Gentoo Archives: gentoo-security

From: "Christopher P. Kern" <cpkern@×××××.com>
To: gentoo-security@l.g.o
Subject: [gentoo-security] Strange occurrence of sendmail and disk I/O in background....
Date: Tue, 19 Feb 2008 11:40:18
Can anyone tell me what service/application would start sendmail?

I discovered my Gentoo computer recently very active with I/O on the
hard drive and receive/transmit activity on an invocation of gkrellm. In
researching the activity, I found that I had an smtp connection to a
computer in Toronto, Canada. The connection was on port 43121 and looked
like so:
  bash$  netstat -t -u
  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address  Foreign Address  State
  tcp        0      1 [myIP]:43121   [theirIP]:smtp   ESTABLISHED
    ... Other usual stuff ....

    Running a check to see what may be running in the process tables:

 bash$  ps -efl

 showed this process here:
 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t

    I could not find the cause for this application invocation. Nothing
in the rc-update, crontab, nor services suggests that sendmail ought to 
be running.

    When I killed the PID for this sendmail process, all disk I/O
immediately stopped. The site for the IP address which had a connection 
to my computer was never one I had ever visited. I know of no 
reason I would ever go to it.
    I found vulnerabilities associated with a lower version of sendmail
but none with the version I've installed right now.

    Any suggestions, ideas, or explanations are welcomed.

          Thanks in advance,
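One way to carry out the triage the post describes, as an added example that is not part of the original message: parse `ps -efl` output to walk the sendmail process's parent chain (which surfaces the cron job whose output is being mailed under the `-FCronDaemon` sender name), and read the `netstat -t` line to confirm the SMTP connection is outbound from this host rather than inbound. The process list, PIDs and addresses below are constructed for the example.

```python
"""Triage helper: who started this sendmail, and which way does the connection go?"""
import re

# Constructed `ps -efl` sample (hypothetical PIDs): cron -> shell -> job -> sendmail.
PS_SAMPLE = """\
F S UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY   TIME CMD
4 S root    1     0  0  80   0 -  1234 -      Feb18 ?     00:00:01 init [3]
5 S root  912     1  0  80   0 -  1500 -      Feb18 ?     00:00:00 /usr/sbin/cron
1 S root 4410   912  0  80   0 -  1600 -      11:32 ?     00:00:00 /usr/sbin/cron
4 S root 4411  4410  0  80   0 -  2200 -      11:32 ?     00:00:03 /bin/sh -c /usr/local/bin/nightly-backup
4 S root 4419  4411  0  80   0 -  3100 -      11:32 ?     00:00:09 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
"""
# Constructed `netstat -t` line using RFC 5737 documentation addresses.
NETSTAT_SAMPLE = "tcp        0      1 192.0.2.10:43121   203.0.113.5:smtp   ESTABLISHED"

def parse_ps(text):
    """Map PID -> (PPID, CMD) from `ps -efl` output; CMD keeps all its arguments."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 14)            # 15 columns, CMD is the remainder
        if len(parts) == 15:
            procs[parts[3]] = (parts[4], parts[14])
    return procs

def find_pids(procs, pattern):
    """PIDs whose command line matches a regex, e.g. the cron-invoked sendmail."""
    return [pid for pid, (_, cmd) in procs.items() if re.search(pattern, cmd)]

def ancestry(procs, pid):
    """Command lines from PID up to init; loop-safe in case of corrupted PPIDs."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, cmd = procs[pid]
        chain.append(cmd)
        pid = ppid
    return chain

MAIL_PORTS = {"smtp", "25", "submission", "587", "smtps", "465"}

def classify_direction(netstat_line):
    """'outbound' = ephemeral local port talking to a peer's mail port (we are sending)."""
    parts = netstat_line.split()
    local_port = parts[3].rsplit(":", 1)[1]
    foreign_port = parts[4].rsplit(":", 1)[1]
    if foreign_port in MAIL_PORTS and local_port.isdigit() and int(local_port) >= 1024:
        return "outbound"
    if local_port in MAIL_PORTS:
        return "inbound"
    return "unknown"

if __name__ == "__main__":
    procs = parse_ps(PS_SAMPLE)
    for pid in find_pids(procs, r"sendmail -FCronDaemon"):
        print(f"PID {pid} parent chain:", *ancestry(procs, pid), sep="\n    ")
    print("connection is", classify_direction(NETSTAT_SAMPLE))
```

On a live system the same walk can be done with `ps -o ppid= -p <pid>` repeated up the chain; a sendmail whose ancestry does not lead back to cron or another known mailer caller is the case worth treating as suspicious.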


