Re: Have I been cracked?

Author: Bob Holtzman
To: plug-discuss
Subject: Re: Have I been cracked?
On Fri, 20 Aug 2004, Craig White wrote:

> On Fri, 2004-08-20 at 00:05, Bob Holtzman wrote:
> > I just got logwatch fired up and I'm seeing entries such as:
> >
> > --------------------- sendmail Begin ------------------------
> >
> > 1161352 bytes transferred
> > 267 messages sent
> > ---------------------- sendmail End -------------------------
> >
> > If this refers to outgoing messages from my box, I have a problem, true?
> > I'm running RH 7.3 and checked medium security level when I installed.
> > Any other information required?
> ====
> what's in /var/log/maillog ?
>
> what do you get from
> rpm -qa|grep sendmail
> cat /etc/mail/access
> commands?


I'm getting a bunch of bounce entries, multiples of each:

Aug 20 19:23:58 localhost sendmail[9563]: i7L2Nv509563:
from=<>, size=22728, class=-100, nrcpts=1,
msgid=<>, bodytype=7BIT,
proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Aug 20 19:23:59 localhost sendmail[9572]: i7L2Nx509572:
from=<>, size=6640, class=-30,
nrcpts=1, msgid=<>, proto=ESMTP, daemon=MTA,
relay=localhost.localdomain [127.0.0.1]

rpm -qa|grep sendmail gives:

sendmail-cf-8.11.6-15
sendmail-8.11.6-15

I should have included this in my original post.

The next one, I think, concerns me:

[holtzm@localhost holtzm]$ cat /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
localhost.localdomain        RELAY
localhost            RELAY
127.0.0.1            RELAY


Does this mean I'm an open relay?

On a related note I saw this in my maillog from July 18:

Jul 18 23:31:13 localhost sendmail[960]: alias database /etc/aliases
rebuilt by root
Jul 18 23:31:13 localhost sendmail[960]: /etc/aliases: 40 aliases, longest
10 bytes, 395 bytes total

/etc/aliases shows redirections for all pseudo accounts to be root except
for:

newsadm:        news
newsadmin:      news
usenet:         news
ftpadm:         ftp
ftpadmin:       ftp
ftp-adm:        ftp
ftp-admin:      ftp


Am I confused? Damned right I am!

--
Bob Holtzman
"If you think you're getting free lunch,
......check the price of the beer!"


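An added example, not from Bob's post or the list archive: a small Python check that groups maillog entries by their relay= host and counts the empty-envelope-sender (from=<>) bounces among them, and that lists which keys in /etc/mail/access are permitted to RELAY. The first two log lines are the ones quoted above rejoined onto single lines; the third line, the 203.0.113.5 and 192.0.2 values are constructed for illustration.

```python
import re

# Constructed sample: the two maillog lines from the post (rejoined) plus one
# constructed line showing a message that arrived from a non-local host.
MAILLOG = """\
Aug 20 19:23:58 localhost sendmail[9563]: i7L2Nv509563: from=<>, size=22728, class=-100, nrcpts=1, msgid=<>, bodytype=7BIT, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Aug 20 19:23:59 localhost sendmail[9572]: i7L2Nx509572: from=<>, size=6640, class=-30, nrcpts=1, msgid=<>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Aug 20 19:24:10 localhost sendmail[9580]: i7L2OA509580: from=<someone@example.net>, size=1200, class=0, nrcpts=1, msgid=<x@example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
"""

# The access file as shown in the post (comments shortened).
ACCESS = """\
# by default we allow relaying from localhost...
localhost.localdomain        RELAY
localhost            RELAY
127.0.0.1            RELAY
"""

LOCAL = {"localhost", "localhost.localdomain", "127.0.0.1"}
RELAY_RE = re.compile(r"relay=(?P<name>\S+?)?\s*\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")

def summarize_relays(log):
    """Group 'from=' entries by the relay IP; note how many are bounces (from=<>)."""
    summary = {}
    for line in log.splitlines():
        m, f = RELAY_RE.search(line), FROM_RE.search(line)
        if not m or not f:
            continue
        ip = m.group("ip")
        entry = summary.setdefault(ip, {"count": 0, "bounces": 0, "local": ip in LOCAL})
        entry["count"] += 1
        if f.group("addr") == "":  # empty envelope sender = locally generated DSN
            entry["bounces"] += 1
    return summary

def relay_entries(access):
    """Return (key, action) pairs from an access file, skipping comments and blanks."""
    out = []
    for line in access.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            out.append((parts[0], parts[1].upper()))
    return out

def nonlocal_relay_keys(access):
    """RELAY keys other than loopback names/addresses: only these widen who may relay."""
    return [k for k, a in relay_entries(access) if a == "RELAY" and k not in LOCAL]
```

Entries whose relay= is the loopback address were generated on the box itself (here, bounces), so they say nothing about relaying from outside; an empty result from nonlocal_relay_keys means the access file grants RELAY to localhost only.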
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss