[CentOS] CleanLog.h

Fri Nov 30 16:04:19 UTC 2007
B.J. McClure <keepertoad at verizon.net>

On Fri, 2007-11-30 at 09:36 -0500, Evans F. Mitchell KD4EFM / AFA2TH /
WQFK-894 wrote:

> By any chance, have you run 'ps ax' from root and looked
> to see what does not look like it should be there??

The box is already down and replaced by a backup.  Implemented some of your suggestions on it.
Issue was unauthorized web site. I have bash_history logs for all the users created by hacker so
I know commands run including starting httpd.  When I get back from an 11 day business trip I will
set those drives on a slow as molasses test machine and see what I can figure out...for educational purposes.


B.J.


> IF you are willing, paste your 'ps' output for us to
> help you find the program that is running and sending out
> the emails.
> 
> also review your sendmail rule set.
> Next, to help lock down your server a little more
> make sure you have set a password on your VNC.
> I had an Italian 17 year old poking around one
> of my Amateur Radio boxes via VNC, simply cause I
> forgot to set a vnc password, so it was wide open
> like a windoz server box without a login screen,
> you know, the good old "I AM OPEN FOR YOUR PLEASURES..."
> 
> Also change your sshd, the port it is on, and do a rule
> set that only allows a specific ip to access it.
> I think I am correct saying you can do that as well with VNC.
> 
> The other option would be to stop the service altogether
> IF you're not needing it.
> 
> Good Luck.
> 
> Evans F. Mitchell KD4EFM/AFA2TH/WQFK-894
>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf
> Of Alfredo Perez
> Sent: Friday, November 30, 2007 7:40 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] CleanLog.h
> 
> On Thu, Nov 29, 2007 at 04:43:44PM -0600, B.J. McClure wrote:
> > Sad to say one of my file servers was exploited and used to run a 
> > Phishing scam.  Have identified subject virus amongst other things.  
> > It appears twice in a virus scan; /sbin/z (which I assume can just be
> > deleted) and /sys/bus/serio/drivers/atkbd/description.  The latter 
> > file is also present in identical uninfected machines.  I have been 
> > unable to open the file, even with root privileges, although it 
> > appears to be a text file.  Any suggestions on how to proceed 
> > appreciated.  Guess I could delete it and copy over the file from an
> > identical machine.
> > 
> > Thanks in advance,
> > B.J.
> > 
> > CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 16:26:48 up 10:46, 1 user, 
> > load average: 0.07, 0.08, 0.04
> 
> Hi, can you tell me which virus scan you are using?
> 
> Thanks
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 09:57:33 up 1 day, 4:16, 1
user, load average: 0.05, 0.06, 0.04