intrusion

1. intrusion

Daniel
hpvoltage

(uses Debian)

Sent on 25/01/2008 - 17:52h

Folks,
yesterday afternoon my Debian etch web server, kernel 2.6.18-5-686 (Apache 1.3) with sendmail installed, had a kernel panic. I suspect it has been compromised, because running tail -f on /var/log/syslog returns the following messages:

Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0KJK1Ot018605: to=postmaster, delay=5+00:15:23, xdelay=00:00:00, mailer=relay, pri=30284064, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0KJK1Ot018605: m0PJe1f3004743: return to sender: Cannot send message for 5 days
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0PJe1f3004743: to=postmaster, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=45631, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0KJK1Os018605: m0PJe1f2004743: return to sender: Cannot send message for 5 days
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0PJe1f2004743: to=www-data, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=44075, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 17:40:19 server-web sm-msp-queue[4743]: m0KJK1Ot018605: to=www-data, delay=5+00:15:23, xdelay=00:00:00, mailer=relay, pri=30284064, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 17:40:19 server-web sm-msp-queue[4743]: m0KJK1Ot018605: m0PJe1f3004743: return to sender: Cannot send message for 5 days
Jan 25 17:40:19 server-web sm-msp-queue[4743]: m0PJe1f3004743: to=www-data, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=45631, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

I find this odd, because there are countless attempts, always at the same minute of every hour (these messages appear at 13:40, 14:40, 15:40...), within a very short window of a few seconds, usually many attempts within 50 seconds.

I am asking for help because I cannot identify the process making these e-mail delivery attempts, nor rule out the possibility of an intrusion.

Thanks in advance for your attention.
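A first triage step for a syslog excerpt like the one above is to parse the sm-msp-queue lines, group them by queue ID and check two things: whether every deferral is a refused connection to 127.0.0.1 (the local MTA not listening, rather than outbound traffic to an external host) and whether the attempts all fall on one minute of the hour (the signature of a queue runner started from cron). The script below is an added example, not code from the poster or from the sendmail project; the sample log is constructed from the shape of the lines quoted in the post, with one extra line an hour earlier to exercise the delay comparison.

```python
import re
from collections import defaultdict

# Constructed sample: sm-msp-queue retry lines in the same format as the post,
# plus one attempt from the previous hour to show the delay growing.
SAMPLE_LOG = """\
Jan 25 16:40:18 server-web sm-msp-queue[4101]: m0KJK1Ot018605: to=postmaster, delay=4+23:15:23, xdelay=00:00:00, mailer=relay, pri=30284064, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0KJK1Ot018605: to=postmaster, delay=5+00:15:23, xdelay=00:00:00, mailer=relay, pri=30284064, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0KJK1Ot018605: m0PJe1f3004743: return to sender: Cannot send message for 5 days
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0PJe1f3004743: to=postmaster, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=45631, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 17:40:19 server-web sm-msp-queue[4743]: m0KJK1Ot018605: to=www-data, delay=5+00:15:23, xdelay=00:00:00, mailer=relay, pri=30284064, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
"""

# "Mon DD HH:MM:SS host prog[pid]: queueid: rest"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ (?P<hh>\d\d):(?P<mm>\d\d):\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<rest>.*)$")
# A bounce line names the new queue id of the returned message.
BOUNCE_RE = re.compile(r"^(?P<newqid>\w+): return to sender: (?P<why>.*)$")


def delay_seconds(delay):
    """Convert sendmail's 'D+HH:MM:SS' or 'HH:MM:SS' delay field to seconds."""
    days, _, hms = delay.rpartition("+")
    h, m, s = (int(x) for x in hms.split(":"))
    return (int(days) if days else 0) * 86400 + h * 3600 + m * 60 + s


def parse_line(line):
    """Return a dict for one sm-msp-queue syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "minute": int(m["mm"]), "host": m["host"],
           "prog": m["prog"], "pid": int(m["pid"]), "qid": m["qid"]}
    bounce = BOUNCE_RE.match(m["rest"])
    if bounce:
        rec.update(kind="bounce", bounce_qid=bounce["newqid"], reason=bounce["why"])
        return rec
    rec["kind"] = "delivery"
    # Delivery attempts are comma-separated key=value fields (to=, delay=, stat=, ...).
    for field in m["rest"].split(", "):
        key, _, value = field.partition("=")
        if key and value:
            rec[key] = value
    return rec


def summarize(log_text):
    """Group attempts by queue id: recipients, attempt count, minutes, status, bounces."""
    queues = defaultdict(lambda: {"recipients": set(), "attempts": 0, "minutes": set(),
                                  "stats": set(), "bounced_to": set(), "max_delay": "00:00:00"})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q = queues[rec["qid"]]
        q["minutes"].add(rec["minute"])
        if rec["kind"] == "bounce":
            q["bounced_to"].add(rec["bounce_qid"])
        else:
            q["attempts"] += 1
            q["recipients"].add(rec["to"])
            q["stats"].add(rec["stat"])
            q["max_delay"] = max(q["max_delay"], rec["delay"], key=delay_seconds)
    return dict(queues)


def assess(queues):
    """Two triage signals: a single cron-like minute, and deferrals only against 127.0.0.1."""
    minutes = set().union(*(q["minutes"] for q in queues.values())) if queues else set()
    stats = set().union(*(q["stats"] for q in queues.values())) if queues else set()
    recipients = set().union(*(q["recipients"] for q in queues.values())) if queues else set()
    return {
        "cron_like_minute": next(iter(minutes)) if len(minutes) == 1 else None,
        "all_refused_on_localhost": bool(stats)
            and all("Connection refused by [127.0.0.1]" in s for s in stats),
        "recipients": recipients,
    }


if __name__ == "__main__":
    for qid, q in summarize(SAMPLE_LOG).items():
        print(qid, q["attempts"], "attempts to", sorted(q["recipients"]), "oldest", q["max_delay"])
    print(assess(summarize(SAMPLE_LOG)))
```

Run against the real syslog (`summarize(open("/var/log/syslog").read())`), a result of `cron_like_minute == 40` and `all_refused_on_localhost == True` says the messages are local mail to postmaster and www-data that a scheduled queue runner keeps retrying because nothing accepts connections on 127.0.0.1:25. That points first at the local MTA and the job that starts sm-msp-queue, and it is worth resolving before spending effort on an intrusion hypothesis; it does not by itself prove or exclude one, so the kernel panic still deserves its own look.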
