Off Topic - Can someone help?

Peter Nitschke email at ace.net.au
Thu Jan 3 04:46:42 GMT 2008


Very wild guess, but they may be exploiting a web server on that PC.

 relay=localhost.localdomain [127.0.0.1]


*********** REPLY SEPARATOR  ***********

On 3/01/2008 at 4:22 AM ajos1 at onion.demon.co.uk wrote:

>-
>
>Off Topic - Can someone help?
>
>I am sending this for 2 reasons:
>
>(1) To let people know there might be something that they need to look out
>for...
>
>(2) I am hoping someone might tell me what I have got wrong with my
>system.
>
>
>I think I have a safe-ish system... (ie) not an open relay and so on...
>but TONIGHT all of a sudden something/someone is "suposably" able to
>relay.
>
>
>Hack example one is:  Sending from: dwkscy at yahoo.com to
>a2234455 at tomail.com.tw
>
>Hack example two is:  Sending from: okorfhzoaiadke at yahoo.com to zillions
>of people !!
>
>I tried telneting from a remote IP... and doing:  mail from: <a at yahoo.com>
> and  rcpt to: <b at tomail.com.tw> .  And my system says that Relaying is
>denied...
>
>As a temporary stop... I have had to put this in my /etc/mail/access file
>
>/etc/mail/access
>================
>To:tomail.com.tw     REJECT
>
>
>###########
>#### Does anyone have a clue how I might be getting hacked???
>###########
>
>
>
>[root at www log]# host -t mx tomail.com.tw
>========================================
>tomail.com.tw mail is handled by 10 localhost.
>
>
>
>[root at www log]# grep -i 005955 maillog
>======================================
>Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955:
>from=<dwkscy at yahoo.com>, size=1658, class=0, nrcpts=1,
>msgid=<MESUDDUFSUEWDFVOVABXGNCN at yahoo.com>, bodytype=8BITMIME, proto=SMTP,
>daemon=MTA, relay=localhost.localdomain [127.0.0.1]
>Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955:
>to=<a2234455 at tomail.com.tw>, delay=00:00:02, mailer=esmtp, pri=31658,
>stat=queued
>Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: SYSERR(root): MX list
>for tomail.com.tw. points back to www.tbshs.herts.sch.uk
>Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955:
>to=<a2234455 at tomail.com.tw>, delay=00:00:05, xdelay=00:00:00,
>mailer=esmtp, pri=121658, relay=tomail.com.tw., dsn=5.3.5, stat=Local
>configuration error
>Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: m031SrMj005963: DSN:
>Local configuration error
>Jan  3 01:29:03 www MailScanner[26370]: Logging message m031SgPv005955 to
>SQL 
>Jan  3 01:29:03 www MailScanner[5971]: m031SgPv005955: Logged to MailWatch
>SQL 
>
>
>
>[root at www log]# grep -i 008581 maillog
>======================================
>Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581:
>from=<okorfhzoaiadke at yahoo.com>, size=6253, class=0, nrcpts=51,
>msgid=<CYSGRANINJSFZUJCWXBWXXN at yahoo.com>, bodytype=8BITMIME, proto=SMTP,
>daemon=MTA, relay=localhost.localdomain [127.0.0.1]
>Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581:
>to=<s6721 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253,
>stat=queued
>Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581:
>to=<siask at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253,
>stat=queued
>Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581:
>to=<yuan0312 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253,
>stat=queued
>Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<acut at mail.com.tw>,
>delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
>Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<dzj at mail.com.tw>,
>delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
>Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581:
>to=<a45211 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253,
>stat=queued
>Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<yshs at mail.com.tw>,
>delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
>Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<jt10 at mail.com.tw>,
>delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
>Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<gl66 at mail.com.tw>,
>delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
>
>==
>=====================================================================
>=
>= "I should have listened to myself earlier..."
>=
>=====================================================================
>=  Need help with: Parking Tickets, Bailiffs, Capita or HertsGrid???
>=  Call...    +44 8457 90 90 90    http://www.samaritans.org/
>=====================================================================
>-- 
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!
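The telling detail in the quoted maillog is `relay=localhost.localdomain [127.0.0.1]`: sendmail accepted both messages from the machine itself, which is why the remote telnet test was correctly refused while the spam still went out, and why Peter's guess points at a local process (such as a web script) submitting mail. The following is an added example, not code from the post or from MailScanner, that parses sendmail log lines of the kind quoted above, groups them by queue id and flags entries that were injected over the loopback interface yet carry an outside sender or outside recipients, plus the "MX list ... points back to" misconfiguration. The sample lines are constructed from the post's excerpt (with the archive's " at " obfuscation restored to "@"); the third message, the 192.0.2.10 relay, the `mail.example.net` host and the choice of `tbshs.herts.sch.uk` as the local domain are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the first two messages copy the queue ids and addresses
# quoted in the post; the third (m031o0Ab008600, relay 192.0.2.10) is invented
# to show a normal inbound message that must NOT be flagged.
SAMPLE_LOG = """\
Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: from=<dwkscy@yahoo.com>, size=1658, class=0, nrcpts=1, msgid=<MESUDDUFSUEWDFVOVABXGNCN@yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: to=<a2234455@tomail.com.tw>, delay=00:00:02, mailer=esmtp, pri=31658, stat=queued
Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: SYSERR(root): MX list for tomail.com.tw. points back to www.tbshs.herts.sch.uk
Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: to=<a2234455@tomail.com.tw>, delay=00:00:05, xdelay=00:00:00, mailer=esmtp, pri=121658, relay=tomail.com.tw., dsn=5.3.5, stat=Local configuration error
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: from=<okorfhzoaiadke@yahoo.com>, size=6253, class=0, nrcpts=51, msgid=<CYSGRANINJSFZUJCWXBWXXN@yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<s6721@mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<siask@mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
Jan  3 01:50:00 www sendmail[8600]: m031o0Ab008600: from=<staff@tbshs.herts.sch.uk>, size=900, class=0, nrcpts=1, msgid=<x@tbshs.herts.sch.uk>, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Jan  3 01:50:00 www sendmail[8600]: m031o0Ab008600: to=<someone@example.org>, delay=00:00:01, mailer=esmtp, pri=30900, stat=Sent
"""

# syslog prefix, then the sendmail queue id, then the key=value remainder
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)
# key=<bracketed value> or key=value-up-to-the-next-comma
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")


def parse_maillog(text):
    """Group sendmail log lines by queue id.

    Returns {qid: {"from", "nrcpts", "relay", "to": [...], "errors": [...]}}.
    The relay recorded is the one from the from= line, i.e. where sendmail
    accepted the message, not where it later tried to deliver it.
    """
    records = defaultdict(lambda: {"from": None, "nrcpts": 0, "relay": "",
                                   "to": [], "errors": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records[m["qid"]]
        rest = m["rest"]
        if rest.startswith("SYSERR"):
            rec["errors"].append(rest)
            continue
        fields = {k: v.strip("<>").strip() for k, v in FIELD_RE.findall(rest)}
        if "from" in fields:
            rec["from"] = fields["from"]
            rec["nrcpts"] = int(fields.get("nrcpts", 0))
            rec["relay"] = fields.get("relay", "")
        elif "to" in fields and fields["to"] not in rec["to"]:
            # delivery retries log the same recipient again; keep it once
            rec["to"].append(fields["to"])
    return dict(records)


def is_loopback(relay):
    """True when sendmail accepted the message from the machine itself."""
    return "[127." in relay or relay.startswith("localhost")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_suspicious(records, local_domains, bulk_threshold=20):
    """Flag queue entries that look like mail injected by a local process.

    local_domains: domains this host legitimately sends for (assumed input).
    """
    local_domains = {d.lower() for d in local_domains}
    findings = []
    for qid, rec in sorted(records.items()):
        reasons = []
        if rec["from"] is not None and is_loopback(rec["relay"]):
            if domain_of(rec["from"]) not in local_domains:
                reasons.append("loopback submission with external sender %s" % rec["from"])
            ext = [a for a in rec["to"] if domain_of(a) not in local_domains]
            if ext:
                reasons.append("loopback submission to %d external recipient(s)" % len(ext))
        if rec["nrcpts"] >= bulk_threshold:
            reasons.append("bulk: nrcpts=%d" % rec["nrcpts"])
        for err in rec["errors"]:
            if "points back to" in err:
                reasons.append("MX for destination points back to this host")
        if reasons:
            findings.append({"qid": qid, "from": rec["from"],
                             "relay": rec["relay"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_maillog(SAMPLE_LOG), ["tbshs.herts.sch.uk"]):
        print(f["qid"], f["relay"], "; ".join(f["reasons"]))
```

Run against a real maillog, both of the post's messages are reported and the inbound one is not. A loopback submission from a yahoo.com sender to off-box recipients is the signature of something on the server handing mail to sendmail directly, so the next place to look is the web server's access log for the same timestamps rather than the SMTP relay rules, which this log shows were never consulted.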



