[BlueOnyx:03526] Re: Has my system been hacked?

Gerald Waugh gwaugh at raqware.com
Mon Feb 8 23:05:02 -05 2010


On Mon, 2010-02-08 at 18:18 -0600, Chris Gebhardt - VIRTBIZ Internet wrote:
> Hi Mark,
> 
> Mark E. Levy wrote:
> > First the root password changes, now I'm getting the following in the
> > maillog and the mail server stops:
> 
> POSSIBLY, you have been hacked.   I'd start looking around for other 
> signs, as well.
> 
> > NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 101: fileclass: cannot
> > open '/etc/mail/local-host-names': World-writable directory
> > 
> > I also see /etc/mail/virthosts and /etc/mail/trusted-users with the same
> > error.
> > 
> > What should the permissions be for this tree?
> 
> Maybe this will help:
> 
> # ls -lah /etc/mail
> total 336K
> drwxr-xr-x  2 root  root 4.0K Feb  7 03:18 .
> drwxr-xr-x 83 root  root  12K Feb  8 18:15 ..
> -rw-r--r--  1 root  root 2.3K Feb  7 03:18 access
> -rw-r-----  1 smmsp root  12K Feb  7 03:18 access.db
> -rw-r--r--  1 root  root 1.6K Sep 17 11:15 aliases
> -rw-r-----  1 smmsp root  12K Feb  7 04:51 aliases.db
> -rw-r--r--  1 root  root    0 Mar 14  2007 domaintable
> -rw-r-----  1 smmsp root  12K Oct  3 02:20 domaintable.db
> -rw-r--r--  1 root  root  249 Jun  6  2006 fix_sendmail_header.mc
> -rw-r--r--  1 root  root 5.4K Mar 14  2007 helpfile
> -rw-r--r--  1 root  root  373 Feb  7 03:18 local-host-names
> -rw-r--r--  1 root  root   69 Nov  2 18:04 mailertable
> -rw-r-----  1 smmsp root  12K Nov  2 18:04 mailertable.db
> -rw-r--r--  1 root  root 1.1K Oct  3 02:22 Makefile
> -rw-r-----  1 root  root  12K Feb  8 18:15 popip.db
> -rw-r-----  1 root  root 3.9K Jun  3  2008 poprelay.conf
> -rw-r--r--  1 root  root  59K Feb  7 04:51 sendmail.cf
> -rw-r--r--  1 root  root 8.4K Dec  2  2008 sendmail.mc
> -r--r--r--  1 root  root  41K Mar 14  2007 submit.cf
> -rw-r--r--  1 root  root  940 Mar 14  2007 submit.mc
> -rw-r--r--  1 root  root  127 Mar 14  2007 trusted-users
> -rw-------  1 root  root    0 Sep 17 11:15 virthosts
> -rw-r--r--  1 root  root 2.2K Feb  7 03:18 virtusertable
> -rw-r-----  1 smmsp root  12K Feb  7 03:18 virtusertable.db
> 
A sure sign of a hack is the immutable bit being set in a file's attributes.
Do an lsattr on some directories:
  lsattr /bin /sbin /usr/bin /usr/sbin | more
The immutable bit is 'i'.

Gerald
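An added example (not code from the thread or from BlueOnyx) that checks for the two symptoms discussed above: a world-writable directory in the path of a sendmail class file, which is what the "cannot open ... World-writable directory" SYSERR reports, and files carrying the immutable attribute. It assumes a POSIX sh with ls, dirname and awk; lsattr (e2fsprogs) is optional and the check is skipped when it is missing.

```sh
#!/bin/sh
# Added example (not from the thread): audit a sendmail config tree for the two
# symptoms discussed above: a world-writable directory somewhere in a class
# file's path (the cause of the "cannot open ... World-writable directory"
# SYSERR) and files carrying the immutable attribute ('i' in lsattr output).

# True if $1 grants write to "other": column 9 of ls -ld is 'w'.
is_world_writable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c9)" = "w" ]
}

# Walk the directory components of file $1 from its parent up to the tree
# root $2 (default "/"), roughly as sendmail does before opening a class file.
# Prints the first offending directory and returns 1; returns 0 when clean.
check_path_dirs() {
    p=$(dirname "$1")
    root=${2:-/}
    while :; do
        if is_world_writable "$p"; then
            echo "world-writable directory in path of $1: $p"
            return 1
        fi
        [ "$p" = "$root" ] || [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Print files under $1 whose lsattr flag field contains 'i' (immutable).
# Returns 1 if any were found, 2 if lsattr (e2fsprogs) is not installed.
find_immutable() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not installed" >&2; return 2; }
    lsattr -R "$1" 2>/dev/null |
        awk 'NF >= 2 && $1 ~ /^[-a-zA-Z]+$/ && $1 ~ /i/ { print "immutable: " $2; n++ }
             END { exit (n > 0) }'
}

# Audit the class files named in the thread inside tree $1 (walking up to
# root $2), then look for immutable files anywhere under the tree.
audit_mail_tree() {
    tree=$1; rc=0
    for f in local-host-names virthosts trusted-users; do
        [ -e "$tree/$f" ] || { echo "missing: $tree/$f"; rc=1; continue; }
        check_path_dirs "$tree/$f" "$2" || rc=1
    done
    find_immutable "$tree" || [ $? -eq 2 ] || rc=1
    return $rc
}
if [ -n "$1" ]; then audit_mail_tree "$1"; fi
```

Run it as `sh audit.sh /etc/mail`; a non-zero exit means a directory on the way to one of the class files is world-writable or an immutable file was found under the tree.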
