My FC3 machine appears to be compromised, please help

Paul Howarth paul at city-fan.org
Thu Apr 6 10:43:40 UTC 2006


Bob Brennan wrote:
> Hello,
> 
> I have an FC3 machine that has been running about a dozen websites and
> 3 dozen mail accounts reliably for more than a year, I stopped
> updating about 6 months ago so the versions might be a bit stale but I
> would prefer to fix my immediate problem(s) rather than update and
> cause new ones. The software I am using that is in question, I
> believe, is Sendmail, Dovecot, Procmail, ClamAV, SpamAssassin, and
> SquirrelMail.
> 
> The problem - email into my personal account "bob" @ many different
> domains seems to have stopped a few hours ago with the message
> "Technical details of permanent failure:
> PERM_FAILURE: SMTP Error (state 9): 550 5.7.1 <bob at domain>... Relaying
> denied. Proper authentication required."
> 
> The log file says -
> Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580:
> ruleset=check_rcpt, arg1=bob at domain.xxx, relay=zproxy.gmail.com
> [64.233.162.192], reject=550 5.7.1 bob at domain.xxx... Relaying denied.
> Proper authentication required.
> Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580:
> from=<rbrennan96 at gmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
> daemon=MTA, relay=zproxy.gmail.com [64.233.162.192]
> 
> And there are suspicious emails queued in Sendmail such as:
> Thu, 6 Apr 2006 10:17:15 "Bob Brennan"
> <bob at wc.funnel.revenuedirect.com.akadns.net>bob at wc.funnel.revenuedirect.com.akadns.net1
> kBDeferred: Connection timed out with
> wc.funnel.revenuedirect.com.akadns.net.
> 
> The obvious clue for me is the
> "wc.funnel.revenuedirect.com.akadns.net" that appears to be the
> culprit, but it has been too long since I considered myself a Linux
> expert to remember where to start on this type of thing. Wiping the
> machine and starting over is not a good option, and yes I had rsynced
> everything important to an FC4 machine only hours before this
> happened.
> 
> Any clues as to where to start looking please?

Your sendmail configuration. It doesn't appear to recognize domain.xxx 
as a domain it should be accepting mail for. Check 
/etc/mail/local-host-names.

Paul.
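As an added illustration of the check Paul suggests (this is example code, not something from the thread), the script below reads a local-host-names style file the way sendmail does, ignoring comments and blank lines and matching case-insensitively, and reports which recipient domains are missing. /etc/mail/local-host-names is the real default path on Fedora; the file contents here are constructed for the example, and `is_local_domain` and `audit_domains` are names invented for it.

```shell
#!/bin/sh
# Added example: is a recipient domain listed in sendmail's
# /etc/mail/local-host-names (class w)? If not, sendmail treats mail for
# it as relaying and rejects with "550 5.7.1 ... Relaying denied".

# is_local_domain FILE ADDRESS_OR_DOMAIN
# Exit 0 if the domain part is listed in FILE, 1 otherwise.
# Comments (#...), surrounding whitespace and blank lines are ignored,
# and the comparison is case-insensitive, as DNS names are.
is_local_domain() {
    file="$1"
    domain=$(printf '%s' "${2##*@}" | tr 'A-Z' 'a-z')
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$file" \
        | tr 'A-Z' 'a-z' | grep -qxF "$domain"
}

# audit_domains FILE DOMAIN...
# Prints a verdict per domain; exit status is the number of domains
# that are NOT listed (0 means every domain would be accepted).
audit_domains() {
    file="$1"; shift
    missing=0
    for d in "$@"; do
        if is_local_domain "$file" "$d"; then
            echo "accepting mail for: $d"
        else
            echo "NOT in $file: $d  (sendmail would answer 550 5.7.1 Relaying denied)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample standing in for /etc/mail/local-host-names.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# local-host-names - include all aliases for your machine here.
myserver.example
Example.org   # mixed case on purpose
EOF

# domain.xxx is deliberately absent, mirroring the rejected recipient.
if audit_domains "$SAMPLE" myserver.example bob@example.org domain.xxx; then
    echo "all domains accepted"
else
    echo "domains missing from $SAMPLE: $?"
fi
```

Run it against the real file with `audit_domains /etc/mail/local-host-names domain.xxx`. Sendmail reads local-host-names only at startup, so after adding a domain restart it (`service sendmail restart` on FC3) and confirm the fix with `sendmail -bv bob@domain.xxx`, which reports whether the address is deliverable locally.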
