[CLUE-Tech] SUSE 9.0 syslog files, hackers, and emails...

Kevin Cullis kevincu at orci.com
Sat Jul 24 21:40:58 MDT 2004


Hi all,

Am in the process of building a new AMD64 machine and will be upgrading
my older PIII to SUSE 9.1 (from Novell, thanks Jeff) and was going
through my syslog files and found this because of some weird email
traffic:

Jul 24 20:53:42 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC=
SRC=4.225.214.132 DST=4.228.150.39 LEN=48 TOS=0x00 PREC=0x00 TTL=125
ID=26413 DF PROTO=TCP SPT=2832 DPT=445 WINDOW=8760 RES=0x00 SYN
URGP=22913 OPT (020405B401010402)

I guess that I've been hacked.  I thought I had done everything, but
what clued me into this was rather than doing a:

$ tail -100 /var/log/messages | grep "message"

I did a straight:

$ tail -100 /var/log/messages

I have been using the first method to find out how many messages are
downloading and when they are done and when I can get offline (hey, if
you know a way of automating this, I'd be interested) but got lazy one
day recently and found the above /var/log/messages entry with the second
command.

1. I would like to copy my /home directory and do a fresh install of
9.1.  With that in mind, in the Security HOWTO by Kevin Fenzi he stated
to make sure you don't copy binaries. What else should I not copy?

2.  Is a copied virus from one machine to another active or inert?

3.  How can I look at what is being sent (it's a German liberal
political message to a company in Italy, I think) via Postfix and then
stop the outgoing hackers' emails?

I know that I need to "plug the security holes" first, but I want to
learn about this a little more before I do a "reinstall" to fix it.

Any suggestions as always are appreciated.

Kevin
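One way to triage SuSE-FW-DROP-DEFAULT lines like the one quoted above, as an added example that is not part of the original post: the parser below splits netfilter's key=value fields out of each kernel log line and counts, per source address and destination port, the unsolicited inbound TCP SYNs that the firewall dropped (the quoted line is a SYN to TCP port 445 arriving on ppp0). The sample log is constructed: the post's own line re-joined onto one line, plus two made-up lines.

```python
import re
from collections import Counter

# SuSEfirewall2 prefixes packets refused by its default policy with
# SuSE-FW-DROP-DEFAULT; what follows is netfilter's key=value field dump.
FW_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>SuSE-FW-[A-Z-]+) (?P<rest>.*)$"
)
KV = re.compile(r"(\w+)=(\S*)")            # MAC= and OUT= may legitimately be empty
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_fw_line(line):
    """Return a dict for one SuSE-FW kernel log line, or None for any other line."""
    m = FW_LINE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    f = dict(KV.findall(rest))
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    # IN= set and OUT= empty means the packet was addressed to this host; a SYN
    # without ACK is then an unsolicited connection attempt the firewall refused.
    inbound_syn = (bool(f.get("IN")) and not f.get("OUT") and f.get("PROTO") == "TCP"
                   and "SYN" in flags and "ACK" not in flags)
    return {"ts": m.group("ts"), "prefix": m.group("prefix"), "iface_in": f.get("IN", ""),
            "src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO"),
            "spt": f.get("SPT"), "dpt": f.get("DPT"), "flags": flags,
            "inbound_syn": inbound_syn}

def count_inbound_syn_drops(lines):
    """Count dropped unsolicited inbound TCP SYNs per (source address, destination port)."""
    counts = Counter()
    for line in lines:
        ev = parse_fw_line(line)
        if ev and ev["inbound_syn"]:
            counts[(ev["src"], ev["dpt"])] += 1
    return counts

# Constructed sample: the post's own line re-joined onto one line, a second
# constructed drop from the same source, and a Postfix line that must be ignored.
SAMPLE_LOG = """\
Jul 24 20:53:42 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=4.225.214.132 DST=4.228.150.39 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=26413 DF PROTO=TCP SPT=2832 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=22913 OPT (020405B401010402)
Jul 24 20:55:10 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=4.225.214.132 DST=4.228.150.39 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=26420 DF PROTO=TCP SPT=2840 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 24 20:57:03 linux postfix/smtp[1234]: 5A2B1C: to=<user@example.invalid>, status=sent
"""

if __name__ == "__main__":
    for (src, dpt), n in sorted(count_inbound_syn_drops(SAMPLE_LOG.splitlines()).items()):
        print(f"{src} -> tcp/{dpt}: {n} dropped SYN(s)")
```

Feed it `/var/log/messages` instead of the sample (e.g. `count_inbound_syn_drops(open("/var/log/messages"))`) to see which sources keep probing which ports; a steady stream of drops on ports 445 and 139 from a dial-up interface is the firewall refusing traffic, and the OUT= direction is what to watch for when looking for unexpected outbound connections.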


