Re: [Exim] exim logs hint at root comprimise?

Author: Nico Erfurth
Date:  
To: Adam Henry
Cc: exim-users
Subject: Re: [Exim] exim logs hint at root comprimise?
Adam Henry wrote:
> Looks certainly like a process having root access to this machine is
> sending outgoing email. Am I reading the hints from the logs
> correctly?
>
> Suspicious queue:


.... You really should not post such a list of email addresses .....

> Relevant log entries for this message id:
>
>    2003-01-20 13:50:36 18ah0G-0001SG-00 <= mftb@??? U=root
>    P=local S=5472 id=000a01c28163$f0dc25a0$dd82570c@oemcomputer
>    T="Litter-A-Chair..." from <root@???> for [...]

>
> Doesn't look good. Before I jump the gun, can anyone confirm my fears?


Yep, this looks like the message was generated locally by the user root,
BUT it's very unlikely that someone hacked your server to send out mails.

What does the mail contain? spam?

Please try exigrep '000a01c28163\$f0dc25a0\$dd82570c@oemcomputer'
main.log to see if the same mail was maybe injected in another way
first, and came back to exim after some kind of filtering.

Nico
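
The check suggested in the reply above, as an added example that is not part of the original message and is not exigrep itself: it collects every arrival (`<=`) line carrying a given `id=` header value, compared as a literal string, and reports whether a `U=root P=local` arrival was preceded by a non-local arrival of the same message. The sample log lines, hosts, addresses and ids are constructed.

```python
import re

# "<=" (arrival) line of an Exim main log; 6-6-2 ids as in the 2003 log quoted above.
ARRIVAL = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
                     r"(?P<exim_id>\w{6}-\w{6}-\w{2}) <= (?P<sender>\S+)(?P<rest>.*)$")
FIELD = re.compile(r" (U|H|P|id)=(\S+)")

def arrivals_for(log_lines, header_id):
    """Arrivals whose id= field equals header_id, compared as a literal string."""
    hits = []
    for line in log_lines:
        m = ARRIVAL.match(line)
        if not m:
            continue  # deliveries ("=>"), completions, etc.
        # T="..." holds the sender-controlled Subject; drop it before reading fields.
        fields = dict(FIELD.findall(m["rest"].split(' T="', 1)[0]))
        if fields.get("id") == header_id:
            hits.append({"ts": m["ts"], "exim_id": m["exim_id"], "proto": fields.get("P"),
                         "user": fields.get("U"), "host": fields.get("H")})
    return hits

def reinjected(hits):
    """True if a P=local arrival follows an earlier non-local arrival of the same id."""
    seen_remote = False
    for h in hits:  # hits are in log order
        if h["proto"] != "local":
            seen_remote = True
        elif seen_remote:
            return True
    return False

# Constructed sample lines (hypothetical hosts, addresses and ids).
HEADER_ID = "0001$abc$def@pc.example"
SAMPLE_LOG = [
    "2003-01-20 13:50:31 1AAAAA-000001-00 <= a@example.org H=mx.example.org [192.0.2.10] P=esmtp S=5120 id=" + HEADER_ID,
    "2003-01-20 13:50:33 1AAAAA-000001-00 => |/usr/local/bin/scanner <u@example.net> D=scan T=pipe",
    "2003-01-20 13:50:36 1AAAAB-000002-00 <= a@example.org U=root P=local S=5472 id=" + HEADER_ID + ' T="offer"',
    '2003-01-20 13:51:02 1AAAAC-000003-00 <= b@example.org U=root P=local S=900 id=other@pc.example T="x id=' + HEADER_ID + ' y"',
]

if __name__ == "__main__":
    hits = arrivals_for(SAMPLE_LOG, HEADER_ID)
    for h in hits:
        print(h)
    print("re-injected after filtering:", reinjected(hits))
```

A `True` result matches the benign case described in the reply (mail received over SMTP, passed through a local filter, and re-submitted as root); `False` with only a `P=local` arrival means the message first entered the system locally.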