be interested. -- Kevin Sindhu <kevin at tgivan dot com> Systems Engineer TGI Technologies Inc. Tel: (604) 872-6676 Ext 321 107 E 3rd Avenue Fax: (604) 872-6601 Vancouver,BC V5T 1C7 Canada. -------------- next part -------------- Welcome Root Kit SSH distribution v5.0 (by Zelea) This
2012 Sep 14
4
ssh_exchange_identification: Connection closed by remote host
Greetings, I have accounts on two Centos servers, A and B, each hosted on a remote VPS by a different provider/datacenter. Until yesterday night, I could connect without problems via SSH to both servers from my home Fedora 16 desktop. Yesterday I completed (fingers crossed) the switch to a different ADSL provider. From the moment I turned on the modem on the new ADSL line, I became unable to
2009 Jan 26
1
I may have been rooted - but I may not!?
Morning, I am going to treat this as a rooted box and reinstall from scratch, but any thoughts appreciated: This is a Trixbox Server based on Centos, running kernel 2.6.18-53.1.4.el5 SMP The phone system stopped working but this was traced to a configuration error with a replacement switch (it did not get added to the vlan properly), which meant that Trixbox could not see any DNS servers and
2008 Jan 29
5
Unknown rootkit causes compromised servers
Here is the applicable article: http://www.linux.com/feature/125548 There are links in the above article that explain tests for the system and what is currently known about the rootkit. Apparently initial access is NOT via any vulnerability but just guessed root passwords. There are currently 2 methods to see if you are infected: 1. In some cases, the root kit causes you to not be able to
2005 May 14
2
Need some help
Hello, I would like to ask for some specialist assistance in dissecting a 'rootkit' (seems to be massmailing specific, crafted somehow from another kit perhaps). It was found running on 5.x machines belonging (so far), to my knowledge, to 2 companies, one of which was an ISP and another a webhosting service running BSD. I will provide the kit and further details as soon as I am sure the thing will