LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-05-2005, 08:41 PM   #1
ERBRMN
Help for SENDMAIL, . . . auto sending mail


Hi ...

Have you any advice for me?

I have a Web and FTP server which uses sendmail and a MySQL server.
There is some script that uses the sendmail command on my server.
It only sends e-mail to other users when a user uses the mail-sending web page.
All user information (registered users' e-mail addresses) is registered in a MySQL database table.

My Problem :

- On my server there is some THING that automatically sends BLANK mail to the registered users in MySQL.
- The mail sender is nobody@my-domain
- When I look at "maillog" there are too many log entries showing nobody sending e-mail to all registered users and also to non-registered users.
- I am one of the registered users, but I have received that blank mail.

What is it? A VIRUS?

 
Old 07-05-2005, 11:00 PM   #2
Capt_Caveman
Take a look at your mail logs and see if you can find any information on the user sending mail. Also post a few examples from the log if possible.

Take a look at your system logs (including webserver and ftp logs) for anything abnormal such as errors or panics. Also look at the output of ps -aux for any processes that look abnormal. I would also highly recommend downloading and running rkhunter or chkrootkit.
 
Old 07-06-2005, 12:31 AM   #3
hardcorelinux
Check the mail headers; it looks like some of your users are sending through PHP. Try to enable phpsuexec, then you can find the original users.
 
Old 07-06-2005, 01:09 AM   #4
ERBRMN
Quote:
Originally posted by Capt_Caveman
Take a look at your mail logs and see if you can find any information on the user sending mail. Also post a few examples from the log if possible.
Thank you, Capt_Caveman

I have attached some log entries from my server maillog which I think are NOT CORRECT.

*******************

Jul 3 07:43:58 pweb-srv2 sendmail[20654]: /etc/mail/submit.cf: WARNING: dangerous write permissions
Jul 3 07:43:58 pweb-srv2 sendmail[20654]: j62MhwGW020654: from=nobody, size=1869, class=0, nrcpts=1, msgid=<200507022243.j62MhwGW020654@pweb-srv2.other-server-domain>, relay=nobody@localhost
Jul 3 07:43:58 pweb-srv2 sm-mta[20656]: j62MhwhH020656: from=<nobody@my-server-domain>, size=2104, class=0, nrcpts=1, msgid=<200507022243.j62MhwGW020654@my-server-domain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jul 3 07:43:58 pweb-srv2 sendmail[20654]: j62MhwGW020654: to=member@other-server-domain, ctladdr=nobody (99/99), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30128, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (j62MhwhH020656 Message accepted for delivery)
Jul 3 07:43:58 pweb-srv2 sendmail[20659]: /etc/mail/submit.cf: WARNING: dangerous write permissions
Jul 3 07:43:58 pweb-srv2 sendmail[20659]: j62MhwtR020659: from=nobody, size=1894, class=0, nrcpts=1, msgid=<200507022243.j62MhwtR020659@pweb-srv2.other-server-domain>, relay=nobody@localhost
Jul 3 07:43:58 pweb-srv2 sm-mta[20661]: j62MhwhH020661: from=<nobody@my-server-domain>, size=2129, class=0, nrcpts=1, msgid=<200507022243.j62MhwtR020659@my-server-domain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jul 3 07:43:58 pweb-srv2 sendmail[20659]: j62MhwtR020659: to=rin_2125@yahoo.co.jp, ctladdr=nobody (99/99), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30130, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (j62MhwhH020661 Message accepted for delivery)
Jul 3 07:43:59 pweb-srv2 sm-mta[20663]: j62MhwhH020661: to=<rin_2125@yahoo.co.jp>, ctladdr=<nobody@my-server-domain> (99/99), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30365, relay=mta08.mail.yahoo.co.jp. [202.93.87.210], dsn=2.0.0, stat=Sent (ok dirdel)
Jul 3 07:44:15 pweb-srv2 sm-mta[20658]: j62MhwhH020656: to=<member@other-server-domain>, ctladdr=<nobody@my-server-domain> (99/99), delay=00:00:17, xdelay=00:00:17, mailer=esmtp, pri=30363, relay=other-dns-name. [xxx.zzz.www.qqq], dsn=2.0.0, stat=Sent (ok 1120337504 qp 15957)
Jul 3 07:54:12 pweb-srv2 sendmail[20675]: /etc/mail/submit.cf: WARNING: dangerous write permissions
Jul 3 07:54:12 pweb-srv2 sendmail[20675]: j62MsCdf020675: from=nobody, size=2506, class=0, nrcpts=1, msgid=<200507022254.j62MsCdf020675@pwe


*******************

Last edited by ERBRMN; 07-06-2005 at 01:39 AM.
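As an added example (not code from any post in this thread), a small Python parser that groups the sendmail maillog entries above by queue id, collects the submit.cf permission warnings, and picks out the messages that were handed to sendmail by a local process running as the web-server user (ctladdr=nobody (99/99)), which is what an admin would want to count before touching firewall rules. The log lines are copied from the post with the wrapped lines joined; hostnames and domains are the poster's placeholders.

```python
import re
from collections import defaultdict

# Sendmail maillog lines copied from the post above (wrapped lines joined back
# together); the host and domain names are the poster's placeholders.
MAILLOG = """\
Jul 3 07:43:58 pweb-srv2 sendmail[20654]: /etc/mail/submit.cf: WARNING: dangerous write permissions
Jul 3 07:43:58 pweb-srv2 sendmail[20654]: j62MhwGW020654: from=nobody, size=1869, class=0, nrcpts=1, msgid=<200507022243.j62MhwGW020654@pweb-srv2.other-server-domain>, relay=nobody@localhost
Jul 3 07:43:58 pweb-srv2 sm-mta[20656]: j62MhwhH020656: from=<nobody@my-server-domain>, size=2104, class=0, nrcpts=1, msgid=<200507022243.j62MhwGW020654@my-server-domain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jul 3 07:43:58 pweb-srv2 sendmail[20654]: j62MhwGW020654: to=member@other-server-domain, ctladdr=nobody (99/99), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30128, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (j62MhwhH020656 Message accepted for delivery)
Jul 3 07:43:58 pweb-srv2 sendmail[20659]: /etc/mail/submit.cf: WARNING: dangerous write permissions
Jul 3 07:43:58 pweb-srv2 sendmail[20659]: j62MhwtR020659: from=nobody, size=1894, class=0, nrcpts=1, msgid=<200507022243.j62MhwtR020659@pweb-srv2.other-server-domain>, relay=nobody@localhost
Jul 3 07:43:58 pweb-srv2 sendmail[20659]: j62MhwtR020659: to=rin_2125@yahoo.co.jp, ctladdr=nobody (99/99), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30130, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (j62MhwhH020661 Message accepted for delivery)
"""

# "Mon DD HH:MM:SS host prog[pid]: queue-id: key=value, key=value, ..."
ENTRY_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: "
                      r"(?P<qid>[A-Za-z0-9]{14}): (?P<body>.*)$")
WARN_RE = re.compile(r"\]: (?P<file>\S+): WARNING: (?P<msg>.*)$")

def parse_maillog(text):
    """Group the log by queue id and collect sendmail's configuration warnings."""
    queues = defaultdict(lambda: {"prog": None, "from": None, "ctladdr": None, "to": []})
    warnings = []
    for line in text.splitlines():
        w = WARN_RE.search(line)
        if w:                      # e.g. submit.cf writable by others: worth fixing on its own
            warnings.append((w["file"], w["msg"]))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["body"].split(", ") if "=" in kv)
        q = queues[m["qid"]]
        q["prog"] = m["prog"]      # "sendmail" = submission program, "sm-mta" = daemon
        if "from" in fields:
            q["from"] = fields["from"]
        if "to" in fields:
            q["to"].append(fields["to"])
            q["ctladdr"] = fields.get("ctladdr", q["ctladdr"])
    return dict(queues), warnings

def local_submissions(text, user="nobody"):
    """Queue ids handed to sendmail by a local process running as `user`: the
    submission program logs ctladdr=<user> (uid/gid), and on a web server that
    uid is normally the one PHP/CGI scripts run under."""
    queues, _ = parse_maillog(text)
    return {qid: q for qid, q in queues.items()
            if q["prog"] == "sendmail" and (q["ctladdr"] or "").startswith(user + " ")}
```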
 
Old 07-06-2005, 01:15 AM   #5
ERBRMN
Also I attached the BLANK mail which is auto sent from the nobody user:

> ------------------------------------------------------------
>
> Return-Path: <nobody@my-server-domain>
> Received: from virmxi04.aics.ne.jp ([157.205.253.20])
> by imlmta10.aics.ne.jp
> (InterMail vM.5.02.12.00 201-264-126-133-106-20040103) with ESMTP
> id
> <20050704083340.GHMA15096.imlmta10.aics.ne.jp@virmxi04.aics.ne.jp>
> for <okw@xxxxxxxxx.xxx>; Mon, 4 Jul 2005 17:33:40 +0900
> Received: from my-server-domain ([yyy.eee.ttt.rrr])
> by virmxi04.aics.ne.jp
> (InterMail vM.5.02.12.00 201-264-126-133-106-20040103) with ESMTP
> id
> <20050704083340.YDIT1273.virmxi04.aics.ne.jp@my-server-domain>
> for <okw@xxxxxxxxx.xxx>; Mon, 4 Jul 2005 17:33:40 +0900
> Received: from my-server-domain (localhost.localdomain [127.0.0.1])
> by my-server-domain (8.12.6/8.12.6) with ESMTP id j648kRhH031216
> for <okw@xxxxxxxxx.xxx>; Mon, 4 Jul 2005 17:46:27 +0900
> Received: (from nobody@localhost)
> by my-server-domain (8.12.6/8.12.6/Submit) id j648kRGU031214;
> Mon, 4 Jul 2005 17:46:27 +0900
> Date: Mon, 4 Jul 2005 17:46:27 +0900
> From: Nobody <nobody@my-server-domain>
> Message-Id: <200507040846.j648kRGU031214@my-server-domain>
> To: okw@xxxxxxxxx.xxx
> Subject: =?iso-2022-jp?B??=
>
>
> ------------------------------------------------------------
>

Sorry, I had to change some IP addresses and my server domain name.
They are:
okw@xxxxxxxxx.xxx - the person who received this blank mail.
yyy.eee.ttt.rrr - my server IP address
my-server-domain - my server domain name with host name.

Last edited by ERBRMN; 07-06-2005 at 01:19 AM.
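As an added example (not code from any post in this thread) of the header check hardcorelinux suggests, a Python routine that unfolds the Received: headers of the blank mail quoted above and lists the hops in the order the message travelled, flagging the hop where sendmail's submission program took the message in from a local process. The header text is copied from the post with the continuation-line indentation restored; IPs and names are the poster's placeholders.

```python
import re

# Headers of the blank mail quoted above, copied from the post with the header
# folding (indented continuation lines) restored; the IPs and names are the
# poster's placeholders, not real values.
SAMPLE_HEADERS = """\
Received: from virmxi04.aics.ne.jp ([157.205.253.20]) by imlmta10.aics.ne.jp
  (InterMail vM.5.02.12.00 201-264-126-133-106-20040103) with ESMTP
  id <20050704083340.GHMA15096.imlmta10.aics.ne.jp@virmxi04.aics.ne.jp>
  for <okw@xxxxxxxxx.xxx>; Mon, 4 Jul 2005 17:33:40 +0900
Received: from my-server-domain ([yyy.eee.ttt.rrr]) by virmxi04.aics.ne.jp
  (InterMail vM.5.02.12.00 201-264-126-133-106-20040103) with ESMTP
  id <20050704083340.YDIT1273.virmxi04.aics.ne.jp@my-server-domain>
  for <okw@xxxxxxxxx.xxx>; Mon, 4 Jul 2005 17:33:40 +0900
Received: from my-server-domain (localhost.localdomain [127.0.0.1])
  by my-server-domain (8.12.6/8.12.6) with ESMTP id j648kRhH031216
  for <okw@xxxxxxxxx.xxx>; Mon, 4 Jul 2005 17:46:27 +0900
Received: (from nobody@localhost)
  by my-server-domain (8.12.6/8.12.6/Submit) id j648kRGU031214;
  Mon, 4 Jul 2005 17:46:27 +0900
From: Nobody <nobody@my-server-domain>
To: okw@xxxxxxxxx.xxx
"""

# "from <host> (<comment> [<ip>])" and "by <host>"; the ip group is optional
FROM_RE = re.compile(r"from\s+\(?([^\s()]+)(?:\s*\(?[^()\[]*\[([^\]]+)\])?")
BY_RE = re.compile(r"\bby\s+([^\s()]+)")

def unfold(raw):
    """Join RFC 2822 folded header lines (continuations start with whitespace)."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def received_hops(raw):
    """Received: hops oldest first, i.e. the path the message took: each MTA
    prepends its own header, so the bottom one is where the message entered."""
    hops = []
    for h in unfold(raw):
        if not h.lower().startswith("received:"):
            continue
        f, b = FROM_RE.search(h), BY_RE.search(h)
        hops.append({"from": f.group(1) if f else None,
                     "ip": f.group(2) if f else None,
                     "by": b.group(1) if b else None,
                     # sendmail's submission program tags its version ".../Submit":
                     # the message came from a local process, not over SMTP
                     "local_submission": "/Submit" in h})
    return hops[::-1]
```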
 
Old 07-06-2005, 08:19 PM   #6
ERBRMN
How could I configure "MAIL SENDING - DISABLE" for the "nobody" account?
 
Old 07-06-2005, 09:21 PM   #7
Capt_Caveman
Those messages look like they're originating from outside your network with the nobody@your-domain being forged, so you should probably work on banning that host first rather than preventing the nobody user from sending mail (which may actually cause problems with local message delivery). From the mail header, you can see the IP of the host that is sending these messages (157.205.253.20). So try blocking that host entirely with:

iptables -I INPUT -s 157.205.253.20 -j DROP