Debugging

[mdlbear]

Not only did I get to spray the bedroom for bedbugs again this morning, I got to take our main household mail/fileserver down because some bastard installed a rootkit and was using it to send spam. Looks like it happened last night some time.

Thank goodness for chkrootkit, which made it easy to diagnose, and I'd been planning to power-down the server anyway to move the disks into the new case. But grumble anyway, because now I'll have to spend the evening doing a full re-install. Without my local mirror, which of course was on the fileserver, unless I start by moving it to the gateway (which is still up, since it's well-protected).

Email at theStarport dot org will be down until lateish tonight. Users (you know who you are) should assume that your passwords have been compromised -- see me for help setting your new password. Web connectivity will work, but you may have to get me to change your DNS settings. (If you think you know what you're doing, change the DNS server (may be called name server) from 198.180.216.2 to 198.180.216.254 or 64.170.148.74).

I think the break-in may have occurred via wireless; wireless will be down until I can put it on the other side of the firewall.

Comments

[braider.livejournal.com]

So, um, how can you tell if someone's using your computer to send spam?

[mdlbear]

In this case, the load average on the mail server was higher than normal and the mail logs showed a user that doesn't normally log in sending a lot of mail. Also I an email in my inbox with my return address that I knew I hadn't sent, so I would probably have found it eventually.