[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: netbot'd ?

Douglas Allan Tutty wrote:
On Fri, Feb 02, 2007 at 03:02:18PM -0600, Hugo Vanwoerkom wrote:

What do you call having been infected by a program that sends thousands of emails out without you knowing it.?

Anyway I received via my ISP's email server several emails that claimed my box sent out thousands of emails over the weekend.

It asked me to open + execute an attached file for an explanation of how to avoid it. (Which I did not)

Several things were fishy:
1. The notes were in English and the ISP is Mexican and the userid Mexican, so why the English?
2. The box is firewalled and chkrootkit 0.47 detects noting.
3. This is a dialup account, so the IP changes all the time.
4. I have tleds installed and I notice no undue activity, but the system runs unattended often.

But it brings up an interesting question:

How would you find out if this was the case?

Exim logs?

Good point. But what am I looking for?
I see an infinite number of:

2007-01-26 09:52:09 Start queue run: pid=20299
2007-01-26 09:52:09 End queue run: pid=20299


2007-01-26 16:13:07 1HAZJj-0004F2-D2 <= root@debian U=root P=local S=618
2007-01-26 16:13:07 1HAZJj-0004F2-D2 => hugo <hugo@debian> R=local_user T=mail_spool
2007-01-26 16:13:07 1HAZJj-0004F2-D2 Completed

when something happened in crontab.

Nothing else.

And BTW exim is local only: nothing gets to the outside that I know of, I tried that and gave up.


Reply to: