My FC3 machine appears to be compromised, please help

Rudolf Kastl che666 at gmail.com
Thu Apr 6 12:28:53 UTC 2006


2006/4/6, Bob Brennan <rbrennan96 at gmail.com>:
> On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
> > Bob Brennan wrote:
> > > On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
> > >> Bob Brennan wrote:
> > >>> Hello,
> > >>>
> > >>> I have an FC3 machine that has been running about a dozen websites and
> > >>> 3 dozen mail accounts reliably for more than a year, I stopped
> > >>> updating about 6 months ago so the versions might be a bit stale but I
> > >>> would prefer to fix my immediate problem(s) rather than update and
> > >>> cause new ones. The software I am using that is in question, I
> > >>> believe, is Sendmail, Dovecot, Procmail, ClamAV, SpamAssassin, and
> > >>> Squirrelmail.
> > >>>
> > >>> The problem - email into my personal account "bob" @ many different
> > >>> domains seems to have stopped a few hours ago with the message
> > >>> "Technical details of permanent failure:
> > >>> PERM_FAILURE: SMTP Error (state 9): 550 5.7.1 <bob at domain>... Relaying
> > >>> denied. Proper authentication required."
> > >>>
> > >>> The log file says -
> > >>> Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580:
> > >>> ruleset=check_rcpt, arg1=bob at domain.xxx, relay=zproxy.gmail.com
> > >>> [64.233.162.192], reject=550 5.7.1 bob at domain.xxx... Relaying denied.
> > >>> Proper authentication required.
> > >>> Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580:
> > >>> from=<rbrennan96 at gmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
> > >>> daemon=MTA, relay=zproxy.gmail.com [64.233.162.192]
> > >>>
> > >>> And there are suspicious emails queued in Sendmail such as:
> > >>> Thu, 6 Apr 2006 10:17:15 "Bob Brennan"
> > >>> <bob at wc.funnel.revenuedirect.com.akadns.net>bob at wc.funnel.revenuedirect.com.akadns.net1
> > >>> kBDeferred: Connection timed out with
> > >>> wc.funnel.revenuedirect.com.akadns.net.
> > >>>
> > >>> The obvious clue for me is the
> > >>> "wc.funnel.revenuedirect.com.akadns.net" that appears to be the
> > >>> culprit, but it has been too long ago that I considered myself a Linux
> > >>> expert to remember where to start on this type of thing. Wiping the
> > >>> machine and starting over is not a good option, and yes I had rsynced
> > >>> everything important to an FC4 machine only hours before this
> > >>> happened.
> > >>>
> > >>> Any clues as to where to start looking please?
> > >> Your sendmail configuration. It doesn't appear to recognize domain.xxx
> > >> as a domain it should be accepting mail for. Check
> > >> /etc/mail/local-host-names.
> > >>
> > >> Paul.
> > >>
> > >> --
> > >> fedora-list mailing list
> > >> fedora-list at redhat.com
> > >> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> > >>
> > >
> > > All entries in
> > > /etc/mail/local-host-names
> > > /etc/mail/virtusertable
> > > /etc/aliases
> > > are untouched and identical to the backed up files. The rejected mail
> > > has valid entries in all of those files.
> > >
> > > Here's a curious clue though, I have an automated php file that sends
> > > an email to family members when an internal mail system has a message
> > > for them from another family member. The php line reads
> > > "$headers = 'From: "theFamily.net" <Message-System at theFamily.net>'."\r\n".
> > > yet the message is going out as
> > > "theFamily.net" <Message-System at wc.funnel.revenuedirect.com.akadns.net>
> > > ??
> > >
> > > This is using php4 but somewhere Sendmail is changing the @domain in
> > > both the From and To fields(?). The delivery to Sendmail is through
> > > the php command
> > > mail($to, $subject, $msg, $headers);
> > >
> > > Both problems started happening at the same time - somehow, somewhere,
> > > Sendmail thinks my machine domain is
> > > "wc.funnel.revenuedirect.com.akadns.net" it seems? I have searched
> > > sendmail.cf and sendmail.mc and neither contain that name or have been
> > > modified.
> >
> > Somebody has probably changed a DNS entry for theFamily.net so that
> > instead of or as well as A/MX records, there's a:
> >
> > theFamily.net. CNAME wc.funnel.revenuedirect.com.akadns.net.
> >
> > record. Sendmail properly rewrites addresses for @theFamily.net to
> > @wc.funnel.revenuedirect.com.akadns.net during the address
> > canonicalisation stage in this case.
> >
> > Paul.
>
> All of my DNS entries for all of my domains are managed at
> mydomain.com (literally) and I have checked that everything on their
> DNS server is correct and there are no canonical entries. The refused
> email is being delivered correctly to my own server, so their DNS
> records must be correct.
>
> However it is within my own server that things are going wrong. I do
> not have an active DNS server but use the "hosts" file instead. The
> hosts file is accurate and unchanged.
>
> As I said earlier I searched all files in /etc/ for any entries that
> might rewrite anything to or even contain the words
> wc.funnel.revenuedirect.com.akadns.net and found nothing.
>
> Is there any other information I can give or look for that might help
> narrow this down? Or tests I can do? Or clever magical incantation
> command lines I can try?
>
> bob
>
>


not updating can introduce new security problems.

regards,
Rudolf Kastl
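Paul's point in the quoted thread is that sendmail canonifies the domain part of an address through DNS, so a CNAME pointing theFamily.net at a foreign host rewrites every @theFamily.net address. The following script is an added example, not code from the thread: it parses `dig +noall +answer`-style lines (constructed sample data here, with the hypothetical bad CNAME), follows the CNAME chain the way sendmail's `$[ name $]` lookup does, and flags mail domains whose canonical name lands outside the zones you administer. Run it against whatever resolver the mail server itself uses.

```python
"""Added example: model sendmail's address canonification to show how a
hijacked CNAME rewrites @theFamily.net addresses. Input lines follow the
shape of `dig +noall +answer`; the records below are constructed samples."""
import re

# Constructed answers; the CNAME line is the hypothetical record Paul describes.
SAMPLE_ANSWERS = """
theFamily.net.      300 IN CNAME wc.funnel.revenuedirect.com.akadns.net.
wc.funnel.revenuedirect.com.akadns.net. 60 IN A 192.0.2.10
mydomain.example.   300 IN A 192.0.2.20
"""
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|MX)\s+(.+)$")


def parse_answers(text):
    """Return {owner: [(rtype, rdata), ...]}; names lower-cased, trailing dot dropped."""
    records = {}
    for line in text.strip().splitlines():
        m = ANSWER_RE.match(line.strip())
        if not m:
            continue  # skip comments, blank lines, unsupported record types
        owner = m.group(1).lower().rstrip(".")
        records.setdefault(owner, []).append((m.group(2), m.group(3).strip()))
    return records


def canonify(name, records, max_hops=8):
    """Follow CNAMEs like sendmail's $[ name $] lookup; bounded to catch loops."""
    current = name.lower().rstrip(".")
    for _ in range(max_hops):
        cnames = [rd for rt, rd in records.get(current, []) if rt == "CNAME"]
        if not cnames:
            return current
        current = cnames[0].lower().rstrip(".")
    raise ValueError("CNAME chain too long or looping at %s" % current)


def rewrite_address(addr, records):
    """What sendmail would turn user@domain into during canonification."""
    user, _, domain = addr.rpartition("@")
    return "%s@%s" % (user, canonify(domain, records))


def find_hijacked(domains, records, trusted_suffixes):
    """Mail domains whose canonical name is outside the zones you control."""
    bad = {}
    for d in domains:
        canon = canonify(d, records)
        trusted = any(canon == s or canon.endswith("." + s) for s in trusted_suffixes)
        if canon != d.lower() and not trusted:
            bad[d] = canon
    return bad
```

A non-empty result from `find_hijacked` is exactly the symptom in the thread: mail for the domain still arrives, but sendmail rewrites the domain part to the CNAME target and then refuses to relay for it.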
