From owner-freebsd-stable Fri Sep 27 21:29:02 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F05BC37B401 for ; Fri, 27 Sep 2002 21:29:00 -0700 (PDT)
Received: from tomts17-srv.bellnexxia.net (tomts17.bellnexxia.net [209.226.175.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1E84E43E6A for ; Fri, 27 Sep 2002 21:29:00 -0700 (PDT) (envelope-from matt@gsicomp.on.ca)
Received: from xena.gsicomp.on.ca ([65.95.177.134]) by tomts17-srv.bellnexxia.net (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with ESMTP id <20020928042858.KXIQ3718.tomts17-srv.bellnexxia.net@xena.gsicomp.on.ca>; Sat, 28 Sep 2002 00:28:58 -0400
Received: from hermes (hermes.gsicomp.on.ca [192.168.0.18]) by xena.gsicomp.on.ca (8.11.3/8.11.3) with SMTP id g8S3F7X21241; Fri, 27 Sep 2002 23:15:08 -0400 (EDT) (envelope-from matt@gsicomp.on.ca)
Message-ID: <001301c266a7$90784d50$1200a8c0@gsicomp.on.ca>
From: "Matthew Emmerton"
To: "Heywood Jblome" ,
References: <20020928035657.21042.qmail@web21402.mail.yahoo.com>
Subject: Re: Possible trojan since upgrade
Date: Sat, 28 Sep 2002 00:28:56 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Since I upgraded to a recent Stable CVSUP, I've seen
> this kind of message about once a day in the
> /var/log/maillog file. I suspect a trojan as the
> "root" user did not send email at this time; there is
> no matching entry indicating that the mail was sent,
> queued, or so forth. The system seems to slow after
> this entry shows in the logs.
>
> Don't know for sure whether this came from a CVSUP or
> somewhere else... there are only two users on the
> system.
>
> Can anyone point me where to look to eliminate
> whatever is causing this email connection?

Just because the message comes from 'root@zzzzzz.com' doesn't mean it
originated on your system. See below for details.

> -----------------
> from /var/log/maillog
>
> assume host zzzzzz.com
>
> -----------This is the entry in question--------
> Sep 27 13:44:40 medusa sm-mta[1742]: g8RIiXgt001742:
> from=, size=0, class=0, nrcpts=1,
> proto=ESMTP, daemon=MTA, relay=[202.80.192.29]
> -------------Next entry-------------
> Sep 27 13:46:59 medusa sm-mta[1746]:
> ruleset=check_relay, arg1=host101-38.pool21758.interbusiness.it,
> arg2=217.58.38.101,
> relay=host101-38.pool21758.interbusiness.it
> [217.58.38.101], reject=550 5.7.1 Mail Rejected - see
> http://relays.osirusoft.com

In short, it looks like you're running a mailserver configured as an
open relay. All these sendmail log messages that you see are from
people relaying mail through your SMTP server. (This is how spammers
spread their spam to the masses.)

First, shut down sendmail entirely on your box. Edit /etc/rc.conf and
set sendmail_enable="NONE" and reboot.

Second, go to http://www.sendmail.org and read about how to configure
your machine to be a closed relay.

--
Matt Emmerton
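As an added example (not code from this thread, from FreeBSD, or from sendmail), the script below reads sm-mta log entries the way the reply above does: on a `from=` line, `relay=` is the address of the SMTP client that opened the session, while the `from=` address is whatever that client chose to claim, so the sender address alone says nothing about where the mail originated. The script also correlates `to=` lines by queue id, so that mail accepted from an outside client and delivered to an outside domain, which is what third-party relaying looks like in the log, is flagged. The sample log lines are constructed, modelled on the two entries quoted above; `LOCAL_NETS` and `LOCAL_DOMAINS` are assumptions to be replaced with the site's own values.

```python
"""Audit sendmail (sm-mta) maillog lines for spoofed senders and third-party relaying."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed for this example: networks local clients submit from, and the domains we host.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]
LOCAL_DOMAINS = {"zzzzzz.com"}

PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: (?P<body>.*)$")
FROM_RE = re.compile(r"^(?P<qid>\w+): from=<?(?P<sender>[^>,]*)>?, ")
TO_RE = re.compile(r"^(?P<qid>\w+): to=<?(?P<rcpt>[^>,]*)>?, .*stat=(?P<stat>\w+)")
REJECT_RE = re.compile(r"^ruleset=(?P<ruleset>\w+), .*reject=(?P<code>\d{3})")
# relay=host.example [1.2.3.4]  or  relay=[1.2.3.4] when there is no reverse DNS
RELAY_RE = re.compile(r"relay=(?:(?P<rhost>\S+) )?\[(?P<rip>[^\]]+)\]")


def is_local_ip(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


@dataclass
class Message:
    qid: str
    sender: str
    client_ip: str  # relay= on the from= line: the SMTP client that talked to us
    recipients: List[str] = field(default_factory=list)
    delivered: List[str] = field(default_factory=list)


def parse_log(lines) -> Tuple[Dict[str, Message], List[str]]:
    """Group from=/to= lines by queue id; collect check_relay-style rejections separately."""
    messages: Dict[str, Message] = {}
    rejects: List[str] = []
    for line in lines:
        m = PREFIX_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        relay = RELAY_RE.search(body)
        if (f := FROM_RE.match(body)) and relay:
            messages[f.group("qid")] = Message(f.group("qid"), f.group("sender"), relay.group("rip"))
        elif (t := TO_RE.match(body)):
            # On to= lines relay= is the destination MX, not the client, so it is ignored here.
            msg = messages.get(t.group("qid"))
            if msg is not None:
                msg.recipients.append(t.group("rcpt"))
                if t.group("stat") == "Sent":
                    msg.delivered.append(t.group("rcpt"))
        elif (r := REJECT_RE.match(body)) and relay:
            rejects.append(f"{relay.group('rip')} rejected by {r.group('ruleset')} ({r.group('code')})")
    return messages, rejects


def verdict(msg: Message) -> str:
    """Classify one message by the client IP, never by the claimed sender address."""
    if is_local_ip(msg.client_ip):
        return "local-submission"
    if any(domain_of(r) not in LOCAL_DOMAINS for r in msg.delivered):
        return "open-relay-abuse"  # outside client, mail delivered onward to an outside domain
    if domain_of(msg.sender) in LOCAL_DOMAINS:
        return "spoofed-local-sender"  # claims to be us, but the session came from outside
    return "external-inbound"


def audit(log_text: str) -> Dict[str, str]:
    messages, _ = parse_log(log_text.splitlines())
    return {qid: verdict(m) for qid, m in messages.items()}


# Constructed sample, modelled on the entries quoted in the thread (RFC 5737 addresses added).
SAMPLE_LOG = """\
Sep 27 13:44:40 medusa sm-mta[1742]: g8RIiXgt001742: from=<root@zzzzzz.com>, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[202.80.192.29]
Sep 27 13:46:59 medusa sm-mta[1746]: ruleset=check_relay, arg1=host101-38.pool21758.interbusiness.it, arg2=217.58.38.101, relay=host101-38.pool21758.interbusiness.it [217.58.38.101], reject=550 5.7.1 Mail Rejected - see http://relays.osirusoft.com
Sep 27 13:50:02 medusa sm-mta[1751]: g8RIo2Ab001751: from=<bulk@example.org>, size=2210, class=0, nrcpts=2, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Sep 27 13:50:03 medusa sm-mta[1753]: g8RIo2Ab001751: to=<victim@example.net>, delay=00:00:01, mailer=esmtp, pri=32210, relay=mx.example.net. [203.0.113.25], dsn=2.0.0, stat=Sent (ok)
Sep 27 13:50:03 medusa sm-mta[1753]: g8RIo2Ab001751: to=<matt@zzzzzz.com>, delay=00:00:01, mailer=local, pri=32210, dsn=2.0.0, stat=Sent
Sep 27 14:02:11 medusa sm-mta[1790]: g8RJ2BxY001790: from=<matt@zzzzzz.com>, size=1422, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=hermes.zzzzzz.com [192.168.0.18]
Sep 27 14:02:12 medusa sm-mta[1792]: g8RJ2BxY001790: to=<friend@example.com>, delay=00:00:01, mailer=esmtp, pri=31422, relay=mx.example.com. [203.0.113.9], dsn=2.0.0, stat=Sent (ok)
"""

if __name__ == "__main__":
    msgs, rejected = parse_log(SAMPLE_LOG.splitlines())
    for qid, msg in msgs.items():
        print(f"{qid}: client={msg.client_ip} sender={msg.sender} -> {verdict(msg)}")
    for r in rejected:
        print("reject:", r)
```

Run it against the real /var/log/maillog instead of SAMPLE_LOG to see whether any queue id comes out as open-relay-abuse; that is the evidence that the relay configuration, not a local account, is behind the entries. A spoofed-local-sender verdict is the quoted case: an outside host (202.80.192.29) handing the MTA a sender address in the local domain, which sendmail accepts at the envelope stage regardless of who really owns that address.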