Re: netbot'd ?
Douglas Allan Tutty wrote:
> On Fri, Feb 02, 2007 at 03:02:18PM -0600, Hugo Vanwoerkom wrote:
> > What do you call having been infected by a program that sends thousands
> > of emails out without you knowing it?
> > Anyway I received via my ISP's email server several emails that claimed
> > my box sent out thousands of emails over the weekend.
> > It asked me to open + execute an attached file for an explanation of how
> > to avoid it. (Which I did not)
> > Several things were fishy:
> > 1. The notes were in English and the ISP is Mexican and the userid
> > Mexican, so why the English?
> > 2. The box is firewalled and chkrootkit 0.47 detects nothing.
> > 3. This is a dialup account, so the IP changes all the time.
> > 4. I have tleds installed and I notice no undue activity, but the system
> > runs unattended often.
> > But it brings up an interesting question:
> > How would you find out if this was the case?
Good point. But what am I looking for?
I see an infinite number of:
2007-01-26 09:52:09 Start queue run: pid=20299
2007-01-26 09:52:09 End queue run: pid=20299
2007-01-26 16:13:07 1HAZJj-0004F2-D2 <= root@debian U=root P=local S=618
2007-01-26 16:13:07 1HAZJj-0004F2-D2 => hugo <hugo@debian> R=local_user
2007-01-26 16:13:07 1HAZJj-0004F2-D2 Completed
when something happened in crontab.
And BTW exim is local only: nothing gets to the outside that I know of;
I tried that and gave up.
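As an added illustration (not part of the thread and not anyone's posted code) of what to look for in the exim log when checking whether a box has been relaying mail: the script below parses mainlog lines of the shape quoted above, separates deliveries that stay local (`R=local_user`) from ones that leave the host (exim marks those with `T=remote_smtp`), counts remote deliveries per hour, and records which local account (`U=...`) injected each message. The log excerpt is constructed for the example; the `www-data` injection and the `example.*` recipients are made up to show what a web-script mailer would look like next to the cron-driven root mail in the post.

```python
import re
from collections import Counter

# Constructed exim mainlog excerpt for this example (not from the original thread).
# The "<=" / "=>" / "Completed" lines follow the layout quoted in the post; the
# "T=remote_smtp" lines are the form exim writes when a delivery leaves the host.
SAMPLE_LOG = """\
2007-01-26 09:52:09 Start queue run: pid=20299
2007-01-26 09:52:09 End queue run: pid=20299
2007-01-26 16:13:07 1HAZJj-0004F2-D2 <= root@debian U=root P=local S=618
2007-01-26 16:13:07 1HAZJj-0004F2-D2 => hugo <hugo@debian> R=local_user
2007-01-26 16:13:07 1HAZJj-0004F2-D2 Completed
2007-01-27 03:10:01 1HAjcV-0001AB-Xy <= www-data@debian U=www-data P=local S=2048
2007-01-27 03:10:02 1HAjcV-0001AB-Xy => a@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.10]
2007-01-27 03:10:02 1HAjcV-0001AB-Xy => b@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20]
2007-01-27 03:10:03 1HAjcV-0001AB-Xy => c@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.30]
2007-01-27 03:10:03 1HAjcV-0001AB-Xy Completed
"""

# "<=" lines: a message entered the queue; "=>" lines: one delivery attempt succeeded.
RECEIVED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} (\S+) <= (\S+) (.*)$")
DELIVERY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} (\S+) => (\S+) ?(.*)$")
USER_RE = re.compile(r"\bU=(\S+)")


def summarize(log_text):
    """Separate mail that left the host from purely local delivery, per hour."""
    remote_per_hour = Counter()
    local_per_hour = Counter()
    injectors = Counter()        # local accounts (U=...) that handed mail to exim
    remote_recipients = set()
    for line in log_text.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            u = USER_RE.search(m.group(4))
            if u:
                injectors[u.group(1)] += 1
            continue
        m = DELIVERY_RE.match(line)
        if not m:
            continue                 # queue-run chatter and "Completed" lines
        hour, _msgid, addr, rest = m.groups()
        if "T=remote_smtp" in rest:  # delivery went out over SMTP
            remote_per_hour[hour] += 1
            remote_recipients.add(addr)
        else:                        # local mailbox delivery (R=local_user etc.)
            local_per_hour[hour] += 1
    return {
        "remote_total": sum(remote_per_hour.values()),
        "local_total": sum(local_per_hour.values()),
        "remote_per_hour": dict(remote_per_hour),
        "remote_recipients": len(remote_recipients),
        "injectors": dict(injectors),
    }


def flag_bursts(summary, per_hour_threshold=50):
    """Hours with more outbound deliveries than a dialup user would send by hand.

    The threshold is an assumed value for the example; pick it from your own baseline.
    """
    return sorted(h for h, n in summary["remote_per_hour"].items() if n > per_hour_threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print("suspicious hours:", flag_bursts(s, per_hour_threshold=2))
```

On a box where exim is configured local-only, `remote_total` should stay at zero; any `T=remote_smtp` line at all, or an injecting account other than the ones you expect from cron, is the thing worth chasing. Note this only sees mail that went through exim: a bot that speaks SMTP directly to port 25 never appears in this log, which is why the firewall's outbound rules and connection logging matter alongside it.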