Hi Peter,
The rootkit had already been removed up to that point. The user of the Blitz process was the mailman user.
Taking steps to secure the server more now.
On Tue, 17 Oct 2023, 22:23, <peter@chubb.wattle.id.au> wrote:
Some more info on the issue after running RKhunter:
[09:47:54] Warning: Network TCP port 47018 is being used by /tmp/.X291-unix/.rsync/c/blitz64. Possible rootkit: Possible Universal Rootkit (URK) component
You need to remove the rootkit. Someone has hacked into your system. This has nothing to do with Mailman3 as such.
If you do a ps axfu | grep blitz64
you should be able to find which uid is being used (first column of output). You'll then be able to find the bits of the rootkit by looking at that user's processes and open files, and delete them.
And then you can fix that user's permissions/password so it's less likely to be compromised again, or delete the user entirely if the user isn't being used for anything else.
-- Peter C
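As an added example (not part of this thread and not Mailman's own tooling), a read-only triage helper that does what Peter describes: find the uid a process matching a name runs as, then list that process's executable, working directory, open files and listening sockets, plus the same user's other processes. It assumes a Linux /proc, procps (pgrep, ps) and iproute2 ss; "blitz64" is only the name from the RKhunter warning above, and the hypothetical function names are mine.

```sh
#!/bin/sh
# Added triage helper, not from the thread. Read-only: it inspects, it does
# not kill processes or delete files. Assumes Linux /proc, pgrep/ps and ss.

# Real uid owning a pid, from the "Uid:" line of /proc/<pid>/status.
proc_uid() {
    awk '/^Uid:/ { print $2; exit }' "/proc/$1/status" 2>/dev/null
}

# Executable and working directory. A binary removed after start still shows
# here, suffixed "(deleted)", which is worth noting for a suspected rootkit.
proc_exe() { readlink "/proc/$1/exe" 2>/dev/null; }
proc_cwd() { readlink "/proc/$1/cwd" 2>/dev/null; }

# Filesystem paths the process holds open (sockets, pipes and anon inodes
# resolve to non-path targets and are skipped).
proc_open_files() {
    for fd in /proc/"$1"/fd/*; do
        [ -e "$fd" ] || continue
        t=$(readlink "$fd" 2>/dev/null) || continue
        case "$t" in /*) printf '%s\n' "$t" ;; esac
    done | sort -u
}

# Other processes of the same user: where Peter suggests looking next.
user_processes() {
    ps -u "$1" -o pid=,ppid=,lstart=,args= 2>/dev/null
}

# Full triage for every PID whose command line matches the pattern,
# e.g. triage_process blitz64. Showing socket owners in ss needs root.
triage_process() {
    pattern=$1
    for pid in $(pgrep -f "$pattern"); do
        [ "$pid" = "$$" ] && continue
        uid=$(proc_uid "$pid" || echo '?')
        user=$(getent passwd "$uid" | cut -d: -f1)
        printf 'PID %s runs as uid %s (%s)\n' "$pid" "$uid" "${user:-unknown}"
        printf '  exe: %s\n  cwd: %s\n' "$(proc_exe "$pid")" "$(proc_cwd "$pid")"
        printf '  open files:\n'; proc_open_files "$pid" | sed 's/^/    /'
        printf '  listening sockets:\n'
        ss -ltnp 2>/dev/null | grep "pid=$pid," | sed 's/^/    /'
        printf '  other processes of uid %s:\n' "$uid"
        user_processes "$uid" | sed 's/^/    /'
    done
}
```

Run it as root so ss can attribute listening ports to their owning PIDs; compare the port it reports with the one RKhunter flagged before acting on anything.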
Mailman-users mailing list -- mailman-users@mailman3.org To unsubscribe send an email to mailman-users-leave@mailman3.org https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/ Archived at: https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/...