Suspected Intruder

Scot L. Harris webid at cfl.rr.com
Thu Jan 6 16:34:13 UTC 2005


On Thu, 2005-01-06 at 10:38, Don Flinn wrote:
> I suspect that an intruder may be using my node to send e-mail, because
> I have received some notices from my e-mail daemon that such and such
> was not available when I never sent e-mail to that person/address.
> 
> How do I check if someone is logged in/using my machine?  I'm running
> FC3.

First you may just be getting rejects from messages that have used your
email accounts in forged from headers.  This is very common.  And not
much you can do about it.

Second, are you running an MTA on your system?  If you are then you need
to verify that it is not an open relay.  If you are not currently
running an MTA then this should not be an issue.  

If you suspect your system has been compromised you can try running
chkrootkit or rkhunter (I think that is the correct name for the second
one).  These packages attempt to identify common root kit traces.  

Check your log files for login activity.  Of course if someone has
compromised your system they may be able to cover their traces.

If you have not done so you should install tripwire.  This will keep a
watch on critical files on your system looking for changes.  If someone
does compromise your system tripwire should alert you to any changes
they make.  But this must be set up when you know your system is secure,
not after.

If you really do believe your system has been compromised the only safe
thing to do is rebuild it from scratch.  It is virtually impossible to
make sure you have cleaned a system up once it has been compromised.

Good luck.

-- 
Scot L. Harris
webid at cfl.rr.com

sillema sillema nika su 
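The "check your log files for login activity" step above, as an added example that is not part of the original thread: a small bash/awk script that summarises accepted and failed sshd logins per user and source, and flags accepted logins from sources you did not expect. The log lines are constructed sample data in the FC3-era `/var/log/secure` format; on a real box you would feed it the actual file instead.

```bash
#!/bin/bash
# Added example, not from the original post. Constructed sample of
# /var/log/secure-style sshd lines (FC3-era syslog format, assumed).
SAMPLE_LOG='Jan  6 09:12:01 fc3box sshd[2101]: Accepted password for don from 192.168.1.20 port 40112 ssh2
Jan  6 09:12:01 fc3box sshd(pam_unix)[2101]: session opened for user don by (uid=0)
Jan  6 11:40:33 fc3box sshd[2310]: Failed password for root from 10.0.0.5 port 51820 ssh2
Jan  6 11:40:36 fc3box sshd[2310]: Failed password for root from 10.0.0.5 port 51820 ssh2
Jan  6 11:40:41 fc3box sshd[2312]: Accepted password for root from 10.0.0.5 port 51825 ssh2
Jan  6 11:40:41 fc3box sshd(pam_unix)[2312]: session opened for user root by (uid=0)'

# Read sshd log lines on stdin; print "Accepted|Failed user source count",
# one line per (result, user, source) triple, sorted. The user is the word
# before "from" and the source the word after it, so "invalid user foo"
# lines are handled too.
login_summary() {
    awk '/sshd\[[0-9]+\]: (Accepted|Failed) / {
             for (i = 6; i < NF; i++)
                 if ($i == "from") n[$6 " " $(i-1) " " $(i+1)]++
         }
         END { for (k in n) print k, n[k] }' | sort
}

# Read sshd log lines on stdin; print "user source count" for every
# accepted login whose source address is not in the allow-list passed
# as arguments (the addresses you know you log in from).
unexpected_accepted() {
    allowed=" $* "
    login_summary | while read -r kind user src count; do
        [ "$kind" = Accepted ] || continue
        case "$allowed" in
            *" $src "*) ;;                      # expected source, skip
            *) echo "$user $src $count" ;;      # worth a closer look
        esac
    done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | login_summary
printf '%s\n' "$SAMPLE_LOG" | unexpected_accepted 192.168.1.20
```

The same idea applies to `last`/`lastlog` output, and a root login from an address you do not recognise is exactly the kind of entry the thread says to look for.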