[BlueOnyx:09174] Re: Some kind of attack?
Maurice de Laat
mdlaat at muisnetwerken.nl
Tue Dec 6 18:37:06 -05 2011
Hi Rashid
On Tue, Dec 06, 2011 at 06:10:17PM -0500, Abdul Rashid Abdullah wrote:
> I just had a situation in which my server became overwhelmed. Fortunately
> I was able to login and found a lot of processes such as the following on
> the system:
>
> root 5031 18125 0 17:21 ? 00:00:00 sendmail: server
> 115-64-9-98.static.tpgi.com.au [115.64.9.98] cmd read
>
> I stopped sendmail services and then restarted them which killed off all of
> these processes. What else should I do and is there a vulnerability in
> the system that is being exploited? Does it require a patch or is it a
> configuration issue?
I had something similar a few weeks ago. In my case it was someone who
successfully did a brute force attack on the POP3 protocol, which allowed
them to use the server as an SMTP server.
You could check the mail queue (command mailq) to see if there are a lot of
outgoing messages waiting to be sent. Mailq displays the message number,
which in turn can be found in the maillog, giving you the local user that
sent the message.
--
Maurice de Laat
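
The lookup described in the reply above (queue IDs from mailq matched against the maillog), as an added example that is not part of the original message. It assumes sendmail-style log lines; the function names, hostnames, queue IDs and both samples are constructed, and the AUTH=server/authid line format is an assumption about how this sendmail build logs authenticated sessions.

```shell
#!/bin/sh
# Added example; both samples are constructed, abridged sendmail-style data.
sample_mailq() { cat <<'EOF'
                /var/spool/mqueue (3 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
pB6MLAa1005031*    2210 Tue Dec  6 17:21 <jdoe@example.com>
                                         <a@example.net>
pB6MLBa1005031     2198 Tue Dec  6 17:21 <jdoe@example.com>
                 (Deferred: Connection timed out with mx.example.net.)
                                         <b@example.net>
pB6MMAa1005040      911 Tue Dec  6 17:22 <alice@example.com>
                                         <c@example.org>
EOF
}
sample_maillog() { cat <<'EOF'
Dec  6 17:21:01 mail sendmail[5031]: AUTH=server, relay=host1.example.net [192.0.2.10], authid=jdoe, mech=LOGIN, bits=0
Dec  6 17:21:03 mail sendmail[5031]: pB6MLAa1005031: from=<jdoe@example.com>, size=2210, nrcpts=1, relay=host1.example.net [192.0.2.10]
Dec  6 17:21:04 mail sendmail[5031]: pB6MLBa1005031: from=<jdoe@example.com>, size=2198, nrcpts=1, relay=host1.example.net [192.0.2.10]
Dec  6 17:22:10 mail sendmail[5040]: pB6MMAa1005040: from=<alice@example.com>, size=911, nrcpts=1, relay=localhost [127.0.0.1]
Dec  6 17:23:00 mail sendmail[5050]: pB6MNAa1005050: from=<bob@example.com>, size=500, nrcpts=1, relay=localhost [127.0.0.1]
EOF
}
# queue_origins MAILQ_FILE MAILLOG_FILE
# Prints "COUNT from=<sender> authid=<user or -> relay=<host [ip]>" for every
# message still queued, busiest origin first. from= is the envelope sender and
# can be forged; authid and relay say who actually submitted the mail.
queue_origins() {
  awk '
    FNR == NR {                        # first file: collect queue IDs
      if ($0 !~ /^[ \t-]/ && NF >= 7) { id = $1; sub(/[*X-]+$/, "", id); queued[id] = 1 }
      next
    }
    $5 !~ /^sendmail\[/ { next }       # second file: sendmail lines only
    { pid = $5; gsub(/[^0-9]/, "", pid) }
    $6 ~ /^AUTH=server/ && match($0, /authid=[^,]*/) {
      auth[pid] = substr($0, RSTART + 7, RLENGTH - 7); next   # login per session PID
    }
    $7 ~ /^from=/ {
      id = $6; sub(/:$/, "", id)
      if (!(id in queued)) next        # already delivered, not in the queue
      from = $7; sub(/,$/, "", from)
      relay = $0; sub(/.*relay=/, "", relay)
      n[from " authid=" ((pid in auth) ? auth[pid] : "-") " relay=" relay]++
    }
    END { for (k in n) print n[k], k }
  ' "$1" "$2" | sort -rn
}
demo() {   # run the lookup over the constructed samples
  d=$(mktemp -d) || return 1
  sample_mailq > "$d/mailq.txt"; sample_maillog > "$d/maillog"
  queue_origins "$d/mailq.txt" "$d/maillog"; rm -rf "$d"
}
demo
```

On a live system, save the output of mailq to a file and pass it with the current maillog as the two arguments to queue_origins.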