<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19170"></HEAD>
<BODY bgColor=#ffffff>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>I
found a script that was being used to send out spam and removed
it.</FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>I have
someone else spamming through my server but cannot find out
how.</FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>This
is from my maillog:</FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial>maillog</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>Jan 11
03:24:18 hosting2 sendmail[720]: q0B97l0p000689: to=<<A
href="mailto:jiyu0312@163.com">jiyu0312@163.com</A>>, ctladdr=<<A
href="mailto:apache@hosting2.cgeinternet.com">apache@hosting2.cgeinternet.com</A>>
(48/48), delay=01:16:30, xdelay=01:16:30, mailer=esmtp, pri=121546,
relay=163mx00.mxmail.netease.com. [220.181.12.76], dsn=4.0.0, stat=Deferred:
Connection timed out with 163mx00.mxmail.netease.com.</FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>There
are several of these.</FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>When I
look at the Running Processes I see several entries like this
one:</FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>12496
root 22:39 sendmail: ./q0F5KiUI030059 163mx01.mxmail.netease.com.: user
open</FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>When I
view File and Connections for that PID it pulls up:</FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial>Current dir Directory 12288 262152 /var/spool/mqueue <BR>Root dir
Directory 4096 2 / <BR>Program code Regular file 806460 699239
/usr/sbin/sendmail.sendmail <BR>Shared library Regular file 1011760 1343532
/lib/libdb-4.3.so <BR>Shared library Regular file 31344 1343573
/lib/libwrap.so.0.7.6 <BR>Shared library Regular file 14012 696053
/usr/lib/libhesiod.so.0.0.0 <BR>Shared library Regular file 99060 702926
/usr/lib/libsasl2.so.2.0.22 <BR>Shared library Regular file 53792 698079
/usr/lib/liblber-2.3.so.0.2.31 <BR>Shared library Regular file 1297124 1343685
/lib/libcrypto.so.0.9.8e <BR>Shared library Regular file 240584 698075
/usr/lib/libldap-2.3.so.0.2.31 <BR>Shared library Regular file 1693812 1343646
/lib/libc-2.5.so <BR>Shared library Regular file 7812 1343674
/lib/libcom_err.so.2.1 <BR>Shared library Regular file 20668 1343656
/lib/libdl-2.5.so <BR>Shared library Regular file 190712 696891
/usr/lib/libgssapi_krb5.so.2.2 <BR>Shared library Regular file 50848 1345260
/lib/libnss_files-2.5.so <BR>Shared library Regular file 613716 694940
/usr/lib/libkrb5.so.3.3 <BR>Shared library Regular file 157336 692654
/usr/lib/libk5crypto.so.3.1 <BR>Shared library Regular file 93508 1343672
/lib/libselinux.so.1 <BR>Shared library Regular file 245376 1343671
/lib/libsepol.so.1 <BR>Shared library Regular file 75120 1343676
/lib/libz.so.1.2.3 <BR>Shared library Regular file 129900 1343507 /lib/ld-2.5.so
<BR>Shared library Regular file 80636 1343670 /lib/libresolv-2.5.so <BR>Shared
library Regular file 14752 758091 /usr/lib/sasl2/liblogin.so.2.0.22 <BR>Shared
library Regular file 137908 1343657 /lib/libpthread-2.5.so <BR>Shared library
Regular file 905200 758118 /usr/lib/sasl2/libsasldb.so.2.0.22 <BR>Shared library
Regular file 21948 1344343 /lib/libnss_dns-2.5.so <BR>Shared library Regular
file 33968 692650 /usr/lib/libkrb5support.so.0.1 <BR>Shared library Regular file
16832 758084 /usr/lib/sasl2/libcrammd5.so.2.0.22 <BR>Shared library Regular file
14848 758095 /usr/lib/sasl2/libplain.so.2.0.22 <BR>Shared library Regular file
293428 1343492 /lib/libssl.so.0.9.8e <BR>Shared library Regular file 7880
1343667 /lib/libkeyutils-1.2.so <BR>Shared library Regular file 109740 1343717
/lib/libnsl-2.5.so <BR>Shared library Regular file 47172 758088
/usr/lib/sasl2/libdigestmd5.so.2.0.22 <BR>Shared library Regular file 45432
1343707 /lib/libcrypt-2.5.so <BR>Shared library Regular file 14372 757564
/usr/lib/sasl2/libanonymous.so.2.0.22 <BR>0r Character special <BR> 1600
/dev/null <BR>1w Character special <BR> 1600 /dev/null <BR>2w Character
special <BR> 1600 /dev/null <BR>4uw Regular file 1174 262185
/var/spool/mqueue/qfq0F5KiUI030059 <BR>5r Regular file 53033 262167
/var/spool/mqueue/dfq0F5KiUI030059 <BR>6r Regular file 172032 66405
/etc/mail/virtusertable.db <BR>7r Regular file 172032 66405
/etc/mail/virtusertable.db <BR>8r Regular file 12288 66408
/etc/mail/mailertable.db <BR>9r Regular file 12288 66408
/etc/mail/mailertable.db </FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>Open
Network Connections<BR>IPV4 TCP 10u 65.39.71.4:44891 -> 220.181.12.63:smtp
SYN_SENT </FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>copy
of message header from mqueue:<BR>Return-Path <g> <BR>Received from
hosting2.cgeinternet.com (localhost [127.0.0.1])by hosting2.cgeinternet.com
(8.13.8/8.13.8) with ESMTP id q0F5IaOh006469(version=TLSv1/SSLv3
cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)for <<A
href="mailto:cmq@cnuninet.com">cmq@cnuninet.com</A>>; Sat, 14 Jan 2012
22:18:37 -0700 <BR>Full-Name Apache <BR>Received (from <A
href="mailto:apache@localhost)by">apache@localhost)by</A>
hosting2.cgeinternet.com (8.13.8/8.13.8/Submit) id q0F5ITBF004465;Sat, 14 Jan
2012 22:18:29 -0700 <BR>Date Sat, 14 Jan 2012 22:18:29 -0700 <BR>Message-Id
<<A
href="mailto:201201150518.q0F5ITBF004465@hosting2.cgeinternet.com">201201150518.q0F5ITBF004465@hosting2.cgeinternet.com</A>>
<BR>To <A href="mailto:cmq@cnuninet.com">cmq@cnuninet.com</A> <BR>Subject Your
order has been completed <BR>From "American Airlines" <<A
href="mailto:account-no572@aa.com">account-no572@aa.com</A>> <BR>X-Mailer
aerobacterkatowicefairport <BR>Reply-To "American Airlines" <<A
href="mailto:account-no572@aa.com">account-no572@aa.com</A>> <BR>Mime-Version
1.0 <BR>Content-Type
multipart/mixed;boundary="----------13266047094F1261A50346C" <BR>X-Virus-Scanned
clamav-milter 0.97.3 at hosting2.cgeinternet.com <BR>X-Virus-Status Clean
</FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>Can
someone please point me in the right direction?</FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2 face=Arial>Thank
you.</FONT></SPAN></DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=137083306-15012012><FONT color=#0000ff size=2
face=Arial>jimmy</FONT></SPAN></DIV>
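<DIV><FONT size=2 face=Arial>Added example (editor's addition, not code from either message in this thread): a Python script that parses sendmail delivery records in the format quoted above, counts messages per submitting local user (the ctladdr field) and flags submissions made by the web-server account, which is how a spamming web script shows up in maillog. The first sample line is the one quoted above; the remaining lines, the example.* addresses and the list of daemon account names are constructed assumptions.</FONT></DIV>

```python
"""Triage outbound sendmail activity from a maillog.

Added example for this thread, not code from either message. It parses the
"to=... ctladdr=... stat=..." delivery records that sendmail writes, counts
messages per submitting local user and flags submissions made by the web-server
account, which is how a spamming web script shows up (ctladdr=<apache@...>).
"""
import re
import sys
from collections import Counter, defaultdict

# Local accounts that should not normally originate bulk mail. Assumption for a
# RHEL/CentOS-style host (uid 48 is apache there, matching the "(48/48)" above).
DAEMON_SENDERS = {"apache", "www-data", "httpd", "nobody"}

# Constructed sample: the first line is the one quoted in the message above, the
# rest are invented (example.* names, 192.0.2.x test addresses) for the demo.
SAMPLE_MAILLOG = """\
Jan 11 03:24:18 hosting2 sendmail[720]: q0B97l0p000689: to=<jiyu0312@163.com>, ctladdr=<apache@hosting2.cgeinternet.com> (48/48), delay=01:16:30, xdelay=01:16:30, mailer=esmtp, pri=121546, relay=163mx00.mxmail.netease.com. [220.181.12.76], dsn=4.0.0, stat=Deferred: Connection timed out with 163mx00.mxmail.netease.com.
Jan 11 03:24:19 hosting2 sendmail[721]: q0B97l0q000690: to=<user1@example.com>, ctladdr=<apache@hosting2.cgeinternet.com> (48/48), delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=120000, relay=mx.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Jan 11 03:24:20 hosting2 sendmail[722]: q0B97l0r000691: to=<user2@example.net>, ctladdr=<apache@hosting2.cgeinternet.com> (48/48), delay=00:00:03, xdelay=00:00:01, mailer=esmtp, pri=120000, relay=mx.example.net. [192.0.2.11], dsn=4.0.0, stat=Deferred: Connection timed out with mx.example.net.
Jan 11 03:30:00 hosting2 sendmail[800]: q0B9U00s000700: to=<friend@example.org>, ctladdr=<alice@hosting2.cgeinternet.com> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.org. [192.0.2.12], dsn=2.0.0, stat=Sent (ok)
Jan 11 03:31:00 hosting2 sendmail[801]: q0B9V00t000701: from=<alice@hosting2.cgeinternet.com>, size=1024, class=0, nrcpts=1, msgid=<abc@hosting2.cgeinternet.com>, relay=alice@localhost
"""

# syslog timestamp, host, "sendmail[pid]: queueid: key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_fields(rest):
    """Split 'k=v, k=v, stat=...' into a dict; stat is last and may contain commas."""
    fields = {}
    head, sep, stat = rest.partition(", stat=")
    for chunk in head.split(", "):
        key, eq, value = chunk.partition("=")
        if eq:
            fields[key.strip()] = value.strip()
    if sep:
        fields["stat"] = stat.strip()
    return fields


def parse_delivery(line):
    """Return a record for a delivery-attempt line (has to= and ctladdr=), else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = parse_fields(m.group("rest"))
    if "to" not in fields or "ctladdr" not in fields:
        return None  # from= submission records and other noise are skipped
    addr = ADDR_RE.search(fields["ctladdr"])
    ctladdr = addr.group(1) if addr else fields["ctladdr"]
    return {
        "qid": m.group("qid"),
        "ctladdr": ctladdr,
        "sender_user": ctladdr.split("@", 1)[0],
        "relay": fields.get("relay", ""),
        # dsn 4.x.x or a "Deferred" status means the message is still queued
        "deferred": fields.get("dsn", "").startswith("4.")
        or fields.get("stat", "").startswith("Deferred"),
    }


def summarize(lines):
    """Aggregate delivery records by submitting user; flag daemon accounts."""
    records = [r for r in (parse_delivery(l) for l in lines) if r]
    per_user = Counter(r["sender_user"] for r in records)
    deferred = Counter(r["sender_user"] for r in records if r["deferred"])
    queue_ids = defaultdict(list)
    for r in records:
        queue_ids[r["sender_user"]].append(r["qid"])
    flagged = sorted(u for u in per_user if u in DAEMON_SENDERS)
    return {
        "per_user": dict(per_user),
        "deferred": dict(deferred),
        "flagged": flagged,
        # Queue IDs name the qf<qid> (header) and df<qid> (body) files under
        # /var/spool/mqueue, which is where the poster above read the header.
        "queue_ids": {u: queue_ids[u] for u in flagged},
    }


def report(summary):
    """Human-readable summary, busiest submitter first."""
    lines = [f"{user}: {n} deliveries, {summary['deferred'].get(user, 0)} deferred"
             for user, n in sorted(summary["per_user"].items(), key=lambda kv: -kv[1])]
    for user in summary["flagged"]:
        lines.append(f"WARNING: web/daemon account {user!r} is submitting mail; "
                     f"inspect /var/spool/mqueue/qf{summary['queue_ids'][user][0]} "
                     "and the httpd access log around those timestamps")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 triage.py /var/log/maillog   (no argument runs the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(report(summarize(fh)))
    else:
        print(report(summarize(SAMPLE_MAILLOG.splitlines())))
```

<DIV><FONT size=2 face=Arial>The point of grouping on ctladdr rather than on the From header is that the header is whatever the script chose to put there ("American Airlines" in the copy above), while ctladdr is the local uid sendmail recorded for the process that submitted the message; a web-server uid there means a script under the document root, not a cracked mailbox account, so the next log to correlate is the httpd access log, not /var/log/secure. Read the qf/df files for the flagged queue IDs before clearing the queue, since the headers are the only record of which vhost and script produced them.</FONT></DIV>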
<BLOCKQUOTE>
<DIV dir=ltr class=OutlookMessageHeader align=left><FONT size=2
face=Tahoma>-----Original Message-----<BR><B>From:</B>
blueonyx-bounces@mail.blueonyx.it
[mailto:blueonyx-bounces@mail.blueonyx.it]<B>On Behalf Of </B>Chuck
Tetlow<BR><B>Sent:</B> Sunday, January 08, 2012 3:01 PM<BR><B>To:</B> BlueOnyx
General Mailing List<BR><B>Subject:</B> [BlueOnyx:09335] Re: /var/spool is at
3GB causing /var to fil<BR><BR></FONT></DIV><FONT size=2>> Jimmy Gross
wrote: <BR>> > <BR>> > /var/spool is at 3GB which is making the
directory get full which is causing <BR>> > mail to stop. <BR>> >
<BR>> > How do I clear this? <BR>> <BR>> What file(s) inside
/var/spool are growing? Find that out, and you'll <BR>> know what to
clear. <BR>> <BR>> If your /var/spool/mqueue directory is growing with a
bunch of files, <BR>> you'll want to find out why. Maybe you've been
mailbombed, hacked, <BR>> spammed or have some sort of delivery problem.
In /var/spool, that <BR>> would be my first guess to look for.
<BR>> <BR>> > I have rebooted the server twice but no change.
<BR>> <BR>> Right. Rebooting a server isn't going to remove files.
Besides, I try <BR>> and reboot as infrequently as possible, using
reboots only for when <BR>> there is no other option, or to load a new
kernel. <BR>> <BR>> -- <BR>> Chris Gebhardt <BR><BR><BR><BR></FONT>In
my experience - it's almost always /var/spool/mqueue. I've had to clean
at least a dozen servers that have had the same thing happen. A single
user account on the box gets hacked because of a guessable password - and then
some scumbag starts relaying millions of SPAM through your server.
<BR><BR>And I'm not exaggerating! One of my BQ customers had a couple of
accounts guessed because they had passwords like "password" or a password same
as the username. In the four/five days it took them to realize there was
a problem and call me - the logs recorded just over 2 million SPAMS dropped
into that machine for relay. In fact, the reason they knew there was a
problem - the big companies like YahooMail and Gmail were blacklisting their
server!! <BR><BR>To find what in /var/spool is growing so much - go to the
command line and run "du -hs /var/spool/*". That will give you a list of
the files/directories in /var/spool along with their size (in KB, MB, and
GB). Look to see what is ridiculously large and that directory is your
problem. <BR><BR>If it's /var/spool/mqueue - it's probably someone using your
server to relay SPAM through a hacked account. It's actually an easy
fix. But you risk losing a valid e-mail or two. To fix it - just
shut down your e-mail server with "service sendmail stop". E-mail waiting
to be sent out to their destination server is stored in
/var/spool/mqueue. So just go into that directory and run "rm -f
/var/spool/mqueue/*". That will get rid of all the build-up in
/var/spool/mqueue. Then restart the mail server with "service sendmail
start". <BR><BR>(Oh - once or twice I've had to do a similar cleanup, and
there were so many messages that the server couldn't delete them with a simple
"rm -f *". I had to do it in chunks, like "rm -f dfq0*", "rm -f dfq1*",
"rm -f dfq2*", and so on) <BR><BR>BUT! Don't forget to find the root
cause and fix it. The best bet is to carefully go through
/var/log/maillog and see who is sending/relaying a lot of messages.
Other places to look for clues are /var/log/messages and /var/log/secure.
Of course, if you've got a webmail package installed - you may have to go
through /var/log/httpd/access to see who is sending those messages. But
wherever you find the clues - either shut down the account being used or
change its password. That will lock out the scum using your server.
<BR><BR><BR>And this is a very good answer to that discussion on the list last
week - about disabling strong password enforcement! If you let users
choose weak passwords, they will. Those weak passwords will be guessed
and exploited - to the point that it can deny services to your valid users,
take down your server, and possibly get your server blacklisted as a SPAM
relay. Then you'll spend hours cleaning up the mess, tracking down the
exploited account, getting your server un-blacklisted, and apologizing to your
customers about the service interruption (IF you can keep them). It's
just not worth it - leave the system set to REQUIRE strong passwords!!
<BR><BR><BR><BR>Chuck <BR><BR><BR></BLOCKQUOTE></BODY></HTML>