On Sunday 15 April 2007 19:47, Will Parkinson wrote:
> No it was our server that was sending the spam, so there must have been a
> script placed on our server by someone else (i.e. we were hacked or
> something)
This is somewhat unusual; relaying is much more common. I assume you have carefully checked the spam headers to verify that they originated on your server and are not forgeries or relays.

The next and urgent step is to shut the server down. While the server is potentially or actually compromised, you don't know what the attacker can do. For example, the attacker may have a script which (a) hides itself from ls and ps, (b) notes any passwords you use to access the system, whether remotely or locally, and (c) repeatedly attempts to mail them out at random intervals, perhaps days or weeks apart.

Remove the disks from the server, attach them to a known secure system, and mount them read-only and noexec. Without booting from them or executing any programs or scripts on them, verify that they have no material that should not be there. If that is impossible or impractical (and it usually is), then copy off the portion that you can verify is safe (perhaps some email messages and/or some web pages) and completely wipe the suspect drives. Then reinstall Linux and copy only the safe saved data back.

If possible, before wiping the drives, and again without booting or executing, attempt to determine the attack vector from your logs and from changed files. File a bug report if the attack used a previously unknown vector.

Limiting your firewall to AU IP addresses, even if the attacker can't circumvent it, is not an option. You do not know what attacks your box may be perpetrating against other innocent parties. If in doubt, turn it off, consult a good lawyer, and ask him or her if it's OK to turn it back on.

--Mike Bird
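The two checks the reply describes, confirming that the suspect disk is mounted read-only and noexec on the clean analysis host and then looking for changed or unexpected files without executing anything from the disk, can be scripted. The following is an added example written for this thread, not code from either poster. It assumes the suspect filesystem is attached to a clean machine, that a known-good manifest of sha256 sums is available (for instance built from a fresh install of the same packages), and that either coreutils `sha256sum` or `shasum` is present; the mount point, file names and file contents are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original thread). Assumptions: suspect disk is
# attached to a clean analysis host; a known-good sha256 manifest exists;
# sha256sum (coreutils) or shasum is installed. Paths below are hypothetical.

# Hash tool: prefer coreutils sha256sum, fall back to the perl shasum.
hasher() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# mount_is_safe LINE: succeed only if a /proc/mounts line carries the options
# the reply calls for (ro, noexec) plus the usual companions nosuid and nodev.
mount_is_safe() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    for need in ro noexec nosuid nodev; do
        case ",$opts," in
            *",$need,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_live_mount MNT: look MNT up in the running kernel's /proc/mounts and
# apply mount_is_safe to it (Linux only).
check_live_mount() {
    line=$(awk -v m="$1" '$2 == m' /proc/mounts)
    [ -n "$line" ] && mount_is_safe "$line"
}

# build_manifest ROOT OUT: record the sha256 of every regular file under ROOT
# with paths relative to ROOT, so the manifest can be applied to another tree.
build_manifest() {
    (cd "$1" && find . -type f | sort | while IFS= read -r f; do hasher "$f"; done) > "$2"
}

# changed_files MANIFEST ROOT: print files whose hash differs from the manifest
# or that the manifest lists but ROOT lacks ("path: FAILED ..."), then files in
# ROOT that the manifest never listed ("path: NOT IN MANIFEST"), which is what
# a dropped script looks like. Nothing on ROOT is executed, only read.
changed_files() {
    manifest=$1; root=$2
    (cd "$root" && hasher -c --quiet "$manifest" 2>/dev/null)
    sed 's/^[^ ]*  //' "$manifest" | sort > "$manifest.listed"
    (cd "$root" && find . -type f | sort) | comm -13 "$manifest.listed" - | sed 's/$/: NOT IN MANIFEST/'
    rm -f "$manifest.listed"
}

# demo: build a small "clean" tree and its manifest, copy it, alter one file and
# drop one new file into the copy, and report what changed_files finds.
# All contents here are constructed for the example.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/etc" "$work/clean/var/www"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/clean/etc/passwd"
    printf '<html>hello</html>\n' > "$work/clean/var/www/index.html"
    build_manifest "$work/clean" "$work/manifest"
    cp -R "$work/clean" "$work/suspect"
    printf '<html>hello</html><!-- constructed change -->\n' > "$work/suspect/var/www/index.html"
    printf '# constructed placeholder for an unexpected file\n' > "$work/suspect/var/www/dropped.txt"
    changed_files "$work/manifest" "$work/suspect"
    rm -rf "$work"
}

# Usage: sh check_disk.sh --demo   (or source the file and call the functions)
case "${1:-}" in --demo) demo ;; esac
```

The demo prints `./var/www/index.html: FAILED` followed by `./var/www/dropped.txt: NOT IN MANIFEST`. On a real case the manifest comes from a clean system and `changed_files` is pointed at the mount point that `check_live_mount` has confirmed is read-only and noexec; a manifest is only as trustworthy as the machine it was built on, so build it on the clean host, never on the suspect one.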