
Re: How do I fix this?



On Monday 10 April 2006 18:22, Tony Godshall wrote:
>According to Gene Heskett,
>
>> On Saturday 08 April 2006 12:04, M A wrote:
>> >Hi there, got this from my ISP the other day:
>> >
>> >We have been forced to take your server off line, since your server
>> > is performing phishing from your secondary IP address
>> > xxx.xxx.xxx.224.
>> >
>> >That IP address was one of my secondary IPs; using Debian sarge, have
>> > iptables firewall,
>> >using qmail as the mail server ..
>> >
>> >How do I fix this, or detect that this is happening?
>> >
>> >
>> >Cheers
>>
>> You have been "rootkitted".  To learn more, go get chkrootkit and
>> rkhunter.  chkrootkit is now a bit long, but it's got most of them
>> covered.
>>
>> At the end of the day, your best recovery is to wipe and re-install,
>> and make sure the automatic software update facility is working so
>> that when security problems have been fixed, your machine will more
>> or less automatically upgrade the software to keep your machine
>> reasonably safe from future such exploits.
>
>Or, if you want to do forensic analysis, take the drive
>offline and install with a new/clean/fresh drive.  Then you
>can look at the problem at your leisure.

And that's even better advice, at the cost of a drive.  You did need a 
nice superduper 300GB for the main services didn't you? :-)

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
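A worked version of the "take the drive offline and look at it at your leisure" advice above, added here as an example (it is not code posted by anyone in the thread): it images the suspect disk sector by sector, records the hash of the original so the copy can later be shown to be intact, and prints a mount line that keeps the intruder's files from running on the analysis host. It assumes GNU coreutils (dd, sha256sum); the device and evidence paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: image a suspect disk for offline
# forensic analysis, verify the image, and emit a safe mount command.
# Assumes GNU coreutils (dd, sha256sum). /dev/sdb and /evidence below
# are placeholders for the real drive and evidence directory.

# image_disk SRC DEST
# Copy SRC to DEST sector by sector.  bs=512 with conv=noerror,sync means
# an unreadable sector is replaced by zeros (so every later offset stays
# correct) while a readable, 512-byte-aligned source is copied exactly.
image_disk() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    # Record the hash of the ORIGINAL next to the image so the copy can
    # be checked at any later time, then make both files read-only.
    sha256sum "$src" | awk '{ print $1 }' > "$dest.sha256" || return 1
    chmod 0444 "$dest" "$dest.sha256"
}

# verify_image IMG: succeed only if IMG still hashes to the recorded value.
verify_image() {
    img=$1
    expected=$(cat "$img.sha256") || return 1
    actual=$(sha256sum "$img" | awk '{ print $1 }') || return 1
    [ "$expected" = "$actual" ]
}

# mount_cmd IMG DIR: print the mount command for examining IMG.  ro keeps
# the evidence unchanged; noexec, nodev and nosuid stop binaries, device
# nodes and setuid files planted by the intruder from doing anything on
# the analysis host.  Run the printed line as root on a clean machine.
mount_cmd() {
    printf 'mount -o ro,loop,noexec,nodev,nosuid %s %s\n' "$1" "$2"
}

# Usage on the analysis box (placeholders: /dev/sdb is the suspect drive):
#   image_disk /dev/sdb /evidence/sdb.dd && verify_image /evidence/sdb.dd
#   mount_cmd /evidence/sdb.dd /mnt/evidence   # prints the mount line to run
```

Work on the image, never on the original drive, and re-run `verify_image` whenever you hand the image to someone else. The `noexec,nodev,nosuid` options matter because the filesystem you are about to browse was under the attacker's control; chkrootkit's `-r` option lets it inspect the mounted image instead of the running host.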