
checking if my system is compromised



Hi all

    I am using Debian Etch (currently testing). Today from the abuse department of my ISP, I received the following warning (pasted at the end). My ISP has suspended my internet connection due to this. However, I am not able to track down the cause of the problem. I am wondering if anyone could help me out or tell me a better place to contact...

    I have used Kopete some time back to contact Debian IRC channels. Other than that I have never heard of this undernet.org. I also cannot imagine a Debian machine (especially with etch being so near to becoming stable) being compromised as a zombie.

Here is what I have done so far
1) I have looked in various log files but could not find any suspicious activity.

2) I tried to register at http://forum.undernet.org but their system is not allowing me to register my account.

3) I was not able to contact the original sender of the abuse report as there is no from address in the report forwarded to me. My ISP's abuse department is closed for the weekend and I am trying to resolve this issue before approaching them on Monday.

Any ideas on how to determine+eliminate the root cause of this problem? Has anyone faced a similar problem before on Debian machines?

thanks
raju


***************************
abuse report forwarded to me
***************************
Good day,

We are contacting you in order to inform the Abuse Department of your ISP that the following IPs have been compromised by unknown persons:

Ip: 128.253.28.128

Complaint ticket: PJBP-2564

Abusers have been caught on IRC (Undernet.org Network) using
the above IPs for loading IRC clients (floodbots, spambots, trojan
spreading clients, etc.) involved in illegal activities such as DDoS,
SPAMMING or Infected links/trojans spreading.

We would kindly appreciate your action to solve the hacked boxes
or inform your customers about it in order to make sure the
abusers won't be able anymore to use your services for such
activities.

As we are a non-profit Anti Abuse Project organized on an IRC
Network, please reply to our reporting e-mail, so this way we can
keep track of our Solved/Declined requests.

Sincerely,

Lucia Munteanu
***************************


