"Wimprine, Thomas" <twimprine@stei.com> writes:
oh. and tw won't do you any good if you're already hacked. Don't trust
chkrootkit. check your sendmail version and redhat's security alerts
and make sure you haven't been running any known exposed vulnerabilities.
> This is the only 'suspicious' thing it found. A lot looks like what I just
> installed for graphdefang.
>
> I think I'm going to spend the rest of the day installing and configuring
> tripwire. FUN FUN FUN!!!
>
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Digest/MD5/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/File/Spec/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Storable/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Time/HiRes/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/CPAN/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Net/.packlist
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/DB_File/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/IO-stringy/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME/Base64/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME/Lite/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/Audit/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/SpamAssassin/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME-tools/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Net/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Net/Telnet/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/HTML/Tagset/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/HTML/Parser/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/razor-agents-sdk/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/razor-agents/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Archive/Tar/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Term/ReadKey/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Term/ReadLine/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Unix/Syslog/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/File/ReadBackwards/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/CPAN/WAIT/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/TimeDate/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MLDBM/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/Text/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/Graph/.packlist
> /usr/lib/qt-3.0.5/etc/settings/.qtrc.lock
> /usr/lib/qt-3.0.5/etc/settings/.qt_plugins_3.0rc.lock
> /usr/lib/qt-3.0.5/etc/settings/.kstylerc.lock
> /usr/lib/openoffice/share/gnome/net/.directory
> /usr/lib/openoffice/share/gnome/net/.order
> /usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.directory
> /usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.order
>
> -----Original Message-----
> From: Wimprine, Thomas [mailto:twimprine@stei.com]
> Sent: Thursday, August 28, 2003 10:20 AM
> To: 'nolug@joeykelly.net'
> Subject: RE: [Nolug] SSH Key Question
>
> Sendmail with mimedefang, spamassassin, and AV. Then it relays it to my
> exchange box.
>
> I'm downloading the kit right now
>
> -----Original Message-----
> From: Scott Harney [mailto:scotth@scottharney.com]
> Sent: Thursday, August 28, 2003 10:16 AM
> To: nolug@joeykelly.net
> Subject: Re: [Nolug] SSH Key Question
>
> "Wimprine, Thomas" <twimprine@stei.com> writes:
>
>> Both systems are at work and the one I'm trying to get to is my email
>> gateway. It's a RH8 box but I haven't performed any updates recently. It's
>> behind the corp firewall and the only thing open to the outside is port 25.
>> The system I'm sshing (is that really a verb?) from is a W2K box running
>> putty.
>> It's the system key also not my user keys. I'm getting the message before I
>> login to the system.
>
> hmm. you might want to try chkrootkit as joey recommended. What smtp
> software version are you running on port 25?
>
>
> --
> Scott Harney<scotth@scottharney.com>
> "...and one script to rule them all."
> gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
> ___________________
> Nolug mailing list
> nolug@nolug.org
>
--
Scott Harney<scotth@scottharney.com>
"...and one script to rule them all."
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
___________________
Nolug mailing list
nolug@nolug.org

Received on 08/28/03
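Added example (not code from this thread, and not Tripwire's own implementation): a minimal tripwire-style integrity checker that records a SHA-256 hash, permission bits, owner and size for every file under a directory, stores that baseline, and later reports what was added, removed or changed. It illustrates the point Scott makes above about tripwire being useless once a box is already hacked: the comparison can only reveal drift from the baseline, so a baseline snapshotted on an already compromised system silently blesses whatever the intruder left behind. All directory names and file contents in the demo are constructed in a temporary directory; nothing touches real system paths.

```python
"""Minimal tripwire-style file integrity baseline and comparison (added example)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _file_record(path: Path) -> dict:
    """Hash the content and record the metadata a rootkit would typically alter."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root: str) -> dict:
    """Walk `root` and record every file. Only trust this if `root` is known-clean."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = _file_record(p)
    return baseline


def save_baseline(baseline: dict, dest: str) -> None:
    # In practice keep this off-host or on read-only media: an intruder with
    # root can rewrite a baseline stored on the machine it describes.
    Path(dest).write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(src: str) -> dict:
    return json.loads(Path(src).read_text())


def compare(baseline: dict, root: str) -> dict:
    """Return files added, removed or changed relative to the stored baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(current) & set(baseline)):
        diffs = {k: (baseline[rel][k], current[rel][k])
                 for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Run the checker on a constructed temp tree (hypothetical files, not real /bin)."""
    base = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    fs = base / "fs"
    (fs / "bin").mkdir(parents=True)
    (fs / "bin" / "ls").write_bytes(b"original ls binary")
    (fs / "bin" / "ps").write_bytes(b"original ps binary")
    # Baseline taken while the tree is known-clean.
    save_baseline(build_baseline(str(fs)), str(base / "baseline.json"))
    # Simulate drift after the baseline: one file rewritten, one added,
    # one with only its permission bits changed.
    (fs / "bin" / "ls").write_bytes(b"replacement ls binary with different content")
    (fs / "bin" / "ssh").write_bytes(b"file that was not present at baseline time")
    (fs / "bin" / "ps").chmod(0o755)
    return compare(load_baseline(str(base / "baseline.json")), str(fs))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The `changed` map separates content changes (hash and size) from pure metadata changes (mode, owner), which is what lets a reviewer tell a replaced binary from a file that merely gained execute or setuid bits. Run it once on a freshly installed host before it is exposed, store the baseline elsewhere, and re-run on a schedule; a baseline built after the fact proves nothing.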
This archive was generated by hypermail 2.2.0 : 12/19/08 EST