Look at /var/spool/mail/root. There is a report you can find in there that
shows system activity. Look for entries below
"--------------------- pam_unix Begin ------------------------" and I think
you will find the source of your aggravation.

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Noah Mehl
Sent: Thursday, November 15, 2012 6:29 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4

I am seeing more spam in my mail queue.  I have iptables installed, and here
are my rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world.
Also, sendmail is only configured to allow relay from localhost:

[root@sipx1 ~]# cat /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY

Can someone please help me figure out where this spam is coming from?
Thanks.

~Noah

On Oct 13, 2012, at 10:17 AM, Noah Mehl <[email protected]> wrote:

> I did not change the configuration of anything related to the PlcmSpIp
> user.  It does however make me feel better that it is related to the vsftpd
> service and the polycom phones.
> 
> From /etc/passwd:
> 
> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
> 
> So, that user cannot ssh to a shell. So I don't think it was that.
> 
> ~Noah
> 
> On Oct 12, 2012, at 9:05 AM, Tony Graziano <[email protected]> wrote:
> 
>> ... more -- it's a user that does not have login to the OS itself, 
>> just vsftpd, which is restricted to certain commands and must present 
>> a request for its mac address in order to get a configuration file. 
>> It is not logging into linux unless someone changed the rights of the 
>> user.
>> 
>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <[email protected]> wrote:
>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano 
>>> <[email protected]> wrote:
>>>> this is not a valid system user unless you have manually added it 
>>>> to the system. I do think the logs would show more if access was 
>>>> granted. Why are you exposing sshd to the outside world with an acl 
>>>> or by protecting it at your firewall?
>>>> 
>>> 
>>> PlcmSpIp is the user used by polycom phones for fetching config from 
>>> server
>>> 
>>> George
>>> _______________________________________________
>>> sipx-users mailing list
>>> [email protected]
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>> 
>> 
>> 
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Tony Graziano, Manager
>> Telephone: 434.984.8430
>> sip: [email protected]
>> Fax: 434.465.6833
>> ~~~~~~~~~~~~~~~~~~
>> Linked-In Profile:
>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>> Ask about our Internet Fax services!
>> ~~~~~~~~~~~~~~~~~~
>> 
>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>> 
>> --
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: [email protected]
>> 
>> Helpdesk Customers: http://myhelp.myitdepartment.net
>> Blog: http://blog.myitdepartment.net


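Noah's reading of the rules ("no one should be able to use port 25 from the world") can be checked against the listing rather than by eye. The script below is an added example written for this thread, not sipXecs, sendmail or Red Hat tooling. It parses the `iptables -L` output as posted (re-joined where the mail client wrapped it) and walks INPUT and the RH-Firewall-1-INPUT chain for a described packet. The SERVICES port table, the test addresses and the packet dictionary format are my assumptions; the chain names and rules are Noah's.

```python
# Added example for this thread (not sipXecs or sendmail tooling).  LISTING is the
# iptables -L output Noah posted, re-joined; SERVICES values and test IPs are assumed.
import ipaddress
import re

SERVICES = {"smtp": 25, "http": 80, "ipp": 631, "mdns": 5353, "sip": 5060,
            "sip-tls": 5061, "xmpp-client": 5222, "pcsync-https": 8443}
TERMINAL = ("ACCEPT", "DROP", "REJECT")

LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

def parse_listing(text):
    """Return {chain: {"policy": str | None, "rules": [...]}} in listing order."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif line.strip() and not line.startswith("target") and cur is not None:
            target, prot, _opt, src, dst, *extra = line.split()
            cur["rules"].append({"target": target, "prot": prot, "src": src,
                                 "dst": dst, "extra": " ".join(extra)})
    return chains

def _port(name):
    return int(name) if name.isdigit() else SERVICES[name]

def _src_matches(rule_src, pkt_src):
    if rule_src == "anywhere":
        return True
    try:
        return ipaddress.ip_address(pkt_src) in ipaddress.ip_network(rule_src, strict=False)
    except ValueError:  # rule shows a reverse-resolved hostname: compare literally
        return rule_src == pkt_src

def rule_matches(rule, pkt):
    """Apply the match columns `iptables -L` shows: prot, src, dst, state, dport."""
    st = re.search(r"state (\S+)", rule["extra"])
    pr = re.search(r"dpts?:([\w-]+)(?::([\w-]+))?", rule["extra"])
    if rule["prot"] not in ("all", pkt["proto"]) or not _src_matches(rule["src"], pkt["src"]):
        return False
    if rule["dst"] not in ("anywhere", pkt.get("dst", "")):
        return False
    if st and pkt["state"] not in st.group(1).split(","):
        return False
    if pr:  # single port `dpt:x` or range `dpts:x:y`
        lo, hi = _port(pr.group(1)), _port(pr.group(2) or pr.group(1))
        return lo <= pkt.get("dport", -1) <= hi
    return True

def evaluate(chains, pkt, chain="INPUT", warnings=None):
    """Walk `chain` for `pkt`; return (verdict, matching rule, warnings).  `iptables -L`
    hides -i/-o, so a terminal rule with no visible match (normally `-i lo`) is skipped."""
    warnings = [] if warnings is None else warnings
    for rule in chains[chain]["rules"]:
        if (rule["target"] in TERMINAL and rule["prot"] == "all"
                and rule["src"] == rule["dst"] == "anywhere" and not rule["extra"]):
            warnings.append(f"{chain}: '{rule['target']} all anywhere anywhere' has no visible match; skipped")
            continue
        if not rule_matches(rule, pkt):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], rule, warnings
        if rule["target"] in chains:  # jump into a user-defined chain
            verdict, hit, _ = evaluate(chains, pkt, rule["target"], warnings)
            if verdict is not None:
                return verdict, hit, warnings
    return chains[chain]["policy"], None, warnings  # None for user chains: fall back to caller

def verdict_for(chains, proto, dport, src, state="NEW"):
    pkt = {"proto": proto, "dport": dport, "src": src, "state": state}
    return evaluate(chains, pkt)[0]
```

Calling `verdict_for(parse_listing(LISTING), "tcp", 25, "203.0.113.9")` returns REJECT, while the same port from 192.168.1.20 returns ACCEPT via the 192.168.0.0/16 rule, so Noah's reading holds for the rules as shown. Two caveats the walk makes explicit: the first `ACCEPT all anywhere anywhere` has no visible match criteria because `iptables -L` without `-v` hides the interface, so confirm it is the loopback rule with `iptables -L -v -n` before trusting any conclusion; and OUTPUT's policy is ACCEPT, so if 25/tcp is indeed rejected inbound, the mail in the queue is being injected by something running on the box itself, which is why the reply at the top points at the login report rather than the firewall.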
