Re: mail questions , maybe a hacker ?

11-26-2001 08:07 AM
I hope everyone had a good long weekend. Well, over the weekend we had a server that had some issue with /var getting full. After digging around I found the big files were in /var/spool/mqueue. These files were huge emails with attachments that were just sitting there. The thing is, this is not a mail server at all. No DNS, no nothing. It is running a website. And it is open to the public. I have attached part of my mail.log. My questions are: how can I find who is doing this and what they are doing?
Also, I moved the files in the mailq to another dir. I have a crash and burn PC set up where I can check these attachments. So if I move them back to /var/spool/mqueue, can I force them to be sent to a specific email? Any other advice would be helpful.
Thanks
Richard

11-26-2001 08:12 AM
What kind of products do you have installed on your host? The mail log looked like it was trying to send something to prodigy.net and blackplanet.com.
live free or die
harry

11-26-2001 08:21 AM
Mails are from prodigy.net to blackplanet.com.
You have some large mails stuck in the mail queue. You can check the details of this mail by opening the files that start with the letter q in the /var/spool/mqueue directory, and then take action accordingly.
Good luck
-USA.

11-26-2001 08:23 AM
- syslog file
- browser history/cache log

11-26-2001 08:25 AM
You can shut down sendmail in /etc/rc.config.d/mailservs or turn off port 25 in /etc/services.
From the size of them, it must have slowed your webserver access down.

11-26-2001 08:25 AM
First of all, if you do not use mail on this computer, either turn off sendmail or block port 25/tcp in your firewall for this host.
Since your server does not seem to have internet DNS configured, all the attempted mail delivery did not work.
This looks very much like someone wants to use your server as a mail relay, which could be quite a costly thing.
Check your public mailservers as well, for relay features. A public mailserver configured as an "open relay" might be misused.
Hope this helps
Volker

11-26-2001 08:26 AM
Looks like it is failing to reach relay host name.
Check /var/adm/syslog/mail.log for more details.
Regards
Joe.
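
One way to answer "who is doing this" from mail.log, as an added example that is not part of the original thread: it groups relay attempts (external sender and external recipient) by the connecting host in sendmail's `relay=` field. The log lines are constructed samples in sendmail's usual syslog layout, and `corp.example` is a placeholder for the server's own domain.

```shell
#!/bin/sh
# Constructed sample in sendmail's syslog format (not the poster's real mail.log).
sample_log() {
cat <<'EOF'
Nov 24 02:11:07 www1 sendmail[4121]: CAA04121: from=<a1@prodigy.example>, size=4812345, class=0, pri=4842345, nrcpts=1, proto=SMTP, relay=dialup7.prodigy.example [192.0.2.45]
Nov 24 02:11:09 www1 sendmail[4123]: CAA04121: to=<u1@blackplanet.example>, delay=00:00:02, mailer=esmtp, stat=Deferred: Name server: host name lookup failure
Nov 24 02:14:30 www1 sendmail[4130]: CAA04130: from=<a2@prodigy.example>, size=5120000, class=0, pri=5150000, nrcpts=2, proto=SMTP, relay=dialup7.prodigy.example [192.0.2.45]
Nov 24 02:14:31 www1 sendmail[4132]: CAA04130: to=<u2@blackplanet.example>,<u3@blackplanet.example>, delay=00:00:01, mailer=esmtp, stat=Deferred: Name server: host name lookup failure
Nov 24 03:00:00 www1 sendmail[4200]: DAA04200: from=root, size=612, class=0, pri=30612, nrcpts=1, relay=root@localhost
Nov 24 03:00:00 www1 sendmail[4202]: DAA04200: to=<admin@corp.example>, delay=00:00:00, mailer=local, stat=Sent
Nov 24 03:11:07 www1 sendmail[4300]: CAA04121: to=<u1@blackplanet.example>, delay=01:00:00, mailer=esmtp, stat=Deferred: Name server: host name lookup failure
Nov 24 04:02:10 www1 sendmail[4410]: EAA04410: from=<x@partner.example>, size=2048, class=0, pri=32048, nrcpts=1, proto=SMTP, relay=mx.partner.example [198.51.100.9]
Nov 24 04:02:10 www1 sendmail[4412]: EAA04410: to=<webmaster@www1.corp.example>, delay=00:00:00, mailer=local, stat=Sent
Nov 24 05:30:00 www1 sendmail[4500]: FAA04500: from=<b@bulk.example>, size=1000000, class=0, pri=1030000, nrcpts=1, proto=SMTP, relay=out.bulk.example [203.0.113.17]
Nov 24 05:30:02 www1 sendmail[4502]: FAA04500: to=<v@third.example>, delay=00:00:02, mailer=esmtp, stat=Deferred: Name server: host name lookup failure
EOF
}

# relay_summary LOCAL_DOMAIN < mail.log
# Prints "bytes<TAB>messages<TAB>connecting host", largest first, counting each
# queue ID once even when a deferred message is retried on later queue runs.
relay_summary() {
  awk -v dom="$1" '
  function val(key,   i, r, j) {        # value of " key=" up to the next ", "
    i = index($0, " " key "="); if (!i) return ""
    r = substr($0, i + length(key) + 2)
    j = index(r, ", "); return j ? substr(r, 1, j - 1) : r
  }
  function is_local(a,   d) {           # no @ (local user) or inside our domain
    gsub(/[<>]/, "", a)
    if (index(a, "@") == 0) return 1
    d = tolower(a); sub(/^.*@/, "", d)
    return (d == dom || substr(d, length(d) - length(dom)) == "." dom)
  }
  index($0, ": from=") { q = $6; relay[q] = val("relay"); size[q] = val("size")
                         ext_from[q] = !is_local(val("from")); next }
  index($0, ": to=") && ($6 in relay) && !($6 in seen) {
    q = $6; n = split(val("to"), rc, ",")
    for (k = 1; k <= n; k++)            # external sender AND external recipient
      if (ext_from[q] && !is_local(rc[k])) {
        seen[q] = 1; msgs[relay[q]]++; bytes[relay[q]] += size[q]; break }
  }
  END { for (r in msgs) printf "%.0f\t%d\t%s\n", bytes[r], msgs[r], r }
  ' | sort -rn
}

sample_log | relay_summary corp.example
```

On a real host the input would be `/var/adm/syslog/mail.log`; the hosts at the top of the output are the ones to block and to include in any report.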

11-26-2001 08:33 AM
Solution
Secure your server:
http://people.hp.se/stevesk/bastion.html
live free or die
harry

11-26-2001 08:33 AM
If the purpose of this server is only for web, you can turn off sendmail on it and comment out 25 from your services.
-Sri

02-12-2002 02:18 PM
I have a mail server that is having this same problem with prodigy.net.mx. Did you ever find out a resolution to this problem other than shutting down sendmail?

02-13-2002 12:26 AM
I don't think somebody did break into your system. But somebody found your server has open ports.
So he tried to misuse your system. The damage is not done to the system itself, but it costs you money and resources.
Check your system for unused open ports and close them as a first reaction.
Someone has posted the link to the bastion host documents; have a look at them.
I would save the logs and mailfiles in case you or your company decides to take them to the police.
Regards Stefan

02-13-2002 02:15 AM
They are probably using your and Richard's servers as email relays. A lot of people actually blacklist open email relay sites; to check it out, go to orbz.org and see if any mail servers in your netblock are listed as open email relays. If not, have them test your server, then see what they say. They will usually recommend how to fix the problem.
GL,
C

02-13-2002 08:45 AM
Thanks everyone
for your help
Richard

04-17-2002 10:49 AM
Also, the blackplanet domain is one that is used by a common spammer, so I would tend to believe that Richard's problem was more along the lines of someone trying to relay, rather than the Sircam.
Cheers,
-tr
