My FC3 machine appears to be compromised, please help

Bob Brennan rbrennan96 at gmail.com
Thu Apr 6 11:14:28 UTC 2006


On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
> Bob Brennan wrote:
> > Hello,
> >
> > I have an FC3 machine that has been running about a dozen websites and
> > 3 dozen mail accounts reliably for more than a year, I stopped
> > updating about 6 months ago so the versions might be a bit stale but I
> > would prefer to fix my immediate problem(s) rather than update and
> > cause new ones. The software I am using that is in question, I
> > believe, is Sendmail, Dovecot, Procmail, ClamAV, SpamAssassin, and
> > Squirrelmail.
> >
> > The problem - email into my personal account "bob" @ many different
> > domains seems to have stopped a few hours ago with the message
> > "Technical details of permanent failure:
> > PERM_FAILURE: SMTP Error (state 9): 550 5.7.1 <bob at domain>... Relaying
> > denied. Proper authentication required."
> >
> > The log file says -
> > Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580:
> > ruleset=check_rcpt, arg1=bob at domain.xxx, relay=zproxy.gmail.com
> > [64.233.162.192], reject=550 5.7.1 bob at domain.xxx... Relaying denied.
> > Proper authentication required.
> > Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580:
> > from=<rbrennan96 at gmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
> > daemon=MTA, relay=zproxy.gmail.com [64.233.162.192]
> >
> > And there are suspicious emails queued in Sendmail such as:
> > Thu, 6 Apr 2006 10:17:15 "Bob Brennan" <bob at wc.funnel.revenuedirect.com.akadns.net>
> >   bob at wc.funnel.revenuedirect.com.akadns.net   1 kB
> >   Deferred: Connection timed out with wc.funnel.revenuedirect.com.akadns.net.
> >
> > The obvious clue for me is the
> > "wc.funnel.revenuedirect.com.akadns.net" that appears to be the
> > culprit, but it has been too long ago that I considered myself a Linux
> > expert to remember where to start on this type of thing. Wiping the
> > machine and starting over is not a good option, and yes I had rsynced
> > everything important to an FC4 machine only hours before this
> > happened.
> >
> > Any clues as to where to start looking please?
>
> Your sendmail configuration. It doesn't appear to recognize domain.xxx
> as a domain it should be accepting mail for. Check
> /etc/mail/local-host-names.
>
> Paul.
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>

All entries in
/etc/mail/local-host-names
/etc/mail/virtusertable
/etc/aliases
are untouched and identical to the backed up files. The rejected mail
has valid entries in all of those files.

Here's a curious clue, though: I have an automated php file that sends
an email to family members when an internal mail system has a message
for them from another family member. The php line reads
$headers = 'From: "theFamily.net" <Message-System at theFamily.net>' . "\r\n";
yet the message is going out as
"theFamily.net" <Message-System at wc.funnel.revenuedirect.com.akadns.net>
??

This is using php4, but somewhere Sendmail is changing the @domain in
both the From and To fields (?). The delivery to Sendmail is through
the php command
mail($to, $subject, $msg, $headers);

Both problems started happening at the same time - somehow, somewhere,
Sendmail thinks my machine domain is
"wc.funnel.revenuedirect.com.akadns.net" it seems? I have searched
sendmail.cf and sendmail.mc and neither contains that name or has been
modified.

bob
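The two diagnoses in this thread (Paul's "domain.xxx is not in local-host-names" and Bob's "Sendmail thinks the machine is wc.funnel.revenuedirect.com.akadns.net") lead to different fixes, and a maillog full of check_rcpt rejections does not by itself say which one applies. The script below is an added example, not something either poster wrote or ran: it pulls the recipient domains that sendmail rejected with "Relaying denied" out of maillog-style lines and checks each against the contents of local-host-names. A domain that is missing points at the configuration fix; a domain that is already listed yet still rejected points elsewhere (hostname resolution is the first place to look). The log lines and the local-host-names stand-in are constructed for the example, modelled on the ones quoted above, with placeholder domains.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check "Relaying denied" rejections
# in sendmail maillog output against the domains listed in local-host-names.

# Constructed sample log lines modelled on the ones quoted in the thread.
# Domains, addresses and hosts are placeholders.
SAMPLE_LOG='Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580: ruleset=check_rcpt, arg1=bob@domain.xxx, relay=zproxy.gmail.com [64.233.162.192], reject=550 5.7.1 bob@domain.xxx... Relaying denied. Proper authentication required.
Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580: from=<rbrennan96@gmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=zproxy.gmail.com [64.233.162.192]
Apr  6 11:06:10 myserver sendmail[5590]: k36A6AFQ005590: ruleset=check_rcpt, arg1=alice@other.example, relay=mx.example.net [192.0.2.10], reject=550 5.7.1 alice@other.example... Relaying denied. Proper authentication required.
Apr  6 11:07:00 myserver sendmail[5601]: k36A70FQ005601: from=<carol@elsewhere.example>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.elsewhere.example [198.51.100.7]'

# Constructed stand-in for the contents of /etc/mail/local-host-names.
SAMPLE_LHN='domain.xxx
thefamily.example'

# rejected_domains LOGTEXT
#   Prints the unique recipient domains (lower-cased) that check_rcpt rejected
#   with 550 5.7.1 "Relaying denied".
rejected_domains() {
    printf '%s\n' "$1" \
      | grep 'reject=550 5.7.1' | grep 'Relaying denied' \
      | sed -n 's/.*arg1=[^@]*@\([^,]*\),.*/\1/p' \
      | tr 'A-Z' 'a-z' | sort -u
}

# classify_rejects LOGTEXT LHNTEXT
#   One line per rejected domain:
#     "<domain> missing" : not in local-host-names, so sendmail correctly
#                          refuses to relay for it; add it (Paul's diagnosis).
#     "<domain> listed"  : already listed yet still rejected; the missing-entry
#                          theory does not explain it, so check what hostname
#                          sendmail resolves for itself instead.
classify_rejects() {
    log="$1"; lhn="$2"
    for d in $(rejected_domains "$log"); do
        if printf '%s\n' "$lhn" | tr 'A-Z' 'a-z' | grep -qxF "$d"; then
            echo "$d listed"
        else
            echo "$d missing"
        fi
    done
}

# On a live system the same check would read the real files:
#   classify_rejects "$(cat /var/log/maillog)" "$(cat /etc/mail/local-host-names)"
classify_rejects "$SAMPLE_LOG" "$SAMPLE_LHN"
```

With the constructed input this reports `domain.xxx listed` and `other.example missing`. The "listed" case is the one Bob describes: the entry is present and unchanged, so the next thing to confirm on the host is the canonical hostname sendmail derives for itself (the `$j` macro, visible in sendmail's address-test mode, `sendmail -bt`), since that is resolved from the system hostname and /etc/hosts or DNS rather than read from sendmail.cf, which is why searching the .cf and .mc files for the bogus name turns up nothing.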