yes, and using the word hacked as your subject is not particularly... helpful...
On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <[email protected]> wrote:
> you really need to look at the mail log to see where the mail is coming
> from regardless of your firewall settings. It can actually come from inside
> you see.
>
>
> On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <[email protected]> wrote:
>
>> I am seeing more spam in my mail queue. I have iptables installed, and
>> here are my rules:
>>
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain RH-Firewall-1-INPUT (2 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     icmp --  anywhere             anywhere            icmp any
>> ACCEPT     esp  --  anywhere             anywhere
>> ACCEPT     ah   --  anywhere             anywhere
>> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
>> ACCEPT     all  --  192.168.0.0/16       anywhere
>> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
>> ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
>> ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>>
>> As far as I can tell, no one should be able to use port 25 from the
>> world.
>> Also, sendmail is only configured to allow relay from localhost:
>>
>> [root@sipx1 ~]# cat /etc/mail/access
>> # Check the /usr/share/doc/sendmail/README.cf file for a description
>> # of the format of this file. (search for access_db in that file)
>> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>> # package.
>> #
>> # by default we allow relaying from localhost...
>> Connect:localhost.localdomain RELAY
>> Connect:localhost RELAY
>> Connect:127.0.0.1 RELAY
>>
>> Can someone please help me figure out where this spam is coming from?
>> Thanks.
>>
>> ~Noah
>>
>> On Oct 13, 2012, at 10:17 AM, Noah Mehl <[email protected]> wrote:
>>
>> > I did not change the configuration of anything related to the PlcmSpIp
>> > user. It does however make me feel better that it is related to the vsftpd
>> > service and the Polycom phones.
>> >
>> > From /etc/passwd:
>> >
>> > PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>> >
>> > So, that user cannot ssh to a shell. So I don't think it was that.
>> >
>> > ~Noah
>> >
>> > On Oct 12, 2012, at 9:05 AM, Tony Graziano <[email protected]> wrote:
>> >
>> >> ... more -- it's a user that does not have login to the OS itself, just
>> >> vsftpd, which is restricted to certain commands and must present a
>> >> request for its MAC address in order to get a configuration file. It
>> >> is not logging into Linux unless someone changed the rights of the
>> >> user.
>> >>
>> >> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <[email protected]> wrote:
>> >>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>> >>> <[email protected]> wrote:
>> >>>> this is not a valid system user unless you have manually added it to the
>> >>>> system. I do think the logs would show more if access was granted. Why are
>> >>>> you exposing sshd to the outside world with an acl or by protecting it at
>> >>>> your firewall?
>> >>>>
>> >>>
>> >>> PlcmSpIp is the user used by Polycom phones for fetching config from server
>> >>>
>> >>> George
>> >>> _______________________________________________
>> >>> sipx-users mailing list
>> >>> [email protected]
>> >>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>> >>
>> >>
>> >> --
>> >> ~~~~~~~~~~~~~~~~~~
>> >> Tony Graziano, Manager
>> >> Telephone: 434.984.8430
>> >> sip: [email protected]
>> >> Fax: 434.465.6833
>> >> ~~~~~~~~~~~~~~~~~~
>> >> Linked-In Profile:
>> >> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>> >> Ask about our Internet Fax services!
>> >> ~~~~~~~~~~~~~~~~~~
>> >>
>> >> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>> >>
>> >> --
>> >> LAN/Telephony/Security and Control Systems Helpdesk:
>> >> Telephone: 434.984.8426
>> >> sip: [email protected]
>> >>
>> >> Helpdesk Customers: http://myhelp.myitdepartment.net
>> >> Blog: http://blog.myitdepartment.net
>> >
>> > Scanned for viruses and content by the Tranet Spam Sentinel service.
>
--
Michael Picher, Director of Technical Services
eZuce, Inc.
300 Brickstone Square, Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
linkedin <http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro>
www.ezuce.com
------------------------------------------------------------------------------------------------------------
There are 10 kinds of people in the world, those who understand binary and those who don't.
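Added example, not from the list posters or from sipXecs: a script that does what Tony is suggesting, reading the from= lines sendmail writes to /var/log/maillog and tallying where each accepted message was handed in. The iptables listing above may well block port 25 from the Internet (iptables -L without -v does not even show which interface the first ACCEPT all rule is bound to), but the relay= field in the log is what actually answers the question: user@localhost means a local process ran /usr/sbin/sendmail itself and the part before the @ is the Unix user it ran as, [127.0.0.1] means an SMTP client on the box, and a 192.168.0.0/16 address is a LAN host admitted by the ACCEPT all rule for that range, all of which pass the Connect:localhost RELAY entries without ever touching the firewall. The log lines embedded in the script are constructed, the sender addresses, hostnames and queue IDs are made up, and the RFC1918 test is the script's own assumption about what counts as "inside"; nothing here is an observation about Noah's server.

```python
"""Summarise where the mail in a sendmail queue came from, using the
from= lines in /var/log/maillog. Added example for this thread; not
from sipXecs or from anyone on the list. SAMPLE_LOG is constructed."""
import ipaddress
import re
import sys
from collections import Counter

# sendmail writes one "from=" line per accepted message. The relay= field
# names the client that handed the message in: "user@localhost" for a local
# submission via the sendmail binary, a host name and/or [IP] for SMTP clients.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,]*)>?, .*?"
    r"relay=(?P<relay>[^,\n]+)"
)
IP_RE = re.compile(r"\[(?P<ip>[\d.]+)\]")

# "Inside" here means RFC1918 space, matching the 192.168.0.0/16 style rule
# in the thread; adjust to the site's own ranges (assumption, not from the page).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one loopback SMTP submission, two local submissions by
# the apache user (25 recipients each), one LAN client, one Internet client,
# plus a to= delivery line that the parser must ignore. All names are made up.
SAMPLE_LOG = """\
Nov 15 09:12:01 sipx1 sendmail[2201]: qAFEC1Ab002201: from=<[email protected]>, size=4112, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 09:12:03 sipx1 sendmail[2207]: qAFEC3Cd002207: from=apache, size=3988, class=0, nrcpts=25, msgid=<[email protected]>, relay=apache@localhost
Nov 15 09:12:04 sipx1 sendmail[2209]: qAFEC4Ef002209: from=apache, size=3990, class=0, nrcpts=25, msgid=<[email protected]>, relay=apache@localhost
Nov 15 09:13:10 sipx1 sendmail[2215]: qAFEDAGh002215: from=<[email protected]>, size=2210, class=0, nrcpts=1, msgid=<[email protected]>, proto=SMTP, daemon=MTA, relay=[192.168.10.44]
Nov 15 09:14:22 sipx1 sendmail[2220]: qAFEEMIj002220: from=<[email protected]>, size=5120, class=0, nrcpts=40, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
Nov 15 09:14:23 sipx1 sendmail[2220]: qAFEEMIj002220: to=<[email protected]>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=125120, relay=mx.example.org. [198.51.100.7], dsn=2.0.0, stat=Sent
"""


def classify_relay(relay):
    """Map the relay= field of a from= line to where the submission came from."""
    relay = relay.strip()
    if "@localhost" in relay:
        # A local process invoked /usr/sbin/sendmail directly (cron job, web
        # script, compromised account); the user name is the lead to follow.
        return "local-user:" + relay.split("@", 1)[0]
    m = IP_RE.search(relay)
    if m:
        ip = ipaddress.ip_address(m.group("ip"))
        if ip.is_loopback:
            return "loopback-smtp"      # SMTP client on the box itself
        if any(ip in net for net in RFC1918):
            return "lan-smtp"           # inside host, passes the LAN ACCEPT rule
        return "external-smtp"          # what the firewall is supposed to stop
    return "unknown"


def parse_from_lines(log_text):
    """Yield (queue_id, sender, relay) for every from= line in the log text."""
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            yield m.group("qid"), m.group("sender"), m.group("relay")


def summarise(log_text):
    """Return two Counters: accepted messages by origin class and by sender."""
    by_origin = Counter()
    by_sender = Counter()
    for _qid, sender, relay in parse_from_lines(log_text):
        by_origin[classify_relay(relay)] += 1
        by_sender[sender] += 1
    return by_origin, by_sender


if __name__ == "__main__":
    # Usage: python3 mailorigin.py /var/log/maillog   (no argument: sample log)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    origins, senders = summarise(text)
    print("messages by origin:")
    for origin, n in origins.most_common():
        print(f"{n:6d}  {origin}")
    print("top senders:")
    for sender, n in senders.most_common(5):
        print(f"{n:6d}  {sender}")
```

A spike of "local-user:apache" or "loopback-smtp" entries with large nrcpts values points at something on the server itself (a web form, a cron job, a stolen account), which is the case the firewall rules above cannot catch; a "lan-smtp" spike points at an inside host that the 192.168.0.0/16 ACCEPT lets through. Only "external-smtp" entries would mean port 25 is actually reachable from the Internet.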
