Debian Hack Warning
It all started with letters saying that my server ran out of space. All 1.5Tb. While I was trying to understand what happened to me and what exactly filled my mail.log & etc files with so many phone records, messages from my MTA began to come to my phone, which made it impossible to receive incoming mail. Then a letter came that my server was involved in spam mailing. Since I was generally in the store, and I only had a phone in my hands, all I managed to do was:
Install old John:
aptitude install john
Set simple password guessing:
john / etc / shadow
Oh terrible! He gave out that I have a spam user with a passwordsp4m
it is clear that then I did
passwd -l spam
grep SASL /var/log/mail.log
Jun 12 16:26:15 gw postfix / smtpd [26608]: warning: unknown [41.138.185.5]: SASL LOGIN authentication failed: authentication failure I
pulled out the address: 41.138.185.5 and blocked it with iptables.
Then I updated the aptitude update; aptitude full-upgrade to squeeze.
And now I'm sitting and thinking, who got me infected with this infection? It was full root access to add the user. Moreover, judging by the date of the / etc / passwd file, it was June 8, 2010, that is, almost a week before spamming. I did not receive any notifications about remote-root-vulnerablilty, a riddle, and that's all.