Tim Jackson wrote:
Guys!! There are many messages that I receive... When I read the logs, this
is what it mostly says... Am I compromised!!! Any comment would be of big
help!!!


[snip lots of messages from [EMAIL PROTECTED] to [EMAIL PROTECTED]]

Quite possibly, to some extent. You didn't show the log excerpts of the
messages entering your system, nor say what else (if anything) the machine
is doing other than handling mail. There are many possibilities, of which
the below are only some:

- If it's a webserver too, it's quite possible that you just have an
insecure mail form of some description (especially with the current PHP
header injection automated exploits that are doing the rounds). It could
also be a compromise via phpBB or some other vulnerable web app.

- You could have a malicious user on your machine.

- If you use SMTP AUTH, maybe one of your users has got a weak password
that has been bruteforced.

- If this machine is a mail hub, maybe one of your users has a
virus/trojan, or maybe one of the other machines it relays for is
compromised.

Tim


Tim's suggestion about checking how messages entered the system to begin with is a good place to start.

However... you may also want to check for the presence of a rootkit if you can't find any other explanation, or start to get paranoid.

I have found "chkrootkit" useful in this respect, but don't immediately jump to any conclusions if it finds something; I happened to be using Ollie Cook's "eximstate" on the same port used by a trojan purely by coincidence and almost trashed the box in a moment of insanity.

If you need help with chkrootkit you will need to post to the relevant list, not back here.

Hope things work out OK,

Jason Meers

website for chkrootkit
http://www.chkrootkit.org

paper on using chkrootkit
http://www.giac.org/practical/gsec/Bill_Hutchison_GSEC.pdf
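As an added example (not code from either poster, nor from the Exim project), a small Python script that follows Tim's advice to look at how messages entered the system: it classifies Exim main-log `<=` arrival lines by origin (local process, SMTP AUTH user, remote or relayed host) and lists the source addresses each authenticated user submitted from. The log lines below are constructed, and the field parsing assumes Exim's default main-log format.

```python
import re
from collections import Counter, defaultdict
# Constructed Exim main-log "<=" (arrival) lines, not the poster's own logs:
# remote SMTP, a local www-data process, one SMTP AUTH user, a relayed host.
SAMPLE_LOG = """\
2006-03-01 10:00:01 1FDxyz-000ABC-1a <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048 id=1@example.org
2006-03-01 10:00:02 1FDxyz-000ABD-2b <= www-data@mx.example.org U=www-data P=local S=1200
2006-03-01 10:00:03 1FDxyz-000ABE-3c <= www-data@mx.example.org U=www-data P=local S=1180
2006-03-01 10:00:04 1FDxyz-000ABF-4d <= bob@example.org H=(client) [198.51.100.7] P=esmtpa A=plain:bob S=900
2006-03-01 10:00:05 1FDxyz-000ABG-5e <= bob@example.org H=(client) [203.0.113.9] P=esmtpa A=plain:bob S=910
2006-03-01 10:00:06 1FDxyz-000ABH-6f <= relay@branch.example.net H=branch.example.net [192.0.2.50] P=esmtp S=4000
"""

ARRIVAL = re.compile(r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
HOST = re.compile(r"H=(?P<host>.*?) \[(?P<ip>[^\]]+)\]")
FIELD = re.compile(r"(?<!\S)(?P<key>[UPA])=(?P<val>\S+)")  # U=user P=proto A=auth

def classify(line):
    """Map one "<=" line to {origin, who, ip}; other log lines give None."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = {f.group("key"): f.group("val") for f in FIELD.finditer(rest)}
    host = HOST.search(rest)
    if fields.get("P") == "local":      # injected by a local process (e.g. a web app)
        return {"origin": "local", "who": fields.get("U", "?"), "ip": None}
    if "A" in fields:                   # SMTP AUTH submission: authenticator:username
        return {"origin": "auth", "who": fields["A"].split(":", 1)[-1], "ip": host.group("ip") if host else None}
    if host:                            # plain SMTP from a remote or relayed host
        return {"origin": "smtp", "who": host.group("host"), "ip": host.group("ip")}
    return {"origin": "unknown", "who": rest, "ip": None}

def summarize(log_text):
    """Count arrivals per (origin, who); collect source IPs per AUTH user."""
    counts, auth_ips = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        c = classify(line)
        if c:
            counts[(c["origin"], c["who"])] += 1
            if c["origin"] == "auth":
                auth_ips[c["who"]].add(c["ip"])
    return counts, {u: sorted(ips) for u, ips in auth_ips.items()}

if __name__ == "__main__":
    counts, auth_ips = summarize(SAMPLE_LOG)
    for (origin, who), n in counts.most_common():
        print(f"{n:5d}  {origin:8s}{who}")
    for user, ips in auth_ips.items():   # one account from many addresses is worth a look
        print(f"AUTH {user}: {len(ips)} source address(es): {', '.join(ips)}")
```

Run it against a real mainlog with `summarize(open("/var/log/exim4/mainlog").read())`; a flood of `local` arrivals from the web server's user, or one AUTH account submitting from many addresses, points at the web-form and weak-password cases Tim lists.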




--
## List details at http://www.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/