From owner-freebsd-security Tue Sep 21 12:39: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bekool.com (ns2.netquick.net [216.48.34.2])
	by hub.freebsd.org (Postfix) with ESMTP id C41DE1573E
	for ; Tue, 21 Sep 1999 12:38:56 -0700 (PDT)
	(envelope-from trouble@hackfurby.com)
Received: from bastille.netquick.net ([216.48.32.159] helo=hackfurby.com)
	by bekool.com with esmtp (Exim 3.03 #1)
	id 11TW9f-0003c6-00; Tue, 21 Sep 1999 20:04:47 +0000
Message-ID: <37E93ECF.D0BB3779@hackfurby.com>
Date: Wed, 22 Sep 1999 15:40:48 -0500
From: TrouBle
Reply-To: trouble@hackfurby.com
X-Mailer: Mozilla 4.61 [en] (X11; I; FreeBSD 4.0-19990816-CURRENT i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "Rodney W. Grimes"
Cc: "Mr. K." , security@FreeBSD.ORG
Subject: Re: hackers?
References: <199909211930.MAA63783@gndrsh.dnsmgr.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

BRAVO... yes, this is the best solution immediately.

"Rodney W. Grimes" wrote:
> 
> > I've just recently upgraded to sendmail 8.9, as my host was being used as
> > a mail relay. I think I am now under some kind of attack. When I do a ps
> > -x I get the following listings:
> > 
> > 3814 ?? S 0:00.01 sendmail: server ABD8FFB5.ipt.aol.com [171.216.255.181] child wait (sendmail)
> > 3816 ?? I 0:00.02 sendmail: server ABD8FFB5.ipt.aol.com [171.216.255.181] cmd read (sendmail)
> 
> Do as the others have suggested, and do this quickly. But
> a quick first step to mitigate the current damage on your system
> can be achieved by doing the following _right_ _now_.
> 
> killall sendmail
> mv /var/spool/mqueue /var/spool/mqueue.spammed
> mkdir /var/spool/mqueue
> chown root:daemon /var/spool/mqueue
> chmod 755 /var/spool/mqueue
> ipfw add deny tcp from 171.212.240.0/24 to any 25 # For each of the IP's
>                                                   # you see in this list
>                                                   # associated with AOL.com.
> sendmail -bd -q30m #Or as appropriate for your site.
> 
> That will get you back on line and running... then you need to
> go through /var/spool/mqueue.spam and figure out what should be
> moved over to /var/spool/mqueue, and what should be saved for
> legal evidence in case it is needed.
> 
> -- 
> Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
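The last step of the quoted procedure, sorting the quarantined queue into mail worth re-queueing and mail worth keeping as evidence, is the tedious one. The script below is an added example and is not code from the thread or from the sendmail project: it walks a quarantine directory, reads the connecting client that sendmail 8.9 records in the "$_" macro line of each qf control file (the same host/address pair shown in the ps listing above), and moves every qf/df pair relayed from a denied address prefix into a "spam" subdirectory, leaving the rest in place to be moved back to /var/spool/mqueue. The prefix match is a plain dotted-string prefix rather than a CIDR mask, the function and variable names are the example's own, and the three sample queue entries it builds are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the thread: triage the quarantined queue directory
# that the procedure above leaves behind (/var/spool/mqueue.spammed) by the
# client that relayed each message. A sendmail 8.9 qf control file records the
# connecting client in its "$_" macro line, e.g.
#   $_ABD8FFB5.ipt.aol.com [171.216.255.181]
# Queue entries (qf + df pair) whose client address starts with the denied
# prefix are moved to a "spam" subdirectory to keep as evidence; the rest stay
# put, ready to be moved back to /var/spool/mqueue.
# Assumptions: a plain dotted-prefix match (not a CIDR mask); queue ids of the
# form qfXXXXXXXX/dfXXXXXXXX; the sample queue below is constructed.

# triage_mqueue QUARANTINE_DIR IP_PREFIX
# Prints the number of queue entries moved to QUARANTINE_DIR/spam.
triage_mqueue() {
    qdir=$1
    prefix=$2
    mkdir -p "$qdir/spam"
    moved=0
    for qf in "$qdir"/qf*; do
        [ -f "$qf" ] || continue
        id=${qf##*/qf}
        # Pull the bracketed IPv4 address out of the $_ macro line; local
        # submissions have no bracketed address and yield an empty string.
        client=$(sed -n 's/^\$_.*\[\([0-9.]*\)].*/\1/p' "$qf")
        case "$client" in
            "$prefix"*)
                mv "$qf" "$qdir/spam/"
                if [ -f "$qdir/df$id" ]; then
                    mv "$qdir/df$id" "$qdir/spam/"
                fi
                moved=$((moved + 1))
                ;;
        esac
    done
    echo "$moved"
}

# make_sample_queue DIR
# Builds a constructed quarantine directory: two entries relayed through the
# AOL dial-up client from the ps listing, one legitimate local submission.
make_sample_queue() {
    d=$1
    mkdir -p "$d"
    printf '%s\n' 'V2' 'S<spammer@example.com>' \
        '$_ABD8FFB5.ipt.aol.com [171.216.255.181]' '$rESMTP' \
        'RP:<victim@example.net>' > "$d/qfAAA00001"
    printf '%s\n' 'relayed spam body' > "$d/dfAAA00001"
    printf '%s\n' 'V2' 'S<other@example.com>' \
        '$_ABD8FFB6.ipt.aol.com [171.216.255.182]' '$rESMTP' \
        'RP:<someone@example.org>' > "$d/qfAAA00002"
    printf '%s\n' 'relayed spam body' > "$d/dfAAA00002"
    printf '%s\n' 'V2' 'S<root@localhost>' '$_root@localhost' \
        'RP:<admin@example.net>' > "$d/qfAAA00003"
    printf '%s\n' 'local mail body' > "$d/dfAAA00003"
}

# Stand-alone demo: build the sample queue in a temp dir and triage it.
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_queue "$tmp"
    echo "moved $(triage_mqueue "$tmp" '171.216.') entries to $tmp/spam"
    ls "$tmp" "$tmp/spam"
fi
```

Run it against the real quarantine as `triage_mqueue /var/spool/mqueue.spammed 171.216.` once, per denied prefix, and check that the prefix you pass is the one actually shown in the ps output (the bracketed address), since a firewall rule or triage prefix for a different /24 will leave the relayed mail untouched. Anything left in the quarantine directory after triage is what you move back into /var/spool/mqueue; the spam subdirectory keeps the qf/df pairs intact, with their envelope sender, client and recipients, for evidence.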