Re: EMERGENCY - need to secure my server against an ongoing SPAMMER

On Fri, Mar 11, 2005 at 10:41:03AM +0000, Bob Brennan wrote:

> Sorry for the brevity here but I woke this morning to find my
> mailserver sending 1000+ rejected email notices to postmaster@, and it
> was increasing by the minute. I have shut down Sendmail and am
> removing all relay permissions (I hope) but have a few issues that
> need to be resolved quickly before going back online - knowing the
> spammer will be retrying and my legitimate users are losing services.

In addition to the other stuff that people mentioned, you should
probably check your HTTP logs and running processes to see if someone
compromised a user account (via a hole in an insecure PHP or Perl
script, for example) on your system. If you were running a vulnerable
kernel, you'd want to strongly consider the possibility of a root
exploit.

I'd suggest checking ps and netstat output (copying ps and netstat from
a known good machine), and also running nmap on the machine from another
machine to see if any weird ports are open.

Deleting the messages was a bad idea... viewing the contents of the
messages could have been helpful in figuring out what was going on.

However, looking in your LOGS might also give you an idea of what UID
was sending the messages, where they were sending them, etc. 

w
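
The log check suggested in the reply above, as an added example that is not part of the original message: it counts deliveries per submitting local user in a sendmail log and how many of them failed. It assumes sendmail's usual syslog format, where delivery lines for locally submitted mail carry `ctladdr=user (uid/gid)`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Count sendmail deliveries per submitting local user (ctladdr) and how many
# of them did not end in stat=Sent.
# Assumption: standard sendmail syslog lines; the log location on a real
# system (for example /var/log/maillog) varies by distribution.

# Constructed sample log lines, not taken from the original thread.
sample_maillog() {
cat <<'EOF'
Mar 11 03:12:45 mail sendmail[4101]: j2B3CjA1004101: from=apache, size=2210, class=0, nrcpts=1, msgid=<200503110312.j2B3CjA1004101@mail.example.org>, relay=apache@localhost
Mar 11 03:12:46 mail sendmail[4103]: j2B3CjA1004101: to=a@example.net, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Mar 11 03:12:47 mail sendmail[4107]: j2B3ClA1004105: to=b@example.net, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.net. [192.0.2.10], dsn=5.1.1, stat=User unknown
Mar 11 03:12:48 mail sendmail[4111]: j2B3CmA1004109: to=c@example.com, ctladdr=apache (48/48), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.com. [192.0.2.20], dsn=5.1.1, stat=User unknown
Mar 11 08:30:02 mail sendmail[5202]: j2B8U1A1005200: to=friend@example.com, ctladdr=bob (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.com. [192.0.2.20], dsn=2.0.0, stat=Sent (ok)
Mar 11 08:31:10 mail sendmail[5210]: j2B8V9A1005208: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30000, dsn=2.0.0, stat=Sent
EOF
}

# senders_by_uid [FILE...]: reads the named logs (or stdin) and prints
# "deliveries failed user uid", busiest sender first.
senders_by_uid() {
    awk '
        / to=/ && match($0, /ctladdr=[^ ]+ \([0-9]+\/[0-9]+\)/) {
            # Matched text looks like: ctladdr=apache (48/48)
            s = substr($0, RSTART + 8, RLENGTH - 8)
            split(s, part, " ")
            uid = part[2]
            sub(/^\(/, "", uid)      # drop the opening parenthesis
            sub(/\/.*/, "", uid)     # drop "/gid)"
            key = part[1] " " uid
            count[key]++
            if ($0 !~ /stat=Sent/) fail[key]++
        }
        END { for (k in count) print count[k], fail[k] + 0, k }
    ' "$@" | sort -k1,1nr -k3,3
}

# Stand-alone run on the constructed sample.
sample_maillog | senders_by_uid
```

A web-server account such as `apache` at the top of this list, with a high failure count, points at a script under the web root rather than at SMTP relaying; mail that arrived over SMTP has no `ctladdr` on its delivery line and is not counted here.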

