On Sunday 04 Jul 2004 15:40, Terence Golightly wrote:
> List,
>
> Postfix has quit working and I suspect someone has broken in, but I
> don't know where to begin looking on my system.  Below is an attempt to
> start postfix:
>
> [EMAIL PROTECTED] root]# postfix start
> postfix: fatal: parameter inet_interfaces: no local interface found for
> 220.80.108.83
>
> I have included a run of nmapfe at the end.  In the meantime,
> I was barely able to set up postfix to supply me with system emails, so
> your basic help with how/where do I look to fix this problem is greatly
> appreciated.
>
> Thanks,
>
> Terry
>
> p.s. If I have been hacked by the IP above, what can I do (shorewall/other)
> to keep them out?
>
>
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-07-04 01:15 EDT
> sendto in send_tcp_raw: sendto(3, packet, 60, 0, 220.80.108.83, 16) => Operation not permitted
> sendto in send_tcp_raw: sendto(3, packet, 60, 0, 220.80.108.83, 16) => Operation not permitted
> Interesting ports on 220.80.108.83:
> (The 1646 ports scanned but not shown below are in state: closed)
> PORT      STATE    SERVICE
> 21/tcp    open     ftp
> 22/tcp    open     ssh
> 53/tcp    open     domain
> 80/tcp    open     http
> 111/tcp   open     rpcbind
> 135/tcp   filtered msrpc
> 139/tcp   filtered netbios-ssn
> 445/tcp   filtered microsoft-ds
> 3306/tcp  open     mysql
> 4444/tcp  filtered krb524
> 5800/tcp  filtered vnc-http
> 5900/tcp  filtered vnc
> 17300/tcp filtered kuang2
> Device type: general purpose
> Running: Linux 2.4.X|2.5.X
> OS details: Linux Kernel 2.4.0 - 2.5.20
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 49.309 seconds
>
>
>
> Terry Golightly ... [EMAIL PROTECTED] ... Pittsburgh, Pa

Hmmm
Your mail header includes the line
Message-Id: <[EMAIL PROTECTED]>

tbox.blrm.myhouse.net resolves to 220.80.108.83 which is a block belonging to 
an ISP in Korea. It does not seem likely that someone in the US would use a 
Korean ISP, but how is that line getting into your email headers?

It looks like your Postfix config file may have been tampered with to turn you 
into a spam relay.


derek

-- 
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org
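
The startup error quoted above says an `inet_interfaces` entry points at an address this machine does not own. The following is an added example, not part of the original thread and not Postfix code: it parses a main.cf and reports such entries, including hostnames that resolve elsewhere. The sample config, the hostname `tbox.example.net`, the local address list and the `resolve` callback are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample main.cf for illustration; not the poster's actual file.
SAMPLE_MAIN_CF = """\
myhostname = tbox.example.net
# a line starting with whitespace continues the previous parameter
inet_interfaces = 127.0.0.1,
    $myhostname
"""

def parse_main_cf(text):
    """Parse main.cf text into {name: value}; the last definition wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or comment
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()   # continuation line
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return params

def foreign_interfaces(params, local_addrs, resolve):
    """Return (entry, address) pairs in inet_interfaces that are not local.

    local_addrs: IP strings configured on this host (caller supplies them).
    resolve: callable hostname -> IP string or None, e.g. a DNS lookup.
    """
    local = {ipaddress.ip_address(a) for a in local_addrs}
    value = params.get("inet_interfaces", "all")
    # Expand one level of $name / ${name} references to other parameters.
    value = re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)
    bad = []
    for entry in value.replace(",", " ").split():
        if entry in ("all", "loopback-only"):
            continue                          # keywords, not addresses
        try:
            addr = ipaddress.ip_address(entry.strip("[]"))
        except ValueError:
            resolved = resolve(entry)         # hostname: see where it points
            if resolved is None:
                bad.append((entry, "unresolved"))
                continue
            addr = ipaddress.ip_address(resolved)
        if addr not in local:
            bad.append((entry, str(addr)))
    return bad
```

An entry reported here can come from an edited main.cf or from a hostname whose DNS answer has changed, so compare the file against a known-good copy as well.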
