#1
The conf:
Fedora Core 1, Qmailtoaster 1.0 stable, based on http://www.qmailtoaster.com

tcp.smtp: Code:
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
127.:deny
(The second line is there temporarily.)

I have my hosts in control/rcpthosts. Somebody is still somehow using the server to send a large amount of mail through. In the log it says that it's sent from root@xxxxxxxxxxx.com: Code:
@400000004199ea762b469ef4 new msg 596200
@400000004199ea762b484ca4 info msg 596200: bytes 2695 from <root@xxxxxxxxxxxx.com> qp 21034 uid 48

I disabled vchkpw authentication. I don't know if it's the right thing to do, but here it is: Code:
#!/bin/sh
# qmailtoaster-style smtpd run script, with the SMTP AUTH checkpassword
# program replaced by a nonexistent one so that AUTH is switched off.
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
BLACKLIST=`cat /var/qmail/control/blacklists`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
EMPTY="/bin/nothing"   # not used below
# tcpserver applies the compiled tcp.smtp rules to every connection, then
# hands it to rblsmtpd (RBL lookups) and qmail-smtpd.  The last two
# arguments to qmail-smtpd are the AUTH checkpassword program and its
# sub-program; "dymmy" does not exist, so AUTH can never succeed.
# The original vchkpw argument line is kept commented out underneath.
exec /usr/bin/softlimit -m 30000000 \
    /usr/bin/tcpserver -v -R -S -p -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    $RBLSMTPD $BLACKLIST $SMTPD $HOSTNAME dymmy /bin/true 2>&1
#   $RBLSMTPD $BLACKLIST $SMTPD $HOSTNAME $VCHKPW /bin/true 2>&1
The qmail current log is quite plain. Any ideas how to get a full log out of smtpd to see who/how the hell is actually logging in? Any other possibilities to get through to send spam? Desperately need help. Right now I clean the spam out of the queue every few hours and then start qmail-send for a minute to send all mail.
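The tcp.smtp rules quoted above decide which clients tcpserver accepts and which environment (QMAILQUEUE, RELAYCLIENT) the resulting qmail-smtpd sees. tcprules picks the most specific matching address, not the first line in the file, so the temporary "127.:deny" wins over ":allow" for 127.0.0.1. The following is an added example, not part of the thread or of qmailtoaster: it reimplements only the IP-prefix part of the lookup order documented for ucspi-tcp's tcprules and runs it against a constructed rule file consisting of the poster's two lines plus a hypothetical 192.168.1. relay line (an assumption, not from the thread). It also shows where this lever stops: the rules apply only to TCP connections that tcpserver accepts, so mail that a local process hands to /var/qmail/bin/sendmail never passes through them.

```python
"""Which tcp.smtp rule applies to a client, resolved the way tcprules does.

Added example, not from the thread.  Only the IP part of the tcprules
lookup order is implemented: exact remote IP first, then shorter and
shorter prefixes ending in a dot, then the empty default.  Host-based
(=host) and TCPREMOTEINFO@ rules are not handled.
"""
import re

# Constructed rule file: the two lines from post #1 plus a hypothetical LAN
# relay line (192.168.1. is an assumption, not from the thread).
TCP_SMTP = """\
# default: accept, run qmail-scanner via QMAILQUEUE, no relaying
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
# temporary: refuse SMTP connections from localhost
127.:deny
# LAN clients may relay (RELAYCLIENT is the variable qmail-smtpd checks)
192.168.1.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
"""

ENV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def parse_rules(text):
    """Map address pattern -> (instruction, env dict); '#' lines and blanks skipped."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        instruction, _, env_part = rest.partition(",")
        if instruction not in ("allow", "deny"):
            raise ValueError("bad instruction in rule: %r" % raw)
        rules[addr] = (instruction, dict(ENV_RE.findall(env_part)))
    return rules


def candidates(ip):
    """Lookup keys in tcprules order: full IP, prefixes ending in '.', then ''."""
    keys = [ip]
    parts = ip.split(".")
    for n in range(len(parts) - 1, 0, -1):
        keys.append(".".join(parts[:n]) + ".")
    keys.append("")
    return keys


def decide(rules, ip):
    """Return (instruction, env, matched_key) for a client address.

    The first candidate present in the rule set wins, which is why '127.'
    beats the empty default.  With no match at all tcpserver accepts the
    connection and sets no extra environment, so that is the fallback here.
    """
    for key in candidates(ip):
        if key in rules:
            instruction, env = rules[key]
            return instruction, dict(env), key
    return "allow", {}, None


if __name__ == "__main__":
    rules = parse_rules(TCP_SMTP)
    for client in ("127.0.0.1", "192.168.1.20", "203.0.113.7"):
        print(client, decide(rules, client))
```

Run it before compiling a changed tcp.smtp with tcprules to see what each class of client will get; remember that a web script on the same box calling sendmail is not a client of tcpserver at all and gets none of these decisions.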
#2
Quote:
Someone has gained ROOT access to your BOX. I'd take it offline IMMEDIATELY, if not sooner. It is probably a rootkit that has zombied your system. Do you log in as root? Have you been accessing your system across a network? Are you running Tripwire? Man... I wouldn't be surprised if you weren't able to determine who, what, where, when and HOW. Sorry. My advice (which may be unpopular): GO NUCLEAR. Take the system down, wipe the drive, reinstall from the ground up. Hopefully you have a backup!! DON'T BACK UP, WIPE AND RECOVER WITH THAT BACKUP; you will only reinstall whatever is infecting your system.
__________________
Curious by Nature, Linux by Choice
#3
Hey man, you are scaring me.
But the logs don't show a root logon or any kind of login, at least not from SSH. Also I have stopped the mail server and HE hasn't started it. Also, if I stopped the mail server, then he left me alone for a day or two. It may be that he has some kind of access, but it doesn't seem like full access. Gonna double-check the other logs again.

OK, looked around in the logs, and the qmail-send logs show that the msg came from the <> mail address with user id 504, which is the qmail-scanner user id. So I presume that it comes in from SMTP and, after qmail-scanner has checked it, it passes it on for sending (to qmail-send).
#4
I hope you are at least a little scared... YOU HAVE SOMEONE TAKING OVER YOUR SYSTEM...
You probably will NOT find the intruder, because the latest rootkits modify the ps command and other kernel-level areas and MASK that the intruder is in there. http://www.linuxfocus.org/English/N...rticle263.shtml Read this article and see if you shouldn't be afraid! Again... IF you shut down your email server and it stops, and you start your system and spam flows from your system... what do you think is going on? YOU have BeEn OwnEd... It sucks... trust me, been there, been hacked. Take it as a badge of honor that you appeared on someone's radar, wipe your system, ARMOUR your next build and brag to your peeps over a beer that you are so well known on the grid that someone hacked your system. Or continue to be an OwnEd open relay, get blacklisted by EVERY anti-spam site out there (check Spamhaus.org and SORBS.net to make sure you're not already) and sit back and wait for your ISP to ban the whole IP block you're on because your system is zombied and he/she got a bazillion spam reports on your account. Bearer of bad news... Frog
#5
I would like to come and kick your a ss. You don't know jack shi t, actually. If you got hacked, it doesn't mean everybody else is hacked also.
Thanks for no help. Keep your mouth shut next time. Don't need any of your bull sh t. Got it all figured out, and not thanks to you. The problem was in a portal system that one of my users had. It allowed sending mail. Therefore it showed it was sent from localhost.
#6
So basically you were too stupid to lock down your system, and to spend a little time learning the server and software you installed, before letting all your buddies 'play' on your new server... Your bad!
That you allowed a user the opportunity to change settings that COMPROMISED your system shows that you need to drink from a big can of Shut-The-F-Up. Flamer wannabe: that silly a$$ threat stuff may work in whatever 9th grade special ed class you are in... Don't bring it here.
Dev Shed Forums > System Administration > Mail Server Help > Qmail spam relay