Re: [Exim] exim logs hint at root compromise?

Author: Nico Erfurth
Date:
To: Adam Henry
CC: exim-users
Subject: Re: [Exim] exim logs hint at root compromise?
Adam Henry wrote:
> Looks certainly like a process having root access to this machine is
> sending outgoing email. Am I reading the hints from the logs
> correctly?
>
> Suspicious queue:


.... You really should not post such a list of email addresses .....

> Relevant log entries for this message id:
>
>    2003-01-20 13:50:36 18ah0G-0001SG-00 <= mftb@??? U=root
>    P=local S=5472 id=000a01c28163$f0dc25a0$dd82570c@oemcomputer
>    T="Litter-A-Chair..." from <root@???> for [...]

>
> Doesn't look good. Before I jump the gun, can anyone confirm my fears?


Yep, this looks like the message was generated locally by the user root,
BUT it's very unlikely that someone hacked your server to send out mails.

What does the mail contain? spam?

Please try exigrep '000a01c28163$f0dc25a0$dd82570c@oemcomputer'
main.log to see if the same mail was maybe injected in another way
first, and came back to exim after some kind of filtering.

Nico
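
As an added example (not part of the original message and not Exim's own code): a small Python script that performs the cross-check suggested above on a main log, listing every arrival line that carries the same header Message-ID and reporting whether the `U=root P=local` arrival was preceded by an arrival over another protocol. The sample log lines, addresses, hosts, filter path and function names are constructed for illustration; the Message-ID is compared as a literal string, so its `$` characters need no escaping.

```python
import re

# Constructed sample main.log (addresses, hosts and the filter path are placeholders).
MSGID = "000a01c28163$f0dc25a0$dd82570c@oemcomputer"
SAMPLE_LOG = """\
2003-01-20 13:50:30 18ah0A-0001S9-00 <= sender@example.net H=mx.example.net [192.0.2.10] P=esmtp S=5100 id=000a01c28163$f0dc25a0$dd82570c@oemcomputer
2003-01-20 13:50:35 18ah0A-0001S9-00 => |/usr/local/bin/filter <user@example.org> R=filter T=filter_pipe
2003-01-20 13:50:35 18ah0A-0001S9-00 Completed
2003-01-20 13:50:36 18ah0G-0001SG-00 <= mftb@example.com U=root P=local S=5472 id=000a01c28163$f0dc25a0$dd82570c@oemcomputer T="Litter-A-Chair..."
2003-01-20 13:50:40 18ah0G-0001SG-00 => user@example.org R=dnslookup T=remote_smtp H=mail.example.org [192.0.2.20]
"""

ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) (.*)$")
FIELD = re.compile(r"(?:^| )([A-Za-z]+)=(\S+)")

def arrivals_for(log_text, header_msgid):
    """Return, in log order, every arrival ('<=') line whose id= field equals header_msgid."""
    hits = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # deliveries, "Completed", etc.
        when, exim_id, sender, rest = m.groups()
        fields = {}
        for key, value in FIELD.findall(rest):
            # First occurrence wins: the sender-controlled T="..." subject is logged after id=
            fields.setdefault(key, value)
        if fields.get("id") == header_msgid:  # literal comparison, not a regex
            hits.append({"when": when, "exim_id": exim_id, "sender": sender,
                         "proto": fields.get("P"), "user": fields.get("U"),
                         "host": fields.get("H")})
    return hits

def reinjected(hits):
    """True if a P=local arrival follows an earlier arrival over another protocol."""
    seen_remote = False
    for hit in hits:
        if hit["proto"] == "local" and seen_remote:
            return True
        if hit["proto"] != "local":
            seen_remote = True
    return False

if __name__ == "__main__":
    found = arrivals_for(SAMPLE_LOG, MSGID)
    for hit in found:
        print(hit["when"], hit["exim_id"], hit["proto"], hit["user"] or hit["host"])
    print("re-injected after earlier arrival:", reinjected(found))
```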