Debian Hack Warning

Probably not only I was hacked. Those who administer Debian-like systems, pay attention.

It all started with e-mails saying that my server had run out of space. All 1.5 TB. While I was trying to understand what had happened to me and what exactly had filled my mail.log and other files with so many entries, messages from my MTA began arriving on my phone, which made it impossible to receive incoming mail. Then a letter came saying that my server was involved in a spam mailing. Since I was in a shop at the time and had only a phone in my hands, all I managed to do was:

Install good old John:

    aptitude install john

Set it to simple password guessing:

    john /etc/shadow

Oh, horror! It reported that I have a user spam with the password sp4m.

Naturally, I then did:

    passwd -l spam
    grep SASL /var/log/mail.log
    Jun 12 16:26:15 gw postfix/smtpd[26608]: warning: unknown[41.138.185.5]: SASL LOGIN authentication failed: authentication failure

I pulled out the address 41.138.185.5 and blocked it with iptables.

Then I upgraded to squeeze: aptitude update; aptitude full-upgrade.
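As an added example (not from the original post), here is the triage the author did by hand, expressed as a small script: it counts postfix SASL authentication failures per client IP from mail.log lines in the format quoted above, lists the addresses that exceed a threshold together with the iptables rule that would drop them, and scans /etc/passwd for accounts that should not be there (a UID 0 account that is not root, or a login-capable account nobody expects). The log lines and passwd entries are constructed sample data: 41.138.185.5 is the address from the post; 192.0.2.10, the toor entry and the admin user are made up, and the failure threshold and the expected-user list are assumptions.

```python
"""Triage helpers for a postfix SASL brute-force / rogue-account incident.

Added example; all sample data below is constructed, not from the real server.
"""
import re
from collections import Counter
from typing import Iterable, List, Set, Tuple

# Matches postfix smtpd SASL failure lines in the format quoted in the post.
# The optional whitespace before '[' tolerates copy/paste-mangled lines.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+?\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL (?P<mech>\w+) authentication failed"
)

# Constructed sample of /var/log/mail.log (41.138.185.5 is the IP from the post,
# 192.0.2.10 is a documentation-range address used as a second, low-volume client).
SAMPLE_MAIL_LOG = """\
Jun 12 16:26:15 gw postfix/smtpd[26608]: warning: unknown[41.138.185.5]: SASL LOGIN authentication failed: authentication failure
Jun 12 16:26:17 gw postfix/smtpd[26608]: warning: unknown[41.138.185.5]: SASL LOGIN authentication failed: authentication failure
Jun 12 16:26:19 gw postfix/smtpd[26608]: warning: unknown[41.138.185.5]: SASL LOGIN authentication failed: authentication failure
Jun 12 16:26:30 gw postfix/smtpd[26611]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Jun 12 16:27:01 gw postfix/smtpd[26611]: connect from unknown[41.138.185.5]
Jun 12 16:27:05 gw postfix/smtpd[26612]: warning: unknown[41.138.185.5]: SASL LOGIN authentication failed: authentication failure
"""

# Constructed sample of /etc/passwd: 'spam' mirrors the rogue user from the post,
# 'toor' is a made-up UID 0 entry to exercise the second check.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
postfix:x:103:106::/var/spool/postfix:/bin/false
admin:x:1000:1000:Admin:/home/admin:/bin/bash
spam:x:1001:1001::/home/spam:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}


def count_sasl_failures(lines: Iterable[str]) -> Counter:
    """Count SASL authentication failures per client IP."""
    counts: Counter = Counter()
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(lines: Iterable[str], threshold: int = 5) -> List[str]:
    """IPs with at least `threshold` failures, most active first (threshold is an assumption)."""
    counts = count_sasl_failures(lines)
    hits = [ip for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda ip: (-counts[ip], ip))


def iptables_rules(ips: Iterable[str]) -> List[str]:
    """Render the drop rule for each offending address (prints it; does not apply it)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def suspicious_passwd_entries(passwd_text: str, expected_users: Set[str]) -> List[Tuple[str, int, str]]:
    """Flag UID 0 accounts other than root and unexpected login-capable human accounts."""
    flagged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit would report it too
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid == 0 and name != "root":
            flagged.append((name, uid, "uid 0 account that is not root"))
        elif 1000 <= uid < 65534 and shell not in NOLOGIN_SHELLS and name not in expected_users:
            flagged.append((name, uid, "login-capable account not in the expected user list"))
    return flagged


if __name__ == "__main__":
    log_lines = SAMPLE_MAIL_LOG.splitlines()
    for ip, n in count_sasl_failures(log_lines).most_common():
        print(f"{ip}: {n} SASL failures")
    for rule in iptables_rules(offenders(log_lines, threshold=3)):
        print("suggested:", rule)
    for name, uid, reason in suspicious_passwd_entries(SAMPLE_PASSWD, {"admin"}):
        print(f"passwd: {name} (uid {uid}): {reason}")
```

Run against the real files with `grep SASL /var/log/mail.log` piped in and `/etc/passwd` read from disk; the script only prints the rules, so the operator still decides what to block. The passwd check is what would have caught the added spam account on June 8, a week before the spam run started.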

And now I'm sitting and wondering: who infected me with this? Adding the user required full root access. Moreover, judging by the date on the /etc/passwd file, it happened on June 8, 2010, that is, almost a week before the spamming. I received no notifications about any remote root vulnerability. A riddle, and that's all.
