Koozali.org: home of the SME Server

unknown user on my system

joop

unknown user on my system
« on: October 16, 2002, 01:22:54 AM »
After the usual consulting of the maillog, I just discovered an unknown user on my system, from whom mail is sent out (forwarded) to unknown addresses; mail is coming back with different error messages: user unknown, user not listed in public name and address lists, etc.
Is this a 'bouncer' or is my system compromised? What to do or check?
This user is not shown in any of the 'usual files', nor is it defined by me.
SME 5.1.2, update 2 installed, with some addons like system monitor, antivir, webstatistics. Newbie, alas...

Ray Mitchell

Re: unknown user on my system
« Reply #1 on: October 16, 2002, 07:13:45 AM »
I believe that for v5.1.2 the latest update is 3. I think it was a security fix too.
ftp://ftp.e-smith.org/pub/e-smith/updates/5.1.2/Update3/
Sorry cannot help diagnose your problem though.
Regards
Ray Mitchell

Rob Wellesley

Re: unknown user on my system
« Reply #2 on: October 18, 2002, 01:28:57 AM »
Sounds like a virus

Since qmail handles all mail on your network it could be from any client.

rob

joop

Re: unknown user on my system
« Reply #3 on: October 18, 2002, 01:48:40 AM »
Of course.. but (my mistake not to mention it) this is happening without any other computer up and running, client or not. Just the SME server.. 'standalone'.

joop

Re: unknown user on my system
« Reply #4 on: October 18, 2002, 01:50:18 AM »
And of course, the computer is scanned on a regular basis by antivir and checked for rootkits..

joop

Re: unknown user on my system
« Reply #5 on: October 18, 2002, 01:53:01 AM »
This is a part of the maillog:
Oct 17 12:00:16 sme smtpfwdd[12453]: forwarding to recipient joop@nordap.no
Oct 17 12:00:16 sme smtpfwdd[12453]: smtpdBgjJrz forwarded to 1 recipients
Oct 17 16:00:07 sme avgated[16521]: connection from localhost
Oct 17 16:00:07 sme avgated[16521]: spooled to 16521-6CA360D9
Oct 17 16:00:07 sme avgatefwd[16522]: Message 'incoming/xf-16521-6CA360D9' scheduled for scanning now.
Oct 17 16:00:07 sme avgatefwd[16522]: Virus Scanner will process message 'incoming/qf-16521-6CA360D9'.
Oct 17 16:00:08 sme avgated[16521]: spooled to 16521-63C2F837
Oct 17 16:00:08 sme avgatefwd[16525]: Message 'incoming/xf-16521-63C2F837' scheduled for scanning now.
Oct 17 16:00:08 sme avgatefwd[16525]: Virus Scanner will process message 'incoming/qf-16521-63C2F837'.
Oct 17 16:00:09 sme avgatefwd[16532]: Message 'outgoing/xf-16521-6CA360D9' scheduled for delivery now.
Oct 17 10:00:09 sme smtpd[16533]: SMTP HELO from localhost(127.0.0.1) as "localhost"
Oct 17 10:00:09 sme smtpd[16533]: mail from
Oct 17 10:00:09 sme smtpd[16533]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: , allowed by line 24 of /etc/smtpd_check_rules
Oct 17 10:00:09 sme smtpd[16533]: Recipient
Oct 17 16:00:09 sme avgated[16521]: spooled to 16521-6F1996C0
Oct 17 16:00:09 sme avgatefwd[16537]: Message 'incoming/xf-16521-6F1996C0' scheduled for scanning now.
Oct 17 16:00:09 sme avgatefwd[16537]: Virus Scanner will process message 'incoming/qf-16521-6F1996C0'.
Oct 17 10:00:09 sme smtpd[16533]: Received 6150 bytes of message body from localhost(127.0.0.1)
Oct 17 16:00:09 sme avgatefwd[16532]: Message 'outgoing/qf-16521-6CA360D9' successfully forwarded.
Oct 17 16:00:09 sme avgated[16521]: spooled to 16521-762C10CF
Oct 17 16:00:09 sme avgatefwd[16538]: Message 'incoming/xf-16521-762C10CF' scheduled for scanning now.
Oct 17 16:00:09 sme avgatefwd[16538]: Virus Scanner will process message 'incoming/qf-16521-762C10CF'.
Oct 17 16:00:10 sme avgated[16521]: spooled to 16521-70E46924
Oct 17 16:00:10 sme avgatefwd[16541]: Message 'incoming/xf-16521-70E46924' scheduled for scanning now.
Oct 17 16:00:10 sme avgatefwd[16541]: Virus Scanner will process message 'incoming/qf-16521-70E46924'.
Oct 17 16:00:10 sme avgated[16521]: spooled to 16521-78C85830
Oct 17 16:00:10 sme avgated[16521]: connection to localhost closed
Oct 17 16:00:10 sme avgatefwd[16542]: Message 'incoming/xf-16521-78C85830' scheduled for scanning now.
Oct 17 16:00:10 sme avgatefwd[16542]: Virus Scanner will process message 'incoming/qf-16521-78C85830'.
Oct 17 16:00:10 sme avgatefwd[16545]: Message 'outgoing/xf-16521-63C2F837' scheduled for delivery now.
Oct 17 10:00:11 sme smtpd[16546]: SMTP HELO from localhost(127.0.0.1) as "localhost"
Oct 17 10:00:11 sme smtpd[16546]: mail from
Oct 17 10:00:11 sme smtpd[16546]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: , allowed by line 24 of /etc/smtpd_check_rules
Oct 17 10:00:11 sme smtpd[16546]: Recipient
Oct 17 10:00:11 sme smtpd[16546]: Received 6043 bytes of message body from localhost(127.0.0.1)
Oct 17 16:00:11 sme avgatefwd[16545]: Message 'outgoing/qf-16521-63C2F837' successfully forwarded.
Oct 17 16:00:13 sme avgatefwd[16562]: Message 'outgoing/xf-16521-6F1996C0' scheduled for delivery now.
Oct 17 10:00:13 sme smtpd[16563]: SMTP HELO from localhost(127.0.0.1) as "localhost"
Oct 17 10:00:13 sme smtpd[16563]: mail from
Oct 17 10:00:13 sme smtpd[16563]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: , allowed by line 24 of /etc/smtpd_check_rules
Oct 17 10:00:13 sme smtpd[16563]: Recipient
Oct 17 10:00:13 sme smtpd[16563]: Received 6036 bytes of message body from localhost(127.0.0.1)
Oct 17 16:00:13 sme avgatefwd[16562]: Message 'outgoing/qf-16521-6F1996C0' successfully forwarded.
Oct 17 16:00:13 sme avgatefwd[16569]: Message 'outgoing/xf-16521-762C10CF' scheduled for delivery now.
Oct 17 10:00:14 sme smtpd[16570]: SMTP HELO from localhost(127.0.0.1) as "localhost"
Oct 17 10:00:14 sme smtpd[16570]: mail from
Oct 17 10:00:14 sme smtpd[16570]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: , allowed by line 24 of /etc/smtpd_check_rules
Oct 17 10:00:14 sme smtpd[16570]: Recipient
Oct 17 10:00:14 sme smtpd[16570]: Received 6034 bytes of message body from localhost(127.0.0.1)
Oct 17 16:00:14 sme avgatefwd[16569]: Message 'outgoing/qf-16521-762C10CF' successfully forwarded.
Oct 17 16:00:14 sme avgatefwd[16574]: Message 'outgoing/xf-16521-70E46924' scheduled for delivery now.
Oct 17 10:00:14 sme smtpd[16575]: SMTP HELO from localhost(127.0.0.1) as "localhost"
Oct 17 10:00:14 sme smtpd[16575]: mail from
Oct 17 16:00:14 sme avgatefwd[16579]: Message 'outgoing/xf-16521-78C85830' scheduled for delivery now.
Oct 17 10:00:14 sme smtpd[16575]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: , allowed by line 24 of /etc/smtpd_check_rules
Oct 17 10:00:14 sme smtpd[16575]: Recipient
Oct 17 10:00:14 sme smtpd[16575]: Received 6041 bytes of message body from localhost(127.0.0.1)
Oct 17 16:00:14 sme avgatefwd[16574]: Message 'outgoing/qf-16521-70E46924' successfully forwarded.
Oct 17 10:00:15 sme smtpd[16580]: SMTP HELO from localhost(127.0.0.1) as "localhost"
Oct 17 10:00:15 sme smtpd[16580]: mail from
Oct 17 10:00:15 sme smtpd[16580]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: , allowed by line 24 of /etc/smtpd_check_rules
Oct 17 10:00:15 sme smtpd[16580]: Recipient
Oct 17 10:00:15 sme smtpd[16580]: Received 6036 bytes of message body from localhost(127.0.0.1)
Oct 17 16:00:15 sme avgatefwd[16579]: Message 'outgoing/qf-16521-78C85830' successfully forwarded.
Oct 17 16:00:18 sme smtpfwdd[16582]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16583]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16584]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16585]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16586]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16587]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16582]: smtpdovUWsK forwarded to 1 recipients
Oct 17 16:00:19 sme smtpfwdd[16583]: smtpdr0cFtj forwarded to 1 recipients
Oct 17 16:00:19 sme smtpfwdd[16584]: smtpdq5QZVG forwarded to 1 recipients
Oct 17 16:00:19 sme smtpfwdd[16585]: smtpdSUpXZt forwarded to 1 recipients
Oct 17 16:00:19 sme smtpfwdd[16586]: smtpdhtQhOa forwarded to 1 recipients
Oct 17 16:00:19 sme smtpfwdd[16587]: smtpd5rnUhp forwarded to 1 recipients

joop@nordap.no is a regular user (me); ahkHlE5@nordap.no is the unknown part....
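A first triage step for a maillog like the one quoted above, as an added example that is not part of the original post or of the SME Server / e-smith code: it reads the `smtpfwdd` "forwarding to recipient" lines, counts messages per recipient, and flags recipients at the server's own domain whose local part is not a configured user. The sample log is copied (abridged) from the post; the known-user list (`joop`) and the local domain (`nordap.no`) are assumptions for the example, and in practice come from the server's user database and domain settings.

```python
"""Triage an SME Server style maillog for forwarded recipients that do not
belong to any known local user.  Added example, not project code."""
import re
from collections import Counter

# Constructed sample: lines copied (abridged) from the maillog quoted in the post.
SAMPLE_MAILLOG = """\
Oct 17 12:00:16 sme smtpfwdd[12453]: forwarding to recipient joop@nordap.no
Oct 17 12:00:16 sme smtpfwdd[12453]: smtpdBgjJrz forwarded to 1 recipients
Oct 17 10:00:09 sme smtpd[16533]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: , allowed by line 24 of /etc/smtpd_check_rules
Oct 17 10:00:11 sme smtpd[16546]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: , allowed by line 24 of /etc/smtpd_check_rules
Oct 17 10:00:13 sme smtpd[16563]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: , allowed by line 24 of /etc/smtpd_check_rules
Oct 17 16:00:18 sme smtpfwdd[16582]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16583]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16584]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16585]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16586]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16587]: forwarding to recipient ahkHlE5@nordap.no
Oct 17 16:00:18 sme smtpfwdd[16582]: smtpdovUWsK forwarded to 1 recipients
"""

# smtpfwdd logs one line per recipient it hands off for delivery.
FORWARD_RE = re.compile(r"smtpfwdd\[\d+\]: forwarding to recipient (\S+)")
# smtpd logs each message injected from the local host (e.g. re-injection by
# the virus gateway) with an UNKNOWN ident; count them as a second signal.
LOCALHOST_RE = re.compile(r"smtpd\[\d+\]: smtp connection from UNKNOWN@localhost")


def parse_forwards(log_text):
    """Return a Counter mapping recipient address -> forwarded message count."""
    return Counter(m.group(1).lower()
                   for m in FORWARD_RE.finditer(log_text))


def find_unknown_recipients(log_text, known_users, local_domain):
    """Recipients at our own domain whose local part is not a known user."""
    known = {u.lower() for u in known_users}
    flagged = Counter()
    for rcpt, n in parse_forwards(log_text).items():
        local_part, _, domain = rcpt.rpartition("@")
        if domain == local_domain.lower() and local_part not in known:
            flagged[rcpt] += n
    return flagged


def count_localhost_injections(log_text):
    """Number of messages accepted by smtpd from 127.0.0.1 with UNKNOWN ident."""
    return sum(1 for _ in LOCALHOST_RE.finditer(log_text))


def triage_report(log_text, known_users, local_domain):
    """Bundle the three signals into one dict for a quick look."""
    return {
        "forwards": dict(parse_forwards(log_text)),
        "unknown_local_recipients": dict(
            find_unknown_recipients(log_text, known_users, local_domain)),
        "localhost_injections": count_localhost_injections(log_text),
    }


if __name__ == "__main__":
    # Assumed known users and domain; replace with the real user list.
    report = triage_report(SAMPLE_MAILLOG, {"joop"}, "nordap.no")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The script only isolates which address is unusual and how often it appears; it does not by itself say whether the name is a bounced or spoofed envelope recipient or a sign of compromise. Cross-check any flagged local part against the server's configured users and aliases, and read the full `MAIL FROM`/`RCPT TO` values in the unabridged log (the post's copy has them stripped), since the sender side of those lines tells you where the messages were actually injected.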

jeroen

Re: unknown user on my system
« Reply #6 on: October 18, 2002, 02:40:41 AM »