hpvoltage
(uses Debian)
Sent on 25/01/2008 - 17:52h
Folks,
yesterday afternoon my Debian Etch web server, kernel 2.6.18-5-686 (Apache 1.3), with sendmail installed, had a kernel panic. I suspect it was broken into, because running tail -f on /var/log/syslog returns the message:
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0KJK1Ot018605: to=postmaster, delay=5+00:15:23, xdelay=00:00:00, mailer=relay, pri=30284064, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0KJK1Ot018605: m0PJe1f3004743: return to sender: Cannot send message for 5 days
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0PJe1f3004743: to=postmaster, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=45631, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0KJK1Os018605: m0PJe1f2004743: return to sender: Cannot send message for 5 days
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0PJe1f2004743: to=www-data, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=44075, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 17:40:19 server-web sm-msp-queue[4743]: m0KJK1Ot018605: to=www-data, delay=5+00:15:23, xdelay=00:00:00, mailer=relay, pri=30284064, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 17:40:19 server-web sm-msp-queue[4743]: m0KJK1Ot018605: m0PJe1f3004743: return to sender: Cannot send message for 5 days
Jan 25 17:40:19 server-web sm-msp-queue[4743]: m0PJe1f3004743: to=www-data, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=45631, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
I find this strange, because there are countless attempts, always in the same minutes of every hour (these messages appear at 13:40, 14:40, 15:40...), within a very short window of a few seconds, usually countless attempts within 50 seconds.
I'm asking for help because I can't identify the process that is making these e-mail sending attempts and rule out the possibility of an intrusion.
Thanks in advance for your attention
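One way to triage syslog lines like the ones quoted in the post, as an added example that is not part of the original thread: parse each entry, record which process wrote it, which recipients the deferred mail is addressed to, whether the relay is the loopback address, and at what minute of the hour the attempts recur. The sample text is constructed from the post's lines plus one made-up line an hour earlier; the reading that `sm-msp-queue` is sendmail's client-side queue runner and that "Connection refused by [127.0.0.1]" means no MTA is accepting connections on the loopback port is the editor's interpretation of the log, not something the poster stated.

```python
import re
from collections import Counter

# Constructed sample: three lines copied from the post plus one made-up
# line from the previous hour, to show the same-minute-every-hour pattern.
SAMPLE_LOG = """\
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0KJK1Ot018605: to=postmaster, delay=5+00:15:23, xdelay=00:00:00, mailer=relay, pri=30284064, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0KJK1Ot018605: m0PJe1f3004743: return to sender: Cannot send message for 5 days
Jan 25 17:40:18 server-web sm-msp-queue[4743]: m0PJe1f2004743: to=www-data, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=44075, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Jan 25 16:40:12 server-web sm-msp-queue[4210]: m0KJK1Ot018605: to=postmaster, delay=4+23:15:17, xdelay=00:00:00, mailer=relay, pri=30194064, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
"""

# syslog prefix: "Mon DD HH:MM:SS host proc[pid]: queueid: rest"
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<hour>\d\d):(?P<minute>\d\d):\d\d "
    r"(?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)
# delivery-attempt fields inside the rest of the line
TO_RE = re.compile(r"to=(?P<to>[^,]+).*relay=\[(?P<relay>[^\]]+)\].*stat=(?P<stat>.*)$")


def triage(log_text):
    """Summarise sendmail queue-runner activity found in syslog text."""
    report = {
        "processes": Counter(),   # which process wrote the lines (with pid they are transient runs)
        "recipients": Counter(),  # local accounts the deferred mail is addressed to
        "minutes": set(),         # minute-of-hour of each attempt
        "loopback_refused": 0,    # deferred because nothing answered on 127.0.0.1
        "bounces": 0,             # 'return to sender' after the queue timeout expired
        "queue_ids": set(),
    }
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        report["processes"][m["proc"]] += 1
        report["minutes"].add(int(m["minute"]))
        report["queue_ids"].add(m["qid"])
        if "return to sender" in m["rest"]:
            report["bounces"] += 1
        d = TO_RE.search(m["rest"])
        if d:
            report["recipients"][d["to"]] += 1
            if d["relay"] == "127.0.0.1" and "Connection refused" in d["stat"]:
                report["loopback_refused"] += 1
    # a single minute value across hours points to a scheduled queue run, not a burst of new mail
    report["periodic"] = len(report["minutes"]) == 1
    return report
```

The `recipients` and `queue_ids` sets tell you the retried messages are old local mail (same queue IDs every hour, `delay=5+...`), which is the lead to follow before assuming new outbound traffic.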