Subject: Re: system possibly compromised
To: None <rkr@olib.org>
From: Roger Fischer <rgfisch@excite.com>
List: netbsd-help
Date: 02/25/2004 02:40:14
Thanks everybody for all the help.  REALLY!

I'm beginning to think that my system has not been compromised,
but I was very concerned for a while.  I think the reason
/USR/BIN/CRON was sticking around for so long is because a
script called by cron was doing its thing, then not ending cleanly. (I'll know tomorrow morning.)

Richard, your scenario below sounds very likely.
I'll have to dig into the postfix docs tomorrow to check and
make sure it's checking for a valid account before accepting
mail.

Thanks again,
   - Rog


--- On Tue 02/24, Richard Rauch <rkr@olib.org> wrote:
From: Richard Rauch [mailto: rkr@olib.org]
To: rgfisch@excite.com, netbsd-help@netbsd.org
Date: Tue, 24 Feb 2004 19:46:32 -0600
Subject: Re: system possibly compromised

 * The MyDoom virus, as I recall, was doing something that spammers could do to "bankshot" spam off of your box: It sent mail to a non-existent address at your machine, and lied about the origin of the email. By default, Postfix does not check your /etc/passwd (or any other) database before accepting the message. After it has accepted it and closed the SMTP connection, it finds that the address doesn't exist after all, and tries to bounce the message. That's where it goes out to whomever the sender chose.
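The accept-then-bounce behaviour described in the quoted message is what the Postfix documentation calls backscatter: the bounce is generated after the SMTP session has closed, so it can only go to the (forged) envelope sender. The fix is to make the recipient check happen while the sending client is still connected, at the RCPT TO stage, so an unknown recipient is refused and nothing is ever queued or bounced. The main.cf fragment below is an added example, not a configuration from the thread or from the Postfix project; the parameter names are real Postfix settings (`local_recipient_maps`, `unknown_local_recipient_reject_code`, `smtpd_reject_unlisted_recipient`), but the two blocks are alternatives shown side by side for contrast, and which of them matches a given installation's defaults depends on the Postfix version in use.

```conf
# --- Weak setting (illustrates the behaviour described above) ---
# An empty local_recipient_maps disables recipient validation for local
# domains. Postfix then accepts mail for any user at this host, discovers
# later that the mailbox does not exist, and bounces to the envelope sender,
# which a worm or spammer can forge at will.
local_recipient_maps =

# --- Corrected setting ---
# Validate local recipients against the system password database and the
# alias maps during the SMTP dialogue. Unknown recipients are rejected with a
# permanent 5xx code before the message is accepted, so no bounce is created.
local_recipient_maps = proc:unix:passwd.byname $alias_maps
unknown_local_recipient_reject_code = 550

# Reject recipients that are unknown in any domain Postfix is responsible for
# (local, virtual alias, virtual mailbox, relay). Available in Postfix 2.1 and
# later; on an older release this line should be omitted.
smtpd_reject_unlisted_recipient = yes
```

Only one of the two `local_recipient_maps` lines belongs in a real main.cf; the weak block is there to show what is being replaced. After editing, `postfix reload` applies the change, and `postconf local_recipient_maps` prints the value actually in effect, which is the quickest way to confirm the check is enabled. Domains hosted through `virtual_mailbox_domains` need their recipients listed in `virtual_mailbox_maps` for the same reason, otherwise mail for unknown virtual users is still accepted and bounced.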
