Re: [exim] Am I Hacked?

Author: Renaud Allard
Date:  
CC: exim-users
Subject: Re: [exim] Am I Hacked?

> Rick Lutowski <rick@???> (Do 04 Jan 2007 18:11:34 CET):
>> Graeme Fowler wrote:
>>> Renaud was using the telnet client application on his machine to talk to
>>> the Exim SMTP server on yours. There's no evidence of a telnet server
>>> existing on your server, but you can betcha someone would already have
>>> got you if there was :)
>> Which is why telnet, ftp, etc is not running!
>
> But qpopper (which had some security problems), and some other
> applications which do not have to be secure per se.
>
>> Is there any way to disable the kind of access he
>> demonstrated without compromising normal exim
>> operation?
>
> I'm not sure if in Exim 3.x you could reject unknown users already at
> SMTP time, but if you'd upgrade to Exim 4.x: you can.
> (AFAIR Debian's install script tries to convert the config, but I'm not
> sure, so be prepared to be challenged :))
>


The fact is: given the amount of data we gave you and the amount of
knowledge you have, and also the fact that your configuration is almost
stock as you told us, your best move is probably "apt-get install
exim4-daemon-heavy" (minimum requirement is a Debian 3.0 mirror) and
answering the questions there. I think this really is your smartest bet.

You should also probably do "apt-get remove --purge portmap" if you
don't use NFS, comment out all the lines in /etc/inetd.conf and restart
the inetd daemon ("/etc/init.d/inetd restart") afterwards. However, don't
remove the pop3 service if you use it.
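As an added illustration of the inetd clean-up suggested above (example code, not part of the original post or of Exim), this POSIX shell function comments out every active service line in an inetd.conf-style file except the services you name (here pop3), writing to a new file so the result can be reviewed before it replaces /etc/inetd.conf. The sample configuration it operates on is constructed for the demonstration.

```shell
#!/bin/sh
# disable_inetd_services SRC DST [SERVICE ...]
# Copies SRC to DST, prefixing '#' to every active service line whose
# service name is not listed among the SERVICE arguments (the ones to keep).
# Blank lines and lines that are already comments pass through unchanged.
disable_inetd_services() {
    src="$1"; dst="$2"; shift 2
    keep="$*"   # space-separated names to leave enabled, e.g. "pop3"
    awk -v keep="$keep" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
        /^[ \t]*(#|$)/ { print; next }          # comment or blank: untouched
        {
            svc = $1; sub(/^.*:/, "", svc)      # strip an optional "addr:" prefix
            if (svc in keepset) print; else print "#" $0
        }
    ' "$src" > "$dst"
}

# count_enabled FILE: number of active (uncommented, non-blank) lines in FILE.
count_enabled() {
    grep -c -v -E '^[[:space:]]*(#|$)' "$1"
}

# make_sample_inetd_conf FILE: writes a constructed sample inetd.conf
# (not a real host's file) so the function can be tried offline.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
telnet  stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp     stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
pop3    stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.qpopper
#finger stream  tcp nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
EOF
}
```

After checking DST with diff, copy it over /etc/inetd.conf and run "/etc/init.d/inetd restart" as the post says; the function itself never touches the live file.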