Help! Is this an attack or a virus? Qmail on FBSD is flooding
viktorlazlo at telus.net
Thu Jul 17 02:51:58 PDT 2003
On Thu, 17 Jul 2003 keith at smmc.qld.edu.au wrote:
> Hi good people.
> I am not the cluiest here.
> Suddenly my fbsd 4.7. qmail router/gateway is dead slow and
> ps -ax reports all normal procs plus heaps! of procs like...
> 5567 (some flags) 0:00:02 qmail-remote hotmail.com
> reaf_ha99 at smmc.qld.edu.au
> The address is one of my user email accounts on qmail
> What is this? Is it possible FBSD has a virus or is it a suddenly
> rogue/corrupted qmail?
> Where else can I look to track this down?
> I have ipfilter/ipmon/ipnat on it too.
> I disconnected router from internal LAN and rebooted and after a while it
> started doing it again!
> So it is something on the machine.
> Help please needed badly...typical..it's mission critical in our school
> Thanks Keith
Just a guess but if only mail activity is reported and only for that
user's account it sounds like your mail server is being used to churn out
massive amounts of spam or hammer other mail servers to harvest valid
addresses either because it's an open relay or because someone has cracked
that user's account.
Disable that user's account and set your firewall and your mail server's
access database to block any IPs and hostnames that the activity seems to
be coming from and see if the box returns to normal. If multiple accounts
are being used it's possible the box itself has been rooted rather than
the individual accounts being cracked.
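
As a triage aid for the situation discussed above (an added example, not part of the original post): the script below counts remote deliveries per envelope sender from a qmail-send log and shows the uid that queued each message, which helps tell one abused account from several. It assumes qmail-send's usual `info msg` and `starting delivery` log lines; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes qmail-send's usual
# log lines, with any timestamp prefix in front of them:
#   info msg <id>: bytes <n> from <sender> qp <pid> uid <uid>
#   starting delivery <n>: msg <id> to remote <recipient>

# Read a qmail-send log on stdin; print "<remote deliveries> <sender> uid=<uid>".
qmail_top_senders() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if ($i == "info" && $(i+1) == "msg") {
                id = $(i+2); sub(/:$/, "", id)
                # A reused message id simply overwrites the older mapping.
                for (j = i; j < NF; j++) {
                    if ($j == "from") sender[id] = $(j+1)
                    if ($j == "uid")  uid[id] = $(j+1)
                }
                break
            }
            if ($i == "starting" && $(i+1) == "delivery" && $(i+6) == "remote") {
                id = $(i+4)   # field after "msg"; local deliveries are ignored
                key = (id in sender) ? sender[id] " uid=" uid[id] : "unknown uid=?"
                count[key]++
                break
            }
        }
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample log (addresses, ids and uids are made up).
sample_log() {
    cat <<'EOF'
1058435501.1 new msg 4411
1058435501.2 info msg 4411: bytes 2048 from <user1@school.example> qp 5560 uid 82
1058435501.3 starting delivery 1: msg 4411 to remote a@mail.example.net
1058435501.4 starting delivery 2: msg 4411 to remote b@mail.example.net
1058435502.1 end msg 4411
1058435503.2 info msg 4411: bytes 2050 from <user1@school.example> qp 5567 uid 82
1058435503.3 starting delivery 3: msg 4411 to remote c@mail.example.net
1058435504.2 info msg 4412: bytes 900 from <user2@school.example> qp 5570 uid 1001
1058435504.3 starting delivery 4: msg 4412 to local user1@school.example
1058435504.4 starting delivery 5: msg 4412 to remote d@mail.example.org
EOF
}

sample_log | qmail_top_senders
```

Compare the uid in the output with the account qmail-smtpd runs under (qmaild in a default install): a match means the mail arrived over SMTP, while a local user's uid means it was injected on the box itself.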