[BlueOnyx:03525] Re: Has my system been hacked?

Chris Gebhardt - VIRTBIZ Internet cobaltfacts at virtbiz.com
Mon Feb 8 19:18:29 -05 2010


Hi Mark,

Mark E. Levy wrote:
> First the root password changes, now I'm getting the following in the
> maillog and the mail server stops:

POSSIBLY, you have been hacked. I'd start looking around for other
signs, as well.

> NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 101: fileclass: cannot
> open '/etc/mail/local-host-names': World-writable directory
> 
> I also see /etc/mail/virthosts and /etc/mail/trusted-users with the same
> error.
> 
> What should the permissions be for this tree?

Maybe this will help:

# ls -lah /etc/mail
total 336K
drwxr-xr-x  2 root  root 4.0K Feb  7 03:18 .
drwxr-xr-x 83 root  root  12K Feb  8 18:15 ..
-rw-r--r--  1 root  root 2.3K Feb  7 03:18 access
-rw-r-----  1 smmsp root  12K Feb  7 03:18 access.db
-rw-r--r--  1 root  root 1.6K Sep 17 11:15 aliases
-rw-r-----  1 smmsp root  12K Feb  7 04:51 aliases.db
-rw-r--r--  1 root  root    0 Mar 14  2007 domaintable
-rw-r-----  1 smmsp root  12K Oct  3 02:20 domaintable.db
-rw-r--r--  1 root  root  249 Jun  6  2006 fix_sendmail_header.mc
-rw-r--r--  1 root  root 5.4K Mar 14  2007 helpfile
-rw-r--r--  1 root  root  373 Feb  7 03:18 local-host-names
-rw-r--r--  1 root  root   69 Nov  2 18:04 mailertable
-rw-r-----  1 smmsp root  12K Nov  2 18:04 mailertable.db
-rw-r--r--  1 root  root 1.1K Oct  3 02:22 Makefile
-rw-r-----  1 root  root  12K Feb  8 18:15 popip.db
-rw-r-----  1 root  root 3.9K Jun  3  2008 poprelay.conf
-rw-r--r--  1 root  root  59K Feb  7 04:51 sendmail.cf
-rw-r--r--  1 root  root 8.4K Dec  2  2008 sendmail.mc
-r--r--r--  1 root  root  41K Mar 14  2007 submit.cf
-rw-r--r--  1 root  root  940 Mar 14  2007 submit.mc
-rw-r--r--  1 root  root  127 Mar 14  2007 trusted-users
-rw-------  1 root  root    0 Sep 17 11:15 virthosts
-rw-r--r--  1 root  root 2.2K Feb  7 03:18 virtusertable
-rw-r-----  1 smmsp root  12K Feb  7 03:18 virtusertable.db


-- 
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
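
Added example, not part of the original message and not BlueOnyx code: a small audit for the condition in the quoted error. It reports world-writable directories on the path down to /etc/mail, and any group- or world-writable entries inside it (the listing above has none). The function names are made up for this example.

```bash
#!/bin/bash
# Added example: audit a sendmail config directory for loose write bits.

# Print every world-writable directory from $1 up to /.
world_writable_parents() {
    local dir
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    while :; do
        # -perm -0002 matches when the "other" write bit is set
        if [ -n "$(find "$dir" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ]; then
            printf '%s\n' "$dir"
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
}

# Print entries directly inside $1 that are group- or world-writable.
# Symlinks are skipped because their own mode bits are always 777.
loose_entries() {
    find "$1" -mindepth 1 -maxdepth 1 ! -type l \
        \( -perm -0002 -o -perm -0020 \) 2>/dev/null
}

# Run both checks; return 0 if clean, 1 if anything was reported.
audit_mail_dir() {
    local dir=${1:-/etc/mail} bad=0 out
    out=$(world_writable_parents "$dir") || {
        echo "cannot read $dir" >&2
        return 2
    }
    if [ -n "$out" ]; then
        echo "world-writable directories on path:"
        echo "$out"
        bad=1
    fi
    out=$(loose_entries "$dir")
    if [ -n "$out" ]; then
        echo "group- or world-writable entries:"
        echo "$out"
        bad=1
    fi
    return $bad
}

# Only runs when a directory is given, e.g.: ./audit.sh /etc/mail
if [ "$#" -gt 0 ]; then audit_mail_dir "$1"; fi
```

If a directory shows up that should not be writable by everyone, the interesting question is what changed it, so compare the timestamps against the root password change before resetting the mode.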


