Larry Brown said:
> Thanks Nate,
>
> Yes w gave me the station name connecting to it. However, w didn't show
> the user logged into :0. I had 5 users showing and the first line of w
> stated there were 6 users currently connected. Who gave me all six but
> the machine remotely connecting in did not show. Between the two I get a
> better view of what is going on. All of this stemmed from an e-mail from
> [EMAIL PROTECTED] stating that they were receiving spam from my
> network and I'm the only user back here. I started scrutinizing
> everything I could find and have not found any evidence of tampering other
> than that unidentified :0 (till now). I only have my internal network set
> up under relay-domains and I checked sendmail.cf to make sure someone
> hadn't changed the name and location of the relay file. I think I am
> going to set up accounting and set up a log server just to be sure. I
> think though, that the spam message was spam in and of itself.
While it is quite rare in my experience these days, it is possible that your wtmp/utmp (I forget which, or both?) could be partially corrupted. That results in skewed output from w/finger/who.

Did that person from spamhaus.org send the original spam to you with full headers? If not, ask them for it; it's standard procedure when reporting spam to include such information.

Another thing to check is netstat. If the system is not heavily trafficked, running netstat -an may show if there is another user logged into the system (perhaps an intruder). Of course, if the system is compromised for whatever reason, all bets are off.

Setting up a log server is a good idea.

Also, not completely related but may help... a month or 2 ago I was troubleshooting a friend's Mandrake box which was relaying spam. Turns out his cable modem's NAT implementation was broken. He had his real (static) IP in the list of systems allowed to relay, but inbound connections to the system ALL showed coming from his real IP instead of the IP of the remote host. Resetting the modem would fix the problem, but a few minutes later it would start occurring again. Since he didn't need his real IP in that list, we removed it. He's since migrated to another router model. Luckily his ISP was friendly (rr.com), and didn't cut his account off or do anything other than warn him about the open relay, even though technically I think he is not allowed to run an SMTP server on that kind of connection.

nate

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
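The cross-check Nate suggests (the user count in the header of w versus the rows w and who actually list, plus netstat for connections that no login tool reports) can be scripted so the discrepancy Larry saw is flagged rather than eyeballed. The script below is an added example written for this thread, not something posted by either participant; the w, who and netstat output in it is constructed to mirror Larry's situation (w header says 6 users, w lists 5, who lists 6 including :0), and the host addresses are made up. On a live system the same functions take the real output of w, who and netstat -an.

```shell
#!/bin/sh
# Cross-check login accounting: w header count vs. w rows vs. who rows, then
# list ESTABLISHED connections to login services from netstat. Disagreement
# between the three counts points at corrupted utmp/wtmp or a session that one
# tool does not display, which is exactly what the thread above describes.

# Constructed sample output standing in for `w` (6 claimed, 5 listed).
W_SAMPLE='  14:02:11 up 3 days,  2:10,  6 users,  load average: 0.10, 0.08, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
larry    tty1     -                 Mon09    2days  0.05s  0.05s -bash
larry    pts/0    10.0.0.5          13:50    0.00s  0.10s  0.01s w
larry    pts/1    10.0.0.5          13:51    5:00   0.03s  0.03s -bash
larry    pts/2    10.0.0.7          13:55    1:00   0.02s  0.02s vi
larry    pts/3    10.0.0.7          13:58    0.00s  0.01s  0.01s -bash'

# Constructed sample output standing in for `who` (6 listed, including :0).
WHO_SAMPLE='larry    tty1         Mar 10 09:00
larry    pts/0        Mar 12 13:50 (10.0.0.5)
larry    pts/1        Mar 12 13:51 (10.0.0.5)
larry    pts/2        Mar 12 13:55 (10.0.0.7)
larry    pts/3        Mar 12 13:58 (10.0.0.7)
larry    :0           Mar 12 13:40'

# Constructed sample output standing in for `netstat -an` (addresses made up).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:22             10.0.0.5:40112          ESTABLISHED
tcp        0      0 10.0.0.1:22             10.0.0.7:51200          ESTABLISHED
tcp        0      0 10.0.0.1:23             192.0.2.44:3301         ESTABLISHED
tcp        0      0 10.0.0.1:25             198.51.100.9:2200       ESTABLISHED'

# Number of users claimed in the first (header) line of `w`.
w_header_count() {
    printf '%s\n' "$1" | sed -n '1s/.*,[ ]*\([0-9][0-9]*\) user.*/\1/p'
}

# Session rows `w` actually lists (everything after its two header lines).
w_row_count() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# Rows `who` lists.
who_row_count() {
    printf '%s\n' "$1" | awk 'NF > 0 { n++ } END { print n + 0 }'
}

# TTYs that `who` reports but `w` does not: the sessions worth a second look.
who_only_ttys() {
    w_ttys=$(printf '%s\n' "$1" | awk 'NR > 2 && NF > 0 { print $2 }' | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v seen="$w_ttys" '
        BEGIN { n = split(seen, a, " "); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        NF > 0 && !($2 in have) { print $2 }'
}

# Returns 0 when all three counts agree, 1 otherwise (and names the odd TTYs).
check_accounting() {
    hdr=$(w_header_count "$1"); rows=$(w_row_count "$1"); whos=$(who_row_count "$2")
    echo "w header: $hdr  w rows: $rows  who rows: $whos"
    if [ "$hdr" = "$rows" ] && [ "$rows" = "$whos" ]; then
        return 0
    fi
    echo "mismatch; sessions present in who but absent from w:"
    who_only_ttys "$1" "$2" | sed 's/^/  /'
    return 1
}

# ESTABLISHED connections to login services (ssh 22, telnet 23, rlogin 513),
# printed as "port remote-host". Compare the hosts with the FROM column of w:
# a peer here with no matching session is the case Nate describes.
login_peers_from_netstat() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "ESTABLISHED" {
        n = split($4, l, ":"); port = l[n]
        if (port == 22 || port == 23 || port == 513) {
            m = split($5, r, ":"); print port, r[1]
        }
    }'
}

# On a live host use the real tools instead of the samples:
#   check_accounting "$(w)" "$(who)"; login_peers_from_netstat "$(netstat -an)"
check_accounting "$W_SAMPLE" "$WHO_SAMPLE" || true
echo "established login-service peers:"
login_peers_from_netstat "$NETSTAT_SAMPLE"
```

With the sample data the script reports "w header: 6  w rows: 5  who rows: 6", names :0 as the session only who shows, and lists a telnet peer (192.0.2.44) that no w row accounts for. A clean machine should print equal counts and nothing under the mismatch line; remember, as Nate says, that all three views come from the same host and cannot be trusted once it is compromised, which is the argument for the separate log server.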