Is this a compromise? Cron /root/chkrootkit.sh | grep -v .packlist




Here are the details of the email:

find: /proc/15118: No such file or directory
find: /proc/15141: No such file or directory
find: /proc/16388: No such file or directory
find: /proc/16392: No such file or directory

/usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.registry /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.doc.php.net /usr/lib/php/.registry/.channel.pecl.php.net
INFECTED (PORTS: 465)

So I did a quick check on the server to see what is listening on port 465:

root@host [/]# fuser -vn tcp 465

USER PID ACCESS COMMAND
465/tcp: mailnull 1046 F.... exim

This confirmed that exim is in fact using this port.

For those who do not know what fuser is (“fuser – identify processes using files or sockets”), please refer to this page:

http://linux.about.com/library/cmd/blcmdl1_fuser.htm
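
One way to script the manual check above, as an added example that is not part of the original post: it pulls the ports out of chkrootkit's INFECTED (PORTS: ...) line, asks fuser which process holds each one, and compares the result against an allowlist. The function names and the EXPECTED allowlist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage "INFECTED (PORTS: ...)" lines from chkrootkit output.
# EXPECTED is a space-separated allowlist of port=daemon pairs. The 465=exim
# entry mirrors the server in the post; adjust it for your own host.
EXPECTED="465=exim"

# Read chkrootkit output on stdin, print one flagged port per line.
# Only lines mentioning INFECTED and PORTS are used, so the /proc noise
# from find is ignored.
infected_ports() {
    grep 'INFECTED.*PORTS' | tr -c '0-9\n' ' ' | tr -s ' ' '\n' | sed '/^$/d'
}

# Print the command name of the process listening on TCP port $1.
# Prints nothing if there is no listener or fuser cannot see it (run as root).
port_owner() {
    owner_pid=$(fuser -n tcp "$1" 2>/dev/null | awk '{print $1}')
    if [ -n "$owner_pid" ]; then
        ps -o comm= -p "$owner_pid" || true
    fi
}

# verdict PORT OWNER -> expected | unexpected | no-listener
verdict() {
    if [ -z "$2" ]; then
        echo "no-listener"
        return 0
    fi
    for pair in $EXPECTED; do
        if [ "$pair" = "$1=$2" ]; then
            echo "expected"
            return 0
        fi
    done
    echo "unexpected"
}

# Read chkrootkit output on stdin, print "port owner verdict" per flagged port.
triage() {
    infected_ports | while read -r port; do
        owner=$(port_owner "$port")
        echo "$port ${owner:--} $(verdict "$port" "$owner")"
    done
}

# Usage (as root): /root/chkrootkit.sh 2>/dev/null | triage
```

A verdict of `unexpected` or `no-listener` means the port is not explained by the allowlist and needs a closer look; `expected` corresponds to the exim result shown in the post.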