[SlugBug] Spamming program?

Chris J cej at nightwolf.org.uk
Sat Sep 6 01:15:30 BST 2003


And Lo! The Great Prophet Neil McGovern uttered these words of wisdom:
>
> I just checked my mailq and found this:
> 

...[SNIP]...

> -- 11 Kbytes in 2 Requests.
> 
> Now, I know I didn't send these messages, so could it be some shitty
> program on my comp. doing it?


If you didn't send them then there are a few possibilities:

1. Check all the crontabs on the system. cd /var/spool/cron/crontabs (at
	least that's the location on my system) to see all the crontabs on
	your system, and look for anything suspicious.

2. ps ax and check your process list for unusual daemons.

3. Is your firewall and MTA configured correctly? You aren't an open relay
	are you, and someone's found your machine? If you have access to a
	machine outside your network, then test it to be sure.

4. Hacked? There could be a library compromised on your machine, dodgy 
	entries in inetd.conf (or xinetd.conf, or whatever inet derivative
	you have installed), login...

Things to do:

cd to the queue directory for your MTA and find the messages; you should 
be able to cat them, so you can see what's in them, which may give you some
possible clues.

Have you checked syslog? What's your MTA sent to the mail log? Any pointers
in there? Do you use a mail client that can understand HTML, and thus dodgy
email could have triggered Javascript/Java (probably unlikely but if you're
paranoid enough it's summat to worry about :) )

I think that's about all you can do for preliminary checks. Whatever you
find from there should give you an idea for further checking. 

Cheers,

Chris...

-- 
\ Chris Johnson           \ NP: Classic Experience - 04. Mozart - Horn Conce
 \ cej at nightwolf.org.uk    ~-----,  rto No. 4 in E Flat 
  \ http://cej.nightwolf.org.uk/  ~-----------------------------------, 
   \ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____

------- End of Forwarded Message
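The preliminary checks above (crontabs, the mail log, the relay test) as a small set of POSIX sh helpers. This is an added example, not code from Chris's post or anything shipped with a particular MTA. It assumes a sendmail-style syslog "from=... relay=..." line format and a vixie-cron crontab layout; the SAMPLE_* strings are constructed test data, not real logs from the thread. Every function reads stdin, so the same functions can be pointed at the real files on the box.

```shell
#!/bin/sh
# Preliminary triage for a box that is queueing mail its owner did not send.
# Added example, not code from the original post. Functions read stdin; the
# SAMPLE_* strings are constructed test data in sendmail/vixie-cron style.

# Constructed mail log: one normal local submission, three copies of the same
# bulk message arriving over the network from one outside address, and one
# local message from root.
SAMPLE_MAILLOG='Sep  6 00:51:02 box sendmail[1201]: h85Np2ab001201: from=<neil@example.org>, size=812, class=0, nrcpts=1, relay=localhost [127.0.0.1]
Sep  6 00:58:40 box sendmail[1290]: h85Nwe4f001290: from=<offer@bulk.invalid>, size=5512, class=0, nrcpts=40, relay=[203.0.113.7]
Sep  6 00:58:41 box sendmail[1291]: h85Nwf5g001291: from=<offer@bulk.invalid>, size=5512, class=0, nrcpts=40, relay=[203.0.113.7]
Sep  6 00:58:42 box sendmail[1292]: h85Nwg6h001292: from=<offer@bulk.invalid>, size=5512, class=0, nrcpts=40, relay=[203.0.113.7]
Sep  6 01:02:15 box sendmail[1340]: h85O2Fij001340: from=<root@box>, size=301, class=0, nrcpts=1, relay=root@localhost'

# Constructed crontab: two legitimate jobs and two that deserve a closer look.
SAMPLE_CRONTAB='# m h dom mon dow command
0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/run.sh >/dev/null 2>&1
30 2 * * * /usr/bin/find /var/tmp -atime +7 -delete
* * * * * /usr/sbin/sendmail -t < /var/tmp/.msg'

# Constructed server replies from a manual relay probe typed from an OUTSIDE
# host: greeting, then the answers to HELO, MAIL FROM and RCPT TO, in that
# order, with RCPT TO naming a third-party domain.
SAMPLE_SMTP='220 box.example.org ESMTP Sendmail ready
250 box.example.org Hello probe.example.net, pleased to meet you
250 2.1.0 <probe@example.net>... Sender ok
550 5.7.1 <someone@example.com>... Relaying denied'

# Print "count relay sender" for every from= line, busiest first. Anything
# not relayed from localhost came in over SMTP from the network; on a box that
# should only send its owner's mail that is either an open relay or someone
# submitting with a stolen account.
summarize_senders() {
    awk '/from=</ {
            from = ""; relay = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^from=/)  { from = $i;  sub(/^from=</, "", from);  sub(/>,?$/, "", from) }
                if ($i ~ /^relay=/) { relay = $i; sub(/^relay=/, "", relay); sub(/,$/, "", relay) }
            }
            n[relay " " from]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Number of messages accepted from somewhere other than the local host.
external_submissions() {
    awk '/from=</ && !/relay=.*(localhost|127\.0\.0\.1)/ { c++ } END { print c + 0 }'
}

# Crontab lines that run something out of /tmp, /var/tmp or /dev/shm, out of a
# dot-file or dot-directory, or that drive the MTA (or nc/perl -e) directly.
# A heuristic to shortlist entries for a human, not proof of compromise.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' |
    grep -E '/(tmp|var/tmp|dev/shm)/|(^|[[:space:]/])\.[A-Za-z0-9]|sendmail|[[:space:]]mail[[:space:]]|[[:space:]]nc[[:space:]]|perl[[:space:]]+-e' || :
}

# Verdict from a relay probe transcript: the fourth reply answers RCPT TO.
# A 2xx there means the MTA will relay for anyone; 550/554 means it refused.
relay_verdict() {
    awk 'NR == 4 { v = ($1 ~ /^2/) ? "OPEN RELAY" : "relaying refused"; print v; exit }'
}

# Run against the constructed samples. On a real box:
#   summarize_senders   < /var/log/mail.log
#   suspicious_cron_lines < /var/spool/cron/crontabs/root   (and the others)
printf '%s\n' "$SAMPLE_MAILLOG" | summarize_senders
printf '%s\n' "$SAMPLE_MAILLOG" | external_submissions
printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines
printf '%s\n' "$SAMPLE_SMTP"    | relay_verdict
```

Two practical notes. Per-user crontabs live under /var/spool/cron/crontabs on Debian-derived systems and /var/spool/cron on Red Hat-derived ones, and /etc/crontab plus /etc/cron.d/* also need checking, so feed each of those to suspicious_cron_lines rather than stopping at the first directory. And if the box really has been rooted, ps, ls, netstat and even grep may already be replaced, so a clean verdict from these helpers means little until they have been run from known-good binaries (a rescue CD or a statically linked toolkit on read-only media).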
