Re: netbot'd ?

[Hugo Vanwoerkom <hvw59601@care2.com>]

Douglas Allan Tutty wrote:
> On Fri, Feb 02, 2007 at 03:02:18PM -0600, Hugo Vanwoerkom wrote:
> > Hi,
> >
> > What do you call having been infected by a program that sends thousands 
> > of emails out without you knowing it.?
> >
> > Anyway I received via my ISP's email server several emails that claimed 
> > my box sent out thousands of emails over the weekend.
> >
> > It asked me to open + execute an attached file for an explanation of how 
> > to avoid it. (Which I did not)
> >
> > Several things were fishy:
> > 1. The notes were in English and the ISP is Mexican and the userid 
> > Mexican, so why the English?
> > 2. The box is firewalled and chkrootkit 0.47 detects noting.
> > 3. This is a dialup account, so the IP changes all the time.
> > 4. I have tleds installed and I notice no undue activity, but the system 
> > runs unattended often.
> >
> > But it brings up an interesting question:
> >
> > How would you find out if this was the case?
>
> Exim logs?

Good point. But what am I looking for?
I see an infinite number of:

2007-01-26 09:52:09 Start queue run: pid=20299
2007-01-26 09:52:09 End queue run: pid=20299

and

2007-01-26 16:13:07 1HAZJj-0004F2-D2 <= root@debian U=root P=local S=618
2007-01-26 16:13:07 1HAZJj-0004F2-D2 => hugo <hugo@debian> R=local_user 
T=mail_spool
2007-01-26 16:13:07 1HAZJj-0004F2-D2 Completed

when something happened in crontab.

Nothing else.

And BTW exim is local only: nothing gets to the outside that I know of, 
I tried that and gave up.

Hugo