Ubuntu Security :: Rkhunter/Chkrootkit And Exim4 - Installing Progs On Lucid It Comes With Exim4?
May 7, 2010
When installing these progs on Lucid it comes with exim4, I noticed this in the terminal output. What has exim4 to do with rkhunter and/or chkrootkit?
Apr 14, 2010
What is the best method for checking for rootkits? I have heard that it is best not to install and run these programs on the distro itself. Would it be possible to install them on another distro/partition and then use them to check for rootkits on my main partition/distro (Ubuntu)?
Feb 16, 2011
Let's say you have a host with some kind of locally installed root kit detector/scanner.
If someone managed to get root access to that box, wouldn't the first thing to do, before installing a rootkit, be to remove any kind of rootkit detector?
Jan 21, 2011
My Debian server has been attacked due to a security breach in exim4 4.69-9 (probably applies to loads of other versions too). The security breach allows the attacker to get root access by creating a buffer overflow in a header which then can be used to inject code.
[URL]
The security breach is fixed with 4.69-9+lenny1. I want to share my actions with you on what I did to (hopefully) get rid of it. However, at the time of writing this, the above website is down due to too much load (DDoS attack?). How you can check if you've been attacked:
The attack creates a buffer overflow in exim4, which results in paniclog entries.
$ cat /var/log/exim4/paniclog
2010-12-17 07:34:11 string too large in xxxyyy()
2010-12-19 10:42:10 string too large in xxxyyy()
This would be an example of two attacks, one on 2010-12-17 and the other two days later on 2010-12-19. With this information you can start finding potentially infected files. There may be a better way, but I searched for them with this command:
$ find / -mtime 31 2>/dev/null # files, directories and links last modified 31 days ago (i.e. 2010-12-17)
My infected files:
/usr/bin/uptime
/usr/bin/pwdx
/usr/bin/slabtop
[code]....
Jun 23, 2010
How to install chkrootkit, rkhunter and zenmap in SUSE 11.2 KDE?
May 20, 2011
I'm running a Squeeze minimal install. I don't need exim4, which got installed with the base net-install (I think). So I did
#apt-get remove exim4
and it said it had done it. However, recently I noticed during bootup that there was a line that said "Starting MTA: exim4". Then, another time I did apt-get update and apt-get upgrade, and it wanted to upgrade three exim4 packages. So I thought "Hmm- exim4 must have come back." However, apt-get remove exim4 gets an "It ain't installed" (or words to that effect) response. "Find exim4" gets a list of about 40 files, including /usr/sbin/exim4, /usr/lib/exim4/, /usr/share/exim4, /etc/init.d/exim4, and a whole raft of config and man files. I've done apt-get purge exim4, and I'm now at my wits' end- what on earth is going on? Can't apt-get do it? Might Aptitude (never used it) do it? (Don't have Synaptic installed- I try to keep as minimal as possible, it's an old machine.)
Jun 13, 2010
Having never used it, I did an apt-get remove --purge exim4 this morning. Deborphan doesn't show any orphaned packages. But, I see a 44K file lingers as per below.
rooster@royrogers:~$ su
Password:
[code]....
Oct 28, 2010
I recently P2V'd a Debian box, and the aliases file (/etc/aliases) is no longer working. As the physical machine is still working, this machine has been renamed to buzz1 [from buzz].
I changed /etc/mailname, /etc/exim4/update-exim4.conf.conf [and ran the update-exim4.conf script] and also ran newaliases. However, it still does not seem to be applying the aliases file:
Live Physical Machine:
buzz:~# exim -bt root@buzz.domain.com
R: system_aliases for root@buzz.domain.com
R: smarthost for cronjobs@domain.com cronjobs@domain.com
<-- root@buzz.domain.com
[Code]....
Nov 17, 2009
I have tried code...
I have tried to install exim4 and then to purge exim4-daemon-light but
that fails too.
How do I get rid of all exim4 stuff?
Jun 9, 2010
I've recently had to rebuild our mail server - after the old one overheated - and I've realised I never backed up the config files for exim... so now trying to work out how the hell to configure what I had....
The setup isn't the most straight forward, so I'll try and explain what happens...
- all emails @longdomain.com are received by an hosted server on the internet
- they are then forwarded to @shortdomain.com, the IP for which is our internet connection which forwards port 25 traffic to the exim server
- the exim server then spam and virus checks the emails and forwards them to an exchange server (sorry but it works well for us)....
I've installed exim4/spamassassin/clamav successfully, and it's setup to receive emails for the relevant domains and relay from the hosted server on the internet (and some local addresses).
How do I then set up exim4 to forward all emails on the relevant domains to the exchange server?
Dec 11, 2010
I'm trying to set this thing up. I'm running on a residential DSL line so obviously port 25 is blocked. I need a FREE solution to get around this.
