From owner-freebsd-stable Fri Sep 27 22: 6:15 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 534A037B401 for ; Fri, 27 Sep 2002 22:06:13 -0700 (PDT)
Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id D878443E65 for ; Fri, 27 Sep 2002 22:06:07 -0700 (PDT) (envelope-from davep.freebsd@meduseld.net)
Received: from baloo.meduseld.net ([66.30.120.153]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020928050607.HAQN5955.rwcrmhc51.attbi.com@baloo.meduseld.net> for ; Sat, 28 Sep 2002 05:06:07 +0000
Received: from localhost (localhost [127.0.0.1]) by baloo.meduseld.net (8.12.3/8.12.3) with ESMTP id g8S55rfK010399 for ; Sat, 28 Sep 2002 01:05:54 -0400 (EDT) (envelope-from davep.freebsd@meduseld.net)
Date: Sat, 28 Sep 2002 01:05:53 -0400 (EDT)
Message-Id: <20020928.010553.730557972.davep@meduseld.net>
To: freebsd-stable@freebsd.org
Subject: Re: Possible trojan since upgrade
From: "David A. Panariti"
In-Reply-To: <001301c266a7$90784d50$1200a8c0@gsicomp.on.ca>
References: <20020928035657.21042.qmail@web21402.mail.yahoo.com> <001301c266a7$90784d50$1200a8c0@gsicomp.on.ca>
X-Attribution: davep
X-Mailer: Mew version 2.2 on XEmacs 21.4.9 (Informed Management)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Perhaps we should add the following to the default greeting message used by
sendmail (SmtpGreeting in /usr/src/contrib/sendmail/src/main.c):

    Welcome!  This is a for-profit mail relay server.  We charge $250
    per piece of mail relayed.  To accept these terms, please type HELO
    or EHLO.  To refuse them, please type QUIT.
davep

>>>>> "Matthew" == Matthew Emmerton writes:

 >> Since I upgraded to a recent Stable CVSUP, I've seen this kind
 >> of message about once a day in the /var/log/maillog file. I
 >> suspect a trojan as the "root" user did not send email at this
 >> time, there is no matching entry indicating that the mail was
 >> sent, queued, or so forth. The system seems to slow after this
 >> entry shows in the logs.
 >>
 >> Don't know for sure whether this came from a CVSUP or somewhere
 >> else... there are only two users on the system.
 >>
 >> Can anyone point me where to look to eliminate whatever is
 >> causing this email connection?

Matthew> Just because the message comes from 'root@zzzzzz.com'
Matthew> doesn't mean it originated on your system. See below for
Matthew> details.

 >> ----------------- from /var/log/maillog
 >>
 >> assume host zzzzzz.com
 >>
 >> -----------This is the entry in question--------
 >> Sep 27 13:44:40 medusa sm-mta[1742]: g8RIiXgt001742: from=,
 >> size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA,
 >> relay=[202.80.192.29]
 >> -------------Next entry-------------
 >> Sep 27 13:46:59 medusa sm-mta[1746]: ruleset=check_relay,
 >> arg1=host101-38.pool21758.interbusiness.it, arg2=217.58.38.101,
 >> relay=host101-38.pool21758.interbusiness.it [217.58.38.101],
 >> reject=550 5.7.1 Mail Rejected - see http://relays.osirusoft.com

Matthew> In short, it looks like you're running a mailserver
Matthew> configured as an open relay. All these sendmail log
Matthew> messages that you see are from people relaying mail
Matthew> through your SMTP server. (This is how spammers spread
Matthew> their spam to the masses.)

Matthew> First, shut down sendmail entirely on your box. Edit
Matthew> /etc/rc.conf and set sendmail_enable="NONE" and reboot.

Matthew> Second, go to http://www.sendmail.org and read about how
Matthew> to configure your machine to be a closed relay.
Matthew> --
Matthew> Matt Emmerton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
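An added check, not code from this thread or from the sendmail project: the script below classifies sendmail 8.12 maillog entries of the two kinds quoted above. A `from=` record opens an envelope for a queue ID; the matching `to=` records for that queue ID say where it went (`mailer=local` for a local mailbox, `mailer=esmtp` with a remote `relay=` for an outbound hop); a `ruleset=check_relay ... reject=550` record is a connection the server refused before any envelope existed. Pairing these by queue ID separates third-party relaying (foreign sender to foreign recipient, `stat=Sent`) from ordinary inbound mail and from refused clients. The sample log lines are constructed after the entries in the thread, the example.org / example.net addresses and the 198.51.100.7 / 192.0.2.10 hosts are made up, and `LOCAL_DOMAINS` is an assumed setting for the host's own domain.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/maillog lines in the sendmail 8.12 format quoted
# in the thread. Only the entry shapes come from the thread; the example.org /
# example.net addresses and the 198.51.100.7 / 192.0.2.10 hosts are made up.
SAMPLE_LOG = """\
Sep 27 13:44:40 medusa sm-mta[1742]: g8RIiXgt001742: from=<root@zzzzzz.com>, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[202.80.192.29]
Sep 27 13:46:59 medusa sm-mta[1746]: ruleset=check_relay, arg1=host101-38.pool21758.interbusiness.it, arg2=217.58.38.101, relay=host101-38.pool21758.interbusiness.it [217.58.38.101], reject=550 5.7.1 Mail Rejected - see http://relays.osirusoft.com
Sep 27 13:50:12 medusa sm-mta[1750]: g8RIoCgt001750: from=<sender@example.org>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Sep 27 13:50:13 medusa sm-mta[1752]: g8RIoCgt001750: to=<bob@zzzzzz.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30812, dsn=2.0.0, stat=Sent
Sep 27 13:55:02 medusa sm-mta[1760]: g8RItCgt001760: from=<spam@example.org>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Sep 27 13:55:03 medusa sm-mta[1762]: g8RItCgt001760: to=<victim@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32048, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
"""

# Assumption: the domains this host accepts mail for. Anything else is foreign.
LOCAL_DOMAINS = {"zzzzzz.com"}

# "sm-mta[pid]: <queue id>: key=value, key=value, ..."
QUEUE_RE = re.compile(r"sm-mta\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=([^,]*)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_fields(record):
    """Split a sendmail 'key=value, key=value' record into a dict."""
    return {k: v.strip() for k, v in KV_RE.findall(record)}


def addr_domain(addr):
    """'<user@host>' -> 'host' lower-cased, or '' when there is no @."""
    addr = addr.strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def relay_ip(field):
    """Pull the bracketed client IP out of a relay= value."""
    m = IP_RE.search(field or "")
    return m.group(1) if m else None


def analyze(log_text, local_domains=LOCAL_DOMAINS):
    """Return refused clients, relayed envelopes, inbound envelopes and
    envelopes that have a from= record but no to= record yet."""
    rejected = defaultdict(int)  # client IP -> refused connections
    envelopes = defaultdict(lambda: {"sender": None, "relay": None, "rcpts": []})
    for line in log_text.splitlines():
        if "reject=" in line:  # check_relay and similar rulesets: no queue ID
            f = parse_fields(line)
            rejected[relay_ip(f.get("relay")) or f.get("arg2", "?")] += 1
            continue
        m = QUEUE_RE.search(line)
        if not m:
            continue
        f = parse_fields(m.group("rest"))
        env = envelopes[m.group("qid")]
        if "from" in f:  # envelope opened by the connecting client
            env["sender"] = f["from"]
            env["relay"] = relay_ip(f.get("relay"))
        elif "to" in f:  # one delivery attempt for that envelope
            env["rcpts"].append((f["to"], f.get("mailer"), f.get("stat", "")))

    result = {"rejected": dict(rejected), "relayed": [], "inbound": [], "incomplete": []}
    for qid, env in envelopes.items():
        if not env["rcpts"]:
            result["incomplete"].append(qid)
            continue
        sender_local = addr_domain(env["sender"] or "") in local_domains
        for rcpt, mailer, stat in env["rcpts"]:
            rcpt_local = mailer == "local" or addr_domain(rcpt) in local_domains
            if rcpt_local:
                result["inbound"].append(qid)
            elif not sender_local and stat.startswith("Sent"):
                # foreign sender, foreign recipient, delivered: third-party relay
                result["relayed"].append((qid, env["relay"], env["sender"], rcpt))
    return result


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["rejected"].items():
        print(f"refused {n} connection(s) from {ip}")
    for qid in report["incomplete"]:
        print(f"{qid}: envelope accepted, no delivery record")
    for qid, ip, sender, rcpt in report["relayed"]:
        print(f"{qid}: RELAYED {sender} -> {rcpt} via client {ip}")
```

Run it against a real /var/log/maillog by passing the file contents to `analyze()` with your own domain set. Entries in the "relayed" list are the ones that show the host actually passing third-party mail along; a `from=` line with no `to=` line only shows that a client connected and was allowed to open an envelope.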