My FC3 machine appears to be compromised, please help

Bob Brennan rbrennan96 at gmail.com
Thu Apr 6 19:24:21 UTC 2006


On 4/6/06, Les Mikesell <lesmikesell at gmail.com> wrote:
> On Thu, 2006-04-06 at 12:24, Paul Howarth wrote:
> > >
> > > Couldn't similar be achieved by making temporary entries in /etc/hosts
> > > without having to install anything?
> >
> > No, because sendmail can't lookup MX records using the hosts file and
> > will always try DNS first, regardless of nsswitch.conf settings.
>
> From what has been posted so far, the MX records appear to
> be right and CNAMES aren't particularly involved in mail
> delivery except to the extent that any MX records associated
> with the target are inherited by the CNAME, but that doesn't
> seem to be the case here.
>
> The only thing that might confuse sendmail about its name
> is the reverse lookup for its interface address and that
> still looks right from here:
>
> nslookup 83.104.235.34
> Non-authoritative answer:
> 34.235.104.83.in-addr.arpa      name = rbrennan.demon.co.uk.
>
> Does that give a different answer on the machine in question?
>
> --
>  Les Mikesell
>   lesmikesell at gmail.com

Below are the results of nslookups both ways. As you can see the
nslookup of mi-server.net does not include the proper IP, only Mr
Nasty's, whoever it is that is taking all my email from me. What does
http://mi-server.net deliver on the outside world? I can't see it since
my own hosts file keeps me on my LAN.

C:\nslookup 83.104.235.34
Server:  cache-1.ns.demon.net
Address:  158.152.1.58

Name:    rbrennan.demon.co.uk
Address:  83.104.235.34


C:\nslookup mi-server.net
Server:  cache-1.ns.demon.net
Address:  158.152.1.58

Non-authoritative answer:
Name:    wc.funnel.revenuedirect.com.akadns.net
Addresses:  69.25.47.165, 66.150.161.58
Aliases:  mi-server.net, wc.traffic.puredns.com
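
Added example, not part of the original message or thread: a small parser that runs the forward/reverse comparison discussed above over the two nslookup outputs quoted in the message. The helper name `check_forward` is hypothetical, and treating 83.104.235.34 (the interface address from the reverse lookup) as the proper address for mi-server.net is an assumption.

```python
# Added example. Sample data is the nslookup output quoted in the message above.
REVERSE_OUTPUT = """\
Server:  cache-1.ns.demon.net
Address:  158.152.1.58

Name:    rbrennan.demon.co.uk
Address:  83.104.235.34
"""
FORWARD_OUTPUT = """\
Server:  cache-1.ns.demon.net
Address:  158.152.1.58

Non-authoritative answer:
Name:    wc.funnel.revenuedirect.com.akadns.net
Addresses:  69.25.47.165, 66.150.161.58
Aliases:  mi-server.net, wc.traffic.puredns.com
"""

def parse_answer(output):
    """Parse the answer section of Windows-style nslookup output."""
    # The first Server/Address pair names the resolver, not the answer.
    _, _, answer = output.partition("\n\n")
    result = {"name": None, "addresses": [], "aliases": []}
    for line in answer.splitlines():
        key, _, value = line.partition(":")
        key = key.strip().lower()
        items = [v.strip().rstrip(".") for v in value.split(",") if v.strip()]
        if key == "name" and items:
            result["name"] = items[0]
        elif key in ("address", "addresses"):
            result["addresses"].extend(items)
        elif key == "aliases":
            result["aliases"].extend(items)
    return result

def check_forward(output, queried_name, expected_ip):
    """Return findings for a forward lookup (hypothetical helper)."""
    ans = parse_answer(output)
    findings = []
    if expected_ip not in ans["addresses"]:
        findings.append("%s missing from answer %s" % (expected_ip, ans["addresses"]))
    if queried_name in ans["aliases"] and ans["name"] != queried_name:
        findings.append("%s is an alias for %s" % (queried_name, ans["name"]))
    return findings

if __name__ == "__main__":
    print(parse_answer(REVERSE_OUTPUT))
    for finding in check_forward(FORWARD_OUTPUT, "mi-server.net", "83.104.235.34"):
        print("WARNING:", finding)
```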



