I have iptables installed on this server, and 25 was NOT open inbound. I did clean out my mail directory, but I'm concerned about how this happened in the first place. Not only that, sendmail only accepts connections from localhost. So, this has to be something other than smtp relay.
[root@sipx1 mail]# cat access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY

~Noah

On Oct 12, 2012, at 6:40 AM, Michael Picher <[email protected]> wrote:

> sipXecs 4.4.0 has no firewall enabled, so if you have your system raw on the internet or you have port 25 open inbound to it, you could have some sort of DoS related thing going on.
>
> Clean out your mail directory, disallow external connections to the server and see what happens.
>
> Doesn't sound like you're 'hacked', just broken.
>
> mike
>
> On Fri, Oct 12, 2012 at 1:55 AM, Davide Poletto <[email protected]> wrote:
>
>> Hi, could it be something related to Polycom phones' FTP provisioning? I've read that the default FTP user name for that is 'PlcmSpIp' and the default password is the same (so well-known credentials). Over the internet there are some references about that (AFAIK see this one <http://www.mail-archive.com/[email protected]/msg04452.html>, just as an example, which has a good explanation of the logged messages).
>>
>> Regards, Davide.
>>
>> On Fri, Oct 12, 2012 at 5:48 AM, Noah Mehl <[email protected]> wrote:
>>
>>> All,
>>>
>>> I just realized that my emails from my SipXecs 4.4 server were not being delivered. Upon further investigation, I found that my SipXecs VM had a sendmail queue with over 13000 messages in it.
>>>
>>> I'm trying to figure out how my machine was sending mail, and it doesn't look like the relay is open, but I found something curious:
>>>
>>> [root@sipx1 log]# cat secure | grep "pam_unix(sshd:session): session opened"
>>> Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
>>> Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
>>> Oct 11 18:36:16 sipx1 sshd[29192]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
>>> Oct 11 18:36:21 sipx1 sshd[29195]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
>>> Oct 11 20:57:58 sipx1 sshd[30561]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
>>>
>>> Those are what I think to be successful ssh logins with the user PlcmSpIp. Is this user part of the SipXecs install?
>>>
>>> ~Noah
>>>
>>> _______________________________________________
>>> sipx-users mailing list
>>> [email protected]
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> --
> Michael Picher, Director of Technical Services
> eZuce, Inc.
> www.ezuce.com
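Added example, not code from the thread or from sipXecs: a small Python triage script for the /var/log/secure lines Noah grepped. It parses the pam_unix "session opened" records, lists sessions for accounts that are not expected to log in interactively (such as the PlcmSpIp phone-provisioning account), and flags bursts like the three PlcmSpIp logins within 20 seconds. The sample log is constructed from the lines quoted above plus one admin login; the interactive allow-list (`admin`) is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the pam_unix "session opened" lines grepped out of /var/log/secure in the thread.
SESSION_OPEN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)$"
)

# Constructed sample: the lines quoted in the thread, one ordinary admin login (assumed),
# and one "session closed" line that the parser must ignore.
SAMPLE_LOG = """\
Oct 11 06:09:25 sipx1 sshd[22059]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 09:12:03 sipx1 sshd[23001]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Oct 11 09:40:11 sipx1 sshd[23001]: pam_unix(sshd:session): session closed for user admin
Oct 11 18:36:02 sipx1 sshd[29185]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:16 sipx1 sshd[29192]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 18:36:21 sipx1 sshd[29195]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Oct 11 20:57:58 sipx1 sshd[30561]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
"""

def parse_session_opens(text, year=2012):
    """Yield (timestamp, host, pid, user) for every sshd 'session opened' line; syslog has no year."""
    for line in text.splitlines():
        m = SESSION_OPEN.match(line)
        if not m:
            continue  # closed sessions, other daemons, unrelated noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], int(m["pid"]), m["user"]

def unexpected_logins(text, interactive_users):
    """Sessions for accounts that should never get a shell, e.g. a provisioning-only account."""
    return [(ts, user) for ts, _, _, user in parse_session_opens(text)
            if user not in interactive_users]

def login_bursts(text, window_seconds=60, min_count=3):
    """Runs of >= min_count sessions for one user inside window_seconds: scripted use, not a person."""
    by_user = defaultdict(list)
    for ts, _, _, user in parse_session_opens(text):
        by_user[user].append(ts)
    bursts = []
    for user, stamps in by_user.items():
        stamps.sort()
        for i in range(len(stamps) - min_count + 1):
            if (stamps[i + min_count - 1] - stamps[i]).total_seconds() <= window_seconds:
                bursts.append((user, stamps[i], stamps[i + min_count - 1]))
                break  # one report per user is enough for triage
    return bursts
```

Run against the real file with `unexpected_logins(open("/var/log/secure").read(), {"admin"})`; any hit for PlcmSpIp on a box that only serves phone configs over FTP is worth a password change and a look at the FTP and sshd configuration.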
