Re: [exim] error!am i hacked?

Author: Kobus de Wit
Date:  
To: Jason Meers, Tim Jackson
CC: exim-users, Ryan Kerwin Macrohon
Subject: Re: [exim] error!am i hacked?
Hi All,

    There is a variant of the Sober worm, purportedly sent by the FBI, 
on the loose on the net. The FBI has issued a warning in this regard. 
Check the Technology section at www.cnn.com or other news agencies.


    The worm has its own built-in SMTP server and the distribution 
level is high.


    It is advised that users update their antivirus software in employ.


    Regards


Kobus

----- Original Message -----
From: "Jason Meers" <Jason.Meers@???>
To: "Tim Jackson" <lists@???>
Cc: <exim-users@???>; "Ryan Kerwin Macrohon"
<kerwin@???>
Sent: Wednesday, November 23, 2005 1:24 PM
Subject: Re: [exim] error!am i hacked?


> Tim Jackson wrote:
>>> Guys!! There are many messages that I receive... when I read the logs,
>>> this is what it mostly says... Am I compromised!!! Any comment would be
>>> of big help!!!
>>
>> [snip lots of messages from mail@??? to mail@???]
>>
>> Quite possibly, to some extent. You didn't show the log excerpts of the
>> messages entering your system, nor say what else (if anything) the
>> machine is doing other than handling mail. There are many possibilities,
>> of which the below are only some:
>>
>> - If it's a webserver too, it's quite possible that you just have an
>> insecure mail form of some description (especially with the current PHP
>> header injection automated exploits that are doing the rounds). It could
>> also be a compromise via phpBB or some other vulnerable web app
>>
>> - you could have a malicious user on your machine
>>
>> - if you use SMTP AUTH, maybe one of your users has got a weak password
>> that has been bruteforced
>>
>> - if this machine is a mail hub, maybe one of your users has a
>> virus/trojan, or maybe one of the other machines it relays for is
>> compromised
>>
>> Tim
>>
>
> Tim's suggestion about checking how messages entered the system to
> begin with is a good place to start.
>
> However... you may also want to check for the presence of a rootkit if
> you can't find any other explanation, or start to get paranoid.
>
> I have found "chkrootkit" useful in this respect, but don't immediately
> jump to any conclusions if it finds something. I happened to be using
> Ollie Cook's "eximstate" on the same port used by a trojan purely by
> coincidence and almost trashed the box in a moment of insanity.
>
> If you need help with chkrootkit you will need to post to the relevant
> list, not back here.
>
> Hope things work out OK,
>
> Jason Meers
>
> website for chkrootkit
> http://www.chkrootkit.org
>
> paper on using chkrootkit
> http://www.giac.org/practical/gsec/Bill_Hutchison_GSEC.pdf
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users ##
> Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
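Tim's first point in the thread above, that the useful evidence is the mainlog lines for messages entering the system, can be turned into a quick triage script: group the `<=` (message received) lines by how each message got in (local submission user, SMTP AUTH account, or remote host) and see which path carries the flood. The script below is an added example for this archive page, not code from any of the posters or from Exim itself; it assumes Exim 4's standard mainlog `<=` line layout (`H=`, `U=`, `P=`, `A=` fields) and runs over constructed sample lines, not real log data.

```python
import re
from collections import Counter

# Constructed sample Exim mainlog lines in the Exim 4 "<=" (received) layout.
# Not real log data from the thread; hosts and addresses are placeholders.
SAMPLE_MAINLOG = """\
2005-11-23 13:24:01 1EeXYZ-0001AB-CD <= www-data@mail.example U=www-data P=local S=1834
2005-11-23 13:24:02 1EeXYZ-0001AB-CE <= www-data@mail.example U=www-data P=local S=1902
2005-11-23 13:24:03 1EeXYZ-0001AB-CF <= www-data@mail.example U=www-data P=local S=1877
2005-11-23 13:24:05 1EeXYZ-0001AB-D0 <= bob@example.com H=(WORKSTATION) [192.0.2.10] P=esmtpa A=plain:bob S=2210
2005-11-23 13:24:06 1EeXYZ-0001AB-D1 <= alice@example.com H=(WORKSTATION) [192.0.2.11] P=esmtpa A=plain:bob S=2300
2005-11-23 13:24:07 1EeXYZ-0001AB-D2 <= news@partner.example H=mx.partner.example [198.51.100.5] P=esmtp S=5120
2005-11-23 13:24:08 1EeXYZ-0001AB-D3 => someone@example.net R=dnslookup T=remote_smtp
"""

# Only "<=" lines describe a message entering the system; "=>" lines are deliveries.
RECEIVED = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+)"  # timestamp, queue id, envelope sender
    r"(?: H=(?P<host>.*?) \[(?P<ip>[^\]]+)\])?"         # remote host / HELO name and its IP
    r"(?: U=(?P<user>\S+))?"                             # local submitting Unix user
    r"(?: P=(?P<proto>\S+))?"                            # protocol: local, esmtp, esmtpa, ...
    r"(?: A=(?P<auth>\S+))?"                             # authenticator:account for SMTP AUTH
)

def parse_received(lines):
    """Yield one dict of fields per '<=' line; skip deliveries and other records."""
    for line in lines:
        m = RECEIVED.match(line)
        if m:
            yield m.groupdict()

def entry_path(rec):
    """Classify how a message entered Exim, following Tim's list of suspects."""
    if rec["auth"]:                                      # weak/bruteforced SMTP AUTH account?
        return "smtp-auth:" + rec["auth"].split(":", 1)[-1]
    if rec["proto"] == "local" and rec["user"]:          # insecure web form or local user?
        return "local-user:" + rec["user"]
    if rec["ip"]:                                        # infected client or compromised relay peer?
        return "remote-host:" + rec["ip"]
    return "unknown"

def summarise(lines, threshold=3):
    """Return (counts per entry path, paths at or above the message threshold)."""
    counts = Counter(entry_path(r) for r in parse_received(lines))
    suspicious = {path: n for path, n in counts.items() if n >= threshold}
    return counts, suspicious

if __name__ == "__main__":
    counts, suspicious = summarise(SAMPLE_MAINLOG.splitlines())
    for path, n in counts.most_common():
        print(f"{n:4d}  {path}")
    print("at/above threshold:", suspicious)
```

On a real box, feed it `/var/log/exim/mainlog` (or wherever your build logs) and raise the threshold to suit the traffic volume; a single local user such as the web server account dominating the list points at the mail-form case, a single `A=` account at the password case, and a single remote IP at the relay case.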