Re: [SLUG] joe-job or rootkit?

From: Eben King (eben01@verizon.net)
Date: Sat Apr 12 2008 - 15:13:33 EDT


On Sat, 12 Apr 2008, ronan wrote:

> Eben King wrote:
>> I just got 6-7 bounces from mail I didn't send. So I've probably been the
>> victim of either a joe-job or a rootkit. I've got the bounce messages. How
>> do I tell the difference?
>>
> Leave a copy of tcpdump running in a terminal, watching outgoing packets, for
> several hours, while you are not using your machine. Any outbound traffic is
> suspicious (except for NTP or deliberately scheduled network activity).

Noted, thanks. I also need to bring down samba, thttpd, and gaim. NFS too,
if I get the circular tuits to use it. Actually, I don't need to bring them
down if there's a way to see only TCP packets where DESTPORT==25. Anyone
speak tcpdump?

Turns out someone joe-jobbed a broadcast address at my school. :-( Several
hundred of us got 70+ bounces each. Mail server load test in 5, 4, 3, ...

Isn't there a log file for outgoing mail? /var/log/mail.log logs incoming
mail.

-- 
-eben     QebWenE01R@vTerYizUonI.nOetP     royalty.mine.nu:81
Your pretended fear lest error might step in is like the man who
would keep all wine out of the country lest men should be drunk.
                                               -- Oliver Cromwell
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS).  Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
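The two questions left open above (a tcpdump filter that shows only outbound port-25 traffic, and where outgoing mail is logged) can be answered with a short script. This is an added example, not code from the thread or from any of its posters; the addresses 192.0.2.10 (this host) and 203.0.113.25 (an ISP smarthost) and the log lines it writes are constructed, and the log format assumed is the Postfix/Sendmail one, where each outgoing delivery attempt is a line containing `to=<rcpt>` and `relay=host`, in the same mail.log as the incoming traffic. The caveat a responder should keep in mind: a spam engine dropped by a rootkit usually speaks SMTP itself and never touches the local MTA, so it leaves nothing in mail.log at all; the packet filter, run as root on the outside interface, is the check that actually distinguishes the two cases.

```shell
#!/bin/sh
# Added example for this thread; not code from the original post.
# Assumed values (not from the post): this host is 192.0.2.10, and the
# only relay its own MTA should ever talk to is the ISP smarthost
# 203.0.113.25. The log lines in write_sample_log are constructed.

# Build a tcpdump filter that shows only NEW outbound SMTP connections
# from this host: TCP with destination port 25, SYN set and ACK clear,
# so established sessions and inbound mail are not printed. Traffic to
# the legitimate smarthost (if given) is excluded, so anything that does
# print is a direct-to-MX delivery attempt from this box, which is what
# a locally running spam engine produces and a joe-job does not.
smtp_egress_filter() {
    local_ip="$1"
    smarthost="$2"
    f="src host $local_ip and tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
    [ -n "$smarthost" ] && f="$f and not dst host $smarthost"
    printf '%s\n' "$f"
}

# Pull remote deliveries out of a Postfix/Sendmail style mail log. Both
# MTAs log each outgoing attempt as a line containing to=<rcpt> and
# relay=host[...]; local deliveries say relay=local (or mailer=local)
# and are dropped. Output: one "rcpt via relay" line per attempt,
# deferred and bounced attempts included.
outbound_deliveries() {
    grep 'to=<' "$1" | grep 'relay=' | grep -v -e 'relay=local' -e 'mailer=local' \
      | sed -n 's/.*to=<\([^>]*\)>.*relay=\([^,]*\).*/\1 via \2/p'
}

# Number of outbound delivery attempts in the log (0 if none).
count_outbound() {
    outbound_deliveries "$1" | wc -l | tr -d ' '
}

# Constructed sample log: one inbound connection, one Postfix local
# delivery, two Postfix remote deliveries (one of them bounced), and one
# Sendmail remote delivery.
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 12 14:02:11 box postfix/smtpd[2210]: connect from mail.example.net[198.51.100.7]
Apr 12 14:02:12 box postfix/local[2215]: 7A1C3: to=<user@localhost>, relay=local, delay=0.1, status=sent (delivered to mailbox)
Apr 12 14:05:40 box postfix/smtp[2231]: 9B2D4: to=<friend@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.2, status=sent (250 ok)
Apr 12 15:13:33 box postfix/smtp[2302]: C3E5F: to=<nobody@example.com>, relay=mx2.example.com[203.0.113.9]:25, delay=3.4, status=bounced (550 no such user)
Apr 12 15:20:01 box sendmail[2350]: m3CJK1xx002350: to=<someone@example.net>, ctladdr=<user@box> (1000/1000), delay=00:00:02, mailer=esmtp, relay=mail.example.net. [198.51.100.7], dsn=2.0.0, stat=Sent
EOF
}

# Demo: scan the constructed log, then print the tcpdump command line
# you would leave running in a terminal (needs root; eth0 is assumed).
log=$(mktemp)
write_sample_log "$log"
echo "Outbound delivery attempts in sample log ($(count_outbound "$log")):"
outbound_deliveries "$log"
echo
echo "tcpdump -ni eth0 '$(smtp_egress_filter 192.0.2.10 203.0.113.25)'"
rm -f "$log"
```

If the filter stays silent for hours while samba, thttpd and the rest keep running, the bounces came from forged headers elsewhere; if it prints SYNs to assorted MX hosts while nobody is at the keyboard, the box is sending, and the `outbound_deliveries` output tells you whether the local MTA was the one doing it or whether something else on the host is speaking SMTP on its own.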



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:39:00 EDT