
[cobalt-users] Re: Re: Re: Re: Re: Re: [RaQ2] SMTP server failure after RaQ2-All-Security Release update



On 18 May 2002 06:43:19 -0400 Gerald Waugh wrote:

>
>On Friday 17 May 2002 07:38 pm, Mike Scioli wrote:
>> On 17 May 2002 at 09:18:54, Dan Kriwitsky wrote:
>> >You'll need to check your access log once you found the script being
>> >abused. Then just search for the identical time to one of the entries
>> >from the maillog. You should then see where the, (if it was
>> >formmail.pl), IP of the abuser is.
>> >--
>> >Dan Kriwitsky
>> >
>>
>> Thanks, I will definitely look into that once the current crisis abates!
>
>I thought that was the crisis?
>That user is probably taking sendmail down.
>

Indeed, Gerald, the immediate crisis was to halt the onslaught on the box
and to resurrect SMTP.  My reply to Dan was meant to indicate that locating
the abuser(s) via IP address was on-deck after restoring the SMTP service.

When you're up to your armpits in alligators, it's hard to remember that
you only came to drain the swamp....

It seems that an old version of a web site - complete with a call to an old
version of the formmail script - was tucked away in one of the users'
directories.  The find command did not locate it but, when the hammering
continued unabated, I went through the sites manually until I located the
offending script and terminated it with extreme prejudice.

Y'all were correct on both matters - it was the hammering that brought down
SMTP, and it was a formmail script being abused.

Again, a serious thanks to you and to Dan for your patience, guidance, and
expert advice.


-- 

Mike Scioli  <mscioliRUBBISH@xxxxxxxxxxxxxxxxxxxx>
Humble Ecologist, Mad Biometrician, Privacy Advocate
Remove the GARBAGE and RUBBISH to reply by e-mail.
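The log check Dan describes above (take the time of a suspicious maillog entry, look for access-log hits at the same moment, and read off the client IP calling the form script) can be scripted rather than done by eye. The following is an added example, not code from this thread or from any of its participants: it correlates syslog-style sendmail lines with Apache common-log-format lines within a small time window and reports which IPs were hitting a form-mail CGI when the mail was going out. All log lines, host names, IPs and the `/cgi-bin/formmail.pl` path are constructed for illustration, and the year, the one-second window and the "formmail" path pattern are assumptions to adjust for a real box.

```python
"""Correlate a sendmail maillog with an Apache access log by timestamp.

Added example (not from the cobalt-users thread). For each outbound-mail
entry it finds form-script requests logged at nearly the same second and
counts them per client IP, so a single abuser driving a form-mail CGI
stands out. Sample logs below are constructed; the year, time window and
script pattern are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: syslog-style sendmail lines (syslog omits the year).
MAILLOG = """\
May 17 09:18:54 raq2 sendmail[1201]: g4HDIsP01201: from=<nobody@raq2.example>, size=512, nrcpts=1
May 17 09:18:55 raq2 sendmail[1202]: g4HDItP01202: from=<nobody@raq2.example>, size=517, nrcpts=1
May 17 09:18:57 raq2 sendmail[1203]: g4HDIvP01203: from=<nobody@raq2.example>, size=509, nrcpts=1
May 17 10:02:10 raq2 sendmail[1340]: g4HE2AP01340: from=<alice@raq2.example>, size=2048, nrcpts=1
"""

# Constructed sample: Apache common log format covering the same period.
ACCESS_LOG = """\
198.51.100.23 - - [17/May/2002:09:18:54 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 311
198.51.100.23 - - [17/May/2002:09:18:55 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 311
198.51.100.23 - - [17/May/2002:09:18:57 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 311
203.0.113.7 - - [17/May/2002:09:18:55 -0400] "GET /index.html HTTP/1.0" 200 1204
203.0.113.7 - - [17/May/2002:10:02:09 -0400] "GET /images/logo.gif HTTP/1.0" 200 4410
"""

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+) [^"]*" (\d{3})')


def parse_maillog(text, year):
    """Return (timestamp, message) pairs; the year is supplied because syslog lacks it."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        out.append((ts, msg))
    return out


def parse_access_log(text):
    """Return (timestamp, client_ip, path) triples from common-log-format lines."""
    out = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, stamp, path, _status = m.groups()
        # Drop the UTC offset: both logs are assumed to be written in local time.
        ts = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")
        out.append((ts, ip, path))
    return out


def correlate(mail_entries, web_entries, script_pattern=r"formmail", window_seconds=1):
    """Count, per client IP, the form-script requests that fall within
    +/- window_seconds of any outbound-mail entry. Each request is counted
    once even if several mail entries land inside its window."""
    pat = re.compile(script_pattern, re.IGNORECASE)
    delta = timedelta(seconds=window_seconds)
    matched = set()
    for mail_ts, _msg in mail_entries:
        for idx, (web_ts, _ip, path) in enumerate(web_entries):
            if pat.search(path) and abs(web_ts - mail_ts) <= delta:
                matched.add(idx)
    return Counter(web_entries[i][1] for i in matched)


def suspect_ips(maillog_text, access_text, year=2002, min_hits=2):
    """Return (ip, hits) for IPs that repeatedly hit the form script at
    mail-send times, most active first. min_hits filters out one-off matches."""
    hits = correlate(parse_maillog(maillog_text, year), parse_access_log(access_text))
    return [(ip, n) for ip, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    for ip, n in suspect_ips(MAILLOG, ACCESS_LOG):
        print(f"{ip}: {n} form-script requests coinciding with outbound mail")
```

On the constructed sample the browser at 203.0.113.7 never touches the form script and is ignored, while 198.51.100.23 is reported with three coinciding requests. On a real RaQ2 you would read the actual `maillog` and the per-site access logs instead of the inline strings, and widen `window_seconds` slightly if sendmail logs a second or two after Apache does.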