public inbox for gentoo-security@lists.gentoo.org
* [gentoo-security] Strange occurrence of sendmail and disk I/O in background....
@ 2008-02-19 11:42 Christopher P. Kern
  2008-02-19 12:14 ` Javier Barrio
  2008-02-26 12:44 ` William Yang
  0 siblings, 2 replies; 5+ messages in thread
From: Christopher P. Kern @ 2008-02-19 11:42 UTC
  To: gentoo-security


Can anyone tell me what service/application would start sendmail?

I discovered my Gentoo computer recently very active with I/O on the
hard drive and receive/transmit activity on an invocation of gkrellm. In
researching the activity, I found that I had an SMTP connection to a
computer in Toronto, Canada. The connection was on port 43121 and looked
like so:
  
  bash$  netstat -t -u
  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address  Foreign Address  State
  tcp        0      1 [myIP]:43121   [theirIP]:smtp   ESTABLISHED
    ... Other usual stuff ....

    Running a check to see what may be running in the process tables:

 bash$  ps -efl

 showed this process here:
 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t

    I could not find the cause for this application invocation. Nothing
in rc-update, crontab, or the services suggests that sendmail ought to
be running.

    When I killed the PID for this sendmail process, all disk I/O
immediately stopped. The site for the IP address which had a connection
to my computer was never one that I had ever visited. I know of no
reason I would ever go to it.
   
    I found vulnerabilities associated with a lower version of sendmail
but none with the version I've installed right now.

    Any suggestions, ideas, or explanations are welcomed.

          Thanks in advance,
      

                      Kern.

* Re: [gentoo-security] Strange occurrence of sendmail and disk I/O in background....
  2008-02-19 11:42 [gentoo-security] Strange occurrence of sendmail and disk I/O in background Christopher P. Kern
@ 2008-02-19 12:14 ` Javier Barrio
  2008-02-19 13:39   ` Michael W Spitzer
  2008-02-26 12:44 ` William Yang
  1 sibling, 1 reply; 5+ messages in thread
From: Javier Barrio @ 2008-02-19 12:14 UTC
  To: gentoo-security

>     I found vulnerabilities associated with a lower version of
> sendmail but none with the version I've installed right now.
> 
>     Any suggestions, ideas, or explanations are welcomed.

It seems you could be owned by someone, maybe due to a combination of a
web-app vulnerability which led to an apache shell, which led to a
kernel exploit execution, which led to root, which led to executing
whatever, in that case making your machine a spammer zombie or
so. You know, the usual shit nowadays.

Run the usual tools, chkrootkit, rkhunter, etc.

Good luck.
-- 
echo "dpefsAgmv{p/psh" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
GnuPG key ID 0x6D2FF8B5 @ pgp.rediris.es
http://www.fluzo.org/
<º ))))><


* Re: [gentoo-security] Strange occurrence of sendmail and disk I/O in background....
  2008-02-19 12:14 ` Javier Barrio
@ 2008-02-19 13:39   ` Michael W Spitzer
  0 siblings, 0 replies; 5+ messages in thread
From: Michael W Spitzer @ 2008-02-19 13:39 UTC
  To: gentoo-security

On Feb 19, 2008 6:14 AM, Javier Barrio <coder@fluzo.org> wrote:
>
> >     I found vulnerabilities associated with a lower version of
> > sendmail but none with the version I've installed right now.
> >
> >     Any suggestions, ideas, or explanations are welcomed.
>
> It seems you could be owned by someone,

I'd agree. But, the only way to be sure you're no longer compromised
is to re-load the machine from scratch. Running chkrootkit and all of
those tools might find something, but you can't be sure you've found
everything that's been changed.

Mike
-- 
gentoo-security@lists.gentoo.org mailing list


* Re: [gentoo-security] Strange occurrence of sendmail and disk I/O in background....
  2008-02-19 11:42 [gentoo-security] Strange occurrence of sendmail and disk I/O in background Christopher P. Kern
  2008-02-19 12:14 ` Javier Barrio
@ 2008-02-26 12:44 ` William Yang
  1 sibling, 0 replies; 5+ messages in thread
From: William Yang @ 2008-02-26 12:44 UTC
  To: gentoo-security

Christopher P. Kern wrote:
> Can anyone tell me what service/application would start sendmail?

Cron would.  And your message makes it sound like
cron/vixie-cron/anacron/etc may have been involved.

If you have a crontab entry that doesn't control output (stderr and
stdout), you could have a large file of output that's been queued by cron.
That could explain the disk activity and an outbound SMTP connection.

Why it's sending mail to that specific address is another story.  It sounds 
like you're using sendmail, but /usr/sbin/sendmail could be any of several 
mailer packages.  You need to look at how the mail program is configured.

While it's possible that someone else now owns your box (and you should be 
prepared to deal with that), it's also possible--based solely on what I've 
read in your message--that this is a simple misconfiguration.  Before you 
go re-imaging the system, you probably want to analyze what's going on 
fully... rebuilding, in my experience, isn't a great strategy for fixing 
configuration problems.

	-Bill
-- 
William Yang
wyang@gcfn.net
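Following Bill's point that cron hands any uncontrolled job output to /usr/sbin/sendmail (the `-FCronDaemon -odi -oem -oi -t` process in the original post), here is an added triage script that is not from this thread or from Gentoo: it lists crontab jobs that redirect neither stdout nor stderr and reports where cron would deliver that mail. The crontab contents are constructed, the function names are my own, and the "owner is the default recipient" rule is vixie-cron's behaviour.

```shell
#!/bin/sh
# Added triage helper (not the thread's own code): find crontab jobs whose
# output is not redirected. Any output such a job produces is mailed by cron via
#   /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
# which is the process the original poster found.

# Print every job line in crontab file $1 that does not redirect BOTH
# stdout and stderr. Comments, blank lines and VAR=value lines are skipped.
cron_unredirected() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$1" |
    while IFS= read -r line; do
        # Drop the schedule: five fields, or one field for @reboot/@daily style.
        case "$line" in
            @*) cmd=$(printf '%s\n' "$line" | awk '{$1=""; sub(/^ +/,""); print}') ;;
            *)  cmd=$(printf '%s\n' "$line" | awk '{$1=$2=$3=$4=$5=""; sub(/^ +/,""); print}') ;;
        esac
        out=no; err=no
        case "$cmd" in *'&>'*) out=yes; err=yes ;; esac   # bash shorthand for both
        case "$cmd" in *'2>'*) err=yes ;; esac
        case "$cmd" in '>'*|*[!2]'>'*) out=yes ;; esac    # a '>' that is not '2>'
        [ "$out" = yes ] && [ "$err" = yes ] || printf '%s\n' "$line"
    done
}

# Print where cron would deliver job output for crontab $1 owned by user $2:
# the last MAILTO= value ("(suppressed)" when MAILTO is set but empty),
# otherwise the crontab owner, which is vixie-cron's default.
cron_mail_recipient() {
    if grep -Eq '^[[:space:]]*MAILTO=' "$1"; then
        mailto=$(grep -E '^[[:space:]]*MAILTO=' "$1" | tail -n 1 |
                 sed 's/^[^=]*=//; s/^"//; s/"$//')
        [ -n "$mailto" ] && printf '%s\n' "$mailto" || printf '(suppressed)\n'
    else
        printf '%s\n' "$2"
    fi
}

# Constructed sample crontab (not from any real system), written to file $1.
write_sample_crontab() {
    cat > "$1" <<'EOF'
# nightly jobs
MAILTO=ops@example.invalid
0 3 * * * /usr/local/bin/backup.sh > /var/log/backup.log 2>&1
*/5 * * * * /usr/local/bin/poll-status.sh
@daily /usr/local/bin/rotate.sh 2>/dev/null
EOF
}

# Example run:
#   write_sample_crontab /tmp/crontab.sample
#   cron_unredirected /tmp/crontab.sample        # poll-status.sh and rotate.sh
#   cron_mail_recipient /tmp/crontab.sample root # ops@example.invalid
```

On a live system, run `cron_unredirected` over /etc/crontab, each file under /etc/cron.d and every `crontab -l -u USER` dump, then compare `cron_mail_recipient` with the aliases your MTA resolves; a job that prints on every run and a MAILTO pointing off-box explains repeated outbound SMTP without anything being compromised.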

