2005 May 14
2
Need some help
Hello,
I would like to ask for some specialist assistance in dissecting a
'rootkit' (seems to be mass-mailing specific, crafted somehow from
another kit perhaps).
It was found running on 5.x machines belonging (so far, to my
knowledge) to 2 companies, one of which was an ISP and another a web-hosting
service running BSD.
I will provide the kit and further details as soon as i am sure the
thing will
2010 Feb 11
0
Allow to use agent for distribution of public keys
Discussion to the https://bugzilla.mindrot.org/show_bug.cgi?id=1663
> 1) you lose the ability to specify key restrictions. I.e. you can't
> force commands on a per-key basis, disable port-forwarding, etc.
This extension is designed to provide some non kerberos possibility
to create domains for groups of roughly equivalent users. It distributes
the authorized keys from a single point in
2020 Jan 09
1
Blocking attacks from a range of IP addresses
I have experience blocking DDoS attacks. Contact me privately if you
are interested.
On Wed., Jan 8, 2020, 8:45 p.m., Keith Christian <keith1christian at gmail.com>
wrote:
> On Wed, Jan 8, 2020 at 5:37 PM H <agents at meddatainc.com> wrote:
>
> > I am being attacked by an entire subnet where the first two parts of the
> > IP address remain identical but the
2003 Nov 03
4
dovecot vs cyrus, uw, etc.
I've been doing research on switching our current e-mail server
(qpopper, sendmail) to imap. The decision on which server to use is
essentially down to Cyrus and Dovecot -- I like Cyrus' approach to a lot
of things, but the "blackbox" nature of it makes some niceties like
using spamassassin and procmail difficult, or at least counterintuitive.
Dovecot seems to play nicer with
2007 Dec 13
3
child (login) killed with signal 9
Hi,
I'm running dovecot on an Ubuntu server (1:1.0.5-1ubuntu2). Dovecot
provides pop3, imap, and sasl to postfix. The setup works quite
nicely, however I do have one error that shows up repeatedly in my
dovecot.log.
<snip>
dovecot: 2007-12-12 09:29:06 Error: child 32765 (login) killed with signal 9
dovecot: 2007-12-12 09:29:06 Error: child 18039 (login) killed with signal 9
dovecot:
2006 Oct 30
2
Problem rkhunter v. 1.2.8 - CENTOS 4
Dear Friends,
I am using CENTOS 4.3 - kernel 2.6.9-42.0.2.EL with rkhunter version
1.2.8, but the rkhunter program shows me a problem with the file /bin/kill.
I compared /bin/kill with the one on another CENTOS 4 and it has the same size.
====================== SHOW LOG ===========================
Rootkit Hunter 1.2.8 is running
Mon, 30 Oct 2006 12:56:44 -0200
Determining OS... Ready
Checking binaries
*
2006 Dec 02
1
How to install rkhunter properly
Hi list,
after a bit of struggling I found out how to cleanly install rkhunter
... maybe this is useful for you:
* Download rkhunter (I downloaded v 1.2.8)
* mv /etc/rpm/platform /root/etc_rpm_platform
* setarch i386 rpmbuild -ta --target=i386 rkhunter-1.2.8.tar.gz
* mv /root/etc_rpm_platform /etc/rpm/platform
* rpm -ivh /usr/src/redhat/RPMS/noarch/rkhunter-1.2.8-1.noarch.rpm
* wget
2000 Feb 28
4
Multiple smbd processes generated
We have an occasional problem which manifests with multiple processes
being created for a particular user. For example, for a user "xy004":
xy004 8463 0.0 0.0 6.02M 0K ?? IW 11:48:59 0:02.02 smbd
xy004 9426 0.0 0.0 5.99M 0K ?? IW 11:52:18 0:03.68 smbd
xy004 10433 0.0 0.0 5.81M 0K ?? IW 12:17:20 0:00.85 smbd
xy004
2015 Aug 07
2
semi-OT: rkhunter, fix "broken links"
Hi, folks,
rkhunter is reporting a broken link on one of our servers. This is
quite reasonable, since it's on a drive whose controller card I have
declared dead the other day. I've been googling, searching in the
manpage, and I've done an rkhunter --propupd, but it still finds the
broken link. Anyone know how to remove the link from the rkhunter d/b?
mark
2017 Nov 06
2
How to detect botnet user on the server ?
Hello guys,
What is the best way to identify a user possibly running a botnet with PHP
on the server? And if he is using GET commands, for example, against another server.
Does Apache log outbound connections?
If it is using a file that is not malicious, ClamAV would not identify it.
Thanks
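The question above is how to spot a PHP process on the server making its own outbound connections, given that Apache's access log only records inbound requests. As an added example (not code from this thread), here is a Python parser for the kernel's /proc/net/tcp table that lists connections owned by the web-server uid whose local port is not one the host listens on; those sockets were opened by the process itself rather than accepted. The web-server uid 48 (apache on CentOS), the little-endian host, and the sample table are assumptions and constructed data, not taken from the post.

```python
"""Spot outbound TCP connections opened by the web-server user.

Added example, not code from the thread. Reads the kernel's /proc/net/tcp
table (IPv4 only) and reports connections owned by one uid whose local
port is not a port the host is listening on: those sockets were connect()ed
by the process itself rather than accept()ed, which is what a PHP bot
making its own GET requests looks like.

Assumptions (not from the original post): the web server runs as uid 48
(apache on CentOS), the host is little-endian (x86), and the sample table
below is constructed, not captured from a real machine.
"""
import socket

# TCP socket states as printed in /proc/net/tcp (include/net/tcp_states.h)
TCP_ESTABLISHED = 0x01
TCP_SYN_SENT = 0x02
TCP_LISTEN = 0x0A

WEB_UID = 48  # assumption: apache's uid on CentOS


def parse_addr(hexaddr):
    """'0100007F:0050' -> ('127.0.0.1', 80).

    The kernel prints the IPv4 address as a 32-bit integer in host byte
    order, so on a little-endian machine the bytes come out reversed.
    """
    ip_hex, port_hex = hexaddr.split(":")
    host_order = int.from_bytes(bytes.fromhex(ip_hex), "little")  # assumes x86
    ip = socket.inet_ntoa(host_order.to_bytes(4, "big"))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row: local/remote (ip, port), state, uid."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a slot number followed by ':'; skip the header.
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        rows.append({
            "local": parse_addr(fields[1]),
            "remote": parse_addr(fields[2]),
            "state": int(fields[3], 16),
            "uid": int(fields[7]),
        })
    return rows


def outbound_for_uid(rows, uid):
    """Connections owned by `uid` that were initiated locally.

    A socket accepted by a listener keeps the listener's local port, so any
    established or connecting socket whose local port is not in the LISTEN
    set was opened by the process itself.
    """
    listening_ports = {r["local"][1] for r in rows if r["state"] == TCP_LISTEN}
    outbound = []
    for r in rows:
        if r["uid"] != uid or r["state"] not in (TCP_ESTABLISHED, TCP_SYN_SENT):
            continue
        if r["local"][1] in listening_ports:
            continue  # inbound request accepted on :80 etc.
        outbound.append((r["local"], r["remote"]))
    return outbound


# Constructed sample (not a real capture). Documentation addresses only:
# server 10.0.0.10, client 192.0.2.33, remotes 198.51.100.5 and 203.0.113.7.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11112 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:0050 210200C0:C3E4 01 00000000:00000000 00:00000000 00000000    48        0 11113 1 0000000000000000 20 4 30 10 -1
   3: 0A00000A:B2F1 056433C6:1A0B 01 00000000:00000000 00:00000000 00000000    48        0 11114 1 0000000000000000 20 4 30 10 -1
   4: 0A00000A:B3A0 077100CB:01BB 02 00000000:00000000 00:00000000 00000000    48        0 11115 1 0000000000000000 20 4 30 10 -1
   5: 0A00000A:9C40 056433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 11116 1 0000000000000000 20 4 30 10 -1
"""


if __name__ == "__main__":
    # On a live box, read the real table; fall back to the sample elsewhere.
    try:
        with open("/proc/net/tcp") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for local, remote in outbound_for_uid(parse_proc_net_tcp(table), WEB_UID):
        print("uid %d: %s:%d -> %s:%d" % (WEB_UID, local[0], local[1], remote[0], remote[1]))
```

Run against the sample, the two connections from uid 48 to 198.51.100.5:6667 and 203.0.113.7:443 are reported, while the accepted client connection on port 80 and the uid 1000 connection are not. On a live server, map the reported local port back to a pid with `ss -tnp` or `lsof -i`, and repeat the same parse over /proc/net/tcp6 if the host speaks IPv6.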
2017 Aug 30
4
rkhunter and prelink
Can't remember if I posted this before... We're getting warnings from
rkhunter:
Warning: Checking for prerequisites [ Warning ]
All file hash checks will be skipped because:
This system uses prelinking, but the hash function command does not
look like SHA1 or MD5.
Now, googling, I find people saying to rm /etc/prelink.cache, then run
rkhunter --propupd.
Works. And then,
2014 Jan 17
1
rkhunter
I updated java-1.7.0-openjdk a few hours ago - it *was* listed as a
critical security update, and I don't want yelling from rkhunter. The man
page tells me I can tell it rkhunter --propupd <package name>... but it
doesn't know the name above as a package. Been googling a bit, and cannot
find a good example of a package (other than the manpage's coreutil).
Anyone got an example,
2017 Aug 30
1
rkhunter and prelink
in my prior message, that should be in rkhunter.conf
On Wed, Aug 30, 2017 at 11:43 AM, Tony Schreiner <anthony.schreiner at bc.edu>
wrote:
> This has come up for me on the most recent upgrade, add the line
>
> HASH_CMD=sha1sum
>
> On Wed, Aug 30, 2017 at 11:15 AM, <m.roth at 5-cent.us> wrote:
>
>> Can't remember if I posted this before... We're getting
2005 May 12
1
Do I have an infected init file?
Hello;
I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected.
It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the
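The post above describes chkrootkit's /sbin/init test as an egrep for "UPX" over the output of strings. As an added example (not chkrootkit's own code), the Python below reimplements that substring test beside a stricter one that requires the actual UPX marker strings ("UPX!" magic, "UPX0"/"UPX1" section names), and runs both over three constructed byte strings: one that looks UPX-packed, one plain binary that merely contains "UPX" inside an unrelated identifier, and one clean binary. The sample binaries and the identifier are constructed for illustration.

```python
"""Why a bare 'UPX' substring match over strings(1) output false-positives.

Added example, not chkrootkit's code. The post describes the test as an
egrep for "UPX" over the output of strings on /sbin/init. This reimplements
that substring test next to a stricter one that looks for the markers UPX
itself leaves in packed files, and runs both over constructed byte strings.
The sample binaries are constructed, not real files.
"""
import re

# Same idea as strings(1): runs of 4+ printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Marker strings UPX writes into packed files ("UPX!" magic, PE section names).
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")


def extract_strings(data):
    """Return the printable runs strings(1) would print for `data`."""
    return PRINTABLE_RUN.findall(data)


def loose_upx_check(data):
    """The test as described in the post: any printed string containing 'UPX'."""
    return any(b"UPX" in s for s in extract_strings(data))


def strict_upx_check(data):
    """Require one of the real UPX marker strings, not a bare substring."""
    return any(marker in data for marker in UPX_MARKERS)


def classify(data):
    """Return (loose_hit, strict_hit) for a binary image."""
    return loose_upx_check(data), strict_upx_check(data)


# Constructed samples. A real UPX-packed ELF carries the "UPX!" magic and a
# "$Info: This file is packed with the UPX executable packer" banner.
PACKED_LIKE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"UPX!" + b"\x0d\x0c\x00\x00"
    + b"$Info: This file is packed with the UPX executable packer $\x00"
    + b"\x8b\x1e\x07\x45" * 8
)
# Unpacked binary whose only "UPX" sits inside an unrelated identifier
# (the identifier is made up here to show the substring match firing).
INNOCENT_INIT = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Usage: init [OPTION]...\x00"
    + b"LOOKUPX_TIMEOUT\x00"
    + b"/etc/inittab\x00"
    + b"\x55\x48\x89\xe5" * 8
)
CLEAN_INIT = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Usage: init [OPTION]...\x00/etc/inittab\x00"
    + b"\x55\x48\x89\xe5" * 8
)


if __name__ == "__main__":
    for name, blob in (("packed-like", PACKED_LIKE),
                       ("innocent init", INNOCENT_INIT),
                       ("clean init", CLEAN_INIT)):
        loose, strict = classify(blob)
        print("%-14s loose=%s strict=%s" % (name, loose, strict))
```

The loose test fires on both the packed-looking image and the innocent one, while the marker-based test only fires on the former. When a tool reports /sbin/init this way, comparing the hash of the flagged file against the package manager's record (rpm -V on Red Hat derivatives, or the matching file from install media on FreeBSD) settles the question independently of either heuristic.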
2008 Sep 18
2
Security Guide for CentOS/RHEL
Is there a step by step approach to securing CentOS 4X (or even RHEL 4X)? I don't mean the stuff in the docs/security guide but a working step by step guide? There used to be packages like rkhunter and tripwire but I don't know if the ones in rpmforge/kbs repo are up to date.
Thanks,
Josh.
2020 Feb 26
1
Re: *** buffer overflow detected *** accessing invalid FD in libguestfs
On Wednesday, 26 February 2020 10:43:27 CET Richard W.M. Jones wrote:
> On Wed, Feb 26, 2020 at 11:21:18AM +0200, Veselin Kozhuharski wrote:
> > Hello Rich,
> >
> > Here is the fd list and total number just before collectd application
> > crashes. Before that the number of used fd's is constantly increasing. It
> > looks like a fd leak inside libguestfs to me.
2017 Nov 06
1
How to detect botnet user on the server ?
Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion Detection Environment), OSSEC or Samhain. Be prepared to learn a lot about what your OS normally does behind the scenes (and thus a fair amount of initial fine tuning to exclude those things). Aide seems to work well (I've seen only one odd result) and is quite granular. However, it is local system based rather than
2020 Feb 24
3
*** buffer overflow detected *** accessing invalid FD in libguestfs
We have extended the collectd virt plugin to extract info about disk usage from
a libvirt domain using libguestfs. In addition to my previous mail I am
attaching some more information about the problem.
Currently the collectd plugin works fine and retrieves the required
statistics. The problem that I face happens after certain number of cycles
(getting disk usage statistics). Collectd is terminated
2017 Aug 30
2
rkhunter and prelink
On Wed, August 30, 2017 10:43 am, Tony Schreiner wrote:
> This has come up for me on the most recent upgrade, add the line
>
> HASH_CMD=sha1sum
>
> On Wed, Aug 30, 2017 at 11:15 AM, <m.roth at 5-cent.us> wrote:
>
>> Can't remember if I posted this before... We're getting warnings from
>> rkhunter:
>> Warning: Checking for prerequisites [ Warning
2013 Dec 22
1
'unknown user' using dovecot LDA
Ok, one more issue to resolve.
The old server was still using the postfix/virtual for delivery, but the
new one is using the dovecot LDA.
Now, when an email generated locally by a cron job is delivered, this
shows in the log:
2013-12-22T10:29:55-05:00 host postfix/pickup[31400]: C67FD90F676B2:
uid=0 from=<newsrv+rkhunter at example.com>
2013-12-22T10:29:55-05:00 host