Some more info on the issue after running RKhunter:
[09:47:54] Warning: Network TCP port 47018 is being used by /tmp/.X291-unix/.rsync/c/blitz64. Possible rootkit: Possible Universal Rootkit (URK) component
Warning: Suspicious file types found in /dev:
[09:47:58] /dev/shm/PostgreSQL.2417704720: data 10
Rootkit process:
mailman 1593549 0.0 0.0 5776 1032 ? S 08:59 0:00 timeout 24h ./blitz -t 515 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
mailman 1593550 0.0 0.0 7368 3376 ? S 08:59 0:00 /bin/bash ./blitz -t 515 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
mailman 1593554 24.1 0.4 111404 34932 ? Sl 08:59 12:59 /usr/sbin/httpd .rsync/c/blitz64 -t 515 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
Kyriakos Terzopoulos
Web developer / e-learning expert
Tel: +30 211 213 9858
Mobile: +30 694 526 4512
E-mail: kyriakos.terzopoulos@gmail.com
Skype: kyriakos.terzopoulos
Find me on Facebook <http://www.facebook.com/cirrus3d>
Follow me on Twitter <http://twitter.com/#%21/cirrus3d>
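Added triage helper for the report above (example code written for this thread, not part of the original mail or of Mailman): it applies the patterns visible in the rkhunter output (a hidden drop directory such as .rsync in argv, a relative ./ executable, a system-daemon name on argv[0] whose real binary sits elsewhere, a cwd or exe under a scratch directory) to saved `ps aux` lines and, through `scan_proc`, to a live /proc. The scratch-directory list and the /usr/sbin masquerade check are assumptions; the sample input is the three process lines quoted above.

```python
import os
import re

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed: no daemon should run from these
HIDDEN_COMPONENT = re.compile(r"(^|/)\.[^/.][^/]*")  # matches ".rsync", "/tmp/.X291-unix"

def suspicious_reasons(cmdline, cwd=None, exe=None):
    """Return the heuristics a process trips; cwd/exe are the resolved /proc links when known."""
    tokens, reasons = cmdline.split(), []
    if any(HIDDEN_COMPONENT.search(t) for t in tokens):
        reasons.append("hidden path component in argv")
    if any(t.startswith("./") for t in tokens):
        reasons.append("relative executable path in argv")
    for label, path in (("cwd", cwd), ("exe", exe)):
        if path and path.startswith(SCRATCH_DIRS):
            reasons.append(f"{label} under scratch dir: {path}")
    # argv[0] claims to be a system daemon while the real binary lives elsewhere (assumed check).
    if tokens and tokens[0].startswith("/usr/sbin/") and exe and not exe.startswith("/usr/sbin/"):
        reasons.append(f"argv[0] {tokens[0]} masquerades exe {exe}")
    return reasons

def triage_ps_output(text):
    """Apply the heuristics to saved `ps aux` output; returns [(pid, user, reasons)] for hits."""
    hits = []
    for line in text.strip().splitlines():
        user, pid, *_, command = line.split(None, 10)  # ps aux has 10 fields before COMMAND
        if reasons := suspicious_reasons(command):
            hits.append((int(pid), user, reasons))
    return hits

def scan_proc():
    """Same heuristics against the live host via /proc (root is needed to read every entry)."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe, cwd = os.readlink(f"/proc/{pid}/exe"), os.readlink(f"/proc/{pid}/cwd")
        except OSError:
            continue
        if reasons := suspicious_reasons(cmdline, cwd=cwd, exe=exe):
            hits.append((int(pid), cmdline, reasons))
    return hits

# Sample input: the three process lines quoted from the rkhunter report in this thread.
SAMPLE_PS = """\
mailman 1593549 0.0 0.0 5776 1032 ? S 08:59 0:00 timeout 24h ./blitz -t 515 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
mailman 1593550 0.0 0.0 7368 3376 ? S 08:59 0:00 /bin/bash ./blitz -t 515 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
mailman 1593554 24.1 0.4 111404 34932 ? Sl 08:59 12:59 /usr/sbin/httpd .rsync/c/blitz64 -t 515 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
"""
```

`triage_ps_output(SAMPLE_PS)` flags all three PIDs; on the live host, `scan_proc()` additionally exposes the cwd and exe links that `ps` does not show.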
On Tue, 17 Oct 2023 at 10:40, Kyriakos Terzopoulos <kyriakos.terzopoulos@gmail.com> wrote:
Hi,
After installing mailman and using it for a few days, I got several complaints from my hosting company for abuse.
After checking the server, it seems that there is a rootkit (Blitz) running with the mailman process.
Has anyone come across this issue? Are there any specific steps to secure the mailman user?
Thank you