Autor: Rick Lutowski Data: Para: exim-users Assunto: [exim] Am I Hacked?
I've been using exim on debian 'out of the box' for years with
no apparent problems. Recently I've been getting indications
my server's exim has been compromised and is sending out spam
without my knowledge. I don't know much about exim's capabilities
beyond its out of the box behavior, so do not know what someone
would have to do to use an exim-based server as a spam host.
Without knowing how it might be done, I don't know how it might
be stopped, but the first order of business is to determine if
I am, in fact, being used to send spam. I thus enabled the daily
activity report. The first such report received from exim is
attached as a pdf.
I should point out my server is locked down pretty tight as far
as remote access is concerned. I do not run ftp, telnet, or
any other remote access services. The only active net services
are exim and apache. If someone has gained access, it is most
likely via one of these two packages. I just did a full debian
update a couple days ago, so all recent bug fixes and versions
should be in place and were active at the time the daily activity
report was generated.
The "top 50 destinations" lists seem to indicate unauthorized
sending activity. First question: Is this a correct interpretation
of the report? Second question: If so, how might it be occurring
and so how might it be stopped? Any guidance would be appreciated.
--
Rick Lutowski, GRI, REALTOR
Greg Doering & Associates
Keller Williams Realty
rick@???
512-461-1456
I Reward Referrals