Eli wrote:
>Paul wrote:
>
>
>>Eli wrote:
>>
>>
>>>I have a feeling Exim is just fine, and instead what you are
>>>all seeing is the result of a recent series of server hacks?
>>
>>
>>I doubt that: I'm quite sure that we're not dealing with a
>>hacked server here, and I just noticed the entries in my logs as well.
>>
>>
>Server doesn't have to be "hacked" to be compromised. As stated, the phpBB
>and AWStats exploits can leave no traces except what is in your web server
>log entries. I know, I've got servers that have been hit by these exploits.
>
Ok, but well - there is really nothing else on the system, exim is
jailed, there is both a host based firewall and there are (router) ACLs
in place, it uses token based authentication for access, it's even hard
for me to get in! ;-)
(Even if someone compromised the system they won't have anything useful.)
>This doesn't seem to look like the work of a leaked file descriptor though.
>I would expect random behaviour in that -
Well, it's not with all synchronization errors: in my logs only for 0.4%
of them (about 2500 sync. errors today). But all of them are listed in
some RBL, and some of them reappear.
> Unless you have lookups set to query those
>files, I thought any user lookups were done via system calls, not directly
>querying the files? That's pure speculation - I haven't checked source code
>to be sure or not.
>
Well, we don't have those lookups anyway.
>>I just found the remote IP in sorbs btw, so I also assume
>>it's no legitimate user.
>>
>>
>Do the other services the system offers have logs as well? Cross reference
>that IP with all your other system logs and see what you turn up.
>
There are no other services (well, I can log in with ssh somehow ;-)),
the machine is completely locked in. (So I couldn't find anything really.)
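The triage Paul and Eli describe above (pull the remote IPs out of Exim's "SMTP protocol synchronization error" rejections, check how many are on a DNSBL, and cross-reference them with whatever other logs the host keeps) is easy to script. The block below is an added example, not code from the thread or from the Exim project. It assumes the mainlog phrasing "SMTP protocol synchronization error ... H=[ip]" and uses constructed sample lines; the `fake_resolve` stand-in and its listed set are assumptions so the script runs offline, and a real run passes `socket.gethostbyname` (the default) and a zone such as `dnsbl.sorbs.net`.

```python
import re
import socket
import ipaddress
from collections import Counter

# Constructed sample lines in Exim mainlog style (not real traffic).
EXIM_MAINLOG = """\
2005-03-01 10:02:11 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="EHLO x\\r\\n"
2005-03-01 10:02:13 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[198.51.100.7] input="HELO y\\r\\n"
2005-03-01 10:03:40 1D6ab1-000Abc-Xy <= alice@example.org H=mail.example.org [203.0.113.5] P=esmtp S=1234
2005-03-01 10:05:02 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="EHLO x\\r\\n"
2005-03-01 10:07:55 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<bob@example.net>" H=[203.0.113.99]
"""

# Constructed sshd lines: the "other service" log to cross-reference against.
SSHD_LOG = """\
Mar  1 09:58:01 host sshd[2211]: Failed password for root from 192.0.2.10 port 40111 ssh2
Mar  1 10:01:17 host sshd[2230]: Accepted publickey for eli from 203.0.113.5 port 51000 ssh2
"""

SYNC_ERROR = "SMTP protocol synchronization error"
HOST_IP = re.compile(r"H=[^\[\n]*\[([0-9.]+)\]")          # H=[ip] or H=name [ip]
ANY_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def sync_error_ips(mainlog):
    """Count remote IPs behind Exim synchronization-error rejections."""
    counts = Counter()
    for line in mainlog.splitlines():
        if SYNC_ERROR not in line:
            continue
        m = HOST_IP.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ips_in_text(text):
    """All valid IPv4 literals in a log of any format (sshd, firewall, ...)."""
    found = set()
    for cand in ANY_IPV4.findall(text):
        try:
            ipaddress.IPv4Address(cand)
        except ValueError:
            continue
        found.add(cand)
    return found


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the zone answers with any A record; NXDOMAIN means not listed."""
    try:
        resolve(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False


def report(mainlog, other_logs, zone, resolve=socket.gethostbyname):
    """Per-IP summary: hit count, DNSBL status, and other logs the IP shows up in."""
    seen = {name: ips_in_text(text) for name, text in other_logs.items()}
    out = {}
    for ip, n in sync_error_ips(mainlog).items():
        out[ip] = {
            "count": n,
            "listed": dnsbl_listed(ip, zone, resolve),
            "seen_in": sorted(name for name, ips in seen.items() if ip in ips),
        }
    return out


def listed_fraction(rep):
    """Share of offending IPs that the DNSBL knows about (0.0 if no hits)."""
    if not rep:
        return 0.0
    return sum(1 for r in rep.values() if r["listed"]) / len(rep)


# Offline stand-in for the resolver (assumption: only these two IPs are listed).
FAKE_LISTED = {"192.0.2.10", "198.51.100.7"}


def fake_resolve(name):
    ip = ".".join(reversed(name.split(".")[:4]))  # undo the octet reversal
    if ip in FAKE_LISTED:
        return "127.0.0.2"                          # typical DNSBL "listed" answer
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    rep = report(EXIM_MAINLOG, {"sshd": SSHD_LOG}, "dnsbl.sorbs.net", resolve=fake_resolve)
    for ip, r in sorted(rep.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:16} hits={r['count']} listed={r['listed']} also_in={r['seen_in']}")
    print(f"listed fraction: {listed_fraction(rep):.1%}")
```

Run against a real mainlog, drop the `resolve=` argument so the live DNSBL is queried, and treat an IP that appears in both the sync-error list and sshd's failed logins as the first candidate to block at the router ACL.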