Debugging

2005-06-13 12:17 pm
mdlbear: "Sometimes it's better to light a flamethrower than to curse the darkness" - Terry Pratchett (flamethrower)
[personal profile] mdlbear
Not only did I get to spray the bedroom for bedbugs again this morning, I got to take our main household mail/fileserver down because some bastard installed a rootkit and was using it to send spam. Looks like it happened last night some time.

Thank goodness for chkrootkit, which made it easy to diagnose, and I'd been planning to power-down the server anyway to move the disks into the new case. But grumble anyway, because now I'll have to spend the evening doing a full re-install. Without my local mirror, which of course was on the fileserver, unless I start by moving it to the gateway (which is still up, since it's well-protected).

Email at theStarport dot org will be down until lateish tonight. Users (you know who you are) should assume that your passwords have been compromised -- see me for help setting your new password. Web connectivity will work, but you may have to get me to change your DNS settings. (If you think you know what you're doing, change the DNS server (may be called name server) from 198.180.216.2 to 198.180.216.254 or 64.170.148.74.)

I think the break-in may have occurred via wireless; wireless will be down until I can put it on the other side of the firewall.

Date: 2005-06-13 12:52 pm (UTC)
From: [identity profile] kyburg.livejournal.com
Love that icon. May I steal?

Date: 2005-06-13 12:59 pm (UTC)
mithriltabby: Graffito depicting a penguin with logo "born to pop root" (Hack)
From: [personal profile] mithriltabby
Wow! Given how easy it is to turn Windows machines into zombies over the Net, I’m amazed anyone is bothering to go after Linux machines via wardriving. Maybe the competition for spam zombies is getting fierce?

The only port open on my home firewall is for SSH, and I switched it to only allowing logins from trusted machines after I saw odd network activity on my router’s status lights, checked my log files, and saw someone with an IP address in China trying various obvious usernames. For wireless, I go with belt and braces of WEP and MAC address filtering, which is a bit of a bother any time someone new wants to use my network, but that doesn’t happen often enough to be an imposition.

Date: 2005-06-13 01:21 pm (UTC)
From: [identity profile] braider.livejournal.com
So, um, how can you tell if someone's using your computer to send spam?
