
Hacked; recovering

Vernon Brown_2
Frequent Advisor

Hacked; recovering

Hacker changed my root password and did much damage. I reformatted and installed RH 7.1. Recovered my data from backups. Have everything going now except pop-3 service. I typed in the ipop3 entry in xinetd.d by memory and maybe missed something.

When I telnet to my.domain 110 I get "connection refused."

How can I know if pop-3 is running? Here is my ipop3 entry in xinetd.d.



service pop-3
{
protocol = tcp
user = root
socket_type = stream
wait = no
server = /usr/local/sbin/popper qpopper -s
disable = no
}

$ ls -l /usr/local/sbin
total 124
-rwxr-xr-x 1 root root 120980 Aug 13 09:44 popper

Thanks and points for any help !
9 REPLIES
Ron Kinner
Honored Contributor
Solution

Re: Hacked; recovering

netstat -an |grep 110

should show if your PC is listening on port 110 which is pop3's usual port.

Ron

Vernon Brown_2
Frequent Advisor

Re: Hacked; recovering

Many Thanks !!

netstat -an | grep 110 returns empty. So can someone compare my pop-3 entry above with the RedHat ipop3 entry to see if it is correct?

Also, is there a way to update RedHat 7.1 to add stuff that was missed on the original install?
Ron Kinner
Honored Contributor

Re: Hacked; recovering

Don't see anything wrong with your xinetd.d entry.

See if either of these helps.

http://a1392.g.akamaitech.net/7/1392/939/0002/www.eudora.com/download/eudora/qpopper/4.0/free/final/Qpopper.pdf

Also:
http://www.naspa.com/PDF/2001/0401%20PDF/T0104006.pdf

Use RPM to add stuff to your Linux.

Ron
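
Added example (not from any poster in this thread): xinetd's documented format puts only the program path in `server` and its arguments in `server_args`, without repeating the program name the way an inetd.conf line does. The script below lints a service file for that and for the attributes xinetd requires; `attr`, `lint_xinetd_entry` and `sample_entry` are names made up here, and the sample is the entry as posted in the question.

```shell
#!/bin/sh
# Added example: lint one xinetd service file. Read-only; prints findings.

# attr FILE NAME: print the value of the first "NAME = value" line.
attr() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        tr '\t' ' ' | sed -e 's/ *$//' -e 1q
}

# lint_xinetd_entry FILE: one finding per line; empty output means clean.
lint_xinetd_entry() {
    file=$1
    # xinetd requires these attributes for a non-internal service.
    for name in socket_type wait user server; do
        [ -n "$(attr "$file" "$name")" ] || echo "MISSING: $name"
    done
    server=$(attr "$file" server)
    case $server in
        *" "*)
            # Unlike an inetd.conf line, arguments go in server_args,
            # and server_args must not repeat the program name (argv[0]).
            echo "ARGS_IN_SERVER: '${server#* }' does not belong in server"
            server=${server%% *}
            ;;
    esac
    if [ -n "$server" ] && [ ! -x "$server" ]; then
        echo "NOT_EXECUTABLE: $server"
    fi
    [ "$(attr "$file" disable)" != "yes" ] || echo "DISABLED: disable = yes"
}

# Constructed sample: the entry as posted in the question.
sample_entry() {
    cat <<'EOF'
service pop-3
{
protocol = tcp
user = root
socket_type = stream
wait = no
server = /usr/local/sbin/popper qpopper -s
disable = no
}
EOF
}

# Stand-alone use: sh lint.sh /etc/xinetd.d/ipop3
[ $# -eq 0 ] || lint_xinetd_entry "$1"
```

xinetd only picks up a changed file in xinetd.d after it has been restarted or told to reload its configuration, so rerun the netstat check after doing that.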






Vernon Brown_2
Frequent Advisor

Re: Hacked; recovering

Thanks !

Do you happen to know the rpm module that contains the RedHat pop-3 server? Or what can I grep for on what CD of the 7.1 release?
Ron Kinner
Honored Contributor

Re: Hacked; recovering

I think it's hidden in the imap package:

http://isp-lists.isp-planet.com/isp-unix/0105/msg00093.html

Ron
Vernon Brown_2
Frequent Advisor

Re: Hacked; recovering

Thanks, I'll see if I can rpm the imap package.
Sorrel G. Jakins
Valued Contributor

Re: Hacked; recovering

Ron Kinner,

Why do you use
http://a1392.g.akamaitech.net/7/1392/939/0002/www.eudora.com/download/eudora/qpopper/4.0/free/final/Qpopper.pdf

and not just go straight to eudora like this:
http://www.eudora.com/download/eudora/qpopper/4.0/free/final/Qpopper.pdf

In other words, who is akamai, and why would you want to go there to redirect to eudora?

Sorrel Jakins, pointy-hair boss and no cap/crown/wizard hat.
Ron Kinner
Honored Contributor

Re: Hacked; recovering

Sorrel,

Got a page via a google search and then clicked on a link which had what I wanted and just copied what came up at the top. Too lazy to bother with figuring out what was the real URL.

Ron
Richard Chang
Occasional Visitor

Re: Hacked; recovering

Akamai is just a caching web server. A lot of companies buy their service (cnn.com is another that uses them).

The basic gist of it is, Akamai puts servers in regions of the US. And, depending on where you are located, the content you are trying to view is provided from the server closest to you.

One of the benefits to the Akamai customer is that their servers don't have to handle the load - Akamai has to deal with that.

So, in this particular case, the download you are trying to get was going to come from an Akamai server that is close to you. This is very beneficial if you are on the east coast, and the origin company is on the west coast.


-Rich