> I don't want to jump to conclusions, but the sudden high load and heaps of
> DNS traffic suggest that your system just sent (or attempted to send) a load
> of spam.
>
> For each recipient of the spam your system will make a DNS query to find
> their mailserver.
> Knowing a spammer's typical mail list, a lot of the addresses are bad which
> results in a ton of "Lame Server" and "Bad Referral" messages.
>
> It would also explain the high loadavg if they were carpetbombing FormMail.pl
> -- lots of DNS, lots of Apache instances, lots of mail. What does your mail
> log show?
There seems to be a hole in the maillog from 4:45 to 5:07, but perhaps the high load screwed with the logs. When the logs do come back, I get a bunch of "Illegal seek" messages (see below). Any ideas on these?
Jan 22 05:07:39 admin in.qpopper[11981]: EOF from at 202.104.161.30 (202.104.161.30): [0] 29 (Illegal seek); 0 (Success)
Jan 22 05:07:39 admin in.qpopper[11981]: (null) at 202.104.161.30 (202.104.161.30): -ERR POP EOF or I/O Error: 29 (Illegal seek); 0 (Success)
Jan 22 05:07:37 admin in.qpopper[11973]: EOF from at 64.252.14.164 (64.252.14.164): [0] 29 (Illegal seek); 0 (Success)
Jan 22 05:07:39 admin in.qpopper[11973]: (null) at 64.252.14.164 (64.252.14.164): -ERR POP EOF or I/O Error: 29 (Illegal seek); 0 (Success)

There isn't any FormMail.pl on the server, but there may be some vulnerable .cgi scripts. I can look for that.
Thanks for all the help so far.

Brian
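The two things worth checking in the maillog described above (a hole in the log between 4:45 and 5:07, and a burst of qpopper "Illegal seek" EOF errors) can be pulled out of a syslog-style file with a short script. What follows is an added example written for this page, not code from anyone in the thread. The sample log is constructed for the example: it uses the four qpopper lines quoted above plus made-up filler lines, the hostname "admin" and the year (syslog timestamps carry no year) are assumptions, and the 10-minute gap threshold is an arbitrary choice.

```python
"""Scan a syslog-style maillog for (a) holes in logging and (b) repeated
qpopper "Illegal seek" EOF errors, counted per client IP.

Added example for this thread, not code posted by any participant.
SAMPLE_LOG is constructed: the four qpopper lines are the ones quoted in
the thread, the rest is filler.  ASSUMED_YEAR is an assumption because
syslog timestamps have no year field.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

ASSUMED_YEAR = 2001  # assumption: syslog lines carry no year

# "Mon DD HH:MM:SS host prog[pid]: message" (pid optional)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample input.  Note the lines are deliberately not in time
# order, as in the thread; scan() sorts them before looking for gaps.
SAMPLE_LOG = """\
Jan 22 04:44:10 admin sendmail[11502]: f0M9iA11502: from=<brian@example.invalid>, size=512, nrcpts=1
Jan 22 04:44:58 admin in.qpopper[11510]: Stats: brian 0 0 3 4096
Jan 22 05:07:39 admin in.qpopper[11981]: EOF from at 202.104.161.30 (202.104.161.30): [0] 29 (Illegal seek); 0 (Success)
Jan 22 05:07:39 admin in.qpopper[11981]: (null) at 202.104.161.30 (202.104.161.30): -ERR POP EOF or I/O Error: 29 (Illegal seek); 0 (Success)
Jan 22 05:07:37 admin in.qpopper[11973]: EOF from at 64.252.14.164 (64.252.14.164): [0] 29 (Illegal seek); 0 (Success)
Jan 22 05:07:39 admin in.qpopper[11973]: (null) at 64.252.14.164 (64.252.14.164): -ERR POP EOF or I/O Error: 29 (Illegal seek); 0 (Success)
Jan 22 05:08:02 admin in.qpopper[11990]: EOF from at 202.104.161.30 (202.104.161.30): [0] 29 (Illegal seek); 0 (Success)
"""


def parse_line(line):
    """Return a dict for one syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the double space in "Jan  5"
    ts = datetime.strptime(f"{ASSUMED_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"]}


def find_gaps(entries, min_gap):
    """Return (start, end) pairs where consecutive entries are >= min_gap apart.

    entries must already be sorted by timestamp."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        if cur["ts"] - prev["ts"] >= min_gap:
            gaps.append((prev["ts"], cur["ts"]))
    return gaps


def illegal_seek_by_ip(entries):
    """Count qpopper 'Illegal seek' messages per client IP address."""
    counts = Counter()
    for e in entries:
        if e["prog"] == "in.qpopper" and "Illegal seek" in e["msg"]:
            ip = IP_RE.search(e["msg"])
            if ip:
                counts[ip.group(1)] += 1
    return counts


def scan(log_text, min_gap=timedelta(minutes=10)):
    """Parse, sort and summarise a maillog; returns gaps and per-IP error counts."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["ts"])
    return {"gaps": find_gaps(entries, min_gap),
            "illegal_seek": illegal_seek_by_ip(entries)}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for start, end in result["gaps"]:
        print(f"no log entries between {start:%b %d %H:%M:%S} and {end:%b %d %H:%M:%S}")
    for ip, n in result["illegal_seek"].most_common():
        print(f"{n:4d}  Illegal seek errors from {ip}")
```

Run it against the real file with `scan(open("/var/log/maillog").read())`; a gap of more than a few minutes on a busy mail host, or many errors from the same client, are the points to investigate further.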