
Re: How do I fix this?



They sent it to me in an email,
 
Tried writing back but got no reply am thinking w/e and all.
 
The thing I tried to make it secure, took all the necessary steps, although I am no expert
 
I have dug through all my logs and still can't find anything suspect ..
 
As far as running a webserver, yes I am running tomcat, but that is chrooted also,
the only thing I had that wasn't was sshd, and qmail ..
 
sshd only allows 1 user to log in, and that user has a complicated and long password.
 
however, when looking through the smtp logs .. I got tonnes of these,
 
>>
@40000000443810481324891c tcpserver: pid 2018 from 64.194.241.14
@40000000443810481379ec7c tcpserver: ok 2018 mail.mydomain.com:xx.xxx.xxx.xx:25 14.24
1.194.64.rev.arces.net:64.194.241.14::3367
 40000000443810481909fb14 2018 > 220 mail.mydomain.com ESMTP
 40000000443810481fdca39c 2018 < EHLO web01.text-link-ads.com
 40000000443810481fde8414 2018 > 250-mail.mydomain.com
 40000000443810481fdefd2c 2018 > 250-AUTH LOGIN CRAM-MD5 PLAIN
 40000000443810481fdf3f94 2018 > 250-AUTH=LOGIN CRAM-MD5 PLAIN
 40000000443810481fdf89cc 2018 > 250-STARTTLS
 40000000443810481fdfcc34 2018 > 250-PIPELINING
 40000000443810481fe00e9c 2018 > 250 8BITMIME
 400000004438104826e056d4 2018 < STARTTLS
 40000000443810482c46770c 2018 > 220 ready for tls
@400000004438104833285a04 2018 < |c985
@40000000443810483329407c 2018 < À32/cba        @ed_7r´ÈòÞçÑuôC+
@4000000044381048336f6d54 tcpserver: end 2018 status 256
@4000000044381048337076f4 tcpserver: status: 0/30
@400000004438104833718c4c 2018 > [EOF]
@4000000044381750266bbb44 tcpserver: status: 1/30
 
I have since blocked those IP addresses in my IPTABLES ..
 
Still can't find any trace of this activity though ..
off to run chkrootkit now ..
 


 
On 4/8/06, Kevin Mark <kmark+debian-user@pipeline.com> wrote:
On Sat, Apr 08, 2006 at 05:04:10PM +0100, M A wrote:
> Hi there Got this from my ISP the other day
>
> We have been forced to take your server off line, since your server is
Hi MA,
did you actually call your ISP yourself and they said this? I'd do that
and confirm that this is not phishing.
Cheers,
Kev
--
|  .''`.  == Debian GNU/Linux == |       my web site:       |
| : :' :      The  Universal     | debian.home.pipeline.com |
| `. `'      Operating System    | go to counter.li.org and |
|   `-    http://www.debian.org/ |    be counted! #238656   |
|     my keysever: pgp.mit.edu    |     my NPO: cfsg.org     |


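As an added example (not code from the original thread or from qmail), the following Python script parses tcpserver/multilog lines in the format of the smtp log excerpt quoted above: it decodes the tai64n timestamps, groups lines by tcpserver pid, and reports each session's source IP, EHLO name, client commands and duration, then lists the sessions that negotiated STARTTLS but never got to MAIL FROM. The sample log is constructed from the post's excerpt with the raw TLS bytes replaced by a placeholder; the TAI-to-Unix offset follows tai64nlocal's behaviour when no leap-second table is installed.

```python
import re
# Constructed sample in qmail tcpserver/multilog (tai64n) format, modelled on the
# excerpt quoted in the post; the raw TLS bytes are replaced by a placeholder.
SAMPLE_LOG = """\
@40000000443810481324891c tcpserver: pid 2018 from 64.194.241.14
@40000000443810481379ec7c tcpserver: ok 2018 mail.mydomain.com:xx.xxx.xxx.xx:25 14.241.194.64.rev.arces.net:64.194.241.14::3367
@40000000443810481fdca39c 2018 < EHLO web01.text-link-ads.com
@400000004438104826e056d4 2018 < STARTTLS
@400000004438104833285a04 2018 < <binary TLS bytes>
@4000000044381048336f6d54 tcpserver: end 2018 status 256
@4000000044381750266bbb44 tcpserver: status: 1/30
"""

# libtai's tai_unix(): TAI64 label = 2^62 + 10 + Unix seconds (no leap-second table)
TAI64_UNIX_OFFSET = (1 << 62) + 10

def tai64n_to_unix(stamp):
    """'@' + 16 hex TAI64 seconds + 8 hex nanoseconds -> (unix_seconds, nanoseconds)."""
    return int(stamp[1:17], 16) - TAI64_UNIX_OFFSET, int(stamp[17:25], 16)

LINE_RE = re.compile(r"^(@[0-9a-f]{24}) (.*)$")
PID_RE = re.compile(r"^tcpserver: pid (\d+) from (\S+)$")
END_RE = re.compile(r"^tcpserver: end (\d+) status (\d+)$")
CLIENT_RE = re.compile(r"^(\d+) < (.*)$")  # data the remote client sent

def summarize_sessions(log_text):
    """Group log lines by tcpserver pid and return one dict per SMTP session."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue  # lines without a tai64n stamp (or other formats) are skipped
        secs, nanos = tai64n_to_unix(m.group(1))
        ts_ns, body = secs * 10**9 + nanos, m.group(2)
        if (p := PID_RE.match(body)):
            sessions[p.group(1)] = {"ip": p.group(2), "start_ns": ts_ns, "ehlo": None,
                                    "commands": [], "status": None, "duration_s": None}
        elif (e := END_RE.match(body)) and e.group(1) in sessions:
            s = sessions[e.group(1)]
            s["status"], s["duration_s"] = int(e.group(2)), (ts_ns - s["start_ns"]) / 1e9
        elif (c := CLIENT_RE.match(body)) and c.group(1) in sessions:
            words = c.group(2).split() or [""]
            sessions[c.group(1)]["commands"].append(words[0].upper())
            if words[0].upper() == "EHLO" and len(words) > 1:
                sessions[c.group(1)]["ehlo"] = words[1]
    return sessions

def tls_only_probes(sessions):
    """Pids that sent STARTTLS but never MAIL FROM (failed handshake or scanner, not delivery)."""
    return [pid for pid, s in sessions.items()
            if "STARTTLS" in s["commands"] and "MAIL" not in s["commands"]]
```

Run it over a real `qmail-smtpd` multilog file and count the probe pids per `ip` before deciding which addresses are worth a firewall rule.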



