Hi All,
There is a variant of the Sober worm, purportedly sent by the FBI,
on the loose on the net. The FBI has issued a warning in this regard.
Check the Technology section at www.cnn.com or other news agencies.
The worm has its own built-in SMTP server and the distribution
level is high.
It is advised that users update their antivirus software in employ.
Regards
Kobus
----- Original Message -----
From: "Jason Meers" <[EMAIL PROTECTED]>
To: "Tim Jackson" <[EMAIL PROTECTED]>
Cc: <[email protected]>; "Ryan Kerwin Macrohon"
<[EMAIL PROTECTED]>
Sent: Wednesday, November 23, 2005 1:24 PM
Subject: Re: [exim] error!am i hacked?
Tim Jackson wrote:
Guys!! There are many messages that I receive... when I read the logs, this is what it mostly says... Am I compromised!!! Any comment would be of big help!!!
[snip lots of messages from [EMAIL PROTECTED] to [EMAIL PROTECTED]
Quite possibly, to some extent. You didn't show the log excerpts of the messages entering your system, nor say what else (if anything) the machine is doing other than handling mail. There are many possibilities, of which the below are only some:
- If it's a webserver too, it's quite possible that you just have an insecure mail form of some description (especially with the current PHP header injection automated exploits that are doing the rounds). It could also be a compromise via phpBB or some other vulnerable web app
- you could have a malicious user on your machine
- if you use SMTP AUTH, maybe one of your users has got a weak password that has been bruteforced
- if this machine is a mail hub, maybe one of your users has a virus/trojan, or maybe one of the other machines it relays for is compromised
Tim
Tim's suggestion about checking how messages entered the system to begin with is a good place to start.
However... you may also want to check for the presence of a rootkit if you can't find any other explanation, or start to get paranoid.
I have found "chkrootkit" useful in this respect, but don't immediately jump to any conclusions if it finds something. I happened to be using Ollie Cook's "eximstate" on the same port used by a trojan purely by coincidence and almost trashed the box in a moment of insanity.
If you need help with chkrootkit you will need to post to the relevant list, not back here.
Hope things work out OK,
Jason Meers
website for chkrootkit
http://www.chkrootkit.org
paper on using chkrootkit
http://www.giac.org/practical/gsec/Bill_Hutchison_GSEC.pdf
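As an added example (not from this thread, Tim, Jason, or the Exim project), the following Python script does the check suggested above: it reads Exim main-log arrival ("<=") lines and tallies how each message entered the system, so you can see whether the bulk came in over SMTP AUTH (and as which user), by local submission (and as which Unix user, e.g. a web server account), or from a remote host. The log lines, hosts, and users are constructed samples, and the field layout assumed is the standard Exim main-log format.

```python
import re
from collections import Counter

# Constructed sample lines in Exim main-log format (hypothetical hosts, users, message ids).
SAMPLE_LOG = """\
2005-11-23 13:20:01 1EeXyz-0001Ab-Cd <= [email protected] H=(example.net) [192.0.2.10] P=esmtpa A=plain:bob S=2210
2005-11-23 13:20:05 1EeXyz-0001Ac-Ef <= [email protected] H=(example.net) [192.0.2.10] P=esmtpa A=plain:bob S=2215
2005-11-23 13:20:09 1EeXyz-0001Ad-Gh <= [email protected] U=www-data P=local S=1840
2005-11-23 13:20:14 1EeXyz-0001Ae-Ij <= [email protected] H=mail.example.org [198.51.100.7] P=esmtp S=3100
2005-11-23 13:20:20 1EeXyz-0001Af-Kl <= [email protected] U=www-data P=local S=1850
2005-11-23 13:20:25 1EeXyz-0001Ag-Mn => [email protected] R=dnslookup T=remote_smtp H=mx.example.com [203.0.113.5]
2005-11-23 13:20:30 1EeXyz-0001Ah-Op <= [email protected] H=(example.net) [192.0.2.10] P=esmtpa A=plain:bob S=2208
"""

# Only "<=" lines record a message arriving; "=>" lines are deliveries and are skipped.
ARRIVAL_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
IP_RE = re.compile(r"\[([^\]]+)\]")          # the remote address in H=host [ip]
FIELD_RE = re.compile(r"\b([UAP])=(\S+)")     # U=local user, A=authenticator:user, P=protocol


def parse_arrival(line):
    """Return the fields of an Exim arrival line, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(FIELD_RE.findall(rest))
    ip = IP_RE.search(rest)
    return {
        "id": m.group("id"),
        "sender": m.group("sender"),
        "ip": ip.group(1) if ip else None,
        "local_user": fields.get("U"),
        "auth": fields.get("A"),
        "proto": fields.get("P"),
    }


def origin(rec):
    """Map an arrival record to one of the entry paths in Tim's list."""
    if rec["auth"]:
        return "smtp_auth:" + rec["auth"]      # authenticated submission: check that user's password
    if rec["local_user"]:
        return "local:" + rec["local_user"]    # local submission: a web form or a local user
    if rec["ip"]:
        return "relay:" + rec["ip"]            # remote host: a relay client or another compromised box
    return "unknown"


def count_origins(log_text):
    """Count arrivals per entry path so the dominant source stands out."""
    return Counter(origin(r) for r in map(parse_arrival, log_text.splitlines()) if r)


if __name__ == "__main__":
    for path, n in count_origins(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {path}")
```

On a real system, feed it the contents of the main log (e.g. /var/log/exim4/mainlog on Debian) instead of SAMPLE_LOG; the entry path with by far the highest count is where to look first.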
--
## List details at http://www.exim.org/mailman/listinfo/exim-users ##
Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/