[cobalt-users] Re: Re: Re: [RaQ2] SMTP server failure after RaQ2-All-Security Release update



Dan Kriwitsky wrote:

[logfile entries deleted for brevity]
>
>I hope you found whatever script was owned by the user nobody and
>stopped it. At least the spammer was only in the "A"s.
>
>
>--
>Dan Kriwitsky
>


Not at that hour of the morning....  But that brings up a couple more
questions/comments.  [Hey, I'm trying to learn!]

We've never received any complaints that we were the source of spam or open
for relaying spam....  Who is the moron hammering at my box (from whence
does he/she/it hammer at my box)?  What can be done - aside from testing us
for the presence of an open relay and pop-before-smtp - to harden the RaQ2?

What are the spammers accomplishing by hammering at a box that reports that
its SMTP service is not operating?  I reported earlier today that
chkrootkit-0.35 seems to indicate that I am not 'owned'.  What do I need to
do to restore smtp service and get the mail (to/from legitimate users of
the domains hosted on this box) flowing?

Is it going to take the drastic measure of taking everything down and using
the restore OS CD (and Lord knows how many sequential updates since the ISO
seems to date from sometime in 2000)?


I believe that I remember that the processes running and their PIDs are
obtained from the command

ps -ex

and that the command to kill a given process

kill -9 [pid]

[OK, I tested the above on the current dozens of processes from
mx.eudoramail.com and it seems to work - like whack-a-mole.]

Anything you can offer to help me learn by the experience is most greatly
appreciated.


-- 

Mike Scioli  <mscioliRUBBISH@xxxxxxxxxxxxxxxxxxxx>
Humble Ecologist, Mad Biometrician, Privacy Advocate
Remove the GARBAGE and RUBBISH to reply by e-mail.