[PLUG] Suspicious sendmail logwatch entry

Mike Sheinberg on 31 Dec 2009 16:25:32 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] Suspicious sendmail logwatch entry

From: Mike Sheinberg <m.sheiny@gmail.com>

To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>

Subject: [PLUG] Suspicious sendmail logwatch entry

Date: Thu, 31 Dec 2009 19:25:26 -0500

Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>

Sender: plug-bounces@lists.phillylinux.org

Hello,

I'm looking for advice on where to start looking for tracking down a particular entry in my logwatch reports that look suspicious. Specifically I am seeing an unknown user under the sendmail portion of logwatch as one of the top 10 e-mail recipients. I started sifting through the sendmail logs and noticed that this user was receiving email from apache@myserver.com. Therefore I suspect there may be some malicious script installed sending out unauthorized server information to others. Sendmail isn't configured to relay outside addresses and currently iptables is configured to block anything but 22,80, and 443. I didn't see anything useful in the /var/spool directory; does anyone have some good pointers on where I can start here? I'm using Red Hat EL 5.4 if that helps with file locations....

Thanks,
Mike

___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

Prev by Date: [PLUG] Update: How To Diagnose System Instability?

Next by Date: Re: [PLUG] Remote access to Gnome or KDE

Previous by thread: Re: [PLUG] Reflogging the dead hard drive horse

Next by thread: [PLUG] Help save MySQL; Sign the petition

Index(es):

Date

Thread