On 07/24/2017 05:33 AM, Anton Aylward wrote:
On 24/07/17 07:48 AM, Werner Flamme wrote:
Of course, nonsense files like mail.err, mail.log, mail.warn are empty. I only look at /var/log/mail - I need to collect all data to a connection, and the mail.prio files do not have those. Actually /var/log/mail is a mail.prio file as well :-)
But that's beside the point. Clearly this isn't a 'conventional' email service. At the extreme, a rogue, or as Carlos mentions, some malware, a trojan or something, isn't going to write to log files.
Lsof and fuser will tell you about network connections and their associated processes.
If you can't account for them all, be suspicious. There may be some parasite calling home. If you're not running Thunderbird and Firefox, which account for most of the connections my workstation has to all manner of sites, then the deviations from patterns you need to watch out for are going to be more obvious. A full listing of IP connections with lsof might show up something you can't account for.
Please don't expect a single lsof parameter to instantly tell you. You are going to have to do a bit of creative detective work.
Yes, there are 'watcher' programs that will look out for the opening or creation of a file or a network link. The issue is that you need to know what you are looking for in the first place. Assuming that this really is port 134 or port 25 might be like the drunk looking for his keys under the lamp post.
Of course, if malware is suspected you can't trust anything on the system, including programs like ps, ls, lsof, netstat, etc. Rootkits will modify these binaries and libraries so that they will seem to work, but won't show the malware's presence and activities. Statically linked binaries from DVD should be used for diagnosis if possible. I've been using "aide" to take md5 fingerprints of all important binaries and config files, with the signatures being stored off-machine. I've never caught anything, but it is sound practice and makes me feel a bit better.

Regards,
Lew

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
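The two checks the thread describes, accounting for every network connection lsof reports and keeping an off-machine fingerprint baseline of important binaries, as an added example in POSIX shell. This is not code from any of the posters and not aide itself: the lsof output, the program names in the allowlist, the file names and the "trojaned" contents are all constructed for the example, and it uses SHA-256 (via sha256sum) where the message above mentions md5. The baseline format is plain sha256sum output so the baseline can be checked with sha256sum -c from a clean boot medium.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample data and names are constructed.

# Constructed sample of `lsof -i -n -P` output. lsof truncates COMMAND to
# nine characters by default, hence "thunderbi".
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox   2231 anton   45u  IPv4  30012      0t0  TCP 192.168.1.10:51234->93.184.216.34:443 (ESTABLISHED)
thunderbi 2402 anton   60u  IPv4  30144      0t0  TCP 192.168.1.10:51300->198.51.100.7:993 (ESTABLISHED)
sshd      1012 root     3u  IPv4  18877      0t0  TCP *:22 (LISTEN)
updater   3101 anton   12u  IPv4  40211      0t0  TCP 192.168.1.10:40022->203.0.113.9:25 (ESTABLISHED)'

# Print every lsof line whose COMMAND is not in the space-separated allowlist
# of programs you expect to use the network. Whatever is printed is a
# connection you still have to account for.
unaccounted_connections() {
  allow="$1"
  input="$2"
  printf '%s\n' "$input" | awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }
    !($1 in ok) { print }'
}

# Record a SHA-256 baseline of every regular file under DIR into FILE
# ("<hash>  <path>" per line, the sha256sum format). Keep FILE off the
# machine: a rootkit that can rewrite the binaries can rewrite a baseline
# kept next to them.
baseline_create() {
  dir="$1"
  file="$2"
  (cd "$dir" && find . -type f | sort | xargs sha256sum) > "$file"
}

# Compare DIR against FILE. Returns 0 when nothing changed, 1 when a listed
# file was modified or removed, or when a file not in the baseline appeared.
baseline_check() {
  dir="$1"
  file="$2"
  rc=0
  # sha256sum -c reports modified and missing files ...
  (cd "$dir" && sha256sum -c --quiet "$file") || rc=1
  # ... but only for files the baseline lists, so look for additions as well.
  # A sha256sum line is 64 hex chars plus two spaces, so the path starts at column 67.
  current=$(mktemp)
  (cd "$dir" && find . -type f | sort) > "$current"
  added=$(cut -c67- "$file" | sort | comm -13 - "$current")
  rm -f "$current"
  if [ -n "$added" ]; then
    printf 'NEW (not in baseline): %s\n' "$added"
    rc=1
  fi
  return "$rc"
}

# Walk through both checks on the constructed data.
demo() {
  echo '== connections not accounted for =='
  unaccounted_connections 'firefox thunderbi sshd' "$SAMPLE_LSOF"

  echo '== baseline check =='
  d=$(mktemp -d)
  b=$(mktemp)
  printf 'ls v1\n' > "$d/ls"
  printf 'ps v1\n' > "$d/ps"
  baseline_create "$d" "$b"
  baseline_check "$d" "$b" && echo 'clean'
  printf 'ls trojaned\n' > "$d/ls"   # simulate a replaced binary
  printf 'dropper\n' > "$d/extra"    # simulate a file that was not there before
  baseline_check "$d" "$b" || echo 'changes detected'
  rm -rf "$d" "$b"
}

demo
```

On a live box the connection check would be fed with `unaccounted_connections 'firefox thunderbi sshd' "$(lsof -i -n -P)"`, and the baseline with something like `baseline_create /usr/bin /mnt/usb/usr-bin.sha256`. The caveat from the message above still applies: if the machine is suspected of being rootkitted, lsof, find and sha256sum on it may lie, so run the check from a trusted boot medium against the mounted disk rather than from the running system.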