sendmail hacked

Manuel Aróstegui manuel at todo-linux.com
Mon May 25 11:15:53 UTC 2009


On Mon, 2009-05-25 at 11:47 +0200, redhat at r71.nl wrote:
> Hi, 
> 
> A few days ago my Fedora10 Linux server had a problem. CPU was 100% and I could not log in via SSH or on the console anymore to find the cause. Had to reboot. 
> 
> The server is used as a mail relay server. After the reboot it seemed that sendmail was not working correctly. It did not accept connections anymore on port 25. 
> 
> Then I found that the sendmail.cf file had changed. It looks like this file was generated on the 23rd of May. And it was not me who generated it! 
> 
> It looks like this is a hack. Has anybody got an idea about how to confirm this? How did they do this? And about how to prevent this? 


Hi there, 

Are you sure any application changed it? Maybe an installation of a new
package put its own configuration in there.

You might want to take a look at the connection logs and the root
"history" to trace what was done in the CLI.

The bad news is you rebooted the machine, which can mean if the "hacker"
was clever enough he might have left a logic bomb to delete all his traces
when rebooting or powering off :(

Manuel.
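A small triage script for the checks suggested above (successful logins around the date, root's shell history, and whether the file really changed out of band), added here as an example and not part of the thread; it assumes an RPM-based Fedora host with sshd logging to /var/log/secure and constructs its own sample log and history excerpts.

```sh
#!/bin/sh
# Added example, not from the thread: triage for an unexpectedly regenerated
# /etc/mail/sendmail.cf on a Fedora relay (RPM-based system, sshd logging to
# /var/log/secure). The log and history excerpts below are constructed sample
# data; the host-specific commands are shown in comments only.

# Successful SSH logins on the given syslog day prefixes (e.g. "May 23").
accepted_logins() {
    log=$1; shift
    for day in "$@"; do grep "^$day " "$log"; done \
        | grep 'sshd\[[0-9]*\]: Accepted ' \
        | awk '{ print $1, $2, $3, "user=" $9, "from=" $11 }'
}

# Lines in a shell history that could have rebuilt sendmail.cf.
history_hits() {
    grep -n -E '(^| )(m4|make) .*sendmail|sendmail\.(mc|cf)' "$1"
}

# On the real host (not run here):
#   rpm -V sendmail                    # '5' in the attribute column = checksum differs
#   find /etc/mail -newer /etc/mail/sendmail.mc -type f   # is .cf newer than .mc?
#   accepted_logins /var/log/secure "May 22" "May 23"
#   history_hits /root/.bash_history

SAMPLE_LOG=$(mktemp)   # constructed /var/log/secure excerpt
cat > "$SAMPLE_LOG" <<'EOF'
May 22 09:01:12 relay sshd[2201]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
May 23 02:14:07 relay sshd[3310]: Failed password for root from 203.0.113.5 port 4422 ssh2
May 23 02:14:31 relay sshd[3312]: Accepted password for root from 203.0.113.5 port 4430 ssh2
May 23 02:15:02 relay sshd[3312]: pam_unix(sshd:session): session opened for user root
May 23 02:20:44 relay sshd[3390]: Accepted password for root from 203.0.113.5 port 4501 ssh2
EOF

SAMPLE_HISTORY=$(mktemp)   # constructed /root/.bash_history excerpt
cat > "$SAMPLE_HISTORY" <<'EOF'
cd /etc/mail
vi sendmail.mc
m4 sendmail.mc > sendmail.cf
service sendmail restart
EOF

accepted_logins "$SAMPLE_LOG" "May 23"
history_hits "$SAMPLE_HISTORY"
```

A root login that was accepted from an unfamiliar address shortly before the file's mtime, combined with an `rpm -V` checksum mismatch, is the kind of evidence that separates a package update from an intrusion.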
