
RE: [cobalt-users] odd spamming problem



You also got the Linux virus, dude :(((
I had it too, and most of the /bin files are infected :(

Look in /home/tmp for suspicious files installed by httpd or
something.

DON'T remove them, because there are a lot of virtual links to those
dirs. And when you delete these, shit happens :(

Try to get rid of the virus.
Good luck, but it didn't help me.
A clean start is the best way.

bob

-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of Ursula
Sent: Wednesday 25 June 2003 10:24
To: Cobalt-users
Subject: [cobalt-users] odd spamming problem


this is a raq4, it's got the solarspeed sendmail and
qpop patches installed. 

someone (who needs to be strung up by their more
sensitive parts) has been managing to send spam
through the server, check the log excerpt:

Jun 25 09:13:29 crux sendmail[28247]: h5ONDTN28247: from=<tease4KMo@xxxxxxxxxxxxxx>, size=5398, class=0, nrcpts=1, msgid=<200306242313.h5ONDTN28247@xxxxxxxxxxx>, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 25 09:13:30 crux sendmail[28251]: h5ONDUN28251: from=<tease4r2c@xxxxxxxxxxxxxx>, size=5398, class=0, nrcpts=1, msgid=<200306242313.h5ONDUN28251@xxxxxxxxxxx>, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 25 09:13:31 crux sendmail[28249]: h5ONDTN28247: to=<dennis381@xxxxxxx>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=35398, relay=smtpin.mx.xxx.net. [209.240.213.109], dsn=2.0.0, stat=Sent (Ok: queued as 41D5BFE23)
Jun 25 09:13:35 crux sendmail[28253]: h5ONDUN28251: to=<berati@xxxxxxx>, delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=35398, relay=booster.xxx.hu. [212.75.128.38], dsn=5.1.1, stat=User unknown
Jun 25 09:13:36 crux sendmail[28260]: h5ONDaN28260: from=<teasePcLN@xxxxxxxxxxxxxx>, size=5400, class=0, nrcpts=1, msgid=<200306242313.h5ONDaN28260@xxxxxxxxxxx>, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 25 09:13:36 crux sendmail[28262]: h5ONDaN28260: to=<george.jones@xxxxxxx>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=35400, relay=mail.xxx.net. [205.173.230.2], dsn=4.0.0, stat=Deferred: Connection refused by mail.tins.net.

What I can't understand about this is that there's no
ctladdr= and the relay is just localhost (not nobody@localhost or
httpd@localhost, as you'd expect if it came through a bad script). Apart
from the actual emails being sent, I can't see anything suspicious in
the other logs.

I've removed all the trusted users so the actual
username will get logged as the sender, but there
doesn't seem to be any user at all associated with
those emails.

I've run a lot of open relay testers, and the server
always passes.

neomail is installed - netstat -apn reveals this:

udp        0      0 0.0.0.0:3049            0.0.0.0:*                          2787/

ps 2787 shows [neomail], but I'm not seeing that
behaviour on other raq4s with neomail installed.

chkrootkit does suspect a bindshell on udp3049 - not
sure if that's a false positive because of the above.

Anyone have any ideas on how to investigate further
and hopefully close up the hole?


--

Ursula

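An added example (mine, not code from either poster or from the Cobalt list) that does the triage Ursula describes by hand over the log excerpt above: it groups sendmail's from= and to= records by queue ID (the to= record is written by a different child PID, so the PID is useless for correlation) and separates messages that were handed to the sendmail binary by a local user or script, which carry relay=user@localhost on the from= line and ctladdr= on the to= line, from messages injected over SMTP to 127.0.0.1 with no user attached, which is exactly the pattern in her excerpt and the reason removing trusted users changed nothing. The six log lines are the ones from the post, reassembled one entry per line; the two trailing CGI-style lines and the example.com addresses are constructed for contrast. Field names are sendmail's own.

```python
import re
from collections import OrderedDict

# Sendmail log excerpt from the original post, reassembled one entry per line
# (the list archive had run several entries together).  Domains were masked
# with x's by the poster.  The last two lines are CONSTRUCTED for contrast:
# they show what a message handed to /usr/sbin/sendmail by a CGI running as
# "nobody" looks like (relay=nobody@localhost on the from= line, ctladdr= on
# the to= line), the pattern the poster expected and did not see.
SAMPLE_LOG = """\
Jun 25 09:13:29 crux sendmail[28247]: h5ONDTN28247: from=<tease4KMo@xxxxxxxxxxxxxx>, size=5398, class=0, nrcpts=1, msgid=<200306242313.h5ONDTN28247@xxxxxxxxxxx>, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 25 09:13:30 crux sendmail[28251]: h5ONDUN28251: from=<tease4r2c@xxxxxxxxxxxxxx>, size=5398, class=0, nrcpts=1, msgid=<200306242313.h5ONDUN28251@xxxxxxxxxxx>, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 25 09:13:31 crux sendmail[28249]: h5ONDTN28247: to=<dennis381@xxxxxxx>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=35398, relay=smtpin.mx.xxx.net. [209.240.213.109], dsn=2.0.0, stat=Sent (Ok: queued as 41D5BFE23)
Jun 25 09:13:35 crux sendmail[28253]: h5ONDUN28251: to=<berati@xxxxxxx>, delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=35398, relay=booster.xxx.hu. [212.75.128.38], dsn=5.1.1, stat=User unknown
Jun 25 09:13:36 crux sendmail[28260]: h5ONDaN28260: from=<teasePcLN@xxxxxxxxxxxxxx>, size=5400, class=0, nrcpts=1, msgid=<200306242313.h5ONDaN28260@xxxxxxxxxxx>, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 25 09:13:36 crux sendmail[28262]: h5ONDaN28260: to=<george.jones@xxxxxxx>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=35400, relay=mail.xxx.net. [205.173.230.2], dsn=4.0.0, stat=Deferred: Connection refused by mail.tins.net.
Jun 25 09:20:01 crux sendmail[28300]: h5ONK1N28300: from=nobody, size=612, class=0, nrcpts=1, msgid=<200306242320.h5ONK1N28300@xxxxxxxxxxx>, relay=nobody@localhost
Jun 25 09:20:02 crux sendmail[28302]: h5ONK1N28300: to=<someone@example.com>, ctladdr=nobody (99/99), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30612, relay=mail.example.com. [192.0.2.25], dsn=2.0.0, stat=Sent (OK)
"""

# syslog prefix, then sendmail's "qid: key=value, key=value, ..." body
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)


def parse_fields(rest):
    """Split 'k=v, k=v, ..., stat=free text' into a dict.  stat= is always
    the last field and may contain spaces, colons and parentheses, so it is
    cut off first and only the remainder is split on ', '."""
    fields = {}
    stat_at = rest.find("stat=")
    if stat_at != -1:
        fields["stat"] = rest[stat_at + len("stat="):].strip()
        rest = rest[:stat_at].rstrip(", ")
    for token in rest.split(", "):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_log(text):
    """Group records by queue ID (NOT by pid: the to= record is logged by
    the delivering child, which has a different pid than the receiver).
    Returns qid -> {"env": from-line fields, "deliveries": [to-line fields]}."""
    messages = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = parse_fields(m.group("rest"))
        msg = messages.setdefault(m.group("qid"), {"env": {}, "deliveries": []})
        if "from" in fields:
            msg["env"] = fields
        elif "to" in fields:
            msg["deliveries"].append(fields)
    return messages


def submission_path(msg):
    """Classify how a message entered sendmail.
    local-submit : handed to the sendmail binary; relay=user@localhost and
                   ctladdr=user (uid/gid) identify the Unix user (cron, CGI,
                   shell users - this is where trusted-users changes show up).
    loopback-smtp: a process on the box opened a TCP session to 127.0.0.1:25;
                   sendmail only knows the peer address, so no user is logged.
    remote-smtp  : an outside host connected to the MTA."""
    env = msg["env"]
    relay = env.get("relay", "")
    ctladdr = next((d["ctladdr"] for d in msg["deliveries"] if "ctladdr" in d), None)
    if "@localhost" in relay or ctladdr:
        user = ctladdr.split(" ")[0] if ctladdr else relay.split("@")[0]
        return "local-submit", user
    if env.get("proto") == "SMTP" and relay.startswith("localhost"):
        return "loopback-smtp", None
    return "remote-smtp", relay


def unattributed_loopback(messages):
    """Queue IDs injected over SMTP from 127.0.0.1 with no user recorded:
    the set that points at a local process speaking SMTP rather than a
    script piping to /usr/sbin/sendmail."""
    return [qid for qid, msg in messages.items()
            if submission_path(msg)[0] == "loopback-smtp"]


def report(messages):
    """One tuple per delivery attempt: qid, path, user, sender, rcpt, dsn, stat."""
    rows = []
    for qid, msg in messages.items():
        path, who = submission_path(msg)
        env = msg["env"]
        for d in msg["deliveries"] or [{}]:
            rows.append((qid, path, who or "-", env.get("from", "?"),
                         d.get("to", "?"), d.get("dsn", "?"), d.get("stat", "?")))
    return rows


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for row in report(msgs):
        print("  ".join(row))
    print("unattributed loopback submissions:", unattributed_loopback(msgs))
```

On a live box this would be fed `/var/log/maillog` instead of the embedded excerpt; the loopback-smtp queue IDs are the ones to line up by timestamp against process accounting, `lsof -i tcp:25` or a `netstat -apn` snapshot, since the log itself cannot name the submitting process.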