On Tue, 2010-05-25 at 22:24 -0700, Duane Loftus wrote:
> On Wed, 2010-05-26 at 00:04 -0500, Mike McCarty wrote:
> > Duane Loftus wrote:
> > >
> > > YEA! Ta Da ! WooHoo!
> > >
> > > The re-install worked! I have done --propupd and --update and run the
> > > first scan after making some mods in the rkhunter.conf file.
> >
> > Congratulations!
> >
> > > {Thank you all so very much.}
> > >
> > > I am pretty sure I have a trojan or resident spoofer in there,
> >
> > Why?
>
> I have 5 domains on the server. One of the domains (which is a mirror
> of another domain that runs about 250 Meg / month) is running 5 times
> higher (1.2 Gig so far this month) in "email" traffic / bandwidth. Most
> of it is on the SMTP. It keeps exceeding the limits I have imposed. I
> know the primary user (a retired Colonel and Investment Banker) and he's
> not sending out spam. However he gets a lot of "spoofed" mail using his
> address in lieu of the actual sender.
>
> It seems that there is something rotten in Denmark and on his domain.
>
> If I knew how to read logs properly and what to look for, I might be
> better able to resolve this ongoing issue. So, I'm trying to learn.
> But at my age, learning is a bit slower than it was in the past.
>
> But I'll get there.
>
> >
> > > especially on one of the domains that has bandwidth / traffic going thru
> > > the roof. It will take some time and effort to learn the logs and what
> > > I can do about them. I'll work at it.
> > >
> > > Here is a section of my rkhunter.log. What should I be doing about the
> > > "warning" items?
> >
> > [...]
> >
> > I didn't see anything particularly scary in there, unless you don't
> > intend to run those services, in which case I'd wonder how they got
> > enabled, and shut them down.
> >
> > You might try tcpdump to get a handle on what kind of traffic
> > you are passing.
> >
> > Mike
>
Responding to the last few messages, I am running SpamAssassin on the server in
addition to this.
But I wanted to install rkhunter for two reasons.
First, rootkits are problematic and I had no way of discovering them.
Rkhunter has a good reputation.
Second, the installation itself is part of my "learning experience" with
Linux. As you could readily tell, I've a long way to go.
Oh, and third, you and your cohorts on this maillist have been terrific
and extremely helpful, for which I thank you.
Now, back to learning how to interpret and analyze the results.
And yes, Helmut, I'm part of the silver streak club. But I try not to
let that get in the way!
------------------------------------------------------------------------------
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
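Following up on the question of what to look for in the mail logs when one domain's SMTP traffic runs several times its usual volume, here is an added example (not from the thread) that aggregates a Postfix-style mail log per sender domain and records whether each message came in through an authenticated SMTP client, an unauthenticated client, or was injected locally by a process running as some uid. The thread does not say which MTA the server runs, so the Postfix log format is an assumption, and the log lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix-style log lines (not from the thread): one authenticated
# submission, one bulk message injected locally by uid 48, and an unrelated sender.
SAMPLE_LOG = """\
May 25 10:00:01 mx postfix/smtpd[2001]: A1B2C3D4E5: client=laptop.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=colonel@mirror.example
May 25 10:00:01 mx postfix/qmgr[1002]: A1B2C3D4E5: from=<colonel@mirror.example>, size=20480, nrcpt=1 (queue active)
May 25 10:05:12 mx postfix/pickup[1001]: F6E5D4C3B2: uid=48 from=<colonel@mirror.example>
May 25 10:05:12 mx postfix/qmgr[1002]: F6E5D4C3B2: from=<colonel@mirror.example>, size=512000, nrcpt=2500 (queue active)
May 25 10:07:00 mx postfix/qmgr[1002]: 0A0B0C0D0E: from=<alice@other.example>, size=10240, nrcpt=1 (queue active)
"""

QMGR = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=(\d+), nrcpt=(\d+)")
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+?)(?:,|$)")
SASL = re.compile(r"sasl_username=(\S+)")
PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<")

def message_origins(lines):
    """Queue ID -> how the message entered Postfix: authenticated SMTP client,
    unauthenticated SMTP client, or local injection (pickup) by some uid."""
    origins = {}
    for line in lines:
        if m := SMTPD.search(line):
            sasl = SASL.search(line)
            origins[m[1]] = f"sasl:{sasl[1]}" if sasl else f"unauth:{m[2]}"
        elif m := PICKUP.search(line):
            origins[m[1]] = f"local uid {m[2]}"
    return origins

def summarize_outbound(log_text):
    """Per sender domain: estimated outbound bytes (size x recipients, since
    each recipient gets a copy), message and recipient counts, and origins."""
    lines = log_text.splitlines()
    origins = message_origins(lines)
    stats = defaultdict(lambda: {"bytes": 0, "messages": 0, "recipients": 0,
                                 "origins": Counter()})
    for line in lines:
        if not (m := QMGR.search(line)):
            continue
        qid, sender, size, nrcpt = m.groups()
        s = stats[sender.rsplit("@", 1)[-1] if sender else "<>"]  # <> = bounce
        s["bytes"] += int(size) * int(nrcpt)
        s["messages"] += 1
        s["recipients"] += int(nrcpt)
        s["origins"][origins.get(qid, "unknown")] += 1
    return dict(stats)

def over_baseline(stats, baseline_bytes, factor=3):
    """Sender domains whose estimated volume exceeds factor x their normal level."""
    return sorted(d for d, s in stats.items() if s["bytes"] > factor * baseline_bytes)
```

A domain whose spike is made of messages that were never authenticated, or that were picked up locally from the web server's uid, points at the server itself rather than at someone elsewhere forging the From address.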