Re: Help with hijacked sendmail
From: Anthony Baratta (Anthony@Baratta.com)
Date: 09/26/01
- Previous message: Andrew Hatfield: "RE: Floppy Linuxes, Kickstart"
- In reply to: Dan Abend: "Help with hijacked sendmail"
- Next in thread: Xno Xutz: "Re: Help with hijacked sendmail"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <5.1.0.14.2.20010925191740.029ddb00@mail.areamail.net>
Date: Tue, 25 Sep 2001 19:21:43 -0700
To: "Dan Abend" <dan_abend@hotmail.com>, focus-linux@securityfocus.com
From: Anthony Baratta <Anthony@Baratta.com>
Subject: Re: Help with hijacked sendmail
At 07:45 AM 9/24/2001, Dan Abend wrote:
>I noticed some odd behavior going on in my maillog file. I've checked my
>sendmail configuration and have no idea how to get this behavior to stop.
>I don't see anything out of the ordinary in any other log. For now,
>sendmail is stopped. I don't even know what to try or where to examine
>next. Any suggestions are appreciated. This is what I see in the log and
>there are a lot of them. (Email addresses have been altered to protect the
>innocent)
Make sure your box has not been rooted.
I just cleaned up a friend's box that was rooted via the rpc.statd exploit.
The person appeared to use the t0rn root kit to install an SMTP daemon on a
port that accepted delivery requests and passed them on to the real SMTP
service for delivery as user nobody.
Make sure that your alias file has not been mucked with (user nobody will
have mail routed to /dev/null) and that all your binaries pass the checksum
test. You'll need to import some clean binaries from a CD or clean machine
to see the rogue processes.
---
Anthony Baratta
President
Keyboard Jockeys
"Conformity is the refuge of the unimaginative."
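The two checks suggested in the reply (aliases quietly routed to /dev/null, and system binaries compared against a checksum baseline taken from clean media), as an added example that is not part of the original thread. The aliases content and the baseline hash are constructed placeholders; the real baseline must be recorded from a trusted CD or clean machine before the box is suspect.

```python
import hashlib
import re

# Constructed sample aliases file (not from the original post).
SAMPLE_ALIASES = """\
# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     root
nobody:         /dev/null
abuse:          root, /var/log/abuse-copy
"""

ALIAS_RE = re.compile(r"^\s*([^#:\s]+)\s*:\s*(.+)$")

def devnull_aliases(text):
    """Return alias names whose delivery list includes /dev/null."""
    hits = []
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m and any(t.strip() == "/dev/null" for t in m.group(2).split(",")):
            hits.append(m.group(1))
    return hits

def file_sha256(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_baseline(baseline, hasher=file_sha256):
    """Compare files against a {path: sha256} baseline recorded from clean
    media. Returns the sorted paths that are missing or differ. The hasher
    is injectable so the logic can be tested without touching the disk."""
    bad = []
    for path, expected in baseline.items():
        try:
            actual = hasher(path)
        except OSError:
            actual = None
        if actual != expected:
            bad.append(path)
    return sorted(bad)

if __name__ == "__main__":
    # Run this with an interpreter and coreutils copied from trusted media:
    # a rootkit that replaced ls/ps/netstat may have replaced python too.
    print("aliases routed to /dev/null:", devnull_aliases(SAMPLE_ALIASES))
    baseline = {"/usr/sbin/sendmail": "<sha256 from clean CD>"}  # placeholder
    print("binaries failing checksum:", verify_baseline(baseline))
```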