LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Red Hat 6.22 Mailserver hacked : Help. (https://www.linuxquestions.org/questions/linux-security-4/red-hat-6-22-mailserver-hacked-help-19404/)

markng 04-25-2002 03:37 AM

Red Hat 6.22 Mailserver hacked : Help.
 
I have a mail server that I think has been hacked. The reason for saying is that the users(from the system) have been receiving spams with a "From" address coming from the mail server itself.

When i look at the mail log, I keep seeing this message " Mailbox vulnerable - directory /var/spool/mail must have 1777 protection"

Currently the /var/spool/mail directory has permissions lrwxrwxrwx. Another strange thing is that this directory seems to be linked to /home/var_spool/mail.

Can anyone tell me what I can do? Is this mail server comprised? Any help would be greatly appreciated.

Thanks in advance!!

unSpawn 04-25-2002 04:34 AM

IMO the mail message and weird spool location alone aren't proof of the server being cracked, could be some weird DeadRat6 glitch (tho i didn't see this in 5.2).
Does the maillog show the user that sent mail?
Is it a regular user? Privileged? What's the message? Is it garbage or "real"? Did you verify the system against the rpm database? (Note if the rpm database is corrupted/modified this won't matter). Does any log have strange entries for access to services followed by logging in/turning on services?

The next URI's should be a good way to determine if it was compromised, even tho they didn't mention chkrootkit(.org) as one of the usable tools: CERT Intruder Detection Checklist, CERT Steps for Recovering from a UNIX or NT System Compromise and the CERT UNIX Security Checklist v2.0.

markng 05-01-2002 10:50 AM

Thanks for replying. Can you tell me if there's anything wrong with this.

Lets say my domain name is somename.com and my mailserver is dns.somename.com

Recently we have been getting mails (spam) from dns@somename.com. These mails are addressed to unknown@somename.com.. If there's no such person such as "unknown", how come some of the users are getting the mail?

Also when i look at the mail log, it seems that the mail automatically gets delivered to 2 person in the system.

We have been getting a lot of these mails.. all with Chinese or Korean characters. How annoying..

I'll appreciate if u can help.

Thanks!

unSpawn 05-01-2002 02:28 PM

Couldya post some part of the maillog and the headers of such a message? Which "users" receive the mail? is the BIND on the box a really old, not-recently-upgraded version 8.2x? How about the sendmail version? Does it allow relaying?

Any chance in answering some questions in my previous reply as well? :-]

markng 05-01-2002 09:14 PM

Hi unSpawn,

BIND is version v8.2.3 and Sendmail is 8.9.3/8.8.7. Allows relaying only from a specific subnet. I've tried sending email using this server from home and its rejecting so I guess its still functioning.

Here's part of the maillog. I don't know which part its important to you. I've changed the domain name.. I don't need additional attention to this server ;)
-------------------------------

May 1 10:59:15 dns sendmail[12820]: KAA12820: from=<X7hko1BlrS@tpts7.seed.net.tw>, size=13656, class=0, pri=73656, nrcpts=2, msgid=<FPcAz1hIeZDG@tpts1.seed.net.tw>, bodytype=8BITMIME, proto=SMTP, relay=dial160-nk.hitron.net [210.200.140.160]
May 1 10:59:15 dns sendmail[12822]: KAA12820: to=<kelvin@jameshost.com.my>, delay=00:00:15, xdelay=00:00:00, mailer=local, stat=Sent
May 1 10:59:15 dns sendmail[12822]: KAA12820: to=<walter@jameshost.com.my>, delay=00:00:15, xdelay=00:00:00, mailer=local, stat=Sent
---------------------------------------

Kelvin and Walter are both real users in the system. When I look at the email from the sender, it comes from some_chinese_characters@jameshost.com.my. Its destined for ok.OK.004@jameshost.com.my. Question is : the sender and user don't exist in the system. How come only Kelvin and Walter gets the mail and not the other users in the system?

The message content is some advertisements which i don't understand as its in Chinese.

Any help would be greatly appreciated.
Thx!

unSpawn 05-02-2002 06:40 PM

Ok, could it be anti-spam hasn't been set up properly, maybe try to connect from any address and try to spoof your FROM address, by now I've seen references to both seed.net.tw dialups and hitron.net in relation to spam relaying, even tho seed.net.tw claims to be "anti-spam".

markng 05-05-2002 11:02 PM

Hi Unspawn,

I sent an email to the server with the "From" address with the same domain name (even though I'm from a different domain) with a bogus username. Eg.. superman@jameshost.com.my. and the mail was delivered successfully.

However, I can't just enter any username in the "to" field. Eg. idiot@jameshost.com.my. The intended receipient must be a valid user in the system.

Its just that those spammers can spoof the "From" and "To" fields.

Is there anything I can do? My boss keeps asking me if our mailserver has been hacked.

Thx in advance!!

unSpawn 05-06-2002 01:52 AM

I'll redirect you to sendmail.org's anti-spam resource pages where you should check and update your sendmail configs.


All times are GMT -5. The time now is 04:26 AM.