sendmail hacked

George Magklaras georgios at biotek.uio.no
Mon May 25 12:42:01 UTC 2009


I would check connection logs from a firewall if I were you. Most 
sysadmins use syslogd to send each server's logs to a central host for 
security. The logs on your sendmail host might not be trustworthy if 
somebody got root. If you do not have such logs that confirm the 
activity of an intruder, your only chance is to shut down the box and use 
The Sleuth Kit to recover wtmp, utmp and any previous versions of the 
sendmail config files that might shed light on what happened and how. If 
that is not an option, I suggest you re-install the box, patch it fully 
and re-configure passwords and access rules. This time, though, syslog 
the logs to another box.

GM

-- 
George Magklaras BSc Hons MPhil
RHCE:805008309135525

Senior Computer Systems Engineer/UNIX-Linux Systems Administrator
EMBnet Technical Management Board
The Biotechnology Centre of Oslo,
University of Oslo
http://folk.uio.no/georgios

redhat at r71.nl wrote:
> Hi, 
> 
> A few days ago my Fedora10 Linux server had a problem. CPU was at 100% and I could not log in via SSH or on the console anymore to find the cause. I had to reboot. 
> 
> The server is used as a mail relay server. After the reboot it seemed that sendmail was not working correctly. It did not accept connections on port 25 anymore. 
> 
> Then I found that the sendmail.cf file had changed. It looks like this file was generated on the 23rd of May. And it was not me who generated it! 
> 
> It looks like this is a hack. Has anybody got an idea about how to confirm this? How did they do this? And how to prevent this? 
> 
> Cheers, 
> Roderick 



Tel: +47-22840535
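The reply above recommends reconstructing what happened from file timestamps (wtmp, utmp, earlier versions of the sendmail config) with The Sleuth Kit. The script below is an added illustration of that idea, not code from the list post or from The Sleuth Kit: it builds a simple MAC-time (modified / accessed / changed) timeline over a directory tree with `os.lstat` and lets you pull out everything touched inside a suspicious window, which is the same kind of view `fls` and `mactime` give you from a disk image. The directory paths and the window in the usage lines are placeholders; on a compromised host you would run it against a read-only mount of the disk, not the live root.

```python
"""
Minimal MAC-time timeline builder for incident reconstruction.

Added example (not from the list post): walks a directory tree, records
the m/a/c times of every entry, and reports what changed inside a time
window. Times come from os.lstat on the mounted filesystem, so run this
on a read-only mount of the suspect disk rather than on the live system.
"""
import os
import stat
import sys
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class TimelineEvent:
    ts: float      # epoch seconds
    kind: str      # "m" (mtime), "a" (atime) or "c" (ctime)
    path: str
    size: int
    mode: str      # e.g. "-rw-r--r--"


def build_timeline(root):
    """Return every m/a/c event under root, sorted by time then path."""
    events = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                      # vanished or unreadable entry
            mode = stat.filemode(st.st_mode)
            for kind, ts in (("m", st.st_mtime),
                             ("a", st.st_atime),
                             ("c", st.st_ctime)):
                events.append(TimelineEvent(ts, kind, path, st.st_size, mode))
    events.sort(key=lambda e: (e.ts, e.path, e.kind))
    return events


def changed_between(events, start, end, kinds=("m", "c")):
    """Events of the given kinds whose timestamp lies in [start, end].

    ctime ("c") is included by default because an attacker can rewrite
    mtime with utime/touch, but cannot set ctime without raw disk access.
    """
    return [e for e in events if e.kind in kinds and start <= e.ts <= end]


def format_event(e):
    when = datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when} {e.kind} {e.mode} {e.size:>8} {e.path}"


if __name__ == "__main__":
    # Usage: timeline.py <root> [<start ISO date> <end ISO date>]
    # Placeholder values; point root at the read-only mount of the disk.
    root = sys.argv[1] if len(sys.argv) > 1 else "/mnt/evidence/etc/mail"
    events = build_timeline(root)
    if len(sys.argv) == 4:
        start = datetime.fromisoformat(sys.argv[2]).replace(tzinfo=timezone.utc).timestamp()
        end = datetime.fromisoformat(sys.argv[3]).replace(tzinfo=timezone.utc).timestamp()
        events = changed_between(events, start, end)
    for ev in events:
        print(format_event(ev))
```

Run it against the mounted evidence with a window around the date the config appeared (`timeline.py /mnt/evidence/etc/mail 2009-05-22 2009-05-24`, paths being placeholders) and read the result alongside the recovered wtmp/utmp entries: a regenerated sendmail.cf will show up as an m and c event, and anything else touched in the same minutes (new binaries, edited crontabs, a replaced sendmail.mc) gives you the rest of the intruder's footprint.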
