Displaying 20 results from an estimated 3000 matches similar to: "Need some help"
2005 May 12
1
Do I have an infected init file?
Hello;
I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected.
It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the
2005 May 13
1
FreeBSD Security Advisory FreeBSD-SA-05:09.htt [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-05:09.htt Security Advisory
The FreeBSD Project
Topic: information disclosure when using HTT
Category: core
Module: sys
Announced:
2009 Jan 26
1
I may have been rooted - but I may not!?
Morning,
I am going to treat this as a rooted box and reinstall from scratch, but any
thoughts appreciated:
This is a Trixbox Server based on Centos, running kernel 2.6.18-53.1.4.el5 SMP
The phone system stopped working but this was traced to a configuration
error with a replacement switch (it did not get added to the vlan properly),
which meant that Trixbox could not see any DNS servers and
2008 Jan 13
3
Anti-Rootkit app
Hi all,
I need to install an anti-rootkit in a lot of servers. I know that
there're several options: tripwire, aide, chkrootkit...
What do you prefer?
Obviously, I have to define my needs:
- easy setup and configuration
- actively developed
--
Thanks,
Jordi Espasa Clofent
2009 Jun 03
11
Centos 5.3 -> Apache - Under Attack ? Oh hell....
Guys, apache CPU usage is hitting 100% sometimes (to such an extent that it's very noticeable) on a box with just 8 users or so.
I'm getting this when I run 'top'. The worrying thing is seeing the word 'atack' under COMMAND
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
23119 apache 15 0 964 556 472 S 0.7 0.0 0:03.68 atack
23479 apache 15
2014 Apr 16
3
TRD-like tool for Linux?
so I found that one of my VM hosts seems to have been compromised in
some way; I've shut it down, isolated it, found a few odd things like
gibberish comments and odd hostnames that I don't recognise pointed back
to 127.0.0.1 in /etc/hosts. I tried TRD and it seems mildly useful, but
has more of a windowsy feel for what it wants to be able to fix. Does
anyone know of something with more
2006 Jun 12
3
Check integrity or rootkits on remote server?
Hello,
when one has physical access to a computer, he
can run something like tripwire, with keys and
checksums on separate, write-only media, to
verify the integrity of the system.
What if the system is a remote one (in my case
Centos 4.3 on a User Mode Linux VPS some hundreds
of km from here)?
Does it still make sense to run tripwire remotely?
If yes, how, since you cannot plug a floppy or
2006 Oct 30
2
Problem rkhunter v. 1.2.8 - CENTOS 4
Dear Friends,
I am using CENTOS 4.3 - kernel 2.6.9-42.0.2.EL with rkhunter version
1.2.8, but the rkhunter program shows me a problem with the file /bin/kill.
I compared /bin/kill with the one on another CENTOS 4 box and it has the same size.
====================== SHOW LOG ===========================
Rootkit Hunter 1.2.8 is running
Mon, 30 Oct 2006 12:56:44 -0200
Determining OS... Ready
Checking binaries
*
2011 Mar 08
1
rkhunter alert dovecot using port 1984
Hi all,
Debian Lenny, dovecot 1.0.15
My rkhunter script has picked up dovecot using port 1984 temporarily.
When I run it now however, it is gone.
Warning: Network TCP port 1984 is being used by /usr/lib/dovecot/imap.
Possible rootkit: Fuckit Rootkit
Use the 'lsof -i' or 'netstat -an' command to check this.
Does dovecot use this port for any reason? Anyone seen this before?
2004 May 21
12
Hacked or not ?
Hi,
I have a 4.9-STABLE FreeBSD box apparently hacked!
Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
Those are:
chfn ... INFECTED
chsh ... INFECTED
date ... INFECTED
ls ... INFECTED
ps ... INFECTED
But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
I know by the FreeBSD-Security archives that
2005 May 14
2
different ways to disable https in apache...
Hello,
I built apache+openssl+mod_ssl. It is working fine,
and I have been starting the server with:
apachectl startssl
Recently, however, I have decided that I will not be
doing anything over https (for a while, at least) with
this web server, so for security reasons, I want to
only run on port 80.
