Date: Thu, 17 Jul 2003 22:29:18 +1000 (EST)
From: <keith@smmc.qld.edu.au>
To: <freebsd-questions@freebsd.org>
Subject: Re: Help! Is this an attack or a virus? Qmail on FBSD is flooding
Message-ID: <1057.203.221.19.98.1058444958.squirrel@localhost.smmc.qld.edu.au>
In-Reply-To: <20030717023103.A4775@njamn8or.no-ip.org>
References: <2614.10.0.1.109.1058432155.squirrel@localhost.smmc.qld.edu.au> <20030717023103.A4775@njamn8or.no-ip.org>

Hi Victor, thanks. I had deleted that one person's account but it still
happens! What is the qmail-remote thing?? Any ideas?

Keith

>
> On Thu, 17 Jul 2003 keith@smmc.qld.edu.au wrote:
>
>> Hi good people.
>> I am not the clueiest here.
>> Suddenly my fbsd 4.7. qmail router/gateway is dead slow and
>> ps -ax reports all normal procs plus heaps! of procs like...
>>
>> 5567 (some flags) 0:00:02 qmail-remote hotmail.com
>> reaf_ha99@smmc.qld.edu.au
>>
>> The address is one of my user email accounts on qmail
>>
>> What is this? Is it possible FBSD has a virus or is it a suddenly
>> rogue/corrupted qmail.
>> Where else can I look to track this down.
>> I have ipfilter/ipmon/ipnat on it too.
>>
>> I disconnected router from internal LAN and rebooted and after a while
>> it started doing it again!
>> So it is something on the machine.
>> Help please needed badly...typical..it's mission critical in our school
>> Thanks Keith
>
> Just a guess but if only mail activity is reported and only for that
> user's account it sounds like your mail server is being used to churn
> out massive amounts of spam or hammer other mail servers to harvest
> valid addresses either because it's an open relay or because someone has
> cracked that user's account.
>
> Disable that user's account and set your firewall and your mail server's
> access database to block any IP's and hostnames that the activity seems
> to be coming from and see if the box returns to normal. If multiple
> accounts are being used it's possible the box itself has been rooted
> rather than the individual accounts being cracked.
>
> Cheers,
>
> Viktor
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
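
Added example, not part of the original thread and not written by either poster: a small sh/awk triage helper that tallies running qmail-remote deliveries by envelope sender and destination host, which is the "one account or several" question raised in the reply above. It assumes the argument order from qmail-remote(8), "host sender recip ..."; the function names and the sample ps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. qmail-remote(8) is invoked as:
#   qmail-remote host sender recip [recip ...]
# so each ps line names the destination host and the envelope sender.

# Constructed sample of `ps -axww` output (addresses are placeholders).
sample_ps() {
    cat <<'EOF'
  PID  TT  STAT      TIME COMMAND
  212  ??  S      0:00.41 qmail-send
 5567  ??  S      0:00.02 qmail-remote hotmail.com user1@example.org a@hotmail.com
 5568  ??  S      0:00.02 qmail-remote hotmail.com user1@example.org b@hotmail.com
 5570  ??  S      0:00.01 qmail-remote yahoo.com user1@example.org c@yahoo.com
 5571  ??  S      0:00.01 qmail-remote example.net user2@example.org d@example.net
EOF
}

# Read ps lines on stdin; print "count sender host", busiest pair first.
summarize_qmail_remote() {
    awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "qmail-remote" || $i ~ /\/qmail-remote$/) {
                    host = $(i + 1)
                    # ps prints an empty (bounce) sender as nothing, so for
                    # bounces the first recipient shows up in this column.
                    sender = (i + 2 <= NF) ? $(i + 2) : "(none)"
                    count[sender " " host]++
                    break
                }
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Number of distinct envelope senders among the running deliveries.
distinct_senders() {
    summarize_qmail_remote | awk '{ seen[$2] = 1 } END { n = 0; for (s in seen) n++; print n }'
}

# Demo on the constructed sample; on a live host: ps -axww | summarize_qmail_remote
sample_ps | summarize_qmail_remote
echo "distinct senders: $(sample_ps | distinct_senders)"
```

Plain "ps -ax" truncates long command lines, so the wide form (-ww) is needed for the sender column to be reliable.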