From owner-freebsd-security Tue Sep 21 12:31: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 2537715BC2 for ; Tue, 21 Sep 1999 12:31:01 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id MAA63783; Tue, 21 Sep 1999 12:30:12 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199909211930.MAA63783@gndrsh.dnsmgr.net>
Subject: Re: hackers?
In-Reply-To: from "Mr. K." at "Sep 19, 1999 08:31:08 pm"
To: bsd@a.servers.aozilla.com (Mr. K.)
Date: Tue, 21 Sep 1999 12:30:12 -0700 (PDT)
Cc: security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I've just recently upgraded to sendmail 8.9, as my host was being used as
> a mail relay. I think I am now under some kind of attack. When I do a ps
> -x I get the following listings:
>
> 3814 ?? S 0:00.01 sendmail: server ABD8FFB5.ipt.aol.com
> [171.216.255.181] child wait (sendmail)
> 3816 ?? I 0:00.02 sendmail: server ABD8FFB5.ipt.aol.com
> [171.216.255.181] cmd read (sendmail)

Do as the others have suggested, and do this quickly. But a quick first
step to mitigate the current damage on your system can be achieved by
doing the following _right_ _now_.

    killall sendmail
    mv /var/spool/mqueue /var/spool/mqueue.spammed
    mkdir /var/spool/mqueue
    chown root:daemon /var/spool/mqueue
    chmod 755 /var/spool/mqueue
    ipfw add deny tcp from 171.212.240.0/24 to any 25   # For each of the IP's
                                                        # you see in this list
                                                        # associated with AOL.com.
    sendmail -bd -q30m                                  # Or as appropriate for your site.

That will get you back on line and running...
then you need to go through /var/spool/mqueue.spam and figure out what
should be moved over to /var/spool/mqueue, and what should be saved for
legal evidence in case it is needed.

-- 
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
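The triage steps in the reply above, turned into reusable shell functions as an added example (not code from the original post or from FreeBSD): parse BSD `ps -x` output for sendmail server processes whose peer's reverse name ends in a given domain, derive the /24 networks to deny on port 25, print the ipfw rules for review rather than loading them, and set the spool aside the way the reply describes. The `ps` sample is constructed; the queue directory is a parameter so the quarantine step can be exercised on a scratch directory before touching /var/spool/mqueue.

```sh
#!/bin/sh
# Constructed sample of `ps -x` output, modelled on the lines quoted in the mail.
SAMPLE_PS='3814 ?? S 0:00.01 sendmail: server ABD8FFB5.ipt.aol.com [171.216.255.181] child wait (sendmail)
3816 ?? I 0:00.02 sendmail: server ABD8FFB5.ipt.aol.com [171.216.255.181] cmd read (sendmail)
3820 ?? I 0:00.02 sendmail: server ABD8F001.ipt.aol.com [171.216.240.1] cmd read (sendmail)
3825 ?? I 0:00.01 sendmail: server mail.example.net [192.0.2.10] cmd read (sendmail)'

# relay_nets SUFFIX: read ps output on stdin and print each distinct /24 that
# contains a peer whose reverse name is SUFFIX or ends in ".SUFFIX".
relay_nets() {
    awk -v sfx="$1" '
        {
            for (i = 1; i < NF - 2; i++)
                if ($i == "sendmail:" && $(i + 1) == "server") break
            if (i >= NF - 2) next
            host = $(i + 2); ip = $(i + 3)
            tail = substr(host, length(host) - length(sfx) + 1)
            if (tail != sfx) next
            if (length(host) > length(sfx) &&
                substr(host, length(host) - length(sfx), 1) != ".") next
            if (substr(ip, 1, 1) != "[") next          # expect "[a.b.c.d]"
            ip = substr(ip, 2, length(ip) - 2)
            if (split(ip, o, ".") != 4) next
            net = o[1] "." o[2] "." o[3] ".0/24"
            if (!(net in seen)) { seen[net] = 1; print net }
        }'
}

# ipfw_rules SUFFIX: emit one deny rule per network, for review before loading.
ipfw_rules() {
    relay_nets "$1" | while read -r net; do
        printf 'ipfw add deny tcp from %s to any 25\n' "$net"
    done
}

# quarantine_mqueue DIR: move the queue to DIR.spammed and recreate DIR empty
# with the ownership and mode sendmail expects (chown needs root; DIR defaults
# to /var/spool/mqueue).
quarantine_mqueue() {
    dir="${1:-/var/spool/mqueue}"
    [ -d "$dir" ] || return 1
    mv "$dir" "$dir.spammed" || return 1
    mkdir "$dir" && chmod 755 "$dir" || return 1
    chown root:daemon "$dir" 2>/dev/null || :
    return 0
}

# Demonstration on the constructed sample: print the rules for review.
printf '%s\n' "$SAMPLE_PS" | ipfw_rules aol.com
```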