|Mike Sheinberg on 31 Dec 2009 16:25:32 -0800|
I'm looking for advice on where to start looking for tracking down a particular entry in my logwatch reports that look suspicious. Specifically I am seeing an unknown user under the sendmail portion of logwatch as one of the top 10 e-mail recipients. I started sifting through the sendmail logs and noticed that this user was receiving email from firstname.lastname@example.org. Therefore I suspect there may be some malicious script installed sending out unauthorized server information to others. Sendmail isn't configured to relay outside addresses and currently iptables is configured to block anything but 22,80, and 443. I didn't see anything useful in the /var/spool directory; does anyone have some good pointers on where I can start here? I'm using Red Hat EL 5.4 if that helps with file locations....
___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug