[BlueOnyx:12312] Re: Server hacked?

Drew Happli drew at happli.org
Wed Feb 27 11:04:46 -05 2013


 

That IP address is a Latin American address belonging to SERVICIOS DE SISTEMAS Y TECNOLOGIA HIWAY NETWORKS.

If you do a netstat, what types of connections to that IP address do you show? What does your mail queue show? What do the sendmail logs show?

Those would be the next things I would look at in troubleshooting the issue.

Do you show root logged on from somewhere else? (If so, why is root able to remote into the box to begin with?)

Drew.

On 02/27/2013 8:30 am, Steven Howes wrote:

> On 27 Feb 2013, at 13:23, Will Nordmeyer wrote:
>
>> I've been monitoring the ssh vulnerability and don't see anything there, but I did notice that I have multiple processes when I do a PS looking like this:
>>
>> root 7499 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 7550 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 8127 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 8523 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 9165 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 10050 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 10562 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 10706 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
>> root 11208 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] startup
>>
>> I don't know who 201.238.254.243 is - and I'm not sure where that server startup is coming from. Any advice? Quick? help?
>
> Well that's not ssh. Could be someone exploiting your sendmail (well, trying random passwords at least). Just firewall them out... It's unlikely to be real mail, 201.238.254.243 doesn't listen on SMTP.
>
> S
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
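As an added example that is not part of the thread, this script does the first check Drew asks for in a scriptable way: it parses `ps -ef` output for the `sendmail: server [ip] <state>` children Will quoted, counts concurrent sessions per remote peer, and flags peers holding more than a threshold of them. The sample `ps` text is constructed to mirror the quoted lines; the second peer address (198.51.100.7), the parent daemon line and the queue-runner line are made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed `ps -ef` sample modelled on the lines quoted in the thread.
# PIDs and 201.238.254.243 are as quoted; everything else is made up.
SAMPLE_PS = """\
root     24331     1  0 Feb20 ?        00:00:03 sendmail: accepting connections
root      7499 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
root      7550 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
root      8127 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
root     11208 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] startup
root     11300 24331  0 14:14 ?        00:00:00 sendmail: server [198.51.100.7] cmd read
smmsp    24340     1  0 Feb20 ?        00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
"""

# `ps -ef` columns: UID PID PPID C STIME TTY TIME CMD. Only the per-connection
# sendmail children ("sendmail: server [ip] <state>") are of interest here.
PS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"\S+\s+\S+\s+\S+\s+\S+\s+"                       # C STIME TTY TIME
    r"sendmail: server \[(?P<ip>[0-9.]+)\] (?P<state>.+)$"
)


def parse_sendmail_sessions(ps_text):
    """Return one dict (user, pid, ppid, ip, state) per SMTP session child."""
    sessions = []
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"], d["ppid"] = int(d["pid"]), int(d["ppid"])
            sessions.append(d)
    return sessions


def sessions_per_ip(sessions):
    """Concurrent SMTP sessions per remote peer address."""
    return Counter(s["ip"] for s in sessions)


def flag_noisy_peers(sessions, threshold=3):
    """Peers with >= threshold concurrent sessions, broken down by state.

    One host holding many sessions stuck in 'cmd read' is the pattern the
    thread describes; a legitimate relay rarely keeps that many open at once.
    """
    per_ip = defaultdict(Counter)
    for s in sessions:
        per_ip[s["ip"]][s["state"]] += 1
    return {ip: dict(states) for ip, states in per_ip.items()
            if sum(states.values()) >= threshold}


if __name__ == "__main__":
    found = parse_sendmail_sessions(SAMPLE_PS)
    print(sessions_per_ip(found))
    print(flag_noisy_peers(found))
```

On a live box feed it real output with `subprocess.run(["ps", "-ef"], capture_output=True, text=True).stdout`; the flagged addresses are then the ones to compare against `netstat`/`ss`, the mail queue and the sendmail log before deciding on a firewall rule.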