Date:      Thu, 17 Jul 2003 02:51:47 -0700 (PDT)
From:      Viktor Lazlo <viktorlazlo@telus.net>
To:        keith@smmc.qld.edu.au
Cc:        Free bsd <freebsd-questions@freebsd.org>
Subject:   Re: Help! Is this an attack or a virus? Qmail on FBSD is flooding
Message-ID:  <20030717023103.A4775@njamn8or.no-ip.org>
In-Reply-To: <2614.10.0.1.109.1058432155.squirrel@localhost.smmc.qld.edu.au>
References:  <2614.10.0.1.109.1058432155.squirrel@localhost.smmc.qld.edu.au>

On Thu, 17 Jul 2003 keith@smmc.qld.edu.au wrote:

> Hi good people.
> I am not the cluiest here.
> Suddenly my fbsd 4.7. qmail router/gateway is dead slow and
> ps -ax reports all normal procs plus heaps! of procs like...
>
> 5567    (some flags)  0:00:02 qmail-remote hotmail.com
> reaf_ha99@smmc.qld.edu.au
>
> The address is one of my user email accounts on qmail
>
> What is this? Is it possible FBSD has a virus or is it a suddenly
> rogue/corrupted qmail?
> Where else can I look to track this down?
> I have ipfilter/ipmon/ipnat on it too.
>
> I disconnected router from internal LAN and rebooted and after a while it
> started doing it again!
> So it is something on the machine.
> Help please needed badly...typical...it's mission critical in our school.
> Thanks Keith

Just a guess but if only mail activity is reported and only for that
user's account it sounds like your mail server is being used to churn out
massive amounts of spam or hammer other mail servers to harvest valid
addresses either because it's an open relay or because someone has cracked
that user's account.

Disable that user's account and set your firewall and your mail server's
access database to block any IPs and hostnames that the activity seems to
be coming from and see if the box returns to normal.  If multiple accounts
are being used it's possible the box itself has been rooted rather than
the individual accounts being cracked.

Cheers,

Viktor
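The first thing Viktor's diagnosis asks for is a count of qmail-remote processes per sending address, so you can tell "one cracked account" from "everyone is relaying". The script below is an added example for this thread, not code from either poster or from the qmail project. It reads `ps -ax` style output on stdin and tallies the third token after `qmail-remote` (the envelope sender, as in Keith's listing). The embedded process listing is constructed for illustration; the addresses and thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise qmail-remote processes by
# envelope sender from `ps -ax` output, to spot a single account that is
# being used to pump mail. Run on the live box as:  ps -ax | flag_senders 20

# Constructed sample of `ps -ax` output; the addresses are made up.
SAMPLE_PS='  PID  TT  STAT      TIME COMMAND
  101  ??  Is     0:00.02 /usr/local/bin/qmail-send
 5567  ??  R      0:00.02 qmail-remote hotmail.com reaf@example.edu
 5568  ??  R      0:00.01 qmail-remote yahoo.com reaf@example.edu
 5569  ??  R      0:00.01 qmail-remote aol.com reaf@example.edu
 5570  ??  R      0:00.01 qmail-remote example.net admin@example.edu
 5571  ??  Is     0:00.00 /usr/local/bin/qmail-smtpd'

# qmail_remote_counts: read ps output on stdin, print "count sender" per
# envelope sender of every qmail-remote process, busiest sender first.
# The command column may be preceded by a varying number of fields, so the
# qmail-remote token is located by scanning rather than by fixed position.
qmail_remote_counts() {
    awk '{
            for (i = 1; i <= NF; i++)
                if ($i == "qmail-remote" && i + 2 <= NF) { n[$(i + 2)]++; break }
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# flag_senders THRESHOLD: print only the senders with at least THRESHOLD
# concurrent qmail-remote processes, i.e. the accounts worth disabling
# while the source IPs are being traced in the logs.
flag_senders() {
    threshold="$1"
    qmail_remote_counts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | qmail_remote_counts
```

On a real host, pair the output with `ipmon` logs for the SMTP port around the same time: a single sender with hundreds of qmail-remote children but only a handful of distinct client IPs points at a cracked account or an open relay being abused from a few sources, which is exactly the case where blocking those IPs and disabling the account is the right first move.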
