Re: EMERGENCY - need to secure my server against an ongoing SPAMMER

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 11 Mar 2005 10:48:29 +0000, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
> Bob Brennan wrote:
> > Sorry for the brevity here but I woke this morning to find my
> > mailserver sending 1000+ rejected email notices to postmaster@, and it
> > was increasing by the minute. I have shut down Sendmail and am
> > removing all relay permissions (I hope) but have a few issues that
> > need to be resolved quickly before going back online - knowing the
> > spammer will be retrying and my legitimate users are losing services.
> 
> What relaying permissions did you have?

FEATURE('relay_entire_domain')
HACK('popauth')
...none of which worked for *me* in my continuing struggle to find a
secure way to let my users use a remote MUA
...both commented out for now, as well as removed all domains in the
"Relay Domains" (Webmin again) file

> 
> > 1. There are 700+ emails sitting in the outgoing queue, I am using
> > WebMin to delete them but at 20 at-a-time it is useless. I need a
> > command line that will do it without causing more damage.
> 
> # cd /var/spool
> # mv mqueue mqueue.spam
> # mkdir mqueue
> # restorecon mqueue

done it - 1 problem sorted!

> That should leave you with an empty queue, plus the spam messages saved
> in /var/spool/mqueue.spam. You might want to look in there and see if
> there are any non-spam messages before you go deleting them all. It
> would also be useful to see an example of one of the "qf" files in
> /var/spool/mqueue.spam to see how the message reached your outgoing mail
> queue. That may indicate the vulnerability being exploited by the spammer.
> 
> > 2. MySql is shut down for some reason, I don't know if it's related to
> > the attack. "service msqld status" returns "msqld dead but subsys
> > locked"
> 
> Perhaps it collapsed under the load? Will "service msqld restart"
> restart it?

"Timeout error occured trying to start MySQL Deamon"
"Starting MySQL    [FAILED]
... having to do with the "subsys locked" problem above I believe -
but how to fix that?

bob

> Paul.
> 
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux