#4
10th February 2010, 20:45
mazgit
Junior Member

Hi Till,

1) Do you host a website on this server that is accessible from outside?
No, this is only a mailserver.

2) Have you checked your server with rkhunter and chkrootkit?
I have checked now with rkhunter and chkrootkit, but I am not so familiar with Linux, so I'm not sure about the result.

Here is the summary of the rkhunter run (there were a lot of warnings):
Code:
[19:07:48]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[19:07:48]     Checking for string '/dev/ida/.inet'          [ Not found ]
[19:07:48] Warning: Checking for possible rootkit strings    [ Warning ]
[19:07:48]          Found string 'hdparm' in file '/etc/init.d/boot.idedma'. Possible rootkit: Xzibit Rootkit
[19:07:48]
[19:07:48] Performing malware checks
[19:07:48] Info: Starting test name 'malware'
[19:07:48]
[19:07:48] Info: Test 'deleted_files' disabled at users request.
[19:07:48] Info: Starting test name 'running_procs'
[19:07:48]   Checking running processes for suspicious files [ None found ]
[19:07:48]
[19:07:48] Info: Test 'hidden_procs' disabled at users request.
[19:07:48]
[19:07:48] Info: Test 'suspscan' disabled at users request.
[19:07:48]
[19:07:48]   Performing check for login backdoors
[19:07:49] Info: Starting test name 'other_malware'
[19:07:49]     Checking for '/bin/.login'                    [ Not found ]
[19:07:49]     Checking for '/sbin/.login'                   [ Not found ]
[19:07:49]   Checking for login backdoors                    [ None found ]
[19:07:49]
[19:07:49]   Performing check for suspicious directories
[19:07:49]     Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
[19:07:49]     Checking for directory '/dev/rd/cdb'          [ Not found ]
[19:07:49]   Checking for suspicious directories             [ None found ]
[19:07:49]
[19:07:49]   Checking for software intrusions                [ Skipped ]
[19:07:49] Info: Check skipped - tripwire not installed
[19:07:49]
[19:07:49]   Performing check for sniffer log files
[19:07:49]     Checking for file '/usr/lib/libice.log'       [ Not found ]
[19:07:49]     Checking for file '/dev/prom/sn.l'            [ Not found ]
[19:07:49]     Checking for file '/dev/fd/.88/zxsniff.log'   [ Not found ]
[19:07:49]   Checking for sniffer log files                  [ None found ]
[19:07:49]
[19:07:49] Performing trojan specific checks
[19:07:49] Info: Starting test name 'trojans'
[19:07:49]   Checking for enabled inetd services             [ Skipped ]
[19:07:49] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[19:07:49]
[19:07:49]   Performing check for enabled xinetd services
[19:07:49] Info: Using xinetd configuration file '/etc/xinetd.conf'
[19:07:49]     Checking '/etc/xinetd.conf' for enabled services [ None found ]
[19:07:49]       Found 'includedir /etc/xinetd.d' directive
[19:07:49]     Checking '/etc/xinetd.d/chargen' for enabled services [ None found ]
[19:07:49]     Checking '/etc/xinetd.d/chargen-udp' for enabled services [ None found ]
[19:07:49]     Checking '/etc/xinetd.d/daytime' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/daytime-udp' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/echo' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/echo-udp' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/fam' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/netstat' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/omni' for enabled services [ Warning ]
[19:07:50]     Checking '/etc/xinetd.d/servers' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/services' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/systat' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/time' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/time-udp' for enabled services [ None found ]
[19:07:50]   Checking for enabled xinetd services            [ Warning ]
[19:07:50] Warning: Found enabled xinetd service: /etc/xinetd.d/omni
[19:07:50] Info: Apache backdoor check skipped: Apache modules and configuration directories not found.
[19:07:50]
[19:07:50] Performing Linux specific checks
[19:07:50] Info: Starting test name 'os_specific'
[19:07:50]   Checking loaded kernel modules                  [ OK ]
[19:07:50] Info: Using modules pathname of '/lib/modules/2.6.13-15.18-default'
[19:07:50]   Checking kernel module names                    [ OK ]
[19:07:57]
[19:07:57] Checking the network...
[19:07:57] Info: Starting test name 'network'
[19:07:57] Info: Starting test name 'ports'
[19:07:57]
[19:07:57] Performing check for backdoor ports
[19:07:57]   Checking for TCP port 1524                      [ Not found ]
[19:07:57]   Checking for TCP port 1984                      [ Not found ]
[19:07:58]   Checking for UDP port 2001                      [ Not found ]
[19:07:58]   Checking for TCP port 2006                      [ Not found ]
[19:07:58]   Checking for TCP port 2128                      [ Not found ]
[19:07:58]   Checking for TCP port 6666                      [ Not found ]
[19:07:58]   Checking for TCP port 6667                      [ Not found ]
[19:07:58]   Checking for TCP port 6668                      [ Not found ]
[19:07:58]   Checking for TCP port 6669                      [ Not found ]
[19:07:58]   Checking for TCP port 7000                      [ Not found ]
[19:07:58]   Checking for TCP port 13000                     [ Not found ]
[19:07:58]   Checking for TCP port 14856                     [ Not found ]
[19:07:58]   Checking for TCP port 25000                     [ Not found ]
[19:07:59]   Checking for TCP port 29812                     [ Not found ]
[19:07:59]   Checking for TCP port 31337                     [ Not found ]
[19:07:59]   Checking for TCP port 33369                     [ Not found ]
[19:07:59]   Checking for TCP port 47107                     [ Not found ]
[19:07:59]   Checking for TCP port 47018                     [ Not found ]
[19:07:59]   Checking for TCP port 60922                     [ Not found ]
[19:07:59]   Checking for TCP port 62883                     [ Not found ]
[19:07:59]   Checking for TCP port 65535                     [ Not found ]
[19:07:59]
[19:07:59] Performing checks on the network interfaces
[19:07:59] Info: Starting test name 'promisc'
[19:07:59]   Checking for promiscuous interfaces             [ None found ]
[19:07:59]
[19:07:59] Info: Test 'packet_cap_apps' disabled at users request.
[19:08:05]
[19:08:05] Checking the local host...
[19:08:05] Info: Starting test name 'local_host'
[19:08:05]
[19:08:05] Performing system boot checks
[19:08:05] Info: Starting test name 'startup_files'
[19:08:05]   Checking for local host name                    [ Found ]
[19:08:05] Info: Starting test name 'startup_malware'
[19:08:05]   Checking for system startup files               [ Found ]
[19:08:08]   Checking system startup files for malware       [ None found ]
[19:08:08]
[19:08:08] Performing group and account checks
[19:08:08] Info: Starting test name 'group_accounts'
[19:08:08]   Checking for passwd file                        [ Found ]
[19:08:08] Info: Found password file: /etc/passwd
[19:08:08]   Checking for root equivalent (UID 0) accounts   [ None found ]
[19:08:08] Info: Found shadow file: /etc/shadow
[19:08:08]   Checking for passwordless accounts              [ None found ]
[19:08:08] Info: Starting test name 'passwd_changes'
[19:08:08]   Checking for passwd file changes                [ None found ]
[19:08:08] Info: Starting test name 'group_changes'
[19:08:08]   Checking for group file changes                 [ None found ]
[19:08:08]   Checking root account shell history files       [ OK ]
[19:08:08]
[19:08:08] Performing system configuration file checks
[19:08:08] Info: Starting test name 'system_configs'
[19:08:08]   Checking for SSH configuration file             [ Found ]
[19:08:08] Info: Found SSH configuration file: /etc/ssh/sshd_config
[19:08:08] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[19:08:08] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[19:08:08]   Checking if SSH root access is allowed          [ Not allowed ]
[19:08:08]   Checking if SSH protocol v1 is allowed          [ Warning ]
[19:08:08] Warning: The SSH configuration option 'Protocol' has not been set.
           The default value may be '2,1', to allow the use of protocol version 1.
[19:08:09]   Checking for running syslog daemon              [ Found ]
[19:08:09]   Checking for syslog configuration file          [ Found ]
[19:08:09] Info: Found syslog configuration file: /etc/syslog-ng/syslog-ng.conf
[19:08:09]   Checking if syslog remote logging is allowed    [ Not allowed ]
[19:08:09]
[19:08:09] Performing filesystem checks
[19:08:09] Info: Starting test name 'filesystem'
[19:08:09] Info: SCAN_MODE_DEV set to 'THOROUGH'
[19:08:09]   Checking /dev for suspicious file types         [ None found ]
[19:08:09]   Checking for hidden files and directories       [ Warning ]
[19:08:09] Warning: Hidden directory found: /dev/.udevdb
[19:08:20]
[19:08:20] Checking application versions...
[19:08:20] Info: Starting test name 'apps'
[19:08:22] Info: Application 'exim' not found.
[19:08:22]   Checking version of GnuPG                       [ Warning ]
[19:08:22] Warning: Application 'gpg', version '1.4.2', is out of date, and possibly a security risk.
[19:08:22]   Checking version of Apache                      [ Warning ]
[19:08:22] Warning: Application 'httpd', version '2.0.54', is out of date, and possibly a security risk.
[19:08:22]   Checking version of Bind DNS                    [ Warning ]
[19:08:22] Warning: Application 'named', version '9.3.2', is out of date, and possibly a security risk.
[19:08:22]   Checking version of OpenSSL                     [ Warning ]
[19:08:22] Warning: Application 'openssl', version '0.9.7g', is out of date, and possibly a security risk.
[19:08:22]   Checking version of PHP                         [ OK ]
[19:08:22] Info: Application 'php' version '4.4.0' found.
[19:08:22]   Checking version of Procmail MTA                [ OK ]
[19:08:22] Info: Application 'procmail' version '3.22' found.
[19:08:22]   Checking version of ProFTPd                     [ OK ]
[19:08:22] Info: Application 'proftpd' version '1.2.10' found.
[19:08:22]   Checking version of OpenSSH                     [ Warning ]
[19:08:22] Warning: Application 'sshd', version '4.1p1', is out of date, and possibly a security risk.
[19:08:22] Info: Applications checked: 8 out of 9
[19:08:22]
[19:08:22] System checks summary
[19:08:23] =====================
[19:08:23]
[19:08:23] File properties checks...
[19:08:23] Required commands check failed
[19:08:23] Files checked: 137
[19:08:23] Suspect files: 6
[19:08:23]
[19:08:23] Rootkit checks...
[19:08:23] Rootkits checked : 249
[19:08:23] Possible rootkits: 1
[19:08:23] Rootkit names    : Xzibit Rootkit
[19:08:23]
[19:08:23] Applications checks...
[19:08:23] Applications checked: 8
[19:08:23] Suspect applications: 5
[19:08:23]
[19:08:23] The system checks took: 2 minutes and 13 seconds
[19:08:23]
[19:08:23] Info: End date is Wed Feb 10 19:08:23 CET 2010
Here is part of the output from chkrootkit:
Code:
/usr/bin/find: head terminated by signal 13

/tmp/root/ispconfig/php/lib/php/build/run-tests.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_procmail.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_db_mysql.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_string.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_isp_file.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_template.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_bind.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_sendmail.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_file.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_log.lib.php
/tmp/root/ispconfig/scripts/lib/config.lib.php
/tmp/root/ispconfig/scripts/lib/config.inc.php
/tmp/root/ispconfig/scripts/lib/server.inc.php
/tmp/root/ispconfig/scripts/shell/quota_msg.php
/tmp/root/ispconfig/scripts/shell/ftp_logs.php
/tmp/root/ispconfig/scripts/shell/traffic.php
/tmp/root/ispconfig/scripts/shell/check_services.php
/tmp/root/ispconfig/scripts/shell/logs.php
/tmp/root/ispconfig/scripts/shell/webalizer.php
/tmp/root/ispconfig/scripts/shell/backup.php
/tmp/root/ispconfig/scripts/shell/firewall.php
/tmp/root/ispconfig/scripts/shell/mail_logs.php
/tmp/root/ispconfig/scripts/shell/cleanup.php
/tmp/root/ispconfig/scripts/writeconf.php
/tmp/horde/imp-h3-4.1.1/lib/Auth/imp.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP/Client.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP/Search.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP/Tree.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP/Thread.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP/Sort.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/rfc822.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/plain.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/images.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/html.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/notification.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/zip.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/partial.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/tnef.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/related.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/itip.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/multipart.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/alternative.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/pkcs7.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/appledouble.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/pgp.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/status.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/enriched.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Contents.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Headers.php
/tmp/horde/imp-h3-4.1.1/lib/Identity/imp.php
/tmp/horde/imp-h3-4.1.1/lib/Mailbox.php
/tmp/horde/imp-h3-4.1.1/lib/Block/summary.php
/tmp/horde/imp-h3-4.1.1/lib/Block/tree_folders.php
/tmp/horde/imp-h3-4.1.1/lib/Crypt/PGP.php
/tmp/horde/imp-h3-4.1.1/lib/Crypt/SMIME.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/cyrus.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/mercury32.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/command.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/logfile.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/courier.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/mdaemon.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP.php
/tmp/horde/imp-h3-4.1.1/lib/prefs.php
/tmp/horde/imp-h3-4.1.1/lib/version.php
/tmp/horde/imp-h3-4.1.1/lib/Session.php
/tmp/horde/imp-h3-4.1.1/lib/Fetchmail/imap.php
/tmp/horde/imp-h3-4.1.1/lib/Filter.php
/tmp/horde/imp-h3-4.1.1/lib/Maillog.php
/tmp/horde/imp-h3-4.1.1/lib/Folder.php
/tmp/horde/imp-h3-4.1.1/lib/Notification/Listener/status.php
/tmp/horde/imp-h3-4.1.1/lib/Search.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/fetchmail_login.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/tos_agreement.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/purge_trash.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/rename_sentmail_monthly.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/delete_sentmail_monthly.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/delete_attachments_monthly.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/imp.php
/tmp/horde/imp-h3-4.1.1/lib/api.php
/tmp/horde/imp-h3-4.1.1/lib/IMP.php
/tmp/horde/imp-h3-4.1.1/lib/Spam.php
/tmp/horde/imp-h3-4.1.1/lib/Fetchmail.php
/tmp/horde/imp-h3-4.1.1/lib/Message.php
/tmp/horde/imp-h3-4.1.1/lib/Compose.php
/tmp/horde/imp-h3-4.1.1/lib/Quota.php
/tmp/horde/imp-h3-4.1.1/lib/base.php
/tmp/horde/imp-h3-4.1.1/folders.php
/tmp/horde/imp-h3-4.1.1/message.php
/tmp/horde/imp-h3-4.1.1/compose.php
/tmp/horde/imp-h3-4.1.1/stationery.php
/tmp/horde/imp-h3-4.1.1/scripts/custom_login.php
/tmp/horde/imp-h3-4.1.1/redirect.php
/tmp/horde/imp-h3-4.1.1/spelling.php
/tmp/horde/imp-h3-4.1.1/test.php
/tmp/horde/imp-h3-4.1.1/login.php
/tmp/horde/imp-h3-4.1.1/mailbox.php
/tmp/horde/imp-h3-4.1.1/fetchmailprefs.php
/tmp/horde/imp-h3-4.1.1/smime.php
/tmp/horde/imp-h3-4.1.1/index.php
/tmp/horde/imp-h3-4.1.1/acl.php
/tmp/horde/imp-h3-4.1.1/fetchmail.php
/tmp/horde/imp-h3-4.1.1/attachment.php
/tmp/horde/imp-h3-4.1.1/search.php
/tmp/horde/imp-h3-4.1.1/expand.php
/tmp/horde/imp-h3-4.1.1/saveimage.php
/tmp/horde/imp-h3-4.1.1/pgp.php
/tmp/horde/imp-h3-4.1.1/filterprefs.php
/tmp/horde/imp-h3-4.1.1/view.php
/tmp/horde/imp-h3-4.1.1/recompose.php
/tmp/horde/imp-h3-4.1.1/thread.php
/tmp/horde/imp-h3-4.1.1/contacts.php
Binary file (standard input) matches
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth1: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         6347 tty5   /sbin/mingetty tty5
! root         6532 tty6   /sbin/mingetty tty6
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
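An added triage helper for logs like the one quoted in this post. It is example code written for this page, not part of the post and not code from rkhunter itself. It parses lines in the rkhunter log format shown above (an optional `[HH:MM:SS]` timestamp, check lines ending in a bracketed result such as `[ Warning ]`, `Warning:` lines, and unprefixed or indented continuation lines), groups each warning with its detail lines, and buckets the findings by kind so that a long log collapses to the short list of items that actually need a look. The sample lines embedded in the block are copied from the log above; the category names and the classification patterns are my own choices, not rkhunter's.

```python
"""Triage helper for rkhunter log output (added example, not rkhunter's own code).

Groups every '[ Warning ]' check with the 'Warning:' message and any
continuation lines that follow it, then buckets the findings by kind so
that a long log can be reduced to the handful of items that need review.
"""
import re

# Constructed sample: a handful of lines copied from the rkhunter log quoted in the post.
SAMPLE_LOG = """\
[19:07:48] Warning: Checking for possible rootkit strings    [ Warning ]
[19:07:48]          Found string 'hdparm' in file '/etc/init.d/boot.idedma'. Possible rootkit: Xzibit Rootkit
[19:07:48]
[19:07:49]   Checking for login backdoors                    [ None found ]
[19:07:50]   Checking for enabled xinetd services            [ Warning ]
[19:07:50] Warning: Found enabled xinetd service: /etc/xinetd.d/omni
[19:08:08]   Checking if SSH protocol v1 is allowed          [ Warning ]
[19:08:08] Warning: The SSH configuration option 'Protocol' has not been set.
           The default value may be '2,1', to allow the use of protocol version 1.
[19:08:09]   Checking for hidden files and directories       [ Warning ]
[19:08:09] Warning: Hidden directory found: /dev/.udevdb
[19:08:22]   Checking version of OpenSSL                     [ Warning ]
[19:08:22] Warning: Application 'openssl', version '0.9.7g', is out of date, and possibly a security risk.
[19:08:22] Info: Application 'php' version '4.4.0' found.
"""

TIMESTAMP_RE = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]")
# A check line ends in a bracketed result such as "[ OK ]" or "[ Warning ]";
# the check name itself may carry a "Warning:" prefix, as in the first sample line.
CHECK_RE = re.compile(r"^\s*(?:Warning:\s*)?(.*?)\s+\[ (.+?) \]\s*$")

# Ordered classification rules (my own names); the first pattern that matches wins.
CATEGORIES = [
    ("outdated-software", re.compile(r"is out of date")),
    ("rootkit-signature", re.compile(r"Possible rootkit")),
    ("hidden-file", re.compile(r"Hidden (?:directory|file) found")),
    ("enabled-service", re.compile(r"enabled xinetd service")),
    ("ssh-config", re.compile(r"SSH configuration option")),
]


def parse_rkhunter_log(text):
    """Return a list of warning dicts: {'check', 'message', 'details'}."""
    warnings = []
    current = None  # the warning entry still collecting detail lines, if any
    for raw in text.splitlines():
        body = TIMESTAMP_RE.sub("", raw, count=1)
        if not body.strip():
            current = None  # a blank log line ends the current warning
            continue
        if body.lstrip().startswith("Info:"):
            current = None  # informational lines never belong to a warning
            continue
        check = CHECK_RE.match(body)
        if check:
            name, result = check.group(1), check.group(2)
            current = None
            if result == "Warning":
                current = {"check": name, "message": None, "details": []}
                warnings.append(current)
            continue
        stripped = body.strip()
        if stripped.startswith("Warning:"):
            message = stripped[len("Warning:"):].strip()
            if current is not None and current["message"] is None:
                current["message"] = message
            else:
                # A 'Warning:' line without a preceding warning check; keep it anyway.
                current = {"check": None, "message": message, "details": []}
                warnings.append(current)
            continue
        if current is not None:
            current["details"].append(stripped)  # indented or unprefixed continuation
    return warnings


def classify(entry):
    """Map one warning entry to a category name."""
    text = " ".join([entry["message"] or ""] + entry["details"])
    for name, pattern in CATEGORIES:
        if pattern.search(text):
            return name
    return "other"


def summarize(text):
    """Return {category: [one-line description, ...]} for a whole log."""
    summary = {}
    for entry in parse_rkhunter_log(text):
        headline = entry["message"] or (entry["details"][0] if entry["details"] else "")
        line = f"{entry['check'] or '(no check line)'}: {headline}"
        summary.setdefault(classify(entry), []).append(line)
    return summary


if __name__ == "__main__":
    for category, lines in summarize(SAMPLE_LOG).items():
        print(f"== {category} ({len(lines)})")
        for line in lines:
            print("   ", line)
```

Run it against a saved `rkhunter.log` by replacing `SAMPLE_LOG` with the file contents. The grouping only sorts findings; it does not decide whether any of them is a real compromise. A string match inside an init script, a hidden directory under `/dev`, or an out-of-date version string each still has to be checked against the file on disk and the distribution's package database, and rkhunter's configuration file has whitelist options for paths that turn out to be legitimate.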