My FC3 machine appears to be compromised, please help

Paul Howarth paul at city-fan.org
Thu Apr 6 11:19:54 UTC 2006


Bob Brennan wrote:
> On 4/6/06, Paul Howarth <paul at city-fan.org> wrote:
>> Bob Brennan wrote:
>>> Hello,
>>>
>>> I have an FC3 machine that has been running about a dozen websites and
>>> 3 dozen mail accounts reliably for more than a year, I stopped
>>> updating about 6 months ago so the versions might be a bit stale but I
>>> would prefer to fix my immediate problem(s) rather than update and
>>> cause new ones. The software I am using that is in question, I
>>> believe, is Sendmail, Dovecot, Procmail, ClamAV, SpamAssassin, and
>>> Squirrelmail.
>>>
>>> The problem - email into my personal account "bob" @ many different
>>> domains seems to have stopped a few hours ago with the message
>>> "Technical details of permanent failure:
>>> PERM_FAILURE: SMTP Error (state 9): 550 5.7.1 <bob at domain>... Relaying
>>> denied. Proper authentication required."
>>>
>>> The log file says -
>>> Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580:
>>> ruleset=check_rcpt, arg1=bob at domain.xxx, relay=zproxy.gmail.com
>>> [64.233.162.192], reject=550 5.7.1 bob at domain.xxx... Relaying denied.
>>> Proper authentication required.
>>> Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580:
>>> from=<rbrennan96 at gmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
>>> daemon=MTA, relay=zproxy.gmail.com [64.233.162.192]
>>>
>>> And there are suspicious emails queued in Sendmail such as:
>>> Thu, 6 Apr 2006 10:17:15  "Bob Brennan" <bob at wc.funnel.revenuedirect.com.akadns.net>
>>> bob at wc.funnel.revenuedirect.com.akadns.net  1kB
>>> Deferred: Connection timed out with wc.funnel.revenuedirect.com.akadns.net.
>>>
>>> The obvious clue for me is the
>>> "wc.funnel.revenuedirect.com.akadns.net" that appears to be the
>>> culprit, but it has been too long ago that I considered myself a Linux
>>> expert to remember where to start on this type of thing. Wiping the
>>> machine and starting over is not a good option, and yes I had rsynced
>>> everything important to an FC4 machine only hours before this
>>> happened.
>>>
>>> Any clues as to where to start looking please?
>> Your sendmail configuration. It doesn't appear to recognize domain.xxx
>> as a domain it should be accepting mail for. Check
>> /etc/mail/local-host-names.
>>
>> Paul.
>>
>> --
>> fedora-list mailing list
>> fedora-list at redhat.com
>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>>
> 
> All entries in
> /etc/mail/local-host-names
> /etc/mail/virtusertable
> /etc/aliases
> are untouched and identical to the backed up files. The rejected mail
> has valid entries in all of those files.
> 
> Here's a curious clue though, I have an automated php file that sends
> an email to family members when an internal mail system has a message
> for them from another family member. The php line reads
> "$headers = 'From: "theFamily.net" <Message-System at theFamily.net>'."\r\n".
> yet the message is going out as
> "theFamily.net" <Message-System at wc.funnel.revenuedirect.com.akadns.net>
> ??
> 
> This is using php4 but somewhere Sendmail is changing the @domain in
> both the From and To fields(?). The delivery to Sendmail is through
> the php command
> mail($to, $subject, $msg, $headers);
> 
> Both problems started happening at the same time - somehow, somewhere,
> Sendmail thinks my machine domain is
> "wc.funnel.revenuedirect.com.akadns.net" it seems? I have searched
> sendmail.cf and sendmail.mc and neither contain that name or have been
> modified.

Somebody has probably changed a DNS entry for theFamily.net so that 
instead of or as well as A/MX records, there's a:

theFamily.net. CNAME wc.funnel.revenuedirect.com.akadns.net.

record. Sendmail properly rewrites addresses for @theFamily.net to 
@wc.funnel.revenuedirect.com.akadns.net during the address 
canonicalisation stage in this case.

Paul.
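To see why a single CNAME produces both symptoms in the thread (outbound From: headers rewritten, inbound RCPT rejected with "Relaying denied" even though the domain is listed in local-host-names), here is an added example that is not part of the mailing-list post. It models sendmail's canonification step with a constructed zone table and runs a small check over constructed maillog lines in the same shape as the ones quoted above. The zone data, the local-host-names set, the log lines and the 192.0.2.0/24 addresses are all made up for illustration. On the real machine the equivalent checks are `dig +short theFamily.net CNAME`, `dig +short theFamily.net MX` and `echo '/canon theFamily.net' | sendmail -bt`.

```python
"""Model sendmail's CNAME canonification and diagnose check_rcpt rejections.

Added example, not code from the thread. All data below is constructed.
"""
import re

# Constructed zone data (assumption: someone added a CNAME for the hosted
# domains pointing at the akadns.net name seen in the post).
DNS = {
    "thefamily.net.": [("CNAME", "wc.funnel.revenuedirect.com.akadns.net.")],
    "domain.xxx.":    [("CNAME", "wc.funnel.revenuedirect.com.akadns.net.")],
    "wc.funnel.revenuedirect.com.akadns.net.": [("A", "192.0.2.10")],
    "clean.example.": [("MX", "mail.clean.example."), ("A", "192.0.2.20")],
}

# Constructed stand-in for /etc/mail/local-host-names.
LOCAL_HOST_NAMES = {"thefamily.net", "domain.xxx", "clean.example"}

# Constructed maillog lines, same shape as the ones quoted in the post.
MAILLOG = """\
Apr  6 11:05:59 myserver sendmail[5580]: k36A5wFQ005580: ruleset=check_rcpt, arg1=bob@domain.xxx, relay=zproxy.gmail.com [64.233.162.192], reject=550 5.7.1 bob@domain.xxx... Relaying denied. Proper authentication required.
Apr  6 11:06:10 myserver sendmail[5591]: k36A6AFQ005591: ruleset=check_rcpt, arg1=alice@clean.example, relay=mx.example.org [192.0.2.99], reject=550 5.1.1 alice@clean.example... User unknown
"""


def canonify(domain, dns=DNS, max_hops=8):
    """Follow CNAMEs the way a resolver does. Sendmail canonifies host parts
    through the same lookup unless FEATURE(`nocanonify') is set. Loop-guarded
    so a malicious CNAME cycle cannot spin forever."""
    name = domain.lower().rstrip(".") + "."
    for _ in range(max_hops):
        targets = [t for rtype, t in dns.get(name, []) if rtype == "CNAME"]
        if not targets:
            return name.rstrip(".")
        name = targets[0].lower().rstrip(".") + "."
    raise ValueError("CNAME chain too long starting at %s" % domain)


def canonify_address(addr, dns=DNS):
    """Rewrite only the domain part, which is what happened to the PHP From: header."""
    local, _, domain = addr.rpartition("@")
    return "%s@%s" % (local, canonify(domain, dns))


def rcpt_check(addr, dns=DNS, local_names=LOCAL_HOST_NAMES):
    """check_rcpt in miniature: accept if the *canonified* domain is local,
    otherwise reject as relaying (the post's 550 5.7.1)."""
    canon = canonify_address(addr, dns)
    if canon.rpartition("@")[2] in local_names:
        return "accept", canon
    return "550 5.7.1 Relaying denied", canon


REJECT_RE = re.compile(
    r"ruleset=check_rcpt, arg1=(?P<addr>[^,\s]+).*reject=550 5\.7\.1")


def diagnose(log_text, dns=DNS, local_names=LOCAL_HOST_NAMES):
    """For every 'Relaying denied' in the log: if the recipient domain is
    listed as local but canonifies to something that is not, the cause is
    DNS, not the local-host-names file. Returns (addr, canonified, verdict)."""
    findings = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        addr = m.group("addr")
        domain = addr.rpartition("@")[2].lower()
        canon = canonify_address(addr, dns)
        if domain in local_names and canon.rpartition("@")[2] not in local_names:
            verdict = "local domain rewritten by CNAME -> check DNS for %s" % domain
        elif domain not in local_names:
            verdict = "domain not in local-host-names"
        else:
            verdict = "unexplained"
        findings.append((addr, canon, verdict))
    return findings


if __name__ == "__main__":
    print(canonify_address("Message-System@theFamily.net"))
    for finding in diagnose(MAILLOG):
        print(finding)
```

The point of `diagnose` is the triage order: a "Relaying denied" for a domain that is present in local-host-names and virtusertable is a DNS problem until proven otherwise, and the canonified name in the output is the string to look for in the zone (and in the mail queue). The loop guard in `canonify` matters because a CNAME pointing back at itself is a cheap way to stall a resolver that follows chains without a hop limit.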



