Re: [Exim] exim logs hint at root comprimise?

Author: Nico Erfurth
Date:  
To: Adam Henry
CC: exim-users
Subject: Re: [Exim] exim logs hint at root comprimise?
Adam Henry wrote:
> Looks certainly like a process having root access to this machine is
> sending outgoing email. Am I reading the hints from the logs
> correctly?
>
> Suspicious queue:


.... You really should not post such a list of email addresses .....

> Relevant log entries for this message id:
>
>    2003-01-20 13:50:36 18ah0G-0001SG-00 <= mftb@??? U=root P=local S=5472 id=000a01c28163$f0dc25a0$dd82570c@oemcomputer T="Litter-A-Chair..." from <root@???> for [...]

>
> Doesn't look good. Before I jump the gun, can anyone confirm my fears?


Yep, this looks like the message was generated locally by the user root,
BUT it's very unlikely that someone hacked your server to send out mails.

What does the mail contain? spam?

Please try exigrep '000a01c28163$f0dc25a0$dd82570c@oemcomputer'
main.log to see if the same mail was maybe injected in another way
first, and came back to exim after some kind of filtering.

Nico
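The check Nico suggests, done over the log rather than by hand, as an added example that is not part of the thread and is not Exim's own tooling. It parses Exim main.log arrival ("<=") lines, picks out the ones that root injected locally (U=root P=local, i.e. submitted through the local command-line interface by uid 0 rather than over SMTP), and then looks at each one's Message-ID the way exigrep would: if the same Message-ID arrived earlier over SMTP, the local copy is most likely a forward or filter re-submission; if Exim generated the ID itself (Exim's own IDs have the form E<exim-id>@<hostname>), some local process composed the mail without one; only a locally injected message with a foreign Message-ID that never arrived from outside is the case worth chasing back to a root process. The log lines are constructed for the example (hosts and addresses are invented; the Message-ID is the one quoted above), and the field layout assumed is the one visible in the quoted line. Note that exigrep takes its pattern as a Perl regular expression, so the `$` characters in that Message-ID need escaping unless you use the literal-match `-l` flag.

```python
import re

# Constructed sample of Exim main.log arrival ("<=") lines for this example.
# Hosts and addresses are invented; the field layout follows the line quoted
# in the thread (sender, H=/U=, P=, S=, id=, T="...", from <...>, for ...).
SAMPLE_LOG = """\
2003-01-20 13:40:02 18agqQ-0001Rz-00 <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=5311 id=000a01c28163$f0dc25a0$dd82570c@oemcomputer T="Litter-A-Chair..." for adam@example.net
2003-01-20 13:50:36 18ah0G-0001SG-00 <= mftb@example.org U=root P=local S=5472 id=000a01c28163$f0dc25a0$dd82570c@oemcomputer T="Litter-A-Chair..." from <root@example.net> for bob@example.com
2003-01-20 14:02:11 18ahBj-0001Sp-00 <= root@example.net U=root P=local S=812 id=E18ahBj-0001Sp-00@example.net T="cron job output" for adam@example.net
2003-01-20 14:05:47 18ahF3-0001T1-00 <= root@example.net U=root P=local S=9031 id=1f3a9c$9e1b7d@oemcomputer T="Cheap watches" for carol@example.com
"""

ARRIVAL_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<exim_id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) <= '
    r'(?P<sender>\S+) (?P<rest>.*)$')
FIELD_RE = re.compile(r'(?:^|\s)(?P<key>U|P|S|id|H)=(?P<val>\S+)')
SUBJECT_RE = re.compile(r'\sT="(?P<subject>[^"]*)"')
FROM_RE = re.compile(r'\sfrom <(?P<hdr_from>[^>]*)>')
RCPT_RE = re.compile(r'\sfor (?P<rcpts>.*)$')
# Message-IDs that Exim generates itself look like E<exim-id>@<hostname>.
EXIM_GENERATED_ID_RE = re.compile(
    r'^E[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}@')


def parse_arrival(line):
    """Parse one '<=' line into a dict; return None for any other log line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = {'date': m['date'], 'time': m['time'], 'exim_id': m['exim_id'],
           'sender': m['sender'], 'user': None, 'protocol': None, 'size': None,
           'message_id': None, 'host': None, 'subject': None,
           'header_from': None, 'recipients': []}
    rest = m['rest']
    s = SUBJECT_RE.search(rest)
    if s:
        rec['subject'] = s['subject']
        rest = SUBJECT_RE.sub(' ', rest)   # keep subject text out of field parsing
    names = {'U': 'user', 'P': 'protocol', 'id': 'message_id', 'H': 'host'}
    for f in FIELD_RE.finditer(rest):
        if f['key'] == 'S':
            rec['size'] = int(f['val'])
        else:
            rec[names[f['key']]] = f['val']
    fr = FROM_RE.search(rest)
    if fr:
        rec['header_from'] = fr['hdr_from']
    rc = RCPT_RE.search(rest)
    if rc:
        rec['recipients'] = rc['rcpts'].split()
    return rec


def parse_log(text):
    """All arrival records in log order (main.log is chronological)."""
    return [r for r in (parse_arrival(l) for l in text.splitlines()) if r]


def local_root_submissions(records):
    """Messages injected on the local command line by uid 0."""
    return [r for r in records if r['protocol'] == 'local' and r['user'] == 'root']


def trace_message_id(records, message_id):
    """Exim IDs of every arrival carrying this Message-ID, oldest first
    (the same question `exigrep` answers, but matched literally)."""
    return [r['exim_id'] for r in records if r['message_id'] == message_id]


def classify_local_root(records):
    """Map each root/local arrival to a verdict:
       ('reinjected', <earlier exim id>)  same Message-ID arrived over SMTP first
       ('exim_generated', None)           Exim made the ID: cron/script/bounce output
       ('foreign_id', None)               foreign ID, never seen from outside: investigate
    """
    seen_remote = {}   # message_id -> exim_id of its first non-local arrival
    verdicts = {}
    for rec in records:
        mid = rec['message_id']
        if rec['protocol'] != 'local':
            if mid:
                seen_remote.setdefault(mid, rec['exim_id'])
            continue
        if rec['user'] != 'root':
            continue
        if mid in seen_remote:
            verdicts[rec['exim_id']] = ('reinjected', seen_remote[mid])
        elif mid and EXIM_GENERATED_ID_RE.match(mid):
            verdicts[rec['exim_id']] = ('exim_generated', None)
        else:
            verdicts[rec['exim_id']] = ('foreign_id', None)
    return verdicts


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for exim_id, (verdict, earlier) in classify_local_root(recs).items():
        print(f'{exim_id}: {verdict}' + (f' (first seen as {earlier})' if earlier else ''))
```

Run against a real main.log by replacing SAMPLE_LOG with the file contents; only the foreign_id entries need a look at which root-owned process (a cron job, a web application running as root, a forwarding .forward or filter) called the local interface at that time.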