Re: [SLUG] Need help, I appear to victim of mischief

From: Paul M Foster (paulf@quillandmouse.com)
Date: Sat Aug 17 2002 - 14:07:24 EDT


On Sat, Aug 17, 2002 at 11:36:54AM -0400, Darr Palmer wrote:

> Hi all,
>
> Last Friday I left my previous job to go to work for a new employer. Let's
> just say that my parting was not happy because of the immature actions of my
> previous employer.
>
> Suddenly, as in since last Saturday, I have appeared to become the victim of
> some very ingenious mischief. My server appears to be the victim of DOS
> attacks. And I suddenly have begun getting several virus attacks via email.
>
> I tried to install RAV anti virus for PostFix and my server went berserk,
> although it may have been coincidental with a DOS attack.
>
> I am now getting messages on my terminal when I reboot the server to the
> effect, "Sorry I was gone, but I am back now".
>
> Can anyone lead me in the direction of verifying if in fact I just happen to
> be getting random emails with viruses, or is it a deliberate attempt to
> interfere with my website and email.
>
> And specifically where it is being generated from. If it is as I suspect, I
> would like to have the proof before I confront the party responsible with my
> attorney.
>
> Any help would be appreciated
>
> Please feel free to contact me off list.
>
> Darr Palmer
> darr@darrpalmer.com
>

More data is needed. Are the problems you're having on a Windows or
Linux box? Are you on a LAN? Is your router Linux or Windows? Etc.

As for the email stuff, this can be shunted off to /dev/null or a
holding file with procmail. You can check the headers on these to
determine the origins and relay points. A common thread should show up.
Postfix itself won't be affected by viruses, unless they use some known
and unrepaired exploit.

Messages from the console on boot sound like a rootkit or something.

One other point-- IANAL, but I've heard that if you wish to make a case
against someone using data from your hard drive, you basically have to
treat it as the police would-- remove and bag it. Otherwise, a case
could be made that you yourself created the problems out of spite or
some other nefarious motive. Check with a lawyer familiar with this type
of thing.

If you find (and can prove) an attack is being made on you from a single
point, you can possibly enlist the help of their ISP. Try the abuse@
address for their ISP, once you have proof in hand.

Good luck.

Paul
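The header check Paul describes, as an added example that is not part of the original thread: it reads the Received: headers of a few constructed messages (the kind a procmail holding file would collect), lists each message's relay chain, and reports the relay IP that every message has in common. Host names, IPs and message text are all made up for the example.

```python
import email
import re

# Three constructed messages (not from the thread). The newest
# Received: header is first, so each chain is reversed below.
SAMPLES = [
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby mail.example.org (Postfix) with ESMTP id A1B2C3\n"
    "Received: from relay.example.com (relay.example.com [203.0.113.5])\n"
    "\tby mx.example.net with SMTP; Sat, 17 Aug 2002 10:59:00 -0400\n"
    "From: someone@example.com\nSubject: one\n\nbody one\n",
    "Received: from mx2.example.net (mx2.example.net [198.51.100.8])\n"
    "\tby mail.example.org (Postfix) with ESMTP id D4E5F6\n"
    "Received: from unknown ([203.0.113.5])\n"
    "\tby mx2.example.net with SMTP; Sat, 17 Aug 2002 11:58:00 -0400\n"
    "From: other@example.org\nSubject: two\n\nbody two\n",
    "Received: from relay.example.com (relay.example.com [203.0.113.5])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 789ABC\n"
    "From: third@example.net\nSubject: three\n\nbody three\n",
]

# "from <claimed name> (... [<ip>])": the bracketed IP is what the
# receiving MTA actually saw; the claimed name is whatever the sender said.
HOP = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\]", re.IGNORECASE)


def relay_chain(raw):
    """Return (claimed_host, ip) for each hop, oldest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = HOP.search(flat)
        if m:
            hops.append((m.group(1), m.group(2)))
    hops.reverse()
    return hops


def common_relays(raws):
    """IPs present in every message's chain: the 'common thread'."""
    chains = [relay_chain(r) for r in raws]
    if not chains:
        return []
    common = {ip for _, ip in chains[0]}
    for chain in chains[1:]:
        common &= {ip for _, ip in chain}
    return sorted(common)


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLES, 1):
        print(i, relay_chain(raw))
    print("common:", common_relays(SAMPLES))
```

Only the hops written by MTAs you control are trustworthy; a sender can forge any Received: line beneath them, so treat earlier hops as a lead to hand to the ISP's abuse@ contact, not as proof on their own.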



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:26:09 EDT