On Wed, 2010-05-26 at 00:04 -0500, Mike McCarty wrote:
> Duane Loftus wrote:
> >
> > YEA! Ta Da ! WooHoo!
> >
> > The re-install worked! I have done --propupd and --update and run the
> > first scan after making some mods in the rkhunter.conf file.
>
> Congratulations!
>
> > {Thank you all so very much.}
> >
> > I am pretty sure I have a trojan or resident spoofer in there,
>
> Why?
I have 5 domains on the server. One of the domains (which is a mirror
of another domain that runs about 250 Meg / month) is running 5 times
higher (1.2 Gig so far this month) in "email" traffic / bandwidth. Most
of it is on the SMTP. It keeps exceeding the limits I have imposed. I
know the primary user (a retired Colonel and Investment Banker) and he's
not sending out spam. However he gets a lot of "spoofed" mail using his
address in lieu of the actual sender.
It seems that there is something rotten in Denmark and on his domain.
If I knew how to read logs properly and what to look for, I might be
better able to resolve this ongoing issue. So, I'm trying to learn.
But at my age, learning is a bit slower than it was in the past.
But I'll get there.
>
> > especially on one of the domains that has bandwidth / traffic going through
> > the roof. It will take some time and effort to learn the logs and what
> > I can do about them. I'll work at it.
> >
> > Here is a section of my rkhunter.log. What should I be doing about the
> > "warning" items?
>
> [...]
>
> I didn't see anything particularly scary in there, unless you don't
> intend to run those services, in which case I'd wonder how they got
> enabled, and shut them down.
>
> You might try tcpdump to get a handle on what kind of traffic
> you are passing.
>
> Mike
------------------------------------------------------------------------------
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
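Duane asks what to look for in the logs, and Mike suggests measuring the traffic. As an added example that is not part of the thread (and assumes Postfix-style mail logging; the sample lines below are constructed), this script attributes each queued message to its origin (authenticated user, local process uid, or remote host) and totals bytes per sender domain. Locally originated bulk mail points at a compromised account or script on the box; remotely delivered messages with an empty envelope sender are bounces of spoofed mail, which inflate the domain's traffic without the server having sent anything.

```python
import re
from collections import defaultdict

# Constructed Postfix-style lines (sample data, not the list member's real logs).
SAMPLE_LOG = """\
May 26 00:01:02 srv postfix/smtpd[2001]: 1A2B3C: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=colonel
May 26 00:01:03 srv postfix/qmgr[1000]: 1A2B3C: from=<colonel@mirror.example>, size=1800, nrcpt=1 (queue active)
May 26 00:02:10 srv postfix/smtpd[2002]: 4D5E6F: client=mx.remote.example[203.0.113.5]
May 26 00:02:11 srv postfix/qmgr[1000]: 4D5E6F: from=<>, size=5200, nrcpt=1 (queue active)
May 26 00:03:00 srv postfix/pickup[1500]: 7A8B9C: uid=48 from=<colonel@mirror.example>
May 26 00:03:01 srv postfix/qmgr[1000]: 7A8B9C: from=<colonel@mirror.example>, size=4000, nrcpt=250 (queue active)
"""

CLIENT_RE = re.compile(r'postfix/smtpd\[\d+\]: (\w+): client=\S+\[([\d.]+)\](?:.*sasl_username=(\S+))?')
PICKUP_RE = re.compile(r'postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<')
QMGR_RE = re.compile(r'postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=(\d+), nrcpt=(\d+)')

def classify_origin(line):
    """Map a smtpd/pickup line to (queue_id, origin label), or None."""
    m = CLIENT_RE.search(line)
    if m:
        qid, ip, user = m.groups()
        if user:
            return qid, f"auth:{user}"          # submitted with SASL credentials
        return qid, "local-unauth" if ip.startswith("127.") else f"remote:{ip}"
    m = PICKUP_RE.search(line)
    if m:
        return m.group(1), f"local-uid:{m.group(2)}"  # local process (e.g. a web script)
    return None

def summarize(log_text):
    """Return {(sender_domain, origin): {"msgs", "rcpts", "bytes"}} for queued mail."""
    origin = {}
    for line in log_text.splitlines():
        r = classify_origin(line)
        if r:
            origin[r[0]] = r[1]
    totals = defaultdict(lambda: {"msgs": 0, "rcpts": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if not m:
            continue
        qid, sender, size, nrcpt = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        domain = sender.split("@")[-1] if sender else "<bounce>"  # empty sender = bounce
        t = totals[(domain, origin.get(qid, "unknown"))]
        t["msgs"] += 1; t["rcpts"] += nrcpt; t["bytes"] += size * nrcpt
    return dict(totals)

def suspicious(totals, max_rcpts_per_msg=50, max_bytes=500_000):
    """Keys worth a closer look: large fan-out or outsized volume from one origin."""
    return [k for k, t in totals.items()
            if t["rcpts"] / t["msgs"] > max_rcpts_per_msg or t["bytes"] > max_bytes]
```

Run it over a real maillog with `summarize(open("/var/log/maillog").read())`; the origin label on the flagged key says whether to look at a local account, a script running under that uid, or simply at incoming backscatter.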