IPop3d, telnet, ftp problems [previously working fine]


Post by Alastair Taylor » Fri, 05 Jan 2001 21:22:11



Redhat 6.1 set up as mail server/ internet gateway for network of
Windoze PCs.

All has been working fine up until today.  Getting LOTS of POP3
problems.  /var/log/maillog has errors like

"ipop3d [1011]:connection timed out while reading line user=fred
host=[ip address]"

Bottom line is that no user can get the mail from their mailbox!

I also note that telnetting and ftpping into the linux box seems to be
failing a lot which indicates network problems.  BUT, I can happily use
the internet from a Windoze PC with the only route to the internet being
through the network to the linux PC and out!!

Anyone have any clues what is going wrong???

I am using imap-4.5-4

 
 
 


Post by Gene Heskett » Sat, 06 Jan 2001 11:44:58


Gene Heskett sends Greetings to Alastair Taylor;

 AT> Redhat 6.1 set up as mail server/ internet gateway for network of
 AT> Windoze PCs.

 AT> All has been working fine up until today.  Getting LOTS of POP3
 AT> problems.  /var/log/maillog has errors like

 AT> "ipop3d [1011]:connection timed out while reading line user=fred
 AT> host=[ip address]"

 AT> Bottom line is that no user can get the mail from their mailbox!

 AT> I also note that telnetting and ftpping into the linux box seems
 AT> to be failing a lot which indicates network problems.  BUT, I can
 AT> happily use the internet from a Windoze PC with the only route to
 AT> the internet being through the network to the linux PC and out!!

 AT> Anyone have any clues what is going wrong???

 AT> I am using imap-4.5-4

Your box could be rootkitted, what version of bind are you using?

Cheers, Gene
--

        email gene underscore heskett at iolinc dot net
#Amiga based X10 home automation program EZHome, see at:#
# <http://www.thirdwave.net/~jimlucia/amigahomeauto> #
ISP's please take note: My spam control policy is explicit!
#Any Class C address# involved in spamming me is added to my killfile
never to be seen again.  Message will be automatically deleted without dl.
This message's reply content, but not any previously quoted material,
is © 2000 by Gene Heskett, all rights reserved.
--

 
 
 


Post by Alastair Taylor » Sat, 06 Jan 2001 18:03:25



> Your box could be rootkitted, what version of bind are you using?

8.2.1-7
 
 
 


Post by Gene Heskett » Sat, 06 Jan 2001 23:27:07


Gene Heskett sends Greetings to Alastair Taylor;


>> Your box could be rootkitted, what version of bind are you using?

 AT> 8.2.1-7

And I'd bet you could do a 'locate ADMROCKS' and find it or one of its
rootkit siblings.  That's IF locate hasn't been hacked to hide it.

I'd take it offline immediately, back up what you need, but not the
system, format the drive and reinstall no earlier than 6.2.  Then check
the redhat site's errata for 6.2 and update your install with
*everything* in that directory on redhat.

The minimum safe version of bind is 8.2.2p7, versions earlier have
probably the most famous exploit going built right in.

You cannot trust your login, ls, ps, and other such maintenance utils
as they have probably been replaced with ones programmed to ignore the
hacker's presence.  Been there, done that, and while we did clean up the
mess, the backup, format, and re-install would have been about 3 days
quicker.

Cheers, Gene
--

        email gene underscore heskett at iolinc dot net
#Amiga based X10 home automation program EZHome, see at:#
# <http://www.thirdwave.net/~jimlucia/amigahomeauto> #
ISP's please take note: My spam control policy is explicit!
#Any Class C address# involved in spamming me is added to my killfile
never to be seen again.  Message will be automatically deleted without dl.
This message's reply content, but not any previously quoted material,
is © 2000 by Gene Heskett, all rights reserved.
--
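
Added example (not part of the thread or any poster's code): because a compromised host's own ls, ps and locate cannot be trusted, integrity checks are run from rescue media against the suspect disk mounted read-only. The function names, the manifest layout and the mount point are assumptions made for this example.

```shell
#!/bin/sh
# Added example: run from trusted rescue media, never from the suspect system.
# MANIFEST holds "<sha256>  <path relative to ROOT>" lines (sha256sum output)
# generated from known-good install media. ROOT is the suspect disk mounted
# read-only. Function names and manifest layout are assumptions.

# verify_root MANIFEST ROOT
# Prints MISSING/MODIFIED per file; returns 0 only if every entry matches.
verify_root() {
    manifest=$1
    root=$2
    status=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        got=$(sha256sum "$root/$path" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# unlisted_files MANIFEST ROOT DIR...
# Prints UNLISTED for files under the given directories that the manifest
# does not mention (a compromise may add files as well as replace them).
unlisted_files() {
    manifest=$1
    root=$2
    shift 2
    for dir in "$@"; do
        [ -d "$root/$dir" ] || continue
        ( cd "$root" && find "$dir" -type f ) | sort | while read -r f; do
            awk -v p="$f" '$2 == p { found = 1 } END { exit !found }' \
                "$manifest" || echo "UNLISTED $f"
        done
    done
}
```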

 
 
 

1. FTP works only for anonymous, yet telnet works fine for all

I've seen this problem posted several times by others, but so far no
solutions posted!!

I can log in to my (Redhat 6.1) server via telnet just fine (for any
normal user).
But when I ftp in, I can't log in as anyone other than anonymous!
From my (Windows) ftp client, after giving my password, I get:
   530 Incorrect login
At the same time, on my server's message file, I get:
   PAM_pwdb [999]: authentication failure; (uid=0)

My users are *not* listed in ftpusers (as that is a list of users who
may *not* use ftp).
Could ftp be using a different set of passwords from telnet's?

Thanks,

--John Hicks
