[BlueOnyx:03527] Re: Has my system been hacked?
Mark E. Levy
mark at levysplace.us
Mon Feb 8 23:15:18 -05 2010
Thank you Gerald,
I didn't see any "i"s in the list that resulted from the lsattr command on
those directories. Hopefully, that means all is well. It's still a mystery
how the root password got changed, but that's straightened out too.
Thanks to everyone who replied.
-Mark
-----Original Message-----
From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On Behalf Of Gerald Waugh
Sent: Monday, February 08, 2010 10:05 PM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:03526] Re: Has my system been hacked?
On Mon, 2010-02-08 at 18:18 -0600, Chris Gebhardt - VIRTBIZ Internet wrote:
> Hi Mark,
>
> Mark E. Levy wrote:
> > First the root password changes, now I'm getting the following in the
> > maillog and the mail server stops:
>
> POSSIBLY, you have been hacked. I'd start looking around for other
> signs, as well.
>
> > NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 101: fileclass: cannot open '/etc/mail/local-host-names': World-writable directory
> >
> > I also see /etc/mail/virthosts and /etc/mail/trusted-users with the same
> > error.
> >
> > What should the permissions be for this tree?
>
> Maybe this will help:
>
> # ls -lah /etc/mail
> total 336K
> drwxr-xr-x 2 root root 4.0K Feb 7 03:18 .
> drwxr-xr-x 83 root root 12K Feb 8 18:15 ..
> -rw-r--r-- 1 root root 2.3K Feb 7 03:18 access
> -rw-r----- 1 smmsp root 12K Feb 7 03:18 access.db
> -rw-r--r-- 1 root root 1.6K Sep 17 11:15 aliases
> -rw-r----- 1 smmsp root 12K Feb 7 04:51 aliases.db
> -rw-r--r-- 1 root root 0 Mar 14 2007 domaintable
> -rw-r----- 1 smmsp root 12K Oct 3 02:20 domaintable.db
> -rw-r--r-- 1 root root 249 Jun 6 2006 fix_sendmail_header.mc
> -rw-r--r-- 1 root root 5.4K Mar 14 2007 helpfile
> -rw-r--r-- 1 root root 373 Feb 7 03:18 local-host-names
> -rw-r--r-- 1 root root 69 Nov 2 18:04 mailertable
> -rw-r----- 1 smmsp root 12K Nov 2 18:04 mailertable.db
> -rw-r--r-- 1 root root 1.1K Oct 3 02:22 Makefile
> -rw-r----- 1 root root 12K Feb 8 18:15 popip.db
> -rw-r----- 1 root root 3.9K Jun 3 2008 poprelay.conf
> -rw-r--r-- 1 root root 59K Feb 7 04:51 sendmail.cf
> -rw-r--r-- 1 root root 8.4K Dec 2 2008 sendmail.mc
> -r--r--r-- 1 root root 41K Mar 14 2007 submit.cf
> -rw-r--r-- 1 root root 940 Mar 14 2007 submit.mc
> -rw-r--r-- 1 root root 127 Mar 14 2007 trusted-users
> -rw------- 1 root root 0 Sep 17 11:15 virthosts
> -rw-r--r-- 1 root root 2.2K Feb 7 03:18 virtusertable
> -rw-r----- 1 smmsp root 12K Feb 7 03:18 virtusertable.db
>
A sure sign of a hack is the immutable bit being set in a file's attributes.
Do an lsattr on some directories:
lsattr /bin /sbin /usr/bin /usr/sbin | more
The immutable bit is 'i'.
Gerald
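The two checks discussed in this thread (finding the world-writable directory that makes sendmail refuse /etc/mail/local-host-names, and scanning lsattr output for the immutable 'i' flag), as an added shell example that is not part of the thread or of BlueOnyx; it assumes GNU/BusyBox find and e2fsprogs' lsattr, and the sample lsattr lines are constructed:

```shell
#!/bin/sh
# Added example (not from the thread): defender-side checks for the two
# symptoms discussed above.  Assumes POSIX find and e2fsprogs' lsattr.

# 1. Sendmail refuses a fileclass file when any directory on its path is
#    world-writable ("World-writable directory").  List every entry under a
#    tree with the "other" write bit (octal 002) set so the offending
#    permission can be located before touching /etc/mail.
#    Usage: find_world_writable /etc/mail
find_world_writable() {
    find "$1" -perm -002 -print 2>/dev/null | sort
}

# 2. Gerald's check: the immutable ('i') attribute on files in the system
#    binary directories.  Reads lsattr output from stdin and prints only the
#    paths whose attribute field (the first word of each line, e.g.
#    "----i--------e-- /bin/ls") contains a lowercase 'i'.
#    Usage: lsattr /bin /sbin /usr/bin /usr/sbin 2>/dev/null | immutable_from_lsattr
immutable_from_lsattr() {
    awk 'index($1, "i") > 0 { print substr($0, index($0, " ") + 1) }'
}

# Constructed sample lsattr output (hypothetical flags, not from a real host)
# so the parser can be exercised without lsattr or root.
sample_lsattr_output() {
    printf '%s\n' \
        '----i--------e-- /bin/ls' \
        '-------------e-- /bin/cat' \
        '----i--------e-- /usr/sbin/sshd'
}

# Builds a constructed directory tree in a temp location with one
# world-writable subdirectory and a mode-644 file inside it; prints the root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/ok" "$root/bad"
    chmod 755 "$root/ok"
    chmod 777 "$root/bad"
    printf 'x\n' > "$root/bad/local-host-names"
    chmod 644 "$root/bad/local-host-names"
    echo "$root"
}
```

Running find_world_writable on a real /etc/mail should print nothing; any path it does print is the directory sendmail is complaining about.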
_______________________________________________
Blueonyx mailing list
Blueonyx at blueonyx.it
http://www.blueonyx.it/mailman/listinfo/blueonyx