Re: Is my box being used to attack someone?
From: /dev/rob0 (rob0 gmx.co.uk)
Date: Thu Jun 22 2006 - 14:33:37 CDT
On Thursday 2006-June-22 14:08, Tim Hogan wrote:
> Over the past few days I have noticed that my postfix installation is
> bouncing about 1100 messages a day. I have tried to figure out what
> is going on and I am not sure what to look at next. As far as I can
> tell all of the connections that are bouncing create the following
> entries in the log;
>
> Jun 21 07:08:19 wolf postfix/pickup[9372]: 61921672652: uid=0 from=<smokealert company.xy>
UID 0 (yes, that's root, The Big Guy) submitted mail via sendmail(1)
claiming to be smokealert company.xy. Since you have munged that we
don't know if there's any chance that it's legitimate, but you can
guess for yourself.
If this is you, it seems odd that you'd be using the root account for
mail submission. I'm guessing you are compromised, rooted.
> OK, I am confused here. I have had this installation running for
> over a year and have never seen this before. My configuration will
> drop anyone that it can't resolve before the data part of the
> handshake so there should be nothing to "bounce". The log doesn't
> say who is connecting to me and I haven't been able to capture the
> connection with a snoop. I have tried adding "company.xy" to my
> header check and that seems to have done nothing.
Right. No one is connecting. A local process is generating the mail,
submitting it using /usr/sbin/sendmail.
> How can I stop this ?
Pull the plug ASAP. Reinstall.
> How can I figure out where this is coming from?
The most commonly exploited things on Unix these days are PHP Web
scripts. Are you running a Web server on here? PHP content?
> How can I tell if I am spamming someone else because of this?
> How can I turn up the logging to figure this out?
Too late. If an attacker has root on your system, you cannot trust its
logging. Surprising that this attacker didn't turn off your syslogd!
> PS. Here are my configs
>
> $ cat main.cf
It's not a Postfix issue, but if it was, "postconf -n" would be the
preferred means of doing this.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
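One way to act on the point made in the reply above, that the postfix/pickup entries identify a local submitter rather than a remote connection: this added Python example (not from the thread or from Postfix itself) parses pickup lines and counts submissions per uid and sender, so a runaway local process stands out from ordinary root cron mail. The log lines, hostname, queue IDs and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt, modelled on the pickup line quoted in the
# thread. Hostname, queue IDs and addresses are made up; the last uid=0 line
# mimics ordinary root cron mail, which is why uid alone is not the signal.
SAMPLE_LOG = """\
Jun 21 07:08:19 wolf postfix/pickup[9372]: 61921672652: uid=0 from=<smokealert@company.example>
Jun 21 07:08:20 wolf postfix/cleanup[9375]: 61921672652: message-id=<20060621120819.GA1234@wolf>
Jun 21 07:08:21 wolf postfix/pickup[9372]: 7A3B1672660: uid=0 from=<smokealert@company.example>
Jun 21 07:09:02 wolf postfix/pickup[9372]: 8C4D2672671: uid=1001 from=<tim@wolf.example>
Jun 21 07:09:30 wolf postfix/smtpd[9380]: connect from mail.example.net[192.0.2.10]
Jun 21 07:09:45 wolf postfix/pickup[9372]: A1B2C672693: uid=0 from=<root@wolf.example>
Jun 21 07:10:11 wolf postfix/pickup[9372]: 9E5F3672682: uid=0 from=<smokealert@company.example>
"""

# Only postfix/pickup lines carry "uid=N from=<...>": they are mail handed to
# /usr/sbin/sendmail by a local process, never mail that arrived over SMTP.
PICKUP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/pickup\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>$"
)


def parse_pickup(log_text):
    """Yield (uid, sender) for every pickup line; smtpd/cleanup lines are skipped."""
    for line in log_text.splitlines():
        m = PICKUP_RE.match(line)
        if m:
            yield int(m.group("uid")), m.group("sender")


def summarize_local_submissions(log_text):
    """Count local sendmail(1) submissions per (uid, sender) pair."""
    return Counter(parse_pickup(log_text))


def suspicious_submitters(log_text, threshold=2):
    """Return (uid, sender, count) for pairs that submitted at least `threshold`
    messages, most active first. A bursty uid 0 sender with an unfamiliar
    address is the pattern described in the thread; a single root cron mail is not."""
    return [(uid, sender, n)
            for (uid, sender), n in summarize_local_submissions(log_text).most_common()
            if n >= threshold]


if __name__ == "__main__":
    for uid, sender, n in suspicious_submitters(SAMPLE_LOG):
        print(f"uid={uid} from=<{sender}> submitted {n} message(s) via pickup")
```

On a live system the same functions can be fed the contents of the mail log; pickup lines from a rooted host are still worth tallying, but the reply's caveat stands that nothing the box logs after a root compromise can be fully trusted.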