> Setup consists of firestarter firewall running IPTABLES, Webmin (latest
> release 0.990 and running HTTPS) RH 7.2 with 22.214.171.124 kernel, and a
> NAT'd mailserver running sendmail 8.12. The only ports open on the
> firewall are SSH and a redirect to 25 for sendmail. All ICMP packets are
> dumped, and SSH, webmin and sendmail can only be accessed from either
> 1 fixed external IP address or something in the range 192.168.0.x.
> Anti-relaying is turned on in sendmail. SSH is version 2.9P2 and I
> only allow V2 access. Even the greeting msg in sendmail is changed.
Are you running sendmail in a chroot() jail?
...and is there free space on both your /var and /tmp partitions?
OpenSSH / OpenSSL should be upgraded to 3.4p1 / 0.9.6d or better if you
want to maintain actual SSH security, there are now a number of scripts
out there that use the published vulnerability details from the OpenBSD
advisory to exploit privilege separation - as well as the round-robin
attacks that could be performed without logging up until 3.1p1.
You might also want to try an updated kernel, 2.4.7-10 (well, anything
up to 2.4.19pre10 really) is known to have a broken shm implementation
that does funky things wrt sendmail, AutoFS was also majorly worked
over in 2.4.13 or so, so you could be hitting a bug there.
( note: there was also a thread on linux-kernel about one of the -rc
candidates breaking compatibility with flock() - so you might want to
hunt around the google groups archives before doing anything drastic. )
> Absolutely nothing out of the ordinary in the firewall, access,
> security logs etc on either machine. Portsentry seems happy with no
> strange entries. No additional user accounts, no extra home
> directories, no ". ." directories or anything like that. Before I
> jump off the deep end and assume I have been hacked from the outside,
> is the above likely?
If you run Portsentry with any of the stealth mode options turned on,
you *will* trigger false negatives in Portsentry's logfiles.
I'd also run a copy of chkrootkit (http://www.chkrootkit.org) on:
* a bog standard RedHat 7.2 installation (to get a fair base of what
your executables look like)
* on your mail server
and pick off the differences case-by-case - if glibc, sendmail or bash
has been tampered with, I'd start whatever damage control methods you
have in place (i.e. fix the server - change all the passwords, etc).
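The "compare a clean baseline against the mail server and pick off the differences" step above, and the /var and /tmp free-space question, as an added example that is not part of the original thread and not chkrootkit's own code. It assumes you have taken a `sha256sum` (or `md5sum`) manifest of the binaries you care about on a clean RedHat 7.2 install and on the suspect host, ideally from a trusted boot medium, since a tampered glibc or hashing tool on the suspect box would lie about itself. The manifests and the `df` output below are constructed sample data, not real output from the poster's machines.

```sh
#!/bin/sh
# Added example: diff a baseline hash manifest against a suspect host's
# manifest, and flag nearly-full filesystems from `df -P` output.
# Not from the original thread; file paths and hashes below are made up.

# compare_manifests BASELINE SUSPECT
# Each manifest line is "<hash>  <path>" as written by sha256sum/md5sum.
# Prints one line per path that is modified, missing, or only on the suspect.
compare_manifests() {
    awk '
        NR == FNR { base[$2] = $1; next }           # first file: baseline
        {
            seen[$2] = 1
            if (!($2 in base))        print "ONLY_ON_SUSPECT " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
        }
        END {
            for (p in base) if (!(p in seen)) print "MISSING_ON_SUSPECT " p
        }' "$1" "$2" | LC_ALL=C sort
}

# full_filesystems THRESHOLD_PERCENT
# Reads `df -P` style output on stdin and prints "<mountpoint> <use%>" for
# every filesystem at or above the threshold (so it can be run on captured
# output as well as live: `df -P /var /tmp | full_filesystems 90`).
full_filesystems() {
    awk -v t="$1" '
        NR > 1 {
            pct = $5; sub(/%/, "", pct)
            if (pct + 0 >= t) print $6 " " pct "%"
        }'
}

# --- stand-alone demo on constructed data -----------------------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/baseline.txt" <<'EOF'
1111111111111111111111111111111111111111111111111111111111111111  /bin/bash
2222222222222222222222222222222222222222222222222222222222222222  /lib/libc.so.6
3333333333333333333333333333333333333333333333333333333333333333  /usr/sbin/sendmail
EOF
cat > "$demo_dir/suspect.txt" <<'EOF'
1111111111111111111111111111111111111111111111111111111111111111  /bin/bash
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff  /lib/libc.so.6
4444444444444444444444444444444444444444444444444444444444444444  /usr/bin/lsof
EOF

echo "== manifest differences (constructed sample) =="
compare_manifests "$demo_dir/baseline.txt" "$demo_dir/suspect.txt"

echo "== filesystems at or above 90% (constructed df -P sample) =="
printf '%s\n' \
    'Filesystem     1024-blocks    Used Available Capacity Mounted on' \
    '/dev/sda2          1000000  950000     50000      95% /var' \
    '/dev/sda3           500000   10000    490000       2% /tmp' \
    | full_filesystems 90

rm -rf "$demo_dir"
```

On real hosts, generate each manifest with something like `sha256sum /bin/bash /bin/ls /bin/ps /bin/netstat /lib/libc.so.6 /usr/sbin/sendmail /usr/bin/ssh /usr/sbin/sshd > manifest.txt`, copy the suspect's manifest off the box, and run the comparison on the clean machine; a MODIFIED line for libc, bash or sendmail is exactly the case the reply says should trigger your damage-control procedure, while ONLY_ON_SUSPECT entries are simply a list to review, not proof of anything by themselves.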