Re: [exim] Am I Hacked?

Startseite
Nachricht löschen
Nachricht beantworten
Autor: W B Hacker
Datum:  
To: exim users
Betreff: Re: [exim] Am I Hacked?
Rick Lutowski wrote:
> I've been using exim on debian 'out of the box' for years with
> no apparent problems. Recently I've been getting indications
> my server's exim has been compromised and is sending out spam
> without my knowledge.


'indications' such as?

> I don't know much about exim's capabilities
> beyond its out of the box behavior, so do not know what someone
> would have to do to use an exim-based server as a spam host.


Presuming 'debian 'out of the box' means debconf et al, you'll need to spend
some time looking at their bespoke documentation, and perhaps on their
debian-specific mailing list.

ISTR that Marc has it pretty tightly controlled, so ...

> Without knowing how it might be done, I don't know how it might
> be stopped, but the first order of business is to determine if
> I am, in fact, being used to send spam. I thus enabled the daily
> activity report. The first such report received from exim is
> attached as a pdf.
>


For a 24-hour period, the counts are very low.

You might also run a report against ~/exim/rejectlog (or wherever it is...) as well.

You may see rejections to a lot of the same servers - (*.tr, *.ru, *.it
especially) that show as 'onesies' in the report.

grep or exigrep your ~/exim/mainlog for some of those <domain>.<tld>, ID a
time-window, then look around that time and see if you can get a better picture
of events - bounces, especially.

Chances are your debian-stock Exim is doing a pretty solid job.

> I should point out my server is locked down pretty tight as far
> as remote access is concerned. I do not run ftp, telnet, or
> any other remote access services. The only active net services
> are exim and apache.


Note that a web-critter shows up - BUT - while a largish message, the count is
migthy low for a 24-hour period.

> If someone has gained access, it is most
> likely via one of these two packages. I just did a full debian
> update a couple days ago, so all recent bug fixes and versions
> should be in place and were active at the time the daily activity
> report was generated.
>


That is 'good practice', but not much help if you have a config error or
too-permissive an httpd environment. (abused script, web forms, etc.)

> The "top 50 destinations" lists seem to indicate unauthorized
> sending activity. First question: Is this a correct interpretation
> of the report?


Probably not.

With message counts of '1' per full-day, even with several recognizably dodgy
correspondent servers, they could simply be bounces - collateral/splatter or
otherwise.

> Second question: If so, how might it be occurring
> and so how might it be stopped? Any guidance would be appreciated.
>


First, you need to confirm that you actually *have* a problem.

The report submitted does not make that clear.

Are you getting bounces or rejections from legitimate hosts? Being blacklisted?
Getting complaints of other kinds?

Keep in mind that the lower the real traffic a server handles, the higher the
apparent percentage of spam attempts.

Nothing necessarily wrong when that shows up, *especially* when arrivals
'handled' (in one way or another...) are ten times as numerous as departures.

HTH,

BIll