> -----Original Message-----
> From: Arthur Sherman [mailto:arturs (at mark) netvision.net.il]
> Sent: Friday, December 29, 2006 7:04 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:08418] Re: System hacked?!?!?
>
> > Services on:
> > Email Servers
>
> What kind of mail services are in which position?
>
SMTP Service
Enable SMTP Server
Enable SMTP Auth
IMAP Service
Enable IMAP Server
POP Service
Enable POP Server
> > Simple Network Management Protocol (SNMP) Server
>
> Do you have SNMP on? For what purpose? If you can then you better have it
> off.
>
I just got the 2 weeks ago - it was on by default... so I didn't turn it off
yet. I'm still figuring it all out.
> > Can I just chalk it up to false positives from chkrootkit?
> >
> > --Will
>
>
> Looks legitimate to me.
> You could play around with 'netstat' - it can show which app is
> listening.
>
Yeah, I saw that - and it appeared that sendmail was listening on 465 &
portsentry on 1524 & 31337 (or whatever
> If further check shows OK, then I would count it FP from chkrootkit.
> Btw, are you up to latest version?
>
I am using 0.44 of chkrootkit. I just saw that 0.47 is available, I guess
I'll add that to the list of things to upgrade on the box.
I ran rkhunter 1.2.8 this AM and it showed everything as clean.
--Will
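
The netstat check discussed in this message, as an added example that is not part of the original e-mail: a small shell helper that reads `netstat -tlnp` output and reports which program owns each port mentioned above, compared against the owner you expect. The sample output, PIDs, the port 4000 line and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original e-mail): map listening ports to owners.

# Constructed `netstat -tlnp` output; PIDs and the port 4000 line are invented.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:465       0.0.0.0:*         LISTEN   2101/sendmail: acce
tcp        0      0 0.0.0.0:1524      0.0.0.0:*         LISTEN   1877/portsentry
tcp        0      0 0.0.0.0:31337     0.0.0.0:*         LISTEN   1877/portsentry
tcp        0      0 :::4000           :::*              LISTEN   -
EOF
}

# owner_of_port PORT: read netstat -tlnp output on stdin and print the program
# name holding a LISTEN socket on PORT, "-" if netstat could not see the owner,
# or "none" if nothing is listening there.
owner_of_port() {
  awk -v port="$1" '
    $6 == "LISTEN" {
      n = split($4, a, ":")        # port is the last ":" field (IPv4 and IPv6)
      if (a[n] != port) next
      prog = $7
      sub(/^[0-9]+\//, "", prog)   # drop the "PID/" prefix
      sub(/:$/, "", prog)          # "sendmail:" -> "sendmail"
      print prog; found = 1; exit
    }
    END { if (!found) print "none" }
  '
}

# triage PORT EXPECTED_OWNER: one verdict line for a port flagged by a scanner.
triage() {
  owner=$(owner_of_port "$1")
  if [ "$owner" = "none" ]; then echo "$1 not-listening"
  elif [ "$owner" = "-" ]; then echo "$1 unknown-owner"   # rerun netstat as root
  elif [ "$owner" = "$2" ]; then echo "$1 expected:$owner"
  else echo "$1 UNEXPECTED:$owner"
  fi
}

# On a live system, replace sample_netstat with: netstat -tlnp
sample_netstat | triage 465 sendmail
sample_netstat | triage 1524 portsentry
sample_netstat | triage 31337 portsentry
sample_netstat | triage 4000 portsentry
```

A matching program name only narrows things down; an `unknown-owner` or `UNEXPECTED` verdict is the case that needs a closer look at the PID and its binary.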