Michael Grier <[EMAIL PROTECTED]> wrote:
>
> > > The spammer seems to somehow be using the user qmailt as the originator.
> > > A copy follows. uid 12355 is the user qmailt.
> >
> > There is no such user in a normal qmail install.
> >
> > Are you sure they didn't get into your system another way? A broken
> > formmail CGI, or something else?
>
> I've now found that this user was most likely created yesterday when this
> problem started, so now I probably have to figure out how I was hacked. I've
> deleted the user.
I saw the other message you sent to me privately. Yes, you were hacked. If
you don't have md5sums of all the files on your system, you should probably
start out fresh -- you don't know what he ftp'd in, but he probably installed
a rootkit and left all kinds of backdoors for him to come back. Plus, you
still don't know how he gained access in the first place.
Charles
--
-----------------------------------------------------------------------
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
-----------------------------------------------------------------------
