Subject: Re: system possibly compromised
To: Roger Fischer <rgfisch@excite.com>
From: Dave Huang <khym@azeotrope.org>
List: netbsd-help
Date: 02/24/2004 17:17:48
On Tue, Feb 24, 2004 at 06:05:26PM -0500, Roger Fischer wrote:
> From my first email, somebody had been sending mail from my machine or with my domain name because my ISP threatened to close my account if I didn't stop it.  After poking around, that was the only thing I could find that was weird.  I've got relaying off in postfix, so I don't know if somebody compromised my machine or if the headers were forged.

Right, I saw that, but was just pointing out that while the uppercase
CRON looks unusual, it's actually expected behavior. As for spam
coming from your IP address, that's not good... was it specifically
that the spam was from your IP, or did it just have your email address
in the "From" line? The From line is trivial to forge, so spam
claiming to be "From" you means nothing. Also, do you have a static IP
address? If not, maybe someone else had your IP and was spamming
(although I'd think that your ISP would know who was using that IP
when the spam was sent).

So, what's in your crontabs? Check the files in your /var/cron/tabs
directory for anything unusual. Look at /etc/crontab too, if it
exists.
-- 
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: khym@azeotrope.org |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 28 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
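Dave's key question above is whether the spam actually passed through Roger's host or merely carried his address in the From line. The following script, added here as an example and not part of the original thread, answers that from a bounced sample by walking the Received chain; the sample message, the addresses 192.0.2.10 / 198.51.100.77 / 203.0.113.5 and the domain example.org are all constructed for the demonstration.

```python
"""Tell a relay through your host apart from a forged From line.
Added example, not from the original thread; all sample data is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From claims you@example.org, but the oldest Received
# header (the bottom one) shows the message entered the mail system from
# 198.51.100.77, which is not our IP (assumed to be 192.0.2.10).
SAMPLE_SPAM = """\
Received: from mx.isp.example (mx.isp.example [203.0.113.5])
\tby mail.recipient.example with ESMTP id abc123; Tue, 24 Feb 2004 18:00:00 -0500
Received: from dsl-77.customer.example (unknown [198.51.100.77])
\tby mx.isp.example with SMTP id def456; Tue, 24 Feb 2004 17:59:00 -0500
From: Some User <you@example.org>
To: victim@recipient.example
Subject: buy now

spam body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Bracketed IPs from each Received header, newest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        hops.append(m.group(1) if m else None)
    return hops

def origin_ip(raw):
    """The oldest hop, i.e. where the message first entered SMTP."""
    hops = received_ips(raw)
    return hops[-1] if hops else None

def classify(raw, my_ip, my_domain):
    """'relayed-through-you' if your IP appears in any Received hop,
    'forged-from' if only the From address names your domain, else 'unrelated'."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if my_ip in received_ips(raw):
        return "relayed-through-you"   # your host really handled it: investigate
    if from_domain == my_domain:
        return "forged-from"           # only the header names you; nothing to fix locally
    return "unrelated"
```

Run it against the sample the ISP forwarded, with your own static IP and domain; only a "relayed-through-you" verdict points at the machine (open relay, stolen credentials, or a cron job) rather than at header forgery.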