So now I start the server with:
apachectl start
And it runs without SSL. My question is, is
2005 May 12
2
Mozilla 1.0.4 security update (Just install it, will keep all settings) + Important note from me, please read; those uninterested, please don't flame ;)
Update to the mozilla vulnerabilities which were not publicly reported
(to MY standard, for BSD/cross-platform users), so I performed my own
research, PoCs etc., and have submitted all my results.
I won't say I had ANYTHING at all to do with the update, BUT please
update a.s.a.p. to mozilla v1.0.4; that should stop at least ONE
exploit, the other may be a simple matter of not allowing your
2009 Jun 27
6
server is always getting hacked
We have a centos 5.3 install, and our server keeps getting hacked.
We see load averages of 500+ and see people from all over the world
logging into our server (used last).
Is there a good place to start to avoid these kinds of things?
For example, here is what I already did.
Open up sshd port only
setup iptables to only accept port 80 and 22
No FTP
No other ports are allowed according to IP
2019 Nov 14
4
how to know when a system is compromised
How do you know when a Linux system has been compromised?
Every day I watch our systems with all the typical tools, ps, top, who,
I watch firewall / IPS logs, I have logwatch setup and mailing daily
summaries to me and I dive deeper into logs if something looks suspicious.
What am I missing or not looking at that you security gurus are looking at?
I subscribe to the centos and SANS
2005 Jun 27
5
"sh -i" My server was hacked. How can I find the hole on my server?
Hello.
My server was hacked. The CPU has been loaded to 99% by an "sh -i" process.
I found out that someone had started phpshell through a hole in one of the phpbb forums.
They also put scripts for flood and spam and a "vadim script" in
"/tmp". I have made it noexec. Recently I found the same process again.
Maybe I have left /tmp open again, or another hole may
2006 Dec 01
4
I've been hacked -- what should I do next?
My home system has been hacked. It's running CentOS 4.4, and I
recently added an account to play around with Samba shares to back up
PCs here at home. I had set a weak password for that account and
forgot to disable it after my testing. I could hear the disk being
accessed constantly, so I knew something was up. I disabled the port
forwarding to my CentOS box on my Linksys router
2009 Jan 22
14
Antivirus for CentOS? (yuck!)
Hi All,
Yes, I know, it's really really embarrassing to have to ask but I'm
being pushed to the wall with PCI DSS Compliance procedure
(http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
we don't need to install an anti-virus or find an anti-virus to run on
our CentOS 5 servers.
Whatever I do - it needs to be convincing enough to make the PCI
compliance guy tick the
2008 Sep 01
1
How to check for rootkits, trojans etc. in backed up files?
Hi,
there is a remote (VPS) Centos 4.2 server which *may* have been
compromised. Reinstalling everything from scratch isn't a problem, it
may even be an occasion to improve a few things, the question is
another.
There are backups of necessary shell script, ASCII configuration files
and more or less important email (maildir format, if it matters)
including messages with binary attachments in
2006 Jun 21
3
Tracking down what's causing a high load?
Hiya,
Currently running Centos 4.2 x86_64 dist on a dual 3G xeon, 2G ram,
SCSI setup, and everything's been running fine on it for some time. Then at 4am
last night something kicked in (have mrtg running monitoring when) and since
then it's been running a load of about 1.5 (normally around 0.4). CPU usage
is Cpu(s): 1.1% us, 0.6% sy, 0.0% ni, 97.9% id, 0.2% wa, 0.1% hi, 0.1% si.
Can't see
2015 Nov 04
4
Server used in DOS attack on UDP port 0
Hi,
One of our AWS machines was used in a DOS attack last night and I am
looking for possible attack vectors. AWS tells me it was sending UDP port 0
traffic to a cloudflare address.
This instance had an incorrectly configured AWS security group exposing all
ports.
The server in question is a Centos 7 based FreeIPA server, OpenVPN
concentrator and DNS server.
With a brief inspection before the