[BlueOnyx:01689] Re: Sendmail attack, again

Ken Marcus - Precision Web Hosting, Inc. kenlists at precisionweb.net
Tue Jul 14 12:44:16 -05 2009


----- Original Message ----- 
From: Rodrigo Ordonez Licona
To: 'BlueOnyx General Mailing List'
Sent: Tuesday, July 14, 2009 10:04 AM
Subject: [BlueOnyx:01688] Re: Sendmail attack, again


Had this problem before

remove files by names

like

rm dqf01*
rm dqf02*

HTH

Rodrigo O



From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On 
Behalf Of Steve Davis
Sent: Martes, 14 de Julio de 2009 08:08
To: blueonyx at blueonyx.it
Subject: [BlueOnyx:01681] Sendmail attack, again


Thought I was all finished with this. Had firewall rules set to block the 
numerous IPs attacking the server, however, it was not enough.

My /var folder is 100% full. Most of it in the /var/spool/mqueue

But I cannot delete or look at the files; when I try to
[root at raq1 mqueue]# rm -f *
bash: /bin/rm: Argument list too long

Anyone have any ideas?

Also, none of the mail on this server is relevant. It is not being used as a 
mail server, for the most part.

Steve



The script I use is below. It deletes old files, or files based on a keyword 
in them.


#!/usr/bin/perl
# Moves sendmail queue files to ~admin/spam when they are older than the
# given date or when one of the keywords appears in their first 50 lines.
use strict;
use warnings;
use File::Find;
use POSIX qw(strftime);

$| = 1;    # flush prompts before reading from STDIN

print "First I will create the ~admin/spam directory.\n";
system("mkdir -p ~admin/spam");

# "ls -la" prints the mtime of recent files as e.g. "Jul 14"; a file whose
# listing does not contain this string is treated as old.
my $date = strftime('%b %e', localtime);

print "Current month abbreviation. Older mail files will be deleted. Default is $date: ";
my $month = <STDIN>;
chomp($month);
if ($month eq "") {
    $month = $date;
    print "The month has been set to $month\n";
}

print "Restart mail server y/n, default is y: ";
my $restart = <STDIN>;
chomp($restart);
$restart = "y" if $restart eq "";

print "Keyword to look for. Default is: viagra: ";
my $keyword = <STDIN>;
chomp($keyword);
$keyword = "viagra" if $keyword eq "";
print "The first keyword is set to $keyword\n";

my $keyword2 = "vacationwhateverhere";
my $keyword3 = "excessive unknown";
my $keyword4 = "no such file";
my $keyword5 = "refused by";
my $keyword6 = "pharmac";
my $keyword7 = "somethingelsehere";
# The keywords are used as a case-insensitive regular expression.
my $keyword_re = qr/$keyword|$keyword2|$keyword3|$keyword4|$keyword5|$keyword6|$keyword7/i;

my $number = 0;
print "Proceeding to delete files related to $keyword or $keyword2 or $keyword3\n\n";

##########################################################################
# Process the four q directories; fall back to the single queue directory
# when the split queue layout is not present.
for my $dir ("/home/spool/mqueue/q1", "/home/spool/mqueue/q2",
             "/home/spool/mqueue/q3", "/home/spool/mqueue/q4") {
    find(\&process_file, $dir) if -d $dir;
}
unless (-e "/home/spool/mqueue/q4") {
    find(\&process_file, "/home/spool/mqueue") if -d "/home/spool/mqueue";
}
unless (-e "/home/spool/mqueue") {
    find(\&process_file, "/var/spool/mqueue") if -d "/var/spool/mqueue";
}

###########################################################################
sub process_file {
    my $newfile = $File::Find::name;
    return unless -f $newfile;    # skip the queue directories themselves

    my $action  = "nothing";
    my $reason  = "";
    my $newline = "";
    my $lsla    = `ls -la $newfile`;

    if ($month ne "" and $lsla !~ /$month/) {
        $action = "delete";
        $reason = "date";
    } else {
        open(my $fh, '<', $newfile) or do {
            warn "Can't open $newfile: $!\n";    # sendmail may have removed it
            return;
        };
        print "I am looking at: $newfile\n";
        my $count = 0;
        # Only the first 50 lines are inspected; queue bodies can be large.
        while (<$fh>) {
            $newline = $_;
            if ($newline =~ $keyword_re) {
                $action = "delete";
                $reason = "It had something in the newline";
                last;
            }
            last if ++$count == 50;
        }
        close($fh);
    }
    if ($action eq "delete") {
        system("mv $newfile ~admin/spam");
        chomp($newline);
        print "I moved $newfile to ~admin/spam.\n It had $newline in it\nlsla was $lsla \n Reason was $reason\n\n";
        $number++;
    }
}

print "Deleted $number files related to $keyword or $keyword2 or $keyword3\n\n";

if ($restart =~ /y/) {
    print "Restarting sendmail\n";
    system("/etc/rc.d/init.d/sendmail stop");
    sleep 2;
    system("killall -9 sendmail");
    system("/etc/rc.d/init.d/sendmail start");
    #system("/etc/rc.d/init.d/poprelayd restart");
}

exit;

----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
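Steve's "rm -f *" fails because the shell expands every queue file name onto one command line; the following is an added shell example (not from the thread or from BlueOnyx) that does the same keyword-based queue cleanup as the Perl script, but lets find(1) walk the directory so the argument limit is never hit. It assumes sendmail's flat qf/df queue layout and a find that supports -maxdepth; the sample queue it builds is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from BlueOnyx.
# Quarantine sendmail queue messages whose body matches a pattern without
# hitting "bash: /bin/rm: Argument list too long": file names are never
# expanded onto one command line; find batches them within ARG_MAX
# (-exec ... {} +) and the move loop reads one path at a time.
# Assumes qf<ID> (envelope) and df<ID> (body) side by side in QUEUE_DIR.

# purge_queue QUEUE_DIR PATTERN QUARANTINE_DIR
# Moves each matching qf/df pair into QUARANTINE_DIR (so a false positive can
# be put back) and prints the number of messages moved.
purge_queue() {
    queue=$1; pattern=$2; quarantine=$3
    mkdir -p "$quarantine"
    hits=$(mktemp)
    # grep -l prints only the names of df files whose body matches;
    # -i is case-insensitive, -s hides unreadable-file noise.
    find "$queue" -maxdepth 1 -type f -name 'df*' \
        -exec grep -lis -- "$pattern" {} + > "$hits" || true
    moved=0
    while IFS= read -r df; do
        id=${df##*/}; id=${id#df}          # dfn6EAAA001 -> n6EAAA001
        mv -f "$df" "$quarantine/" || continue
        [ -f "$queue/qf$id" ] && mv -f "$queue/qf$id" "$quarantine/"
        moved=$((moved + 1))
    done < "$hits"
    rm -f "$hits"
    echo "$moved"
}

# Constructed sample queue for a dry run: two spam bodies, one legitimate.
make_sample_queue() {
    base=$(mktemp -d)
    mkdir -p "$base/mqueue"
    for id in n6EAAA001 n6EAAA002 n6EAAA003; do
        printf 'V8\nT1247590000\nS<sender@example.invalid>\n' > "$base/mqueue/qf$id"
    done
    printf 'Cheap VIAGRA, order now\n' > "$base/mqueue/dfn6EAAA001"
    printf 'Buy viagra online\n'       > "$base/mqueue/dfn6EAAA002"
    printf 'Meeting moved to 3pm\n'    > "$base/mqueue/dfn6EAAA003"
    echo "$base"
}

demo=$(make_sample_queue)
echo "moved $(purge_queue "$demo/mqueue" viagra "$demo/spam") message(s) to $demo/spam"
```

On a real queue, stop sendmail first (as the Perl script does at the end) so it does not pick up files while they are being moved.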