suspicious activity
Aasef Iqbal
aneedz at gmail.com
Thu Dec 9 06:43:26 UTC 2004
Hi!
One of my servers was hit with spam. One of my clients was spamming
through this machine. It was hard to figure out who it really was,
because the sites being advertised were not on my server and the
return address was either <> or <anonymouse at abc.com>. Now I have
closed one of these hosting accounts, and in the last 24 hours there has been no
suspicious activity.
However, there are a couple of things that make me worried.
1. Last time the spam email's Return-Path was <root at myserver.com>.
2. If I issue the command #last I see users logging in within the
last few days. I have banned shell access except from a couple of
hosts, and most of the list is pretty much OK, except for a few entries
like:
clientloginname ftpd30692 somehost.somedomain Fri Dec 3 13:30 gone - no logout
clientloginname ftpd440 somehost.somedomain Thu Dec 2 20:29 - 20:29 (00:00)
There are only very few users with a shell; to my mind, this
clientloginname should not appear in last's list.
Should I be suspicious and take some action, and what do I need to do?
Is there any checklist kind of thing so that I can make sure all is
safe now?
How can I check that there is no keylogger or similar thing on there?
Kindly advise.
Asif
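A triage script for the `last` question above, added here as an example; it is not from the original post, from the redhat-list, or from Red Hat. It parses default-format `last` output, cross-checks each session against the login shells in /etc/passwd and a host allow-list, and separates FTP sessions (wu-ftpd and proftpd record their logins in wtmp with a tty of `ftpdNNNN`, which is why they appear in `last` even for accounts with no shell) from interactive logins that need explaining. The sample `last` lines, passwd entries, host names and the allow-list are constructed placeholders, not data from the poster's server.

```python
"""Triage `last` output against /etc/passwd and a host allow-list.

Added example for the mailing-list question; not code from the original post.
All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample of `last` output (default format: user, tty, host, login time).
SAMPLE_LAST = """\
clientloginname ftpd30692 somehost.somedomain Fri Dec  3 13:30    gone - no logout
clientloginname ftpd440   somehost.somedomain Thu Dec  2 20:29 - 20:29  (00:00)
admin    pts/0        admin-box.example.net Thu Dec  2 09:15 - 09:40  (00:25)
webuser  pts/1        198.51.100.23    Wed Dec  1 22:10 - 22:12  (00:02)
admin    pts/2        198.51.100.44    Wed Dec  1 03:05   still logged in
ghost    pts/3        198.51.100.9     Tue Nov 30 04:00 - 04:01  (00:01)
reboot   system boot  2.4.20-8         Mon Nov 29 08:00          (3+05:30)

wtmp begins Mon Nov 29 08:00:00 2004
"""

# Constructed /etc/passwd excerpt: only root and admin have a real shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
clientloginname:x:501:501::/home/clientloginname:/sbin/nologin
webuser:x:502:502::/home/webuser:/bin/false
"""

# Hosts from which interactive logins are expected (assumed for the example).
ALLOWED_HOSTS = {"admin-box.example.net"}


@dataclass
class Session:
    user: str
    tty: str
    host: str
    start: str
    status: str  # "closed", "open" (still logged in) or "no_logout" (gone - no logout)


def parse_last(text: str) -> List[Session]:
    """Parse default-format `last` lines; skips reboot/shutdown records and the trailer."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("reboot", "shutdown") or line.startswith("wtmp begins"):
            continue
        user, tty, rest = tok[0], tok[1], tok[2:]
        # The host column is blank for console logins, so the next token is a weekday.
        host = "" if rest[0] in WEEKDAYS else rest.pop(0)
        start, tail = " ".join(rest[:4]), " ".join(rest[4:])
        if "still logged in" in tail:
            status = "open"
        elif "no logout" in tail:
            status = "no_logout"
        else:
            status = "closed"
        sessions.append(Session(user, tty, host, start, status))
    return sessions


def parse_passwd(text: str) -> Dict[str, str]:
    """Map account name -> login shell from passwd(5) lines."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


Finding = Tuple[str, str, str, str, str]  # severity, user, tty, host, reason


def audit(sessions: List[Session], shells: Dict[str, str], allowed_hosts) -> List[Finding]:
    """Flag sessions that need explaining; one session may yield several findings."""
    findings = []
    for s in sessions:
        shell = shells.get(s.user)
        if shell is None:
            findings.append(("HIGH", s.user, s.tty, s.host, "account is not in passwd"))
        if s.tty.startswith("ftpd"):
            # wu-ftpd/proftpd write their own wtmp records: an FTP login, not a shell.
            findings.append(("INFO", s.user, s.tty, s.host, "FTP session, not a shell login"))
        else:
            if shell in NOLOGIN_SHELLS:
                findings.append(("HIGH", s.user, s.tty, s.host,
                                 "tty allocated to an account whose shell is " + shell))
            if s.host and s.host not in allowed_hosts:
                findings.append(("MEDIUM", s.user, s.tty, s.host,
                                 "interactive login from a host outside the allow-list"))
        if s.status != "closed":
            findings.append(("REVIEW", s.user, s.tty, s.host,
                             "session has no logout record (" + s.status + ")"))
    return findings


def triage(last_text=SAMPLE_LAST, passwd_text=SAMPLE_PASSWD, allowed_hosts=ALLOWED_HOSTS):
    return audit(parse_last(last_text), parse_passwd(passwd_text), allowed_hosts)


if __name__ == "__main__":
    # On a real host: last_text=subprocess.check_output(["last"], text=True),
    # passwd_text=open("/etc/passwd").read()
    for sev, user, tty, host, reason in triage():
        print(f"{sev:6} {user:16} {tty:10} {host:22} {reason}")
```

On the real box, feed it the output of `last` and the contents of /etc/passwd, and put the hosts that are supposed to have shell access in the allow-list. Two caveats: wtmp is root-writable, so an attacker who already has root can remove or forge the records `last` reads, and a clean run of this check is not proof the host is clean; and a REVIEW finding on an `ftpd` session marked "gone - no logout" usually means the daemon process exited without writing a logout record, not that someone is still connected. For the checklist part of the question, `rpm -Va` is the standard first integrity check on a Red Hat system, with the limit that it only covers files owned by installed packages.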