[BlueOnyx:12311] Re: Server hacked?

Will Nordmeyer will at wnahosting.com
Wed Feb 27 08:37:50 -05 2013



On Wed, 27 Feb 2013 13:30:13 +0000, Steven Howes wrote:

> On 27 Feb 2013, at 13:23, Will Nordmeyer wrote:
>
>> I've been monitoring the ssh vulnerability and don't see anything there, but I did notice that I have multiple processes when I do a PS looking like this:
>>
>> root  7499 24331  0 14:13 ?  00:00:00 sendmail: server [201.238.254.243] cmd read
>> root  7550 24331  0 14:13 ?  00:00:00 sendmail: server [201.238.254.243] cmd read
>> root  8127 24331  0 14:13 ?  00:00:00 sendmail: server [201.238.254.243] cmd read
>> root  8523 24331  0 14:13 ?  00:00:00 sendmail: server [201.238.254.243] cmd read
>> root  9165 24331  0 14:13 ?  00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 10050 24331  0 14:13 ?  00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 10562 24331  0 14:13 ?  00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 10706 24331  0 14:13 ?  00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 11208 24331  0 14:13 ?  00:00:00 sendmail: server [201.238.254.243] startup
>>
>> I don't know who 201.238.254.243 is - and I'm not sure where that server startup is coming from. Any advice? Quick help?
>
> Well that's not ssh. Could be someone exploiting your sendmail (well, trying random passwords at least). Just firewall them out... It's unlikely to be real mail, 201.238.254.243 doesn't listen on SMTP.
>
> S

I blocked them input and output via iptables:

 # -j DROP added here; the commands as originally posted had no -j target,
 # so they matched the address but took no action on the packets.
 iptables -A INPUT --source 201.238.254.243 -j DROP
 iptables -A OUTPUT --destination 201.238.254.243 -j DROP

and added them to deny.hosts.rules in apf, but when I restart sendmail, there they are.
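The ps listing above is the kind of thing worth checking mechanically rather than by eye: one peer holding many "sendmail: server [IP]" sessions at once is the signal Steven is reacting to. The script below is an added example, not code from the thread or from BlueOnyx or apf. It tallies sendmail server sessions per peer address from `ps -ef` output and prints (without running) an iptables rule for any peer above a threshold. The sample ps lines, PIDs and addresses are constructed; the `-I INPUT ... -p tcp --dport 25 -j DROP` form is an assumption about what you want the rule to do. Note the `-j DROP`: an iptables rule with a match but no target does nothing except count packets, which is one reason a rule can appear to be in place while connections keep arriving.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): tally sendmail
# "server [IP]" sessions from `ps -ef` output and emit a DROP rule for
# any peer holding more than a threshold number of sessions.

# Count sendmail server sessions per peer address.  Reads ps -ef lines on
# stdin and prints "<count> <ip>" pairs, busiest peer first.
sendmail_peers() {
    awk '
        /sendmail: server \[[0-9.]+\]/ {
            # Pull the bracketed address out of the process title.
            match($0, /\[[0-9.]+\]/)
            ip = substr($0, RSTART + 1, RLENGTH - 2)
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Print (do not execute) an iptables rule for each peer with more than $1
# sessions.  -I puts the rule ahead of any earlier ACCEPT rules; the -j
# target is what actually drops the traffic.  Review the output before
# piping it to sh.
drop_rules() {
    threshold="$1"
    sendmail_peers | awk -v t="$threshold" '
        $1 > t {
            printf "iptables -I INPUT -s %s -p tcp --dport 25 -j DROP\n", $2
        }
    '
}

# Constructed sample modelled on the ps lines in the thread.  PIDs and
# addresses are invented (documentation ranges), not real hosts.
SAMPLE_PS='root  7499 24331  0 14:13 ?  00:00:00 sendmail: server [192.0.2.10] cmd read
root  7550 24331  0 14:13 ?  00:00:00 sendmail: server [192.0.2.10] cmd read
root  8127 24331  0 14:13 ?  00:00:00 sendmail: server [192.0.2.10] startup
root  8523 24331  0 14:13 ?  00:00:00 sendmail: server [198.51.100.7] cmd read
root 24331     1  0 Feb25 ?  00:00:03 sendmail: accepting connections'

# Stand-alone run: show the per-peer tally, then the rules for peers
# holding more than two sessions.
printf '%s\n' "$SAMPLE_PS" | sendmail_peers
printf '%s\n' "$SAMPLE_PS" | drop_rules 2
```

On a live box you would replace the constructed sample with `ps -ef | sendmail_peers` (or `ps -ef | drop_rules 5`). Adding a rule does not tear down sessions that are already established, and restarting sendmail only closes them until the peer reconnects, so check that the rule has a target and sits before any ACCEPT rule (`iptables -L INPUT -n --line-numbers`) when connections keep reappearing.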