I had this same thing about 3 weeks ago. (27th Feb, 12:27pm)
Basically, you've been hacked.
I found on my machine, it had sent a copy of /etc/passwd, /etc/shadow, plus
numerous other config/security files.
Also, you'll probably find there's a portscan program running from your
computer now. Actively looking for other hosts to compromise.
The results of this also get emailed to that china.com address.
There was also a directory in the /dev directory which had all the hack tools.
These were built on the system. Check /usr/src
First indication on my system was that my internet traffic was flatlining in
the Outward direction (quite noticeable on a modem connection).
Also, the Syslog stopped at the same time.
Check /etc/inet.d there was a line in there for a telnet on port 1008.
(Since I rebuilt, I have noticed a frequent attempt to access port 1008 from
host 209.57.90.3)
Also, /etc/hosts.deny was erased, /etc/hosts.allow had ALL : 0.0.0.0 added
as did the appropriate files in the sendmail configuration.
i.e. they set the machine up to be an open relay.
It appears on my system they may have done something with Bind.
It went offline at the same time that the attack occurred.
I took the safe option and pulled the plug and rebuilt the machine on a new
HDD.
Once the system has been compromised, you can't trust anything on it.
Hope this helps.
-Vince
Wayne Innes wrote:
> Hi,
>
> Yesterday I received this in my email :-
>
> The original message was received at Mon, 19 Mar 2001 15:52:14 +1100
> from root@localhost
>
> ----- The following addresses had permanent fatal errors -----
> [EMAIL PROTECTED]
>
> ----- Transcript of session follows -----
> ... while talking to smtp.idx.com.au.:
> >>> MAIL From:<[EMAIL PROTECTED]> SIZE=2358
> <<< 501 <[EMAIL PROTECTED]>... Sender domain must exist
> 501 [EMAIL PROTECTED] Data format error
>
> <<SNIP>>
>
>
> I have the feeling I should be worried, can anyone who knows more than me
> shed any light on what's happened.
>
> --
> SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> More Info: http://slug.org.au/lists/listinfo/slug
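
The indicators listed in the reply above, as a triage script to run against a read-only mount of the suspect disk from a trusted machine (an added example, not part of the original thread). The path etc/inetd.conf, the service name svc1008 and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: offline triage for the indicators named in the post.
# Run against a read-only mount of the suspect disk, from a trusted system.

triage_root() {
    root=${1%/}

    # TCP wrappers: deny list erased, allow list opened to everyone.
    if ! grep -qv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$root/etc/hosts.deny" 2>/dev/null; then
        echo "hosts.deny: missing or empty"
    fi
    if grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*0\.0\.0\.0' "$root/etc/hosts.allow" 2>/dev/null; then
        echo "hosts.allow: ALL : 0.0.0.0 present"
    fi

    # inetd listener on port 1008, given numerically or via a service name.
    # Assumption: the inetd configuration is etc/inetd.conf.
    names=$(awk '$2 == "1008/tcp" { print $1 }' "$root/etc/services" 2>/dev/null)
    for svc in 1008 $names; do
        awk -v s="$svc" '$1 == s { print "inetd.conf: listener on port 1008: " $0 }' \
            "$root/etc/inetd.conf" 2>/dev/null
    done

    # Regular files inside subdirectories of /dev (where the tools were kept).
    find "$root/dev" -mindepth 2 -type f \
        -exec echo "dev: regular file in subdirectory:" {} \; 2>/dev/null
    return 0
}

# Constructed sample tree reproducing the state described in the post.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/dev/tools"
    : > "$d/etc/hosts.deny"
    printf 'ALL : 0.0.0.0\n' > "$d/etc/hosts.allow"
    printf 'telnet 23/tcp\nsvc1008 1008/tcp\n' > "$d/etc/services"
    printf '%s\n' '#finger stream tcp nowait root /usr/sbin/tcpd in.fingerd' \
        'svc1008 stream tcp nowait root /usr/sbin/tcpd in.telnetd' > "$d/etc/inetd.conf"
    : > "$d/dev/tools/portscan"
    echo "$d"
}

sample=$(make_sample_root)
triage_root "$sample"
rm -rf "$sample"
```

An empty result only means these particular traces are absent; it does not clear the machine.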