QUOTE
Originally posted by Keo
Hello all,
On Jan 1st I started to get these emails:
--------------
chmod: getting attributes of `/etc/valiases/*': No such file or directory
eggdrop: no process killed
tail: no process killed
Shutting down antirelayd: [ OK ]
Starting antirelayd: [ OK ]
YPBINDPROC_DOMAIN: Domain not bound
YPBINDPROC_DOMAIN: Domain not bound
YPBINDPROC_DOMAIN: Domain not bound
Ftp Password Files synced
--------------
"eggdrop: no process killed" means that the following command (or something similar) was executed as part of the cron job you're getting mailed:
killall eggdrop
but no eggdrop process was running. This means you are _not_ running eggdrop. (Eggdrop is an IRC bot that's usually used to give extra services to an IRC channel, such as providing a "seen" list. It's not a tool that's normally associated with skript kiddies - if they use IRC, they tend to use things like proxies and/or relays).
Do a "locate eggdrop" to see if it's anywhere on your server.
The YPBINDPROC_DOMAIN errors (IIRC) are to do with NIS. I haven't touched NIS (formerly Yellow Pages) for a while, so I can't help you there. NIS (Network Information Services) is a way of synchronizing Unix accounts over several machines.
Did you accidentally enable something? Maybe there's a script with a bug in it.
Do a Google search for chkrootkit. The trouble with most rootkits is that they do a very good job of hiding themselves (hence the tool). I'm not aware of any remote root exploits for RH 7.1 - but be sure to disable the portmap service - this has in the past been a source of remote root exploits. (Have a dig through the forums - there's a thread titled something like "First things to do with your WBL" or something like that).
Also, find a copy of nmap (I bet there's a redhat package) and nmap your own server to see what ports it's listening to. If it's listening to port 31337 ("Elite") then unless you set something up on that port, you've definitely been 0wned by skript kiddies (they use that port to show off their 31337 h@x0ring sk1llz). Know thine enemy.
And make sure you do shut down portmap. There's nothing on these servers that needs it, and it's very popular to attack. On average, I get three or four contact attempts on the sunrpc (portmap) port - 111. The other one is the lpd port (port 515) - there were a number of vulnerabilities in this, but the WBL systems don't have lpd running by default.
One thing I can't stress more strongly is when you get a dedicated server, you are a Unix system administrator. You may have nice tools like Plesk and Ensim that give you an easy front-end, but it behooves you to become a Unix system administrator. Get a good Unix sysadmin book and learn the ins-and-outs of Unix (preferably get a sysadmin book aimed at RedHat Linux for these systems, of course). What Plesk or Ensim give you is an easy way to get into it and get your server useful straight away - but you'll get MUCH more from your server if you get the knowledge - not to mention, you'll do a much better job of keeping the skript kiddies out. You'll learn the power of Unix. The Knowledge is like the Force. (And yes, it has a dark side too. Those are the people who write the scripts that the skript kiddies use to break into systems).
(Incidentally, the same thing goes for Windows servers - contrary to the propaganda that Microsoft puts out, Windows isn't a nice simple pointy clicky thing - you have to be a real sysadmin for Windows systems too if you want to keep them secure and running right. Witness the Code Red affliction. If you want to keep a Windows box secure, it's actually HARDER than keeping a Unix system secure. Oh, the irony. IMHO, Windows should be kept firmly on the desktop - it's completely unsuitable as a server OS, despite Microsoft's claims. And I work with WinNT every day...)
Anyway. I've ranted long enough. (I didn't even plan to in the first place, but I got carried away...)
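As an added example (not from the thread above), here is a small POSIX shell check that does the "look at what your own server is listening on" step from the reply: it reads netstat-style output, flags the three ports the post singles out (sunrpc/portmap 111, lpd 515, and 31337), and explains why each matters. The netstat output below is constructed for the example; on a live host you would pipe `netstat -ltn` into `flag_ports` instead (assumes netstat is installed).

```shell
#!/bin/sh
# Ports called out in the reply: sunrpc/portmap (111), lpd (515), "elite" (31337).
WATCH_PORTS="111 515 31337"

# Constructed sample in the layout of `netstat -ltn`; not captured from a real host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN'

# flag_ports: read netstat-style lines on stdin and print every watched port
# that is in LISTEN state, one per line, in the order encountered.
flag_ports() {
    awk -v watch="$WATCH_PORTS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # drop "addr:" and keep only the port
            if (port in want) print port
        }'
}

# describe_port: one-line note on why a flagged port matters, following the post.
describe_port() {
    case "$1" in
        111)   echo "111/tcp sunrpc (portmap): nothing here needs it and it is heavily probed; disable it" ;;
        515)   echo "515/tcp lpd: had a string of vulnerabilities; should not be running by default" ;;
        31337) echo "31337/tcp: unless you bound something here yourself, treat the host as compromised" ;;
        *)     echo "$1/tcp: unexpected listener" ;;
    esac
}

# flag_sample: run the check over the constructed sample.
# Prints a note per flagged port; returns 1 if anything was flagged, 0 if clean.
flag_sample() {
    found=$(printf '%s\n' "$SAMPLE_NETSTAT" | flag_ports)
    [ -n "$found" ] || return 0
    for p in $found; do describe_port "$p"; done
    return 1
}

# Live use on a host with netstat:  netstat -ltn | flag_ports
```

The sample flags 111 and 31337 but not 515, which mirrors the post's point that lpd is not listening by default while portmap is.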