[ale] Hacked to spam??
Bob Toxen
bob at verysecurelinux.com
Sun Dec 19 19:34:16 EST 2004
186 messages sent is nothing. If you had been "hacked to use as a
spam relay" you'd see 10,000-1,000,000 messages sent. Keep an eye
on the logs (preferably using Logcheck instead of LogWatch), but I
don't see this as evidence of any problems.
Bob Toxen
bob at verysecurelinux.com [Please use for email to me]
http://www.verysecurelinux.com [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
"Microsoft: Unsafe at any clock speed!"
-- Bob Toxen 10/03/2002
On Sat, Dec 18, 2004 at 12:11:44PM -0500, John Mills wrote:
> ALErs -
>
> I found suspicious reports in the last few 'logwatch' reports on my
> RH-7.3 setup. The latest couple say:
>
> =-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-=
> --------------------- sendmail Begin ------------------------
>
> 1011642 bytes transferred
> 186 messages sent
>
> **Unmatched Entries**
>
> iBE2IgI27139: Authentication-Warning: otter.localdomain: jmills owned
> process doing -bs
> iBE2R4927161: Authentication-Warning: otter.localdomain: jmills owned
> process doing -bs
> iBE2UeP27173: Authentication-Warning: otter.localdomain: jmills owned
> process doing -bs
> iBE2Yri27184: Authentication-Warning: otter.localdomain: jmills owned
> process doing -bs
>
>
> ---------------------- sendmail End -------------------------
> ...
> =-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-=
>
> and:
> =-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-=
> ...
> --------------------- sendmail Begin ------------------------
>
> 9038537 bytes transferred
> 390 messages sent
>
> ---------------------- sendmail End -------------------------
> ...
> =-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-=
>
> I've been seeing those "doing -bs" lines since setting up my mail service,
> but I can't account for those massive numbers of messages.
>
> Coincidentally(?), I no longer see those bogus attempts at SSH logins
> from scripts that try all manner of usual accounts and passwords.
>
> I'm running 'sendmail-8.11.6-23.73' from the RH rpms, and use
> 'fetchmail-5.9.0-21.7.3' to collect mail from my ISP's POP server.
>
> What should I look for in /var/log/maillog (or elsewhere) to track this
> down?
>
> TIA.
>
> - John Mills
> john.m.mills at alum.mit.edu
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
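An added example, not from the thread and not Bob's or John's code, of the kind of check John asks about for /var/log/maillog: it parses sendmail-style log lines (the sample lines, host name and local-host list below are constructed assumptions), pairs each queue ID's from= record with its to= deliveries, and flags messages that were submitted from a non-local relay and then delivered outward via esmtp, which is the pattern a box used as a spam relay would leave.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/maillog lines in sendmail 8.11 style (assumption, not from the thread).
SAMPLE_LOG = """\
Dec 18 02:18:42 otter sendmail[27139]: iBE2IgI27139: from=<jmills@otter.localdomain>, size=812, class=0, nrcpts=1, relay=jmills@localhost
Dec 18 02:18:43 otter sendmail[27140]: iBE2IgI27139: to=<friend@example.net>, delay=00:00:01, mailer=esmtp, relay=mx.example.net. [192.0.2.10], stat=Sent (ok)
Dec 18 03:05:10 otter sendmail[27300]: iBE35AQ27300: from=<bulk@example.org>, size=2048, class=0, nrcpts=3, relay=[198.51.100.7]
Dec 18 03:05:11 otter sendmail[27301]: iBE35AQ27300: to=<a@example.com>,<b@example.com>,<c@example.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.com. [192.0.2.20], stat=Sent (ok)
Dec 18 03:07:00 otter sendmail[27310]: iBE370a27310: from=<jmills@otter.localdomain>, size=500, class=0, nrcpts=1, relay=jmills@localhost
Dec 18 03:07:01 otter sendmail[27311]: iBE370a27310: to=<jmills@otter.localdomain>, delay=00:00:01, mailer=local, relay=local, stat=Sent
"""

# syslog prefix, "sendmail[pid]:", queue ID, then the comma-separated key=value fields
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")


def is_local_relay(relay, local_hosts):
    """True if a relay= value ('user@host', 'host. [ip]' or '[ip]') names a host we trust."""
    host = relay.split("@")[-1].split(" ")[0].rstrip(".").strip("[]")
    return host in local_hosts


def find_relayed_messages(log_text, local_hosts=("localhost", "127.0.0.1", "otter.localdomain")):
    """Return queue entries submitted from a non-local relay and delivered out via esmtp."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail queue line (e.g. an Authentication-Warning)
        fields = {}
        # split only on ", " that starts a new key=value, so "to=<a>,<b>" stays whole
        for piece in re.split(r", (?=\w+=)", m.group("rest")):
            key, sep, val = piece.partition("=")
            if sep:
                fields[key] = val
        entry = msgs[m.group("qid")]
        if "from" in fields:  # submission record: who handed us the message
            entry["sender"] = fields["from"]
            entry["submit_relay"] = fields.get("relay", "")
        elif "to" in fields:  # delivery record: one or more recipients
            entry["rcpts"] = entry.get("rcpts", 0) + fields["to"].count("<")
            entry["mailer"] = fields.get("mailer", "")
    findings = []
    for qid, e in msgs.items():
        if e.get("mailer") == "esmtp" and not is_local_relay(e.get("submit_relay", ""), local_hosts):
            findings.append({"qid": qid, "sender": e.get("sender", "?"),
                             "relay": e.get("submit_relay", "?"), "rcpts": e.get("rcpts", 0)})
    return findings
```

Run it against the real maillog by reading the file into `find_relayed_messages`; an empty result means every outbound message was submitted locally, while a long list from one foreign relay is the relay abuse Bob describes.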