Mike Sheinberg on 31 Dec 2009 16:25:32 -0800


[PLUG] Suspicious sendmail logwatch entry


I'm looking for advice on where to start looking for tracking down a particular entry in my logwatch reports that looks suspicious. Specifically I am seeing an unknown user under the sendmail portion of logwatch as one of the top 10 e-mail recipients. I started sifting through the sendmail logs and noticed that this user was receiving email from apache@myserver.com. Therefore I suspect there may be some malicious script installed sending out unauthorized server information to others. Sendmail isn't configured to relay outside addresses and currently iptables is configured to block anything but 22, 80, and 443. I didn't see anything useful in the /var/spool directory; does anyone have some good pointers on where I can start here? I'm using Red Hat EL 5.4 if that helps with file locations.

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
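An added example for the triage described in the post above (not code from the original thread or the PLUG list): a POSIX sh/awk script that correlates sendmail's from= and to= maillog lines by queue ID, so every recipient of mail submitted by the apache account is listed with how often it was mailed. The sample log lines, hostnames, addresses and queue IDs are constructed; the sender name is an assumption taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: correlate sendmail "from=" and
# "to=" maillog lines by queue ID so that every recipient of mail submitted
# by a given local account (here apache) is listed with a count.
# Constructed sample maillog lines; hosts, addresses and queue IDs are made up.
SAMPLE_LOG=$(cat <<'EOF'
Dec 31 15:02:11 myserver sendmail[4101]: nBVN2BxY004101: from=apache, size=512, class=0, nrcpts=1, msgid=<200912312302.nBVN2BxY004101@myserver.com>, relay=apache@localhost
Dec 31 15:02:11 myserver sendmail[4102]: nBVN2BxY004101: to=<dropbox@example.net>, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30512, relay=mx.example.net. [203.0.113.5], dsn=2.0.0, stat=Sent
Dec 31 15:03:40 myserver sendmail[4110]: nBVN3eXZ004110: from=root, size=300, class=0, nrcpts=1, msgid=<200912312303.nBVN3eXZ004110@myserver.com>, relay=root@localhost
Dec 31 15:03:40 myserver sendmail[4111]: nBVN3eXZ004110: to=admin, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30300, dsn=2.0.0, stat=Sent
Dec 31 15:09:02 myserver sendmail[4120]: nBVN92aB004120: from=apache, size=700, class=0, nrcpts=2, msgid=<200912312309.nBVN92aB004120@myserver.com>, relay=apache@localhost
Dec 31 15:09:02 myserver sendmail[4121]: nBVN92aB004120: to=<dropbox@example.net>,<other@example.org>, ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30700, relay=mx.example.net. [203.0.113.5], dsn=2.0.0, stat=Sent
EOF
)

# Usage: recipients_from SENDER < maillog
# Prints "count recipient", most frequent first, for every recipient of a
# message whose envelope sender (from=) is SENDER or SENDER@<any domain>.
recipients_from() {
    awk -v sender="$1" '
        # Field 6 is the queue ID (trailing colon); field 7 is the from=/to= pair.
        { qid = $6; sub(/:$/, "", qid); kv = $7; sub(/,$/, "", kv); gsub(/[<>]/, "", kv) }
        kv ~ /^from=/ {
            f = substr(kv, 6)
            if (f == sender || index(f, sender "@") == 1) from_sender[qid] = 1
        }
        kv ~ /^to=/ && (qid in from_sender) {
            # nrcpts>1 puts several comma-separated addresses in one to= field.
            n = split(substr(kv, 4), rcpt, ",")
            for (i = 1; i <= n; i++) count[rcpt[i]]++
        }
        END { for (r in count) printf "%d %s\n", count[r], r }
    ' | sort -rn
}

# On the constructed sample this prints "2 dropbox@example.net" then
# "1 other@example.org"; on a real box run: recipients_from apache < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | recipients_from apache
```

The ctladdr=apache (48/48) field on the matching to= lines independently confirms which local account handed the message to sendmail, which is the account whose scripts and cron entries to review next.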