Off Topic - Can someone help?

Hugo van der Kooij hvdkooij at vanderkooij.org
Thu Jan 3 06:29:25 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ajos1 at onion.demon.co.uk wrote:

> I think I have a safe-ish system... (ie) not an open relay and so on... but TONIGHT all of a sudden something/someone is "suposably" able to relay.

You have been broken into in some manner. Unless you take the system offline
you will be sending spam and will be held accountable.

> Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: from=<dwkscy at yahoo.com>, size=1658, class=0, nrcpts=1, msgid=<MESUDDUFSUEWDFVOVABXGNCN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Your SMTP client lives locally.

> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: from=<okorfhzoaiadke at yahoo.com>, size=6253, class=0, nrcpts=51, msgid=<CYSGRANINJSFZUJCWXBWXXN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

And again.

So you need to take the system offline and start forensics on the unit.
As it is you should not trust ANYTHING on that machine. So anything you
use to investigate needs to be started from a ReadOnly medium and not
the system itself.

I would start with the usual suspects like an SSH break in, ....

Hugo.

- --
hvdkooij at vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHfIDCBvzDRVjxmYERAt5+AJ4o3lMKzJvK9NiklyXEQuGDmE7pxwCgiAAo
zu88W1I9IC4qsfICJENFR6Q=
=JPNK
-----END PGP SIGNATURE-----
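As an added example, not part of Hugo's reply or the original thread, here is a small Python checker that parses sendmail `from=` records like the two quoted above and flags the pattern he is pointing at: an envelope sender at a foreign domain submitted through the loopback relay (`relay=localhost.localdomain [127.0.0.1]`), plus unusually large recipient counts. The sample log lines are constructed, modelled on the quoted ones; the set of local domains and the recipient threshold are assumptions you would replace with your own.

```python
import ipaddress
import re

# Constructed sample lines modelled on the sendmail records quoted in the
# thread. The last two are made up to show a legitimate submission and a
# "to=" delivery record that the parser should ignore.
SAMPLE_LOG = """\
Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: from=<dwkscy@yahoo.com>, size=1658, class=0, nrcpts=1, msgid=<MESUDDUFSUEWDFVOVABXGNCN@yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: from=<okorfhzoaiadke@yahoo.com>, size=6253, class=0, nrcpts=51, msgid=<CYSGRANINJSFZUJCWXBWXXN@yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan  3 02:10:12 www sendmail[9001]: m032ACxy009001: from=<alice@example.org>, size=812, class=0, nrcpts=1, msgid=<20080103021012.GA1@example.org>, proto=ESMTP, daemon=MTA, relay=alice.example.org [192.0.2.10]
Jan  3 02:11:40 www sendmail[9017]: m032BeQ1009017: to=<bob@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.example.net. [198.51.100.5], dsn=2.0.0, stat=Sent
"""

# Matches the fixed prefix of a sendmail "from=" (envelope sender) record;
# everything after the sender is a comma-separated list of key=value fields.
FROM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>, (?P<rest>.*)$"
)


def parse_from_record(line):
    """Return a dict for a sendmail from= record, or None for any other line."""
    m = FROM_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for field in rec.pop("rest").split(", "):
        key, _, value = field.partition("=")
        rec[key] = value
    rec["nrcpts"] = int(rec.get("nrcpts", "0"))
    # relay= is written as "hostname [ip]"; split it so the IP can be tested.
    rm = re.match(r"(\S+) \[([^\]]+)\]", rec.get("relay", ""))
    rec["relay_host"], rec["relay_ip"] = (rm.group(1), rm.group(2)) if rm else (rec.get("relay", ""), "")
    return rec


def is_loopback(ip_text):
    """True for 127.0.0.0/8 or ::1; False for anything unparseable."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def find_suspicious(log_text, local_domains, rcpt_threshold=20):
    """Flag submissions that look like a local process relaying spam.

    local_domains: domains whose envelope senders are expected to originate
    on this host (assumption: you know what those are for your MTA).
    rcpt_threshold: recipient count above which a single message is unusual
    (assumed value; tune to your traffic).
    Returns [(queue_id, sender, [reasons...]), ...] in log order.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_from_record(line)
        if rec is None:
            continue
        reasons = []
        sender_domain = rec["sender"].rpartition("@")[2].lower()
        if is_loopback(rec["relay_ip"]) and sender_domain and sender_domain not in local_domains:
            reasons.append("submitted via loopback with foreign envelope sender %s" % sender_domain)
        if rec["nrcpts"] >= rcpt_threshold:
            reasons.append("%d recipients in one message" % rec["nrcpts"])
        if reasons:
            findings.append((rec["qid"], rec["sender"], reasons))
    return findings


if __name__ == "__main__":
    for qid, sender, reasons in find_suspicious(SAMPLE_LOG, {"example.org"}):
        print(qid, sender, "; ".join(reasons))
```

Run against a real maillog with `find_suspicious(open("/var/log/maillog").read(), {...})` (path assumed) and the queue ids it returns are the ones to chase in the `to=` records and, per Hugo's advice, on a copy of the disk examined from read-only media rather than on the compromised host. Matching on the loopback relay address, rather than on the sender domain alone, is what separates "a local process is injecting mail" from ordinary inbound spam from remote relays.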