Mailing List Archive

Strange occurrence of sendmail and disk I/O in background....
Can anyone tell me what service/application would start sendmail?

I discovered my Gentoo computer recently very active with I/O on the
hard drive and receive/transmit activity on an invocation of gkrellm. In
researching the activity, I found that I had an SMTP connection to a
computer in Toronto, Canada. The connection was on port 43121 and looked
like so:

bash$ netstat -t -u
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 1 [myIP]:43121 [theirIP]:smtp ESTABLISHED
... Other usual stuff ....

Running a check to see what may be running in the process tables:

bash$ ps -efl

showed this process here:
/usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t

I could not find the cause for this application invocation. Nothing
in the rc-update, crontab, nor services suggests that sendmail ought to
be running.

When I killed the PID for this sendmail process, all disk I/O
immediately stopped. The site for the IP address which had a connection
to my computer was never one I had ever visited. I know of no
reason I would ever go to it.

I found vulnerabilities associated with a lower version of sendmail
but none with the version I've installed right now.

Any suggestions, ideas, or explanations are welcomed.

Thanks in advance,


Kern.
Re: Strange occurrence of sendmail and disk I/O in background.... [ In reply to ]
> I found vulnerabilities associated with a lower version of
> sendmail but none with the version I've installed right now.
>
> Any suggestions, ideas, or explanations are welcomed.

It seems you could be owned by someone, maybe due to a combination of a
web-app vulnerability which led to an apache shell which led to a
kernel exploit execution, which led to root, which led to executing
whatever, in that case, making your machine to be a spammer zombie or
so. You know, the usual shit nowadays.

Run the usual tools, chkrootkit, rkhunter, etc.

Good luck.
--
echo "dpefsAgmv{p/psh" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
GnuPG key ID 0x6D2FF8B5 @ pgp.rediris.es
http://www.fluzo.org/
<º ))))><
Re: Strange occurrence of sendmail and disk I/O in background.... [ In reply to ]
On Feb 19, 2008 6:14 AM, Javier Barrio <coder@fluzo.org> wrote:
>
> > I found vulnerabilities associated with a lower version of
> > sendmail but none with the version I've installed right now.
> >
> > Any suggestions, ideas, or explanations are welcomed.
>
> It seems you could be owned by someone,

I'd agree. But, the only way to be sure you're no longer compromised
is to re-load the machine from scratch. Running chkrootkit and all of
those tools might find something, but you can't be sure you've found
everything that's been changed.

Mike
--
gentoo-security@lists.gentoo.org mailing list
Re: Strange occurrence of sendmail and disk I/O in background.... [ In reply to ]
Christopher P. Kern wrote:
> Can anyone tell me what service/application would start sendmail?

Cron would. And your message makes it sound like
cron/vixie-cron/anacron/etc may have been involved.

If you have a crontab entry that doesn't control output (stderr and
stdout), you could have a large file of output that's been queued by cron.
That could explain the disk activity and an outbound SMTP connection.

Why it's sending mail to that specific address is another story. It sounds
like you're using sendmail, but /usr/sbin/sendmail could be any of several
mailer packages. You need to look at how the mail program is configured.

While it's possible that someone else now owns your box (and you should be
prepared to deal with that), it's also possible--based solely on what I've
read in your message--that this is a simple misconfiguration. Before you
go re-imaging the system, you probably want to analyze what's going on
fully... rebuilding, in my experience, isn't a great strategy for fixing
configuration problems.

-Bill
--
William Yang
wyang@gcfn.net
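One way to check Bill's hypothesis before rebuilding: cron mails whatever a job writes to stdout or stderr, invoking sendmail with exactly the `-FCronDaemon -odi -oem -oi -t` argv the original poster saw, so any crontab entry that does not redirect both streams is a candidate. The script below is an added example, not code from the thread; it runs over a constructed sample crontab embedded in the script and lists the entries whose output would be mailed.

```shell
#!/bin/sh
# Constructed sample crontab (not from the original thread): a mix of entries
# that silence their output and entries that let cron mail it.
SAMPLE_CRONTAB='# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
*/5 * * * * /usr/local/bin/check_disk.sh
30 2 * * 0 /usr/local/bin/rotate.sh > /var/log/rotate.log 2>&1
15 4 * * * /usr/local/bin/index.sh 2>/dev/null
@daily /usr/local/bin/cleanup.sh &>/dev/null'

# Print the command of every crontab entry whose stdout or stderr is left
# unredirected; that output is what cron hands to /usr/sbin/sendmail -t.
# Takes the crontab text as its single argument.
mailing_cron_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                        # comment line
        /^[[:space:]]*$/ { next }                        # blank line
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }  # MAILTO=, PATH=, ...
        {
            # @reboot/@daily entries have one schedule field, others have five
            cmd_start = ($1 ~ /^@/) ? 2 : 6
            cmd = ""
            for (i = cmd_start; i <= NF; i++)
                cmd = cmd (i > cmd_start ? " " : "") $i
            # stderr is handled by 2>..., 2>&1, &>file or >&file
            stderr_ok = (cmd ~ /2>/ || cmd ~ /&>/ || cmd ~ />&/)
            # stdout is handled by any remaining ">" once the stderr-only
            # redirections are stripped (heuristic; does not parse quoting)
            tmp = cmd
            gsub(/2>&1/, "", tmp)
            gsub(/2>[^ \t]*/, "", tmp)
            stdout_ok = (tmp ~ />/)
            if (!stdout_ok || !stderr_ok) print cmd
        }'
}

mailing_cron_entries "$SAMPLE_CRONTAB"
```

On a real host, feed it the output of `crontab -l` for each user plus the contents of `/etc/crontab` and `/etc/cron.d/*`, and compare against `mailq` to see whether the queued messages are indeed cron output.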