
Re: smtp/postfix/sasl/openssh headaches



> ----- Original Message -----
> From: Andrei Popescu
> Sent: 01/11/12 05:01 PM
> To: debian-user@lists.debian.org
> Subject: Re: smtp/postfix/sasl/openssh headaches
> 
> On Mi, 11 ian 12, 16:41:33, Tony Baldwin wrote:
> > > > but according to lsof and netstat, as far as I can tell, the only 
> > > > thing using port 25 is the smtp server.
> > > 
> > > "The" smtp server is obviously not "the" smtp server you think it is.
> > > 
> > > > sudo lsof -i :25
> > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > > > sendmail- 10742 root 3u IPv4 14207 0t0 TCP localhost.localdomain:smtp (LISTEN)
> > 
> > My understanding is that postfix has something with the same name.
> 
> From my box (squeeze and postfix):
> 
> # lsof -i :25
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> master 12339 root 12u IPv4 631016 0t0 TCP localhost:smtp (LISTEN)
> 
> Something is listening to port 25, but it is not postfix. Please run
> 
> aptitude search ~Pmail-transport-agent~i
> 
> on your box. If the only result is "postfix" and you can't think of any 
> other software on your machine that might listen to port 25 I would 
> suspect a rootkit :(
> 

Only postfix.
But this server has only been up for 9 days (Jan 2).
I have noted various failed attempts (from Valencia, Spain, from China, etc., although probably all behind proxies) to log in as root.

There's a lot of this in /var/log/auth.log:
Jan  8 07:01:15 (none) sshd[29968]: Failed password for root from 190.121.25.74 port 56313 ssh2
Jan  8 07:01:16 (none) sshd[29970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.121.25.74  user=root

Looks like they've tried a lot of ports.

Root access over ssh is disabled, of course, but on linode, it isn't, initially, and they give you only a root password to get in.
(So, you go in change the root password, disable root over ssh, make a user, etc.)

How would I find/remove a rootkit?  I don't see any weird processes running, and it looks like all of these attempts were failures.

./tony
--
http://www.tonybaldwin.me
All Tony, all the time!
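Added example, not from the thread: a small Python script that summarises sshd lines of the kind quoted above from /var/log/auth.log per source host and also lists any accepted logins, which is the first thing to check when deciding whether the attempts really were all failures. The sample log text is constructed (the two lines quoted in the message, plus made-up lines in the same format).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines in the format quoted above.
# The first two lines are the ones from the message; the rest are made up.
SAMPLE_AUTH_LOG = """\
Jan  8 07:01:15 (none) sshd[29968]: Failed password for root from 190.121.25.74 port 56313 ssh2
Jan  8 07:01:16 (none) sshd[29970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.121.25.74  user=root
Jan  8 07:01:20 (none) sshd[29975]: Failed password for root from 190.121.25.74 port 56320 ssh2
Jan  8 07:02:03 (none) sshd[29981]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Jan  8 07:02:05 (none) sshd[29983]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Jan  8 07:03:10 (none) sshd[29990]: Accepted publickey for tony from 198.51.100.7 port 51000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<rhost>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+)"
)

def summarise_ssh_auth(log_text):
    """Return (failed, accepted): failed maps rhost -> Counter of user names,
    accepted is a list of (user, rhost, method) for successful logins.
    The pam_unix lines repeat the 'Failed password' events, so they are skipped."""
    failed = defaultdict(Counter)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m["rhost"]][m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["rhost"], m["method"]))
    return dict(failed), accepted

def suspicious_sources(failed, threshold=2):
    """Source hosts with at least `threshold` failed attempts, most active first."""
    totals = {h: sum(c.values()) for h, c in failed.items()}
    return sorted((h for h, n in totals.items() if n >= threshold),
                  key=lambda h: -totals[h])

if __name__ == "__main__":
    failed, accepted = summarise_ssh_auth(SAMPLE_AUTH_LOG)
    for host in suspicious_sources(failed):
        print(host, dict(failed[host]))
    for user, host, method in accepted:
        print("accepted:", user, "from", host, "via", method)
```

Run it against the real file with `summarise_ssh_auth(open("/var/log/auth.log").read())`; an "Accepted password for root" entry from an unfamiliar host is the line that would turn the rootkit question from a suspicion into a finding.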

