My FC3 machine appears to be compromised, please help

Bob Brennan rbrennan96 at gmail.com
Thu Apr 6 12:24:23 UTC 2006


On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
> Bob Brennan wrote:
> > On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
> >> Bob Brennan wrote:
> >>> Hello,
> >>>
> >>> I have an FC3 machine that has been running about a dozen websites and
> >>> 3 dozen mail accounts reliably for more than a year, I stopped
> >>> updating about 6 months ago so the versions might be a bit stale but I
> >>> would prefer to fix my immediate problem(s) rather than update and
> >>> cause new ones. The software I am using that is in question, I
> >>> believe, is Sendmail, Dovecot, Procmail, ClamAV, SpamAssassin, and
> >>> Squirrelmail.
> >>>
> >>> The problem - email into my personal account "bob" @ many different
> >>> domains seems to have stopped a few hours ago with the message
> >>> "Technical details of permanent failure:
> >>> PERM_FAILURE: SMTP Error (state 9): 550 5.7.1 <bob at domain>... Relaying
> >>> denied. Proper authentication required."
> >>>
> >>> The log file says -
> >>> Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580:
> >>> ruleset=check_rcpt, arg1=bob at domain.xxx, relay=zproxy.gmail.com
> >>> [64.233.162.192], reject=550 5.7.1 bob at domain.xxx... Relaying denied.
> >>> Proper authentication required.
> >>> Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580:
> >>> from=<rbrennan96 at gmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
> >>> daemon=MTA, relay=zproxy.gmail.com [64.233.162.192]
> >>>
> >>> And there are suspicious emails queued in Sendmail such as:
> >>> Thu, 6 Apr 2006 10:17:15 "Bob Brennan"
> >>> <bob at wc.funnel.revenuedirect.com.akadns.net>bob at wc.funnel.revenuedirect.com.akadns.net1
> >>> kBDeferred: Connection timed out with
> >>> wc.funnel.revenuedirect.com.akadns.net.
> >>>
> >>> The obvious clue for me is the
> >>> "wc.funnel.revenuedirect.com.akadns.net" that appears to be the
> >>> culprit, but it has been too long ago that I considered myself a Linux
> >>> expert to remember where to start on this type of thing. Wiping the
> >>> machine and starting over is not a good option, and yes I had rsynced
> >>> everything important to an FC4 machine only hours before this
> >>> happened.
> >>>
> >>> Any clues as to where to start looking please?
> >> Your sendmail configuration. It doesn't appear to recognize domain.xxx
> >> as a domain it should be accepting mail for. Check
> >> /etc/mail/local-host-names.
> >>
> >> Paul.
> >>
> >> --
> >> fedora-list mailing list
> >> fedora-list at redhat.com
> >> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> >>
> >
> > All entries in
> > /etc/mail/local-host-names
> > /etc/mail/virtusertable
> > /etc/aliases
> > are untouched and identical to the backed up files. The rejected mail
> > has valid entries in all of those files.
> >
> > Here's a curious clue though, I have an automated php file that sends
> > an email to family members when an internal mail system has a message
> > for them from another family member. The php line reads
> > "$headers = 'From: "theFamily.net" <Message-System at theFamily.net>'."\r\n".
> > yet the message is going out as
> > "theFamily.net" <Message-System at wc.funnel.revenuedirect.com.akadns.net>
> > ??
> >
> > This is using php4 but somewhere Sendmail is changing the @domain in
> > both the From and To fields(?). The delivery to Sendmail is through
> > the php command
> > mail($to, $subject, $msg, $headers);
> >
> > Both problems started happening at the same time - somehow, somewhere,
> > Sendmail thinks my machine domain is
> > "wc.funnel.revenuedirect.com.akadns.net" it seems? I have searched
> > sendmail.cf and sendmail.mc and neither contain that name or have been
> > modified.
>
> Somebody has probably changed a DNS entry for theFamily.net so that
> instead of or as well as A/MX records, there's a:
>
> theFamily.net. CNAME wc.funnel.revenuedirect.com.akadns.net.
>
> record. Sendmail properly rewrites addresses for @theFamily.net to
> @wc.funnel.revenuedirect.com.akadns.net during the address
> canonicalisation stage in this case.
>
> Paul.

All of my DNS entries for all of my domains are managed at
mydomain.com (literally) and I have checked that everything on their
DNS server is correct and there are no canonical entries. The refused
email is being delivered correctly to my own server, so their DNS
records must be correct.

However it is within my own server that things are going wrong. I do
not have an active DNS server but use the "hosts" file instead. The
hosts file is accurate and unchanged.

As I said earlier I searched all files in /etc/ for any entries that
might rewrite anything to or even contain the words
wc.funnel.revenuedirect.com.akadns.net and found nothing.

Is there any other information I can give or look for that might help
narrow this down? Or tests I can do? Or clever magical incantation
command lines I can try?

bob
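Paul's explanation above (a CNAME on the domain making sendmail rewrite the address during canonicalisation, after which the recipient domain no longer looks local) can be checked mechanically. The following is an added example, not code from the thread or from sendmail: it simulates the CNAME-following step over a constructed record table (the hostnames are reused from the thread as sample data only; `find_hijacked` and `RECORDS` are names I made up) and flags any domain in local-host-names whose canonical name lands outside the domains you own.

```python
# Added example: simulate sendmail's CNAME canonicalisation and spot domains
# whose canonical name has left your control. RECORDS is a constructed table;
# a real check would query the resolver (e.g. `dig +short CNAME theFamily.net`).
from typing import Dict, List, Tuple

RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "thefamily.net.": [("CNAME", "wc.funnel.revenuedirect.com.akadns.net.")],
    "wc.funnel.revenuedirect.com.akadns.net.": [("A", "192.0.2.10")],
    "domain.xxx.": [("A", "192.0.2.20"), ("MX", "mail.domain.xxx.")],
    "mail.domain.xxx.": [("A", "192.0.2.20")],
}

def _fqdn(name: str) -> str:
    """Normalise to lower-case with a trailing dot, as DNS names compare."""
    n = name.lower()
    return n if n.endswith(".") else n + "."

def canonicalise(domain: str, records=RECORDS, max_hops: int = 8) -> str:
    """Follow CNAME records until an owner name with no CNAME is reached.
    Chains are capped and loops refused so a hostile zone cannot hang us."""
    cur = _fqdn(domain)
    seen = set()
    while len(seen) < max_hops:
        if cur in seen:
            raise ValueError(f"CNAME loop at {cur}")
        seen.add(cur)
        cnames = [t for (rtype, t) in records.get(cur, []) if rtype == "CNAME"]
        if not cnames:
            return cur.rstrip(".")
        cur = _fqdn(cnames[0])
    raise ValueError(f"CNAME chain longer than {max_hops} hops for {domain}")

def rewrite_address(addr: str, records=RECORDS) -> str:
    """user@domain -> user@<canonical domain>, the rewrite seen in the thread."""
    local, _, dom = addr.rpartition("@")
    return f"{local}@{canonicalise(dom, records)}"

def find_hijacked(local_host_names: List[str], records=RECORDS) -> List[Tuple[str, str]]:
    """Return (domain, canonical) pairs where canonicalisation leaves the set
    of domains in local-host-names; mail for those is what sendmail would
    reject as 'Relaying denied' because the rewritten domain is not local."""
    owned = {_fqdn(d) for d in local_host_names}
    hits = []
    for d in local_host_names:
        canon = canonicalise(d, records)
        if _fqdn(canon) not in owned:
            hits.append((d, canon))
    return hits
```

Feeding the output of `dig` for each domain in /etc/mail/local-host-names into the same table gives the live version of this check.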



