Re: Help. My system cracked and used to spam
Hi Chris
Thanks for the reply
It is a stock 2.0 install from CDs with Exim installed and
setup by the scripts. Nothing particular was done to prevent
entry. What does "Properly locked down" mean?
I had some accounts there that may not have had decent
passwords, but they would have needed root access to
change the Exim setup, don't you suppose?
I don't know enough to find whether it could have been set up as
a relay. I do need to understand the spam relay.
I want to stop the spam relay long enough to copy the data to another
machine (which will have Sarge installed).
I still need references to do some reading so I can understand
what I need to do to fix things.
I actually plan to wipe, but the machine is so slow with the spam relay
going on that I cannot do anything. I am replacing it with a much faster
machine with significantly more RAM.
David Teague
----- Original Message -----
From: "Chris Kenrick" <chrisk@aurema.com>
To: "David Teague" <dbt@cs.wcu.edu>
Cc: <debian-user@lists.debian.org>; <teague@jackson.main.nc.us>
Sent: Thursday, August 08, 2002 11:39 PM
Subject: Re: Help. My system cracked and used to spam
> On Thu, Aug 08, 2002 at 11:29:58PM -0400, David Teague wrote:
> >
> > Hi
> >
> >
> > Please CC: response to teague@jackson.main.nc.us
> >
> > The Subject line says it all. One of my machines was
> > cracked and a spam forwarder was installed on it.
>
> Hmm... If the machine truly was "cracked", then probably the best thing
> to do is to take a copy of any data from the machine, then wipe and do a
> complete reinstall. Otherwise it's just a mess trying to work out what
> was trojaned and what wasn't.
>
> >
> > It is an old 486 running Debian 2.0.
> >
> > I disconnected it from the net, since stopping
> > the spam forwarding is very important.
> >
> > Please, will someone give me pointers to FAQs,
> > HOWTOs and books on how to find what was done
> > to the mailer (Exim?) to make it behave so, and
> > how to find how to fix it.
>
> So, was Exim running properly locked down, and then they broke in and
> unlocked it? If so, then they must have found another vulnerability to
> get in (were you keeping up to date with security updates?). If exim
> was configured as an open relay and they just happened to find it, then
> one of the exim experts on here should be able to chime in and help.
>
> Hope that helps...
>
> - Chris
>
>
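David asks how to tell whether the Exim on the old box was set up as a relay, and Chris's reply hinges on the same question. The script below is an added example for this thread, not code from either poster or from Debian's Exim packaging: a POSIX shell audit that reads the main section of an Exim 3 style exim.conf (the format used on Debian 2.0) and flags a `host_accept_relay` or `relay_domains` value that lets any host relay. The directive names and the `end` section terminator are Exim 3's own; the two sample configuration files are constructed here for the example.

```shell
# Added example, not from the thread or from Debian's Exim packaging.
# Heuristic audit of an Exim 3 style exim.conf: does the main section let
# any host relay through this server?  Directive names (host_accept_relay,
# relay_domains, the "end" section terminator) are Exim 3's; the sample
# configuration files below are constructed for this example.

# Print the value of one option from the main section of an Exim 3 config.
# Usage: exim_main_option FILE OPTION
exim_main_option() {
    awk -v opt="$2" '
        /^[[:space:]]*end[[:space:]]*$/ { exit }   # main section is over
        /^[[:space:]]*#/ { next }                  # comment line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            name = substr(line, 1, n - 1)
            sub(/[[:space:]]+$/, "", name)
            if (name == opt) {
                val = substr(line, n + 1)
                sub(/^[[:space:]]+/, "", val)
                sub(/[[:space:]]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# True (exit 0) when a colon-separated Exim list contains a match-anything
# item: "*" or the all-networks prefix 0.0.0.0/0.
# Usage: exim_list_has_wildcard "LIST"
exim_list_has_wildcard() {
    printf '%s\n' "$1" | tr ':' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qx -e '\*' -e '0\.0\.0\.0/0'
}

# True (exit 0) if the config lets any host relay, or relays to any domain.
# Usage: exim_relay_is_open FILE
exim_relay_is_open() {
    hosts=$(exim_main_option "$1" host_accept_relay)
    doms=$(exim_main_option "$1" relay_domains)
    exim_list_has_wildcard "$hosts" || exim_list_has_wildcard "$doms"
}

# Two constructed configs: a locked-down one and an open relay.
SAFE_CONF=$(mktemp)
OPEN_CONF=$(mktemp)
trap 'rm -f "$SAFE_CONF" "$OPEN_CONF"' EXIT

cat > "$SAFE_CONF" <<'EOF'
# constructed sample: relay only from the local host and one LAN
primary_hostname = mail.example.org
local_domains = localhost : example.org
host_accept_relay = 127.0.0.1 : 192.0.2.0/24
end
remote_smtp:
  driver = smtp
EOF

cat > "$OPEN_CONF" <<'EOF'
# constructed sample: the open-relay misconfiguration
primary_hostname = mail.example.org
local_domains = localhost : example.org
host_accept_relay = *
end
remote_smtp:
  driver = smtp
EOF

for f in "$SAFE_CONF" "$OPEN_CONF"; do
    if exim_relay_is_open "$f"; then
        echo "$f: OPEN RELAY (host_accept_relay = $(exim_main_option "$f" host_accept_relay))"
    else
        echo "$f: relay restricted to: $(exim_main_option "$f" host_accept_relay)"
    fi
done
```

This only reads the file, so it can be run against a copy of exim.conf taken off the disconnected machine before any data is moved. On the box itself, Exim's own host-testing mode (`exim -bh <address>`) simulates an SMTP session from that address and shows whether a RCPT to an outside domain is accepted, which is the authoritative check; `exim -bp` lists what is sitting in the queue once the daemon is stopped, which is useful for seeing how much of the slowness is queued spam.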