similar to: Centos 5.3 -> Apache - Under Attack ? Oh hell....

Hello, I would like to ask for some specialist assistance in dissecting a 'rootkit' (seems to be massmailing specific,crafted somehow from another kit perhaps) It was found running on 5.x machines belonging (sofar) to my knowledge, 2 companies,one of wich was an isp and another a webhosting service running bsd. I will provide the kit and further details as soon as i am sure the thing will

Discussion to the https://bugzilla.mindrot.org/show_bug.cgi?id=1663 > 1) you lose the ability to specify key restrictions. I.e. you can't > force commands on a per-key basis, disable port-forwarding, etc. This extension is designed to provide some non kerberos possibility to create domains for groups of roughly equivalent users. It distributes the authorized keys from a single point in

I have experience block DDoS atacks. Contac White me in prived. If you have intereses. El mi?., 8 ene. 2020 8:45 p. m., Keith Christian <keith1christian at gmail.com> escribi?: > On Wed, Jan 8, 2020 at 5:37 PM H <agents at meddatainc.com> wrote: > > > I am being attacked by an entire subnet where the first two parts of the > > IP address remain identical but the

I've been doing research on switching our current e-mail server (qpopper, sendmail) to imap. The decision on which server to use is essentially down to Cyrus and Dovecot -- I like Cyrus' approach to a lot of things, but the "blackbox" nature of it makes some niceties like using spamassassin and procmail difficult, or at least counterintuitive. Dovecot seems to play nicer with

Hi, I'm running dovecot on an Ubuntu server (1:1.0.5-1ubuntu2). Dovecot provides pop3, imap, and sasl to postfix. The setup works quite nicely, however I do have one error that shows up repeatedly in my dovecot.log. <snip> dovecot: 2007-12-12 09:29:06 Error: child 32765 (login) killed with signal 9 dovecot: 2007-12-12 09:29:06 Error: child 18039 (login) killed with signal 9 dovecot:

Dear Friends, I am using CENTOS 4.3 - kernel 2.6.9-42.0.2.EL with rkhunter version 1.2.8, but the rkhunter program show me problem on file /bin/kill. I compare files /bin/kill with other CENTOS 4 and it has same size. ====================== SHOE LOG =========================== Rootkit Hunter 1.2.8 is running Mon, 30 Oct 2006 12:56:44 -0200 Determining OS... Ready Checking binaries *

Hi list, after a bit of struggling I found out how to cleanly install rkhunter ... maybe this is useful for you: * Download rkhunter (I downloaded v 1.2.8) * mv /etc/rpm/platform /root/etc_rpm_platform * setarch i386 rpmbuild -ta --target=i386 rkhunter-1.2.8.tar.gz * mv /root/etc_rpm_platform /etc/rpm/platform * rpm -ivh /usr/src/redhat/RPMS/noarch/rkhunter-1.2.8-1.noarch.rpm * wget

We have an occasional problem which manifests with multiple processes being created for a particular user. For example, for a user "xy004": xy004 8463 0.0 0.0 6.02M 0K ?? IW 11:48:59 0:02.02 smbd xy004 9426 0.0 0.0 5.99M 0K ?? IW 11:52:18 0:03.68 smbd xy004 10433 0.0 0.0 5.81M 0K ?? IW 12:17:20 0:00.85 smbd xy004

Hi, folks, rkhunter is reporting a broken link on one of our servers. This is quite reasonable, since it's on a drive whose controller card I have declared dead the other day. I've been googling, searching in the manpage, and I've done an rkhunter --propupd, but it still finds the broken link. Anyone know how to remove the link from the rkhunter d/b? mark

Hello guys, Whats is the best way to identify a possible user using a botnet with php in the server? And if he is using GET commands for example in other server. Does apache logs outbound conections ? If it is using a file that is not malicious the clam av would not identify. Thanks

Can't remember if I posted this before... We're getting warnings from rkhunterWarning: Checking for prerequisites [ Warning ] All file hash checks will be skipped because: This system uses prelinking, but the hash function command does not look like SHA1 or MD5. Now, googling, I find people saying to rm /etc/prelink.cache, then run rkhunter --propupd. Works. And then,

I updated java-1.7.0-openjdk a few hours ago - it *was* listed as a critical security update, and I don't want yelling from rkhunter. The man page tells me I can tell it rkhunter --propupd <package name>... but it doesn't know the name above as a package. Been googling a bit, and cannot find a good example of a package (other than the manpage's coreutil). Anyone got an example,

in my prior message, that should be in rkhunter.conf On Wed, Aug 30, 2017 at 11:43 AM, Tony Schreiner <anthony.schreiner at bc.edu> wrote: > This has come up for me on the most recent upgrade, add the line > > HASH_CMD=sha1sum > > On Wed, Aug 30, 2017 at 11:15 AM, <m.roth at 5-cent.us> wrote: > >> Can't remember if I posted this before... We're getting

Hello; I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected. It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the

Is there a step by step approach to securing CentOS 4X (or even RHEL 4X)? I don't mean the stuff in the docs/security guide but a working step by step guide? There used to be packages like rkhunter and tripwire but I don't know if the ones in rpmforge/kbs repo are up to date. Thanks, Josh.

On Wednesday, 26 February 2020 10:43:27 CET Richard W.M. Jones wrote: > On Wed, Feb 26, 2020 at 11:21:18AM +0200, Veselin Kozhuharski wrote: > > Hallo Rich, > > > > Here is the fd list and total number just before collectd application > > crashes. Before that the number of used fd's is constantly increasing. It > > looks like a fd leak inside libguestfs to me.

Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion Detection Environment), OSSEC or Samhain. Be prepared to learn a lot about what your OS normally does behind the scenes (and thus a fair amount of initial fine tuning to exclude those things). Aide seems to work well (I've seen only one odd result) and is quite granular. However, it is local system based rather than

We have extended collectd virt plugin to extract info about disk usage from a libvirt domain using libguestfs. In addition to my previous mail I am attaching some more infomration about the problem. Currently the collectd plugin works fine and retrieves the required statistics. The problem that I face happens after certain number of cycles (getting disk usage statistics). Collectd is terminated

On Wed, August 30, 2017 10:43 am, Tony Schreiner wrote: > This has come up for me on the most recent upgrade, add the line > > HASH_CMD=sha1sum > > On Wed, Aug 30, 2017 at 11:15 AM, <m.roth at 5-cent.us> wrote: > >> Can't remember if I posted this before... We're getting warnings from >> rkhunterWarning: Checking for prerequisites [ Warning

Ok, one more issue to resolve. The old server was still using the postfix/virtual for delivery, but the new one is using the dovecot LDA. Now, when an email generated locally by a cron job is delivered, this shows in the log: 2013-12-22T10:29:55-05:00 host postfix/pickup[31400]: C67FD90F676B2: uid=0 from=<newsrv+rkhunter at example.com> 2013-12-22T10:29:55-05:00 host