Date:      Wed, 22 Sep 1999 15:40:48 -0500
From:      TrouBle <trouble@hackfurby.com>
To:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc:        "Mr. K." <bsd@a.servers.aozilla.com>, security@FreeBSD.ORG
Subject:   Re: hackers?
Message-ID:  <37E93ECF.D0BB3779@hackfurby.com>
References:  <199909211930.MAA63783@gndrsh.dnsmgr.net>

BRAVO... yes this is the best solution immediately

"Rodney W. Grimes" wrote:

> > I've just recently upgraded to sendmail 8.9, as my host was being used as
> > a mail relay.  I think I am now under some kind of attack.  When I do a ps
> > -x I get the following listings:
> >
> >  3814  ??  S      0:00.01 sendmail: server ABD8FFB5.ipt.aol.com
> > [171.216.255.181] child wait (sendmail)
> >  3816  ??  I      0:00.02 sendmail: server ABD8FFB5.ipt.aol.com
> > [171.216.255.181] cmd read (sendmail)
>
> Do as the others have suggested, and do this quickly.  But
> a quick first step to mitigate the current damage on your system
> can be achieved by doing the following _right_ _now_.
>
> killall sendmail
> mv /var/spool/mqueue /var/spool/mqueue.spammed
> mkdir /var/spool/mqueue
> chown root:daemon /var/spool/mqueue
> chmod 755 /var/spool/mqueue
> ipfw add deny tcp from 171.212.240.0/24 to any 25  # For each of the IP's
>                                                    # you see in this list
>                                                    # associated with AOL.com.
>
> sendmail -bd -q30m      #Or as appropriate for your site.
>
> That will get you back on line and running... then you need to
> go through /var/spool/mqueue.spam and figure out what should be
> moved over to /var/spool/mqueue, and what should be saved for
> legal evidence in case it is needed.
>
> --
> Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37E93ECF.D0BB3779>
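
The quoted reply says to add an ipfw deny rule "for each of the IP's you see in this list". The script below is an added example, not part of the original thread: it reads a ps listing, pulls the client address out of each "sendmail: server HOST [IP]" process title, and prints one rule per address for review before anything is loaded. It assumes one process per line (unwrapped ps output); the function names and every sample address except 171.216.255.181 are made up for the example, and it emits per-address rules where the reply's sample rule used a /24.

```shell
#!/bin/sh
# Added example: build ipfw deny rules from sendmail process titles.

# Constructed sample, shaped like the listing in the post but with each
# process on one line. 192.0.2.44 and 999.1.1.1 are invented test values.
sample_ps() {
cat <<'EOF'
 3814  ??  S      0:00.01 sendmail: server ABD8FFB5.ipt.aol.com [171.216.255.181] child wait (sendmail)
 3816  ??  I      0:00.02 sendmail: server ABD8FFB5.ipt.aol.com [171.216.255.181] cmd read (sendmail)
 3820  ??  I      0:00.01 sendmail: server host.example.net [192.0.2.44] cmd read (sendmail)
 3822  ??  I      0:00.01 sendmail: server bogus.example.net [999.1.1.1] cmd read (sendmail)
  201  ??  Ss     0:01.10 sendmail: accepting connections on port 25 (sendmail)
EOF
}

# relay_clients: ps output on stdin -> "count address" lines, busiest first.
# Only per-connection children ("sendmail: server ...") are counted, and an
# address is kept only if every octet is in 0..255.
relay_clients() {
    awk '
    /sendmail: server / {
        if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
            ip = substr($0, RSTART + 1, RLENGTH - 2)   # strip the brackets
            split(ip, octet, ".")
            ok = 1
            for (i = 1; i <= 4; i++) if (octet[i] + 0 > 255) ok = 0
            if (ok) seen[ip]++
        }
    }
    END { for (ip in seen) print seen[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# deny_rules: ps output on stdin -> one ipfw rule per client address,
# in the form used in the reply. Rules are printed, not executed.
deny_rules() {
    relay_clients | while read -r count addr; do
        echo "ipfw add deny tcp from $addr to any 25"
    done
}

# Stand-alone run on the constructed sample.
sample_ps | relay_clients
sample_ps | deny_rules
```

On a live host, pipe the real process listing into `deny_rules` in place of `sample_ps` and read the output before loading it.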