Re: [exim] Am I Hacked?

Renaud Allard Thu, 04 Jan 2007 08:07:50 -0800


Rick Lutowski wrote:


>>     mail.jreality.com:
>>     Interesting ports on adsl-65-68-229-225.jreality.com (65.68.229.225):
>>     PORT    STATE SERVICE   VERSION
>>     9/tcp   open  discard?
>>     13/tcp  open  daytime
>>     25/tcp  open  smtp      Exim smtpd 3.36
>>     37/tcp  open  time       (32 bits)
>>     80/tcp  open  http      Apache httpd 1.3.33 ((Debian GNU/Linux))
>>     98/tcp  open  linuxconf Linuxconf (Access denied)
>>     110/tcp open  pop3      Qpopper pop3d 4.0.5
>>     111/tcp open  rpcbind    2 (rpc #100000)
>>     113/tcp open  ident     OpenBSD identd
>>     Device type: general purpose
>>     Running: Linux 2.1.X|2.2.X
>>     OS details: Linux 2.1.19 - 2.2.25
>>     Uptime 2.430 days (since Mon Jan  1 23:13:58 2007)
>>     Service Info: Host: www.jreality.com; OS: OpenBSD
> 
> Curious as to how you got this list.  What command?
> 

nmap -A -O mail.jreality.com does this kind of output.

Most theses services on debian are activated by inetd. You can edit
/etc/inetd.conf to remove unnecessary services, then restart inetd.

>From the scan, I guess you have or at least had a very old debian system
(probably 2.2 potato). It is worth noting that exim 3.x is not supported
anymore by this list and you should really upgrade to 4.x.

Here is a way to send spam from your server:
telnet mail.jreality.com 25
Trying 65.68.229.225...
Connected to jreality.com.
Escape character is '^]'.
220 www.jreality.com ESMTP Exim 3.36 #1 Thu, 04 Jan 2007 11:12:50 -0600
helo test
250 www.jreality.com Hello mail.eriador.org [85.201.63.39]
mail from:<[EMAIL PROTECTED]>
250 <[EMAIL PROTECTED]> is syntactically correct
rcpt to:<[EMAIL PROTECTED]>
250 <[EMAIL PROTECTED]> is syntactically correct
data
354 Enter message, ending with "." on a line by itself
this is spam
.
250 OK id=1H2W9c-0006p4-00
quit
221 www.jreality.com closing connection


This delivers a bounce to the sender containing the spam message. (my
spam filters destroyed it, but I received it)

2007-01-04 16:44:55 1H2Ulz-0006uX-37 <= <> H=(www.jreality.com)
[65.68.229.225]:4969 I=[209.216.230.19]:25 P=esmtp S=1420
[EMAIL PROTECTED]
T="Mail delivery failed: returning message to sender" from <> for
[EMAIL PROTECTED]
2007-01-04 16:44:55 1H2Ulz-0006uX-37 => blackhole (DATA ACL discarded
recipients): bogus bounce for <[EMAIL PROTECTED]>.
2007-01-04 16:44:55 1H2Ulz-0006uX-37 Completed





-- 
010100100110010101101110011000010111010101100100
010000010110110001101100011000010111001001100100

smime.p7s
Description: S/MIME Cryptographic Signature

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/

Re: [exim] Am I Hacked?

Reply via email to