LINUX problem
Is there a linux community?
Remember my hacked server? Well, I locked it up, tight as a drum (ipchains) and secured it in other ways, and things were fine. Sendmail was always functioning, but mail client connections from the "internal" network were being refused... that was the tip-off. That was repaired and all was well... AFTER the lock down.
Mail, telnet, and ftp were all good-to-go for a week... then BANG. Mail clients cannot connect. Telnet connections are "refused", as are ftp sessions - from the internal network!!!
I can't even telnet to the server hostname from the fricking console! Log in as root, telnet hostname: "connection refused..."
- I've checked /etc/inetd.conf (it's fine),
- hosts.deny and allow are blank,
- ipchains rules do not exclude internal network connections (I'm going back to the console to re-verify the rules one at a time!!!)
- root password is being changed every 24 hours
- the 'secure' log is fine... nothing odd...
Remember, the problem just appeared... I have no event I can point to... so I was thinking hackers, but I can't see where they got in... although if they did come in through named (it's a DNS server as well as a sendmail host!) what the hell did they do to make the system refuse telnet sessions from the inside???
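Two of the items on the checklist above (inetd.conf and hosts.allow/hosts.deny) can be verified mechanically. The script below is an added example, not something from the original post: it parses constructed sample copies of those files (standing in for the poster's real ones) and reports whether inetd would still spawn a service and whether tcpd would let a given client through. A service whose inetd.conf line is commented out gives "connection refused" even from the console, which is the symptom described. The tcp_wrappers matching is a simplified version of tcpd's rules (ALL, exact host, or trailing-dot address prefix only).

```sh
#!/bin/sh
# Constructed sample configs (not the poster's files): telnet commented out, ftp still served
SAMPLE_INETD='#telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd'
SAMPLE_ALLOW='in.ftpd in.telnetd : 192.168.1.'
SAMPLE_DENY='ALL : ALL'

# inetd_state SERVICE CONF_TEXT -> enabled | disabled | missing
# "disabled" means the line exists but is commented out: inetd will not listen,
# so the kernel answers every connect with RST, i.e. "connection refused".
inetd_state() {
  if printf '%s\n' "$2" | grep -Eq "^[[:space:]]*$1[[:space:]]"; then echo enabled
  elif printf '%s\n' "$2" | grep -Eq "^[[:space:]]*#[[:space:]]*$1[[:space:]]"; then echo disabled
  else echo missing; fi
}

# list_matches LIST ITEM -> true if ITEM is covered by a tcp_wrappers list
# (simplified: ALL, an exact name/address, or a trailing-dot address prefix)
list_matches() {
  for tok in $1; do
    case "$tok" in
      ALL) return 0 ;;
      *.) case "$2" in "$tok"*) return 0 ;; esac ;;
      "$2") return 0 ;;
    esac
  done
  return 1
}

# rule_matches RULES_TEXT DAEMON CLIENT -> true if any "daemon_list : client_list" line matches both
rule_matches() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | while IFS=: read -r dl cl; do
    list_matches "$dl" "$2" && list_matches "$cl" "$3" && echo hit
  done | grep -q hit
}

# wrappers_decision DAEMON CLIENT ALLOW_TEXT DENY_TEXT -> allow | deny
# tcpd order: first match in hosts.allow grants, then hosts.deny refuses, otherwise allow.
wrappers_decision() {
  if rule_matches "$3" "$1" "$2"; then echo allow
  elif rule_matches "$4" "$1" "$2"; then echo deny
  else echo allow; fi
}

for svc in telnet ftp shell; do
  echo "inetd $svc: $(inetd_state "$svc" "$SAMPLE_INETD")"
done
echo "tcpd in.telnetd from 192.168.1.7: $(wrappers_decision in.telnetd 192.168.1.7 "$SAMPLE_ALLOW" "$SAMPLE_DENY")"
echo "tcpd in.telnetd from 10.0.0.5:    $(wrappers_decision in.telnetd 10.0.0.5 "$SAMPLE_ALLOW" "$SAMPLE_DENY")"
```

To check a live box, pass the real files instead of the samples, e.g. `inetd_state telnet "$(cat /etc/inetd.conf)"`; blank hosts.allow and hosts.deny, as in the post, make the wrappers answer allow for everyone, which points the finger back at inetd itself or at a REJECT rule.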