Re: checking if my system is compromised
On Sat, 2007-04-07 at 15:33 -0700, Kamaraju Kusumanchi wrote:
> Hi all
>
> I am using Debian Etch (currently testing). Today from the abuse
> department of my ISP, I received the following warning (pasted in the
> end). My ISP has suspended my internet connection due to this.
> However, I am not able to track down the cause of the problem. I am
> wondering if anyone could help me out or tell me a better place to
> contact...
>
> I have used kopete sometime back to contact debian IRC channels.
> Other than that I have never heard of this undernet.org. I also cannot
> imagine a debian machine (especially with etch being so near to
> becoming stable) being compromised as a zombie.
>
> Here is what I have done so far
> 1) I have looked in various log files but could not find any
> suspicious activity.
>
> 2) I tried to register at http://forum.undernet.org but their system
> is not allowing me register my account.
>
> 3) I was not able to contact the original sender of the abuse report
> as there is no from address in the report forwarded to me. My ISP's
> abuse department is closed for the weekend and I am trying to resolve
> this issue before approaching them on Monday.
>
> Any ideas on how to determine+eliminate the root cause of this
> problem? Has anyone faced a similar problem before on Debian machines?
>
> thanks
> raju
More details needed. If your ISP cannot give you more details as to who
sent it, it is bogus. I've seen many of these randomly.
You need full logs. Full headers from the e-mail. And full times you are
accused.
[snip report]
Demand these. If they cannot supply them, I'd suggest finding another
ISP.
--
greg, greg@gregfolkert.net
Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup