Hijacked server
Darrell Shandrow
plug-discuss@lists.plug.phoenix.az.us
Thu, 31 Oct 2002 20:17:51 -0700
Hi Charlie,
Typically, this means that the relay on your SMTP server is open to an IP address that is being used by a spammer to do his business. Either the server's relay is wide open, or you have allowed too wide a range of IP addresses to use it as a relay. In either case, you need to close this relay, opening it only to the smallest possible range of IP addresses you need to get work done! Since this server uses Qmail as its MTA, visit the Qmail home page at http://www.qmail.org to find out what you need to do to close its relay. Hope this helps.
Thanks.
----- Original Message -----
From: charlie bullen
To: plug-discuss@lists.plug.phoenix.az.us
Sent: Thursday, October 31, 2002 7:07 PM
Subject: Hijacked server
I have a server running e-smith 4.1 which uses qmail. It has been hijacked and someone is using it to forward spam. Currently it is off the net, but that is only a temporary fix.
Here is a listing of running processes: towards the bottom you can see 7016 and 7017 that seem to be bad guys.
Any help would be appreciated
Thanks
Charlie
  PID TTY      STAT TIME COMMAND
    1 ?        S    0:07 init [7]
    2 ?        SW   0:00 [kflushd]
    3 ?        SW   0:00 [kupdate]
    4 ?        SW   0:00 [kpiod]
    5 ?        SW   0:02 [kswapd]
    6 ?        SW<  0:00 [mdrecoveryd]
   68 ?        SW   0:00 [khubd]
  297 ?        S    0:03 syslogd -m 0 -a /home/dns/dev/log
  307 ?        S    0:00 klogd -c 1
  726 ?        S    0:00 crond
  759 ?        S    0:00 xinetd -reuse -pidfile /var/run/xinetd.pid
  815 ?        S    0:00 lpd Waiting
  840 ?        S    0:00 /usr/sbin/dhcpd eth0
  890 ?        S    0:00 /usr/sbin/slapd
  932 ?        S    0:00 smtpfwdd -d /var/spool/smtpd/spool
  962 ?        S    0:00 httpd
  971 ?        S    0:00 httpd
  972 ?        S    0:00 httpd
  973 ?        S    0:00 httpd
  974 ?        S    0:00 httpd
  975 ?        S    0:00 httpd
  976 ?        S    0:00 httpd
  977 ?        S    0:00 httpd
  978 ?        S    0:00 httpd
  979 ?        S    0:00 httpd
  984 ?        S    0:00 httpd
  988 ?        S    0:00 /usr/sbin/sshd
 1143 ?        S    0:00 /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.co
 1144 ?        S    0:00 /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.co
 1162 ?        S    0:00 sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
 1207 ?        S    0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
 1213 ?        S    0:00 squid -D
 1214 ?        S    0:00 (squid) -D
 1244 ?        S    0:00 (unlinkd)
 1245 ?        S    0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
 1246 ?        S    0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
 1263 ?        S    0:00 atalkd
 1264 ?        S    0:00 smbd -D
 1274 ?        S    0:00 nmbd -D
 1276 ?        S    0:00 nmbd -D
 1297 ?        S    0:01 /usr/sbin/named -f -u dns -g dns -t /home/dns
 1298 ?        S    0:00 /usr/sbin/pptpd -f
 1299 tty1     S    0:00 perl -wT /sbin/e-smith/console tty1
 1300 tty2     S    0:00 /sbin/mingetty tty2
 1301 tty3     S    0:00 /sbin/mingetty tty3
 1302 ?        Z    0:00 [rpmq <defunct>]
 1303 tty1     S    0:00 /usr/bin/logger -p local1.info -t console
 1304 tty1     S    0:00 /usr/bin/whiptail --clear --backtitle e-smith server an
 1321 ?        S    0:00 papd
 1331 ?        S    0:00 afpd -c 20 -n linux-box
 3053 ?        S    0:00 /usr/sbin/sshd
 3102 pts/0    S    0:00 -bash
 3864 ?        S    0:06 qmail-send
 3865 ?        Z    0:00 [accustamp <defunct>]
 3866 ?        S    0:00 qmail-lspawn ./Maildir/
 3867 ?        S    0:00 qmail-rspawn
 3868 ?        S    0:00 qmail-clean
 5287 ?        S    0:00 smtpd
 6612 ?        S    0:00 smtpd
 6670 ?        S    0:00 smtpd
 6877 ?        S    0:00 smtpd
 6878 ?        S    0:00 smtpd
 6956 ?        S    0:00 smbd -D
 6987 ?        Z    0:00 [smtpfwdd <defunct>]
 7006 ?        S    0:00 /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.co
 7009 ?        S    0:00 smtpd
 7010 ?        S    0:00 smtpd
 7016 ?        S    0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
 7017 ?        S    0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
 7019 ?        S    0:00 smtpd
 7020 ?        S    0:00 smtpd
 7021 pts/0    R    0:00 ps -xa
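To make the advice in the reply above concrete ("close the relay, opening it only to the smallest possible range of IP addresses"), here is an added example that is not code from this thread, from qmail, or from e-smith. It audits a relay rule file the way an administrator would before putting the box back on the net. It assumes qmail is fed by ucspi-tcp's tcpserver with a tcp.smtp rule file, where a line like `192.168.1.:allow,RELAYCLIENT=""` grants relaying to that address prefix and a bare `:allow,RELAYCLIENT=""` (empty prefix, the default rule) grants it to the whole Internet. Charlie's listing shows smtpd/smtpfwdd in front of qmail, so on an e-smith box the actual file and syntax may differ; the rule format, the two sample rule files, and the function names are all assumptions made for this example.

```python
"""Audit qmail relay rules for over-wide RELAYCLIENT grants.

Added example; not code from the original thread or from qmail/e-smith.
Assumes relaying is controlled by a ucspi-tcp "tcp.smtp" rules file in
which  192.168.1.:allow,RELAYCLIENT=""  grants relaying to every client
whose address starts with that prefix, and a bare  :allow,RELAYCLIENT=""
(empty prefix = default rule) grants it to everyone. Hostname (=host)
rules are not handled here.
"""
import ipaddress

RELAY_ENV = "RELAYCLIENT="

# Constructed sample: the last line is the classic open-relay mistake.
OPEN_RULES = """\
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
10.:allow,RELAYCLIENT=""
# default rule for everybody else
:allow,RELAYCLIENT=""
"""

# Constructed sample: the same file after closing the relay. Strangers may
# still connect to deliver mail *to* local domains, but get no RELAYCLIENT.
CLOSED_RULES = """\
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
:allow
"""


def parse_rules(text):
    """Return [(prefix, action, env_settings)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, rest = line.partition(":")
        action, *env = rest.split(",")
        rules.append((prefix, action, env))
    return rules


def candidate_keys(ip):
    """Keys tcprules tries for an IPv4 client, most specific first:
    the exact address, then a.b.c., a.b., a., then the empty default."""
    octets = ip.split(".")
    keys = [ip]
    for n in (3, 2, 1):
        keys.append(".".join(octets[:n]) + ".")
    keys.append("")
    return keys


def lookup(rules, ip):
    """Return (matching_prefix, action, env) for a client address; an
    address matched by no rule at all is denied, as tcpserver does."""
    table = {prefix: (action, env) for prefix, action, env in rules}
    for key in candidate_keys(ip):
        if key in table:
            action, env = table[key]
            return key, action, env
    return None, "deny", []


def may_relay(rules, ip):
    """True if this client would get RELAYCLIENT, i.e. could relay mail."""
    _, action, env = lookup(rules, ip)
    return action == "allow" and any(e.startswith(RELAY_ENV) for e in env)


def prefix_to_network(prefix):
    """'192.168.1.' -> 192.168.1.0/24; '' (default rule) -> 0.0.0.0/0."""
    if prefix == "":
        return ipaddress.ip_network("0.0.0.0/0")
    octets = prefix.rstrip(".").split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")


def overwide_relay_grants(rules, max_size=256):
    """Prefixes granting RELAYCLIENT to more than max_size addresses.
    Loopback is exempt; the default rule is always reported."""
    findings = []
    for prefix, action, env in rules:
        if action != "allow" or not any(e.startswith(RELAY_ENV) for e in env):
            continue
        if prefix and not prefix.endswith("."):
            continue  # a single exact address is as narrow as it gets
        net = prefix_to_network(prefix)
        if net.is_loopback:
            continue
        if net.num_addresses > max_size:
            findings.append((prefix, str(net), net.num_addresses))
    return findings


if __name__ == "__main__":
    for name, text in (("open", OPEN_RULES), ("closed", CLOSED_RULES)):
        rules = parse_rules(text)
        print(name, "relays for 203.0.113.5:", may_relay(rules, "203.0.113.5"))
        for prefix, net, size in overwide_relay_grants(rules):
            print(f"  over-wide grant {prefix!r} = {net} ({size} addresses)")
```

Run against the constructed "open" file, the audit reports the `10.` prefix and the empty default rule, and an arbitrary outside address such as 203.0.113.5 is allowed to relay; against the "closed" file nothing is reported and that same address can only deliver to local domains, while the 192.168.1.0/24 LAN keeps its relay right. The 256-address threshold is a starting point, not a rule: the reply's point is that the set of relay clients should be as small as the site's real needs allow.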