Based on these scans and the vger results, I don't think postfix is misconfigured at all; the attacker is logging in and sending those mails from localhost. Format the drive and start over.
On Thu, 2003-11-06 at 08:00, Praedor Atrebates wrote:
> Geesh. Disable ftp at least, if you disable no other service. If you don't
> do remote X at all, disable X service as well.
>
> Are you serving a webpage locally? Disable http and perhaps https.
>
> I have the following nmap output:
> PORT      STATE SERVICE
> 22/tcp    open  ssh
> 25/tcp    open  smtp
> 631/tcp   open  ipp
> 1241/tcp  open  nessus
> 6000/tcp  open  X11
> 10000/tcp open  snet-sensor-mgmt
>
> I run my own postfix mailserver for me, myself, and I. It is not a relay (and
> as others have indicated, it doesn't quite look like yours is really).
>
> I could disable X11 and nessusd I suppose as though I do the occasional
> remote X thing and sometimes use nessus against those who scan me (I like to
> light up their "warning lights" if they have any such thing to let them know
> that their target is on to them), it is rare.
>
> Basically, do you actually NEED the services you are running? Any that are
> not really used/needed, turn them off.
>
> praedor
>
> On Thursday 06 November 2003 03:44 am, Stefan Rijnhart wrote:
> > On Thursday 6 November 2003 06:18, David E. Fox wrote:
> > > Folks - especially postfix people - I need some help -
> > > my box seems to have been turned into an open relay. I am
> > > running the same postfix configuration file I had installed
> > > when I was running 9.0 and later versions (currently I
> > > am running 9.2/cooker)..
> > >
> > > I have not been able to post to the list or send out any
> > > smtp email until I fix this.... and in the meantime have
> > > simply flushed (deleted) the outgoing queue in /var/spool
> > > /postfix via
> > >
> > > # find /var/spool/postfix -type f | xargs rm
> > >
> > > which (quickly) removes it. I removed many megabytes' worth
> > > of stuck email this way earlier today only to find that at
> > > 9 pm there was 4 megs more waiting and my isp admin had sent
> > > me a mail saying he disabled my smtp.
> > >
> > > I was under the impression postfix was relay proof - any
> > > advice will be helpful...
> > >
> > > Thanks!
> >
> > Hi David,
> >
> > Maybe my behaviour is a bit unmannered but I have run some tests against
> > your IP, to help you fix your box (We are talking about
> > m206-157.dsl.tsoft.com, aren't we?)
> >
> > Your postfix says:
> >
> > 554 <[EMAIL PROTECTED]>: Relay access denied.
> >
> > Seems ok.
> >
> > Portscanner Nmap says:
> >
> > Port     State    Service
> > 21/tcp   open     ftp
> > 22/tcp   open     ssh
> > 25/tcp   open     smtp
> > 80/tcp   open     http
> > 111/tcp  open     sunrpc
> > 135/tcp  filtered loc-srv
> > 137/tcp  filtered netbios-ns
> > 138/tcp  filtered netbios-dgm
> > 139/tcp  filtered netbios-ssn
> > 443/tcp  open     https
> > 445/tcp  filtered microsoft-ds
> > 631/tcp  open     ipp
> > 642/tcp  open     unknown
> > 6000/tcp open     X11
> >
> > Do these ports correspond to the services that you want to offer? Otherwise,
> > shield them off. Do you know how to work with shorewall to accomplish that?
> >
> > Good luck,
> > Stefan.
>
> --
> "Our ship is in the hands of pilots who are steering directly under full sail
> for a rock. The whole crew may see this course to violate our liberties in
> full view if they look the right way."
> --Samuel Adams, 1771
>
> ______________________________________________________________________
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
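The conclusion at the top of the thread (the mail is being submitted on the box itself, not relayed through it) is something the Postfix log can confirm. As an added example, not code from anyone in this thread, the script below groups Postfix log lines by queue ID and tallies recipients by how each message entered the queue; the log excerpt and host names are constructed.

```python
import re
from collections import Counter

# Constructed mail.log excerpt (not from the thread). Postfix tags every
# message with a queue ID; the first line naming that ID shows how it got in:
#   postfix/pickup ... uid=N from=<..>   -> injected on the box via sendmail(1)
#   postfix/smtpd  ... client=host[ip]   -> received over SMTP from that ip
SAMPLE_LOG = """\
Nov  6 21:01:02 box postfix/pickup[811]: 1A2B3C4D5E: uid=501 from=<www>
Nov  6 21:01:02 box postfix/cleanup[812]: 1A2B3C4D5E: message-id=<a@box>
Nov  6 21:01:02 box postfix/qmgr[700]: 1A2B3C4D5E: from=<www@box>, size=812, nrcpt=40 (queue active)
Nov  6 21:01:05 box postfix/smtpd[820]: 2B3C4D5E6F: client=localhost[127.0.0.1]
Nov  6 21:01:05 box postfix/qmgr[700]: 2B3C4D5E6F: from=<x@example.net>, size=1200, nrcpt=25 (queue active)
Nov  6 21:02:11 box postfix/smtpd[821]: 3C4D5E6F70: client=mail.example.org[198.51.100.7]
Nov  6 21:02:11 box postfix/qmgr[700]: 3C4D5E6F70: from=<friend@example.org>, size=500, nrcpt=1 (queue active)
"""

ENTRY_RE = re.compile(r"postfix/(pickup|smtpd)\[\d+\]: ([0-9A-Za-z]+): (.*)")
CLIENT_RE = re.compile(r"client=[^\[\s]+\[([^\]]+)\]")
NRCPT_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Za-z]+): from=<[^>]*>, size=\d+, nrcpt=(\d+)")

def classify_origins(log_text):
    """Map each queue ID to how its message entered the queue."""
    origins = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "pickup":
            origins[qid] = "local-sendmail"
            continue
        cm = CLIENT_RE.search(rest)  # other smtpd lines (rejects etc.) lack client=
        if cm:
            ip = cm.group(1)
            origins[qid] = "smtp-localhost" if ip in ("127.0.0.1", "::1") else "smtp-remote:" + ip
    return origins

def recipients_by_origin(log_text):
    """Sum nrcpt per origin class. Bulk mail under local-sendmail or
    smtp-localhost was submitted on the host itself, not relayed through it."""
    origins = classify_origins(log_text)
    totals = Counter()
    for line in log_text.splitlines():
        m = NRCPT_RE.search(line)
        if m:
            totals[origins.get(m.group(1), "unknown")] += int(m.group(2))
    return totals
```

On a genuine open relay the remote-client classes dominate the recipient totals; a queue full of local-sendmail or smtp-localhost traffic points at a process or login on the box, which is the case the top reply describes.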
