At our company, we have hundreds of employees that access this server for reporting purposes.
However, someone was familiar enough with sendmail and used it to send an email that was crafted to look like it came from a specific person and was sent to the entire company with private information. Huge security concern.
I have been tasked with helping figure out this spoof. Here is what I need to figure out.
The mail was sent at 11:12PM on May 17th.
I need to find the IP address of the system that made a shell/terminal connection to the server around this time and used the sendmail command to send an email to a specific mailing list.
Any ideas? I'm not entirely familiar with logging yet. The mail log file doesn't seem to provide much useful information.
Last edited by Yogesh Sawant; 05-24-2010 at 03:20 AM..
Reason: added code tags
Perfect thanks! I was able to last -f that file and get what I was looking for. Now I have run into another road block with SunOS 5.8.
The wtmp file on the Linux server showed that a connection was made from another server at the time/date I was interested in.
So now I am tasked with figuring out the same thing on a SunOS box as I trace backwards in this mess.
The SunOS box doesn't have any wtmp files in /var/log, but it does have some large wtmpx and utmpx files in /var/adm.
I cannot figure out how to view these files properly. There is no 'last' command on SunOS 5.8 (at least not this installation anyways). who -a doesn't give me any useful information.
I copied the wtmpx and utmpx files to a linux box and tried running 'last -f' on them, but the formatting is all screwed up. So I tried other tools like 'rawtmp' and 'dump-utmp' but they still do not look correct.
Is there any way I can dump or view wtmpx & utmpx on the SunOS box properly so that I can see who logged on and when?
There is a dumpadm tool, but I have no idea how to get it to work.
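An added example for the two questions above (finding who was connected from which host at the time the mail went out, first in the Linux wtmp and then in the Solaris wtmpx). This is not code from the thread. The reason `last -f` on a Linux box mangles a copied Solaris file is that Linux `last` reads glibc's own 384-byte `struct utmp`, while Solaris writes a 372-byte `struct futmpx` with a different field order (and big-endian on SPARC). The parser below decodes both layouts directly, so the file can be read on any machine that has Python. Assumptions: the Solaris host is SPARC (pass `endian="<"` for Solaris x86), the field layouts are those of Solaris `<utmpx.h>` and x86-64 glibc, and the sample records, user names and documentation-range addresses are constructed for the demo. On the Solaris box itself, `/usr/lib/acct/fwtmp` reads its input from standard input, so it is run as `/usr/lib/acct/fwtmp < /var/adm/wtmpx`; invoked bare it just waits for input.

```python
"""Decode raw Solaris wtmpx/utmpx and Linux wtmp records without the host's `last`."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# ut_type values from <utmpx.h>; the same numbers on Solaris and Linux.
USER_PROCESS, DEAD_PROCESS = 7, 8
TYPE_NAMES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "OLD_TIME", 4: "NEW_TIME",
              5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
              8: "DEAD_PROCESS", 9: "ACCOUNTING", 10: "DOWN_TIME"}

# Solaris on-disk record (struct futmpx in <utmpx.h>), 372 bytes. SPARC writes it
# big-endian; the byte-order prefix is added at parse time.
#   ut_user[32] ut_id[4] ut_line[32] ut_pid ut_type ut_exit{2 shorts} (2 pad)
#   ut_tv{sec,usec} ut_session pad[5] ut_syslen ut_host[257] (1 pad)
SOLARIS_FMT = "32s4s32sihhh2xiii5ih257sx"
# glibc struct utmp as written on x86-64 Linux, 384 bytes, little-endian.
#   ut_type (2 pad) ut_pid ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   ut_exit{2 shorts} ut_session ut_tv{sec,usec} ut_addr_v6[4] unused[20]
LINUX_FMT = "<hxxi32s4s32s256shhiii4i20x"
SOLARIS_RECORD_SIZE = struct.calcsize(">" + SOLARIS_FMT)   # 372
LINUX_RECORD_SIZE = struct.calcsize(LINUX_FMT)             # 384


@dataclass
class Record:
    type: int
    user: str
    line: str
    host: str
    pid: int
    when: datetime   # UTC; convert to the server's zone when matching mail headers

    def __str__(self) -> str:
        return "%-13s %-8s %-8s %-16s %s" % (TYPE_NAMES.get(self.type, self.type),
                                            self.user, self.line, self.host,
                                            self.when.strftime("%Y-%m-%d %H:%M %Z"))


def utc(*ymdhm: int) -> datetime:
    return datetime(*ymdhm, tzinfo=timezone.utc)


def _cstr(raw: bytes) -> str:
    # Fixed-width NUL-padded field -> str; latin-1 never fails on stray bytes.
    return raw.split(b"\0", 1)[0].decode("latin-1")


def _chunks(data: bytes, fmt: str) -> list:
    size = struct.calcsize(fmt)
    if not data or len(data) % size:
        raise ValueError("input is not a whole number of %d-byte records" % size)
    return [struct.unpack_from(fmt, data, off) for off in range(0, len(data), size)]


def _ts(sec: int) -> datetime:
    return datetime.fromtimestamp(sec, tz=timezone.utc)


def parse_solaris(data: bytes, endian: str = ">") -> List[Record]:
    """Solaris /var/adm/wtmpx or utmpx bytes; endian='<' for a Solaris x86 host."""
    out = []
    for fields in _chunks(data, endian + SOLARIS_FMT):
        user, _id, line, pid, typ, _te, _ex, sec, _us, _sess, *_pad, _len, host = fields
        out.append(Record(typ, _cstr(user), _cstr(line), _cstr(host), pid, _ts(sec)))
    return out


def parse_linux(data: bytes) -> List[Record]:
    """Linux /var/log/wtmp bytes (x86-64 glibc layout)."""
    out = []
    for fields in _chunks(data, LINUX_FMT):
        typ, pid, line, _id, user, host, _te, _ex, _sess, sec, _us, *_addr = fields
        out.append(Record(typ, _cstr(user), _cstr(line), _cstr(host), pid, _ts(sec)))
    return out


def logins_near(recs: List[Record], when: datetime, minutes: int) -> List[Record]:
    """USER_PROCESS records within +/- minutes of `when`: who was on, from where."""
    win = timedelta(minutes=minutes)
    return [r for r in recs if r.type == USER_PROCESS and abs(r.when - when) <= win]


def session_end(recs: List[Record], login: Record) -> Optional[datetime]:
    """First DEAD_PROCESS on the same line at or after the login, if one was written."""
    for r in recs:
        if r.type == DEAD_PROCESS and r.line == login.line and r.when >= login.when:
            return r.when
    return None


# Constructed sample records (invented names, documentation-range addresses).
def _sol(user, line, host, typ, when, pid):
    h = host.encode()
    return struct.pack(">" + SOLARIS_FMT, user.encode(), b"", line.encode(), pid, typ,
                       0, 0, int(when.timestamp()), 0, pid, 0, 0, 0, 0, 0, len(h) + 1, h)


def _lin(user, line, host, typ, when, pid):
    return struct.pack(LINUX_FMT, typ, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, pid, int(when.timestamp()), 0, 0, 0, 0, 0)


SOLARIS_SAMPLE = (_sol("oper", "pts/3", "192.0.2.10", USER_PROCESS, utc(2010, 5, 17, 23, 5), 4711)
                  + _sol("", "pts/3", "192.0.2.10", DEAD_PROCESS, utc(2010, 5, 17, 23, 20), 4711))
LINUX_SAMPLE = _lin("report1", "pts/7", "198.51.100.23", USER_PROCESS, utc(2010, 5, 17, 22, 40), 9021)

if __name__ == "__main__":
    # Real use: recs = parse_solaris(open("/var/adm/wtmpx", "rb").read())
    recs = parse_solaris(SOLARIS_SAMPLE)
    for r in recs:
        print(r)
    for r in logins_near(recs, utc(2010, 5, 17, 23, 12), 30):
        print("candidate:", r.user, "from", r.host, "on", r.line, "until", session_end(recs, r))
```

The `ut_host` field is whatever the login service recorded, so the address it names is the next hop to check, not proof of the person at the keyboard; the DEAD_PROCESS record gives the session's end, which `who`/`last` output on the original post's Solaris box did not show.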
I tried to run the command "/usr/lib/acct/fwtmp", and the cursor just sat there. I looked at the file (ls -al), which was very small and should not have hung. Can anyone tell me why this happened?
What exactly do you mean when you say "input file" being too big? Can you give me an example of input file?
I get this error when I log in through console "fatal: Read from socket failed: Connection reset by peer". Can you tell me what this is and why it happens, and how to stop it? Thank you.