LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  04-25-2002, 02:37 AM  markng (LQ Newbie)
Red Hat 6.22 Mailserver hacked: Help.

I have a mail server that I think has been hacked. The reason for saying this is that the users (on the system) have been receiving spam with a "From" address coming from the mail server itself.

When I look at the mail log, I keep seeing this message: "Mailbox vulnerable - directory /var/spool/mail must have 1777 protection".

Currently the /var/spool/mail directory has permissions lrwxrwxrwx. Another strange thing is that this directory seems to be linked to /home/var_spool/mail.

Can anyone tell me what I can do? Is this mail server compromised? Any help would be greatly appreciated.

Thanks in advance!!
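As an added illustration (not code from the thread), here is the check behind the "Mailbox vulnerable" warning quoted in post #1, written in Python. The warning is about the permission bits of the spool directory: a directory every user can write to must carry the sticky bit (1777), otherwise any local user can rename or delete other users' mailboxes. Because the poster's /var/spool/mail is a symlink, the lrwxrwxrwx shown on the link is meaningless; what counts is the mode of the target, /home/var_spool/mail. The script builds two throwaway directories of its own (constructed, nothing from the poster's system) and reports on each.

```python
import os
import stat
import tempfile


def check_mail_spool(path):
    """Report on a mail spool directory, following symlinks.

    A spool that every user can write to (mode ?777) must carry the
    sticky bit (1777); without it any local user can rename or delete
    other users' mailboxes, which is what the "Mailbox vulnerable"
    warning is about. Ownership is reported as a note, not a failure.
    """
    report = {"path": path, "is_symlink": os.path.islink(path),
              "target": os.path.realpath(path), "mode": None,
              "problems": [], "notes": []}
    if report["is_symlink"]:
        # The link's own lrwxrwxrwx bits mean nothing; only the target counts.
        report["notes"].append("symlink -> %s" % report["target"])
    try:
        st = os.stat(path)          # stat() follows the link to the real dir
    except OSError as e:
        report["problems"].append("cannot stat: %s" % e)
        report["ok"] = False
        return report
    mode = stat.S_IMODE(st.st_mode)
    report["mode"] = "%04o" % mode
    if not stat.S_ISDIR(st.st_mode):
        report["problems"].append("not a directory")
    world_writable = bool(mode & stat.S_IWOTH)
    sticky = bool(mode & stat.S_ISVTX)
    if world_writable and not sticky:
        report["problems"].append(
            "world-writable without sticky bit (mode %04o, need 1777)" % mode)
    if st.st_uid != 0:
        report["notes"].append("not owned by root (uid %d)" % st.st_uid)
    report["ok"] = not report["problems"]
    return report


def demo():
    """Build two constructed spool dirs under a temp dir and check both:
    a correct 1777 target reached through a symlink (the poster's layout),
    and a 0777 directory that lacks the sticky bit."""
    base = tempfile.mkdtemp(prefix="spooldemo")
    target = os.path.join(base, "var_spool_mail")  # stands in for /home/var_spool/mail
    os.mkdir(target)
    os.chmod(target, 0o1777)
    link = os.path.join(base, "mail")               # stands in for /var/spool/mail
    os.symlink(target, link)
    bad = os.path.join(base, "mail_no_sticky")
    os.mkdir(bad)
    os.chmod(bad, 0o777)
    return check_mail_spool(link), check_mail_spool(bad)


if __name__ == "__main__":
    for r in demo():
        print("%s mode=%s %s" % (r["path"], r["mode"],
                                 "ok" if r["ok"] else "VULNERABLE"))
        for p in r["problems"]:
            print("  problem:", p)
        for n in r["notes"]:
            print("  note:", n)
```

To check a live system, call `check_mail_spool("/var/spool/mail")` as root. A relocated, symlinked spool is not by itself evidence of a break-in, but whoever set it up should be able to explain it, and the target's mode and ownership are what the delivery agent is complaining about.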
 
#2  04-25-2002, 03:34 AM  unSpawn (Moderator)
IMO the mail message and weird spool location alone aren't proof of the server being cracked; it could be some weird DeadRat6 glitch (though I didn't see this in 5.2).
Does the maillog show the user that sent mail?
Is it a regular user? Privileged? What's the message? Is it garbage or "real"? Did you verify the system against the rpm database? (Note: if the rpm database is corrupted/modified this won't matter.) Does any log have strange entries for access to services followed by logging in/turning on services?

The following URIs should be a good way to determine if it was compromised, even though they didn't mention chkrootkit(.org) as one of the usable tools: CERT Intruder Detection Checklist, CERT Steps for Recovering from a UNIX or NT System Compromise and the CERT UNIX Security Checklist v2.0.
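An added example, not part of unSpawn's reply, of the "verify the system against the rpm database" step: `rpm -Va` prints one line per file that differs from what the package database records, and this Python triage sorts that output so a changed system binary stands out from a harmlessly edited config file. The input lines are constructed here for illustration. The caveat in the reply still applies: an intruder who replaced binaries can also have altered the rpm database, so treat a clean `rpm -Va` as weak evidence, re-verify key packages against the original media with `rpm -Vp <package.rpm>`, and run chkrootkit as well.

```python
import re

# Each `rpm -Va` line starts with a flag field: S size, M mode, 5 MD5 digest,
# D device, L symlink, U user, G group, T mtime ("." = unchanged, "?" = could
# not test).  A lone "c" before the path marks a config file, and "missing"
# replaces the field when the file is gone.  Sample output below is constructed.
SAMPLE_RPM_VA = """\
S.5....T   /bin/ls
..5....T c /etc/sendmail.cf
.M......   /usr/bin/passwd
.......T   /usr/share/doc/bash-1.14.7/README
missing    /sbin/ifconfig
S.5....T c /etc/mail/access
"""

LINE_RE = re.compile(r"^(missing|[SMD5LUGT.?]{8,9})\s+(?:([cdglr])\s+)?(\S+)$")
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")


def triage_rpm_verify(text):
    """Classify each verify line; returns a list of dicts, worst first."""
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # rpm also prints dependency complaints etc.; skip those
        flags, ftype, path = m.groups()
        is_config = ftype == "c"
        if flags == "missing":
            sev, why = "high", "file missing"
        elif "5" in flags or "S" in flags:
            if is_config:
                sev, why = "info", "config file edited (expected if you changed it)"
            elif path.startswith(SYSTEM_DIRS):
                sev, why = "high", "contents of a system binary/library changed"
            else:
                sev, why = "medium", "contents changed"
        elif "M" in flags or "U" in flags or "G" in flags:
            sev, why = "high", "mode/owner changed (check for added setuid bits)"
        elif flags.strip(".") in ("T", ""):
            sev, why = "low", "only mtime differs"
        else:
            sev, why = "medium", "attributes differ: " + flags
        results.append({"path": path, "flags": flags, "config": is_config,
                        "severity": sev, "reason": why})
    order = {"high": 0, "medium": 1, "info": 2, "low": 3}
    results.sort(key=lambda r: order[r["severity"]])
    return results


if __name__ == "__main__":
    # Real use: triage_rpm_verify(subprocess.check_output(["rpm", "-Va"], text=True))
    for r in triage_rpm_verify(SAMPLE_RPM_VA):
        print("%-6s %-9s %s  (%s)" % (r["severity"], r["flags"], r["path"], r["reason"]))
```

A changed MD5 on /bin/ls, /bin/ps, /bin/netstat, /sbin/ifconfig or /usr/bin/find is the classic rootkit signature and should be compared against the package on the install CD, not against the on-disk database.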
 
#3  05-01-2002, 09:50 AM  markng (Original Poster)
Thanks for replying. Can you tell me if there's anything wrong with this?

Let's say my domain name is somename.com and my mail server is dns.somename.com.

Recently we have been getting mail (spam) from dns@somename.com. These mails are addressed to unknown@somename.com. If there's no such person as "unknown", how come some of the users are getting the mail?

Also, when I look at the mail log, it seems that the mail automatically gets delivered to two people in the system.

We have been getting a lot of these mails, all with Chinese or Korean characters. How annoying.

I'd appreciate it if you can help.

Thanks!
 
#4  05-01-2002, 01:28 PM  unSpawn (Moderator)
Could you post some part of the maillog and the headers of such a message? Which "users" receive the mail? Is the BIND on the box a really old, not-recently-upgraded version 8.2x? How about the sendmail version? Does it allow relaying?

Any chance in answering some questions in my previous reply as well? :-]
 
#5  05-01-2002, 08:14 PM  markng (Original Poster)
Hi unSpawn,

BIND is version 8.2.3 and Sendmail is 8.9.3/8.8.7. It allows relaying only from a specific subnet. I've tried sending email using this server from home and it's rejecting it, so I guess it's still functioning.

Here's part of the maillog. I don't know which part is important to you. I've changed the domain name; I don't need additional attention to this server.
-------------------------------

May 1 10:59:15 dns sendmail[12820]: KAA12820: from=<X7hko1BlrS@tpts7.seed.net.tw>, size=13656, class=0, pri=73656, nrcpts=2, msgid=<FPcAz1hIeZDG@tpts1.seed.net.tw>, bodytype=8BITMIME, proto=SMTP, relay=dial160-nk.hitron.net [210.200.140.160]
May 1 10:59:15 dns sendmail[12822]: KAA12820: to=<kelvin@jameshost.com.my>, delay=00:00:15, xdelay=00:00:00, mailer=local, stat=Sent
May 1 10:59:15 dns sendmail[12822]: KAA12820: to=<walter@jameshost.com.my>, delay=00:00:15, xdelay=00:00:00, mailer=local, stat=Sent
---------------------------------------

Kelvin and Walter are both real users in the system. When I look at the email from the sender, it comes from some_chinese_characters@jameshost.com.my. It's destined for ok.OK.004@jameshost.com.my. Question is: the sender and user don't exist in the system. How come only Kelvin and Walter get the mail and not the other users in the system?

The message content is some advertisements which I don't understand as it's in Chinese.

Any help would be greatly appreciated.
Thx!
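The posted log lines only make sense once the SMTP envelope is separated from the message headers, so here is an added example (not code from the thread) that correlates sendmail maillog entries by queue ID and flags the cases the thread is circling around. The `to=` entries are the envelope recipients, which is why Kelvin and Walter received a message whose "To:" header says ok.OK.004@jameshost.com.my: the header is just text inside the message, and the spammer put two real local addresses in RCPT TO. The first three log lines are the ones from the post; the remaining lines, the local domain list and the trusted subnet are constructed assumptions.

```python
import ipaddress
import re

# Assumptions: the local domain is the one in the posted log, and the
# "specific subnet" allowed to relay is taken to be 192.168.1.0/24 plus the box.
LOCAL_DOMAINS = {"jameshost.com.my"}
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("127.0.0.0/8")]

# First three lines are from the post; the rest are constructed (RFC 5737 IPs).
SAMPLE_MAILLOG = """\
May 1 10:59:15 dns sendmail[12820]: KAA12820: from=<X7hko1BlrS@tpts7.seed.net.tw>, size=13656, class=0, pri=73656, nrcpts=2, msgid=<FPcAz1hIeZDG@tpts1.seed.net.tw>, bodytype=8BITMIME, proto=SMTP, relay=dial160-nk.hitron.net [210.200.140.160]
May 1 10:59:15 dns sendmail[12822]: KAA12820: to=<kelvin@jameshost.com.my>, delay=00:00:15, xdelay=00:00:00, mailer=local, stat=Sent
May 1 10:59:15 dns sendmail[12822]: KAA12820: to=<walter@jameshost.com.my>, delay=00:00:15, xdelay=00:00:00, mailer=local, stat=Sent
May 1 11:02:40 dns sendmail[12901]: KAA12901: from=<superman@jameshost.com.my>, size=812, class=0, pri=30812, nrcpts=1, msgid=<fake@example.net>, proto=SMTP, relay=[203.0.113.7]
May 1 11:02:41 dns sendmail[12903]: KAA12901: to=<kelvin@jameshost.com.my>, delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent
May 1 11:05:02 dns sendmail[12950]: KAA12950: from=<bulk@example.org>, size=4000, class=0, pri=34000, nrcpts=1, msgid=<x@example.org>, proto=SMTP, relay=[198.51.100.9]
May 1 11:05:03 dns sendmail[12952]: KAA12950: to=<victim@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.example.com. [198.51.100.20], stat=Sent
May 1 11:07:10 dns sendmail[13001]: KAA13001: from=<kelvin@jameshost.com.my>, size=500, class=0, pri=30500, nrcpts=1, msgid=<ok@jameshost.com.my>, proto=SMTP, relay=pc12.jameshost.com.my [192.168.1.12]
May 1 11:07:11 dns sendmail[13003]: KAA13001: to=<friend@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.example.com. [198.51.100.20], stat=Sent
"""

ENTRY_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
                      r"(?P<qid>[A-Za-z0-9]+): (?P<body>.*)$")
IP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")


def parse_fields(body):
    """'from=<a>, size=1, relay=h [ip]' -> {'from': '<a>', 'size': '1', ...}"""
    fields = {}
    for part in body.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def correlate(log_text):
    """Group from=/to= lines by queue ID.  The PIDs differ (12820 vs 12822 in
    the posted lines) because delivery runs in a child process; the queue ID
    ties envelope sender, relay and recipients together."""
    msgs = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        rec = msgs.setdefault(m.group("qid"), {"qid": m.group("qid"), "sender": None,
                                               "relay_ip": None, "recipients": []})
        f = parse_fields(m.group("body"))
        if "from" in f:
            rec["sender"] = f["from"].strip("<>")
            ip = IP_RE.search(f.get("relay", ""))
            rec["relay_ip"] = ip.group(1) if ip else None
        elif "to" in f:
            rec["recipients"].append({"addr": f["to"].strip("<>"),
                                      "mailer": f.get("mailer"), "stat": f.get("stat")})
    return msgs


def is_trusted(ip):
    if ip is None:
        return True   # relay=user@localhost: submitted by a process on the box itself
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if addr and "@" in addr else ""


def analyse(log_text):
    """Flags per message: inbound_external (outside host -> local mailboxes,
    i.e. normal mail), spoofed_local_sender (outside host claims an envelope
    sender in our domain), relayed_for_outsider (outside host's mail was
    forwarded to another domain: open relay)."""
    report = correlate(log_text)
    for rec in report.values():
        trusted = is_trusted(rec["relay_ip"])
        sender_local = domain_of(rec["sender"]) in LOCAL_DOMAINS
        local = [r for r in rec["recipients"] if r["mailer"] == "local"]
        remote = [r for r in rec["recipients"] if r["mailer"] != "local"]
        flags = []
        if not trusted and sender_local:
            flags.append("spoofed_local_sender")
        if not trusted and remote:
            flags.append("relayed_for_outsider")
        if not trusted and local and not sender_local:
            flags.append("inbound_external")
        rec["flags"] = flags
    return report


if __name__ == "__main__":
    for rec in analyse(SAMPLE_MAILLOG).values():
        print(rec["qid"], rec["relay_ip"], rec["sender"],
              [r["addr"] for r in rec["recipients"]], rec["flags"])
```

In the posted message the envelope sender was an outside address and delivery was mailer=local, so by the log it is ordinary inbound mail with a forged From: header rather than evidence that the box was relaying or broken into. The two constructed cases show what a real problem looks like in the same log format: an outside relay claiming a sender in the local domain, and an outside relay's mail being forwarded to a third-party domain.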
 
#6  05-02-2002, 05:40 PM  unSpawn (Moderator)
OK, could it be anti-spam hasn't been set up properly? Maybe try to connect from any address and try to spoof your FROM address. By now I've seen references to both seed.net.tw dialups and hitron.net in relation to spam relaying, even though seed.net.tw claims to be "anti-spam".
 
#7  05-05-2002, 10:02 PM  markng (Original Poster)
Hi Unspawn,

I sent an email to the server with the "From" address using the same domain name (even though I'm from a different domain) with a bogus username, e.g. superman@jameshost.com.my, and the mail was delivered successfully.

However, I can't just enter any username in the "To" field, e.g. idiot@jameshost.com.my. The intended recipient must be a valid user in the system.

It's just that those spammers can spoof the "From" and "To" fields.

Is there anything I can do? My boss keeps asking me if our mailserver has been hacked.

Thx in advance!!
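An added example (not from the thread) that turns the manual test in post #7 into a repeatable probe using Python's smtplib: it connects, tries the three envelope combinations below, records the reply codes and resets the transaction without ever sending DATA, so nothing is actually delivered. Hostname, addresses and the vantage point are assumptions; run it only against a server you are responsible for, from outside the subnet that is allowed to relay.

```python
import smtplib

# Probe cases; host and addresses are assumptions based on the thread.
# Each tuple: label, MAIL FROM, RCPT TO, meaning of a 2xx reply to RCPT TO.
PROBES = [
    ("spoofed local sender", "superman@jameshost.com.my", "kelvin@jameshost.com.my",
     "an outside host may use a local sender address"),
    ("unknown local recipient", "probe@example.net", "idiot@jameshost.com.my",
     "unknown local users are accepted (the poster saw these rejected)"),
    ("open relay", "probe@example.net", "someone@example.com",
     "the server relays mail from strangers to other domains"),
]


def classify(results):
    """results: [(label, mail_code, rcpt_code), ...] as returned by run_probes.
    A probe is a finding only when both MAIL FROM and RCPT TO got a 2xx reply;
    a 4xx/5xx at either step means the server refused that case."""
    meaning = {label: why for label, _, _, why in PROBES}
    findings = []
    for label, mail_code, rcpt_code in results:
        if mail_code // 100 == 2 and rcpt_code // 100 == 2:
            findings.append("%s: %s" % (label, meaning[label]))
    return findings


def run_probes(host, port=25, timeout=20):
    """Issue MAIL FROM / RCPT TO for each probe, then RSET.  DATA is never
    sent, so no message is created or delivered."""
    results = []
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        for label, sender, recipient, _ in PROBES:
            mail_code, _ = smtp.mail(sender)
            rcpt_code = 0
            if mail_code // 100 == 2:
                rcpt_code, _ = smtp.rcpt(recipient)
            smtp.rset()
            results.append((label, mail_code, rcpt_code))
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dns.jameshost.com.my"  # assumed name
    for line in classify(run_probes(host)) or ["no findings"]:
        print(line)
```

`classify` is kept apart from the network code so the interpretation can be checked against recorded reply codes. An accepted spoofed local sender is the finding the poster reproduced by hand; an accepted unknown local recipient would contradict what the poster saw; an accepted remote recipient means the box is an open relay no matter what the sender line says, which is the case that gets a server blacklisted.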
 
#8  05-06-2002, 12:52 AM  unSpawn (Moderator)
I'll redirect you to sendmail.org's anti-spam resource pages where you should check and update your sendmail configs.
 
  

