On Tue, 2003-04-22 at 23:19, Matt Stamm wrote:
> I believe my Linux server has been hacked. All of a sudden my Samba server has disappeared, and I've noticed, from looking at the log files, that Sendmail is launching every hour!
Step 1: Keep calm. Panic never solved anything. You mentioned before that this is a test server you're running in your office, with just two samba users. Isn't your office behind a firewall? Could it be that one of your coworkers who has the root password thought he knew something about Linux and wanted to try his hand at administration? If your machine really has been hacked, it looks extremely clumsy.
> I'm trying to research this problem and I have some questions...
> I'm using Suse 8.1. I'm still fairly new to Linux.
> - Is there a better way to view the system log files other than just viewing them in an editor?
The best way to view the logs of a hacked system is to boot from a secure medium, such as the "rescue system" option of the SuSE CDs. From there you can mount your partitions and view the logs without any trojaned binaries getting in the way.
> - Isn't postfix installed, not sendmail?
Who can say, except the person who installed the system? Postfix is the default.
> - It appears an outsider installed the Red Hat distribution of sendmail on my system. It launches every hour on the hour but fails, outputting "service smtp unknown" to the "warn" log file. Has anyone seen this and what are they trying to accomplish?
As I said, extremely clumsy if it's a hack. It looks more like someone wanting to try his hand at administration but not really knowing what to do. The Red Hat version of sendmail obviously expects to find an entry called "smtp" in /etc/services linked to port 22.
> - The mail log file shows postfix launching hourly starting several days before sendmail was installed, then sendmail took over! Can postfix be used to access a system?
If there's a bug, but I can't remember hearing of one. The default installation should be reasonably secure. If you really have been hacked, you shouldn't try to fix your system. The best (read 'only') way to be sure of your system's integrity is to do a full re-install. Boot from a secure system and make backups of your data first, then install from scratch and get all the security patches from SuSE before you start up your system again. You may want to get an expert in to look over your system to try to determine how people got in. Maybe it was a weak password, maybe it was a hitherto unknown security hole. I don't think anyone can really help you determine that over a mailing list.
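As an added example (not part of Matt's question or of the reply above), the following POSIX shell script shows the kind of offline checks the reply recommends: inspecting a suspect root filesystem from a rescue medium, reading the files straight off the disk rather than through any binary on the suspect system. It assumes the suspect partition would be mounted read-only at /mnt and that the hourly launch comes from a job under /etc/cron.hourly; both are assumptions, and the small directory tree it builds is a constructed stand-in for the real mount so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the original thread: checks an investigator can run
# from a rescue medium over a suspect root filesystem mounted read-only.
# Real use (as root, from the rescue system; device name is an assumption):
#   mount -o ro,noexec,nosuid,nodev /dev/sda2 /mnt
# Here a constructed sample tree stands in for /mnt so the script runs offline.
set -u

# Build a constructed sample root resembling the situation in the thread:
# no "smtp" line in /etc/services, an hourly cron job (assumed location) that
# starts sendmail, and the resulting "service smtp unknown" lines in the warn log.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/cron.hourly" "$root/var/log"
  printf '# constructed sample\nssh\t22/tcp\nhttp\t80/tcp\n' > "$root/etc/services"
  printf '#!/bin/sh\n/usr/sbin/sendmail -q\n' > "$root/etc/cron.hourly/sendmail"
  printf 'Apr 22 00:00:01 host sendmail[101]: service smtp unknown\nApr 22 01:00:01 host sendmail[142]: service smtp unknown\n' > "$root/var/log/warn"
  printf '%s' "$root"
}

# Exit 0 if /etc/services on the suspect root defines the named service
# (first column, comment lines ignored); exit 1 otherwise.  A missing "smtp"
# entry is exactly what produces the "service smtp unknown" messages.
has_service_entry() {
  awk -v n="$2" '$1 !~ /^#/ && $1 == n { found = 1 } END { exit !found }' "$1/etc/services"
}

# Count log lines matching a pattern, reading the log file directly from the
# mounted disk rather than through any tool installed on the suspect system.
count_log_matches() {
  grep -c -- "$3" "$1/var/log/$2"
}

# List the hourly cron jobs on the suspect root so that an hourly launch can
# be traced back to the job that starts it.
list_hourly_jobs() {
  ls "$1/etc/cron.hourly"
}

# Stand-alone demonstration over the constructed tree.
ROOT=$(make_sample_root)
echo "Hourly jobs: $(list_hourly_jobs "$ROOT")"
if has_service_entry "$ROOT" smtp; then
  echo "smtp is defined in /etc/services"
else
  echo "smtp is NOT defined in /etc/services; this explains 'service smtp unknown'"
fi
echo "warn log lines with 'service smtp unknown': $(count_log_matches "$ROOT" warn 'service smtp unknown')"
rm -rf "$ROOT"
```

Against a real mount, replace the constructed tree with the mount point (for example `ROOT=/mnt`) and keep the partition read-only so that the evidence is not altered while it is being examined.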