On 12/17/2010 12:00 PM, Thorsten Göllner wrote:
> Hi,
>
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver
> mails. I always get the message, that the mail is not routeable. I only
> used "dpkg-reconfigure exim4-config" without touching one config file by
> hand. I detected a log message (panic log) which says, that there was a
> "too large message". Since that point exim4 stopped working.
>
> The other point is that pstree reports a process "zinit" I never saw in the
> past:
> (see last line of output)
>
> # pstree -A
> init-+-acpid
> |-apache2---17*[apache2]
> |-atd
> |-cron
> |-exim4
> |-6*[getty]
> |-inetd
> |-mysqld_safe-+-logger
> | `-mysqld---41*[{mysqld}]
> |-ntpd---ntpd
> |-portmap
> |-python
> |-rpc.statd
> |-rsyslogd---3*[{rsyslogd}]
> |-sensord
> |-smartd
> |-sshd---sshd---sshd---bash---su---bash---pstree
> |-udevd
> `-zinit---{zinit}
>
> I found it here:
> # ls -lah /sbin/zinit
> -rwxr-x--x 1 root root 1.9M 2008-08-12 16:09 /sbin/zinit
>
> But I do not have any idea what it is. And I can not see the process with
> "ps":
>
> # ps aux | grep zinit
> root 5125 0.0 0.0 3120 708 pts/0 R+ 12:00 0:00 grep zinit
>
Try first to identify the package the file belongs to:
# dpkg -S /sbin/zinit
If no package is found then most probably your machine was compromised
(using the exim exploit [1]) and you should delete the zinit file
immediately and do a detailed audit of your machine security.
You can check if zinit is listening on any port
# netstat -anp | grep zinit
And try to connect to the port with telnet/netcat to see what is happening
there.
If the file belongs to a package then you can check the integrity of the
file with debsums
# debsums packagename
----------
[1] http://seclists.org/fulldisclosure/2010/Dec/222
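The checks the reply lists (package ownership with dpkg -S, integrity with debsums, sockets with netstat -anp) put together as one shell script. This is an added example, not code from the list post or from Debian; it assumes a Debian host with dpkg, debsums and net-tools' netstat, and the dpkg/netstat/stat lines shown in the comments are constructed samples, not output from the poster's machine. The parsing is kept in separate functions so it can be tried on sample lines without touching a live system, and because the original report shows zinit in pstree but not in ps, the script also lists matching PIDs straight from /proc/<pid>/stat next to what ps reports.

```shell
#!/bin/sh
# Triage of an unknown binary (e.g. /sbin/zinit) on a Debian host.
# Added example, not from the list post. Assumes dpkg, debsums and
# net-tools netstat are installed; sample lines in comments are constructed.

# owning_package: read `dpkg -S <path>` output (stdout+stderr) on stdin and
# print the owning package, or nothing when no package owns the file.
#   "sysvinit: /sbin/init"                                   -> sysvinit
#   "libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6"           -> libc6:amd64
#   "dpkg-query: no path found matching pattern /sbin/zinit" -> (nothing)
owning_package() {
    awk -F': ' '!/^dpkg(-query)?:/ && !/^diversion / && NF >= 2 { print $1; exit }'
}

# listening_sockets NAME: read `netstat -anp` output on stdin and print
# "proto local-address" for every TCP/UDP socket held by a process called NAME.
#   "tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 5120/zinit" -> "tcp 0.0.0.0:6667"
listening_sockets() {
    awk -v name="$1" '$1 ~ /^(tcp|udp)/ && $NF ~ ("/" name "$") { print $1, $4 }'
}

# comm_from_stat: extract the command name from one /proc/<pid>/stat line.
# The name is the parenthesised second field; the greedy match keeps names
# that themselves contain spaces or parentheses intact.
comm_from_stat() {
    sed -n 's/^[0-9][0-9]* (\(.*\)) .*/\1/p'
}

# pids_named NAME: list PIDs from /proc whose command name is NAME.
# A process present here but absent from `ps aux` points at a tampered ps
# or a rootkit rather than at a harmless daemon.
pids_named() {
    for stat in /proc/[0-9]*/stat; do
        [ -r "$stat" ] || continue
        if [ "$(comm_from_stat < "$stat" 2>/dev/null)" = "$1" ]; then
            echo "${stat#/proc/}" | cut -d/ -f1
        fi
    done
}

# triage_binary PATH: the sequence from the reply, run against a live system.
triage_binary() {
    path=$1
    name=$(basename "$path")

    pkg=$(dpkg -S "$path" 2>&1 | owning_package)
    if [ -z "$pkg" ]; then
        echo "$path: not owned by any package; treat the host as compromised"
    else
        echo "$path: owned by $pkg; files changed since install per debsums:"
        debsums -c "$pkg"          # -c: report only changed files
    fi

    echo "sockets held by $name (netstat -anp):"
    netstat -anp 2>/dev/null | listening_sockets "$name"

    echo "PIDs named $name in /proc:"
    pids_named "$name"
    echo "PIDs named $name according to ps:"
    ps -e -o pid= -o comm= | awk -v name="$name" '$2 == name { print $1 }'
}

# Run the live triage only when a path is given on the command line, so the
# parsing helpers above can be exercised without touching the system.
if [ $# -gt 0 ]; then
    triage_binary "$1"
fi
```

Usage: `sh triage.sh /sbin/zinit`. A file that no package owns, or that debsums reports as changed, should be treated as foreign, and a PID that appears in the /proc listing but not in the ps listing means the ps binary or the kernel is no longer telling the truth, which is a stronger reason for a rebuild than the file itself.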