Tim Jackson wrote:
>>Guys!!there are many messages that I receive...when i read the logs, this
>>is what it mostly say...Am i compromised!!!any comment would be of big
>>help!!!
>
>
> [snip lots of messages from mail@??? to mail@???]
>
> Quite possibly, to some extent. You didn't show the log excerpts of the
> messages entering your system, nor say what else (if anything) the machine
> is doing other than handling mail. There are many possibilities, of which
> the below are only some:
>
> - If it's a webserver too, it's quite possible that you just have an
> insecure mail form of some description (especially with the current PHP
> header injection automated exploits that are doing the rounds). It could
> also be a compromise via phpBB or some other vulnerable web app
>
> - you could have a malicious user on your machine
>
> - if you use SMTP AUTH, maybe one of your users has got a weak password
> that has been bruteforced
>
> - if this machine is a mail hub, maybe one of your users has a
> virus/trojan, or maybe one of the other machines it relays for is
> compromised
>
> Tim
>
Tims suggestion about checking how messages entered the system to begin
with is a good place to start.
However...You may also want to check for the presence a rootkit if you
can't find any other explanation, or start to get paranoid.
I have found "chkrootkit" useful in this respect, but dont immediately
jump to any conclusions if it finds something, I happened to be using
Ollie Cooks "eximstate" on the same port used by a trojan purely by
coincidence and almost trashed the box in moment of insanity.
If you need help with chkrootkit you will need to post to the relevant
list, not back here.
Hope things work out OK,
Jason Meers
website for chkrootkit
http://www.chkrootkit.org
paper on using chkrootkit
http://www.giac.org/practical/gsec/Bill_Hutchison_GSEC.pdf
