Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: cgetty on June 26, 2006, 08:55:26 PM

Title: problem with security, looking for guidance
Post by: cgetty on June 26, 2006, 08:55:26 PM
Hello ALL

I'm having a problem with a security issue & I'm looking for guidance.

This is my current version SME Server 7.0rc2

I received an automated email from my SME server saying this

/etc/cron.daily/01-rkhunter:

Line:
Watch out Root login possible. Possible risk!
-----------------------------------------------------------------
Found warnings:
[04:04:07] Warning: root login possible. Change for your safety the 'PermitRootLogin'

Then I received another automated email from my SME server (this time from Clam Antivirus) saying this
 
LibClamAV Warning: Multipart MIME message contains no boundaries
//dev/shm/send/text: HTML.Phishing.Bank-28 FOUND
//dev/shm/send/text: moved to '/var/spool/clamav/quarantine//text'
//dev/shm/send.tgz: HTML.Phishing.Bank-28 FOUND
//dev/shm/send.tgz: moved to '/var/spool/clamav/quarantine//send.tgz'

----------- SCAN SUMMARY -----------
Known viruses: 60082
Engine version: 0.88.2
Scanned directories: 11442
Scanned files: 19112
Infected files: 2
Data scanned: 5458.33 MB
Time: 19047.406 sec (317 m 27 s)

After reviewing the files in the quarantine directory it seems like someone wants to use my server to do some PayPal phishing.

What's the best way I can keep this from happening in the future & how can I make sure my system is secure now?

New to running a server & to linux, I have lots to learn.

Thanks
Clark
Title: problem with security, looking for guidance
Post by: dsemuk on June 26, 2006, 09:24:16 PM
If you think SMEServer has security issues you should email security (at) contribs.org

Emailing security is going to get your message to the people who need to know about security issues and can resolve any problems.

Dave
Title: problem with security, looking for guidance
Post by: cgetty on June 26, 2006, 10:41:17 PM
Hi Dave

At this point it's more likely that I have not secured my server as well as I should have. I just installed it and ran it. Everything is pretty much default settings.

For a while I allowed remote login with ssh. Then I noticed a ton of login attempts so I set the server-manager settings to No for ssh & passwords.

I would like to know how someone was able to gain access.

I looked on this forum but did not find anything like what I'm experiencing now. I'll look harder, someone must have had a similar problem like this in the past.

I would also like to see the tools that others are using to monitor their systems with. As it is now there is much data (log files) but I don't know where to start.

The two automated emails I got let me know there is a problem. I'm still not sure that my server is not being used as a relay for spam email or some other dark purpose.

Any tips would be welcome.

Clark
Title: problem with security, looking for guidance
Post by: byte on June 26, 2006, 10:57:52 PM
Quote from: "cgetty"

I would like to know how someone was able to gain access.


Weak password?

Quote from: "cgetty"

Any tips would be welcome.


I would recommend if you have ssh open to world you should change port from 22 to say port 2222
Title: problem with security, looking for guidance
Post by: JonB on June 27, 2006, 02:29:53 AM
As has already been mentioned please do not discuss this here. Please send the info to security@contribs.org

Jon
Title: Re: problem with security, looking for guidance
Post by: CharlieBrady on June 27, 2006, 03:07:11 AM
Quote from: "cgetty"
I received an automated email from my SME server saying this

/etc/cron.daily/01-rkhunter:

Line:
Watch out Root login possible. Possible risk!


This simply indicates that you have chosen to configure SSH to allow root access (either using the root password, or using an RSA key). If you don't want to see this warning, then change the SSH configuration, using the server-manager.

Quote

After reviewing the files in the quarantine directory it seems like someone wants to use my server to do some PayPal phishing.


Not likely. More likely is that one or more of your users has received PayPal phishing SPAM. But hasn't everyone?
Title: problem with security, looking for guidance
Post by: JonB on June 27, 2006, 04:17:42 AM
Charlie,

I disagree with your comments. cgetty has already stated that he had disabled SSH.

Quote from: "cgetty"

For a while I allowed remote login with ssh. Then I noticed a ton of login attempts so I set the server-manager settings to No for ssh & passwords.


If he suddenly gets an rkhunter report that SSH is enabled then surely that is a security issue.

Also ClamAV reported finding the suspicious files mounted in shared memory /dev/shm.

/dev/shm is a known mounting point for rootkits if they can't access /tmp or /var/tmp.

I think this still needs to be reported to security@comptroub.com
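Added example, not code from the thread or from the SME Server project: a small Python check that covers the two signals discussed in the posts above, the sshd PermitRootLogin setting behind the rkhunter warning (Charlie's explanation) and persistent files sitting in /dev/shm (Jon's point). It assumes the OpenSSH default of 'yes' when the directive is absent, and it builds a constructed stand-in directory (build_sample_shm) instead of reading the real /dev/shm.

```python
import os
import re
import tempfile

# sshd_config directive that rkhunter checks; the keyword is case-insensitive.
PERMIT_RE = re.compile(r"^\s*PermitRootLogin\s+(\S+)", re.IGNORECASE)
# Constructed sshd_config excerpt: the commented line must not count.
SAMPLE_SSHD_CONFIG = "#PermitRootLogin no\nPermitRootLogin yes\n"

def permit_root_login(config_text):
    """Effective PermitRootLogin value: sshd honours the first uncommented
    directive. Assumption: absent means the OpenSSH default of that era, 'yes'."""
    for line in config_text.splitlines():
        m = PERMIT_RE.match(line)
        if m:
            return m.group(1).lower()
    return "yes"

def shm_inventory(shm_dir):
    """(relative path, size, executable?) for every regular file under shm_dir.
    /dev/shm should hold only transient IPC objects, so persistent files deserve a look."""
    found = []
    for root, _dirs, files in os.walk(shm_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            found.append((os.path.relpath(path, shm_dir), st.st_size, bool(st.st_mode & 0o111)))
    return sorted(found)

def audit(config_text, shm_dir):
    """Both checks as a list of warning strings; an empty list means clean."""
    warnings = []
    value = permit_root_login(config_text)
    if value != "no":
        warnings.append("sshd: PermitRootLogin is '%s'; rkhunter warns until it is 'no'" % value)
    for rel, size, executable in shm_inventory(shm_dir):
        flag = " (executable)" if executable else ""
        warnings.append("/dev/shm: unexpected file %s, %d bytes%s" % (rel, size, flag))
    return warnings

def build_sample_shm():
    """Constructed stand-in for /dev/shm, mirroring the paths in the ClamAV report."""
    d = tempfile.mkdtemp(prefix="shm-sample-")
    os.makedirs(os.path.join(d, "send"))
    with open(os.path.join(d, "send", "text"), "w") as f:
        f.write("<html>constructed phishing-page stand-in</html>")
    os.chmod(os.path.join(d, "send", "text"), 0o755)  # dropped file made executable
    with open(os.path.join(d, "send.tgz"), "wb") as f:
        f.write(b"constructed archive stand-in")
    return d
```

Calling audit(SAMPLE_SSHD_CONFIG, build_sample_shm()) returns one sshd warning and one line per file found; on a live box you would pass the text of /etc/ssh/sshd_config and the path /dev/shm instead.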
Title: problem with security, looking for guidance
Post by: CharlieBrady on June 27, 2006, 05:04:17 AM
Quote from: "JonB"
Charlie,

I disagree with your comments. cgetty has already stated that he had disabled SSH.


Perhaps. But rkhunter doesn't know that, and ssh is still configured to allow root login.

Quote

If he suddenly gets an rkhunter report that SSH is enabled then surely that is a security issue.

Also ClamAV reported finding the suspicious files mounted in shared memory /dev/shm.

/dev/shm is a known mounting point for rootkits if they can't access /tmp or /var/tmp.

I think this still needs to be reported to security@comptroub.com


Fair enough. No harm in that.
Title: problem with security, looking for guidance
Post by: cgetty on June 27, 2006, 07:42:33 AM
Thanks everyone for your input.

I've reported my concerns to security@comptroub.com.

I'm interested in tips on system monitoring. For example, maybe some have written some scripts that pick out useful data from log files that could alert admins to unusual activity on the server.

Thanks again for the help
Clark
Title: problem with security, looking for guidance
Post by: CharlieBrady on June 27, 2006, 02:39:04 PM
Quote from: "cgetty"
Thanks everyone for your input.

I've reported my concerns to security@comptroub.com.


They will be confused, I expect. security@contribs.org is the correct address (as it says every time you post to this board, under "PLEASE READ THIS BEFORE YOU POST").
Title: problem with security, looking for guidance
Post by: JonB on June 27, 2006, 02:50:58 PM
Quote from: "CharlieBrady"
Quote from: "cgetty"
Thanks everyone for your input.

I've reported my concerns to security@comptroub.com.


They will be confused, I expect. security@contribs.org is the correct address (as it says every time you post to this board, under "PLEASE READ THIS BEFORE YOU POST").


Oops. That was my bad. Mind you, they won't be confused because I look after that domain and I will get the email when I download the admin emails.

contribs, comptroub. It's easy to get them confused. Time for bed methinks.

Jon
Title: problem with security, looking for guidance
Post by: sjee on July 06, 2006, 09:26:02 AM
Did you receive any response? I have the same issue and would like to know if I should get worried ;-)
Title: problem with security, looking for guidance
Post by: cgetty on July 06, 2006, 04:58:51 PM
Hi sjee

I sent an email to security@comptroub.com back on June 26. My email was bounced back to me after floating around the Internet for many days. I thought they just didn't respond, so I started looking elsewhere for help; not much hand-holding at this forum.

For a while I accessed my server from work using ssh (for only about a month). I didn't feel comfortable, so I stopped doing it. I think it may have been during this time that my server security was breached.

There were files installed so someone could use my server to do some phishing and maybe other dark activity too.

The only message I get from ClamAV now is this
“LibClamAV Warning: Multipart MIME message contains no boundaries”
Still don't know what it means.

I'm still not sure regarding the security status of my server. I'm learning & this is a test server, a work in progress.

Try security@comptroub.com, maybe they can help.

Clark
Title: problem with security, looking for guidance
Post by: CharlieBrady on July 06, 2006, 06:17:46 PM
Quote from: "cgetty"

Try security@comptroub.com, maybe they can help.


As noted above, *and* at the top of the form you see when you enter comments in this forum, the correct address is security@contribs.org.