Not really sure what to look for, as this is the first time on the box

lsof -p (weird PID) gives the following. (Note the weird hotmail connection at the bottom)

69.36.2.186:32798->mc1-reserved.bay6.hotmail.com:smtp (SYN_SENT)


********************************

[r...@yourstuff etc]# lsof -p 3687
COMMAND    PID   USER   FD   TYPE     DEVICE    SIZE   NODE NAME
courieres 3687 daemon  cwd    DIR        3,3    4096 277343 /usr/lib/courier
courieres 3687 daemon  rtd    DIR        3,1    4096      2 /
courieres 3687 daemon  txt    REG        3,3  378238 354751 /usr/lib/courier/libexec/courier/modules/esmtp/courieresmtp
courieres 3687 daemon  mem    REG        3,1  106397 192411 /lib/ld-2.3.4.so
courieres 3687 daemon  mem    REG        3,1 1454546 192413 /lib/tls/libc-2.3.4.so
courieres 3687 daemon  mem    REG        3,1   15324 192514 /lib/libdl-2.3.4.so
courieres 3687 daemon  mem    REG        3,3   29743 276664 /usr/lib/courier-authlib/libcourierauthsaslclient.so.0.0.0
courieres 3687 daemon  mem    REG        3,3   23616 246963 /usr/lib/libgdbm.so.2.0.0
courieres 3687 daemon  mem    REG        3,3  112229 275081 /usr/lib/courier-authlib/libcourierauth.so.0.0.0
courieres 3687 daemon    0r  FIFO        0,7          10450 pipe
courieres 3687 daemon    1w  FIFO        0,7           5524 pipe
courieres 3687 daemon    2u   CHR        1,3           1406 /dev/null
courieres 3687 daemon    3u  unix 0xd8cd4a80          10451 socket
courieres 3687 daemon    4u   REG        3,2     570  32133 /var/spool/courier/msgs/33/C32133
courieres 3687 daemon   5rR   REG        3,1   12392  50005 /etc/courier/hosteddomains.dat
courieres 3687 daemon    6u  IPv6      19149            TCP 69.36.2.186:32798->mc1-reserved.bay6.hotmail.com:smtp (SYN_SENT)
[r...@yourstuff etc]#

******************************************
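An added example, not from anyone in the thread: a small parser for the kind of lsof -p listing shown above that pulls out what a responder wants first, namely the binary behind the PID, the user it runs as, any delivery in progress to a mail port, and the spool file it has open. The sample input is the listing from the post with whitespace normalised; MAIL_PORTS and the "any open file under /spool/ is a queued message" heuristic are assumptions.

```python
import re

# Constructed sample: the lsof -p 3687 lines from the post, one entry per line.
LSOF_SAMPLE = """\
COMMAND    PID   USER   FD   TYPE     DEVICE    SIZE   NODE NAME
courieres 3687 daemon  cwd    DIR        3,3    4096 277343 /usr/lib/courier
courieres 3687 daemon  txt    REG        3,3  378238 354751 /usr/lib/courier/libexec/courier/modules/esmtp/courieresmtp
courieres 3687 daemon    4u   REG        3,2     570  32133 /var/spool/courier/msgs/33/C32133
courieres 3687 daemon    6u  IPv6      19149            TCP 69.36.2.186:32798->mc1-reserved.bay6.hotmail.com:smtp (SYN_SENT)
"""

# COMMAND PID USER FD TYPE are fixed columns; DEVICE/SIZE/NODE/NAME vary by TYPE.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# NAME of a TCP socket: local->remote:port (STATE); works with or without -n/-P.
CONN_RE = re.compile(r"(\S+)->(\S+):(\S+)\s+\((\w+)\)")
MAIL_PORTS = {"smtp", "25", "submission", "587"}  # assumption: ports worth flagging

def parse_lsof(text):
    """Summarise 'lsof -p PID' output: who runs it, its binary, files and sockets."""
    info = dict(pid=None, command=None, user=None, exe=None, cwd=None, files=[], connections=[])
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header line, or a line lsof did not format as a row
        cmd, pid, user, fd, ftype, rest = m.groups()
        info.update(pid=int(pid), command=cmd, user=user)
        if fd in ("txt", "cwd"):
            info["exe" if fd == "txt" else "cwd"] = rest.split()[-1]
        elif ftype in ("IPv4", "IPv6"):
            c = CONN_RE.search(rest)
            if c:  # listening sockets have no '->' and are skipped here
                info["connections"].append({"fd": fd, "local": c[1], "remote": c[2],
                                            "port": c[3], "state": c[4]})
        elif ftype == "REG":
            info["files"].append(rest.split()[-1])
    return info

def outbound_mail(info):
    """Sockets a responder cares about: deliveries in progress to a mail port."""
    return [c for c in info["connections"]
            if c["port"] in MAIL_PORTS and c["state"] in ("SYN_SENT", "ESTABLISHED")]

def triage(info):
    """One line per finding, suitable for pasting into an incident log."""
    out = [f"pid {info['pid']} ({info['command']}) as {info['user']}: {info['exe']}"]
    out += [f"sending mail {c['local']} -> {c['remote']}:{c['port']} [{c['state']}]"
            for c in outbound_mail(info)]
    out += [f"queued message open: {f}" for f in info["files"] if "/spool/" in f]
    return out
```

Run `triage(parse_lsof(LSOF_SAMPLE))` on the sample, or feed it the captured output of `lsof -p <pid>` from the box; for the sample it reports the courieresmtp delivery module, the SYN_SENT connection to the hotmail MX and the spool file it is delivering.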

Brian Friday wrote:

Well, you haven't given us ports or the services that the machine is "supposed" to be running. So it really could be anything from someone compromising the webserver to make it a spam relay to an old ${insert externally accessible program name here} which had a remote vulnerability that got exploited.

On Jul 24, 2006, at 10:23 PM, Roger Rustad wrote:

A friend called me to see why his Linux server was blacklisted.

I searched, and here's what I got

http://www.robtex.com/rbls/69.36.2.186.html

He gave me the root password, so I went in and ran a netstat. As you can imagine, tons and tons and tons of connections to outgoing mail servers.

I ran through some of the commands I found here

http://www.hackinglinuxexposed.com/articles/20030515.html

and found a few interesting things, such as lots and lots of mail traffic going to the init PID 4702. Also, there was lots of traffic coming in on weird ports and going out on the SMTP port.

Figuring that init had something to do with root, I rebooted. The server has been fine for the last 10 minutes or so. The "netstat 1" command shows no new connections.

Any ideas on what may be the root cause?

Roger
_______________________________________________
909linux mailing list
[email protected]
http://909linux.org/cgi-bin/mailman/listinfo/909linux

Brian Friday
Infrastructure Manager
Information Technology
La Sierra University
Riverside, CA 92515
Tel: (951) 785-2900
Fax: (951) 785-2908
[email protected]
