Manuel Aróstegui wrote:
On Mon, 2009-05-25 at 11:47 +0200, redhat@xxxxxx wrote:
A few days ago my Fedora 10 Linux server had a problem. CPU was 100% and I could not log in via SSH or on the console anymore to find the cause. Had to reboot.
The server is used as a mail relay server. After the reboot it seemed that sendmail was not working correctly. It did not accept connections anymore on port 25.
Then I found that the file had changed. It looks like this file has been generated on the 23rd of May. And it was not me who generated it!
It looks like this is a hack. Has anybody got an idea about how to confirm this? How did they do this? And about how to prevent this?
Hi there,
Are you sure any application changed it? Maybe an installation of a new
package put its own configuration in there.
You might want to take a look at the connection logs and the root
"history" to trace what was done in the CLI.
The bad news is you rebooted the machine, which can mean if the "hacker"
was clever enough he might have left a logical bomb to delete all his traces
when rebooting or powering off :(
check the log files, both the sshd and the sendmail logs
only root users can change anything in the /etc/mail folder
so look out for any root access and check whether it was you or anybody else
also look if you can find when sendmail last restarted, as sendmail only
reads the config file on startup
and then the most obvious, change ALL PASSWORDS, use complex passwords
or use key files to ssh into your boxes
guideline :
Toshaan <toshlinux@xxxxxxxxx> -
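The checks the two replies describe (root logins in the sshd log, the last sendmail restart in the mail log, and the config file's change time) can be lined up into one timeline. The script below is an added example, not code from either poster; the log lines, host name, addresses and change time are constructed samples in Fedora syslog format.

```bash
#!/bin/sh
# Added example (not from the thread). Correlates a config file's change time
# with root SSH logins and sendmail restarts, as the replies above suggest.
# Log lines below are constructed samples in Fedora syslog format, not real data.

SECURE_LOG='May 22 09:12:01 relay sshd[2101]: Accepted password for admin from 192.0.2.10 port 51022 ssh2
May 23 02:41:17 relay sshd[4410]: Accepted password for root from 198.51.100.7 port 40013 ssh2
May 23 02:41:20 relay sshd[4410]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 24 10:00:05 relay sshd[5120]: Accepted publickey for admin from 192.0.2.10 port 51100 ssh2'

MAIL_LOG='May 20 06:00:01 relay sendmail[1201]: starting daemon (8.14.3): SMTP+queueing@01:00:00
May 23 02:44:02 relay sendmail[4472]: starting daemon (8.14.3): SMTP+queueing@01:00:00'

# On the real box take the change time from `stat /etc/mail/sendmail.cf` and
# read its "Change:" (ctime) line as well as "Modify:": mtime can be reset with
# touch, ctime cannot. `rpm -V sendmail` reports whether the file still matches
# the package contents, one way to tell a package update from a hand edit.
CHANGED='May 23 02:43:10'   # constructed value for this example

# awk program: prefix each line with a sortable key MMDDhhmmss from its timestamp
KEYED='{ m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
         t = $3; gsub(":", "", t)
         printf "%02d%02d%s %s\n", m, $2, t, $0 }'

# window_events LOG REGEX START END: matching lines whose time lies within [START, END]
window_events() {
    s=$(printf '%s\n' "$3" | awk "$KEYED" | cut -d' ' -f1)
    e=$(printf '%s\n' "$4" | awk "$KEYED" | cut -d' ' -f1)
    printf '%s\n' "$1" | grep -E "$2" | awk "$KEYED" |
        awk -v s="$s" -v e="$e" '$1 >= s && $1 <= e' | cut -d' ' -f2-
}

root_logins_in()     { window_events "$SECURE_LOG" 'sshd.*Accepted .* for root from' "$1" "$2"; }
sendmail_starts_in() { window_events "$MAIL_LOG" 'sendmail.*starting daemon' "$1" "$2"; }

# timeline CHANGE: root logins, sendmail restarts and the config change, in time order
timeline() {
    {
        printf '%s\n' "$SECURE_LOG" | grep -E 'sshd.*Accepted .* for root from'
        printf '%s\n' "$MAIL_LOG"   | grep -E 'sendmail.*starting daemon'
        printf '%s relay CONFIG: sendmail.cf changed\n' "$1"
    } | awk "$KEYED" | sort | cut -d' ' -f2-
}

timeline "$CHANGED"
```

On a live system replace the two variables with `cat /var/log/secure` and `cat /var/log/maillog` (plus their rotated copies) and check that the root login and the restart bracketing the change belong to you.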