My computer has been trojaned by someone to send spams. It started Jun 10
18:48:55 (that's the first "Email from your Email Service Provider is
currently blocked by Verizon Online's anti-spam system" message, anyhow).
First thing I did was stop Postfix. Turns out it was listening on all
interfaces, instead of just "lo". Fixed.
Now, I need to figure out how I was broken into. I don't see any holes in
the firewall, and root login is disabled through ssh. Pretty unusual to
come up with my name, so maybe it was another. I see no logins with "last"
since Sun Jun 4 from unfamiliar systems. Also, there are still spams in
Postfix's error queue. As soon as I start it, it tries to send those. The
recipient systems don't allow such actions. How do I delete them -- just
rm /var/spool/postfix/defer{,red}/?/* ?
I ran Postfix for a few seconds while watching for connections with netstat.
I saw none, so I'm guessing the culprit queued up a lot of them and
disconnected.
I noticed this when I saw that this week's /var/log/syslog was 3.4M and the
previous week's was 84k. Hmm.
-- 
-eben

This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS).
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:09:41 EDT
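The queue clean-up the post asks about, written as an added example (not code from the original thread): instead of deleting files under /var/spool/postfix by hand, it lists who the deferred mail is from, keeps a copy of each message for later analysis, and then drops the deferred queue with postsuper. It assumes a stock Postfix install with postqueue, postcat and postsuper on PATH; the queue listing embedded below is constructed, not real output.

```shell
#!/bin/sh
# Triage and clean a Postfix deferred queue that has been stuffed with spam.
# Assumes the standard Postfix tools postqueue, postcat and postsuper.

# Count queued messages per sender from a "postqueue -p" (mailq) listing on
# stdin. Prints "<count> <sender>" lines, most frequent sender first.
summarize_senders() {
    awk '
        # A queue entry starts with the queue ID (optionally followed by "*"
        # for active or "!" for held); its sender is the last field. Header,
        # recipient, error and summary lines do not match this pattern.
        /^[0-9A-Za-z]+[*!]? / { count[$NF]++ }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Save every deferred message (headers and body) before deleting anything,
# so the spam can be examined later for clues about how it was injected.
archive_deferred() {
    dir="${1:-/root/queue-evidence}"
    mkdir -p "$dir"
    postqueue -p | awk '/^[0-9A-Za-z]+[*!]? / { sub(/[*!]$/, "", $1); print $1 }' |
    while read -r qid; do
        postcat -q "$qid" > "$dir/$qid.txt"
    done
}

# The supported way to empty the deferred queue; Postfix keeps its own
# bookkeeping consistent, which rm on the spool directories does not.
purge_deferred() {
    postsuper -d ALL deferred
}

# Constructed sample of mailq output, used by "--demo".
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    2345 Sat Jun 10 18:48:55  spammer@example.invalid
                                         victim1@example.org
(connect to mx.example.org[192.0.2.1]:25: Connection refused)
F6E7D8C9B0     1980 Sat Jun 10 18:49:02  spammer@example.invalid
                                         victim2@example.net
(host mail.example.net[192.0.2.2] said: 550 spam rejected)
0123456789     3120 Sat Jun 10 19:01:14  eben@example.com
                                         friend@example.org

-- 7 Kbytes in 3 Requests.'

case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_QUEUE" | summarize_senders ;;
    --live)  postqueue -p | summarize_senders ;;
    --purge) archive_deferred "${2:-/root/queue-evidence}" && purge_deferred ;;
esac
```

Run with --live to see who the queued mail claims to be from, then --purge once the copies are safely archived.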