Hello,
This is beyond my limited knowledge.
My server seems to have been hacked into... I have
relaying set up only for my network addresses, but my processor is pegging
out.
There are smtp services running that I can't trace
down, coming from multiple internal IPs.
I shut down SMTP services and processor returns to
normal.
The daily syslog is over 57mb... I have posted it
at www.smgazette.com/log
Here are some of the things I am seeing...
03:25 00:05 SMTPD(010601AE) [66.239.112.100] connect 66.239.112.100 port 2217
03:25 00:06 SMTPD(010801AE) [66.239.112.100] connect 66.239.112.100 port 2221
03:25 00:07 SMTPD(010A01AE) [66.239.112.100] connect 66.239.112.100 port 2223
03:25 00:08 SMTPD(010C01AE) [66.239.112.100] connect 66.239.112.100 port 2225
03:25 00:09 SMTPD(010E01AE) [66.239.112.100] connect 66.239.112.100 port 2227
03:25 00:10 SMTPD(011001AE) [66.239.112.100] connect 66.239.112.100 port 2229
03:25 00:11 SMTPD(011201AE) [66.239.112.100] connect 66.239.112.100 port 2235
03:25 00:12 SMTPD(011401AE) [66.239.112.100] connect 66.239.112.100 port 2237

This is the IP of the mail server... connecting to
itself? Port scanning, I would assume.
It did that throughout the night... then
today...
03:25 04:31 SMTPD(01EF0204) [66.112.62.162] RCPT To:<[EMAIL PROTECTED]>
03:25 04:31 SMTPD(01EF0204) [66.112.62.162] ERR stmarieschamber.org invalid user <[EMAIL PROTECTED]
03:25 04:31 SMTPD(001C01D6) [4.33.9.88] RCPT To:<[EMAIL PROTECTED]>
03:25 04:31 SMTPD(001C01D6) [4.33.9.88] ERR stmariesidaho.com invalid user <[EMAIL PROTECTED]
03:25 04:31 SMTPD(003301BC) [64.216.84.106] RCPT To:<[EMAIL PROTECTED]>
03:25 04:31 SMTPD(003301BC) [64.216.84.106] ERR stmariesrealty.com invalid user <[EMAIL PROTECTED]
03:25 04:31 SMTPD(01AD01AE) [67.65.160.6] RCPT To:<[EMAIL PROTECTED]>
03:25 04:31 SMTPD(01AD01AE) [67.65.160.6] ERR protelresearch.com invalid user <[EMAIL PROTECTED]
03:25 04:31 SMTPD(02ED017A) [193.188.13.16] RCPT To:<[EMAIL PROTECTED]>
03:25 04:31 SMTPD(02ED017A) [193.188.13.16] ERR pinbarpunch.com invalid user <[EMAIL PROTECTED]

These look like the bounces from the hacker's
spam.
What do I look for in the log to find out exactly
where this person is coming from? I can't seem to find any reference to an
external IP so I can block it.
Thanks for the help.
Larry Mowery
Gazette Record
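The question above asks what to look for in a 57 MB SMTPD log to find the source. The script below is an added example, not code from the original post or from IMail: it parses lines in the format shown above, groups them by the hex session ID in SMTPD(...), counts "connect" lines per peer address (including the server connecting to its own IP, 66.239.112.100 in the post), separates inbound sessions that were rejected with "invalid user" from sessions on relay-allowed internal addresses that issued MAIL From and RCPT To, and ranks the latter by recipient count. The sample log is constructed for the example (session IDs, mailbox names and the internal host 192.168.1.25 are made up; the internal ranges 192.168.0.0/16 and 10.0.0.0/8 are an assumption, substitute the ranges your relay rule actually allows). Run it against the real log file instead of SAMPLE_LOG to get the same summary.

```python
"""Aggregate IMail-style SMTPD log lines by session and peer address.

Added example (not from the original post or from IMail). Peer IPs on the
"invalid user" lines are remote hosts delivering to this server; the host
injecting outbound mail shows up as a relay-allowed (internal) peer with a
MAIL From line and many RCPT To lines in one session.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# One IMail SMTPD log line: "MM:DD HH:MM SMTPD(session) [peer-ip] event..."
LINE_RE = re.compile(
    r"^(?P<date>\d\d:\d\d) (?P<time>\d\d:\d\d) "
    r"SMTPD\((?P<session>[0-9A-Fa-f]+)\) \[(?P<ip>[\d.]+)\] (?P<event>.*)$"
)

# Constructed sample in the post's log format. The first two lines mirror the
# self-connect pattern from the post; all session IDs, mailbox names and the
# internal host 192.168.1.25 are made up for this example.
SAMPLE_LOG = """\
03:25 00:05 SMTPD(010601AE) [66.239.112.100] connect 66.239.112.100 port 2217
03:25 00:06 SMTPD(010801AE) [66.239.112.100] connect 66.239.112.100 port 2221
03:25 04:31 SMTPD(01EF0204) [66.112.62.162] connect 66.112.62.162 port 3344
03:25 04:31 SMTPD(01EF0204) [66.112.62.162] RCPT To:<nobody@stmarieschamber.org>
03:25 04:31 SMTPD(01EF0204) [66.112.62.162] ERR stmarieschamber.org invalid user <nobody@stmarieschamber.org>
03:25 04:31 SMTPD(001C01D6) [4.33.9.88] connect 4.33.9.88 port 4020
03:25 04:31 SMTPD(001C01D6) [4.33.9.88] RCPT To:<ghost@stmariesidaho.com>
03:25 04:31 SMTPD(001C01D6) [4.33.9.88] ERR stmariesidaho.com invalid user <ghost@stmariesidaho.com>
03:25 04:32 SMTPD(02AA01F0) [192.168.1.25] connect 192.168.1.25 port 1099
03:25 04:32 SMTPD(02AA01F0) [192.168.1.25] MAIL From:<offer@example.org>
03:25 04:32 SMTPD(02AA01F0) [192.168.1.25] RCPT To:<target1@example.net>
03:25 04:32 SMTPD(02AA01F0) [192.168.1.25] RCPT To:<target2@example.net>
03:25 04:32 SMTPD(02AA01F0) [192.168.1.25] RCPT To:<target3@example.net>
"""


def parse_line(line):
    """Return the fields of one SMTPD log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, server_ip, internal_nets):
    """Summarize who connected, who was rejected, and who injected mail.

    server_ip: the mail server's own address, to count self-connections.
    internal_nets: CIDR strings for the ranges the relay rule allows.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    connects = Counter()   # "connect" lines per peer IP
    self_connects = 0      # connections where the peer is the server itself
    sessions = defaultdict(
        lambda: {"ip": None, "mail_from": None, "rcpt": 0, "rejected": 0}
    )

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, event = rec["ip"], rec["event"]
        sess = sessions[rec["session"]]   # all lines of one SMTP session share the ID
        sess["ip"] = ip
        if event.startswith("connect "):
            connects[ip] += 1
            if ip == server_ip:
                self_connects += 1
        elif event.startswith("MAIL From:"):
            sess["mail_from"] = event[len("MAIL From:"):].strip()
        elif event.startswith("RCPT To:"):
            sess["rcpt"] += 1
        elif "invalid user" in event:
            sess["rejected"] += 1

    injectors = Counter()  # recipients submitted per relay-allowed internal peer
    rejected = Counter()   # "invalid user" rejections per inbound peer
    for sess in sessions.values():
        addr = ipaddress.ip_address(sess["ip"])
        if sess["mail_from"] is not None and any(addr in n for n in nets):
            injectors[sess["ip"]] += sess["rcpt"]
        if sess["rejected"]:
            rejected[sess["ip"]] += sess["rejected"]

    return {
        "connects": connects,
        "self_connects": self_connects,
        "injectors": injectors,
        "rejected": rejected,
        "sessions": len(sessions),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, "66.239.112.100", ["192.168.0.0/16", "10.0.0.0/8"])
    print("connections per peer:", dict(report["connects"]))
    print("self-connections:", report["self_connects"])
    print("internal hosts injecting mail (recipient count):", dict(report["injectors"]))
    print("peers rejected with 'invalid user':", dict(report["rejected"]))
```

The host to block is whichever address turns up under "internal hosts injecting mail" with a large recipient count; the addresses on the "invalid user" lines are other people's mail servers and blocking them does nothing about the source. Point the script at the full daily log (open the file and pass its contents to analyze) rather than the excerpt.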
