On Tuesday 25 November 2008 02:02 pm, Randall Whitman wrote:

> Does fuser(1) help any?  fuser + netstat?

Thanks for the prompt reply, Randall.  Nothing from fuser, but this only 
happens a few times a day (yet enough to get blocked by Barracuda and 
warned by AOL), totalling a few hundred emails daily.

If check.cgi appears again in top I'll look at it in fuser, but top 
shows that apache owns it; I'd bet that fuser will say the same.

> Do you allow logins to the box?  Is anyone logged in?

Yes to the first question, and no to the second.  I've grepped the 
secure file; I've been the only person to successfully log in through 
ssh in the last 4-1/2 weeks.  While I don't think that's the cause I am 
thinking of switching to an obscure port.

> If you declare an emergency maintenance window and take down webmail
> for 5min, does that change anything?  (is webmail being abused some
> weird way?)

If I could catch it when it happened I could try taking down webmail, 
but it doesn't seem to happen while/when I watch.  However I have an 
idea to check the webmail issue...

> You have intrusion detection?

For example, what?

> Does it show changes to any files?

For example, what should I use, what should I look for?

> port scan?

It's happening inside the box to port 127.0.0.1.  I don't know what I'd 
look at with a port scan.

> /var/log/warn?

I don't have any file /var/log/warn.  This is CentOS 3.9 final.

> fully patched?

Yes for stuff I maintain.  For scripts my clients use, who knows 
<frown>.

I may have come up with a fix.  I've switched squirrelmail (or webmail 
program) to use the sendmail interface instead of SMTP on localhost.

And I've blocked email coming from localhost via SMTP.

I wonder if that'll work.  I've spoken to a few web programmers who tell 
me that by default most/all/somenumber of php/cgi/pl programs sending 
mail do it through the sendmail interface, and NOT smtp to localhost.

If that's true, I may have nipped this.  Here's hoping.

Again thanks for your great ideas.

Jeff
-- 
Jeff Lasman, Nobaloney Internet Services
P.O. Box 52200, Riverside, CA  92517
Our jplists address used on lists is for list email only
voice:  +1 951 643-5345, or see: http://www.nobaloney.net/contactus.html
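The thread's fix hinges on the difference between mail handed in through the sendmail binary (logged as relay=user@localhost) and mail relayed over SMTP to the local listener (logged with relay=... [127.0.0.1]). The script below is an added example, not part of the thread: it parses constructed sendmail maillog lines, counts submissions per relay, and flags windows in which SMTP submissions from 127.0.0.1 cluster, so the burst can be matched against web-server access logs by time and so the localhost SMTP block can be verified afterwards. Hostnames, queue ids and addresses in the sample are made up.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sendmail maillog excerpt (not from the thread): one message
# handed in through the sendmail binary, one delivery (to=) line, and four
# submissions relayed over SMTP from 127.0.0.1 within two minutes.
SAMPLE_LOG = """\
Nov 25 14:01:10 mx sendmail[2101]: mAPM1Aab002101: from=<apache@mx.example>, size=812, class=0, nrcpts=1, msgid=<a1@mx.example>, relay=apache@localhost
Nov 25 14:01:11 mx sendmail[2102]: mAPM1Bcd002102: from=<promo@example.net>, size=1200, class=0, nrcpts=1, msgid=<b2@example.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 25 14:01:12 mx sendmail[2102]: mAPM1Bcd002102: to=<u1@aol.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31200, relay=mx.aol.example. [192.0.2.10], dsn=2.0.0, stat=Sent
Nov 25 14:01:13 mx sendmail[2103]: mAPM1Def002103: from=<promo@example.net>, size=1200, class=0, nrcpts=1, msgid=<b3@example.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 25 14:02:40 mx sendmail[2104]: mAPM2Eab002104: from=<promo@example.net>, size=1201, class=0, nrcpts=1, msgid=<b4@example.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 25 14:02:41 mx sendmail[2105]: mAPM2Fcd002105: from=<promo@example.net>, size=1201, class=0, nrcpts=1, msgid=<b5@example.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
"""

# Only from= (envelope submission) lines carry the submitting relay; to=
# delivery lines name the destination MX instead, so they do not match.
SUBMIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>.*?relay=(?P<relay>\S+)(?: \[(?P<ip>[\d.]+)\])?$")

def parse_submissions(log_text):
    """Return one dict per envelope submission found in the log text."""
    records = []
    for line in log_text.splitlines():
        m = SUBMIT_RE.match(line)
        if m:
            rec = m.groupdict()
            # syslog stamps carry no year; year 1900 is fine for bucketing
            rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
            records.append(rec)
    return records

def count_by_relay(records):
    """Submissions per relay: 'user@localhost' means the sendmail binary,
    '... [127.0.0.1]' means SMTP to the local listener."""
    return Counter(r["relay"] + (f" [{r['ip']}]" if r["ip"] else "") for r in records)

def localhost_smtp_bursts(records, window_min=10, threshold=3):
    """Sorted (window_start, count) pairs where SMTP submissions from
    127.0.0.1 reach the threshold; an empty list after the fix is the check."""
    buckets = defaultdict(int)
    for r in records:
        if r["ip"] == "127.0.0.1":
            ts = r["ts"]
            start = ts.replace(minute=ts.minute // window_min * window_min, second=0)
            buckets[start] += 1
    return sorted((s, n) for s, n in buckets.items() if n >= threshold)
```

On a real box, feed `parse_submissions(open("/var/log/maillog").read())` to the two functions; the burst window start times are what to look up in the Apache access log to find the script that was running.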
