From owner-freebsd-questions@FreeBSD.ORG Thu Jul 17 05:29:34 2003
Message-ID: <1057.203.221.19.98.1058444958.squirrel@localhost.smmc.qld.edu.au>
Date: Thu, 17 Jul 2003 22:29:18 +1000 (EST)
In-Reply-To: <20030717023103.A4775@njamn8or.no-ip.org>
Subject: Re: Help! Is this an attack or a virus? Qmail on FBSD is flooding

Hi Viktor
thanks, I had deleted that one person's account but it still happens!
What is the qmail-remote thing??
Any ideas?
Keith

> On Thu, 17 Jul 2003 keith@smmc.qld.edu.au wrote:
>
>> Hi good people.
>> I am not the cluiest here.
>> Suddenly my fbsd 4.7. qmail router/gateway is dead slow and
>> ps -ax reports all normal procs plus heaps! of procs like...
>>
>> 5567 (some flags) 0:00:02 qmail-remote hotmail.com
>> reaf_ha99@smmc.qld.edu.au
>>
>> The address is one of my user email accounts on qmail
>>
>> What is this? Is it possible FBSD has a virus or is it a suddenly
>> rogue/corrupted qmail.
>> Where else can I look to track this down.
>> I have ipfilter/ipmon/ipnat on it too.
>>
>> I disconnected router from internal LAN and rebooted and after a while
>> it started doing it again!
>> So it is something on the machine.
>> Help please needed badly...typical..it's mission critical in our school
>> Thanks Keith
>
> Just a guess but if only mail activity is reported and only for that
> user's account it sounds like your mail server is being used to churn
> out massive amounts of spam or hammer other mail servers to harvest
> valid addresses either because it's an open relay or because someone has
> cracked that user's account.
>
> Disable that user's account and set your firewall and your mail server's
> access database to block any IPs and hostnames that the activity seems
> to be coming from and see if the box returns to normal. If multiple
> accounts are being used it's possible the box itself has been rooted
> rather than the individual accounts being cracked.
>
> Cheers,
>
> Viktor
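
qmail-remote is the qmail program that delivers one queued message to a remote host over SMTP, so a pile of them means a pile of outbound mail waiting in the queue. The sketch below is an added example, not part of the original thread: it tallies remote deliveries per envelope sender and queueing uid from qmail-send log lines, which helps tell one abused account from a relay problem. The sample lines, addresses, uids and threshold are constructed assumptions.

```python
import re
import sys
from collections import Counter

# Constructed sample in qmail-send log format (not from the poster's server).
SAMPLE_LOG = """\
1058444901.10 new msg 4101
1058444901.11 info msg 4101: bytes 2210 from <student1@example.edu> qp 5561 uid 89
1058444901.20 starting delivery 1: msg 4101 to remote a1@hotmail.com
1058444901.21 starting delivery 2: msg 4101 to remote a2@hotmail.com
1058444901.22 starting delivery 3: msg 4101 to remote a3@hotmail.com
1058444901.23 starting delivery 4: msg 4101 to remote a4@HOTMAIL.com
1058444902.10 new msg 4102
1058444902.11 info msg 4102: bytes 980 from <staff@example.edu> qp 5570 uid 1001
1058444902.20 starting delivery 5: msg 4102 to remote friend@example.org
1058444902.21 starting delivery 6: msg 4102 to local staff2@example.edu
"""

# search() is used so a syslog or tai64n prefix in front of the line is tolerated.
INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
START = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) (\S+)")

def summarize(lines):
    """Count remote deliveries keyed by (envelope sender, uid, recipient domain)."""
    origin = {}  # msg number -> (sender, uid that queued it); numbers get reused
    counts = Counter()
    for line in lines:
        m = INFO.search(line)
        if m:
            origin[m.group(1)] = (m.group(2) or "<>", m.group(3))  # "<>" = bounce
            continue
        m = START.search(line)
        if m and m.group(2) == "remote":
            sender, uid = origin.get(m.group(1), ("?", "?"))
            domain = m.group(3).rpartition("@")[2].lower()
            counts[(sender, uid, domain)] += 1
    return counts

def suspects(counts, threshold=3):
    """Keys with at least `threshold` remote deliveries, busiest first."""
    return [(key, n) for key, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    # Pass the qmail-send log path as the first argument; its location is site-specific.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for (sender, uid, domain), n in suspects(summarize(src)):
        print(f"{n:6d} remote deliveries  sender={sender} uid={uid} -> {domain}")
```

The uid column is the account that queued the message, so mapping it against the password file shows whether the mail arrived through the SMTP daemon, a web application or a local login.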