Just turned on extended logging in exim. Went through the log (exim_mainlog) and have thousands of these:
2007-01-08 01:44:10 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2007-01-08 01:44:12 cwd=/tmp 2 args: /usr/sbin/sendmail -ti
2007-01-08 01:44:50 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
They are going out at about 100 per min. Bandwidth use way up.
Looked in the /tmp dir and saw nothing interesting. /tmp seems secure. Looks like sendmail has been hijacked. Not sure what to look for now.
# mount
/dev/hda3 on / type ext3 (rw,usrquota)
none on /proc type proc (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
/dev/hda1 on /boot type ext3 (rw)
/dev/hdb1 on /backup type ext3 (rw,usrquota)
/usr/tmpDSK on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
/tmp on /var/tmp type none (rw,noexec,nosuid,bind)
none on /dev/shm type tmpfs (rw,noexec,nosuid)
# cat /etc/fstab |grep tmp
none /dev/shm tmpfs noexec,nosuid 0 0
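One way to triage a log like the one above, as an added example that is not part of the original post: parse the `cwd=... N args: ...` lines that Exim's `+arguments` log selector writes, count invocations per working directory per minute, and flag both bursts and callers running out of scratch directories. The sample log reuses the three lines quoted in the post and pads them with constructed lines; the threshold and the list of scratch-directory prefixes are assumptions.

```python
import re
from collections import Counter

# Exim extended logging (log_selector = +arguments) records one line per
# command-line invocation, e.g.:
#   2007-01-08 01:44:10 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}):\d{2} "
    r"cwd=(?P<cwd>\S+) (?P<argc>\d+) args: (?P<argv>.*)$"
)

# Assumed: legitimate mail-sending scripts do not run from scratch dirs.
SCRATCH_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")

def parse_line(line):
    """Return (minute, cwd, argv) for an arguments line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return f"{m['date']} {m['time']}", m["cwd"], m["argv"].split()

def invocations_per_minute(lines):
    """Count sendmail/exim invocations per (cwd, minute) bucket."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            minute, cwd, _ = parsed
            counts[(cwd, minute)] += 1
    return counts

def flag_bursts(lines, threshold=50):
    """Buckets at or above the per-minute threshold, sorted for reporting."""
    return sorted((cwd, minute, n)
                  for (cwd, minute), n in invocations_per_minute(lines).items()
                  if n >= threshold)

def scratch_dir_callers(lines):
    """Working directories under a scratch prefix that invoked the MTA."""
    cwds = {p[1] for p in map(parse_line, lines) if p is not None}
    return {c for c in cwds if c.startswith(SCRATCH_PREFIXES)}

# Constructed sample log: the three lines from the post, one benign web-app
# caller, and a padded 60-per-minute burst from /tmp.
SAMPLE_LOG = [
    "2007-01-08 01:44:10 cwd=/tmp 2 args: /usr/sbin/sendmail -bS",
    "2007-01-08 01:44:12 cwd=/tmp 2 args: /usr/sbin/sendmail -ti",
    "2007-01-08 01:44:50 cwd=/tmp 2 args: /usr/sbin/sendmail -bS",
    "2007-01-08 01:45:01 cwd=/home/web/public_html 2 args: /usr/sbin/sendmail -t",
] + [f"2007-01-08 01:45:{s:02d} cwd=/tmp 2 args: /usr/sbin/sendmail -ti"
     for s in range(60)]

if __name__ == "__main__":
    print(flag_bursts(SAMPLE_LOG), scratch_dir_callers(SAMPLE_LOG))
```

Running it against the real exim_mainlog (`flag_bursts(open("/var/log/exim_mainlog"))`) narrows the search to the minutes and working directories worth pulling process and web-server logs for.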