Date:      Tue, 21 Sep 1999 11:55:59 -0700
From:      John Armstrong <siberian@siberian.org>
To:        "Mr. K." <bsd@a.servers.aozilla.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: hackers?
Message-ID:  <v04210115b40d84be18ca@[216.112.76.84]>
In-Reply-To: <Pine.BSF.4.10.9909192027150.5171-100000@inbox.org>
References:  <Pine.BSF.4.10.9909192027150.5171-100000@inbox.org>

You really, really need to turn off relaying and turn on POP 
authentication (or use a POP database if your POP users are coming 
from static IP addresses).

Is your load high? What do your mail logs indicate? Can you trace the 
source of the problem? Are emails bouncing back to your root account?

When this happened to me not only did I get nailed with the outgoing 
traffic, I got nailed with tens of thousands of bounces because the 
idiot spammer did not get a current mailing list. On top of that I 
got nailed into the blackhole and my ISP shut me down until I fixed 
it.

It's a nightmare. If you need a sendmail.cf file that blocks relaying, 
as well as the Perl daemon to do POP authentication, let me know and I 
will send it off-list.

John-

At 8:31 PM -0400 9/19/99, Mr. K. wrote:
>I've just recently upgraded to sendmail 8.9, as my host was being used as
>a mail relay.  I think I am now under some kind of attack.  When I do a
>ps -x I get the following listings:
>
>
>Is there anything I can do to stop this?



-------------------------------------------
Remember, never ask a geek 'why',
just nod your head and back away slowly...
	-- CmdrTaco, http://www.slashdot.org/



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message