[BlueOnyx:01694] Re: Sendmail attack, again

Gerald Waugh gwaugh at frontstreetnetworks.com
Wed Jul 15 08:14:58 -05 2009


Please excuse the top-post.

I see things like this in the maillog. How do they do this, and how do I stop it?
Note that all the emails in 18333 had one from

Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
from=<vitaly at ihome.net.ua>, size=2749, class=0, nrcpts=49, 
msgid=<200907151305.n6FD4mxh018333 at msi1.portage.net>, proto=ESMTP, 
daemon=MTA, relay=[82.128.35.90]
Jul 15 08:08:49 msi1 dovecot: pop3-login: Login: user=<reynold>, 
method=PLAIN, rip=207.161.72.98, lip=204.112.251.80
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cklimek at amiwra.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ckidder at ci.cypress.ca.us>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<cjhorn at cox.net>, 
delay=00:03:38, mailer=esmtp, pri=1472749, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<cjsm at cox.net>, 
delay=00:03:38, mailer=esmtp, pri=1472749, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<ckirkpat at cox.net>, 
delay=00:03:38, mailer=esmtp, pri=1472749, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<cjk at dairynet.com>, 
delay=00:03:38, mailer=esmtp, pri=1472749, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjmel at earthlink.net>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjsebastian at earthlink.net>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ckcarmar at earthlink.net>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ckowens at elkhart.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjohnson at frenship.k12.tx.us>, delay=00:03:38, mailer=esmtp, pri=1472749, 
dsn=4.4.3, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ckarrowk at gwtc.net>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<cjparks at ktc.com>, 
delay=00:03:38, mailer=esmtp, pri=1472749, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ck9594 at mailinator.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjohnston at medrad.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjmadden at myway.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ck1romany at netscape.net>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjm at positive-thinking.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjtrlo at salsgiver.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ckrnarrow at usadatanet.net>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<ckramer at wii.com>, 
delay=00:03:38, mailer=esmtp, pri=1472749, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ckcckg at wmconnect.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ckpljsmith at wmconnect.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<cketa at xlo.com>, 
delay=00:03:38, mailer=esmtp, pri=1472749, dsn=4.4.3, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<cjellf at yahoo.com>, 
delay=00:03:38, mailer=esmtp, pri=1472749, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjfunkyfree at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjg862004 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjgdtg33 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjjelinek at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjndtchss at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjnelson70 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjohnsontohaali at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjonesbetts at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjpepsi_16 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjrs1912 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjrun2345 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjseay2001 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<cjsm34 at yahoo.com>, 
delay=00:03:38, mailer=esmtp, pri=1472749, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjswims at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cjw_1970 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ckennedy26062 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cknapik97 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ckpekari at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ckrisel at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cks1621 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<ckscrmadm at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cksmith89 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<cktmbz at yahoo.com>, 
delay=00:03:38, mailer=esmtp, pri=1472749, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: 
to=<cktodd24 at yahoo.com>, delay=00:03:38, mailer=esmtp, pri=1472749, 
stat=queued
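
The excerpt above shows the pattern worth alerting on: one queue ID (n6FD4mxh018333) accepted from relay=[82.128.35.90] with nrcpts=49, followed by a to= line per recipient. The following Python is an added example for this thread, not code from the list or from BlueOnyx: it groups sendmail log lines by queue ID and flags messages with a large recipient count that arrived from a non-local relay without an SMTP AUTH line from the same sendmail process. The first four sample lines are taken from the excerpt (the archive prints '@' as ' at '; it is restored here); the remaining lines, the 20-recipient threshold, and the exact shape of sendmail's `AUTH=server` log line are assumptions for the example and may need adjusting for your sendmail version. A hit from a relay that never authenticated means the server accepted the message on some other basis, so the thing to check is whether that address was permitted by the access database or by POP-before-SMTP (Ken's script references poprelayd), or whether the box relays for anyone.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample log. Lines 1-4 are from the maillog excerpt in this thread;
# lines 5-8 are made up: a normal one-recipient message and an authenticated
# submission by the POP user seen in the dovecot line.
SAMPLE_LOG = """\
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: from=<vitaly@ihome.net.ua>, size=2749, class=0, nrcpts=49, msgid=<200907151305.n6FD4mxh018333@msi1.portage.net>, proto=ESMTP, daemon=MTA, relay=[82.128.35.90]
Jul 15 08:08:49 msi1 dovecot: pop3-login: Login: user=<reynold>, method=PLAIN, rip=207.161.72.98, lip=204.112.251.80
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<cklimek@amiwra.com>, delay=00:03:38, mailer=esmtp, pri=1472749, stat=queued
Jul 15 08:08:49 msi1 sendmail[18333]: n6FD4mxh018333: to=<cjhorn@cox.net>, delay=00:03:38, mailer=esmtp, pri=1472749, stat=queued
Jul 15 08:09:02 msi1 sendmail[18340]: n6FD92aa018340: from=<alice@example.com>, size=812, class=0, nrcpts=1, msgid=<a1@example.com>, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Jul 15 08:09:03 msi1 sendmail[18340]: n6FD92aa018340: to=<bob@example.org>, delay=00:00:01, mailer=esmtp, pri=30812, stat=Sent
Jul 15 08:10:11 msi1 sendmail[18351]: n6FDABcd018351: AUTH=server, relay=[207.161.72.98], authid=reynold, mech=LOGIN, bits=0
Jul 15 08:10:11 msi1 sendmail[18351]: n6FDABcd018351: from=<reynold@msi1.portage.net>, size=4096, class=0, nrcpts=30, msgid=<b2@msi1.portage.net>, proto=ESMTP, daemon=MTA, relay=[207.161.72.98]
"""

# "Mon DD HH:MM:SS host sendmail[pid]: queueid: key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)
# Values are <address>, [ip], or a bare token up to the next comma.
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|\[[^\]]*\]|[^,]*)")


@dataclass
class Message:
    qid: str
    pid: str
    sender: str = ""
    relay: str = ""
    nrcpts: int = 0                    # envelope recipient count from the from= line
    recipients: list = field(default_factory=list)


def parse_fields(rest):
    """Turn 'from=<a@b>, size=12, relay=[1.2.3.4]' into a dict (angle brackets stripped)."""
    return {key: val.strip("<>") for key, val in FIELD_RE.findall(rest)}


def parse_maillog(text):
    """Return ({queue_id: Message}, {pid that completed SMTP AUTH})."""
    msgs, authed_pids = {}, set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # dovecot lines and other non-sendmail noise
        qid, pid = m.group("qid"), m.group("pid")
        f = parse_fields(m.group("rest"))
        if f.get("AUTH") == "server":  # assumed format of sendmail's SASL success line
            authed_pids.add(pid)
            continue
        msg = msgs.setdefault(qid, Message(qid, pid))
        if "from" in f:
            msg.sender = f["from"]
            msg.relay = f.get("relay", "")
            msg.nrcpts = int(f.get("nrcpts", "0"))
        elif "to" in f:
            msg.recipients.append(f["to"])
    return msgs, authed_pids


def relay_ip(relay):
    """Extract the bracketed IP from a relay= value such as 'host [1.2.3.4]'."""
    m = re.search(r"\[([0-9.:a-fA-F]+)\]", relay)
    return ipaddress.ip_address(m.group(1)) if m else None


def flag_bulk_unauthenticated(msgs, authed_pids, min_rcpts=20):
    """Messages with >= min_rcpts recipients from a non-local relay with no AUTH for that process."""
    flagged = []
    for msg in msgs.values():
        ip = relay_ip(msg.relay)
        if ip is None or ip.is_loopback or ip.is_private:
            continue                   # local submissions are not what we are hunting
        if msg.pid in authed_pids:
            continue                   # authenticated bulk mail is a different problem
        if msg.nrcpts >= min_rcpts:
            flagged.append(msg)
    return flagged


if __name__ == "__main__":
    messages, authed = parse_maillog(SAMPLE_LOG)
    for msg in flag_bulk_unauthenticated(messages, authed):
        print(f"{msg.qid}: {msg.nrcpts} rcpts from {msg.sender} via {msg.relay} (no AUTH)")
```

Run it against a real file with `parse_maillog(open("/var/log/maillog").read())`; the flagged queue IDs can then be matched against the qf files in the spool, and the relay addresses against the firewall rules Steve mentions.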

----- Original Message ----- 
From: "Ken Marcus - Precision Web Hosting, Inc." <kenlists at precisionweb.net>
To: "BlueOnyx General Mailing List" <blueonyx at blueonyx.it>
Sent: Tuesday, July 14, 2009 12:44 PM
Subject: [BlueOnyx:01689] Re: Sendmail attack, again


>
> ----- Original Message ----- 
> From: Rodrigo Ordonez Licona
> To: 'BlueOnyx General Mailing List'
> Sent: Tuesday, July 14, 2009 10:04 AM
> Subject: [BlueOnyx:01688] Re: Sendmail attack, again
>
>
> Had this problem before
>
> remove files by names
>
> like
>
> rm dqf01*
> rm dqf02*
>
> HTH
>
> Rodrigo O
>
>
>
> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] 
> On
> Behalf Of Steve Davis
> Sent: Martes, 14 de Julio de 2009 08:08
> To: blueonyx at blueonyx.it
> Subject: [BlueOnyx:01681] Sendmail attack, again
>
>
> Thought I was all finished with this. Had firewall rules set to block the
> numerous IP's attacking the server, however, it was not enough.
>
> My /var folder is 100% full. Most of it in the /var/spool/mqueue
>
> But I cannot delete or look at the files, when i try to
> [root at raq1 mqueue]# rm -f *
> bash: /bin/rm: Argument list too long
>
> anyone have any ideas.
>
> Also, none of the mail on this server is relevant. It is not being used as a
> mail server, for the most part.
>
> Steve
>
>
>
> The script I use is below. It deletes old files or based on a keyword in the
> files.
>
>
> #!/usr/bin/perl
> #deletes q files related to the keyword
> use File::Find;
> use POSIX qw(locale_h strftime);
>
> print "First I will create the ~admin/spam directory. \n";
> system ("mkdir ~admin/spam");
>
> $date_fmt          = '%b %e';
> $date = strftime($date_fmt, localtime);
> #print "The date is $date";
>
> $month = "";
> print "Current Month Abbreviation Older mail files will be deleted. Default is $date";
> $month = <STDIN>;
> chomp ($month);
> if ($month eq "") {
>   $month = "$date";
>   print "The month has been set to $month \n";
> }
> chomp ($month);
>
>
> $restart = "";
> print "restart mail server y/n default is y";
> $restart = <STDIN>;
> chomp ($restart);
> if ($restart eq "") {$restart = "y";}
>
> print "Keyword to look for Default is:  viagra";
> $keyword = <STDIN>;
> chomp ($keyword);
> if ($keyword eq "") { $keyword = "viagra";}
> chomp ($keyword);
>
> print "The first keyword is set to $keyword\n";
>
> $keyword2 ="vacationwhateverhere";
> $keyword3 ="excessive unknown";
> $keyword4 ="no such file";
> $keyword5 ="refused by";
> $keyword6 ="pharmac";
> $keyword7 ="somethingelsehere";
>
>
> $number = 0;
> print "Proceeding to delete files related to $keyword or  $keyword2  or $keyword3  \n\n";
>
> ##########################################################################
> #process for 4 q files
> $thedirname = "/home/spool/mqueue/q1";
> @DIRLIST="$thedirname";
> find(\&process_file, @DIRLIST);
>
> $thedirname = "/home/spool/mqueue/q2";
> @DIRLIST="$thedirname";
> find(\&process_file, @DIRLIST);
>
> $thedirname = "/home/spool/mqueue/q3";
> @DIRLIST="$thedirname";
> find(\&process_file, @DIRLIST);
>
> $thedirname = "/home/spool/mqueue/q4";
> @DIRLIST="$thedirname";
> find(\&process_file, @DIRLIST);
>
> if ( -e "/home/spool/mqueue/q4") {} else {
>   $thedirname = "/home/spool/mqueue";
>   @DIRLIST="$thedirname";
>   find(\&process_file, @DIRLIST);
> }
>
> if ( -e "/home/spool/mqueue") {} else {
>   $thedirname = "/var/spool/mqueue";
>   @DIRLIST="$thedirname";
>   find(\&process_file, @DIRLIST);
> }
>
> ###########################################################################
> sub process_file    {
>  $newfile = $File::Find::name;
>
>  $lsla=`ls -la $newfile`;
>  if ( ($lsla !~ /$month/ ) and ($month ne "" ) ) {
>            $action = "delete";
>            $reason = "date";
>  }  else {
>    open (FIL,"$newfile") or die "Can't Open newfile\n";
>     print "I am looking at: $newfile\n";
>     $count = 0;
>     while (<FIL>) {
>        $newline =  "$_";
>        $lsla=`ls -la $newfile`;
>        if  ( $newline =~ /$keyword|$keyword2|$keyword3|$keyword4|$keyword5|$keyword6|$keyword7/i ) {
>            $action = "delete";
>            $reason = "It had something in the newline";
>            last;
>        }
>        $count =      $count  + 1;
>        if ($count == 50) { last; }
>     }
>    close (FIL);
>   }
>  if ( $action eq "delete" ) {
>      #system("cat $newfile\n\n ");
>      system("mv $newfile ~admin/spam");
>      chomp ($newline);
>      print "I moved  $newfile to ~admin/spam.\n It had $newline in it\nlsla was $lsla \n Reason was $reason\n\n";
>      #sleep (1);
>      $action = "nothing";
>      $number +=1;
>  }
> }
>
>
> print "Deleted $number files related to $keyword or  $keyword2  or $keyword3  \n\n";
>
> if ($restart =~ /y/) {
>   print "Restarting sendmail \n";
>   system ("/etc/rc.d/init.d/sendmail stop");
>   system ("sleep 2");
>   system ("killall -9 sendmail");
>   system ("/etc/rc.d/init.d/sendmail start");
>   #system ("/etc/rc.d/init.d/poprelayd restart");
> }
>
>
> exit;
>
>
>
>
>
>
> ----
> Ken Marcus
> Ecommerce Web Hosting by
> Precision Web Hosting, Inc.
> http://www.precisionweb.net
>
>
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx 
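
Steve's `rm -f *` fails because the shell expands the glob into one argument list larger than the kernel allows; for wholesale deletion the standard fix is to let a program walk the directory instead of the shell (`find /var/spool/mqueue -type f -delete`). Ken's Perl script is the selective version of the same idea: it walks the spool with File::Find and moves files aside by age or by keyword. The Python below is an added example written for this thread, not Ken's script or anything shipped with BlueOnyx. It applies the same two rules, with two changes a practitioner would want: it reads the directory with `os.scandir` so the size of the spool never matters, and it moves the qf (control) and df (body) files of a message together, so quarantining never leaves an orphaned df file in the queue. The queue file naming (qf/df/tf/xf plus a shared ID) is sendmail's; the spool contents in `demo()` are constructed and only loosely modelled on the qf format, and the quarantine directory is an assumption.

```python
import os
import re
import shutil
import tempfile
import time

# sendmail queue files: qf (control/headers), df (body), tf (temp), xf (transcript),
# all sharing one queue ID after the two-letter prefix.
QUEUE_FILE_RE = re.compile(r"[qdtx]f([A-Za-z0-9]+)")


def queue_id(name):
    """Queue ID shared by the files of one message, or None for anything else."""
    m = QUEUE_FILE_RE.fullmatch(name)
    return m.group(1) if m else None


def matches_keyword(path, pattern, max_lines=50):
    """True if one of the first max_lines lines matches, as in Ken's 50-line scan."""
    with open(path, "rb") as fh:              # queue files may hold arbitrary bytes
        for i, line in enumerate(fh):
            if i >= max_lines:
                break
            if pattern.search(line.decode("latin-1")):
                return True
    return False


def triage_queue(spool, quarantine, keywords, max_age_days, now=None):
    """Move whole qf/df groups older than max_age_days or matching a keyword.
    Returns {queue_id: reason}. Runs while sendmail's queue runners are stopped."""
    now = time.time() if now is None else now
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE) if keywords else None
    os.makedirs(quarantine, exist_ok=True)

    # os.scandir streams entries, so a spool with hundreds of thousands of files
    # never produces the "Argument list too long" failure that `rm -f *` hits.
    groups = {}
    with os.scandir(spool) as entries:
        for entry in entries:
            qid = queue_id(entry.name)
            if qid is not None and entry.is_file(follow_symlinks=False):
                groups.setdefault(qid, []).append(entry.path)

    moved = {}
    for qid, paths in sorted(groups.items()):
        # Age from the qf file when present: every queued message has one.
        control = [p for p in paths if os.path.basename(p).startswith("qf")] or paths
        age_days = (now - os.stat(control[0]).st_mtime) / 86400
        if age_days > max_age_days:
            reason = "age"
        elif pattern is not None and any(matches_keyword(p, pattern) for p in paths):
            reason = "keyword"
        else:
            continue
        # Move every file of the group, so no orphaned df is left for sendmail to trip on.
        for p in paths:
            shutil.move(p, os.path.join(quarantine, os.path.basename(p)))
        moved[qid] = reason
    return moved


def demo():
    """Build a constructed spool in a temp dir, triage it, and return what happened."""
    root = tempfile.mkdtemp(prefix="mqueue-demo-")
    spool, quarantine = os.path.join(root, "mqueue"), os.path.join(root, "spam")
    os.makedirs(spool)
    now = time.time()

    def write(name, text, mtime=None):
        p = os.path.join(spool, name)
        with open(p, "w") as fh:
            fh.write(text)
        if mtime is not None:
            os.utime(p, (mtime, mtime))

    # Constructed queue files, loosely modelled on sendmail's qf layout.
    write("qfAAA001", "V8\nS<vitaly@example.net>\nH?P?Subject: cheap VIAGRA here\n")
    write("dfAAA001", "buy now\n")
    old = now - 40 * 86400
    write("qfBBB002", "V8\nS<alice@example.com>\nH?P?Subject: invoice\n", mtime=old)
    write("dfBBB002", "stuck for weeks\n", mtime=old)
    write("qfCCC003", "V8\nS<bob@example.org>\nH?P?Subject: hello\n")
    write("dfCCC003", "hi\n")

    moved = triage_queue(spool, quarantine, ["viagra", "pharmac"], max_age_days=30, now=now)
    remaining, quarantined = sorted(os.listdir(spool)), sorted(os.listdir(quarantine))
    shutil.rmtree(root)
    return moved, remaining, quarantined


if __name__ == "__main__":
    print(demo())
```

On a live box the call would be `triage_queue("/var/spool/mqueue", "/home/admin/spam", ["viagra", "pharmac"], max_age_days=30)` with sendmail stopped first and restarted afterwards, exactly the sequence Ken's script ends with; the returned dict gives the per-message reason for the log.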