18 Oct 2023, 6:49 a.m.
Odhiambo Washington writes:
> It's the de facto install method and very secure.
I don't consider anything related to email secure. :-)
How did Mailman get involved? My guess is that the rootkit did a ps, discovered that the 'mailman' user runs a lot of long-lived daemon processes, and sudo'd its own daemon with that user to hide among them.
The rootkit author is probably smarter than this, but if you're lucky they did suid in process and "ps -o euser,ruser" will give you the effective user (mailman) and the real user (a compromised account).
Don't assume only one account was compromised. If they had root (implied), they probably have /etc/passwd and /etc/shadow, and have run a password cracker on them.
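The `ps -o euser,ruser` check suggested above, written out as an added example that is not part of the original thread: it lists processes whose effective and real users differ (the in-process setuid case), with an optional allowlist for commands that are legitimately setuid such as `sudo`; the ps rows in `sample_ps_output` are constructed, and a rootkit that patches `ps` itself can of course hide from this, so treat the output as a triage list rather than proof.

```shell
#!/bin/sh
# Added example, not code from the original thread. Flags processes whose
# effective user (euser) differs from the real user (ruser), the signature
# the reply above describes: a daemon showing euser=mailman but ruser set to
# some other (compromised) account.

# find_euid_mismatch: read "PID PPID EUSER RUSER COMMAND" rows on stdin and
# print "pid euser ruser comm" for rows where euser != ruser. The header line
# is skipped. $1 is an optional space-separated allowlist of command names
# that are expected to show a mismatch because they are setuid (sudo, su...).
find_euid_mismatch() {
    awk -v allow="${1:-}" '
        NR > 1 && $3 != $4 && index(" " allow " ", " " $5 " ") == 0 {
            print $1, $3, $4, $5
        }'
}

# scan_live_processes: run ps with a fixed column set and filter it.
# Usage: scan_live_processes "sudo su passwd"
scan_live_processes() {
    ps -eo pid,ppid,euser,ruser,comm | find_euid_mismatch "${1:-}"
}

# sample_ps_output: constructed ps output (not real data) so the filter can be
# exercised offline. Row 2048 is the suspicious one: mailman daemon, but the
# real user is 'alice'. Row 3010 is a legitimate setuid sudo.
sample_ps_output() {
    cat <<'EOF'
  PID  PPID EUSER    RUSER    COMMAND
    1     0 root     root     init
 1201     1 mailman  mailman  python3
 1202     1 mailman  mailman  python3
 2048     1 mailman  alice    python3
 3010  3000 root     bob      sudo
EOF
}

# Example run against the constructed sample:
# sample_ps_output | find_euid_mismatch "sudo su passwd"
```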