topic Re: mail questions , maybe a hacker ? in Operating System - HP-UX

mail questions , maybe a hacker ?

someone_4 — Mon, 26 Nov 2001 16:07:17 GMT

Hey everyone
I hope everyone had a good long weekend.Well over the weekend we had a server that had some issue with /var getting full. After digging around I found the big files were in /var/spool/mqueue. Theese files were huge emails with atachments that were just sitting there. The thing is this is not a mail server at all. No dns no nothing.It is running a website. And it is open to the public. I have attached part of my mail.log. My questions are how can I find who is doing this and what they are doing?
Also I moved the files in the mailq to another dir. have a crash and burn pc set up where I can check theese atachments.Soi f I move them back to /var/spool/mqueue can I force them to be sent to a specific email? Any other advice would be helpfull.

Thanks
Richard

Re: mail questions , maybe a hacker ?

harry d brown jr — Mon, 26 Nov 2001 16:12:28 GMT

Richard,

What kind of products do you have installed on your host? The mail log looked like it was trying send something to prodigy.net and blackplanet.com.

live free or die
harry

Re: mail questions , maybe a hacker ?

Uday_S_Ankolekar — Mon, 26 Nov 2001 16:21:15 GMT

Hi,
Mails are from prodigy.net to blackplanet.com.
You've some large size mails got stuck in mail queue. You can check the details of this mail by opening files start with letter q in /var/spool/mqueue directory and then take action accordingly

Goodluck
-USA.

Re: mail questions , maybe a hacker ?

S.K. Chan — Mon, 26 Nov 2001 16:23:58 GMT

I don't think you can force the file in /var/spool/mqueue to be sent to specific email. Looking at the content of that file is as good as looking as reading the email itself. Examine these huge files will give you some indication what is being sent out. As for who is sending it, in my opinion a few areas to look for clues ..
- syslog file
- browser history/cache log

Re: mail questions , maybe a hacker ?

John Bolene — Mon, 26 Nov 2001 16:25:19 GMT

Looks like someone trying to use your server to relay mail.

You can shutdown sendmail in /etc/rc.config.d/mailservs or turn off port 25 in /etc/services.

From the size of them, it must have slowed your webserver access down.

Re: mail questions , maybe a hacker ?

Volker Borowski — Mon, 26 Nov 2001 16:25:20 GMT

Richard,

first of all, if you do not use mail on this computer, turn of either sendmail or block port 25/tcp in your firewall for this host.

Since your server does not seem to have internet DNS configured, all the attempted mail delivery did not work.

This looks very much, like someone wants to use your server as a mail relay, which could be a quite costy thing.

Check your public mailservers as well, for relay features. A public mailserver configured as an "open relay" might be missused.

Hope this helps
Volker

Re: mail questions , maybe a hacker ?

Joseph Chakkery — Mon, 26 Nov 2001 16:26:25 GMT

Hello,

Looks like it is failing to reach relay host name.

Check /var/adm/syslog/mail.log for more details.

Regards
Joe.

Re: mail questions , maybe a hacker ?

harry d brown jr — Mon, 26 Nov 2001 16:33:20 GMT

Richard,

secure your server:

http://people.hp.se/stevesk/bastion.html

live free or die
harry

Re: mail questions , maybe a hacker ?

Sridhar Bhaskarla — Mon, 26 Nov 2001 16:33:40 GMT

The mails are coming from projedy.net.mx and are trying to go to blackplanet.com through your server. So, obviously your server is being unsuccessfully used as a relay.

If the purpose of this server is only for web, you can turn off sendmail on it and comment out 25 from your services.

-Sri

Re: mail questions , maybe a hacker ?

Tony Rose — Tue, 12 Feb 2002 22:18:00 GMT

Richard:

I have a mail server that is having this same problem with prodigy.net.mx. Did you ever find out a resolution to this problem other than shutting down sendmail?

Re: mail questions , maybe a hacker ?

Stefan Schulz — Wed, 13 Feb 2002 08:26:19 GMT

Hi,

i don't think somebody did break into your system. But somebody found your server has open ports.

So he tried to missuse your system. The damage is not done to the system itselfe, but it costs your money and resources.

Check your system for unused open ports and close them as a first reaction.

Someone has postet the link to the bastion host documents; have a look at them.

I would save the logs and mailfiles in case you or your company decides to take them to the police.

Regards Stefan

Re: mail questions , maybe a hacker ?

Craig Rants — Wed, 13 Feb 2002 10:15:33 GMT

Tony,
They are probably using your and Richards servers as email relays. A lot of people actually blacklist open email relay sites, to check it out go to orbz.org and see if any mail servers in your netblock are listed as open email relays. If not, have them test your server, then see what they say. They will usually recommend how to fix the problem.

GL,
C

Re: mail questions , maybe a hacker ?

someone_4 — Wed, 13 Feb 2002 16:45:28 GMT

Hey everyone .. I totaly forgot about this post. But anyways .. I was a relay problem I upgraded to 8.9.3 and turned on the anti relay features and we done.

Thanks everyone
for your help
Richard

Re: mail questions , maybe a hacker ?

Tony Rose — Wed, 17 Apr 2002 17:49:26 GMT

Hey guys, I know it has been a while since this forum was updated, but I have some information on prodigy.net.mx. This is a domain that mail is sent to if a computer has the Sircam virus. We have lots of resident students who had this virus, and my mail server was getting slammed hard. I don't know if this was Richard's problem or not, but I thought I would mention it in case someone caught this discussion while searching on prodigy.net.mx.

Also, the blackplanet domain is one that is used by a common spammer, so I would tend to believe that Richard's problem was more along the lines of someone trying to relay, rather than the Sircam.

Cheers,
-tr