Hi Charlie,

Typically, this means that the relay on your SMTP server is open to an IP address that is being used by a spammer to do his business. Either the server's relay is wide open, or you have allowed too wide a range of IP addresses to use it as a relay. In either case, you need to close this relay, opening it only to the smallest possible range of IP addresses you need to get work done! Since this server uses Qmail as its MTA, visit the Qmail home page at http://www.qmail.org to find out what you need to do to close its relay. Hope this helps.

Thanks.

----- Original Message -----
From: charlie bullen
To: plug-discuss@lists.plug.phoenix.az.us
Sent: Thursday, October 31, 2002 7:07 PM
Subject: Hijacked server

I have a server running e-smith 4.1 which uses qmail. It has been hijacked and someone is using it to forward spam. Currently it is off the net, but that is only a temporary fix.

Here is a listing of running processes; towards the bottom you can see 7016 and 7017 that seem to be bad guys.

Any help would be appreciated.

Thanks

Charlie

  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:07 init [7]
    2 ?        SW     0:00 [kflushd]
    3 ?        SW     0:00 [kupdate]
    4 ?        SW     0:00 [kpiod]
    5 ?        SW     0:02 [kswapd]
    6 ?        SW<    0:00 [mdrecoveryd]
   68 ?        SW     0:00 [khubd]
  297 ?        S      0:03 syslogd -m 0 -a /home/dns/dev/log
  307 ?        S      0:00 klogd -c 1
  726 ?        S      0:00 crond
  759 ?        S      0:00 xinetd -reuse -pidfile /var/run/xinetd.pid
  815 ?        S      0:00 lpd Waiting
  840 ?        S      0:00 /usr/sbin/dhcpd eth0
  890 ?        S      0:00 /usr/sbin/slapd
  932 ?        S      0:00 smtpfwdd -d /var/spool/smtpd/spool
  962 ?        S      0:00 httpd
  971 ?        S      0:00 httpd
  972 ?        S      0:00 httpd
  973 ?        S      0:00 httpd
  974 ?        S      0:00 httpd
  975 ?        S      0:00 httpd
  976 ?        S      0:00 httpd
  977 ?        S      0:00 httpd
  978 ?        S      0:00 httpd
  979 ?        S      0:00 httpd
  984 ?        S      0:00 httpd
  988 ?        S      0:00 /usr/sbin/sshd
 1143 ?        S      0:00 /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.co
 1144 ?        S      0:00 /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.co
 1162 ?        S      0:00 sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
 1207 ?        S      0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
 1213 ?        S      0:00 squid -D
 1214 ?        S      0:00 (squid) -D
 1244 ?        S      0:00 (unlinkd)
 1245 ?        S      0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
 1246 ?        S      0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
 1263 ?        S      0:00 atalkd
 1264 ?        S      0:00 smbd -D
 1274 ?        S      0:00 nmbd -D
 1276 ?        S      0:00 nmbd -D
 1297 ?        S      0:01 /usr/sbin/named -f -u dns -g dns -t /home/dns
 1298 ?        S      0:00 /usr/sbin/pptpd -f
 1299 tty1     S      0:00 perl -wT /sbin/e-smith/console tty1
 1300 tty2     S      0:00 /sbin/mingetty tty2
 1301 tty3     S      0:00 /sbin/mingetty tty3
 1302 ?        Z      0:00 [rpmq <defunct>]
 1303 tty1     S      0:00 /usr/bin/logger -p local1.info -t console
 1304 tty1     S      0:00 /usr/bin/whiptail --clear --backtitle e-smith server an
 1321 ?        S      0:00 papd
 1331 ?        S      0:00 afpd -c 20 -n linux-box
 3053 ?        S      0:00 /usr/sbin/sshd
 3102 pts/0    S      0:00 -bash
 3864 ?        S      0:06 qmail-send
 3865 ?        Z      0:00 [accustamp <defunct>]
 3866 ?        S      0:00 qmail-lspawn ./Maildir/
 3867 ?        S      0:00 qmail-rspawn
 3868 ?        S      0:00 qmail-clean
 5287 ?        S      0:00 smtpd
 6612 ?        S      0:00 smtpd
 6670 ?        S      0:00 smtpd
 6877 ?        S      0:00 smtpd
 6878 ?        S      0:00 smtpd
 6956 ?        S      0:00 smbd -D
 6987 ?        Z      0:00 [smtpfwdd <defunct>]
 7006 ?        S      0:00 /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.co
 7009 ?        S      0:00 smtpd
 7010 ?        S      0:00 smtpd
 7016 ?        S      0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
 7017 ?        S      0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
 7019 ?        S      0:00 smtpd
 7020 ?        S      0:00 smtpd
 7021 pts/0    R      0:00 ps -xa
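An added example, not part of the thread above and not qmail's own code, that puts the two points of the reply into runnable form: spotting the outbound qmail-remote workers in a ps listing (the lines used are copied from Charlie's listing), and checking a relay rule set for the "wide open" or "too wide a range" misconfiguration. The rule format is the tcprules style that ucspi-tcp's tcpserver reads for qmail-smtpd (setting RELAYCLIENT="" grants relaying); that is an assumption for illustration, since the e-smith box in the thread fronts qmail with smtpd/smtpfwdd. Both rule sets, the client addresses, and the /24 cut-off are constructed here.

```python
"""Added example (not from the thread, not qmail's code). Two defender checks:
parse_ps_output()/summarize_remotes() find qmail-remote workers in `ps -xa`
output; parse_tcp_rules()/relay_decision()/wide_relay_rules() evaluate a
tcprules-style /etc/tcp.smtp (assumed tcpserver setup) for a client IP and
flag rules that grant RELAYCLIENT too widely. Rule sets are constructed."""
import re
from collections import Counter
from ipaddress import IPv4Address

# ps lines copied from the thread's listing
PS_LINES = """\
 3864 ?        S      0:06 qmail-send
 3867 ?        S      0:00 qmail-rspawn
 7009 ?        S      0:00 smtpd
 7016 ?        S      0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
 7017 ?        S      0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
 7019 ?        S      0:00 smtpd
"""

# constructed: everyone who connects may relay (an open relay)
OPEN_RULES = """\
:allow,RELAYCLIENT=""
"""

# constructed: only localhost and the LAN may relay; anyone else may still
# connect to deliver mail for local users, but gets no RELAYCLIENT
CLOSED_RULES = """\
127.0.0.1:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
:allow
"""

# qmail-remote's argv is: host sender recipient [recipient ...]
PS_RE = re.compile(
    r"^\s*(\d+)\s+\S+\s+\S+\s+\S+\s+qmail-remote\s+(\S+)\s+(\S+)(.*)$")


def parse_ps_output(text):
    """One dict per qmail-remote worker: pid, destination host, envelope
    sender, and whatever recipients ps managed to show (often truncated)."""
    found = []
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            found.append({"pid": int(m.group(1)), "host": m.group(2),
                          "sender": m.group(3), "rcpts": m.group(4).split()})
    return found


def summarize_remotes(remotes):
    """Count outbound deliveries per (destination host, envelope sender);
    one sender hammering one remote domain is the pattern in the thread."""
    return Counter((r["host"], r["sender"]) for r in remotes)


def parse_tcp_rules(text):
    """Parse 'prefix:allow|deny[,VAR="value",...]' lines. prefix is an exact
    IP, a dotted prefix ending in '.', or empty (matches everyone)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, _, rest = line.partition(":")
        action, _, envpart = rest.partition(",")
        env = dict(re.findall(r'(\w+)="([^"]*)"', envpart))
        rules.append({"prefix": prefix, "action": action.strip(), "env": env})
    return rules


def relay_decision(rules, client_ip):
    """Return (connection_allowed, may_relay) for an IPv4 client.

    Most-specific IP rule wins: the full address, then shorter dotted
    prefixes, then the empty prefix (tcpserver's IP lookup order; '=host'
    name rules are not modelled). With no matching rule tcpserver lets the
    connection in, and without RELAYCLIENT qmail-smtpd takes local mail only."""
    IPv4Address(client_ip)  # reject junk before building prefixes
    octets = client_ip.split(".")
    candidates = [client_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    by_prefix = {r["prefix"]: r for r in rules}
    for c in candidates:
        rule = by_prefix.get(c)
        if rule is not None:
            allowed = rule["action"] == "allow"
            return allowed, allowed and "RELAYCLIENT" in rule["env"]
    return True, False


def wide_relay_rules(rules):
    """Prefixes granting RELAYCLIENT to more than a /24 (fewer than three
    dots, or the empty everyone-prefix). The /24 cut-off is an assumption
    for this example; pick the smallest range you actually need."""
    return [r["prefix"] for r in rules
            if "RELAYCLIENT" in r["env"] and r["prefix"].count(".") < 3]


if __name__ == "__main__":
    for (host, sender), n in summarize_remotes(parse_ps_output(PS_LINES)).items():
        print(f"{n} qmail-remote worker(s) -> {host} from {sender}")
    for name, text in (("open", OPEN_RULES), ("closed", CLOSED_RULES)):
        rules = parse_tcp_rules(text)
        print(name, "relay for 203.0.113.9:", relay_decision(rules, "203.0.113.9"),
              "wide rules:", wide_relay_rules(rules))
```

Run against the listing, the summary shows two workers pushing mail to aol.com for the same envelope sender, which is exactly what singles out PIDs 7016 and 7017; the rule check then shows that the open set relays for an arbitrary outside address while the closed set relays only for localhost and the LAN prefix.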