Date: Tue, 21 Sep 1999 12:30:12 -0700 (PDT) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: bsd@a.servers.aozilla.com (Mr. K.) Cc: security@FreeBSD.ORG Subject: Re: hackers? Message-ID: <199909211930.MAA63783@gndrsh.dnsmgr.net> In-Reply-To: <Pine.BSF.4.10.9909192027150.5171-100000@inbox.org> from "Mr. K." at "Sep 19, 1999 08:31:08 pm"
> I've just recently upgraded to sendmail 8.9, as my host was being used as
> a mail relay. I think I am now under some kind of attack. When I do a ps
> -x I get the following listings:
>
> 3814  ??  S      0:00.01 sendmail: server ABD8FFB5.ipt.aol.com [171.216.255.181] child wait (sendmail)
> 3816  ??  I      0:00.02 sendmail: server ABD8FFB5.ipt.aol.com [171.216.255.181] cmd read (sendmail)

Do as the others have suggested, and do this quickly. But a quick first
step to mitigate the current damage on your system can be achieved by
doing the following _right_ _now_.

killall sendmail
mv /var/spool/mqueue /var/spool/mqueue.spammed
mkdir /var/spool/mqueue
chown root:daemon /var/spool/mqueue
chmod 755 /var/spool/mqueue
ipfw add deny tcp from 171.212.240.0/24 to any 25  # For each of the IPs
                                                   # you see in this list
                                                   # associated with AOL.com.
sendmail -bd -q30m   # Or as appropriate for your site.

That will get you back on line and running... then you need to go
through /var/spool/mqueue.spam and figure out what should be moved over
to /var/spool/mqueue, and what should be saved for legal evidence in
case it is needed.

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
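The triage in the reply above, wrapped in reviewable shell functions. This is an added example, not code from Rod Grimes' message or from FreeBSD: it goes a little beyond the message by tallying how many sendmail sessions each remote address holds (from `ps` output), printing the matching ipfw deny rules for addresses above a threshold instead of typing them one by one, and rotating the queue aside under a timestamped name so the evidence is kept. The `SAMPLE_PS` lines are constructed in the shape of the quoted `ps -x` output; the 171.216.255.182 and 192.0.2.10 entries, the threshold of 2 and the `.spammed-<stamp>` naming are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original message or of FreeBSD's own tooling.
#   1. tally_senders   - which remote addresses hold sendmail sessions
#   2. block_rules     - ipfw deny rules for the busiest ones (print, review, apply)
#   3. quarantine_queue - move the queue aside and recreate an empty one
# SAMPLE_PS is constructed sample data; the .182 and 192.0.2.10 hosts are invented.
SAMPLE_PS='3814  ??  S      0:00.01 sendmail: server ABD8FFB5.ipt.aol.com [171.216.255.181] child wait (sendmail)
3816  ??  I      0:00.02 sendmail: server ABD8FFB5.ipt.aol.com [171.216.255.181] cmd read (sendmail)
3820  ??  I      0:00.02 sendmail: server ABD8FFB6.ipt.aol.com [171.216.255.182] cmd read (sendmail)
3821  ??  Ss     0:01.13 sendmail: accepting connections
3822  ??  I      0:00.01 sendmail: server mail.example.net [192.0.2.10] cmd read (sendmail)'

# tally_senders: ps output on stdin -> "<sessions> <ip>" per remote address,
# busiest first. Only "sendmail: server <host> [<ip>]" lines count; the
# listener and queue-runner processes are ignored.
tally_senders() {
    sed -n 's/.*sendmail: server [^ ]* \[\([0-9.]*\)\].*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# suspect_ips [threshold]: addresses holding at least <threshold> sessions
# (default 2). One session from a host is normal mail; many at once from
# the same dial-up address is the relay-abuse pattern in the thread.
suspect_ips() {
    threshold=${1:-2}
    tally_senders | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# block_rules [threshold]: print, but do not apply, one ipfw rule per
# suspect address in the form used in the message. Pipe to sh only after
# reading the list, so a legitimate busy peer is not cut off by accident.
block_rules() {
    suspect_ips "$1" | while read -r ip; do
        printf 'ipfw add deny tcp from %s to any 25\n' "$ip"
    done
}

# quarantine_queue <spooldir>: move the queue aside under a timestamped
# name and recreate an empty one with the mode/ownership from the message.
# Prints the path of the saved queue so it can be sorted through later.
# Stop sendmail first (killall sendmail), as the message says.
quarantine_queue() {
    spool=$1
    [ -d "$spool" ] || return 1
    saved="$spool.spammed-$(date +%Y%m%d-%H%M%S)"
    mv "$spool" "$saved" || return 1
    mkdir "$spool" || return 1
    chmod 755 "$spool"
    # chown needs root; skipped on an unprivileged dry run
    if [ "$(id -u)" -eq 0 ]; then
        chown root:daemon "$spool"
    fi
    printf '%s\n' "$saved"
}

# Demonstration on the constructed sample. On a live host the input would
# be the real process list:  ps -ax | block_rules 2
printf '%s\n' "$SAMPLE_PS" | tally_senders
printf '%s\n' "$SAMPLE_PS" | block_rules 2
```

On the sample, the tally shows two sessions from 171.216.255.181 and one each from the other two hosts, so `block_rules 2` emits a single deny rule for the AOL address and leaves the legitimate peer alone. `quarantine_queue /var/spool/mqueue` performs the mv/mkdir/chown/chmod sequence from the message and returns the name of the saved directory, which is the one to examine before moving any genuine queue files back.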