Well anyone that can guess my passwords must be amazing.
Let alone get through the elaborate firewall system.
ssh port is "non-standard"

But I agree, this box is compromised "somehow"

File count now at 9580 and counting


  ----- Original Message ----- 
  From: Michael Colvin 
  To: qmailtoaster-list@qmailtoaster.com 
  Sent: Thursday, April 08, 2010 1:39 PM
  Subject: RE: [qmailtoaster] spam


  I mean... It's a wild guess, but it sure sounds like your box has been hacked.  
The spamming can have several causes, but why is your box trying to connect to 
other servers via SSH?  Have you changed your passwords?  Although, at this 
point, it's probably too late and changing them wouldn't do much.

   

  Sounds like you've been owned.

   

   

  Michael J. Colvin

  NorCal Internet Services

  www.norcalisp.com

   



   


------------------------------------------------------------------------------

  From: madmac [mailto:sysad...@tricubemedia.com] 
  Sent: Thursday, April 08, 2010 12:23 PM
  To: qmailtoaster-list@qmailtoaster.com
  Subject: Re: [qmailtoaster] spam

   

  Now at 5829 , still counting.

   

  madmac

    ----- Original Message ----- 

    From: test 

    To: qmailtoaster-list@qmailtoaster.com 

    Sent: Thursday, April 08, 2010 1:05 PM

    Subject: [qmailtoaster] spam

     

    I received reports today that my qmail server was spamming, and trying to 
get into others' ssh ports.

    Many complaints and emails from ab...@otherdomain.com ( eg )

     

    Logging in to the box, mostly unresponsive, seen a whole bunch of entries 
that looked dodgy

     

    eg: ./brk ***

    could not kill the process, so did a reboot.

    stopped qmail, stopped named, stopped mysql etc.

     

    created a " catch " directory

    mkdir -p /var/clamav/unwanted

    cd /var

    chown -R clamav:clamav clamav/

    Then decided to manually run a complete clamav system scan ( after getting 
freshclam update ) 

    cd /

    /usr/bin/clamscan -r -i --move=/var/log/clamav/unwanted/ -l /var/log/clamav/clamscan.log

     

    Currently found 2270 infected files , mostly users email with : 
Sanesecurity.Junk.27236.UNOFFICIAL FOUND ( the 27236 numbers vary )

    And still scanning.

     

     

    So my question would be, why is the server not stopping this when it comes 
in to the email?

     

    What should I check in the configs?

     

    Thanks all

    madmac
