On Tue, 2002-02-05 at 04:02, Bob Tanner wrote:
> Looks like maybe your DSL router got compromised and they set up SMTP port
> forwarding SMTP traffic?
>
> Or you got NAT running on the DSL router with port forwarding?

Yes, I was running postfix, but no more. I wasn't really using it for anything (yet) anyway. And I have disabled port forwarding for the time being -- I can afford to take my server offline for a couple of days to clean up this mess. <sigh>

According to my logs, someone started abusing the mail server on Feb 3rd. Normally, Postfix sends me a daily report of mail processed, but of course I've been so busy the last two days that I didn't bother to read the report -- if I had, I would've seen the large amounts of mail being processed and known right away that something was wrong. "Eternal vigilance is the price of freedom." Unfortunately, I got somewhat lax in the vigilance department.

Tripwire hasn't found anything unusual, so that's good I guess. It looks like it was only my mail server that was compromised. I also manually checked modification dates on ps, etc. just to make sure. I have checked the /dev directory for odd-looking items, but nothing sent up an alarm. I also rebooted, and checked /proc for anything unusual.

Is there anything else anyone might recommend to me, besides formatting and reinstalling the system (which I intend to do Real Soon Now (TM) anyway, to upgrade to RH 7.2)?

Dave
-- 
Beware the wrath of dragons, for you are crunchy, and good with ketchup.
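As an added example (not part of Dave's message or the list archive), the shell script below automates the /dev and /proc checks described above and adds an rpm verification step as a stand-in for eyeballing modification dates by hand; it assumes Linux with a procps-style ps, and the function names and the --run flag are this example's own.

```sh
#!/bin/sh
# Added example: post-incident checks mirroring the manual ones in the
# message above. Assumes Linux (/proc, procps-style ps); rpm is optional.

# /dev should contain device nodes, symlinks, fifos and directories.
# A regular file there is worth a look, since it is a classic hiding spot.
suspicious_dev_files() {
    dir="${1:-/dev}"
    find "$dir" -type f 2>/dev/null
}

# Report PIDs present in the first list but missing from the second.
# Both arguments are whitespace-separated PID lists, so the logic can be
# exercised on constructed data as well as on a live system.
hidden_pids() {
    ps_set=" $(printf '%s ' $2)"
    for pid in $1; do
        case "$ps_set" in
            *" $pid "*) ;;        # ps knows about it: fine
            *) echo "$pid" ;;     # in /proc but not shown by ps
        esac
    done
}

# Live comparison: snapshot ps first, then walk /proc with a shell glob so
# nothing extra is spawned in between. A PID that shows up only because a
# daemon forked after the snapshot disappears on a re-run; one that keeps
# appearing deserves a closer look.
check_live_system() {
    ps_pids=$(ps -e -o pid=)
    proc_pids=""
    for d in /proc/[0-9]*; do
        proc_pids="$proc_pids ${d#/proc/}"
    done
    hidden_pids "$proc_pids" "$ps_pids"
}

# On an RPM-based system (the message mentions Red Hat), rpm -Vf compares
# each file with the size, mode and checksum recorded by its package, which
# is more reliable than eyeballing mtimes that an intruder can reset.
verify_core_binaries() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 1; }
    rpm -Vf /bin/ps /bin/ls /bin/netstat /bin/login
}

if [ "${1:-}" = "--run" ]; then
    suspicious_dev_files; check_live_system; verify_core_binaries
fi
```

Run it as ./checks.sh --run on the suspect host; an empty result from the first two checks is the expected quiet case, and any rpm line beginning with "5" (checksum mismatch) or "S" (size changed) for ps or netstat is the signal worth chasing.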