So as to help us, what is the IP address of your server, and what are the addresses listed in your relay for address setting?

John Tolmachoff MCSE, CSSA

IT Manager, Network Engineer

RelianceSoft, Inc.

Fullerton, CA 92835

www.reliancesoft.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry @ SMGazette.com
Sent: Tuesday, March 25, 2003 12:07 PM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] Unauthorized SMTP

Hello,

This is beyond my limited knowledge.

My server seems to have been hacked into... I have relaying set up only for my network addresses, but my processor is pegging out.

There are SMTP services running that I can't trace down, coming from multiple internal IPs.

I shut down SMTP services and the processor returns to normal.

The daily syslog is over 57 MB... I have posted it at www.smgazette.com/log

Here are some of the things I am seeing...

03:25 00:05 SMTPD(010601AE) [66.239.112.100] connect 66.239.112.100 port 2217
03:25 00:06 SMTPD(010801AE) [66.239.112.100] connect 66.239.112.100 port 2221
03:25 00:07 SMTPD(010A01AE) [66.239.112.100] connect 66.239.112.100 port 2223
03:25 00:08 SMTPD(010C01AE) [66.239.112.100] connect 66.239.112.100 port 2225
03:25 00:09 SMTPD(010E01AE) [66.239.112.100] connect 66.239.112.100 port 2227
03:25 00:10 SMTPD(011001AE) [66.239.112.100] connect 66.239.112.100 port 2229
03:25 00:11 SMTPD(011201AE) [66.239.112.100] connect 66.239.112.100 port 2235
03:25 00:12 SMTPD(011401AE) [66.239.112.100] connect 66.239.112.100 port 2237

This is the IP of the mail server... connecting to itself? Port scanning I would assume.

It did that throughout the night... then today...

03:25 04:31 SMTPD(01EF0204) [66.112.62.162] RCPT To:<[EMAIL PROTECTED]>
03:25 04:31 SMTPD(01EF0204) [66.112.62.162] ERR stmarieschamber.org invalid user <[EMAIL PROTECTED]
03:25 04:31 SMTPD(001C01D6) [4.33.9.88] RCPT To:<[EMAIL PROTECTED]>
03:25 04:31 SMTPD(001C01D6) [4.33.9.88] ERR stmariesidaho.com invalid user <[EMAIL PROTECTED]
03:25 04:31 SMTPD(003301BC) [64.216.84.106] RCPT To:<[EMAIL PROTECTED]>
03:25 04:31 SMTPD(003301BC) [64.216.84.106] ERR stmariesrealty.com invalid user <[EMAIL PROTECTED]
03:25 04:31 SMTPD(01AD01AE) [67.65.160.6] RCPT To:<[EMAIL PROTECTED]>
03:25 04:31 SMTPD(01AD01AE) [67.65.160.6] ERR protelresearch.com invalid user <[EMAIL PROTECTED]
03:25 04:31 SMTPD(02ED017A) [193.188.13.16] RCPT To:<[EMAIL PROTECTED]>
03:25 04:31 SMTPD(02ED017A) [193.188.13.16] ERR pinbarpunch.com invalid user <[EMAIL PROTECTED]

These look like the bounces from the hacker's spam.

What do I look for in the log to find out exactly where this person is coming from? I can't seem to find any reference to an external IP so I can block it.

Thanks for the help.

Larry Mowery

Gazette Record
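One way to triage a log like this, as an added example that is not from the post or from IMail: tally each peer IP's distinct sessions, connects, RCPT attempts and invalid-user rejections, so the external addresses behind the traffic stand out from the server's own address. The sample lines are constructed from the post (recipient addresses replaced with example.com placeholders, the 04:32 session made up); the server IP 66.239.112.100 is the one the post identifies as the mail server, and the internal-prefix parameter is an assumption.

```python
import re
from collections import defaultdict

# IMail SMTPD log layout as seen in the post: "MM:DD HH:MM SMTPD(session) [peer-ip] message"
LINE_RE = re.compile(
    r"^(?P<date>\d\d:\d\d) (?P<time>\d\d:\d\d) SMTPD\((?P<session>[0-9A-Fa-f]+)\) "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)

# Constructed sample modelled on the post's lines (placeholder addresses; 04:32 session is made up)
SAMPLE_LOG = """\
03:25 00:05 SMTPD(010601AE) [66.239.112.100] connect 66.239.112.100 port 2217
03:25 00:06 SMTPD(010801AE) [66.239.112.100] connect 66.239.112.100 port 2221
03:25 04:31 SMTPD(01EF0204) [66.112.62.162] RCPT To:<user@example.com>
03:25 04:31 SMTPD(01EF0204) [66.112.62.162] ERR stmarieschamber.org invalid user <user@example.com
03:25 04:31 SMTPD(001C01D6) [4.33.9.88] RCPT To:<user@example.com>
03:25 04:31 SMTPD(001C01D6) [4.33.9.88] ERR stmariesidaho.com invalid user <user@example.com
03:25 04:32 SMTPD(01EF0205) [66.112.62.162] RCPT To:<other@example.com>
03:25 04:32 SMTPD(01EF0205) [66.112.62.162] ERR stmarieschamber.org invalid user <other@example.com
""".splitlines()

def parse_line(line):
    """Split one SMTPD line into its fields; None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, server_ip, internal_prefixes=()):
    """Per peer IP: sessions, connects, RCPTs, invalid-user errors; external peers first, busiest first."""
    stats = defaultdict(lambda: {"sessions": set(), "connect": 0, "rcpt": 0, "invalid_user": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate unrelated lines in a large syslog
        s = stats[rec["ip"]]
        s["sessions"].add(rec["session"])
        msg = rec["msg"]
        if msg.startswith("connect "):
            s["connect"] += 1
        elif msg.startswith("RCPT To:"):
            s["rcpt"] += 1
        elif msg.startswith("ERR ") and "invalid user" in msg:
            s["invalid_user"] += 1
    rows = []
    for ip, s in stats.items():
        # the server's own IP and assumed internal prefixes (e.g. "192.168.") sort last
        internal = ip == server_ip or ip.startswith(tuple(internal_prefixes))
        rows.append({"ip": ip, "self": ip == server_ip, "internal": internal,
                     "sessions": len(s["sessions"]), "connect": s["connect"],
                     "rcpt": s["rcpt"], "invalid_user": s["invalid_user"]})
    rows.sort(key=lambda r: (r["internal"], -r["sessions"], r["ip"]))
    return rows
```

Run `summarize(SAMPLE_LOG, server_ip="66.239.112.100")` to get the table; the external peers at the top are the candidates to look at, while the server's own address (the self-connects in the post) is listed last so it is not mistaken for the source.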
