EMERGENCY - need to secure my server against an ongoing SPAMMER

Paul Howarth paul at city-fan.org
Fri Mar 11 11:41:43 UTC 2005


Bob Brennan wrote:
> On Fri, 11 Mar 2005 11:06:13 +0000, Paul Howarth <paul at city-fan.org> wrote:
> 
>>Bob Brennan wrote:
>>
>>>On Fri, 11 Mar 2005 10:48:29 +0000, Paul Howarth <paul at city-fan.org> wrote:
>>>
>>>
>>>>Bob Brennan wrote:
>>>>
>>>>
>>>>>Sorry for the brevity here but I woke this morning to find my
>>>>>mailserver sending 1000+ rejected email notices to postmaster@, and it
>>>>>was increasing by the minute. I have shut down Sendmail and am
>>>>>removing all relay permissions (I hope) but have a few issues that
>>>>>need to be resolved quickly before going back online - knowing the
>>>>>spammer will be retrying and my legitimate users are losing services.
>>>>
>>>>What relaying permissions did you have?
>>>
>>>
>>>FEATURE('relay_entire_domain')
>>>HACK('popauth')
>>>...none of which worked for *me* in my continuing struggle to find a
>>>secure way to let my users use a remote MUA
>>>...both commented out for now, as well as removed all domains in the
>>>"Relay Domains" (Webmin again) file
>>
>>No real clues there, need to see a qf file as mentioned last time.
> 
> 
> Sorry - could you explain "qf" file?

The files in /var/spool/mqueue (and now also /var/spool/mqueue.spam) 
begin with either "qf" or "df" (queue file or data file). There should 
be one of each for each email. The rest of the filename is made up from 
sendmail's queue tag for that message, which also appears in 
/var/log/maillog.

I want to see what's in one of the "qf" files for one of the spam emails.

>>>>>2. MySql is shut down for some reason, I don't know if it's related to
>>>>>the attack. "service msqld status" returns "msqld dead but subsys
>>>>>locked"
>>>>
>>>>Perhaps it collapsed under the load? Will "service msqld restart"
>>>>restart it?
>>>
>>>
>>>"Timeout error occured trying to start MySQL Deamon"
>>>"Starting MySQL    [FAILED]
>>>... having to do with the "subsys locked" problem above I believe -
>>>but how to fix that?
>>
>>Doesn't "service msqld stop" clear the "subsys locked" error?
> 
> 
> no - start, stop, restart, nothing works

Try removing the lock file manually:

# rm /var/lock/subsys/mysqld

This is probably a symptom of the problem rather than being the problem 
itself though.

Paul.
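
An added example, not part of the original message: the qf/df naming described above, used to pair the two files for each queue tag, flag any message missing one of them, and count the /var/log/maillog entries carrying the same tag. The function names queue_triage and make_sample, and all sample tags, hosts and addresses, are constructed for illustration.

```shell
#!/bin/sh
# Added example. Pairs qf/df files by queue tag and counts maillog lines per tag.
# Prints: <tag> qf=<yes|no> df=<yes|no> log_lines=<n> sender=<S line or ->
queue_triage() {
    qdir=$1; log=$2
    # The tag is the filename minus its two-letter qf/df prefix.
    for f in "$qdir"/qf* "$qdir"/df*; do
        [ -e "$f" ] || continue
        base=${f##*/}
        echo "${base#??}"
    done | sort -u | while read -r tag; do
        qf=no; df=no; sender=-
        if [ -f "$qdir/qf$tag" ]; then
            qf=yes
            # In a qf file the line starting with S is the envelope sender.
            s=$(sed -n 's/^S//p' "$qdir/qf$tag" | head -n 1)
            if [ -n "$s" ]; then sender=$s; fi
        fi
        if [ -f "$qdir/df$tag" ]; then df=yes; fi
        # The same tag, followed by a colon, prefixes each maillog entry.
        n=$(grep -c -F -- "$tag:" "$log" 2>/dev/null) || true
        echo "$tag qf=$qf df=$df log_lines=${n:-0} sender=$sender"
    done
}

# Constructed sample data (hypothetical tags, hosts and addresses).
make_sample() {
    mkdir -p "$1/mqueue"
    printf 'S<sender@example.invalid>\n' > "$1/mqueue/qfj2BB1aQ1001234"
    echo body > "$1/mqueue/dfj2BB1aQ1001234"
    printf 'S<>\n' > "$1/mqueue/qfj2BB1bQ1001235"   # qf without df
    echo body > "$1/mqueue/dfj2BB1cQ1001236"        # df without qf
    cat > "$1/maillog" <<'EOF'
Mar 11 09:00:01 mail sendmail[2001]: j2BB1aQ1001234: from=<sender@example.invalid>, relay=[192.0.2.10]
Mar 11 09:00:02 mail sendmail[2002]: j2BB1aQ1001234: to=<user@example.net>, stat=Deferred
Mar 11 09:00:05 mail sendmail[2003]: j2BB1bQ1001235: from=<>, relay=localhost
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
queue_triage "$demo/mqueue" "$demo/maillog"
rm -rf "$demo"
```

On a real system, run queue_triage against a copy of the queue directory and the log rather than the live spool, so the evidence is not disturbed while sendmail is stopped.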




