This could have been a key logger trojan or something.
Any server has got an "Achilles heel".

The jump from 5829 msgs to 9580 in about 1 hour is not normal even for "marketing orientated" e-mail servers.
Personally, I would re-install the server, changing the ssh port and all passwords, etc.

Regards
Alex

On 08/04/2010 21:21, madmac wrote:
Well anyone that can guess my passwords must be amazing.
Let alone get through the elaborate firewall system.
ssh port is "non standard"

But I agree, this box is compromised "somehow"

File count now at 9580 and counting

----- Original Message -----
Sent: Thursday, April 08, 2010 1:39 PM
Subject: RE: [qmailtoaster] spam

I mean… It’s a wild guess, but it sure sounds like your box has been hacked… The spamming can have several causes, but why is your box trying to connect to other servers via SSH? Have you changed your passwords? Although, at this point, it’s probably too late and changing them wouldn’t do much…

Sounds like you’ve been owned.

Michael J. Colvin

NorCal Internet Services

www.norcalisp.com
From: madmac [mailto:sysad...@tricubemedia.com]
Sent: Thursday, April 08, 2010 12:23 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] spam

Now at 5829, still counting.

madmac

----- Original Message -----
From: test
Sent: Thursday, April 08, 2010 1:05 PM
Subject: [qmailtoaster] spam

I received reports today that my qmail server was spamming, and trying to get into others' ssh ports.

Many complaints and emails from ab...@otherdomain.com ( eg )

Logging in to the box, mostly unresponsive, seen a whole bunch of entries that looked dodgy

eg: ./brk ***

could not kill the process, so did a reboot.

stopped qmail, stopped named, stopped mysql etc.

created a "catch" directory

mkdir -p /var/clamav/unwanted

cd /var

chown -R clamav:clamav clamav/

Then decided to manually run a complete clamav system scan ( after getting freshclam update )

cd /

/usr/bin/clamscan -r -i --move=/var/log/clamav/unwanted/ -l /var/log/clamav/clamscan.log

Currently found 2270 infected files, mostly users' email with: Sanesecurity.Junk.27236.UNOFFICIAL FOUND ( the 27236 numbers vary )

And still scanning.

So my question would be, why is the server not stopping this when it comes in to the email?

What should I check in the configs?

Thanks all

madmac
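A small triage script, added here and not part of the thread, for the scan log the message above produces. It parses the `clamscan -i` output (one `path: SIGNATURE FOUND` line per hit, as clamscan prints it), collapses the per-signature numbers (27236, 27240, ...) into one count per family, and lists hits that fall outside the mail store separately: Sanesecurity.Junk hits inside user Maildirs are spam the server received and stored, and they do not identify the process that is sending outbound mail, whereas a flagged file under /tmp or similar is worth looking at first. The /home/vpopmail/domains/ prefix, the sample paths and the PLACEHOLDER signature names are assumptions and constructed data, not values from the thread. Also worth checking before reading the log: the mkdir above creates /var/clamav/unwanted while --move points at /var/log/clamav/unwanted/, so confirm which directory the quarantined files actually landed in.

```python
"""Summarize a `clamscan -i` log: hits per signature family, plus the hits
outside the mail store that deserve attention first.
Added example; paths and signature names below are constructed."""
from collections import Counter

# Assumption: qmailtoaster keeps virtual-domain mailboxes under this prefix.
MAIL_STORE_PREFIX = "/home/vpopmail/domains/"

# Constructed sample in the format clamscan prints with -i (infected only):
# "<path>: <signature> FOUND", followed by the scan summary block.
SAMPLE_LOG = """\
/home/vpopmail/domains/example.com/alice/Maildir/new/1270730000.123.host: Sanesecurity.Junk.27236.UNOFFICIAL FOUND
/home/vpopmail/domains/example.com/alice/Maildir/new/1270730001.124.host: Sanesecurity.Junk.27240.UNOFFICIAL FOUND
/home/vpopmail/domains/example.com/bob/Maildir/cur/1270730002.125.host:2,S: Sanesecurity.Phishing.Cur.17.UNOFFICIAL FOUND
/tmp/.hidden/brk: PLACEHOLDER.Malware.Sample FOUND
/var/tmp/.x/run.sh: PLACEHOLDER.Script.Sample FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1000000
Infected files: 5
"""


def parse_clamscan_log(text):
    """Return a list of (path, signature) for every '... FOUND' line.

    Maildir filenames legitimately contain ':' (the ':2,S' flags suffix),
    so split on the *last* ': ' rather than the first."""
    hits = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line.endswith(" FOUND"):
            continue  # summary lines and blank lines
        body = line[: -len(" FOUND")]
        path, sep, signature = body.rpartition(": ")
        if not sep:
            continue  # malformed line, skip it
        hits.append((path, signature))
    return hits


def signature_family(signature):
    """'Sanesecurity.Junk.27236.UNOFFICIAL' -> 'Sanesecurity.Junk'.
    The numeric id varies per signature; the family is what matters."""
    return ".".join(signature.split(".")[:2])


def summarize(hits, mail_prefix=MAIL_STORE_PREFIX):
    """Count hits per family and separate out anything not in the mail store."""
    by_family = Counter(signature_family(sig) for _, sig in hits)
    outside_mail = [(p, s) for p, s in hits if not p.startswith(mail_prefix)]
    return {
        "total": len(hits),
        "by_family": dict(by_family),
        "outside_mail_store": outside_mail,
    }


if __name__ == "__main__":
    import sys

    # Pass the clamscan -l log file as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(parse_clamscan_log(text))
    print(f"infected files: {report['total']}")
    for family, n in sorted(report["by_family"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:6d}  {family}")
    print("hits outside the mail store (look at these first):")
    for path, sig in report["outside_mail_store"]:
        print(f"  {path}  [{sig}]")
```

Run it as `python3 triage.py /var/log/clamav/clamscan.log` against the log the scan above writes; without an argument it runs on the constructed sample.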
