Re: [SLE] My server got hacked? Anyone seen this?

From: Anders Johansson (andjoh_at_rydsbo.net)
Date: 03/10/05

    To: suse-linux-e@suse.com
    Date: Thu, 10 Mar 2005 20:31:54 +0100
    
    

    On Thursday 10 March 2005 20:18, Henry Tang wrote:
    > The example I gave is bad. It is more like this
    >
    > http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-06/0473.html
    >
    > I didn't want to post the email my server was trying to send out because
    > it includes the /etc/passwd file so I posted examples I found on the
    > net. Apparently root tried to send out a couple of emails to unknown users
    > of yahoo and other email addresses as well. The email was bounced and that
    > is how I found out. :( I am not in the competition. :(

    And is your machine a Red Hat machine?

    If your machine tries to send out that email, then it does indeed look like
    you have been hacked. The information you give isn't nearly enough to say how
    it was done though.

    What OS is the machine running? Is it patched with all available security
    updates? Which services are you running on it?

    Since the mail was never sent I suspect it hasn't been "owned", but just
    caught by an automated script of some description. I would hazard a guess
    that the log files haven't been cleaned, so you should still be able to find
    traces of how they got in through them.

    If this machine is in production use, I would recommend that you let someone
    look at it who knows about security.
