Gentoo Archives: gentoo-security

From: "Christopher P. Kern" <cpkern@×××××.com>
To: gentoo-security@l.g.o
Subject: [gentoo-security] Strange occurrence of sendmail and disk I/O in background....
Date: Tue, 19 Feb 2008 11:45:01
Message-Id: 47BAC0A3.50304@gmail.com

Can anyone tell me what service/application would start sendmail?

I discovered my Gentoo computer recently very active with I/O on the
hard drive and receive/transmit activity on an invocation of gkrellm. In
researching the activity, I found that I had an smtp connection to a
computer in Toronto, Canada. The connection was on port 43121 and looked
like so:

  bash$  netstat -t -u
  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address  Foreign Address  State
  tcp        0      1 [myIP]:43121   [theirIP]:smtp   ESTABLISHED
    ... Other usual stuff ....

    Running a check to see what may be running in the process tables:

  bash$  ps -efl

showed this process here:

  /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t

    I could not find the cause for this application invocation. Nothing
in the rc-update, crontab, nor services suggests that sendmail ought to 
be running.

    When I killed the PID for this sendmail process, all disk I/O
immediately stopped. The site for the IP address which had a connection
to my computer was never one which I had ever visited. I know of no
reason I would ever go to it.
   
    I found vulnerabilities associated with a lower version of sendmail
but none with the version I've installed right now.

    Any suggestions, ideas, or explanations are welcomed.

          Thanks in advance,
      

                      Kern.
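
Added example (not part of the original message): one way to find what started a process like the sendmail above, while it is still alive, is to walk its parent chain in the process table and look at its siblings. sendmail's -F option sets the sender's full name, so -FCronDaemon suggests a cron daemon mailing job output, and the parent chain confirms or rules that out. The listing, PIDs and job path below are constructed.

```shell
#!/bin/sh
# Added example: attribute a process from a `ps -eo pid,ppid,args` listing.
# Live use (before killing the process): ps -eo pid,ppid,args | ancestry <pid>

# Constructed sample listing; PIDs and the job path are hypothetical.
sample_ps() {
    cat <<'EOF'
  PID  PPID COMMAND
    1     0 init [3]
 4120     1 /usr/sbin/cron
 9811  4120 /usr/sbin/cron
 9812  9811 /bin/sh -c /usr/local/bin/nightly-job
 9815  9811 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
EOF
}

# ancestry PID: print "pid<TAB>command" for PID and every ancestor in the listing.
ancestry() {
    awk -v start="$1" '
        $1 == "PID" { next }                          # skip the header row
        {
            cmd = $3
            for (i = 4; i <= NF; i++) cmd = cmd " " $i
            parent[$1] = $2; args[$1] = cmd
        }
        END {
            p = start
            while ((p in parent) && !(p in seen)) {   # seen[] guards against loops
                seen[p] = 1
                printf "%s\t%s\n", p, args[p]
                p = parent[p]
            }
        }'
}

# siblings PID: print the other children of PID's parent (e.g. the job being mailed about).
siblings() {
    awk -v target="$1" '
        $1 == "PID" { next }
        { parent[$1] = $2; row[$1] = $0 }
        END {
            if (!(target in parent)) exit             # unknown PID: print nothing
            want = parent[target]
            for (p in parent) if (p != target && parent[p] == want) print row[p]
        }'
}

sample_ps | ancestry 9815
sample_ps | siblings 9815
```

If the chain does not lead back to a cron daemon, the first unexpected ancestor is the process to examine next.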
