On 12/17/2010 12:00 PM, Thorsten Göllner wrote:
> Hi,
>
> I have installed Debian 5.0.7. For 2 days my exim4 has not delivered
> mail. I always get the message that the mail is not routeable. I only
> used "dpkg-reconfigure exim4-config" without touching one config file by
> hand. I detected a log message (panic log) which says that there was a
> "too large message". Since that point exim4 has stopped working.
>
> The other point is that pstree reports a process "zinit" I never saw in the
> past:
> (see last line of output)
>
> # pstree -A
> init-+-acpid
>      |-apache2---17*[apache2]
>      |-atd
>      |-cron
>      |-exim4
>      |-6*[getty]
>      |-inetd
>      |-mysqld_safe-+-logger
>      |             `-mysqld---41*[{mysqld}]
>      |-ntpd---ntpd
>      |-portmap
>      |-python
>      |-rpc.statd
>      |-rsyslogd---3*[{rsyslogd}]
>      |-sensord
>      |-smartd
>      |-sshd---sshd---sshd---bash---su---bash---pstree
>      |-udevd
>      `-zinit---{zinit}
>
> I found it here:
> # ls -lah /sbin/zinit
> -rwxr-x--x 1 root root 1.9M 2008-08-12 16:09 /sbin/zinit
>
> But I do not have any idea what it is. And I cannot see the process with
> "ps":
>
> # ps aux | grep zinit
> root 5125 0.0 0.0 3120 708 pts/0 R+ 12:00 0:00 grep zinit

Try first to identify the package the file belongs to:

# dpkg -S /sbin/zinit

If no package is found then most probably your machine was compromised
(using the exim exploit [1]) and you should delete the zinit file
immediately and do a detailed audit of your machine security.

You can check if zinit is listening on any port

# netstat -anp | grep zinit

and try to connect to the port with telnet/netcat to see what is happening
there.

If the file belongs to a package then you can check the integrity of the
file with debsums

# debsums packagename

----------
[1] http://seclists.org/fulldisclosure/2010/Dec/222
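The three checks the reply suggests (dpkg -S, netstat -anp, debsums), plus a cross-check for the "pstree shows it, ps does not" symptom, can be wrapped in a small triage script. The script below is an added example written for this page; it is not code from either poster. It assumes a Debian host with dpkg, debsums, netstat and procps installed, and the sample tool outputs used to exercise the parsers are constructed, not captured from the affected machine. The parse_* functions read tool output from stdin so they can be tried offline; triage() wires them to the real tools and needs root for netstat -p and for reading every /proc entry.

```sh
#!/bin/sh
# Added example (not from the thread): triage of an unknown binary such as
# /sbin/zinit. Each parse_* function reads one tool's output from stdin;
# triage() at the bottom runs the real tools and feeds them in.

# dpkg -S writes "package: /path" per match on stdout (several co-owning
# packages are comma separated); for an unowned file it writes
# "no path found matching pattern" to stderr and exits 1.
# Prints the owning package name(s) or UNOWNED.
parse_dpkg_owner() {
    pkgs=$(sed -n 's/^\([^:][^:]*\): .*/\1/p' | tr ',' '\n' | sed 's/^ //' \
           | sort -u | tr '\n' ' ')
    pkgs=${pkgs% }
    if [ -z "$pkgs" ]; then echo UNOWNED; else echo "$pkgs"; fi
}

# netstat -anp ends each socket line with "PID/Program name".
# Prints "proto local-address" for every socket held by the named program.
parse_netstat_sockets() {
    awk -v p="$1" '$NF ~ ("/" p "$") { print $1, $4 }'
}

# debsums writes "/path  OK" or "/path  FAILED" for each file of the package.
# Prints OK, FAILED, or UNKNOWN when the path is not listed at all.
parse_debsums_result() {
    r=$(awk -v f="$1" '$1 == f { print $2 }')
    case "$r" in
        OK|FAILED) echo "$r" ;;
        *)         echo UNKNOWN ;;
    esac
}

# pstree and ps both read /proc. Given a newline-separated list of names from
# /proc/*/comm ($1) and one from ps ($2), prints the names only /proc shows;
# a non-empty result means the two views of the process table disagree.
names_missing_from_ps() {
    printf '%s\n' "$1" | sort -u | PS_LIST="$2" awk '
        BEGIN { n = split(ENVIRON["PS_LIST"], a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($0 in seen)'
}

# Run every check against a real path (root needed for netstat -p and /proc).
triage() {
    f=$1
    name=$(basename "$f")
    owner=$(dpkg -S "$f" 2>/dev/null | parse_dpkg_owner)
    echo "owner:    $owner"
    if [ "$owner" != UNOWNED ]; then
        for pkg in $owner; do
            echo "debsums:  $pkg $(debsums "$pkg" 2>/dev/null | parse_debsums_result "$f")"
        done
    fi
    echo "sockets:"
    netstat -anp 2>/dev/null | parse_netstat_sockets "$name" | sed 's/^/  /'
    echo "in /proc but not in ps:"
    names_missing_from_ps "$(cat /proc/[0-9]*/comm 2>/dev/null)" "$(ps -eo comm=)" | sed 's/^/  /'
    # /proc/PID/exe resolves to the file actually executing, even if the
    # on-disk copy was renamed or deleted after the process started.
    for c in /proc/[0-9]*/comm; do
        [ "$(cat "$c" 2>/dev/null)" = "$name" ] && ls -l "${c%/comm}/exe" 2>/dev/null
    done
}

if [ "$#" -gt 0 ]; then
    triage "$1"
fi
```

Run it as root with the suspect path (`sh triage.sh /sbin/zinit`) and keep the output before deleting anything, since the file, its listening sockets and the /proc/PID/exe link are the evidence an audit will want. Because ps and pstree read the same /proc, a process visible to one and not the other points at the tool on that machine rather than at the kernel; re-run the comparison with a ps binary from known-good media before trusting either listing.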