Been blacklisted >_< Was: Re:Is this spam coming from inside my network?

Vlad shiwan-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Feb 14 00:59:22 UTC 2006


        All right, let's see what we can do...

        (As a preamble, apologies if some of these steps have already
been suggested in previous threads; I'm just jumping in now.)

* Run something like chkrootkit, although I doubt it'll detect
  anything - but you never know when people will be sloppy.
* If at all possible, reboot the server. I recommend
  re-installing the same kernel before you reboot, too.
* Check /etc/passwd for discrepancies, such as another user having UID 0.
* Check /etc/shadow for discrepancies, such as an account having
  a password that shouldn't have one.

        From the
it's-a-little-late-but-could-be-entertaining-if-you-have-the-spare-time
department:
* Try rolling out host-based IDS, like TripWire, perhaps? It's a
  little late, but it could point out weirdness, or intrusions.
* Try rolling out network-based IDS in front of the server?
* Try setting the firewall(s) in front of the server to log all.
  If anything is allowed outbound, you'll need to set up a `permit ip
  any any log`-style ACL and watch for oddities.

        Of course, the only sage advice here is "wipe, reinstall,
patch up to latest, restore 'clean' backups".

        Hope this helps, and earns you some good overtime. ;)


        Cheers,

        -- Vlad

On 2/13/06, Madison Kelly <linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org> wrote:
> Madison Kelly wrote:
> > Jason Shein wrote:
> >> On Monday 13 February 2006 14:04, Madison Kelly wrote:
> >>> How could I check to see if I am an open relay?
> >>
> >> These will work.
> >>
> >> http://members.iinet.net.au/~remmie/relay/
> >> http://www.globedom.com/cgi-bin/relay
> >
> >   Thanks for the links! My server passed (not open).
> >
> >   Since then I've been digging through my logs and found this in
> > '/var/log/messages'
> >
> > Feb 12 05:01:01 srv01 crond(pam_unix)[2456]: session opened for user
> > root by (uid=0)
> > Feb 12 05:01:01 srv01 crond(pam_unix)[2456]: session closed for user root
> >
> >   Which is just seconds before the first spam from my 'apache' user was
> > sent. From '/var/log/maillog':
> >
> > Feb 12 05:01:15 srv01 sendmail[2445]: k186LxI0005105:
> > to=<mdenika-5SK1gwG8BQs at public.gmane.org>, ctladdr=<apache-RdzIV7WH+z2kJxZZvsxEJOqUGfbH9hYC at public.gmane.org> (48/48),
> > delay=4+03:39:16, xdelay=00:02:00, mailer=esmtp, pri=11822817,
> > relay=qaol.com. [38.119.83.27], dsn=4.0.0, stat=Deferred: Connection
> > timed out with qaol.com.
> >
> >   So it looks like something connected for less than a second and then
> > somehow started the flood. I've tried upgrading to Apache 2.0.54 and I
> > (re)set the user password for 'apache' but the mail is still being sent.
> > Needless to say, I am starting to get desperate!
> >
> > Madison
>
> For what it's worth, the site in all the spam being sent from my domain
> points to 'http://dy-yellow.com'. Anyone else been hit by them?
>
> Arsehats.
>
> Madison
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>            Madison Kelly (Digimer)
>     TLE-BU; The Linux Experience, Back Up
> Main Project Page:  http://tle-bu.org
> Community Forum:    http://forum.tle-bu.org
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> --
> The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
>
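The /etc/passwd and /etc/shadow checks from Vlad's list above, as an added example that is not part of the original thread: three small awk filters, run here over constructed sample files (the usernames and hashes are made up) so it can be tried offline. Point PASSWD_FILE and SHADOW_FILE at the real files on the suspect host (reading /etc/shadow needs root).

```shell
# Constructed sample files standing in for /etc/passwd and /etc/shadow;
# set PASSWD_FILE/SHADOW_FILE to the real paths on a suspect host (root needed).
PASSWD_FILE="${PASSWD_FILE:-/tmp/passwd.sample}"
SHADOW_FILE="${SHADOW_FILE:-/tmp/shadow.sample}"

cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
backup:x:0:0:backup:/root:/bin/bash
guest:x:501:501:Guest:/home/guest:/bin/bash
madison:x:500:500:Madison:/home/madison:/bin/bash
EOF
cat > "$SHADOW_FILE" <<'EOF'
root:$1$constructed$AAAAAAAAAAAAAAAAAAAAAA:13192:0:99999:7:::
apache:$1$constructed$BBBBBBBBBBBBBBBBBBBBBB:13192:0:99999:7:::
sshd:!!:13192:0:99999:7:::
backup:$1$constructed$AAAAAAAAAAAAAAAAAAAAAA:13192:0:99999:7:::
guest::13192:0:99999:7:::
madison:$1$constructed$CCCCCCCCCCCCCCCCCCCCCC:13192:0:99999:7:::
EOF

# Any account other than root with UID 0 is a second root and needs explaining.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# An empty second field in shadow means the account has no password at all.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with a non-login shell (nologin/false) should be locked in shadow
# ("!", "!!" or "*"); a real hash on such an account is a discrepancy.
# awk reads the shadow file first (NR == FNR) to map user -> hash, then passwd.
service_accounts_with_password() {
    awk -F: 'NR == FNR { hash[$1] = $2; next }
             $7 ~ /(nologin|false)$/ && hash[$1] != "" && hash[$1] !~ /^[!*]/ { print $1 }' \
        "$2" "$1"
}

echo "extra UID 0 accounts:        $(extra_uid0_accounts "$PASSWD_FILE")"
echo "passwordless accounts:       $(passwordless_accounts "$SHADOW_FILE")"
echo "service accounts with hash:  $(service_accounts_with_password "$PASSWD_FILE" "$SHADOW_FILE")"
```

On a real host, compare the output against a known-good copy of both files (or a package manifest) rather than trusting the live files alone, since an intruder with root can edit them.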