I am running Fedora 20, and I just discovered that a client's server was logged in to back on October 9th from my IP address, and an erroneous FTP account was created on each of his cPanel installations, and each of those was then logged in to from multiple IP addresses in Russia over some period of time. I have contacted the client and his host and taken measures on their end to secure things, and I am currently running Fedora 20 Live from a USB stick, which I used to then change all of my passwords everywhere.
I ran rkhunter on my machine before booting from the usb, and I only saw 3 warnings:
[14:53:46] Warning: Checking for prerequisites [ Warning ]
(which had to do with a warning about rkhunter.dat missing, I never created one)
[14:53:48] /usr/sbin/ifdown [ Warning ]
[14:53:48] Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
[14:53:48] /usr/sbin/ifup [ Warning ]
[14:53:48] Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
I am not well versed in reading rkhunter logs, but I did some Googling on what I did see and it doesn't look like it detected anything. I then ran yum verify-all, but that gave me ~47,400 lines of output, and apparently 1690 "does not match" (either mtime, size, or checksum) hits. I am not sure how to sift through all of that data.
Does anyone have any good suggestions for trying to track down what is going on with my system? It's not a public-facing server, it's behind a router, and I don't have SSH or FTP on, so I am not sure how I got hit in the first place. Is there a way to scan the system without booting back into it, mounting the filesystem while I am logged in to the live USB?
Thanks.