Hello Hari,

Wednesday, January 3, 2007, 6:47:54 PM, you wrote:

> Nyoman D wrote:
>> Hello tanya-jawab,
>> 
>>   Today I received an email from mailer-daemon that I cannot make
>>   sense of: why did my server's LogWatch report, which is sent by
>>   root to root, end up in someone else's mailbox? It makes me
>>   suspicious, because this server was once broken into through
>>   insecure PHP scripts, although at that time it was not
>>   successfully exploited any further (getting root access).
>> 
>>   Here is the excerpt:
>> 
>> ==== Start of Excerpt =====
>>   
>> Hi. This is the qmail-send program at rr.com.au.
>> I'm afraid I wasn't able to deliver your message to the following addresses.
>> This is a permanent error; I've given up. Sorry it didn't work out.
>> 
>> <pointer'[EMAIL PROTECTED]>:
>> 193.252.22.141 failed after I sent the message.
>> Remote host said: 550 Error: Message content rejected 
>> <cc40629b8352bf2f65dc6c663f26ffb5>
>> 
>> --- Below this line is a copy of the message.
>> 
>> Return-Path: <[EMAIL PROTECTED]>
>> Received: (qmail 7624 invoked by uid 0); 26 Dec 2006 04:02:06 -0800
>> Date: 26 Dec 2006 04:02:06 -0800
>> Message-ID: <[EMAIL PROTECTED]>
>> From: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Subject: LogWatch for www.rr.com.au
>> 
>> 
>>  ################### LogWatch 4.3.2 (02/18/03) #################### 
>>        Processing Initiated: Tue Dec 26 04:02:03 2006
>>        Date Range Processed: yesterday
>>      Detail Level of Output: 0
>>           Logfiles for Host: www.rr.com.au
>>  ################################################################ 
>> 
>>  --------------------- Named Begin ------------------------
>> 
>> ==== End of Excerpt ====
>> 
>> That email was sent by mailer-daemon; here is its envelope:
>> From: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Subject: failure notice
>>

> From:, To:, Subject: are headers, not the 
> envelope. The envelope is MAIL FROM: , RCPT TO: 
> (while the SMTP conversation is taking place, 
> after HELO/EHLO)

> Try looking at the contents of 
> /etc/cron.daily/00-logwatch (logwatch usually 
> sets up its crontab there)

> $Config{'mailto'} = "root";

> Is its content like the example above, or something else?

>> Can anyone explain why this could happen?
>> 
>> Thanks,
>> 
>> Nyoman.


Oops, sorry, I meant the headers :) I often mix them up

Excerpt from the file /etc/cron.daily/00-logwatch

# Default config here...
$Config{'detail'} = 0;
$Config{'logdir'} = "/var/log";
$Config{'mailto'} = "root";


Nyoman.
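
The header/envelope distinction raised in the reply above, as an added example that is not part of the original thread: it separates the SMTP envelope (MAIL FROM / RCPT TO) from the message headers and lists envelope recipients that the To: header never mentions. The session text, the example.org/example.net addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed client side of an SMTP session (not taken from the thread).
SESSION = """\
HELO www.example.org
MAIL FROM:<root@www.example.org>
RCPT TO:<someone@mail.example.net>
DATA
From: root@www.example.org
To: root@www.example.org
Subject: LogWatch for www.example.org

report body
.
QUIT
"""

def split_envelope_and_headers(session):
    """Return (envelope, headers) from the client side of an SMTP session."""
    envelope = {"mail_from": None, "rcpt_to": []}
    lines = session.splitlines()
    data_start = None
    for i, line in enumerate(lines):
        m = re.match(r"MAIL FROM:\s*<([^>]*)>", line, re.I)
        if m:
            envelope["mail_from"] = m.group(1)
        m = re.match(r"RCPT TO:\s*<([^>]*)>", line, re.I)
        if m:
            envelope["rcpt_to"].append(m.group(1))
        if line.strip().upper() == "DATA":
            data_start = i + 1          # everything after DATA is the message
            break
    if data_start is None:
        raise ValueError("no DATA command in session")
    message = []
    for line in lines[data_start:]:
        if line == ".":                 # lone dot ends the message
            break
        message.append(line[1:] if line.startswith(".") else line)  # dot-unstuffing
    msg = message_from_string("\n".join(message))
    return envelope, {k: msg[k] for k in ("From", "To", "Subject")}

def recipients_not_in_to_header(envelope, headers):
    """Envelope recipients that the To: header does not mention (substring check)."""
    to_header = (headers.get("To") or "").lower()
    return [r for r in envelope["rcpt_to"] if r.lower() not in to_header]
```
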
