RE: [cobalt-users] Getting Hacked! Please HELP ASAP!
- Subject: RE: [cobalt-users] Getting Hacked! Please HELP ASAP!
- From: "John Cordeiro" <jcordeiro@xxxxxxxx>
- Date: Thu Aug 24 17:46:18 2000
Port 25 is the SMTP port for the server. The first # is the process; root
is the user. SENDMAIL uses root.
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Casselman, Chad
Sent: Thursday, August 24, 2000 5:41 PM
To: ''cobalt-users@xxxxxxxxxxxxxxx ' '
Subject: RE: [cobalt-users] Getting Hacked! Please HELP ASAP!
Can someone explain these 2 lines to me.
1377 root 0 0 1380 1380 1148 S 0 0.0 0.5 0:00 sendmail: OAA11595 www.mciworld.com.: user
1373 root 0 0 1176 1176 1012 S 0 0.0 0.4 0:00 sendmail: accepting connections on port 25
Thanks,
chad
-----Original Message-----
From: Casselman, Chad
To: 'cobalt-users@xxxxxxxxxxxxxxx '
Sent: 8/24/00 3:49 PM
Subject: RE: [cobalt-users] Getting Hacked! Please HELP ASAP!
Ok, I rebooted, it kept happening. I installed the latest patches and
rebooted, it kept happening. I have shut down sendmail and this is all
in my maillog. Can you help me figure this out?
Aug 24 15:36:21 server1 sendmail[607]: OAA11523: to=hash@xxxxxxxxxxxxxxxxx, delay=00:47:36, xdelay=00:03:09, mailer=esmtp, relay=ial4.jsc.nasa.gov. [139.169.196.93], stat=Deferred: Connection timed out with ial4.jsc.nasa.gov.
Aug 24 15:36:25 server1 sendmail[607]: OAA11523: to=dys29@xxxxxxx,dys10871@xxxxxxx,phalanx411@xxxxxxx, delay=00:47:40, xdelay=00:00:04, mailer=esmtp, relay=yg.mx.aol.com. [205.188.156.228], stat=Service unavailable
Aug 24 15:36:26 vsendmail[607]: OAA11523: to=dys099l@xxxxxxxxx, delay=00:47:41, xdelay=00:00:01, mailer=esmtp, relay=mailgw.tninet.se. [195.100.94.25], stat=User unknown
Aug 24 15:36:29 server1 sendmail[607]: OAA11523: to=phalanx1@xxxxxxxxxx, delay=00:47:44, xdelay=00:00:02, mailer=esmtp, relay=y.mx.execpc.com. [169.207.1.4], stat=Deferred: 451 <gtd8@xxxxxxxxxx>... Sender domain must resolve
Aug 24 15:36:36 server1 sendmail[607]: OAA11523: to=johnnysc@xxxxxxxxxxxxx, delay=00:47:51, xdelay=00:00:07, mailer=esmtp, relay=mail01.dfw.mindspring.net. [199.174.33.5], stat=Sent (sqauh0.qj3.33qs885 Message accepted for delivery)
Aug 24 15:36:37 server1 sendmail[607]: OAA11523: to=cs94mpb@xxxxxxxxxxxx, delay=00:47:52, xdelay=00:00:01, mailer=esmtp, relay=eros.brunel.ac.uk. [134.83.128.60], stat=User unknown
Aug 24 15:36:38 server1 sendmail[607]: OAA11523: to=wylie@xxxxxxxxxxxx, delay=00:47:53, xdelay=00:00:01, mailer=esmtp, relay=mail.rconnect.com. [209.163.30.241], stat=Data format error
Aug 24 15:36:48 server1 sendmail[607]: OAA11523: to=HerbalV@xxxxxxxxxxxxxx, delay=00:48:03, xdelay=00:00:10, mailer=esmtp, relay=uio.uio.satnet.net. [207.243.59.1], stat=User unknown
Thanks,
chad
-----Original Message-----
From: Steven Werby
To: cobalt-users@xxxxxxxxxxxxxxx
Sent: 8/24/00 3:42 PM
Subject: Re: [cobalt-users] Getting Hacked! Please HELP ASAP!
Casselman, Chad <chad.casselman@xxxxxxxxxxxxxxxxx> wrote:
> All of a sudden I start getting tons of bounce emails that I am not sending.
> I look at top and sendmail is going nutz and sending all these emails and
> most are bouncing.
Are you sure that they are originating on your server? On several occasions
I've had spammers in China send millions of emails from a 3rd party server using
one of my addresses as the from address. I got hundreds of thousands of bounced
messages, but none of the messages originated on my server. I resorted to
disabling the email address by adding the following to /etc/virtusertable:
the_address@xxxxxxxxxx error:nouser
> So someone is using my system to spam thousands of
> people. How can I turn sendmail off
/etc/rc.d/init.d/sendmail stop
> or get to the bottom of this.
Check your logs. /var/log/maillog
--
Steven Werby {steven-lists@xxxxxxxxxxxx}
_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
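Added example, not part of the original thread: a Python sketch of the "check your logs" step for /var/log/maillog. It groups sendmail delivery lines by queue ID, flags a message that fans out to many recipient domains with mostly failed deliveries, and reports the relay= value from that message's from= line, which is the host that submitted it. The sample log, the thresholds and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in sendmail's maillog format; every host and address is made up.
SAMPLE_LOG = """\
Aug 24 14:48:45 server1 sendmail[590]: OAA00001: from=<x@spam.example>, size=2048, class=0, pri=300000, nrcpts=5, proto=SMTP, relay=[203.0.113.7]
Aug 24 15:36:21 server1 sendmail[607]: OAA00001: to=a@one.example, delay=00:47:36, mailer=esmtp, relay=mx.one.example. [192.0.2.1], stat=Deferred: Connection timed out
Aug 24 15:36:25 server1 sendmail[607]: OAA00001: to=b@two.example,c@two.example, delay=00:47:40, mailer=esmtp, relay=mx.two.example. [192.0.2.2], stat=Service unavailable
Aug 24 15:36:26 server1 sendmail[607]: OAA00001: to=d@three.example, delay=00:47:41, mailer=esmtp, relay=mx.three.example. [192.0.2.3], stat=User unknown
Aug 24 15:36:36 server1 sendmail[607]: OAA00001: to=e@four.example, delay=00:47:51, mailer=esmtp, relay=mx.four.example. [192.0.2.4], stat=Sent (ok)
Aug 24 15:40:02 server1 sendmail[611]: OAA00002: from=<chad@site.example>, size=900, class=0, pri=30000, nrcpts=1, proto=ESMTP, relay=localhost [127.0.0.1]
Aug 24 15:40:03 server1 sendmail[612]: OAA00002: to=friend@five.example, delay=00:00:01, mailer=esmtp, relay=mx.five.example. [192.0.2.5], stat=Sent (ok)
"""

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$", re.M)

def field(rest, name):
    """Value of one ', '-separated name=value field, or None if absent."""
    m = re.search(r"(?:^|, )" + name + r"=(.*?)(?=, \w+=|$)", rest)
    return m.group(1) if m else None

def summarize(log_text):
    """Group log lines by queue ID: submitting relay, recipients, delivery results."""
    msgs = defaultdict(lambda: {"source": None, "rcpts": set(), "stats": []})
    for m in LINE.finditer(log_text):
        msg, rest = msgs[m["qid"]], m["rest"]
        if rest.startswith("from="):
            msg["source"] = field(rest, "relay")  # host that handed us the message
        elif rest.startswith("to="):
            msg["rcpts"].update(field(rest, "to").split(","))
            stat = field(rest, "stat") or "unknown"
            # "Deferred: ..." -> "Deferred", "Sent (...)" -> "Sent"
            msg["stats"].append(stat.split(":")[0].split(" (")[0])
    return dict(msgs)

def suspicious(msgs, min_domains=4, min_fail_ratio=0.5):
    """Queue IDs sent to many domains where most delivery attempts failed."""
    hits = []
    for qid, m in msgs.items():
        domains = {r.rsplit("@", 1)[-1].lower() for r in m["rcpts"]}
        failed = sum(s != "Sent" for s in m["stats"])
        if len(domains) >= min_domains and failed >= min_fail_ratio * len(m["stats"]):
            hits.append((qid, m["source"], len(domains), failed))
    return hits

if __name__ == "__main__":
    for hit in suspicious(summarize(SAMPLE_LOG)):
        print("queue=%s submitted_by=%s domains=%d failed=%d" % hit)
```

A submitting relay outside your own network on a flagged queue ID points to the server relaying for a third party; a local submitter points to a script or account on the box.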