Re: [Nolug] SSH Key Question

From: Scott Harney <scotth_at_scottharney.com>
Date: Thu, 28 Aug 2003 11:10:45 -0500
Message-ID: <87isohdapm.fsf@zenarcade.local.lan>

"Wimprine, Thomas" <twimprine@stei.com> writes:

> This is the only 'suspicious' thing it found. A lot looks like what I just
> installed for graphdefang.
>
> I think I'm going to spend the rest of the day installing and configuring
> tripwire. FUN FUN FUN!!!

try AIDE instead. A little more modern than tw. tw is a little
long in the tooth and tough to compile.

>
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Digest/MD5/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/File/Spec/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Storable/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Time/HiRes/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/CPAN/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Net/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/DB_File/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/IO-stringy/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME/Base64/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME/Lite/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/Audit/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/SpamAssassin/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME-tools/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Net/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Net/Telnet/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/HTML/Tagset/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/HTML/Parser/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/razor-agents-sdk/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/razor-agents/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Archive/Tar/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Term/ReadKey/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Term/ReadLine/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Unix/Syslog/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/File/ReadBackwards/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/CPAN/WAIT/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/TimeDate/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MLDBM/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/Text/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/Graph/.packlist
> /usr/lib/qt-3.0.5/etc/settings/.qtrc.lock
> /usr/lib/qt-3.0.5/etc/settings/.qt_plugins_3.0rc.lock
> /usr/lib/qt-3.0.5/etc/settings/.kstylerc.lock
> /usr/lib/openoffice/share/gnome/net/.directory
> /usr/lib/openoffice/share/gnome/net/.order
> /usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.directory
> /usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.order
>
> -----Original Message-----
> From: Wimprine, Thomas [mailto:twimprine@stei.com]
> Sent: Thursday, August 28, 2003 10:20 AM
> To: 'nolug@joeykelly.net'
> Subject: RE: [Nolug] SSH Key Question
>
> Sendmail with mimedefang, spamassassin, and AV. Then it relays it to my
> exchange box.
>
> I'm downloading the kit right now
>
> -----Original Message-----
> From: Scott Harney [mailto:scotth@scottharney.com]
> Sent: Thursday, August 28, 2003 10:16 AM
> To: nolug@joeykelly.net
> Subject: Re: [Nolug] SSH Key Question
>
> "Wimprine, Thomas" <twimprine@stei.com> writes:
>
>> Both systems are at work and the one I'm trying to get to is my email
>> gateway. It's a RH8 box but I haven't performed any updates recently. It's
>> behind the corp firewall and the only thing open to the outside is port 25.
>> The system I'm sshing (is that really a verb?) from is a W2K box running
>> putty.
>> It's the system key also not my user keys. I'm getting the message before I
>> login to the system.
>
> hmm. you might want to try chkrootkit as joey recommended. What smtp
> software version are you running on port 25?
>
>
> --
> Scott Harney<scotth@scottharney.com>
> "...and one script to rule them all."
> gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
> ___________________
> Nolug mailing list
> nolug@nolug.org
>

-- 
Scott Harney<scotth@scottharney.com>
"...and one script to rule them all."
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
___________________
Nolug mailing list
nolug@nolug.org
Received on 08/28/03
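
Added example, not part of the original thread and not chkrootkit or AIDE code: a quick triage of the hidden-file hits from a chkrootkit "suspicious files and dirs" section like the one quoted above, so that a .packlist that is not plain text or is executable stands out from the ones a Perl module install leaves behind. The function names and the sample tree are constructed for illustration; the packlist check assumes each line of a .packlist begins with an absolute path.

```python
import os
import stat
import tempfile

BANNER = "Searching for suspicious files and dirs"

def parse_hits(report):
    """Return the paths listed under chkrootkit's suspicious-files banner."""
    hits, in_section = [], False
    for line in report.splitlines():
        line = line.strip()
        if line.startswith(BANNER):
            in_section = True
        elif in_section and line.startswith("/"):
            hits.extend(line.split())  # several paths may share a line
        elif in_section and line:
            break                      # next check's banner ends the section
    return hits

def triage(path):
    """Return the reasons a flagged file deserves a closer look ([] = none)."""
    try:
        st = os.lstat(path)            # lstat: do not follow symlinks
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    reasons = []
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable bit set")
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid")
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if b"\0" in head:
        reasons.append("binary content")
    elif os.path.basename(path) == ".packlist" and any(
            l and not l.startswith(b"/") for l in head.splitlines()):
        reasons.append("not packlist-shaped")
    return reasons

def demo():
    """Constructed tree: one ordinary packlist and one impostor."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "auto", "Net", ".packlist")
    fake = os.path.join(root, "auto", "GD", ".packlist")
    for p, data, mode in ((good, b"/usr/lib/perl5/Net/Telnet.pm\n", 0o644),
                          (fake, b"\x7fELF\0constructed", 0o755)):
        os.makedirs(os.path.dirname(p))
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)
    report = f"{BANNER}, it may take a while...\n{good}\n{fake}\n"
    return {p: triage(p) for p in parse_hits(report)}, good, fake
```

An empty reason list only means the file looks like an ordinary packlist; it is not a substitute for comparing against a baseline taken before the host was in doubt, which is what AIDE or tripwire provide.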
