TCLUG Archive

Re: [TCLUG:16949] Sendmail/Linux Help



Yeah, you need to keep the logfiles and determine how they got in.

CERT has a good resource on what to do when you get hacked.  I believe
it's something like:

- Unplug the machine from the network.
- COMPLETELY back up the system (to preserve logs, ownership, binaries,
  password files, etc. for later).
- Have a beer.
- Determine how they got in (analyze logs, look for point of entry).
- Identify any backdoors that may have been installed.
- Find out where they came from (IP) - e-mail/call the admin of their
  network with date/time/IP and what happened (if the admin isn't helpful,
  contact their upstream).
- Wipe the drive (simply re-installing doesn't cut it - some backdoors may
  not be overwritten).
- Re-install with a fix for the problem that allowed them to get in in the
  first place.

You may want to look at packages like AIDE or Tripwire.  There are also
some honeypot products that are supposed to divert attention from your
servers to the dummy machine.

Subscribe to Bugtraq.


Eric F Crist wrote:
> 
> Hey,
> 
> My web server got hacked on Thursday.  I had to do a complete reinstall due to
> the fact that shadow/password and init files were deleted.
> 
> Since I reinstalled Linux, sendmail doesn't recognize any users.
> I can send mail from localhost to any users, but I can't send mail to
> myemail@<myhost.com>, as I get errors 550 (Relaying not allowed) and 551
> (Unknown user)
> 
> The other problem:
> 
> Ever since I installed Linux, new users show up unexpectedly.  For example,
> it's like someone is going into my server and creating accounts with names like
> reboot, system (UID 0, GRP 0), and other accounts that look legit, but I know
> they're not (Caldera, by default, enters Caldera OpenLinux User in the Name
> field, unless you change it manually).
> 
> Can someone please help me?
> 
> I don't understand ipchains, and I need help setting up as a gateway.
> 
> I also need to know how to setup sendmail so that it'll accept the correct
> accounts (note: it won't even accept mail for root, postmaster, and
> MAILER-DAEMON)
> 
> If you would like to see the error message, send an email to
> ecrist@ardent-hacker.net. (This is the account I am logged in as usually)
> 
> Thanks
> 
> Eric F Crist
> 

-- 
Adam Maloney
Systems Administrator
Internet Exposure, Inc.
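As an added example for two of the steps above (identifying backdoors, and the AIDE/Tripwire-style integrity check Adam recommends), not code from either poster: the script below flags every UID-0 account in a passwd file other than the ones you know you created, and builds a per-file fingerprint baseline (SHA-256, mode, owner) that can be diffed later to show replaced, added and deleted files. The sample passwd contents are constructed to resemble the "reboot" and "system" accounts Eric describes; the scratch file tree in `demo()` is likewise constructed, and the function and constant names are this example's own.

```python
"""Post-intrusion checks: flag unexpected UID-0 accounts and diff a
file-fingerprint baseline (a minimal version of what AIDE/Tripwire do)."""
import hashlib
import os
import stat
import tempfile

# Constructed sample /etc/passwd resembling the symptom in the thread
# (not copied from the original post): two extra accounts carry UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
reboot:x:0:0:Caldera OpenLinux User:/tmp:/bin/sh
system:x:0:0:Caldera OpenLinux User:/:/bin/sh
ecrist:x:500:500:Eric F Crist:/home/ecrist:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) text into a list of dicts, ignoring blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; worth reporting in real use
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def uid0_backdoors(entries, allowed=("root",)):
    """Names of UID-0 accounts other than the ones you created yourself.
    The kernel only looks at the UID: any UID-0 login is root, whatever
    its name or GECOS field says, so each extra one is a backdoor."""
    return [e["name"] for e in entries
            if e["uid"] == 0 and e["name"] not in allowed]


def file_fingerprint(path):
    """SHA-256, permission bits, uid and gid of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = file_fingerprint(full)
    return baseline


def compare_baseline(old, new):
    """Report files added, removed, or altered since the baseline was taken."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Baseline a constructed scratch tree, tamper with it the way a
    rootkit would, and return the change report."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls.real \"$@\"\n")
        with open(os.path.join(root, "inittab"), "wb") as f:
            f.write(b"id:3:initdefault:\n")
        before = build_baseline(root)
        # Replace a binary, drop a new file, delete an init file.
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls.real \"$@\" | grep -v rootkit\n")
        with open(os.path.join(bindir, "login.bak"), "wb") as f:
            f.write(b"trojan\n")
        os.remove(os.path.join(root, "inittab"))
        return compare_baseline(before, build_baseline(root))


if __name__ == "__main__":
    print(uid0_backdoors(parse_passwd(SAMPLE_PASSWD)))
    print(demo())
```

Two caveats a practitioner would add: the baseline is only worth anything if it was taken before the break-in and stored somewhere the intruder could not reach (read-only media, another host), which is why AIDE and Tripwire keep their database off the box; and a comparison run on the compromised system itself can be fooled by a trojaned kernel or libc that hides files, so run it from a clean boot against the mounted, unmodified disk image taken in the backup step.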