Apr 2, 2010
(Desktop with Debian sid) How do I configure Exim4 to send local mail locally and other mail through my ISP? I just did dpkg-reconfigure exim4-config and none of the choices seemed to give me the answer. I have a lot of frozen email addressed to:
root@<My_ISP_SMTP_URL>. I also don't know what happens to regular email sent from Mutt. I have no problem sending email through my laptop on the same LAN.
Aug 27, 2010
Linux [URL] 2.6.26-2-686 #1 SMP Wed Feb 10 08:59:21 UTC 2010 i686 GNU/Linux. Currently I have exim4 configured to use my mail server as a relay to send php emails. Though I don't think I want this setup. My goal is to be able to track emails sent out to make sure that nothing happened and they got bounced back. I need to be able to find the emails that are bounced.
If I configure exim4 to send emails from the current (apache2 / php) server, any emails that bounce will end up there, correct? We have clients that are expecting emails and are complaining they do not always get them, so something is not 100% configured correctly. I am going to re-run #dpkg-reconfigure exim4-config
May 4, 2011
Running exim4 on Debian and trying to forward all emails destined for root@mydomain.com to me@mydomain.com, I did set up the entry in the /etc/aliases file in the following way:
root: me@mydomain.com
run newaliases, restart exim "although not needed if I am not mistaken"
then on the command line mail root@mydomain.com and the email still goes out for root@Mydomain.com and not me@mydomain.com. I am using a smarthost, and that smarthost refuses to serve emails going for root@. I am OK with that as I should be able to easily rewrite those messages to go to me@mydomain.com.
But it is simply not working, anything I might have missed here?
Feb 20, 2010
My ISP recently decided to kill outbound traffic on port 25 for some reason. Therefore, I changed the SMTP port to 24, and everything works fine so far: I can send email to local domains and remote. However, I cannot receive emails from remote domains. I tried using online "mail server test services" and all I got is a timeout.
Jan 20, 2011
I'm more of a CentOS person, but after some issues on my new box I switched to Ubuntu server. I am working on getting it set up as a mail server (mainly for testing at the moment and soon to be live). I performed apt-get install sendmail then apt-get install exim4 and got the message: Could not perform immediate configuration on 'exim4-daemon-light'. Please see man 5 apt.conf under APT::Immediate-Configure for details. I have Ubuntu Server 10.10 32-bit on a Dell Intel PowerEdge.
Jul 9, 2015
I've installed it properly until it works now, it does send emails and receive them, but here's the problem.
1) It does not send emails to a certain domain, unless I do dpkg-reconfigure on exim4 and put the domain on allowed relay... can't I just put something in the settings which allows sending emails to ALL domains?
2) EVERYONE can connect to the server by telnet from any position, terminal or PC, and just use an existing user to send emails to anyone.... For example, I have testuser123 set up in Debian/exim4 .. then they simply write "mail from:testuser123@host.dot" and the server accepts it.. without even requesting an authentication for that. And this is a problem, because everyone can use my email addresses to send emails to whoever.. heaven for spammers/hackers..
Sep 3, 2015
I'm trying to set up a *simple* MTA in my local network. The only thing it should be able to do is send system / daemon mails to admin@mylocaldomain. But at the moment I'm pretty much overwhelmed by everything I *should* know in order to set up this MTA.
my infrastructure:
- servers:
* test01.mylocaldomain --> should send mails (with exim) to admin@mylocaldomain
* dns01.mylocaldomain --> dns-server
* mail.mylocaldomain --> mail-server (postfix / iredmail package)
I configured exim to be in "internet"-mode. Now I have a variety of errors I can choose from (and a variety of solutions that I don't like ).. my test is always an email from test01.mylocaldomain:
echo "Hello World" | mail -s Testmail admin@mylocaldomain
- after running the config, I get the error: admin@mylocaldomain: all relevant MX records point to non-existent hosts --> google says, edit and update update-exim4.conf.conf --> dc_relay_domains='mylocaldomain' --> but this exim installation should not be a relay at all. It should only be able to SEND (to this domain), not deliver it. Or do I get something wrong?
- after I added dc_relay_domains='mylocaldomain', I get --> SMTP error from remote mail server after RCPT TO:<admin@mylocaldomain>: host mail.mylocaldomain [192.168.x.x]: 550 5.1.1 <root@mylocaldomain>: Sender address rejected: User unknown in virtual mailbox table --> but I don't want to create an account on the mailserver for the SENDER...
- ...so I thought, I'd config exim with the domain "test01.mylocaldomain" (including the server name), so that the sender is clearly from another domain than the mail server handles (e.g. user@test01.mylocaldomain).. but then I get this --> SMTP error from remote mail server after RCPT TO:<admin@mylocaldomain>: host mail.mylocaldomain [192.168.x.x]: 450 4.1.8 <root@test01.mylocaldomain>: Sender address rejected: Domain not found
I really just wanna send mails in my local network.
Jun 3, 2011
I installed the exim4 package on my Debian server as MTA. Now I want to send mail with this by SMTP. But when I connect to it via telnet, it returns this banner:
Code:
220 *******************************************************
And when I try to execute a command like EHLO, it says:
Code:
500 unrecognized command
Apr 19, 2011
I set up an exim4 server successfully and was able to send/receive mail! I fired off a couple of emails to my friend and never got a response. Oh well, I thought, must be because my domain name might be considered spam. Flash forward to today and I get an email from the people who host my server, telling me that I have left my exim4 relay open. Looking through some of my users' email, I see a series of messages with the subject 'Message frozen':
Code:
Message 1QCCQJ-0004FP-OY has been frozen (delivery error message).
The sender is <>.
[code]....
Apr 30, 2011
Here is the scenario...
2 round robin dns servers
x.x.x.1 mydomain.com (hostname)
x.x.x.2 mydomain.com (hostname)
My problem is that when I try and send an email that is part of the domain, it ends up trying to deliver it locally. I realize it is supposed to, but I don't want that for non-users of the server.
I want to be able to deliver certain emails []@mydomain.com remotely. (info@mydomain.com)
exim4 setup "internet site; mail is sent and received directly using SMTP". This works well as long as it is not an email from mydomain.com.
Is there a way to have exim check the users first and then deliver based on local user or not?
Next question. Is having the domain name as the hostname the best way to setup a round robin? (web server)
Oct 14, 2009
Using exim4 only for sending email SMTP
I'd like to use Exim to remove the line header:
Received: from [111.111.111.111]
by HOSTNAME with esmtp (Exim 4.69)
What setting should I use and where should I put it in the exim4 configuration file, transport, router etc.?
Apr 5, 2010
I have an Ubuntu server 9.10 installed with exim4 as MTA. I configured a mail address on it (let's say me@example.com). Before I had it working I had another email configured (let's say me_2@example.com). At the time I had this one it didn't work, so I removed exim4.
Now I can successfully send mails with it by the configured me@example.com. I also configured the password for this, but when I receive the mail the old configured mail is presented as "from" (so from: me_2@example.com).
Anyone knows how this can be changed so it says the mail is from me@example.com? The mail is not an alias, and in a mail client they work separately.
Jan 18, 2010
Is there a way to configure exim4 to bcc all new incoming emails to another email address? My boss wants a copy of all outgoing emails.
I know postfix can do this with a bcc_always option. I'm sure exim4 should be able to also.
Jun 17, 2010
I am working on a Debian 2.6.26-19 Distribution with exim4 as MTA. After a system restart a problem occurred with delivering emails to local addresses. These local addresses use a 1and1 mailserver for email. The MX records for the local domain are set correctly but exim does not use a DNS lookup for these addresses because it identifies them as local addresses. I figured this out by executing the exim4 -d -bt command. The dns lookup part of the result looks like this (I replaced the actual address with placeholders):
[Code]....
The eventual result of the exim4 -d -bt command is: [user]@[domain.ext] is undeliverable: Unrouteable address. How can I make sure that exim4 makes a DNS lookup for the local addresses instead of skipping it? I know that I have to edit an exim4 configuration file, but I could not figure out which and how.
Mar 28, 2011
Looks like my firefox has been compromised and I have a packet sniffer. Not sure what to do. Should I just delete the suspicious files? Here's the chkrootkit log:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
[code]....
Jun 8, 2010
I am going through the motions of testing the chkrootkit and rootkit hunter applications on one of our servers. I wanted to get feedback from those who know both as to which of the two is better at 'sniffing' out rootkits. Alternatively, can both be installed without their interfering with each other?
Aug 1, 2010
I ran a chkrootkit scan and found this: The following suspicious files and directories were found: /usr/lib/pymodules/python2.6/.path /usr/lib/xulrunner-1.9.2.8/.autoreg /usr/lib/firefox 3.6.8/.autoreg /usr/lib/jvm/.java-6-openjdk.jinfo
How do I get rid of this suspicious file?
Sep 25, 2010
Two days ago we started to receive the following message:
/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/lib/init/rw/.mdadm /lib/init/rw/.ramfs
/lib/init/rw/.mdadm
INFECTED (PORTS: 4369)
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
And at about the same time (a day before that) we had set up new rules for the queueing disciplines using 'tc' on our Debian lenny box (these rules are for some of the experiments we are carrying out). I have run chkrootkit manually and this message (as above) keeps appearing, while the rkhunter tool does not complain about these items. Could there be a connection between setting up the new qdiscs and the chkrootkit "INFECTED" messages?
Jul 13, 2011
I just installed the rkhunter tool via apt-get install rkhunter. When I ran the rkhunter check, rkhunter came up with a warning about "GasKit Rootkit"; I don't understand what it is.
This server is a fresh install and maybe 1 week old, so I don't understand why this happens.