LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-18-2001, 01:57 AM   #1
amcnally
LQ Newbie
 
In Desperate Need of Assistance! Please?!?!?!?!?!


I have a Red Hat Linux server, and while I can typically decipher any of the problems that I have on it, I am totally stuck on the latest one.

I can restart Sendmail, and it appears to stop and start okay (every once in a while it does not say "Start: OK", it will just say "Start:", but it's the same end result). It doesn't work right!

I can check the email process with "sendmail -bt", and that appears to run. However, when I use "sendmail -vt" I get the following error:

[root@webserver mail]# sendmail -vt
Can't create transcript file ./xff7HLo7b25266: Permission denied

Also, I get the same kind of message when I try to send a message from the command line:

[root@webserver mail]# mail amcnallymail
Subject: Wondering if this...
Might make a difference

Cc: [root@webserver mail]# Can't create transcript file ./xff7HLaJ025201: Permission denied

These errors lead me to believe that somehow a permission has been changed??? I am starting to think that I have been hacked, and some of the following information seems to lend itself to that possibility. Either that, or I have been hit by some sort of a virus or worm.

I checked all of my spool files, and there are no new messages from all of the test messages that I have been sending. However, when someone sends me an email, it does not send them an error message back either. It acts like it is working just fine from the outside, but once you log onto the server, you see that something is desperately wrong!

My husband's messages are supposed to be forwarded to his other email address from our domain names. However, he is not receiving any messages through the system, nor do we get any errors on his emails to the sender of the email.

After doing more searching around, I found that in /var, spool has ownership of lpd (line printer daemon?). If you go to /var/spool everything in that directory has ownership of lpd, and if you go to /var/spool/mail all of the mail files have ownership of lpd.

As I recall, those should be owned by the mailbox holder, but I could be wrong about that. Nonetheless, I do not remember them being owned by lpd. There does appear to be a user lpd in the passwd file:

lpd:x:1212:1212:lpd:/var/spool/lpd:/bin/bash

And, it also appears that this would be the "line print daemon" that I referenced earlier. I cannot imagine that lpd needs to own those. By doing this, is someone capable of having my emails sent to them or their server or something?

I looked in /var/spool/lpd and there is the lpd.lock file, which when I looked at it, had a number in it. From what I can tell, that means that a session was terminated abnormally, so I emptied that file, but that did not fix the problem.

I checked my cron jobs, (I have some things that are supposed to run once an hour for site statistics) and they are not running either. I noticed that in /var/spool there is a cron directory, so I do not know if that has something to do with it.

I could reinstall the Sendmail program again, as has been suggested to me, but with this new information, I don't think that it will come close to fixing my problem.

Any suggestions on what to do? Am I going to have to reinstall everything?!?!?! If I do not, it could take me forever to find all of the things that have been fixed, couldn't it???

If I have to totally redo my server, does that have to be done locally, or can I do it remotely (my server is in NJ, and I am in Florida). They (the NJ company) will charge me $300 to reinstall everything. I know that it should not take that much to redo it. That is 2 hours at $150 per hour!!!

This evening I have been looking around, and in /etc I noticed that some files have new dates on them. These include passwd, hosts.allow, hosts.deny, inetd.conf, psdevtab, resolv.conf, services, shadow, and ssh_random_seed.

In the hosts.allow file I see that there is the following:

ALL: .navipath.net
ALL: localhost.localdomain
ALL: localhost
ALL: .dialinx.net
ALL: .dk

I cannot imagine any reason that dialinx.net and dk are supposed to be there. Is that normal???

In the hosts.deny, there are so many IP addresses that it fills my buffer when I do a "cat" to view it.

Also, if I go to /var/logs, the only logs that show anything at all are wtmp and xferlog. The rest of them were reset at the same time that all of the rest of the files were changed. (Most of the changed files were done on Aug 17 01 4:28, which would seem to indicate that either someone ran a program that made the changes, or that it was a virus or trojan that did this.)

I am really starting to think that I have been hacked into, but I do not know how. I was hacked about a year to a year and a half ago, and my admin supposedly locked everything up tight. Now, all of a sudden, it sure seems that way! Unfortunately, I cannot locate the guy that worked on it. I haven't needed him since then, and we have lost touch.

We had been trying out some bulk mail software for our newsletter opt-in list, and I am starting to wonder if one of the authors had something in his program that would send him (or her) the mail server information so that they can use it for bulk spam or something.

Please, any assistance you can give would be great. I have a really bad feeling that my server is being used for unsavory things right now!

Please email my husband at rmcnally@bellsouth.net with any information. I will be happy to give you my phone number so that we can talk it through if that will help too. I am pretty proficient at this Linux thing, but I have my limits, and this is one of those times.

Since no one knows that I am not getting my emails, I just HAVE to get this fixed IMMEDIATELY!!! It wouldn't be so bad if people were getting a message or something.

PLEASE HELP!?!?!?!?
 
Old 08-18-2001, 09:14 PM   #2
unSpawn
Moderator
 
I would suggest you take, or let 'em, tear all services on the box down, because for the lpd ownage, hosts.* entries and considering multiple failures in running stuff, you might want to let them install and run chkrootkit (http://www.chkrootkit.org) to verify you've been hit by something like the Lpd exploit for RH7/ Ramen worm.

If compromised, I would suggest taking the box offline, preserve an image of the disk if necessary, and rebuild the thing.

If not, on to the mail. The mail queue /var/spool/mqueue should be owned by owner root, group root. The mail spool /var/spool/mail is owner root, group mail. Each user's mail spool is owned by its user, group mail, except for root, that's root/root (on my box, that is).
chown that stuff and restart sendmail in debug mode for checks.

*btw couldn't send a message here, the system is full :-]
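Following on from the reply above: the spool ownership, the burst of /etc changes on Aug 17 and the hosts.allow entries reported in the first post can all be checked with a few lines of shell. The script below is an added example, not part of either post and not a substitute for chkrootkit. Every function takes a root directory so it can be pointed at the suspect disk mounted on a clean machine (ls, find and awk on a rootkitted host may lie). The tree it builds is constructed to mirror what the first post reports; the 04:00 reference time, the spool file names and the passwd contents are assumptions for the demo.

```shell
#!/bin/sh
# Triage checks for the symptoms in this thread (added example; not from the
# original posts). Each function takes a root directory so the checks can run
# against a mounted image of the suspect disk, or, as here, a constructed tree.

# 1. Files under etc/ changed after a reference file's mtime. Touch the
#    reference to the last known-good time: touch -t YYYYMMDDhhmm ref
recent_etc_changes() {            # $1 root, $2 reference file
    find "$1/etc" -type f -newer "$2" | sort
}

# 2. Mail spool files whose owner is not the user they are named after
#    (the thread's symptom: everything in /var/spool/mail owned by lpd).
#    Output: "<file> <actual owner>"; no output means every spool is right.
spool_owner_mismatches() {        # $1 spool directory
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        [ "$owner" = "$(basename "$f")" ] || echo "$f $owner"
    done
}

# 3. hosts.allow client patterns that match a whole domain suffix (".dk").
#    tcp_wrappers reads hosts.allow before hosts.deny and stops at the first
#    match, so one such line reopens every wrapped service to that suffix
#    no matter how long hosts.deny is.
broad_allow_entries() {           # $1 path to hosts.allow
    awk -F: '
        /^[ \t]*(#|$)/ { next }
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            n = split($2, c, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (c[i] ~ /^\./) print $1 ": " c[i]
        }' "$1"
}

# 4. Accounts that can log in: shell ends in "sh", or the field is empty
#    (login then uses /bin/sh). Stock Red Hat runs printing as "lp", uid 4,
#    with no shell; an "lpd" with uid 1212 and /bin/bash is not the
#    distribution's doing.
shell_accounts() {                # $1 path to passwd
    awk -F: '$7 == "" || $7 ~ /sh$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Constructed tree mirroring the first post's observations; prints its path.
build_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/var/spool/mail"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'lp:x:4:7:lp:/var/spool/lpd:' \
        'admin:x:500:500::/home/admin:/bin/bash' \
        'lpd:x:1212:1212:lpd:/var/spool/lpd:/bin/bash' > "$root/etc/passwd"
    printf '%s\n' 'ALL: .navipath.net' 'ALL: localhost.localdomain' \
        'ALL: localhost' 'ALL: .dialinx.net' 'ALL: .dk' > "$root/etc/hosts.allow"
    : > "$root/etc/services"
    # The post's change burst was Aug 17 2001 04:28; reference (assumed) 04:00.
    touch -t 200108170400 "$root/ref"
    touch -t 200107010000 "$root/etc/services"
    touch -t 200108170428 "$root/etc/passwd" "$root/etc/hosts.allow"
    # Both spools are owned by whoever runs this, so the one named "lpd"
    # is a mismatch without needing root to chown anything.
    : > "$root/var/spool/mail/$(id -un)"
    : > "$root/var/spool/mail/lpd"
    echo "$root"
}

triage_report() {                 # $1 root, $2 reference file
    echo "== etc files newer than $2";   recent_etc_changes "$1" "$2"
    echo "== spool owner mismatches";    spool_owner_mismatches "$1/var/spool/mail"
    echo "== suffix-wide hosts.allow";   broad_allow_entries "$1/etc/hosts.allow"
    echo "== accounts with a shell";     shell_accounts "$1/etc/passwd"
}

if [ "${1:-}" = demo ]; then
    r=$(build_fixture); triage_report "$r" "$r/ref"; rm -rf "$r"
fi
```

`sh triage.sh demo` prints the four reports against the constructed tree; on a real disk call triage_report with the mount point and a reference file touched to the last known-good time. The third report needs no interpretation: `ALL: .dk` and `ALL: .dialinx.net` in hosts.allow let every wrapped service accept connections from those suffixes regardless of what hosts.deny says. If the box is kept, ownership goes back the way the reply describes (`chown root:mail /var/spool/mail`, then each mailbox to its user, group mail), but none of these checks proves the box is clean; findings like the ones in the first post are a reason to image the disk and rebuild.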
 
Old 08-19-2001, 11:27 AM   #3
amcnally
LQ Newbie
 
Follow up...

I fixed most of my problems already, but still cannot get it to parse my email addresses correctly.

I can't get my email, and it says "user unknown". I am sure that this is a simple fix, but I am stumped. Can you help me?

I can't leave the whole file here, as this forum limits the characters. Here is part of it...if you would like the rest to assist, please contact me at Yahoo IM - amcnally68 or AIM - amcnally30

[root@webserver mail]# sendmail -bv -d amcnally@southfl.net
Version 8.10.1
Compiled with: LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND NETINET
NETUNIX NEWDB QUEUE SCANF SMTP USERDB XDEBUG
getla(): 0.00
setoption SevenBitInput (7)=False
setoption EightBitMode (8)=pass8
setoption AliasWait (a)=10
setoption AliasFile (A)=/etc/mail/aliases
setoption MinFreeBlocks (b)=100
setoption BlankSub (B)=.
setoption HoldExpensive (c)=False
setoption DeliveryMode (d)=background
setoption TempFileMode (F)=0600
setoption HelpFile (H)=/etc/mail/helpfile
setoption SendMimeErrors (j)=True
setoption ForwardPath (J)=$z/.forward.$w+$h:$z/.forward+$h:$z/.forward.$w:$z/.forward
setoption ConnectionCacheSize (k)=2
setoption ConnectionCacheTimeout (K)=5m
setoption UseErrorsTo (l)=False
setoption LogLevel (L)=9
setoption CheckAliases (n)=False
setoption OldStyleHeaders (o)=True
setoption DaemonPortOptions (O)=Name=MTA
Daemon MTA flags:
setoption DaemonPortOptions (O)=Port=587, Name=MSA, M=E
Daemon MSA flags: NOETRN
setoption PrivacyOptions (p)=authwarnings
setoption QueueDirectory (Q)=/var/spool/mqueue
setoption Timeout (r).queuereturn=5d
setoption Timeout (r).queuewarn=4h
setoption SuperSafe (s)=True
setoption StatusFile (S)=/etc/mail/statistics
setoption SmtpGreetingMessage (0x90)=$j Sendmail $v/$Z; $b
setoption UnixFromLine (0x91)=From $g $d
setoption OperatorChars (0x92)=.:%@!^/[]+
setoption DontProbeInterfaces (0xa1)=False
setoption MaxHeadersLength (0xaa)=32768
drop_privileges(0): Real[UG]id=0:0, RunAs[UG]id=0:0
getauthinfo: root@localhost

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = webserver
(canonical domain name) $j = webserver.imaginiqueinc.com
(subdomain name) $m = imaginiqueinc.com
(node name) $k = webserver.imaginiqueinc.com
========================================================

assign_queueid: assigned id f7J4i0P01896, e=809d9a0
assign_queueid: assigned id f7J4i0Q01896, e=809d9a0
getla(): 0.00
setsender()

--parseaddr(admin)
rewrite: ruleset canonify input: admin
rewrite: ruleset Canonify2 input: admin
rewrite: ruleset Canonify2 returns: admin
rewrite: ruleset canonify returns: admin
rewrite: ruleset parse input: admin
rewrite: ruleset Parse0 input: admin
map_lookup(dequote, admin) => NOT FOUND (0)
rewrite: ruleset Parse0 returns: admin
rewrite: ruleset ParseLocal input: admin
rewrite: ruleset ParseLocal returns: admin
rewrite: ruleset Parse1 input: admin
rewrite: ruleset Parse1 returns: $# local $: admin
rewrite: ruleset parse returns: $# local $: admin
rewrite: ruleset final input: admin
rewrite: ruleset final returns: admin
parseaddr-->809d9b0=admin:
mailer 3 (local), host `'
user `admin', ruser `<null>'
state=OK, next=0, alias 0, uid 0, gid 0
flags=180<QPINGONFAILURE,QPINGONDELAY>
owner=(none), home="(none)", fullname="(none)"
orcpt="(none)", statmta=(none), status=(none)
rstatus="(none)"
specificity=0, statdate=(none)
udbmatch(admin, mailname)
rewrite: ruleset canonify input: admin
rewrite: ruleset Canonify2 input: admin
rewrite: ruleset Canonify2 returns: admin
rewrite: ruleset canonify returns: admin
rewrite: ruleset 1 input: admin
rewrite: ruleset 1 returns: admin
rewrite: ruleset final input: admin
rewrite: ruleset final returns: admin
sendto: amcnally@southfl.net
ctladdr=[NULL]

--parseaddr(amcnally@southfl.net)
rewrite: ruleset canonify input: amcnally @ southfl . net
rewrite: ruleset Canonify2 input: amcnally < @ southfl . net >
map_lookup(host, southfl.net) => host_map_lookup(southfl.net) => map_rewrite(southfl.net), av =
southfl.net
map_rewrite => southfl.net.
southfl.net. (0)
rewrite: ruleset Canonify2 returns: amcnally < @ southfl . net . >
rewrite: ruleset canonify returns: amcnally < @ southfl . net . >
rewrite: ruleset parse input: amcnally < @ southfl . net . >
rewrite: ruleset Parse0 input: amcnally < @ southfl . net . >
map_lookup(dequote, amcnally) => NOT FOUND (0)
rewrite: ruleset Parse0 returns: amcnally < @ southfl . net . >
rewrite: ruleset ParseLocal input: amcnally < @ southfl . net . >
rewrite: ruleset ParseLocal returns: amcnally < @ southfl . net . >
rewrite: ruleset Parse1 input: amcnally < @ southfl . net . >
rewrite: ruleset Parse1 returns: $# local $: amcnally
rewrite: ruleset parse returns: $# local $: amcnally
rewrite: ruleset 2 input: amcnally
rewrite: ruleset 2 returns: amcnally
rewrite: ruleset EnvToL input: amcnally
rewrite: ruleset EnvToL returns: amcnally
rewrite: ruleset final input: amcnally
rewrite: ruleset final returns: amcnally
parseaddr-->80d23a8=amcnally@southfl.net:
mailer 3 (local), host `'
user `amcnally', ruser `<null>'
state=OK, next=0, alias 0, uid 0, gid 0
flags=180<QPINGONFAILURE,QPINGONDELAY>
owner=(none), home="(none)", fullname="(none)"
orcpt="(none)", statmta=(none), status=(none)
rstatus="(none)"
specificity=0, statdate=(none)

recipient (0): 80d23a8=amcnally@southfl.net:
mailer 3 (local), host `'
user `amcnally', ruser `<null>'
state=OK, next=0, alias 0, uid 0, gid 0
flags=182<QPRIMARY,QPINGONFAILURE,QPINGONDELAY>
owner=(none), home="(none)", fullname="(none)"
orcpt="(none)", statmta=(none), status=(none)
rstatus="(none)"
specificity=0, statdate=(none)
alias(amcnally)
map_rewrite(@), av = (nullv)
map_rewrite => @
udbexpand(amcnally@southfl.net)
maplocaluser: 80d23a8=amcnally@southfl.net:
mailer 3 (local), host `'
user `amcnally', ruser `<null>'
state=OK, next=0, alias 0, uid 0, gid 0
flags=182<QPRIMARY,QPINGONFAILURE,QPINGONDELAY>
owner=(none), home="(none)", fullname="(none)"
orcpt="(none)", statmta=(none), status=(none)
rstatus="(none)"
specificity=0, statdate=(none)
rewrite: ruleset localaddr input: amcnally
rewrite: ruleset Local_localaddr input: amcnally
rewrite: ruleset Local_localaddr returns: amcnally
rewrite: ruleset localaddr returns: amcnally
amcnally@southfl.net... User unknown
From person = "admin"
getla(): 0.00

===== SENDALL: mode v, id f7J4i0Q01896, e_from 809d9b0=admin:
mailer 3 (local), host `'
user `admin', ruser `<null>'
state=SENDER, next=0, alias 0, uid 500, gid 500
flags=181<QGOODUID,QPINGONFAILURE,QPINGONDELAY>
owner=(none), home="/home/admin", fullname="(none)"
orcpt="(none)", statmta=(none), status=(none)
rstatus="(none)"
specificity=0, statdate=(none)
e_flags = 4001<OLDSTYLE,METOO>
sendqueue:
80d23a8=amcnally@southfl.net:
mailer 3 (local), host `'
user `amcnally', ruser `<null>'
state=BADADDR, next=0, alias 0, uid 0, gid 0
flags=80000182<QPRIMARY,QPINGONFAILURE,QPINGONDELAY,QRCPTOK>
owner=(none), home="(none)", fullname="(none)"
orcpt="(none)", statmta=(none), status=5.1.1
rstatus="550 5.1.1 User unknown"
specificity=0, statdate=(none)
dropenvelope 809d9a0: id=f7J4i0Q01896, flags=5001<OLDSTYLE,GLOBALERRS,METOO>

===== Dropping [dq]ff7J4i0Q01896... queueit=0, e_flags=5001<OLDSTYLE,GLOBALERRS,METOO>

====finis: stat 67 e_id=NOQUEUE e_flags=5001<OLDSTYLE,GLOBALERRS,METOO>


Any ideas???
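What the trace above shows, with one way to check it outside sendmail, as an added example that is not part of the post: ruleset Parse1 returns `$# local $: amcnally` for amcnally@southfl.net, so sendmail regards southfl.net as one of its own domains (class w, which the stock Red Hat config fills from /etc/mail/local-host-names) and hands the address to the local mailer; alias(amcnally) finds nothing, there is no account of that name, and the result is 550 5.1.1 User unknown. The script reproduces that decision in simplified form from the files on disk. It does not read Cw lines in sendmail.cf, virtusertable (the trace shows no virtuser map lookup, which suggests that feature is not in this config) or ~/.forward. The config tree it builds is constructed; the rmcnally alias and the `amcnally: admin` fix are assumptions about where the mail is meant to land (admin, uid 500, is the account the trace was run from).

```shell
#!/bin/sh
# Reproduce, from the files on disk, the decision the -bv -d trace makes for
# user@domain. Added example, not from the thread. Simplified: it reads only
# etc/mail/local-host-names (class w), etc/mail/aliases and etc/passwd under
# a root directory; Cw lines in sendmail.cf, virtusertable and ~/.forward are
# ignored.

domain_is_local() {     # $1 root, $2 domain: whole-line, case-insensitive match
    grep -qixF -- "$2" "$1/etc/mail/local-host-names" 2>/dev/null
}

has_account() {         # $1 root, $2 login name
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' \
        "$1/etc/passwd"
}

alias_target() {        # $1 root, $2 name: prints the alias target, empty if none
    awk -F: -v u="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(u) { sub(/^[ \t]+/, "", $2); print $2; exit }
    ' "$1/etc/mail/aliases"
}

diagnose() {            # $1 root, $2 user, $3 domain
    if ! domain_is_local "$1" "$3"; then
        echo "REMOTE: $3 not in local-host-names; would be handed to the smtp mailer"
        return 0
    fi
    t=$(alias_target "$1" "$2")
    if [ -n "$t" ]; then
        echo "ALIAS: $2@$3 -> $t"
    elif has_account "$1" "$2"; then
        echo "MAILBOX: $2@$3 -> $1/var/spool/mail/$2"
    else
        echo "UNKNOWN: $3 is local but no alias or account named $2 (550 5.1.1)"
    fi
}

# Constructed config tree matching what the trace shows (system identity
# webserver.imaginiqueinc.com, sender admin uid 500); prints its path.
# The rmcnally alias (forward to the address in the first post) is assumed.
build_mail_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/mail"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'admin:x:500:500::/home/admin:/bin/bash' > "$root/etc/passwd"
    printf '%s\n' 'webserver.imaginiqueinc.com' 'imaginiqueinc.com' \
        'southfl.net' > "$root/etc/mail/local-host-names"
    printf '%s\n' '# aliases' 'postmaster: root' \
        'rmcnally: rmcnally@bellsouth.net' > "$root/etc/mail/aliases"
    echo "$root"
}

if [ "${1:-}" = demo ]; then
    r=$(build_mail_fixture)
    diagnose "$r" amcnally southfl.net               # what the trace ends in
    echo 'amcnally: admin' >> "$r/etc/mail/aliases"  # candidate fix (assumed target)
    diagnose "$r" amcnally southfl.net
    rm -rf "$r"
fi
```

`sh mailcheck.sh demo` prints the UNKNOWN diagnosis, then the ALIAS line once the candidate alias is appended. On the real box the text file alone changes nothing: sendmail reads aliases.db, so run `newaliases` after editing /etc/mail/aliases, then confirm with `sendmail -bv amcnally@southfl.net`, which is the same check as the trace without the -d noise. If southfl.net is meant to be delivered somewhere else entirely, remove it from local-host-names instead, and the address goes out via SMTP.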
 
  

