
RE: [cobalt-security] Relay Mail Issue



The account used for the spam was an already existing one (thoweb122), using
the original password, even after we had changed this.

This morning it started again. Alex at Cobalt Euro asked me to leave it with
them for a few hours(!)
Their first answer was to disable PROCMAIL, but this would switch off ALL
mail forwarding on every account, not good :(
& I don't fancy migrating 150+ websites and users to a different server just
because of a F##@in hole in the OS

Doing a PS AX, at the bottom of the list is this...

16463  ?  S    0:12 procmail -f wusweek@xxxxxxxxxxxxxxxxxxx -Y -a  -d thoweb122
16468  ?  S    0:12 procmail -f wusweek@xxxxxxxxxxxxxxxxxxx -Y -a  -d thoweb122
16470  ?  S    0:12 procmail -f wusweek@xxxxxxxxxxxxxxxxxxx -Y -a  -d thoweb122
16474  ?  S    0:12 procmail -f wusweek@xxxxxxxxxxxxxxxxxxx -Y -a  -d thoweb122
16690  ?  S N  0:13 procmail -f wusweek@xxxxxxxxxxxxxxxxxxx -Y -a  -d thoweb122
17307  ?  S N  0:13 procmail -f wusweek@xxxxxxxxxxxxxxxxxxx -Y -a  -d thoweb122
17887  ?  S N  0:13 procmail -f wusweek@xxxxxxxxxxxxxxxxxxx -Y -a  -d thoweb122
18428  ?  S N  0:13 procmail -f wusweek@xxxxxxxxxxxxxxxxxxx -Y -a  -d thoweb122

PATCHES ON A POSTCARD - please!


-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Seth Mos
Sent: Monday, August 21, 2000 1:47 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Relay Mail Issue


At 04:30 PM 8/21/00 -0400, you wrote:
> > Information:
> > The user account in question does not have shell access
> > Had never FTP'd into the site
> > The only logon is via POP
> > His SMTP is handled via his own ISP
> > He has no mailing lists (majordomo) running
> > He has no CGI scripts running
> > He does not have mail forwarding enabled
> > No FrontPage Extensions
> > No Server Side Includes
>
>Does the user show up in the GUI admin? If not, it was obviously added
>surreptitiously... otherwise, a hacker could have gotten into the system and
>stolen the account info/changed the password.
>
>I would do a portscan on your system to check for trojans, and advise users
>to change their passwords. Your system might still be compromised.

You could try going into the root of your system and do
find -name "..."

There is an often-used rootkit with this dir in it.
Then again he could have used another or no rootkit at all.

I'm bad at forensics. But be sure to check /tmp for . entries

Reinstall the base-<version>.rpm which includes ls and some other standard
utils.
Reinstall pam and login versions (getty's ??); make sure you install it with:
rpm -ivh --force so as to make sure it overwrites the necessary stuff.

Check your bootscripts for weird entries that do funny stuff (ideal time to
make root shells!)

Most rootkits patch ls w who top uptime netstat ping login mingetty
telnetd? useradd userdel.

Check your /etc/passwd and /etc/shadow for entries with 0 as uid or gid.
check in your paths for entries starting or ending with x

I have experienced a root only once.
Salvage what's left of the system. Wipe the disk clean and start over.
Make sure that the data you salvaged does not contain root shells in some
users home dir.

Bye

--
Seth
"Have you gone mad?"
"Well, yes, but that's beyond the scope of this email."
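The checks Seth suggests (uid/gid 0 accounts other than root, the "..." directory, dot entries in /tmp) and the runaway procmail processes in the ps ax listing, as an added example that is not from the thread: a sh script that runs those checks against constructed sample data. The extra "toor" account, the spammer address and the temp-dir paths are hypothetical stand-ins for /etc/passwd, ps ax output and /tmp.

```shell
#!/bin/sh
# Added example, not code from the thread: defender-side checks mirroring the
# advice above, run over constructed sample data so the script works offline.

# Accounts with uid 0 or gid 0 whose name is not "root" (passwd-format file in $1).
find_extra_uid0() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1"
}

# procmail delivery processes per "-d <user>" in saved `ps ax` output ($1):
# prints "<count> <user>" lines, busiest user first.
procmail_per_user() {
    awk '/procmail/ { for (i = 1; i <= NF; i++) if ($i == "-d") print $(i + 1) }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Directories named "..." anywhere under $1, plus dot-entries directly inside $2 (a /tmp).
find_hidden_entries() {
    find "$1" -name "..." 2>/dev/null
    find "$2" -mindepth 1 -maxdepth 1 -name ".*" 2>/dev/null
}

# --- constructed sample data (hypothetical; stands in for /etc/passwd, ps ax, /tmp) ---
SAMPLE=$(mktemp -d)
SAMPLE_PASSWD="$SAMPLE/passwd"; SAMPLE_PS="$SAMPLE/ps.txt"; SAMPLE_TMP="$SAMPLE/tmp"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
thoweb122:x:1005:1005::/home/sites/thoweb122:/bin/false
toor:x:0:0::/:/bin/sh
EOF
cat > "$SAMPLE_PS" <<'EOF'
  100  ?  S    0:00 /usr/sbin/sendmail -bd -q1h
16463  ?  S    0:12 procmail -f spammer@example.invalid -Y -a  -d thoweb122
16468  ?  S    0:12 procmail -f spammer@example.invalid -Y -a  -d thoweb122
16470  ?  S N  0:13 procmail -f spammer@example.invalid -Y -a  -d thoweb122
16500  ?  S    0:00 procmail -f alice@example.invalid -Y -a  -d alice
EOF
mkdir -p "$SAMPLE_TMP/.hidden" "$SAMPLE/usr/lib/..."
touch "$SAMPLE_TMP/legit.txt"

echo "== uid/gid 0 accounts other than root =="; find_extra_uid0 "$SAMPLE_PASSWD"
echo "== procmail processes per user ==";         procmail_per_user "$SAMPLE_PS"
echo "== suspicious directory entries ==";        find_hidden_entries "$SAMPLE" "$SAMPLE_TMP"
```

On a real box point the functions at /etc/passwd, a saved `ps ax` dump and /tmp; a clean system prints nothing for the first and third checks.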


_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security