Full Version: Possible compromise
The Planet Forums > Security > General Security
Wolfmarsh
Hi Everyone,

It's been several years since I have been active here. I have recently been brought in to help my dad with some issues he was having with his server, to which he confessed it hasn't been updated in ages and may be compromised.

Since I haven't messed with Linux/Ensim in a few years, I'm feeling a bit lost.

He is seeing butt-loads of incoming traffic, with little to no outgoing traffic. Over 800 gigs in the past week incoming. Obviously ThePlanet is sending him nasty emails about it.

I logged into his server, can't find anything out of the ordinary using chkrootkit and rkhunter. He is running Ensim 3.5.10 on 2.4.21-4.0.1.ELsmp.

I'm looking for ways to scan all the phpBB installations on the server for their version numbers, as well as ways to update his server.

I tried messing with up2date, but I think he botched it up. When I run up2date, I get the following:

CODE
Traceback (most recent call last):
  File "/usr/sbin/up2date", line 25, in ?
    from up2date_client import repoDirector
  File "repoDirector.py", line 5, in ?
  File "rhnChannel.py", line 16, in ?
ImportError: No module named rhn


Any help anyone can provide would be excellent.

If you need any more info, please let me know.
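An added example for the phpBB version question above (this is not part of Wolfmarsh's post and not phpBB's or Ensim's own tooling): a POSIX shell script that walks a directory tree, finds every includes/constants.php, and pulls the version out of the PHPBB_VERSION define. That file location and constant name are an assumption about how phpBB records its version, so check the output against one install whose version you already know. The directory tree it scans is a constructed sample, not anyone's real web root.

```shell
#!/bin/sh
# Added example (not from the thread): find phpBB installs under a tree and
# report each one's version string.
# Assumption: phpBB records its version in includes/constants.php as
#   define('PHPBB_VERSION', '<version>');
# Check that against one install you know before trusting the output.

# scan_phpbb ROOT
# Prints one line per install found: "<install dir><TAB><version>", sorted.
# A constants.php with no PHPBB_VERSION define is reported as "unknown".
scan_phpbb() {
    root="$1"
    find "$root" -type f -path '*/includes/constants.php' 2>/dev/null |
    while read -r f; do
        # includes/constants.php -> the board's top-level directory
        dir=$(dirname "$(dirname "$f")")
        # take the second quoted argument of the define() call
        ver=$(sed -n "s/.*define *( *'PHPBB_VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
        [ -n "$ver" ] || ver="unknown"
        printf '%s\t%s\n' "$dir" "$ver"
    done | sort
}

# Constructed sample tree standing in for the customers' web roots.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/siteA/forum/includes" \
         "$SAMPLE/siteB/phpbb/includes" \
         "$SAMPLE/siteC/includes"
printf "<?php\ndefine('PHPBB_VERSION', '2.0.10');\n" \
    > "$SAMPLE/siteA/forum/includes/constants.php"
printf "<?php\ndefine('PHPBB_VERSION', '3.0.5');\n" \
    > "$SAMPLE/siteB/phpbb/includes/constants.php"
printf "<?php\n// a constants.php that is not phpBB's\n" \
    > "$SAMPLE/siteC/includes/constants.php"

RESULT=$(scan_phpbb "$SAMPLE")
printf '%s\n' "$RESULT"
rm -rf "$SAMPLE"
```

On a real box you would point scan_phpbb at the directory that holds all the sites (for example the parent of the customers' home directories) and compare each reported version against the current phpBB release; anything reported as "unknown" is worth opening by hand, since a board that has been tampered with or hand-patched may no longer carry the define.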
joec@home
Any kind of error with up2date and yum should be handled via trouble ticket to ThePlanet, as there are licensing issues involved.

I am going to take a wild guess, but knowing the history of Ensim, and that updating the system generally breaks it, the updates were for the most part avoided. This is compounded by the fact that it uses sendmail; my best guess is that it may have an older, exploitable sendmail version. So scanners hitting port 25 are going to see the older version and attract unneeded attention, hence lots of extra traffic coming in.

In any case, without any details, that is my best guess.
eth00
ThePlanet did a forced update a few weeks ago that broke a good number of servers; if I had to take a guess, this is what broke up2date, assuming it was working.

Generally an exploit causes more outbound than inbound traffic; solely additional inbound traffic sounds more like perhaps an attack.

That kernel is pretty old, but you would need up2date to get it fixed if you only have one server. I would say first off, try to get TP to fix up2date. As far as tracking the bandwidth, you could use something like netstat or iptraf, but those are a bit harder to use.
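An added example for the bandwidth-tracking point in eth00's reply (this is not from the thread and not netstat's or iptraf's own output handling): two small shell functions that read the text of netstat -tn on stdin and summarise it, one by remote address and one by local port. That answers the two questions this thread is circling, who is sending the 800 GB and which service (web, sendmail, ssh) is receiving it. The netstat listing embedded below is constructed sample data; the IP addresses in it are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example (not from the thread): tie a flood of inbound traffic to its
# sources and to the local service being hit, using only netstat output.
# Both functions read `netstat -tn` text on stdin, so on the server you would run:
#   netstat -tn | top_peers 10
#   netstat -tn | top_ports 10
# The netstat listing below is constructed sample data.

# top_peers [N]: print "<count> <remote ip>" for the N busiest remote addresses.
# netstat -tn columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
top_peers() {
    n="${1:-10}"
    awk '$1 ~ /^tcp/ { split($5, a, ":"); print a[1] }' |
    sort | uniq -c | sort -rn | head -n "$n"
}

# top_ports [N]: print "<count> <local port>" for the N most-hit local ports,
# which tells you whether it is the web server, sendmail, or sshd taking the load.
top_ports() {
    n="${1:-10}"
    awk '$1 ~ /^tcp/ { k = split($4, a, ":"); print a[k] }' |
    sort | uniq -c | sort -rn | head -n "$n"
}

# Constructed sample of `netstat -tn` output (documentation IP ranges).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:4821       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:4822       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:4823       ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:51234       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.44:60002      ESTABLISHED'

echo "Busiest peers:"
printf '%s\n' "$SAMPLE_NETSTAT" | top_peers 5
echo "Most-hit local ports:"
printf '%s\n' "$SAMPLE_NETSTAT" | top_ports 5
```

The split on ":" assumes IPv4 addresses, which is what a 2.4-era box will show; a handful of addresses each holding many connections to port 25 or 80 points at the scanning or flooding joec@home and eth00 describe, while a single address with a large count on port 22 is a different problem. A snapshot only shows what is connected at that instant, so run it a few times a minute and diff the results, or use iptraf for a running view.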