TCLUG Archive

RE: [TCLUG:2438] Somethings ... STATUS REPORT

> Richar> * Was / Is there a process running on my system that
> Richar> needs to be removed or cleaned up?
> Richar> * How can I set up a better (more suited to my needs)
> Richar> firewall that will be more preventive in nature, but still
> Richar> allow me to get my work done?
> Richar> * What else might have been compromised? Passwords?
> Richar> * Who did this? What were they doing? Will I get blamed
> Richar> for it? Etc.?
> Richar> * If this _wasn't_ an attack from the outside, what could
> Richar> it have been?
> Richar>
>
> Chances are that someone figured out that your machine was
> accepting relaying and so they started spamming off you.  What
> should help would be to make sure you have relaying turned off in
> sendmail.  If you want to be able to relay from some machines put
> those in /etc/mail/allow_relay, or something like that.

	You'll need to upgrade to sendmail 8 to do that, remember.  (In most
sendmail 8 distributions, relaying is *already* turned off, so I'm guessing
you haven't got it yet.)

	Chances are, if these were all just sendmail relays, nothing was
compromised besides your reputation.  Your long-distance pal was most likely
bouncing ads for "We'll Register Your Site with 900 Search Engines" off of
you -- remote sysadmins who actually take the trouble to track down the
sources of such junk may be a little ticked at you, but at least now you can
tell them the site of origin.  You may even find your IP address blocked
from sending mail to some sites.  Nonetheless, I'd change all your
passwords, at least.

	I'd suggest, again, that you disable snmp, samba and any services in
inetd.conf that you don't need (especially IMAP and nntpd).
	What I've done on any exposed systems I have is start with a totally
locked-down system -- that is, block incoming IP traffic on *all* ports (put
a line in /etc/hosts.deny that says "ALL: ALL").  Then, I put lines in
hosts.allow that allow my internal network total access, a few key sites
like work or my upstairs neighbor access to telnet & ftp, and the rest of
the world access to httpd.
	If you want to get clever, you can add stuff to hosts.deny that sends you
an e-mail when somebody tries something sneaky.  Can be very educational.
It seems like the number of script kiddies and spammers looking for
unprotected relay hosts is really exploding lately.
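The hosts.deny / hosts.allow layout described in the message above is tcp_wrappers (tcpd) access control, and its behaviour depends on a search order that is easy to get backwards. Below is an added worked example, not code from the list post or from tcp_wrappers itself: a small Python evaluator that applies the documented order (hosts.allow is searched first and the first match grants access; hosts.deny is searched next and the first match refuses; no match in either file means access is granted) to a constructed pair of files mirroring the post's design, including a "spawn" option in hosts.deny that mails a notice on refusal. The network 192.168.1.0/24, the host 10.0.0.5, the domain .trusted.example and the daemon names are sample values chosen for the example.

```python
"""Evaluate tcp_wrappers-style hosts.allow / hosts.deny rules (added example).

Search order as documented in hosts_access(5):
  1. hosts.allow: first matching rule -> access granted.
  2. hosts.deny:  first matching rule -> access refused.
  3. No match in either file          -> access granted.
Step 3 is why a "ALL: ALL" line in hosts.deny is the starting point for a
locked-down host: without it, anything not mentioned is allowed.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample files (values are illustrative, not from the original post).
HOSTS_ALLOW = """\
# Internal network gets every wrapped service
ALL: 192.168.1.0/255.255.255.0
# A few trusted hosts may use telnet and ftp
in.telnetd, in.ftpd: 10.0.0.5, .trusted.example
# Anyone may reach the web server
httpd: ALL
"""

HOSTS_DENY = """\
# Default: refuse everything else and mail a notice about the attempt.
# %d and %c are tcpd expansions for the daemon name and client information.
ALL: ALL: spawn (/bin/echo "%d refused for %c" | /bin/mail -s "tcpd refusal" root) &
"""

Rule = Tuple[List[str], List[str], str]  # (daemon patterns, client patterns, options)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: options]' lines, ignoring comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) < 2:
            continue  # malformed line; tcpd would log a syntax error
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        options = parts[2] if len(parts) == 3 else ""
        rules.append((daemons, clients, options))
    return rules


def client_matches(pattern: str, ip: str, host: Optional[str]) -> bool:
    """Match one client pattern the way hosts_access(5) describes the common forms."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask, with a dotted netmask or a prefix length
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.startswith("."):  # domain suffix, e.g. ".trusted.example"
        return host is not None and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):  # numeric prefix, e.g. "10.0."
        return ip.startswith(pattern)
    return pattern == ip or (host is not None and pattern.lower() == host.lower())


def daemon_matches(patterns: List[str], daemon: str) -> bool:
    return any(p == "ALL" or p == daemon for p in patterns)


def check_access(daemon: str, ip: str, host: Optional[str] = None,
                 allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> Tuple[str, str]:
    """Return ("allow" | "deny", options of the matching rule or "")."""
    for daemons, clients, options in parse_rules(allow):
        if daemon_matches(daemons, daemon) and any(client_matches(c, ip, host) for c in clients):
            return "allow", options
    for daemons, clients, options in parse_rules(deny):
        if daemon_matches(daemons, daemon) and any(client_matches(c, ip, host) for c in clients):
            return "deny", options
    return "allow", ""  # no rule matched: tcpd grants access


if __name__ == "__main__":
    for args in [("in.telnetd", "192.168.1.20", None),
                 ("in.ftpd", "10.0.0.5", None),
                 ("in.telnetd", "203.0.113.9", "mail.trusted.example"),
                 ("httpd", "203.0.113.9", None),
                 ("in.telnetd", "203.0.113.9", None)]:
        print(args, "->", check_access(*args))
```

The evaluator takes the client hostname as given; real tcpd obtains it by reverse lookup and refuses when the forward and reverse names disagree. Note also that these files only govern services started through tcpd or linked against libwrap, so the sendmail relaying discussed earlier in the thread is controlled separately in the sendmail configuration, not here.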