Re: Hmm, have I been rootkitted?

From: Ingo Pakleppa (ingo-immigration@kkeane.com)
Date: 11/19/02


From: Ingo Pakleppa <ingo-immigration@kkeane.com>
Date: Tue, 19 Nov 2002 00:03:47 GMT

On Mon, 18 Nov 2002 07:01:58 -0800, Jared wrote:

> Two weeks ago I was rootkitted (found it thanks to chkrootkit). At the
> time I decided to migrate from MDK 8.2 to RH 8.0. It's in and working,
> as is chkrootkit-0.37.
>
> Now I am seeing something I don't understand. Chkrootkit-0.37 reports
> no anomalies; however, LogWatch reports:
>
> ################## LogWatch 2.6 Begin #####################
>
> ---------------- Connections (secure-log) Begin -------------------
>
> Connections:
> Service imap:
> 127.0.0.1: 263 Time(s)
> 192.168.0.7: 1 Time(s)
>
> ----------------- Connections (secure-log) End --------------------
>
> ###################### LogWatch End #########################
>
> The second line represents me checking my email (hey, it was Sunday, I
> only logged in once. It happens when you have young children).
>
> I am running UW-imap, postfix and fetchmail. Between myself and my wife
> we may have had 150 messages or so (I really have to make an hour or so
> to put in Spamassassin again. Real Soon Now). I don't think we have
> gotten 263 messages in twenty-four hours. I do have fetchmail checking
> our ISP accounts every five minutes, but that would only account for 120
> accesses max, and I question getting 143 messages directly via SMTP.
> System logs don't show anything suspicious. The only possible
> explanation I can come up with is that I left a Squirrelmail window open
> at work and possibly the browser was updating itself; but I saw no
> settings in the browser that would do so. Is there a default? (I am
> forced to labor in a Micro$oft environment, so the browser was IE 6.0).
>
> Does anyone have an idea as to why the localhost imap login would be so
> high?
> Comments, opinions, feedback all welcomed. Please pardon my paranoia,
> but I've been rootkitted twice this year already.

My guess is that Squirrelmail is indeed the culprit. Some of the HTML
pages in Squirrelmail have HTTP refresh headers. I observed the folder
pane (on the left) refreshing itself regularly every few minutes.
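
One way to test the refresh-timer explanation against the log itself, as an added example that is not part of the original thread: parse the imapd "connect from" lines in /var/log/secure per source address, measure the gaps between successive connections, and flag a source whose gaps are near-constant, which is what a page reloading on a timer produces and what a person reading mail does not. The projected per-day figure then gives you something to hold against the count LogWatch reports. The log format below is a constructed approximation of what UW-imap under xinetd/tcp_wrappers writes (an assumption; adjust LINE_RE to your own lines), and the year is assumed because syslog timestamps omit it.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape for UW-imap behind xinetd/tcp_wrappers in /var/log/secure:
#   "Nov 17 08:00:02 mail imapd[4101]: connect from 127.0.0.1"
# Adjust this pattern if your imapd logs connections differently.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ imapd\[\d+\]: "
    r"connect from (?P<ip>[\d.]+)"
)


def build_sample_log():
    """Constructed sample log (not real data): one source connecting every
    ~5 minutes with a second or two of jitter, as a refreshing browser pane
    would, plus two hands-on logins from a LAN host hours apart."""
    lines = []
    start = datetime(2002, 11, 17, 8, 0, 0)
    for i in range(25):
        ts = start + timedelta(seconds=300 * i + (i % 3))
        lines.append(f"{ts.strftime('%b %d %H:%M:%S')} mail imapd[{4100 + i}]: "
                     f"connect from 127.0.0.1")
    lines.append("Nov 17 09:12:41 mail imapd[4200]: connect from 192.168.0.7")
    lines.append("Nov 17 16:48:09 mail imapd[4300]: connect from 192.168.0.7")
    return "\n".join(lines)


def analyze(log_text, year=2002):
    """Return, per source IP, the connection count, the median gap between
    connections, whether the gaps look timer-driven, and how many
    connections a poller at that interval would make in 24 hours.
    `year` is assumed because syslog timestamps carry no year."""
    connections = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        connections[m.group("ip")].append(ts)

    report = {}
    for ip, times in connections.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        entry = {"count": len(times), "median_gap_s": None,
                 "periodic": False, "per_day_if_continuous": None}
        # Need a handful of gaps before calling anything "periodic".
        if len(gaps) >= 3:
            med = statistics.median(gaps)
            # Median absolute deviation: robust to the odd extra login.
            mad = statistics.median([abs(g - med) for g in gaps])
            entry["median_gap_s"] = med
            # A timer produces gaps that vary by a few seconds; a human does not.
            # Threshold of 10% of the median is a judgement call.
            entry["periodic"] = med > 0 and mad <= 0.1 * med
            entry["per_day_if_continuous"] = round(86400 / med) if med > 0 else None
        report[ip] = entry
    return report


if __name__ == "__main__":
    for ip, entry in analyze(build_sample_log()).items():
        print(ip, entry)
```

Against a real box, feed it the file instead of the sample (`analyze(open("/var/log/secure").read())`, which needs root on RH 8.0). A localhost source that comes out periodic at a few hundred seconds, with a per-day projection near the figure LogWatch printed, points at a timer such as a webmail pane left open; a localhost source with irregular gaps, or one that appears at hours when nobody was at a browser, is what would deserve the rootkit-grade suspicion.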