
Re: suspicious act in my server



This appears to be someone bouncing mail off your box. You need to turn
off relaying. If you notice, the outgoing domain is being appended to
your domain as a hostname (Nameserver: prizepalace44.com.healthnet...).
It's failing because the host doesn't exist. This is probably a good
thing because you are not likely filling up someone else's mail server.
But yours is being beat to death.

<<JAV>>


On Fri, 2003-03-21 at 09:35, nlimbu HEALTHNET ORG NP wrote:
> Hi!
> 
> After looking at maillog, I found lots of messages like this.  What is this host name 
> lookup failure and how am I getting all these things?
> 
> 
> Mar 21 20:04:46 mailhost sendmail[28291]: h2L6e1x15637: to=<opinions prizepalace44 com>, delay=07:39:45, xdelay=00:00:00, mailer=esmtp, pri=26912052, relay=prizepalace44.com.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: prizepalace44.com.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:46 mailhost sendmail[28291]: h2K992n25368: to=<conniesytfmmxc poptok com>, ctladdr=<nec healthnet org np > (770/998), delay=1+05:10:40, xdelay=00:00:00, mailer=esmtp, pri=27129015, relay=poptok.com.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: poptok.com.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:47 mailhost sendmail[28291]: h2L6e8x15663: to=<ealjaua omi o>, delay=07:39:39, xdelay=00:00:00, mailer=esmtp, pri=27182006, relay=omi.o.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: omi.o.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:47 mailhost sendmail[28291]: h2K6chn19399: to=<yccect nagput dot in>, ctladdr=<nec healthnet org np > (770/998), delay=1+07:41:03, xdelay=00:00:00, mailer=esmtp, pri=27220066, relay=nagput.dot.in.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: nagput.dot.in.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:47 mailhost sendmail[28291]: h2K9Srn25926: to=<28866_12955_200303190600 merchantmail mailsession com>, ctladdr=<nec healthnet org np > (770/998), delay=1+04:50:45, xdelay=00:00:00, mailer=esmtp, pri=27849194, relay=merchantmail.mails....healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: merchantmail.mailsession.com.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:47 mailhost sendmail[28291]: h2K7vPn22478: to=<downloads prizepalace44 com>, ctladdr=<nec healthnet org np > (770/998), delay=1+06:22:21, xdelay=00:00:00, mailer=esmtp, pri=28568629, relay=prizepalace44.com.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: prizepalace44.com.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:47 mailhost sendmail[28291]: h2K6e8n19466: to=<ealmhs_ omi o>, ctladdr=<nec healthnet org np > (770/998), delay=1+07:39:37, xdelay=00:00:00, mailer=esmtp, pri=28658662, relay=omi.o.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: omi.o.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:47 mailhost sendmail[28291]: h2K7Esn21052: to=<ealde_oso omi o>, ctladdr=<nec healthnet org np > (770/998), delay=1+07:04:52, xdelay=00:00:00, mailer=esmtp, pri=29594478, relay=omi.o.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: omi.o.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:47 mailhost sendmail[28291]: h2K8rAn24737: to=<deals prizepalace44 com>, ctladdr=<nec healthnet org np > (770/998), delay=1+05:26:35, xdelay=00:00:00, mailer=esmtp, pri=29679755, relay=prizepalace44.com.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: prizepalace44.com.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:47 mailhost sendmail[28291]: h2K90kn25099: to=<opinions prizepalace44 com>, ctladdr=<nec healthnet org np > (770/998), delay=1+05:19:00, xdelay=00:00:00, mailer=esmtp, pri=30639024, relay=prizepalace44.com.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: prizepalace44.com.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:47 mailhost sendmail[28291]: h2K9CZn25425: to=<ealjaua omi o>, ctladdr=<nec healthnet org np > (770/998), delay=1+05:07:10, xdelay=00:00:00, mailer=esmtp, pri=30639070, relay=omi.o.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: omi.o.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:47 mailhost sendmail[28291]: h2K7fMn22026: to=<gebremedhin xrzb udc>, ctladdr=<nec healthnet org np > (770/998), delay=1+06:38:24, xdelay=00:00:00, mailer=esmtp, pri=31746863, relay=xrzb.udc.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: xrzb.udc.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:47 mailhost sendmail[28291]: h2K7uhn22470: to=<27515_12988_200303051439 sbmf relatedmail com>, ctladdr=<nec healthnet org np > (770/998), delay=1+06:23:02, xdelay=00:00:00, mailer=esmtp, pri=34449161, relay=sbmf.relatedmail.com.healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: sbmf.relatedmail.com.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:49 mailhost sendmail[28291]: h2K8VWn23840: to=<26996_9332_200303030607 merchantmail woodlandmail com>, delay=1+05:48:17, xdelay=00:00:01, mailer=esmtp, pri=38312165, relay=merchantmail.woodl....healthnet.org.np., dsn=4.0.0, stat=Deferred: Name server: merchantmail.woodlandmail.com.healthnet.org.np.: host name lookup failure
> Mar 21 20:04:51 mailhost sendmail[28291]: h2KFRDx07534: to=<bert de belder skynet be>, ctladdr=<mathura healthnet org np> (547/999), delay=22:52:33, xdelay=00:00:02, mailer=esmtp, pri=58805316, relay=relay.mx.skynet.be. [195.238.3.130], dsn=4.0.0, stat=Deferred: Connection refused by relay.mx.skynet.be.
> Mar 21 20:04:51 mailhost sendmail[28291]: h2KEXwN06710: to=<paradigm paradigmdeals com>, delay=23:25:08, xdelay=00:00:00, mailer=esmtp, pri=67982729, relay=mail.paradigmdeals.com., dsn=4.0.0, stat=Deferred: Connection timed out with mail.paradigmdeals.com.
> Mar 21 20:04:53 mailhost sendmail[28502]: h2KBQga28732: to=<mary k erickson toyrus com>, delay=1+02:53:11, xdelay=00:01:01, mailer=esmtp, pri=69151351, relay=toyrus.com. [216.102.246.27], dsn=4.0.0, stat=Deferred: Connection timed out with toyrus.com.
> Mar 21 20:04:53 mailhost sendmail[28502]: h2KEVkx06227: to=<paradigm paradigmdeals com>, delay=23:29:21, xdelay=00:00:00, mailer=esmtp, pri=77162731, relay=mail.paradigmdeals.com., dsn=4.0.0, stat=Deferred: Connection timed out with mail.paradigmdeals.com.
> Mar 21 20:04:59 mailhost sendmail[28573]: h2LE1bx28175: to=<dkapell optonline net>, ctladdr=<mathura healthnet org np> (547/999), delay=00:18:22, xdelay=00:00:35, mailer=esmtp, pri=2100788, relay=mail-relay.optonline.net. [167.206.112.6], dsn=4.0.0, stat=Deferred: 451 4.1.8 Domain of sender address mathura HEALTHNET ORG NP does not resolve
> Mar 21 20:05:02 mailhost sendmail[26998]: h2JK5Fn08657: to=<iom whorestars com>, delay=1+18:14:47, xdelay=00:00:46, mailer=esmtp, pri=148174714, relay=coaler.ai.net. [63.215.143.77], dsn=4.0.0, stat=Deferred: Connection reset by coaler.ai.net.
> Mar 21 20:05:06 mailhost sendmail[26998]: h2JE7ga02798: to=<hobbit-iom=healthnet org np jenny foxymail net>, delay=2+00:12:24, xdelay=00:00:04, mailer=esmtp, pri=272011812, relay=jenny.foxymail.net. [209.50.233.225], dsn=4.0.0, stat=Deferred: Connection refused by jenny.foxymail.net.
> Mar 21 20:05:07 mailhost sendmail[26998]: h2IJ8ga08382: to=<58-228019-healthnet org np?ilohani stderr inbox-deal com>, delay=2+19:11:24, xdelay=00:00:01, mailer=esmtp, pri=461556776, relay=stdin-mv-01.inbox-deal.com. [206.131.243.154], dsn=4.0.0, stat=Deferred: Connection refused by stdin-mv-01.inbox-deal.com.
> Mar 21 20:05:12 mailhost sendmail[28573]: h2LE1bx28175: to=<bert de belder skynet be>, ctladdr=<mathura healthnet org np> (547/999), delay=00:18:35, xdelay=00:00:13, mailer=esmtp, pri=2100788, relay=relay.mx.skynet.be. [195.238.3.130], dsn=4.0.0, stat=Deferred: 451 4.1.8 Domain of sender address mathura HEALTHNET ORG NP does not resolve
> Mar 21 20:05:15 mailhost sendmail[28583]: h2LEKDx28583: from=<>, size=3018, class=0, nrcpts=1, msgid=<E18wNIn-0003T3-00 seattle dnsrouter com>, proto=ESMTP, daemon=MTA, relay=rapti.mos.com.np [202.52.255.23]
> Mar 21 20:05:17 mailhost sendmail[28585]: h2LEKDx28583: to=<mathura healthnet org np>, delay=00:00:03, xdelay=00:00:02, mailer=ravsendmail, pri=33018, relay=mathura<@healthnet.org.np.>, dsn=2.0.0, stat=Sent
> Mar 21 20:05:21 mailhost sendmail[28589]: h2LEKLx28589: from=<owner-psydoc psycom net>, size=2814, class=-60, nrcpts=2, msgid=<A37F7A70-5B5E-11D7-89AB-00039302FCAE attbi com>, proto=ESMTP, daemon=MTA, relay=rapti.mos.com.np [202.52.255.23]
> Mar 21 20:05:21 mailhost sendmail[28591]: h2LEKLx28589: to=<mhp healthnet org np>, delay=00:00:00, xdelay=00:00:00, mailer=ravsendmail, pri=170814, relay=mhp<@healthnet.org.np.>, dsn=2.0.0, stat=Sent
> Mar 21 20:05:21 mailhost sendmail[28591]: h2LEKLx28589: to=<psychopharm healthnet org np>, delay=00:00:00, xdelay=00:00:00, mailer=ravsendmail, pri=170814, relay=psychopharm<@healthnet.org.np.>, dsn=2.0.0, stat=Sent
> 
> 
> On 21 Mar 2003 at 9:00, Joe Polk wrote:
> 
> > Check your maillog file for outgoing messages. This may be a sign
> > you're being used as a relay.
> > 
> > <<JAV>>
> > 
> > On Fri, 2003-03-21 at 08:59, nlimbu healthnet org np wrote:
> > > Hi all!
> > > 
> > > My mailserver seems to be accessing harddisk all the time. I didn't
> > > face such a situation of continuously accessing harddisk in previous
> > > times. 
> > > 
> > > Using ps command, I found only normal processes. Using top command, I
> > > found sendmail running at the top but not consuming much memory
> > > (less than 1%). When using netstat -a, I found lots of connections of
> > > sendmail and domain.
> > > 
> > > What process might be using my harddisk for such a long time (nearly
> > > whole day)? Is somebody trying to access my server or some program
> > > is acting abnormally?
> > > 
> > > Hoping for your help
> > > 
> > > With Regards
> > > Nabin Limbu
> > > HealthNet Nepal
> > > Ph : 977-1-429722
> > > 
> > > 
> > > 
> > > -- 
> > > redhat-list mailing list
> > > unsubscribe
> > > mailto:redhat-list-request redhat com?subject=unsubscribe
> > > https://listman.redhat.com/mailman/listinfo/redhat-list
> > 
> 
> 
> With Regards
> Nabin Limbu
> HealthNet Nepal
> Ph : 977-1-429722
> 
> 
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
> https://listman.redhat.com/mailman/listinfo/redhat-list
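
Added example (not part of the original thread, and not code from any poster): one way to triage a maillog like the one quoted above, counting deferred deliveries per submitting address (ctladdr) and flagging recipient domains whose relay= host has the local domain appended. The sample lines, clinic.example, the .test domains and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Matches a sendmail delivery entry: "... sendmail[pid]: queue-id: to=..., key=value, ..."
ENTRY = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>to=.*)$")

def parse_delivery(line):
    """Return the key=value fields of a delivery ("to=") entry, or None for other lines."""
    m = ENTRY.search(line)
    if not m:
        return None
    # Split only at ", " that starts a new key=, so "stat=Deferred: ..." stays whole.
    fields = dict(p.split("=", 1) for p in re.split(r", (?=\w+=)", m["rest"]))
    fields["qid"] = m["qid"]
    return fields

def summarize(lines, local_domain):
    """Count deferred deliveries per ctladdr and per recipient domain whose
    relay= host is a non-local name with local_domain appended."""
    senders, appended = Counter(), Counter()
    suffix = "." + local_domain.lower()
    for line in lines:
        f = parse_delivery(line)
        if not f or not f.get("stat", "").startswith("Deferred"):
            continue
        rcpt_domain = f["to"].strip("<>").rpartition("@")[2].lower()
        relay = f.get("relay", "").split(" ")[0].rstrip(".").lower()
        # ctladdr is "<user@domain> (uid/gid)"; some entries have none.
        senders[f.get("ctladdr", "(none)").split(" ")[0]] += 1
        if relay.endswith(suffix) and not ("." + rcpt_domain).endswith(suffix):
            appended[rcpt_domain] += 1
    return senders, appended

# Constructed sample lines in the maillog format quoted above (not real data).
P = "Mar 21 20:04:46 mailhost sendmail[101]: "
SAMPLE = [
    P + "h2LAAA000001: to=<a@promo.test>, ctladdr=<acct1@clinic.example> (770/998), delay=1+05:10:40, mailer=esmtp, relay=promo.test.clinic.example., dsn=4.0.0, stat=Deferred: Name server: promo.test.clinic.example.: host name lookup failure",
    P + "h2LAAA000002: to=<b@deals.test>, ctladdr=<acct1@clinic.example> (770/998), delay=1+06:22:21, mailer=esmtp, relay=deals.test.clinic.example., dsn=4.0.0, stat=Deferred: Name server: deals.test.clinic.example.: host name lookup failure",
    P + "h2LAAA000003: to=<c@promo.test>, delay=07:39:45, mailer=esmtp, relay=promo.test.clinic.example., dsn=4.0.0, stat=Deferred: Name server: promo.test.clinic.example.: host name lookup failure",
    P + "h2LAAA000004: to=<d@isp.test>, ctladdr=<acct2@clinic.example> (547/999), delay=22:52:33, mailer=esmtp, relay=mx.isp.test. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection refused by mx.isp.test.",
    P + "h2LAAA000005: to=<staff@clinic.example>, delay=00:00:03, mailer=local, relay=local, dsn=2.0.0, stat=Sent",
]

if __name__ == "__main__":
    senders, appended = summarize(SAMPLE, "clinic.example")
    print("deferred per ctladdr:", senders.most_common())
    print("domain-appended relay hosts:", appended.most_common())
```

Run against a real maillog by passing open("/var/log/maillog") and the server's own domain to summarize(); the path is the usual Red Hat location and is an assumption here.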






