Achieve IT wrote:
Hello,

A user has reported that he is receiving spam email messages from himself. I run IPChains & Portsentry on my RaQ4. How can I check if the server has been compromised? Below is a new strange message in the log for this user.

Feb 12 08:33:04 ns spamd[10668]: clean message (-4.9/5.0) for mdwyer:119 in 3.0 seconds, 3016 bytes.
Feb 12 08:33:04 ns procmail[10664]: Suspicious rcfile "/home/sites/site5/users/mdwyer/.procmailrc"

Thanks,
Declan.

Declan,

The "suspicious rcfile" message is just procmail complaining that its configuration file can be edited by users other than the owner.
IIRC, procmail requires permissions on the user's home directory to be set more restrictively than the default.
Our procmail users seem to be set to:
drwxr-s--x
while the default users are set to:
drwxrws--x

Regards,
Richard.
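
An added example, not part of the thread above: a Python check for the condition Richard describes, namely write permission for anyone other than the owner on a user's home directory or .procmailrc. It approximates the idea and is not procmail's own logic; the function names and the ownership test are assumptions of this example.

```python
import os
import stat
import sys


def others_can_write(mode):
    """Return which classes other than the owner hold the write bit."""
    classes = []
    if mode & stat.S_IWGRP:
        classes.append("group")
    if mode & stat.S_IWOTH:
        classes.append("world")
    return classes


def audit_rcfile(rcfile, expected_uid=None):
    """Check an rcfile and the directory holding it; return a list of findings.

    expected_uid is the mailbox owner's uid (assumption of this example:
    the rcfile should belong to that user or to root).
    """
    rcfile = os.path.abspath(rcfile)
    findings = []
    for label, path in (("directory", os.path.dirname(rcfile)), ("rcfile", rcfile)):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # nothing to evaluate, e.g. the user has no rcfile
        shown = stat.filemode(st.st_mode)  # e.g. drwxrws--x
        for cls in others_can_write(st.st_mode):
            findings.append(f"{label} {path}: {cls}-writable ({shown})")
        if (label == "rcfile" and expected_uid is not None
                and st.st_uid not in (expected_uid, 0)):
            findings.append(f"rcfile {path}: owned by uid {st.st_uid}, "
                            f"expected {expected_uid} or root")
    return findings


if __name__ == "__main__":
    # Usage: python3 check_rcfile.py /path/to/.procmailrc [...]
    status = 0
    for target in sys.argv[1:]:
        for finding in audit_rcfile(target):
            print(finding)
            status = 1
    sys.exit(status)
```

With the two modes quoted in the thread, drwxrws--x is reported as group-writable and drwxr-s--x produces no finding.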