RE: [Nolug] SSH Key Question

From: Wimprine, Thomas <twimprine_at_stei.com>
Date: Thu, 28 Aug 2003 10:36:02 -0500
Message-ID: <30397D20E848D2119BA70008C724E28D0EB54CB1@lajeffeex01.stei.com>

This is the only 'suspicious' thing it found. A lot looks like what I just
installed for graphdefang.

I think I'm going to spend the rest of the day installing and configuring
tripwire. FUN FUN FUN!!!

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Digest/MD5/.packlist
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/File/Spec/.packlist
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Storable/.packlist
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Time/HiRes/.packlist
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/CPAN/.packlist
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Net/.packlist
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/DB_File/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/IO-stringy/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME/Base64/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME/Lite/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/Audit/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/SpamAssassin/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME-tools/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Net/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Net/Telnet/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/HTML/Tagset/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/HTML/Parser/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/razor-agents-sdk/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/razor-agents/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Archive/Tar/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Term/ReadKey/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Term/ReadLine/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Unix/Syslog/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/File/ReadBackwards/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/CPAN/WAIT/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/TimeDate/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MLDBM/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/Text/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/Graph/.packlist
/usr/lib/qt-3.0.5/etc/settings/.qtrc.lock
/usr/lib/qt-3.0.5/etc/settings/.qt_plugins_3.0rc.lock
/usr/lib/qt-3.0.5/etc/settings/.kstylerc.lock
/usr/lib/openoffice/share/gnome/net/.directory
/usr/lib/openoffice/share/gnome/net/.order
/usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.directory
/usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.order
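Added example, not part of this mail or of chkrootkit/tripwire: a small Python script that does the two things this thread is working toward. First it parses chkrootkit's "suspicious files and dirs" section (re-joining paths that the archive wrapped across lines, as happened above) and sorts each path into "matches an expected pattern" or "needs a look"; the allow-list patterns are an assumption modelled on the kinds of paths in the output above (Perl .packlist files under auto/, Qt settings .lock files, desktop-menu .directory/.order files). Second it shows the tripwire-style step: snapshot a tree as size+SHA-256, change a file, and report what differs, which is exactly how a replaced SSH host key file would show up. The sample output and the files it hashes are constructed.

```python
"""Triage chkrootkit 'suspicious files' output and take a hash baseline.

Added example; the allow-list below is an assumption, not chkrootkit's own logic.
"""
import hashlib
import os
import re
import tempfile

# Constructed sample in the shape of the chkrootkit output above: one path is
# wrapped across two lines, one line carries two paths, and the last path
# matches no expected pattern at all.
SAMPLE_OUTPUT = """\
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Digest/MD5/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/SpamAssassi
n/.packlist
/usr/lib/qt-3.0.5/etc/settings/.qtrc.lock /usr/lib/qt-3.0.5/etc/settings/.kstylerc.lock
/usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.directory
/usr/lib/.hidden/.x
"""

# Assumed benign patterns (each must match the whole path): files that Perl
# module installs, Qt and OpenOffice legitimately write with a leading dot.
BENIGN_PATTERNS = [
    re.compile(r"^/usr/lib/perl5/(site_perl/)?[\d.]+/[^/]+/(auto/.*/)?\.packlist$"),
    re.compile(r"^/usr/lib/qt-[\d.]+/etc/settings/\.[\w.]+\.lock$"),
    re.compile(r"^/usr/lib/openoffice/share/.*/\.(directory|order)$"),
]


def parse_chkrootkit(text):
    """Return the paths listed in the suspicious-files section.

    A line with several space-separated tokens that start with '/' holds
    several paths; a single token that does not start with '/' is the wrapped
    tail of the previous path and is glued back on.
    """
    paths = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for tok in line.split():
            if tok.startswith("/"):
                paths.append(tok)
            elif paths and " " not in line:
                paths[-1] += tok
    return paths


def triage(paths):
    """Split paths into (benign, review) using the assumed allow-list."""
    benign, review = [], []
    for p in paths:
        (benign if any(r.match(p) for r in BENIGN_PATTERNS) else review).append(p)
    return benign, review


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root to (size, sha256): a tripwire-style snapshot."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = (os.path.getsize(full), hash_file(full))
    return baseline


def compare_baseline(old, new):
    """Return (added, removed, changed) relative paths between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, changed


def demo_integrity_check():
    """Snapshot a constructed tree, alter it, and report what a baseline would catch."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc/ssh"))
        with open(os.path.join(root, "etc/ssh/ssh_host_rsa_key.pub"), "w") as f:
            f.write("ssh-rsa AAAA-constructed-key root@gateway\n")
        with open(os.path.join(root, "etc/passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        before = build_baseline(root)
        # Simulated changes: host key replaced, a new hidden file, passwd untouched.
        with open(os.path.join(root, "etc/ssh/ssh_host_rsa_key.pub"), "w") as f:
            f.write("ssh-rsa BBBB-constructed-key root@gateway\n")
        with open(os.path.join(root, "etc/.hidden"), "w") as f:
            f.write("x\n")
        after = build_baseline(root)
        return compare_baseline(before, after)


if __name__ == "__main__":
    benign, review = triage(parse_chkrootkit(SAMPLE_OUTPUT))
    print("expected:", *benign, sep="\n  ")
    print("review:", *review, sep="\n  ")
    print("baseline diff (added, removed, changed):", demo_integrity_check())
```

The allow-list only says a path looks like something a known installer writes; on an RPM-based box the next check is whether the package manager actually owns the file, and the baseline is only trustworthy if it was taken before the event you are investigating, which is why the thread's order (suspect, run chkrootkit, then install tripwire) leaves the host-key question open for this incident.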

-----Original Message-----
From: Wimprine, Thomas [mailto:twimprine@stei.com]
Sent: Thursday, August 28, 2003 10:20 AM
To: 'nolug@joeykelly.net'
Subject: RE: [Nolug] SSH Key Question

Sendmail with mimedefang, spamassassin, and AV. Then it relays it to my
exchange box.

I'm downloading the kit right now

-----Original Message-----
From: Scott Harney [mailto:scotth@scottharney.com]
Sent: Thursday, August 28, 2003 10:16 AM
To: nolug@joeykelly.net
Subject: Re: [Nolug] SSH Key Question

"Wimprine, Thomas" <twimprine@stei.com> writes:

> Both systems are at work and the one I'm trying to get to is my email
> gateway. It's a RH8 box but I haven't performed any updates recently. It's
> behind the corp firewall and the only thing open to the outside is port 25.
> The system I'm sshing (is that really a verb?) from is a W2K box running
> putty.
> It's the system key also not my user keys. I'm getting the message before I
> login to the system.

hmm. you might want to try chkrootkit as joey recommended. What smtp
software version are you running on port 25?

-- 
Scott Harney<scotth@scottharney.com>
"...and one script to rule them all."
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
___________________
Nolug mailing list
nolug@nolug.org
Received on 08/28/03

This archive was generated by hypermail 2.2.0 : 12/19/08 EST