Re: [exim] Am I Hacked?

Author: Renaud Allard
Date:  
To: Rick Lutowski
CC: exim-users
Subject: Re: [exim] Am I Hacked?


Rick Lutowski wrote:

>>     mail.jreality.com:
>>     Interesting ports on adsl-65-68-229-225.jreality.com (65.68.229.225):
>>     PORT    STATE SERVICE   VERSION
>>     9/tcp   open  discard?
>>     13/tcp  open  daytime
>>     25/tcp  open  smtp      Exim smtpd 3.36
>>     37/tcp  open  time       (32 bits)
>>     80/tcp  open  http      Apache httpd 1.3.33 ((Debian GNU/Linux))
>>     98/tcp  open  linuxconf Linuxconf (Access denied)
>>     110/tcp open  pop3      Qpopper pop3d 4.0.5
>>     111/tcp open  rpcbind    2 (rpc #100000)
>>     113/tcp open  ident     OpenBSD identd
>>     Device type: general purpose
>>     Running: Linux 2.1.X|2.2.X
>>     OS details: Linux 2.1.19 - 2.2.25
>>     Uptime 2.430 days (since Mon Jan  1 23:13:58 2007)
>>     Service Info: Host: www.jreality.com; OS: OpenBSD

>
> Curious as to how you got this list. What command?
>


nmap -A -O mail.jreality.com does this kind of output.

Most of these services on Debian are activated by inetd. You can edit
/etc/inetd.conf to remove unnecessary services, then restart inetd.

From the scan, I guess you have or at least had a very old Debian system
(probably 2.2 potato). It is worth noting that Exim 3.x is not supported
anymore by this list and you should really upgrade to 4.x.

Here is a way to send spam from your server:
telnet mail.jreality.com 25
Trying 65.68.229.225...
Connected to jreality.com.
Escape character is '^]'.
220 www.jreality.com ESMTP Exim 3.36 #1 Thu, 04 Jan 2007 11:12:50 -0600
helo test
250 www.jreality.com Hello mail.eriador.org [85.201.63.39]
mail from:<renaud@???>
250 <renaud@???> is syntactically correct
rcpt to:<nonexistentuser@???>
250 <nonexistentuser@???> is syntactically correct
data
354 Enter message, ending with "." on a line by itself
this is spam
.
250 OK id=1H2W9c-0006p4-00
quit
221 www.jreality.com closing connection


This delivers a bounce to the sender containing the spam message. (My
spam filters destroyed it, but I received it.)

2007-01-04 16:44:55 1H2Ulz-0006uX-37 <= <> H=(www.jreality.com)
[65.68.229.225]:4969 I=[209.216.230.19]:25 P=esmtp S=1420
id=E1H2W9g-0006p8-00@www.jreality.com
T="Mail delivery failed: returning message to sender" from <> for
renaud@???
2007-01-04 16:44:55 1H2Ulz-0006uX-37 => blackhole (DATA ACL discarded
recipients): bogus bounce for <renaud@???>.
2007-01-04 16:44:55 1H2Ulz-0006uX-37 Completed


--
010100100110010101101110011000010111010101100100
010000010110110001101100011000010111001001100100
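The RCPT TO check that the telnet session above performs by hand, as an added example that is not part of Renaud's post or of the exim-users thread. The server in the thread answered "250 ... is syntactically correct" to a recipient that does not exist and only generated the bounce afterwards, which is what makes it usable for backscatter spam. The probe below reproduces that test without causing the side effect: it uses the null reverse path `<>` (a bounce to `<>` is discarded rather than delivered) and never reaches DATA. The `FakeSMTP` class, the `probe.example` HELO name and the `example.com` domain are constructed for the offline run; the only real library used is Python's `smtplib`.

```python
"""Probe an SMTP server for unverified RCPT TO (backscatter check).

Added example, not code from the original post. The host in the thread
accepted RCPT TO for a non-existent mailbox and bounced afterwards, so
anyone could make it deliver arbitrary text to a forged sender. This
probe repeats the check with the null sender <> and never issues DATA.
"""
import secrets
import smtplib
import sys


def classify_rcpt(code: int) -> str:
    """Translate the RCPT TO reply code into what it means for bounces."""
    if 200 <= code < 300:
        return "accepts unknown recipients; will bounce later (backscatter risk)"
    if 400 <= code < 500:
        return "temporarily deferred (greylisting or a verification callout)"
    if 500 <= code < 600:
        return "rejects unknown recipients at RCPT time"
    return "unexpected reply"


def probe_unknown_recipient(smtp, domain: str, helo_name: str = "probe.example"):
    """Return (code, local_part, verdict) for RCPT TO a random non-existent user.

    `smtp` is any object with smtplib.SMTP's helo/mail/rcpt/rset/quit
    methods, so the same logic runs against a live server or the fake below.
    """
    # A random local part: no mailbox has this name, so a 2xx reply can
    # only mean the server is not verifying recipients (or is a catch-all).
    local_part = "probe-" + secrets.token_hex(8)
    smtp.helo(helo_name)
    code, _ = smtp.mail("<>")              # null sender: nothing to bounce to
    if code != 250:
        raise RuntimeError(f"MAIL FROM:<> refused with {code}")
    code, _ = smtp.rcpt(f"<{local_part}@{domain}>")
    smtp.rset()                            # abandon the transaction
    smtp.quit()                            # never reach DATA
    return code, local_part, classify_rcpt(code)


class FakeSMTP:
    """Constructed offline stand-in for the two behaviours seen in the thread.

    verify=False answers 250 to every RCPT TO, like the Exim 3.36 host in
    the post; verify=True answers 550 for unknown mailboxes, like a server
    that checks the recipient before accepting it.
    """

    def __init__(self, verify: bool, known_users=("postmaster",)):
        self.verify = verify
        self.known_users = set(known_users)
        self.transcript = []               # commands the probe actually sent

    def helo(self, name):
        self.transcript.append(f"HELO {name}")
        return 250, b"mail.example Hello probe"

    def mail(self, sender):
        self.transcript.append(f"MAIL FROM:{sender}")
        return 250, b"OK"

    def rcpt(self, recipient):
        self.transcript.append(f"RCPT TO:{recipient}")
        local = recipient.strip("<>").split("@", 1)[0]
        if self.verify and local not in self.known_users:
            return 550, b"Unrouteable address"
        return 250, b"Accepted"

    def rset(self):
        self.transcript.append("RSET")
        return 250, b"Reset OK"

    def quit(self):
        self.transcript.append("QUIT")
        return 221, b"closing connection"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live run against a server you administer: python probe.py MX_HOST [DOMAIN]
        host = sys.argv[1]
        domain = sys.argv[2] if len(sys.argv) > 2 else host
        conn = smtplib.SMTP(host, 25, timeout=30)
        code, local, verdict = probe_unknown_recipient(conn, domain)
    else:
        # Offline demo: the non-verifying fake mirrors the transcript in the post
        code, local, verdict = probe_unknown_recipient(FakeSMTP(verify=False), "example.com")
    print(f"RCPT TO:<{local}@...> -> {code}: {verdict}")
```

A 250 here is only conclusive if the domain is not a deliberate catch-all; for a catch-all the question becomes whether undeliverable mail is later bounced to the envelope sender. Exim 4's shipped configuration avoids the problem in the transcript by running `verify = recipient` in its RCPT ACL, so unknown local parts get a 550 before any message is accepted.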