
Re: Need help securing mail server: already got hacked.

On Friday 01 July 2005 09:10 am, Jacob S wrote:

> [Note: hacking is what knowledgeable sys-admins do when they can't find
> a program that perfectly meets their need. Cracking is what bad guys do
> to break into your server. Hacking is good, cracking is bad.]
> Are you sure it got hacked or did you have exim4 set up as an open relay?
> An open relay is much easier to fix than a cracked server.
> To have your server tested to see if it is an open relay and have the
> results e-mailed to you, go to www.ordb.org.
> If your server was really cracked, you are best doing a full re-install.
> But first, you might try to analyze how they got in and what they used
> to gain root (or if they even got root). Run chkrootkit to see what
> it can find and maybe use a Fire[1] CD to do some forensics on the
> server. Then make sure you are using the latest versions of all of your
> packages and set up an iptables firewall on the machine.
> As an aside, I sometimes wonder if Nationwide would even notice that you
> got cracked. August's service has gone down quite a bit since they were
> bought out. :-(
I really appreciate the info: It will help me figure this out. I have been
running exim4 as my MTA with no pop3 & using it only for intranet mail. I
now NEED to be able to handle business mail for a new business that I have

BTW: You're the first person I have run into in 6 years that's serviced by
August.net. You're absolutely correct about the drop in service level since
they were bought out. I am currently badgering Verizon to get the new fiber 
optic link up & running that they just installed behind my house so I can get 
rid of Nationwide. If I wanted "big company" service I would have gone with 
them in the first place, so since that's what I'm getting now I might as well 
get the best.....
> HTH,
> Jacob
> [1] http://fire.dmzs.com/

John Foster
