Re: [cobalt-users] Annoying email "service" seems to be "servicing" my RaQ3
- Subject: Re: [cobalt-users] Annoying email "service" seems to be "servicing" my RaQ3
- From: "Jelmer Jellema" <cobalt@xxxxxxxxxxxxxxx>
- Date: Thu Feb 14 10:58:02 2002
- Organization: Spin in het Web (www.spininhetweb.nl)
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> (By the way, this box is on an IP address
> that was hacked a few weeks ago, and it keeps "disappearing" every once in
> a while (See "The case of the missing remote Raq" elsewhere on this list),
> and I don't trust anybody that touches it now...) Any idea what they're
> after? As far as I can tell, there are no open relays on this box...
>
> In ps, they show up like this...
>
> root 21003 0.0 0.9 2388 1232 ? S 12:15 0:00 sendmail:
> OAA15019 a.mx.quickydeals.com.: user open
>
> In netstat, like this...
>
> tcp 0 1 www.xxxxxx.com:xxxx mailer.hispeedoffe:smtp SYN_SENT
>
Well,
First of all, if you think this has to do with your machine being hacked:
make some notes about what and when and notify the same officer you talked to
about the hack. You did go to the police about the hack, didn't you?
Then: use ipchains to block them. If you haven't got ipchains, get it, see:
http://list.cobalt.com/pipermail/cobalt-users/2001-December/058573.html
Or you can block the route back to them:
/sbin/route add -host 64.32.63.34 reject
Hope this helps,
Jelmer
-----------------------------------------------------------------
Jelmer Jellema - Spin in het Web
www.spininhetweb.nl
Spin in het Web: All the Strings in Hand
-----------------------------------------------------------------
Spin in het Web is the producer of:
www.visinhetnet.nl: Not The Latest News
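
An added example, not part of the original message: one way to see which remote hosts the box keeps dialing on SMTP, from `netstat -tn` style output, and to print the reject routes suggested above for review before running them. The sample input uses constructed documentation addresses, and the function names and the threshold are assumptions.

```shell
#!/bin/sh
# Added example: summarise unanswered outbound SMTP connection attempts
# and print (not execute) reject routes for the busiest remote hosts.

# Constructed sample input in `netstat -tn` layout (documentation
# addresses, not taken from the original post).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 192.0.2.10:3411         198.51.100.7:25         SYN_SENT
tcp        0      1 192.0.2.10:3412         198.51.100.7:25         SYN_SENT
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
tcp        0      1 192.0.2.10:3413         198.51.100.9:25         SYN_SENT
tcp        0      0 192.0.2.10:25           203.0.113.8:40022       ESTABLISHED
EOF
}

# Read netstat output on stdin; print "count remote_ip" for each remote
# host we are dialing on port 25 with the handshake still unanswered
# (SYN_SENT), busiest first. Inbound SMTP and other ports are ignored.
smtp_syn_sent() {
    awk '$1 == "tcp" && $6 == "SYN_SENT" {
             n = split($5, a, ":")      # a[1] = remote ip, a[n] = remote port
             if (a[n] == "25") count[a[1]]++
         }
         END { for (ip in count) print count[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Read netstat output on stdin; for hosts with at least $1 pending
# attempts (default 2), print the route command from the message above.
reject_routes() {
    threshold=${1:-2}
    smtp_syn_sent | awk -v t="$threshold" '$1 >= t {
        print "/sbin/route add -host " $2 " reject"
    }'
}

# Demo on the constructed sample; on a live box use: netstat -tn | reject_routes 2
sample_netstat | reject_routes 2
```

The commands are only printed, so each address can be checked against legitimate mail partners before a route is added.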