Well, anyone that can guess my passwords must be amazing. Let alone get through the elaborate firewall system. ssh port is "non standard".
But I agree, this box is compromised "somehow".

File count now at 9580 and counting.

----- Original Message -----
From: Michael Colvin
To: qmailtoaster-list@qmailtoaster.com
Sent: Thursday, April 08, 2010 1:39 PM
Subject: RE: [qmailtoaster] spam

I mean. It's a wild guess, but it sure sounds like your box has been hacked. The spamming can have several causes, but why is your box trying to connect to other servers via SSH? Have you changed your passwords? Although, at this point, it's probably too late and changing them wouldn't do much. Sounds like you've been owned.

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

------------------------------------------------------------------------------
From: madmac [mailto:sysad...@tricubemedia.com]
Sent: Thursday, April 08, 2010 12:23 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] spam

Now at 5829, still counting.

madmac

----- Original Message -----
From: test
To: qmailtoaster-list@qmailtoaster.com
Sent: Thursday, April 08, 2010 1:05 PM
Subject: [qmailtoaster] spam

I received reports today that my qmail server was spamming, and trying to get into others' ssh ports.
Many complaints and emails from ab...@otherdomain.com (eg).

Logging in to the box, mostly unresponsive, saw a whole bunch of entries that looked dodgy, eg: ./brk ***
Could not kill the process, so did a reboot.
Stopped qmail, stopped named, stopped mysql etc.

Created a "catch" directory:

mkdir -p /var/clamav/unwanted
cd /var
chown -R clamav:clamav clamav/

Then decided to manually run a complete clamav system scan (after getting freshclam update):

cd /
/usr/bin/clamscan -r -i --move=/var/log/clamav/unwanted/ -l /var/log/clamav/clamscan.log

Currently found 2270 infected files, mostly users' email with:

Sanesecurity.Junk.27236.UNOFFICIAL FOUND (the 27236 numbers vary)

And still scanning.

So my question would be, why is the server not stopping this when it comes in to the email? What should I check in the configs?

Thanks all
madmac