Hi.

On Thu, Mar 30, 2023 at 12:19:24PM +0100, Julian Gilbey wrote:
> The log seems quite unhelpful here, though I may be missing
> something. Here is an example:

I disagree. There's nothing to miss here, thus you're correct.

> 2023-03-29 00:07:19 1phIPT-0047NQ-0H <= <> H=(LOCALHOSTNAME) [::1] P=smtp
> S=2878

That, my friend, is a locally queued mail. I.e. some process on that very
host connected to exim on tcp:25 on the same host and

> 2023-03-29 00:07:19 1phIPT-0047NQ-0H ** frpjxbkek...@sport.qc.ca
> <frpjxbkek...@sport.qc.ca> R=nonlocal: Mailing to remote domains not supported

tried to send an e-mail to that e-mail above. That exim is probably
configured as "local" MTA, so it refused to send that e-mail.

> It seems to have originated locally ([::1]), which is why I wonder
> whether I've got a virus of some sort.

"Virus" is such a harsh word. It's malware, plain and simple.

I suggest you to:

1) Power off problematic host ASAP.
2) Remove HDD from that host.
3) Attach the HDD to known clean host, preferably with a different CPU
architecture, mount filesystems.
4) Check Debian software for validity (debsums -ac -r ...).
5) Check crontabs (both system and users'), double-check www-data crontab.
6) Check systemd timers, both system and users'.
7) Consider using very strict Apparmor policy for any LAN-facing services
that you have there in the future (aa-genprof).

> On my internet-facing host, these messages appear to originate from a
> Canadian ISP, but I don't know whether to believe it, given what's
> happening on my other machine.

Be generous, ban whole AS of that ISP via iptables/nft first. Consider
repeating the steps outlined above for internet-facing host too.

Reco
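The log reading and steps 5 and 6 of the checklist above, as an added POSIX shell example that is not code from Reco or from the thread. It assumes the suspect disk is mounted read-only on a clean host at a path you pass in (a hypothetical /mnt/suspect), exim4's default mainlog location under that root, and the cron and systemd timer paths of a stock Debian install; the sample root it builds for trying the helpers is constructed, including the deliberately odd cron.d entry, and is not taken from the reporter's logs.

```shell
#!/bin/sh
# Offline triage helpers for a Debian host that is emitting locally injected
# mail. Added example, not from the thread. Run on a known-clean host against
# a read-only mount of the suspect disk, e.g. "sh triage.sh /mnt/suspect"
# (hypothetical path).
set -u

# Message ids of mail submitted from the host itself: empty envelope sender
# "<= <>" and a loopback peer address, the pattern Reco points at above.
local_submission_ids() {
    grep -E '<= <> .*\[(::1|127\.0\.0\.1)\]' "$1" | awk '{print $3}' | sort -u
}

# Message ids exim refused ("**") with R=nonlocal, i.e. outbound mail on a
# local-delivery-only MTA.
rejected_remote_ids() {
    grep -E '\*\* .*R=nonlocal' "$1" | awk '{print $3}' | sort -u
}

# Number of messages that were both injected locally and refused as remote:
# each one is a process on the box trying to send mail out.
count_local_remote_attempts() {
    a=$(mktemp); b=$(mktemp)
    local_submission_ids "$1" > "$a"
    rejected_remote_ids "$1" > "$b"
    comm -12 "$a" "$b" | wc -l | tr -d ' '
    rm -f "$a" "$b"
}

# Non-comment lines from every crontab and systemd timer unit under the
# mounted root (system and per-user), prefixed with the path relative to it.
list_persistence() {
    root="$1"
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* \
             "$root"/etc/systemd/system/*.timer \
             "$root"/lib/systemd/system/*.timer \
             "$root"/home/*/.config/systemd/user/*.timer; do
        [ -f "$f" ] || continue
        grep -vE '^[[:space:]]*(#|$)' "$f" | sed "s|^|${f#"$root"}: |"
    done
}

# Constructed sample tree so the helpers can be tried without a real disk.
# Addresses, ids and the cron entries are made up.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/var/log/exim4" "$d/var/spool/cron/crontabs" \
             "$d/etc/cron.d" "$d/etc/systemd/system"
    cat > "$d/var/log/exim4/mainlog" <<'EOF'
2023-03-29 00:07:19 1phIPT-0000AA-0H <= <> H=(LOCALHOSTNAME) [::1] P=smtp S=2878
2023-03-29 00:07:19 1phIPT-0000AA-0H ** one@example.invalid <one@example.invalid> R=nonlocal: Mailing to remote domains not supported
2023-03-29 00:07:20 1phIPT-0000AB-0H <= <> H=(LOCALHOSTNAME) [::1] P=smtp S=2901
2023-03-29 00:07:20 1phIPT-0000AB-0H ** two@example.invalid <two@example.invalid> R=nonlocal: Mailing to remote domains not supported
2023-03-29 00:08:00 1phIPT-0000AC-0H <= root@localhost U=root P=local S=412
2023-03-29 00:08:00 1phIPT-0000AC-0H => root <root@localhost> R=local_user T=mail_spool
EOF
    # constructed: a job running from /tmp as www-data is what step 5 wants seen
    printf '* * * * * www-data /tmp/.x/run.sh\n' > "$d/etc/cron.d/update"
    printf '# user crontab\n*/5 * * * * /usr/bin/true\n' \
        > "$d/var/spool/cron/crontabs/www-data"
    printf '[Timer]\nOnCalendar=*:0/5\n' > "$d/etc/systemd/system/sync.timer"
    echo "$d"
}

# Report for a real mount point when one is given on the command line.
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    echo "locally injected and refused messages: $(count_local_remote_attempts "$1/var/log/exim4/mainlog")"
    list_persistence "$1"
fi
```

Step 4 of the checklist stays as Reco gives it, `debsums -ac -r <root>`, which needs the dpkg database under that root and so is left out of the constructed sample. Any cron or timer line the report prints that you did not put there yourself is the thing to chase next.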
I disagree. There's nothing to miss here, thus you're correct. > 2023-03-29 00:07:19 1phIPT-0047NQ-0H <= <> H=(LOCALHOSTNAME) [::1] P=smtp > S=2878 That, my friend, is a locally queued mail. I.e. some process on that very host connected to exim on tcp:25 on the same host and > 2023-03-29 00:07:19 1phIPT-0047NQ-0H ** frpjxbkek...@sport.qc.ca > <frpjxbkek...@sport.qc.ca> R=nonlocal: Mailing to remote domains not supported tried to send a e-mail to that e-mail above. That exim is probably configured as "local" MTA, so it refused to send that e-mail. > It seems to have originated locally ([::1]), which is why I wonder > whether I've got a virus of some sort. "Virus" is such a harsh word. It's a malware, plain and simple. I suggest you to: 1) Poweroff problematic host ASAP. 2) Remove HDD from that host. 3) Attach the HDD to known clean host, preferably with a different CPU architecture, mount filesystems. 4) Check Debian software for validity (debsums -ac -r ...). 5) Check crontabs (both system and users'), double-check www-data crontab. 6) Check systemd timers, both system and users'. 7) Consider using very strict Apparmor policy for any LAN-facing services that you have there in the future (aa-genprof). > On my internet-facing host, these messages appear to originate from a > Canadian ISP, but I don't know whether to believe it, given what's > happening on my other machine. Be generous, ban whole AS of that ISP via iptables/nft first. Consider repeating the steps outlined above for internet-facing host too. Reco