
[cobalt-users] odd spamming problem



This is a RaQ4; it's got the Solarspeed sendmail and
qpop patches installed.

Someone (who needs to be strung up by their more
sensitive parts) has been managing to send spam
through the server; check the log excerpt:

Jun 25 09:13:29 crux sendmail[28247]: h5ONDTN28247: from=<tease4KMo@xxxxxxxxxxxxxx>, size=5398, class=0, nrcpts=1, msgid=<200306242313.h5ONDTN28247@xxxxxxxxxxx>, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 25 09:13:30 crux sendmail[28251]: h5ONDUN28251: from=<tease4r2c@xxxxxxxxxxxxxx>, size=5398, class=0, nrcpts=1, msgid=<200306242313.h5ONDUN28251@xxxxxxxxxxx>, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 25 09:13:31 crux sendmail[28249]: h5ONDTN28247: to=<dennis381@xxxxxxx>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=35398, relay=smtpin.mx.xxx.net. [209.240.213.109], dsn=2.0.0, stat=Sent (Ok: queued as 41D5BFE23)
Jun 25 09:13:35 crux sendmail[28253]: h5ONDUN28251: to=<berati@xxxxxxx>, delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=35398, relay=booster.xxx.hu. [212.75.128.38], dsn=5.1.1, stat=User unknown
Jun 25 09:13:36 crux sendmail[28260]: h5ONDaN28260: from=<teasePcLN@xxxxxxxxxxxxxx>, size=5400, class=0, nrcpts=1, msgid=<200306242313.h5ONDaN28260@xxxxxxxxxxx>, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 25 09:13:36 crux sendmail[28262]: h5ONDaN28260: to=<george.jones@xxxxxxx>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=35400, relay=mail.xxx.net. [205.173.230.2], dsn=4.0.0, stat=Deferred: Connection refused by mail.tins.net.

What I can't understand about this is that there's no
ctrladdr= and the relay is just localhost (not
nobody@localhost or httpd@localhost, as you'd expect
if it came through a bad script). Apart from the
actual emails being sent, I can't see anything
suspicious in the other logs.

I've removed all the trusted users so the actual
username will get logged as the sender, but there
doesn't seem to be any user at all associated with
those emails.

I've run a lot of open relay testers, and the server
always passes.

neomail is installed - netstat -apn reveals this:

udp        0      0 0.0.0.0:3049            0.0.0.0:*                           2787/

ps 2787 shows [neomail], but I'm not seeing that
behaviour on other raq4s with neomail installed.

chkrootkit does suspect a bindshell on udp3049; not
sure if that's a false positive because of the above.

Anyone have any ideas on how to investigate further
and hopefully close up the hole?


--

Ursula
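A triage script for the pattern described in the post, added here as an example and not code from the original thread: it groups sendmail records by queue ID and reports messages the daemon accepted over SMTP on 127.0.0.1 whose deliveries carry no ctladdr= (sendmail's spelling of the field the post calls ctrladdr=; mail handed to the sendmail binary by a local user logs relay=user@localhost and a ctladdr= on delivery, so no Unix user is recorded for the flagged messages). The sample log is constructed, modelled on the excerpt above with placeholder hosts and addresses.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the excerpt in the post (one syslog record per line).
# h5ONDTN28247 shows the reported pattern (SMTP via loopback, no ctladdr on delivery);
# h5ONE2N28301 is a normal local submission by user alice; h5ONFAN28350 came in over the network.
SAMPLE_LOG = """\
Jun 25 09:13:29 crux sendmail[28247]: h5ONDTN28247: from=<tease4KMo@example.invalid>, size=5398, class=0, nrcpts=1, msgid=<200306242313.h5ONDTN28247@crux.invalid>, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 25 09:13:31 crux sendmail[28249]: h5ONDTN28247: to=<dennis381@example.invalid>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=35398, relay=smtpin.mx.example.invalid. [192.0.2.10], dsn=2.0.0, stat=Sent (Ok: queued as 41D5BFE23)
Jun 25 09:14:02 crux sendmail[28301]: h5ONE2N28301: from=<alice@crux.invalid>, size=812, class=0, nrcpts=1, msgid=<200306242314.h5ONE2N28301@crux.invalid>, relay=alice@localhost
Jun 25 09:14:03 crux sendmail[28303]: h5ONE2N28301: to=<bob@example.invalid>, ctladdr=alice (501/100), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.example.invalid. [192.0.2.20], dsn=2.0.0, stat=Sent
Jun 25 09:15:10 crux sendmail[28350]: h5ONFAN28350: from=<carol@example.invalid>, size=2048, class=0, nrcpts=1, msgid=<x1@example.invalid>, proto=ESMTP, daemon=MTA, relay=mail.example.invalid [198.51.100.5]
"""

RECORD = re.compile(r"^\w{3} +\d+ \S+ \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")

def parse_fields(text):
    """Split 'k=v, k=v, ...' into a dict (values may hold spaces, but not ', ')."""
    fields = {}
    for part in text.split(", "):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def group_by_queue_id(log):
    """Collect the from= record and every to= record for each sendmail queue ID."""
    queues = defaultdict(lambda: {"from": None, "to": []})
    for line in log.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        fields = parse_fields(m.group("fields"))
        if "from" in fields:
            queues[m.group("qid")]["from"] = fields
        elif "to" in fields:
            queues[m.group("qid")]["to"].append(fields)
    return queues

def loopback_submissions_without_ctladdr(log):
    """Queue IDs the daemon accepted over SMTP from 127.0.0.1 with no ctladdr= on
    delivery: a local process spoke SMTP to the listener, so no Unix user is logged."""
    hits = []
    for qid, q in group_by_queue_id(log).items():
        f = q["from"]
        if f is None or f.get("daemon") != "MTA" or not f.get("relay", "").endswith("[127.0.0.1]"):
            continue
        if any("ctladdr" in t for t in q["to"]):
            continue
        hits.append((qid, f["from"], [t["to"] for t in q["to"]]))
    return hits
```

Run it against /var/log/maillog on the affected box; the queue IDs it returns are the ones to correlate by timestamp with process accounting, web server and POP logs to find which local process is speaking SMTP to the loopback listener.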