sendmail hacked

Tosh toshlinux at gmail.com
Mon May 25 11:42:53 UTC 2009


Manuel Aróstegui wrote:
> On Mon, 2009-05-25 at 11:47 +0200, redhat at r71.nl wrote:
>> Hi,
>>
>> A few days ago my Fedora10 Linux server had a problem. CPU was 100% and I could not log in via SSH or on the console anymore to find the cause. Had to reboot.
>>
>> The server is used as a mail relay server. After the reboot it seemed that sendmail was not working correctly. It did not accept connections anymore on port 25.
>>
>> Then I found that the sendmail.cf file had changed. It looks like this file was generated on the 23rd of May. And it was not me who generated it!
>>
>> It looks like this is a hack. Has anybody got an idea about how to confirm this? How did they do this? And about how to prevent this?
>
>
> Hi there,
>
> Are you sure any application changed it? Maybe an installation of a new
> package put its own configuration in there.
>
> You might want to take a look at the connection logs and the root
> "history" to trace what was done in the CLI.
>
> The bad news is you rebooted the machine, which can mean if the "hacker"
> was clever enough he might have left a logical bomb to delete all his traces
> when rebooting or powering off :(
>
> Manuel.
>
check the log files, both the sshd and the sendmail logs
only root users can change anything in the /etc/mail folder
so look out for any root access and check whether it was you or anybody else

also look if you can find when sendmail last restarted, as sendmail only 
reads the config file on startup

and then the most obvious, change ALL PASSWORDS, use complex passwords 
or use key files to ssh into your boxes
guideline : http://wiki.centos.org/HowTos/Network/SecuringSSH


-- 
Toshaan <toshlinux at gmail.com> - http://www.toshaan.be
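The checks Tosh lists (root logins in the sshd log, sendmail restarts in the mail log) as a small triage script. This is an added example, not something posted in the thread; the log lines are constructed samples in Fedora's syslog format, and the real files it stands in for are assumed to be /var/log/secure and /var/log/maillog.

```shell
#!/bin/sh
# Added example, not from the original thread. The two log files below are
# CONSTRUCTED samples; on a real Fedora relay point the functions at
# /var/log/secure (sshd, sudo) and /var/log/maillog (sendmail) instead.

SAMPLE_SECURE=$(mktemp)
SAMPLE_MAILLOG=$(mktemp)
trap 'rm -f "$SAMPLE_SECURE" "$SAMPLE_MAILLOG"' EXIT

cat > "$SAMPLE_SECURE" <<'EOF'
May 22 08:01:10 relay sshd[2101]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
May 23 03:14:07 relay sshd[2987]: Failed password for root from 198.51.100.7 port 41022 ssh2
May 23 03:14:12 relay sshd[2987]: Failed password for root from 198.51.100.7 port 41022 ssh2
May 23 03:14:20 relay sshd[2987]: Accepted password for root from 198.51.100.7 port 41022 ssh2
May 23 03:15:02 relay sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
EOF

cat > "$SAMPLE_MAILLOG" <<'EOF'
May 20 06:00:01 relay sendmail[1234]: starting daemon (8.14.3): SMTP+queueing@01:00:00
May 23 03:20:44 relay sendmail[3111]: starting daemon (8.14.3): SMTP+queueing@01:00:00
EOF

# Successful sshd logins as root, by password or key.
root_logins() {
    grep 'sshd\[[0-9]*\]: Accepted .* for root ' "$1"
}

# Number of successful root logins (used by the checks below).
count_root_logins() {
    root_logins "$1" | wc -l | tr -d ' '
}

# Source addresses that failed as root and then succeeded: a guessing run
# that got in, which is the first thing to look for in the poster's case.
bruteforce_then_success() {
    for ip in $(grep 'Failed password for root from' "$1" | awk '{print $11}' | sort -u); do
        grep -q "Accepted .* for root from $ip " "$1" && echo "$ip"
    done
}

# Local escalations to root through sudo, so "root access" is not only sshd.
sudo_to_root() {
    grep 'sudo:.*USER=root' "$1"
}

# Timestamps of sendmail daemon starts. sendmail reads sendmail.cf only at
# startup, so a start shortly after the file's mtime is the one to examine.
sendmail_starts() {
    grep 'sendmail\[[0-9]*\]: starting daemon' "$1" | awk '{print $1, $2, $3}'
}

# The most recent start, to set beside `stat /etc/mail/sendmail.cf`.
last_sendmail_start() {
    sendmail_starts "$1" | tail -n 1
}

echo "== successful root logins ==";            root_logins "$SAMPLE_SECURE"
echo "== failed-then-accepted root sources =="; bruteforce_then_success "$SAMPLE_SECURE"
echo "== sudo to root ==";                      sudo_to_root "$SAMPLE_SECURE"
echo "== sendmail daemon starts ==";            sendmail_starts "$SAMPLE_MAILLOG"
echo "== last start ==";                        last_sendmail_start "$SAMPLE_MAILLOG"
```

On the real box, compare the last start time with the modification time from `stat /etc/mail/sendmail.cf` and `stat /etc/mail/sendmail.mc`, and run `rpm -V sendmail` to see which packaged files differ from what the package installed; a sendmail.cf newer than sendmail.mc, with no matching entry in root's shell history, supports the poster's suspicion that it was not regenerated by an update.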