BTW, all open relay tests thus far show negative.
Brian Friday wrote:
Well, you haven't given us ports or the services that the machine is
"supposed" to be running. So it really could be anything from someone
compromising the webserver to make it a spam relay to an old ${insert
externally accessible program name here} which had a remote
vulnerability that got exploited.
On Jul 24, 2006, at 10:23 PM, Roger Rustad wrote:
A friend called me to see why his Linux server was blacklisted.
I searched, and here's what I got
http://www.robtex.com/rbls/69.36.2.186.html
He gave me the root password, so I went in and ran a netstat. As you
can imagine, tons and tons and tons of connections to outgoing mail
servers.
I ran through some of the commands I found here
http://www.hackinglinuxexposed.com/articles/20030515.html
and found a few interesting things, such as lots and lots of mail
traffic going to the init PID 4702. Also, there was lots of traffic
coming in on weird ports and going out on the SMTP port.
Figuring that init had something to do with root, I rebooted. The
server has been fine for the last 10 minutes or so. The "netstat 1"
command shows no new connections.
Any ideas on what may be the root cause?
Roger
_______________________________________________
909linux mailing list
[email protected]
http://909linux.org/cgi-bin/mailman/listinfo/909linux
Brian Friday
Infrastructure Manager
Information Technology
La Sierra University
Riverside, CA 92515
Tel: (951) 785-2900
Fax: (951) 785-2908
[email protected]
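The triage Roger describes (a netstat listing full of outbound SMTP connections, all owned by a process calling itself "init" with PID 4702, which cannot be the real init because init is always PID 1) can be done offline against saved `netstat -ntp` output, and that is worth doing before the reboot destroys the evidence. The script below is an added example, not code from this thread or the 909linux list; the netstat lines it parses are constructed to resemble the situation described, using the server's own address and documentation-range IPs for the remote ends, and the threshold of three outbound SMTP connections is an arbitrary choice for the sample.

```python
#!/usr/bin/env python3
"""Triage saved `netstat -ntp` output for a spam-relaying process.

Groups TCP connections by owning PID, flags any process with many
outbound connections to remote port 25/465/587 (a relay, as opposed to
the local MTA accepting mail on its own port 25), and flags processes
whose name claims a PID they cannot have ("init" with PID != 1).
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -ntp` output; remote IPs are RFC 5737 ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 69.36.2.186:34567       192.0.2.10:25           ESTABLISHED 4702/init
tcp        0      0 69.36.2.186:34568       192.0.2.11:25           SYN_SENT    4702/init
tcp        0      0 69.36.2.186:34570       198.51.100.20:25        ESTABLISHED 4702/init
tcp        0      0 69.36.2.186:34571       203.0.113.30:25         ESTABLISHED 4702/init
tcp        0      0 69.36.2.186:6667        198.51.100.23:6667      ESTABLISHED 4702/init
tcp        0      0 69.36.2.186:22          203.0.113.9:51234       ESTABLISHED 1811/sshd: root
tcp        0      0 69.36.2.186:25          198.51.100.77:48211     ESTABLISHED 2210/sendmail
"""

# One data line: proto, queues, local, foreign, state, then "PID/Program" or "-".
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<owner>.+?)\s*$"
)


def _split_endpoint(endpoint):
    """'69.36.2.186:25' -> ('69.36.2.186', 25); a '*' port becomes None."""
    addr, port = endpoint.rsplit(":", 1)
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP connection line; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        owner = m.group("owner")
        if "/" in owner:
            pid_s, prog = owner.split("/", 1)
            pid = int(pid_s)
        else:
            pid, prog = None, owner  # "-": netstat could not map the socket (not root)
        laddr, lport = _split_endpoint(m.group("local"))
        raddr, rport = _split_endpoint(m.group("remote"))
        conns.append({
            "local_addr": laddr, "local_port": lport,
            "remote_addr": raddr, "remote_port": rport,
            "state": m.group("state"), "pid": pid, "program": prog,
        })
    return conns


def find_mass_mailers(conns, threshold=3, smtp_ports=(25, 465, 587)):
    """PIDs with >= threshold outbound connections to SMTP ports.

    Outbound means the *remote* side is the SMTP port; a line whose local
    port is 25 is our own MTA receiving mail and is not counted.
    """
    by_pid = defaultdict(lambda: {"program": None, "count": 0, "remote_hosts": set()})
    for c in conns:
        if c["pid"] is None or c["remote_port"] not in smtp_ports:
            continue
        if c["local_port"] in smtp_ports:
            continue
        entry = by_pid[c["pid"]]
        entry["program"] = c["program"]
        entry["count"] += 1
        entry["remote_hosts"].add(c["remote_addr"])
    return {
        pid: {"program": e["program"], "count": e["count"],
              "remote_hosts": sorted(e["remote_hosts"])}
        for pid, e in by_pid.items() if e["count"] >= threshold
    }


def impostor_processes(conns):
    """PIDs whose program name is one only a fixed PID may carry (init is PID 1)."""
    fixed_pids = {"init": 1}
    found = {}
    for c in conns:
        if c["pid"] is None:
            continue
        name = c["program"].split()[0].rstrip(":")  # "sshd: root" -> "sshd"
        if name in fixed_pids and c["pid"] != fixed_pids[name]:
            found[c["pid"]] = c["program"]
    return found


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for pid, info in find_mass_mailers(conns).items():
        print(f"PID {pid} ({info['program']}): {info['count']} outbound SMTP "
              f"connections to {', '.join(info['remote_hosts'])}")
    for pid, prog in impostor_processes(conns).items():
        print(f"PID {pid} calls itself '{prog}' but that name belongs to another PID")
```

Once a PID like 4702 is identified, the things to capture before rebooting are `ls -l /proc/4702/exe` (a deleted binary shows as "(deleted)"), `/proc/4702/cwd`, `/proc/4702/cmdline`, `ps -o ppid= -p 4702` to find what started it, and `lsof -p 4702` for its open files; all of that is gone after a reboot, and the process will usually come back if its launcher (a cron entry, an rc script, a trojaned daemon) was not found and removed.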