Help! Is this an attack or a virus? Qmail on FBSD is flooding

keith at smmc.qld.edu.au keith at smmc.qld.edu.au
Thu Jul 17 05:29:35 PDT 2003


Hi Viktor, thanks,
I had deleted that one person's account but it still happens!
What is the qmail-remote thing??
Any ideas?
Keith


>
> On Thu, 17 Jul 2003 keith at smmc.qld.edu.au wrote:
>
>> Hi good people.
>> I am not the clueiest here.
>> Suddenly my fbsd 4.7. qmail router/gateway is dead slow and
>> ps -ax reports all normal procs plus heaps! of procs like...
>>
>> 5567    (some flags)  0:00:02 qmail-remote hotmail.com
>> reaf_ha99 at smmc.qld.edu.au
>>
>> The address is one of my user email accounts on qmail
>>
>> What is this? Is it possible FBSD has a virus or is it a suddenly
>> rogue/corrupted qmail?
>> Where else can I look to track this down?
>> I have ipfilter/ipmon/ipnat on it too.
>>
>> I disconnected router from internal LAN and rebooted and after a while
>> it started doing it again!
>> So it is something on the machine.
>> Help please needed badly...typical..it's mission critical in our school
>> Thanks Keith
>
> Just a guess but if only mail activity is reported and only for that
> user's account it sounds like your mail server is being used to churn
> out massive amounts of spam or hammer other mail servers to harvest
> valid addresses either because it's an open relay or because someone has
> cracked that user's account.
>
> Disable that user's account and set your firewall and your mail server's
> access database to block any IPs and hostnames that the activity seems
> to be coming from and see if the box returns to normal.  If multiple
> accounts are being used it's possible the box itself has been rooted
> rather than the individual accounts being cracked.
>
> Cheers,
>
> Viktor
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
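
A triage helper for the symptom described in this thread, added here as an example and not part of the original messages: it tallies running qmail-remote processes by envelope sender and destination host, relying on qmail-remote's argument order (host, sender, recipients). The function names and the sample ps lines are constructed for illustration.

```shell
#!/bin/sh
# qmail-remote is started as: qmail-remote host sender recip [recip ...]
# so the two words after the command name identify where mail is going
# and which envelope sender it claims to come from.

# Reads ps output on stdin, prints "COUNT SENDER -> HOST", busiest first.
summarize_qmail_remote() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                # Match the bare name or a full path ending in qmail-remote.
                if ($i ~ /(^|\/)qmail-remote$/ && i + 2 <= NF) {
                    count[$(i + 2) " -> " $(i + 1)]++
                    break
                }
            }
        }
        END {
            for (k in count) printf "%d %s\n", count[k], k
        }
    ' | sort -rn
}

# Constructed sample input (not taken from the thread).
sample_ps() {
    cat <<'EOF'
  PID  TT  STAT      TIME COMMAND
  310  ??  S      0:00.41 qmail-send
 5567  ??  S      0:00.02 qmail-remote mx.example.net user1@example.org a@mx.example.net
 5568  ??  S      0:00.02 qmail-remote mx.example.net user1@example.org b@mx.example.net
 5570  ??  S      0:00.01 qmail-remote mx.example.net user1@example.org c@mx.example.net
 5571  ??  S      0:00.01 qmail-remote mail.example.com user1@example.org d@mail.example.com
 5580  ??  S      0:00.01 qmail-remote mail.example.com user2@example.org e@mail.example.com
EOF
}

# Demo on the constructed sample. On a live FreeBSD box, feed it real
# process data instead:  ps -axww | summarize_qmail_remote
sample_ps | summarize_qmail_remote
```

One sender dominating the tally points at a single abused or compromised account; many unrelated senders point at relaying or a wider compromise, which is the distinction drawn in the reply above. A message with an empty envelope sender (a bounce) shifts the fields, so its recipient appears in the sender column.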




