> ----- Original Message -----
> From: Andrei Popescu
> Sent: 01/11/12 05:01 PM
> To: debian-user@lists.debian.org
> Subject: Re: smtp/postfix/sasl/openssh headaches
>
> On Mi, 11 ian 12, 16:41:33, Tony Baldwin wrote:
> > > > but according to lsof and netstat, as far as I can tell, the only
> > > > thing using port 25 is the smtp server.
> > >
> > > "The" smtp server is obviously not "the" smtp server you think it is.
> > >
> > > > sudo lsof -i :25
> > > > COMMAND   PID  USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > > > sendmail- 10742 root 3u IPv4  14207      0t0  TCP localhost.localdomain:smtp (LISTEN)
> >
> > My understanding is that postfix has something with the same name.
>
> From my box (squeeze and postfix):
>
> # lsof -i :25
> COMMAND PID   USER FD  TYPE DEVICE SIZE/OFF NODE NAME
> master  12339 root 12u IPv4 631016      0t0  TCP localhost:smtp (LISTEN)
>
> Something is listening on port 25, but it is not postfix. Please run
>
> aptitude search ~Pmail-transport-agent~i
>
> on your box. If the only result is "postfix" and you can't think of any
> other software on your machine that might listen to port 25 I would
> suspect a rootkit :(
Only postfix.

But this server has only been up for 9 days (Jan 2). I have noted various failed attempts (from Valencia, Spain, from China, etc., although probably all behind proxies) to log in as root. There's a lot of this in /var/log/auth.log:

Jan  8 07:01:15 (none) sshd[29968]: Failed password for root from 190.121.25.74 port 56313 ssh2
Jan  8 07:01:16 (none) sshd[29970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.121.25.74 user=root

Looks like they've tried a lot of ports.

Root access over ssh is disabled, of course, but on linode, it isn't, initially, and they give you only a root password to get in. (So, you go in, change the root password, disable root over ssh, make a user, etc.)

How would I find/remove a rootkit? I don't see any weird processes running, and it looks like all of these attempts were failures.

./tony
--
http://www.tonybaldwin.me
All Tony, all the time!

Archive: http://lists.debian.org/20120111232547.12...@gmx.com
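The two checks this thread turns on are "what is really bound to port 25, and which package put it there" and "how much of the sshd noise in auth.log is aimed at root". The script below is an added example, not code from either poster. The lines returned by sample_auth_log are constructed for the example (the first source address is the one quoted in the post; the others are documentation addresses); the function names are my own, and listener_package assumes a Debian host with ss(8), /proc and dpkg, run as root so that ss can show PIDs.

```shell
#!/bin/sh
# Added example (not from the thread): summarize sshd "Failed password"
# lines from an auth.log, and map the process listening on a TCP port to
# the Debian package that owns its executable.

# Constructed auth.log sample in the syslog/sshd/pam_unix format seen on
# Debian. Not real data: one address is from the post, the rest are
# TEST-NET documentation addresses.
sample_auth_log() {
    cat <<'EOF'
Jan  8 07:01:15 (none) sshd[29968]: Failed password for root from 190.121.25.74 port 56313 ssh2
Jan  8 07:01:16 (none) sshd[29970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.121.25.74 user=root
Jan  8 07:01:19 (none) sshd[29972]: Failed password for root from 190.121.25.74 port 56320 ssh2
Jan  8 07:02:03 (none) sshd[29980]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2
Jan  8 07:02:40 (none) sshd[29985]: Accepted publickey for tony from 198.51.100.7 port 51022 ssh2
EOF
}

# failed_logins FILE: one line per (user, source IP) as "count user ip",
# most attempts first. Only the "Failed password" line counts; the
# pam_unix line that follows it describes the same attempt and is skipped.
# "invalid user NAME" (account does not exist) is reduced to NAME.
failed_logins() {
    grep 'sshd\[[0-9]*\]: Failed password for ' "$1" |
    sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from \([^ ]*\) port.*/\2 \3/p' |
    sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# root_attempts FILE: total failed password attempts against root.
root_attempts() {
    failed_logins "$1" | awk '$2 == "root" {n += $1} END {print n + 0}'
}

# listener_package PORT: process bound to TCP PORT, its PID, the executable
# behind it, and the package that owns that file, e.g.
#   master 12339 /usr/lib/postfix/sbin/master postfix
# This resolves the truncated COMMAND column lsof prints (9 characters by
# default) to a real path. Queries the live system; needs root.
listener_package() {
    port="$1"
    ss -ltnp "sport = :$port" 2>/dev/null |
    sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\),.*/\1 \2/p' |
    while read -r name pid; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe="?"
        pkg=$(dpkg -S "$exe" 2>/dev/null | cut -d: -f1)
        echo "$name $pid $exe ${pkg:-not owned by any package}"
    done
}

# Demo: run on the constructed log, then look at port 25 on this host.
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp)
    sample_auth_log > "$log"
    failed_logins "$log"
    echo "root attempts: $(root_attempts "$log")"
    rm -f "$log"
    listener_package 25
fi
```

Run it as `sh check.sh --demo`; point failed_logins at /var/log/auth.log for real data. One caveat that matters for the question at the end of the post: a rootkit that hooks the kernel or replaces ss, lsof, ps or readlink can hide its listener from exactly these tools, so a clean answer obtained from inside the box is not proof. Cross-check from outside (a port scan of the host from another machine that shows a service the box itself does not report is a strong signal) and verify package files against their shipped checksums from a trusted boot medium rather than from the running system.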