Re: Sendmail Hacked
From: John (John_at_somewhere.com)
Date: 04/11/04
- Next message: Robert: "Dsniff (arpspoof problem)..."
- Previous message: Jean Lutrin: "different acces times in xinetd.d for CVS"
- In reply to: Jim Jawn: "Sendmail Hacked"
- Next in thread: shadow: "Re: Sendmail Hacked"
- Reply: shadow: "Re: Sendmail Hacked"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 11 Apr 2004 14:53:03 GMT
On Sun, 11 Apr 2004 05:22:12 -0700, Jim Jawn wrote:
> I recently inherited a Linux nightmare. I've never worked on Linux
> before so I'm a relative newbie and while I'm more and more impressed
> by the absolute coolness of the OS, the previous sys admins bit ass
> when it came to security. There are holes upon holes upon holes.
>
> As of right now, I've got my sendmail disabled because it's the only
> way that I'm able to stop my server from spamming the rest of the
> world. The second I turn on sendmail and check my mqueue folder, I
> get about 100 messages ready to go and a server that just shoots them
> out. I'm not sure if I'm posting to the right group or not, but I
> hope so.
>
> Anyways, I turned off relaying which was killing me earlier in the
> week. I also installed spamassassin and MailScanner which are working
> like a charm (all the spam I'm sending has {SPAM?} appended to the
> title). Also got f-prot installed and working to make sure I didn't
> have a virus and that that was my problem.
>
> Now, it's something new. This morning in my LogWatch, I got an ftp
> connection which is weird because I didn't know I had ftp running. I
> reversed the IP address and traced it to a huge netblock I didn't
> recognize. I checked the ftp logs and they've all been cleared. No
> entries at all. Around 4:00 this afternoon, my server started firing
> off messages.
>
> Can anyone point me in the right direction for figuring out where
> these emails are coming from locally? Is there a log file that I can
> check? The only thing in common that I can see is this in the email
> messages that I get...
>
> procmail: Assigning "LOGFILE=/tmp/check.out.procmailrc.log"
> procmail: Opening "/tmp/check.out.procmailrc.log" <user@domain.to>...
> Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
>
> When I check the log in the tmp directory, I get THOUSANDS of these
> messages...
> procmail: Assigning "DROPPRIVS=yes"
> procmail: Assuming identity of the recipient, VERBOSE=off
> procmail: [fake address]
> All.spammers.must.be.crucified@truth-saver.com
>
> I'm not sure what this means in sum total. Are these logs supposed to
> be in the /tmp/ directory? Can they help me find out what is sending
> this garbage? Has my system been compromised to the point of
> rebuilding? Any thoughts?
>
> Jim Jawn
You are about a week away from getting a warning from your ISP. "Stop
sending spam or you're cut off". They trace the spam back to you by the
MAC address on your network card. This happened to me too - I had no
firewall and sendmail running. It's amazing how fast you get picked off
by the bad guys - I was spam central within 2 days (without knowing it)
and got a warning from my ISP shortly thereafter.
Start by unplugging your connection to the internet until you are able to
go and buy a cable/adsl router. I recommend Linksys BEFSR41 but there are
other good ones too. You will be able to get one for about $50 - to
provide a *good enough* firewall. Easy to set up too.
Next, you have to shut down unnecessary net interfaces. I doubt if you
need sendmail running, or FTP, or telnet. I can't tell you how to shut
them down but the Linksys will give you time to figure it out.
Start by reading up on security on Linux. Here is a good starting point:
http://www.tldp.org/HOWTO/DSL-HOWTO/
It's time for you to move fast. Good luck.
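A few shell helpers for the triage Jim asks about (where the outgoing mail is coming from, how big the queue is, what is listening). This is an added example, not code from either poster. It assumes a Linux host with sendmail, procmail, awk, find and either ss or netstat; the mqueue path and the sample log lines are constructed from the messages quoted above.

```shell
#!/bin/sh
# Added example: triage helpers for a mail host that is sending unexpected mail.
# Assumes a Linux box with sendmail/procmail and standard tools (awk, find, ss/netstat).

# Read procmail verbose log text on stdin and print "<logfile> <count>" for each
# LOGFILE= assignment seen, so that a log being written under /tmp (as in the
# quoted messages) stands out from the usual per-user ~/.procmail.log.
summarize_procmail_logfiles() {
    awk '/procmail: Assigning "LOGFILE=/ {
            sub(/.*LOGFILE=/, ""); sub(/".*/, ""); n[$0]++
         }
         END { for (f in n) print f, n[f] }' | sort
}

# Print only LOGFILE paths that are not under /home (e.g. anything under /tmp).
suspicious_logfiles() {
    summarize_procmail_logfiles | awk '$1 !~ /^\/home\// { print $1 }'
}

# Count queued messages in a sendmail queue directory: each queued message has a
# qf* control file. Defaults to /var/spool/mqueue (assumed default path).
count_mqueue() {
    find "${1:-/var/spool/mqueue}" -maxdepth 1 -name 'qf*' 2>/dev/null | wc -l | tr -d ' '
}

# List listening TCP sockets so unexpected daemons (ftp, telnet, sendmail) are visible.
list_listeners() {
    ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null
}

# Constructed sample log, modelled on the lines quoted in the thread (not real data).
SAMPLE_LOG='procmail: Assigning "LOGFILE=/tmp/check.out.procmailrc.log"
procmail: Opening "/tmp/check.out.procmailrc.log"
procmail: Assigning "LOGFILE=/tmp/check.out.procmailrc.log"
procmail: Assigning "LOGFILE=/home/alice/.procmail.log"
procmail: Assigning "DROPPRIVS=yes"'

# Stand-alone run: summarise the constructed sample, then the live host.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_procmail_logfiles
    echo "suspicious: $(printf '%s\n' "$SAMPLE_LOG" | suspicious_logfiles)"
    echo "queued messages: $(count_mqueue)"
    list_listeners
fi
```

Run it with `--demo` (or source it and pipe a real `/var/log/maillog` or the `/tmp/*.procmailrc.log` file into `summarize_procmail_logfiles`). A LOGFILE assignment pointing outside any home directory means some `.procmailrc` on the box was written to log there, which narrows the search to the users whose procmailrc contains that path.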