Re: Help with hijacked sendmail (RESOLVED)
From: Dan Abend (dan_abend@hotmail.com)
Date: 09/27/01
From: "Dan Abend" <dan_abend@hotmail.com>
To: focus-linux@securityfocus.com
Subject: Re: Help with hijacked sendmail (RESOLVED)
Date: Thu, 27 Sep 2001 08:34:06 -0400
Message-ID: <F120LfPTnKGW2yL30Pt0000a3e9@hotmail.com>
Just to let you all know how this turned out...
I should have mentioned what version of sendmail I was running. The first
thing I did was check all the open relays and telnet to abuse.net. This
verified all my relays were indeed closed. The real clue was that all the
mail was from user nobody@localhost. One of my clients has an old version of
formmail.pl which was getting abused. We grabbed the latest version from
Matt's Script Archive (http://worldwidemart.com/scripts/formmail.shtml) and
installed it. Once the traffic left in the pipe from all the rejected spams
settled (that took about 4 hours) everything was fine.
I'm very embarrassed such abuse of my mail server occurred. I was unaware of
the formmail patch and didn't even consider this might be a web cgi related
hack. Thank you to everyone who helped make my mail server less vulnerable
to spammers.
Dan
>From: "Dan Abend" <dan_abend@hotmail.com>
>To: focus-linux@securityfocus.com
>Subject: Help with hijacked sendmail
>Date: Mon, 24 Sep 2001 10:45:31 -0400
>I noticed some odd behavior going on in my maillog file. I've
>checked my sendmail configuration and have no idea how to get this behavior
>to stop. I don't see anything out of the ordinary in any other log. For
>now, sendmail is stopped. I don't even know what to try or where to examine
>next. Any suggestions are appreciated. This is what I see in the log and
>there are a lot of them. (Email addresses have been altered to protect the
>innocent)
>Sep 6 21:09:35 server1 sendmail[22176]: VAA22176: from=nobody, size=1639,
>class=0, pri=271639, nrcpts=9,
>msgid=<200109070209.VAA22176@server1.mydomain.com>, relay=nobody@localhost
>Sep 6 21:09:36 server1 sendmail[22178]: VAA22176:
>to=someguy1@aol.com,someguy2@aol.com,someguy3@aol.com,someguy4@aol.com,someguy5@aol.com,someguy6@aol.com,someguy7@aol.com,someguy8@aol.com,someguy19@aol.com,
>ctladdr=nobody (99/99), delay=00:00:01, xdelay=00:00:01, mailer=esmtp,
>relay=mailin-01.mx.aol.com. [152.163.224.26], stat=Sent (OK)
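The clue described in the message above (mail submitted locally as nobody@localhost with many recipients, rather than relayed in from outside) can be checked for in a maillog. This is an added example, not part of the original post; the account list, recipient threshold, and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Accounts that web/CGI scripts commonly run as (assumption; adjust per host).
WEB_ACCOUNTS = {"nobody", "apache", "www-data"}
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")

# Constructed sample lines in the maillog format quoted in the post.
SAMPLE_LOG = """\
Sep 6 21:09:35 server1 sendmail[22176]: VAA22176: from=nobody, size=1639, class=0, pri=271639, nrcpts=9, msgid=<200109070209.VAA22176@server1.example.com>, relay=nobody@localhost
Sep 6 21:09:36 server1 sendmail[22178]: VAA22176: to=a1@example.net,a2@example.net, ctladdr=nobody (99/99), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.example.net. [192.0.2.26], stat=Sent (OK)
Sep 6 21:10:02 server1 sendmail[22190]: VAA22190: from=<alice@example.com>, size=812, class=0, pri=30812, nrcpts=1, msgid=<abc@example.com>, relay=client.example.com [192.0.2.50]
Sep 6 21:11:40 server1 sendmail[22201]: VAA22201: from=nobody, size=402, class=0, pri=30402, nrcpts=1, msgid=<def@server1.example.com>, relay=nobody@localhost
"""

def parse_fields(text):
    """Split 'k=v, k=v' pairs. The to= list uses bare commas, so split on ', '."""
    out = {}
    for part in text.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out

def local_web_senders(log_text, min_rcpts=5):
    """Return {account: [(queue_id, nrcpts), ...]} for mail submitted on the
    local host by a web-server account to at least min_rcpts recipients."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = parse_fields(m.group("fields"))
        if "from" not in f:
            continue  # delivery (to=) line; only submission lines carry nrcpts
        sender = f["from"].strip("<>")
        nrcpts = int(f.get("nrcpts", 0))
        # Local submission shows up as relay=<account>@localhost, not a remote host.
        is_local = f.get("relay", "") == f"{sender}@localhost"
        if is_local and sender in WEB_ACCOUNTS and nrcpts >= min_rcpts:
            hits[sender].append((m.group("qid"), nrcpts))
    return dict(hits)

if __name__ == "__main__":
    for account, msgs in local_web_senders(SAMPLE_LOG).items():
        print(account, msgs)
```

Hits point at a script running under the web server's account, so the next place to look is the web server's access log for the same timestamps rather than the sendmail relay configuration.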