I have a server running e-smith 4.1 which uses qmail. It has been hijacked and someone is using it to forward spam. Currently it is off the net, but that is only a temporary fix.
Here is a listing of running processes: towards the bottom you can see 7016 and 7017 that seem to be bad guys.
Any help would be appreciated.
Thanks
Charlie
PID TTY STAT TIME COMMAND
1 ? S 0:07 init [7]
2 ? SW 0:00 [kflushd]
3 ? SW 0:00 [kupdate]
4 ? SW 0:00 [kpiod]
5 ? SW 0:02 [kswapd]
6 ? SW< 0:00 [mdrecoveryd]
68 ? SW 0:00 [khubd]
297 ? S 0:03 syslogd -m 0 -a /home/dns/dev/log
307 ? S 0:00 klogd -c 1
726 ? S 0:00 crond
759 ? S 0:00 xinetd -reuse -pidfile /var/run/xinetd.pid
815 ? S 0:00 lpd Waiting
840 ? S 0:00 /usr/sbin/dhcpd eth0
890 ? S 0:00 /usr/sbin/slapd
932 ? S 0:00 smtpfwdd -d /var/spool/smtpd/spool
962 ? S 0:00 httpd
971 ? S 0:00 httpd
972 ? S 0:00 httpd
973 ? S 0:00 httpd
974 ? S 0:00 httpd
975 ? S 0:00 httpd
976 ? S 0:00 httpd
977 ? S 0:00 httpd
978 ? S 0:00 httpd
979 ? S 0:00 httpd
984 ? S 0:00 httpd
988 ? S 0:00 /usr/sbin/sshd
1143 ? S 0:00 /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.co
1144 ? S 0:00 /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.co
1162 ? S 0:00 sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
1207 ? S 0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
1213 ? S 0:00 squid -D
1214 ? S 0:00 (squid) -D
1244 ? S 0:00 (unlinkd)
1245 ? S 0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
1246 ? S 0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
1263 ? S 0:00 atalkd
1264 ? S 0:00 smbd -D
1274 ? S 0:00 nmbd -D
1276 ? S 0:00 nmbd -D
1297 ? S 0:01 /usr/sbin/named -f -u dns -g dns -t /home/dns
1298 ? S 0:00 /usr/sbin/pptpd -f
1299 tty1 S 0:00 perl -wT /sbin/e-smith/console tty1
1300 tty2 S 0:00 /sbin/mingetty tty2
1301 tty3 S 0:00 /sbin/mingetty tty3
1302 ? Z 0:00 [rpmq <defunct>]
1303 tty1 S 0:00 /usr/bin/logger -p local1.info -t console
1304 tty1 S 0:00 /usr/bin/whiptail --clear --backtitle e-smith server an
1321 ? S 0:00 papd
1331 ? S 0:00 afpd -c 20 -n linux-box
3053 ? S 0:00 /usr/sbin/sshd
3102 pts/0 S 0:00 -bash
3864 ? S 0:06 qmail-send
3865 ? Z 0:00 [accustamp <defunct>]
3866 ? S 0:00 qmail-lspawn ./Maildir/
3867 ? S 0:00 qmail-rspawn
3868 ? S 0:00 qmail-clean
5287 ? S 0:00 smtpd
6612 ? S 0:00 smtpd
6670 ? S 0:00 smtpd
6877 ? S 0:00 smtpd
6878 ? S 0:00 smtpd
6956 ? S 0:00 smbd -D
6987 ? Z 0:00 [smtpfwdd <defunct>]
7006 ? S 0:00 /usr/sbin/httpd-admin -f =
/etc/httpd/admin-conf/httpd.co
7009 ? S 0:00 smtpd
7010 ? S 0:00 smtpd
7016 ? S 0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
7017 ? S 0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
7019 ? S 0:00 smtpd
7020 ? S 0:00 smtpd
7021 pts/0 R 0:00 ps -xa
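A small triage helper, added here as an example and not part of Charlie's post. It parses `ps -xa` output of the shape shown above, pulls out every in-flight qmail-remote delivery (qmail-rspawn runs it as `qmail-remote host sender recipient ...`, so the argv exposes the envelope sender and recipients of each outbound message), counts open smtpd sessions and zombie processes, and flags deliveries whose envelope sender domain is not in a list of domains the box is supposed to send for. The sample listing and the local-domain list are constructed placeholders, not data from the incident.

```python
import re
from collections import Counter

# Constructed sample in the shape of the `ps -xa` listing from the post.
# Hosts and addresses are placeholders, not values from a real incident.
SAMPLE_PS = """\
  PID TTY   STAT TIME COMMAND
 3864 ?     S    0:06 qmail-send
 3865 ?     Z    0:00 [accustamp <defunct>]
 3866 ?     S    0:00 qmail-lspawn ./Maildir/
 3867 ?     S    0:00 qmail-rspawn
 5287 ?     S    0:00 smtpd
 6612 ?     S    0:00 smtpd
 7009 ?     S    0:00 smtpd
 7016 ?     S    0:00 qmail-remote example.net anonymous@example.org user1@example.net
 7017 ?     S    0:00 qmail-remote example.net anonymous@example.org user2@example.net
 7021 pts/0 R    0:00 ps -xa
"""

# Domains this server is expected to originate mail for (assumed placeholder).
LOCAL_DOMAINS = {"example.com"}

# PID TTY STAT TIME COMMAND; the header line has no numeric PID and is skipped.
PS_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.*)$"
)


def parse_ps(text):
    """Turn raw `ps -xa` output into a list of {pid, stat, cmd} dicts."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        procs.append({"pid": int(m["pid"]), "stat": m["stat"], "cmd": m["cmd"].strip()})
    return procs


def outbound_deliveries(procs):
    """qmail-rspawn execs `qmail-remote host sender recip [recip ...]`,
    so each running qmail-remote reveals one remote delivery's envelope."""
    out = []
    for p in procs:
        argv = p["cmd"].split()
        if len(argv) >= 4 and argv[0] == "qmail-remote":
            out.append({"pid": p["pid"], "host": argv[1],
                        "sender": argv[2], "recipients": argv[3:]})
    return out


def triage(text, local_domains=LOCAL_DOMAINS):
    """Summarise what the listing says about mail activity on the host."""
    procs = parse_ps(text)
    deliveries = outbound_deliveries(procs)
    senders = Counter(d["sender"] for d in deliveries)
    # A delivery whose envelope sender is not one of our domains is the
    # signature of relaying someone else's mail.
    foreign = [d["pid"] for d in deliveries
               if d["sender"].rsplit("@", 1)[-1] not in local_domains]
    return {
        "smtpd_sessions": sum(1 for p in procs if p["cmd"].split()[:1] == ["smtpd"]),
        "remote_deliveries": len(deliveries),
        "top_senders": senders.most_common(3),
        "foreign_sender_pids": foreign,
        "zombies": [p["pid"] for p in procs if p["stat"].startswith("Z")],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PS).items():
        print(f"{key}: {value}")
```

On the real box the listing would come from `ps -xa` piped into this script; the counts are only as trustworthy as the ps binary that produced them, so on a host already known to be compromised they are a starting point for triage rather than a verdict.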