Re: Need help securing mail server: already got hacked.
On Friday 01 July 2005 09:10 am, Jacob S wrote:
>
> [Note: hacking is what knowledgeable sys-admins do when they can't find
> a program that perfectly meets their need. Cracking is what bad guys do
> to break into your server. Hacking is good, cracking is bad.]
>
> Are you sure it got hacked or did you have exim4 setup as an open relay?
> An open relay is much easier to fix than a cracked server.
>
> To have your server tested to see if it is an open relay and have the
> results e-mailed to you, go to www.ordb.org.
>
> If your server was really cracked, you are best doing a full re-install.
> But first, you might try to analyze how they got in and what they used
> to gain root (or if they even got root). Run chkrootkit to see what
> it can find and maybe use a Fire[1] cd to do some forensics on the
> server. Then make sure you are using the latest versions of all of your
> packages and setup an iptables firewall on the machine.
>
> As an aside, I sometimes wonder if Nationwide would even notice that you
> got cracked. August's service has gone down quite a bit since they were
> bought out. :-(
I really appreciate the info: It will help me figure this out. I have been
running exim4 as my mta with no pop3 & using it only for intranet mail . I
now NEED to be able to handle business mail for a new business that I have
started.
BTW: Your the first person I have run into in 6 years thats serviced by
August.net. Your absolutely correct about the drop in service level since
they were bought out. I am currently badgering Verizon to get the new fiber
optic link up & running that they just installed behind my house so I can get
rid of Nationwide. If I wanted "big company" service I would have gone with
them in the first place, so since that's what I'm getting now I might as well
get the best.....
>
> HTH,
> Jacob
>
> [1] http://fire.dmzs.com/
--
John Foster
Reply to: