
Re: my isp is being told *i* am broadcasting spam?



On Fri, Apr 19, 2002 at 11:29:51AM -0700, Vineet Kumar wrote:
> * dman (dman@dman.ddts.net) [020419 09:10]:
> Well, there may be other issues on the table here. Will's original
> question was "can I tell if I've been hacked?" His exim setup could be
> sound, but it's definitely feasible that a rootkit could install a mail
> relay listening on another port and sending out a ton of spam
> unbeknownst to ps and top. Are your hub lights blinking, Will?

yep. lots.

When I first set up IPCop (ipcop.org) I got about 18 MB of
logfile in one afternoon from the default firewall logging rules
(via ipchains on potato):

Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.64.14.221:65535 224.0.0.5:65535 L=64 S=0x00 I=21723 F=0x0000 T=1 (#8)
Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.110.253.177:65535 224.0.0.5:65535 L=64 S=0x00 I=21731 F=0x0000 T=1 (#8)
Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.121.237.41:65535 224.0.0.5:65535 L=64 S=0x00 I=21743 F=0x0000 T=1 (#8)
Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.103.241:65535 224.0.0.5:65535 L=64 S=0x00 I=21747 F=0x0000 T=1 (#8)
Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.98.249:65535 224.0.0.5:65535 L=64 S=0x00 I=21753 F=0x0000 T=1 (#8)

Hundreds upon thousands of those, from the moment the firewall
(IPCop v0.1.1) came up. To keep from sucking up all available
space, I deleted the final (reject-and-log) rule of the incoming
ruleset...

Is all this activity from a goofy setup by my ISP?  Is it
something I'm doing?  Surely this much probing must mean
something...

> If that rootkit was installed by somebody exploiting a samba which
> should have been blocked from The Outside, this could potentially have
> been prevented if a packet filter was installed to allow incoming
> connections only to tcp/25.

No Samba -- never had it, never will. (Considered it at home, but
figured out a better way.)

-- 
I use Debian/GNU Linux version 2.2;
Linux server 2.2.17 #1 Sun Jun 25 09:24:41 EST 2000 i586 unknown
 
DEBIAN NEWBIE TIP #72 from USM Bish <bish@nde.vsnl.net.in>
:
Prefer to LOGIN IN VIA CONSOLE INSTEAD OF VIA GUI? No problem.
A freshly-installed "X" window display system by default boots
into GUI, instead of having you log in at the text console.
This is because of "xdm" or "gdm" or "kdm". To avoid this and
boot into console mode instead:
	update-rc.d -f xdm remove
This will remove all system startup links in /etc/init.d for
xdm. You can still get X up and running via "startx" but it
won't intervene in your login process.

Also see http://newbieDoc.sourceForge.net/ ...
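An added example, not code from the original post or from IPCop, that parses ipchains "Packet log:" lines of the kind quoted above and sorts them into routing chatter versus real connection attempts. PROTO=89 is OSPF, 224.0.0.5 is the AllSPFRouters multicast group (RFC 2328), and T=1 is the link-local TTL OSPF Hellos are sent with, so the quoted lines are Hello packets from routers on the directly attached segment: the firewall sees them because it shares a link with those routers, not because anyone is probing the host. The five OSPF lines are the ones from the post (one spelled "T= 1" with a stray space, which the pattern tolerates); the TCP and UDP lines, their RFC 5737 addresses and ports, and the trailing garbage line are constructed for the example. The code ignores the port fields for protocols that have no ports (the 65535 in the OSPF lines is a placeholder, not a real port), and the "SYN" token it accepts is the one ipchains appends for TCP SYN packets.

```python
"""Classify ipchains "Packet log:" lines (Linux 2.2 / IPCop 0.1.1 era).

Added example, not from the original post or from IPCop.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Field order of an ipchains kernel log line:
#   <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> [SYN] (#<rule>)
# "T=\s*" tolerates the "T= 1" spacing seen in the quoted log.
LOG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=\s*(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPF"}
OSPF_MCAST = {"224.0.0.5", "224.0.0.6"}  # AllSPFRouters, AllDRouters (RFC 2328)


@dataclass
class Entry:
    chain: str
    iface: str
    proto: int
    src: str
    dst: str
    dport: int
    ttl: int
    syn: bool
    rule: int


def parse_line(line):
    """Return an Entry for an ipchains log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # For protocols without ports (OSPF, ICMP) ipchains prints 65535 as a
    # placeholder; the port is only meaningful for TCP/UDP, so classify()
    # never looks at it for other protocols (assumption stated in the lead-in).
    return Entry(chain=m["chain"], iface=m["iface"], proto=int(m["proto"]),
                 src=m["src"], dst=m["dst"], dport=int(m["dport"]),
                 ttl=int(m["ttl"]), syn=m["syn"] is not None, rule=int(m["rule"]))


def classify(e):
    """Label an entry: routing chatter, other multicast, or a unicast attempt."""
    if e.proto == 89 and e.dst in OSPF_MCAST and e.ttl == 1:
        # OSPF Hello from a router on the same link: TTL 1 cannot have been
        # forwarded, so the sender is directly attached. Noise, not a probe.
        return "ospf-hello"
    if ip_address(e.dst).is_multicast:
        return "other-multicast"
    if e.proto == 6:
        return f"tcp-syn/{e.dport}" if e.syn else f"tcp/{e.dport}"
    if e.proto == 17:
        return f"udp/{e.dport}"
    return PROTO_NAMES.get(e.proto, f"proto{e.proto}")


def summarize(lines):
    """Count entries per class and collect the routers speaking OSPF to us."""
    counts = Counter()
    ospf_speakers = set()
    for line in lines:
        e = parse_line(line)
        if e is None:
            counts["unparsed"] += 1
            continue
        cls = classify(e)
        counts[cls] += 1
        if cls == "ospf-hello":
            ospf_speakers.add(e.src)
    return counts, sorted(ospf_speakers)


# The five OSPF lines are from the post; the rest are constructed sample data.
SAMPLE_LINES = [
    "Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.64.14.221:65535 224.0.0.5:65535 L=64 S=0x00 I=21723 F=0x0000 T=1 (#8)",
    "Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.110.253.177:65535 224.0.0.5:65535 L=64 S=0x00 I=21731 F=0x0000 T= 1 (#8)",
    "Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.121.237.41:65535 224.0.0.5:65535 L=64 S=0x00 I=21743 F=0x0000 T=1 (#8)",
    "Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.103.241:65535 224.0.0.5:65535 L=64 S=0x00 I=21747 F=0x0000 T=1 (#8)",
    "Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 65.195.98.249:65535 224.0.0.5:65535 L=64 S=0x00 I=21753 F=0x0000 T=1 (#8)",
    # Constructed: a unicast TCP SYN to 139 (NetBIOS) and a UDP packet to 137.
    "Apr  2 12:19:03 troll kernel: Packet log: input - eth1 PROTO=6 192.0.2.77:3322 198.51.100.9:139 L=48 S=0x00 I=4711 F=0x4000 T=117 SYN (#8)",
    "Apr  2 12:19:05 troll kernel: Packet log: input - eth1 PROTO=17 192.0.2.78:1026 198.51.100.9:137 L=78 S=0x00 I=4712 F=0x0000 T=118 (#8)",
    "Apr  2 12:19:06 troll kernel: something that is not a packet log line",
]


def report():
    """Summary for the embedded sample; the same function works on a real log."""
    return summarize(SAMPLE_LINES)


if __name__ == "__main__":
    counts, routers = report()
    for cls, n in counts.most_common():
        print(f"{n:6d}  {cls}")
    print("OSPF speakers on the attached segment:", ", ".join(routers))
```

Run on the whole file with `summarize(open("/var/log/messages"))` and the OSPF Hellos collapse into one counter with a list of the routers sending them, leaving the unicast TCP and UDP classes as the lines worth reading. A quieter fix than deleting the final reject-and-log rule is to insert a non-logging DENY for this traffic ahead of it, e.g. `ipchains -I input 1 -i eth1 -p 89 -d 224.0.0.5 -j DENY`, so the catch-all keeps logging genuine unicast connection attempts; how IPCop 0.1.1 persists a custom rule is not something the post says.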

