Re: [Exim] exim logs hint at root compromise?

Author: Adam Henry
Date:  
To: Nico Erfurth
CC: exim-users
Subject: Re: [Exim] exim logs hint at root compromise?
On Fri, Jan 24, 2003 at 12:15:03AM +0100, Nico Erfurth wrote:
> Adam Henry wrote:
> >Suspicious queue:
>
> .... You really should not post such a list of email addresses .....


It was very stupid of me to do such a thing. I admit to not thinking
about it at all, and hope that it doesn't contribute to much more spam
these people may be receiving. This is clearly a violation of proper
list etiquette, and I promise to be more careful about what I post
from my log files.

> >Relevant log entries for this message id:
> >
> > 2003-01-20 13:50:36 18ah0G-0001SG-00 <= mftb@??? U=root
> > P=local S=5472 id=000a01c28163$f0dc25a0$dd82570c@oemcomputer
> > T="Litter-A-Chair..." from <root@???> for [...]
> >
> >Doesn't look good. Before I jump the gun, can anyone confirm my fears?
>
> Yep, this looks like the message was generated locally by the user root,
> BUT it's very unlikely that someone hacked your server to send out mails.
>
> What does the mail contain? spam?
>
> Please try exigrep '000a01c28163$f0dc25a0$dd82570c@oemcomputer'
> main.log to see if the same mail was maybe injected in another way
> first, and came back to exim after some kind of filtering.


These messages ARE spam, but not in the conventional sense. Through
my unfathomable stupidity, I attempted to re-send mail for a user to a
new account, using 'cat [spoolfile] | formail -s exim -t'. Yes, it
resent a copy of the messages in her spool to her new account, but it
also sent another copy to the recipients listed in the messages as
well.

What I have learned from this: Read the complete manpage of a
command:

    the -t option causes the recipients of the message to be
    obtained from the To:, Cc:, and Bcc: header lines in the
    message instead of from the command arguments.


This is again evidence that the most dangerous Cracker is the one
who has console access... (well, when the man pages are blatantly
ignored)

I very much appreciate your time,
*bonk hank*
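As an added illustration of the fan-out described in the message above (this is not code from the poster, from Exim, or from formail): the script below takes a constructed two-message mbox spool with made-up addresses, splits it the way `formail -s` does, and records which envelope recipients each message would get under the two models the manpage quote contrasts: `-t` (recipients taken from the To:, Cc: and Bcc: headers of each message) versus an explicit recipient given as a command argument. Nothing is actually delivered; the "MTA" is a recorder. `unintended_recipients` is the dry-run check a practitioner would want to run before resending someone's spool.

```python
"""Constructed example: why 'cat spool | formail -s exim -t' resends every
message to its original recipients, and what the dry-run check looks like.
Not code from the poster, Exim or formail; the spool and addresses below
are made up for the demonstration."""
import email.utils
import mailbox
import os
import tempfile

# Constructed mbox spool (the "From " separator lines mark message starts).
SPOOL = """From alice@example.org Mon Jan 20 13:50:36 2003
From: alice@example.org
To: olduser@example.net, bob@example.com
Cc: carol@example.com
Subject: Litter-A-Chair...

first message body

From dave@example.org Mon Jan 20 14:00:00 2003
From: dave@example.org
To: olduser@example.net
Bcc: eve@example.com
Subject: second message

second message body
"""


def header_recipients(msg):
    """Envelope recipients an MTA derives in -t mode: every address found
    in the To:, Cc: and Bcc: header lines of the message itself."""
    addrs = []
    for field in ("To", "Cc", "Bcc"):
        for _, addr in email.utils.getaddresses(msg.get_all(field, [])):
            if addr:
                addrs.append(addr.lower())
    return addrs


def resend(spool_text, new_addr, use_header_recipients):
    """Simulate 'formail -s <mta> ...' over a spool: split it into messages
    and hand each to a recording MTA instead of a real one.

    use_header_recipients=True  models 'formail -s exim -t'
    use_header_recipients=False models 'formail -s exim <new_addr>'
    Returns a list of (subject, envelope recipients) per message.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as f:
        f.write(spool_text)
        path = f.name
    try:
        box = mailbox.mbox(path)
        deliveries = []
        for msg in box:
            if use_header_recipients:
                rcpts = header_recipients(msg)
            else:
                # Recipients come from the command arguments only; the
                # headers are carried in the message but not acted upon.
                rcpts = [new_addr.lower()]
            deliveries.append((msg["Subject"], rcpts))
        box.close()
        return deliveries
    finally:
        os.unlink(path)


def unintended_recipients(spool_text, new_addr):
    """Dry-run check before a resend: every address a '-t' style resend of
    this spool would reach other than the intended new account. A non-empty
    result means the spool must not be fed to the MTA with -t."""
    reached = set()
    for _, rcpts in resend(spool_text, new_addr, True):
        reached.update(rcpts)
    reached.discard(new_addr.lower())
    return reached


if __name__ == "__main__":
    target = "newuser@example.net"
    print("with -t   :", resend(SPOOL, target, True))
    print("explicit  :", resend(SPOOL, target, False))
    print("unintended:", sorted(unintended_recipients(SPOOL, target)))
```

With `formail -s`, everything after `-s` is the command (and its arguments) run once per message with that message on standard input, so the explicit-recipient model corresponds to `formail -s exim newuser@example.net` on the poster's system, which delivers each copy only to the address given on the command line. The `-t` model reproduces the fan-out in the thread: both messages go back to their original To:, Cc: and Bcc: addresses.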