
Re: Help. My system cracked and used to spam



Hi Chris

Thanks for the reply

It is a stock 2.0 install from CDs with Exim installed and 
setup by the scripts. Nothing particular was done to prevent 
entry.  What does "Properly locked down" mean?

I had some accounts there that may not have had decent 
passwords, but they would have needed root access to 
change the Exim setup, don't you suppose?

I don't know enough to find whether it could have been set up as 
a relay.  I do need to understand the spam relay. 

I want to stop the spam relay long enough to copy the data to another 
machine (which will have Sarge installed).

I still need references to do some reading so I can understand
what I need to do to fix things.

I actually plan to wipe, but the machine is so slow with the spam relay
going on that I cannot do anything. I am replacing it with a much faster
machine with significantly more RAM.

David Teague

----- Original Message ----- 
From: "Chris Kenrick" <chrisk@aurema.com>
To: "David Teague" <dbt@cs.wcu.edu>
Cc: <debian-user@lists.debian.org>; <teague@jackson.main.nc.us>
Sent: Thursday, August 08, 2002 11:39 PM
Subject: Re: Help. My system cracked and used to spam


> On Thu, Aug 08, 2002 at 11:29:58PM -0400, David Teague wrote:
> > 
> > Hi 
> > 
> > 
> > Please CC: response to teague@jackson.main.nc.us
> > 
> > The Subject line says it all. One of my machines was 
> > cracked and A spam forwarder was installed on it. 
> 
> Hmm... If the machine truly was "cracked", then probably the best thing
> to do is to take a copy of any data from the machine, then wipe and do a
> complete reinstall.  Otherwise it's just a mess trying to work out what
> was trojaned and what wasn't.
> 
> > 
> > It is an old 486 running Debian 2.0.
> > 
> > I disconnected it from the net, since stopping
> > the spam forwarding is very important.
> > 
> > Please, will someone give me pointers to FAQs,
> > HOWTOs and books on how to find what was done
> > to the mailer (Exim?) to make it behave so, and
> > how to find how to fix it.
> 
> So, was Exim running properly locked down, and then they broke in and
> unlocked it?  If so, then they must have found another vulnerability to
> get in (were you keeping up to date with security updates?).  If exim
> was configured as an open relay and they just happened to find it, then
> one of the exim experts on here should be able to chime in and help.
> 
> Hope that helps...
> 
> - Chris
> 
> 
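Chris's distinction between "locked down and then broken into" and "configured as an open relay and found" can be checked from the Exim configuration itself. The following is an added example, not code from this thread: it parses the main section of an Exim 3 style configuration (the Exim shipped with Debian 2.0) and reports whether its host_accept_relay or relay_domains options permit relaying for anyone. The configuration snippets are constructed samples, and the option names and colon-separated list syntax are taken from Exim 3's main-section conventions.

```python
import re

# Constructed Exim 3 style main-section samples (not from the thread).
# In Exim 3, host_accept_relay lists hosts allowed to relay through us and
# relay_domains lists domains we relay to; a wildcard in either opens the relay.
OPEN_RELAY_CONFIG = """
primary_hostname = mail.example.org
local_domains = localhost:example.org
host_accept_relay = *
relay_domains = *
"""

LOCKED_DOWN_CONFIG = """
primary_hostname = mail.example.org
local_domains = localhost:example.org
host_accept_relay = 127.0.0.1:192.168.1.0/24   # only our own hosts may relay
relay_domains = partner.example.net
"""

# Values that match every host; treated as "anyone may relay".
HOST_WILDCARDS = {"*", "0.0.0.0/0"}


def parse_main_options(config: str) -> dict:
    """Return {option: value} for 'name = value' lines of the main section.
    Exim 3 terminates the main section with a line reading 'end'; options
    after it belong to transports/directors/routers and are ignored here."""
    opts = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if line == "end":
            break
        m = re.match(r"^([A-Za-z_]+)\s*=\s*(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts


def relay_findings(config: str) -> list:
    """Return a list of reasons this configuration could relay for anyone."""
    opts = parse_main_options(config)
    findings = []
    hosts = [h.strip() for h in opts.get("host_accept_relay", "").split(":") if h.strip()]
    if any(h in HOST_WILDCARDS for h in hosts):
        findings.append("host_accept_relay accepts relaying from any host")
    if opts.get("relay_domains", "") == "*":
        findings.append("relay_domains permits relaying to any domain")
    return findings


def is_open_relay(config: str) -> bool:
    """True when either relay control is wide open."""
    return bool(relay_findings(config))
```

On a live Exim 3 host the same parser can be pointed at /etc/exim/exim.conf; a non-empty finding list means spam relaying needed no break-in at all, while an empty one points back at Chris's first scenario of a compromised host.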