Re: EMERGENCY - need to secure my server against an ongoing SPAMMER

Bob Brennan wrote:
Sorry for the brevity here but I woke this morning to find my
mailserver sending 1000+ rejected email notices to postmaster@, and it
was increasing by the minute. I have shut down Sendmail and am
removing all relay permissions (I hope) but have a few issues that
need to be resolved quickly before going back online - knowing the
spammer will be retrying and my legitimate users are losing services.

What relaying permissions did you have?

1. There are 700+ emails sitting in the outgoing queue, I am using
WebMin to delete them but at 20 at-a-time it is useless. I need a
command line that will do it without causing more damage.

# cd /var/spool
# mv mqueue mqueue.spam
# mkdir mqueue
# restorecon mqueue

That should leave you with an empty queue, plus the spam messages saved in /var/spool/mqueue.spam. You might want to look in there and see if there are any non-spam messages before you go deleting them all. It would also be useful to see an example of one of the "qf" files in /var/spool/mqueue.spam to see how the message reached your outgoing mail queue. That may indicate the vulnerability being exploited by the spammer.

2. MySql is shut down for some reason, I don't know if it's related to
the attack. "service msqld status" returns "msqld dead but subsys
locked"

Perhaps it collapsed under the load? Will "service msqld restart" restart it?


Paul.
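
The "qf" inspection suggested in the reply above, as an added example that is not part of the original message: a script that tallies the recorded origin (the "$_" macro line) and the envelope sender (the "S" line) across the saved qf files. The function names, script name and sample queue entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise where quarantined messages came from by reading
# the qf control files. Each qf line starts with a code: "S" is the envelope
# sender and the "$_" macro line holds the origin sendmail recorded.

# qf_tally DIR PREFIX: count the first PREFIX-line value across DIR/qf* files.
qf_tally() {
    for f in "$1"/qf*; do
        [ -f "$f" ] || continue
        awk -v p="$2" '
            index($0, p) == 1 { print substr($0, length(p) + 1); found = 1; exit }
            END { if (!found) print "(not recorded)" }' "$f"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

qf_origins() { qf_tally "$1" '$_'; }   # submitting host or local user
qf_senders() { qf_tally "$1" 'S'; }    # envelope sender

# make_sample DIR: write three constructed qf files (not real queue data).
make_sample() {
    printf '%s\n' 'V8' 'T1200000000' '$_apache@localhost' \
        'S<apache@mail.example.org>' 'RPFD:<user1@example.net>' > "$1/qfAAA001"
    printf '%s\n' 'V8' 'T1200000005' '$_apache@localhost' \
        'S<apache@mail.example.org>' 'RPFD:<user2@example.net>' > "$1/qfAAA002"
    printf '%s\n' 'V8' 'T1200000009' '$_[203.0.113.7]' \
        'S<promo@example.com>' 'RPFD:<user3@example.net>' > "$1/qfAAA003"
}

# With no argument, run on the constructed sample; otherwise pass the saved
# queue directory, e.g.  sh qf-summary.sh /var/spool/mqueue.spam
dir=${1:-}
if [ -z "$dir" ]; then
    dir=$(mktemp -d)
    make_sample "$dir"
fi
echo "Origins:"; qf_origins "$dir"
echo "Senders:"; qf_senders "$dir"
```

A tally dominated by one local account points at something on the server submitting mail, while one dominated by remote addresses points at relaying.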

