[NTLUG:Discuss] Have I been hacked?
Stephen Davidson
gorky at freenet.carleton.ca
Wed Apr 10 07:02:12 CDT 2002
David Stanaway wrote:
> On Wed, 2002-04-10 at 00:20, Bobby Sanders wrote:
>
>>On April 5th LogWatch shows:
>>
>>Connections:
>> Service in.telnetd:
>> 216.139.215.3: 1 Time(s)
>>
>>On April 9th LogWatch shows:
>>
>> --------------------- sendmail Begin ------------------------
>>
>>676590 bytes transferred
>>96 messages sent
>>
>>**Unmatched Entries**
>>
>>gethostbyaddr(206.50.48.104) failed: 2
>>
>> ---------------------- sendmail End -------------------------
>>
>>I've never sent 96 messages at once on purpose. (This machine is not
>>on a local area network.)
>>
>
>
> Do you have an open relay?
> (Sorry, I don't use sendmail, so I don't know the relay settings in the
> sendmail config off the top of my head)
>
> Are there exploits for your version of telnetd? I haven't heard of any
> exploits for telnetd recently (Other than tcpdump) Look at your wtmp logs
> last -f /var/log/wtmp.1 etc.. for around the time of the telnet login to
> see who logged in, and where from.
>
> That's a start anyway.
>
> --
> David Stanaway
>
Hi Bobby.
The older versions of sendmail, including the ones that were shipped with RH 6.x (and other distros of that timeframe), were configured to relay by default.
The newer ones are not configured to relay by default. Also, the older versions of sendmail had some interesting "holes". They would still relay even when properly configured if they were properly hacked. I would strongly recommend replacing your sendmail installation, if at all possible.
-Steve
--
Stephen Davidson
Java Consultant
Delphi Consultants, LLC
http://www.delphis.com
Phone: 214-696-6224 x208
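To answer David's "Do you have an open relay?" question from the log rather than from the config, one can correlate sendmail's from= and to= lines by queue ID and flag messages that arrived from an outside client and left again via SMTP for domains the host is not responsible for. The following is an added example written for this page, not code from the thread or from sendmail; the maillog lines are constructed in the standard sendmail 8.x layout (the client address 206.50.48.104 is reused from Bobby's report purely as sample data, not as a finding), and LOCAL_DOMAINS and LOCAL_RELAYS are assumptions to be filled in for the real host.

```python
"""Flag messages a sendmail host relayed for third parties (open-relay check).

Added example, not part of the original thread. Reads /var/log/maillog-style
lines, joins the from= and to= records of each queue ID, and reports messages
that came in from a non-local client and went back out by SMTP to non-local
recipients. That pattern is what spam pumped through an open relay looks like.
"""
import re
from collections import Counter, defaultdict

LOCAL_DOMAINS = {"example.com"}             # assumption: domains this host accepts mail for
LOCAL_RELAYS = {"localhost", "127.0.0.1"}   # assumption: clients allowed to submit outbound mail

# Constructed sample maillog lines; same field layout as real sendmail 8.x entries.
SAMPLE_LOG = """\
Apr  9 03:12:44 box sendmail[2031]: g39AFbJ02031: from=<bob@example.com>, size=412, class=0, nrcpts=1, msgid=<200204090812.g39AFbJ02031@box.example.com>, relay=localhost [127.0.0.1]
Apr  9 03:12:45 box sendmail[2033]: g39AFbJ02031: to=<friend@example.org>, ctladdr=<bob@example.com> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30412, relay=mail.example.org. [192.0.2.25], dsn=2.0.0, stat=Sent (OK)
Apr  9 04:02:10 box sendmail[2101]: g39B2AJ02101: from=<sales@bulkmail.test>, size=9821, class=0, nrcpts=3, msgid=<9f2c@bulkmail.test>, proto=SMTP, daemon=MTA, relay=[206.50.48.104]
Apr  9 04:02:11 box sendmail[2102]: g39B2AJ02101: to=<a@victim.example>,<b@victim.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=39821, relay=mx.victim.example. [192.0.2.40], dsn=2.0.0, stat=Sent (queued)
Apr  9 04:02:12 box sendmail[2102]: g39B2AJ02101: to=<c@other.example>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=39821, relay=mx.other.example. [192.0.2.41], dsn=2.0.0, stat=Sent (queued)
Apr  9 04:30:00 box sendmail[2150]: g39BU0J02150: from=<news@somewhere.test>, size=1200, class=0, nrcpts=1, msgid=<x1@somewhere.test>, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Apr  9 04:30:01 box sendmail[2151]: g39BU0J02150: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31200, dsn=2.0.0, stat=Sent
"""

# from= line: the trailing relay= field names the client that handed us the message.
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*relay=(?P<relay>.+)$")
# to= line: one or more <rcpt> entries, then the mailer that delivered them.
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=(?P<rcpts>(?:<[^>]*>,?)+),.*?mailer=(?P<mailer>\w+)")
OUTBOUND_MAILERS = {"esmtp", "smtp", "relay"}


def parse_maillog(text):
    """Group from=/to= records by queue ID -> {qid: {sender, client_ip, deliveries}}."""
    msgs = defaultdict(lambda: {"sender": None, "client_ip": None, "deliveries": []})
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m:
            rec = msgs[m["qid"]]
            rec["sender"] = m["sender"]
            ip = re.search(r"\[([\d.]+)\]", m["relay"])
            rec["client_ip"] = ip.group(1) if ip else m["relay"].strip()
            continue
        m = TO_RE.search(line)
        if m:
            rcpts = re.findall(r"<([^>]*)>", m["rcpts"])
            msgs[m["qid"]]["deliveries"].append((rcpts, m["mailer"]))
    return msgs


def is_local(addr):
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def find_relayed(msgs):
    """Return {qid: (client_ip, sender, [external recipients])} for third-party relays.

    Mail submitted by a local client going out is legitimate; mail from outside
    delivered to a local mailbox is legitimate. Outside in, outside out is a relay.
    """
    hits = {}
    for qid, rec in msgs.items():
        if rec["client_ip"] is None or rec["client_ip"] in LOCAL_RELAYS:
            continue
        external = [r for rcpts, mailer in rec["deliveries"]
                    if mailer in OUTBOUND_MAILERS
                    for r in rcpts if not is_local(r)]
        if external:
            hits[qid] = (rec["client_ip"], rec["sender"], external)
    return hits


def relay_clients(hits):
    """Count relayed recipients per client IP, so the worst offender sorts first."""
    counts = Counter()
    for client_ip, _, external in hits.values():
        counts[client_ip] += len(external)
    return counts


if __name__ == "__main__":
    found = find_relayed(parse_maillog(SAMPLE_LOG))
    for qid, (ip, sender, rcpts) in found.items():
        print(f"{qid}: client {ip} sender <{sender}> relayed to {', '.join(rcpts)}")
    for ip, n in relay_clients(found).most_common():
        print(f"{ip}: {n} relayed recipient(s)")
```

Run it against the real file with `parse_maillog(open("/var/log/maillog").read())` after setting LOCAL_DOMAINS and LOCAL_RELAYS to the host's own values; a hit count in the tens from one client on the day LogWatch reported 96 messages is strong evidence of relaying, and the client IP from the from= line is the address to compare with the gethostbyaddr() failure in the report.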