Operating System - HP-UX

mail questions , maybe a hacker ?

someone_4
Honored Contributor

mail questions , maybe a hacker ?

Hey everyone
I hope everyone had a good long weekend. Well, over the weekend we had a server that had some issue with /var getting full. After digging around I found the big files were in /var/spool/mqueue. These files were huge emails with attachments that were just sitting there. The thing is, this is not a mail server at all. No DNS, no nothing. It is running a website. And it is open to the public. I have attached part of my mail.log. My questions are: how can I find who is doing this and what they are doing?
Also, I moved the files in the mailq to another dir. I have a crash-and-burn PC set up where I can check these attachments. So if I move them back to /var/spool/mqueue, can I force them to be sent to a specific email? Any other advice would be helpful.

Thanks
Richard
harry d brown jr
Honored Contributor

Re: mail questions , maybe a hacker ?

Richard,

What kind of products do you have installed on your host? The mail log looked like it was trying to send something to prodigy.net and blackplanet.com.

live free or die
harry
Live Free or Die
Uday_S_Ankolekar
Honored Contributor

Re: mail questions , maybe a hacker ?

Hi,
Mails are from prodigy.net to blackplanet.com.
You have some large mails stuck in the mail queue. You can check the details of these mails by opening the files starting with the letter q in the /var/spool/mqueue directory, and then take action accordingly.


Good luck
-USA.
Good Luck..
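As an added example (not code from the thread or from HP), the script below does what the reply above suggests, but without opening each queue file by hand: it reads the sendmail queue control files (qf*), prints sender, recipients, subject and data-file size per message, and counts messages per sender-domain to recipient-domain pair. A single external pair dominating the queue of a host that is not a mail server is the relay-attempt pattern discussed in this thread. It assumes the classic sendmail qf layout (S line for the sender, R or R<flags>: lines for recipients, H?flags?Subject: for the subject, a matching df file for the body) and builds a constructed sample queue so it runs offline; the domains in the sample are made up.

```shell
#!/bin/sh
# Added example: triage a sendmail mail queue (/var/spool/mqueue by default).
# Assumptions (not from the thread): qf files use the classic sendmail layout
#   S<sender>            R<recipient>  or  R<flags>:<recipient>  (8.9.x style)
#   H?<flags>?Subject: <text>          and the body lives in df<id>.

# qf_summary QFFILE -> "sender|recipients|subject|body-bytes"
qf_summary() {
    qf="$1"
    id=$(basename "$qf" | sed 's/^qf//')
    df="$(dirname "$qf")/df$id"
    sender=$(sed -n 's/^S//p' "$qf" | head -1)
    # R lines may carry flag letters before a colon (RPFD:user@host); keep only the address.
    rcpts=$(sed -n 's/^R\([A-Za-z]*:\)\{0,1\}//p' "$qf" | tr '\n' ',' | sed 's/,$//')
    subject=$(sed -n 's/^H?[^?]*?Subject: //p' "$qf" | head -1)
    if [ -f "$df" ]; then bytes=$(wc -c < "$df" | tr -d ' '); else bytes=0; fi
    printf '%s|%s|%s|%s\n' "$sender" "$rcpts" "$subject" "$bytes"
}

# relay_pairs QUEUEDIR -> "count sender-domain -> recipient-domain", busiest first.
# On a web-only host every queued message should be local mail; an external
# sender domain paired with an external recipient domain is a relay attempt.
relay_pairs() {
    for qf in "$1"/qf*; do
        [ -f "$qf" ] || continue
        qf_summary "$qf"
    done | awk -F'|' '{
        split($1, s, "@"); n = split($2, r, ",")
        for (i = 1; i <= n; i++) { split(r[i], t, "@"); pair[s[2] " -> " t[2]]++ }
    } END { for (p in pair) print pair[p], p }' | sort -rn
}

# make_sample_queue -> path of a temporary directory holding three constructed
# qf/df pairs (fake data, only so the example runs without a real mail queue).
make_sample_queue() {
    dir=$(mktemp -d)
    i=1
    while [ "$i" -le 3 ]; do
        cat > "$dir/qfSAMPLE0000$i" <<EOF
V2
T1000000000
Suser$i@example-sender.invalid
RPFD:victim$i@example-target.invalid
H?P?Return-Path: <user$i@example-sender.invalid>
H??Subject: constructed test message $i
.
EOF
        # body of i KiB so the size column varies
        dd if=/dev/zero bs=1024 count="$i" 2>/dev/null | tr '\000' 'x' > "$dir/dfSAMPLE0000$i"
        i=$((i + 1))
    done
    echo "$dir"
}

# Usage: sh queue_triage.sh /var/spool/mqueue
if [ $# -gt 0 ]; then
    relay_pairs "$1"
fi
```

Run it against the directory the stuck files were moved to rather than against the live queue; it only reads, so moving the files back is not needed to inspect them.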
S.K. Chan
Honored Contributor

Re: mail questions , maybe a hacker ?

I don't think you can force the file in /var/spool/mqueue to be sent to a specific email. Looking at the content of that file is as good as reading the email itself. Examining these huge files will give you some indication of what is being sent out. As for who is sending it, in my opinion a few areas to look for clues:
- syslog file
- browser history/cache log
John Bolene
Honored Contributor

Re: mail questions , maybe a hacker ?

Looks like someone trying to use your server to relay mail.

You can shutdown sendmail in /etc/rc.config.d/mailservs or turn off port 25 in /etc/services.

From the size of them, it must have slowed your webserver access down.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Volker Borowski
Honored Contributor

Re: mail questions , maybe a hacker ?

Richard,

First of all, if you do not use mail on this computer, either turn off sendmail or block port 25/tcp in your firewall for this host.

Since your server does not seem to have internet DNS configured, all the attempted mail delivery did not work.

This looks very much like someone wants to use your server as a mail relay, which could be a quite costly thing.

Check your public mail servers as well for relay features. A public mail server configured as an "open relay" might be misused.

Hope this helps
Volker
Joseph Chakkery
Valued Contributor

Re: mail questions , maybe a hacker ?

Hello,

Looks like it is failing to reach the relay host name.

Check /var/adm/syslog/mail.log for more details.

Regards
Joe.
Knowledge is wealth
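To make the log check suggested above concrete, here is an added example (not code from the thread or from HP) that reads a sendmail mail.log, joins each message's "from=" record with its "to=" records by queue ID, and prints only the messages whose sender and recipient are both outside the local domain, which is exactly what a third-party relay attempt looks like. It assumes the classic sendmail syslog format and takes the local domain as its second argument; the log lines it builds for the demonstration are constructed, with made-up domains and addresses.

```shell
#!/bin/sh
# Added example: spot third-party relay attempts in a sendmail mail.log.
# Assumptions (not from the thread): classic sendmail syslog records, where
#   "<qid>: from=<addr>, size=N, ..., relay=[client]" and
#   "<qid>: to=<addr>, ..., stat=..." share the queue ID <qid>.

# relay_attempts LOGFILE LOCALDOMAIN
# Prints "qid sender-domain recipient-domain size client" for every message
# whose sender and recipient domains are both different from LOCALDOMAIN.
relay_attempts() {
    awk -v ldom="$2" '
        # the queue ID is the first ": "-separated token after "sendmail[pid]"
        function qid(   f) { split($0, f, ": "); return f[2] }
        function domain(addr,   p) { p = index(addr, "@"); return p ? substr(addr, p + 1) : "" }
        # field("size") returns the value of "size=..." with any <> stripped
        function field(name,   m) {
            if (match($0, name "=[^,]*")) {
                m = substr($0, RSTART + length(name) + 1, RLENGTH - length(name) - 1)
                gsub(/[<>]/, "", m)
                return m
            }
            return ""
        }
        /sendmail\[[0-9]+\]: [^:]+: from=/ {
            id = qid()
            from[id] = domain(field("from")); size[id] = field("size"); client[id] = field("relay")
        }
        /sendmail\[[0-9]+\]: [^:]+: to=/ {
            id = qid(); d = domain(field("to"))
            if ((id in from) && from[id] != ldom && d != ldom)
                print id, from[id], d, size[id], client[id]
        }' "$1"
}

# make_sample_log -> path of a temporary file with constructed log lines:
# one external->external relay attempt (deferred on DNS failure, as in the
# thread), one legitimate inbound message and one legitimate outbound message.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jul  2 10:15:01 www sendmail[1234]: f62HF1x01234: from=<sender@spam-source.invalid>, size=1843200, class=0, nrcpts=1, proto=SMTP, relay=[192.0.2.10]
Jul  2 10:15:02 www sendmail[1235]: f62HF1x01234: to=<victim@spam-target.invalid>, delay=00:00:01, mailer=esmtp, relay=spam-target.invalid, stat=Deferred: Name server: spam-target.invalid: host name lookup failure
Jul  2 10:16:00 www sendmail[1240]: f62HG0x01240: from=<customer@partner.invalid>, size=2048, class=0, nrcpts=1, proto=SMTP, relay=[198.51.100.7]
Jul  2 10:16:01 www sendmail[1241]: f62HG0x01240: to=<webmaster@www.example.invalid>, delay=00:00:01, mailer=local, stat=Sent
Jul  2 10:17:00 www sendmail[1250]: f62HH0x01250: from=<root@www.example.invalid>, size=512, class=0, nrcpts=1, relay=root@localhost
Jul  2 10:17:01 www sendmail[1251]: f62HH0x01250: to=<admin@partner.invalid>, delay=00:00:01, mailer=esmtp, relay=partner.invalid, stat=Sent
EOF
    echo "$f"
}

# Usage: sh relay_check.sh /var/adm/syslog/mail.log www.example.com
if [ $# -ge 2 ]; then
    relay_attempts "$1" "$2"
fi
```

The client column (the bracketed address from the from= record) is what identifies who is submitting the mail; the recipient side only tells you where they wanted it relayed to.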
harry d brown jr
Honored Contributor
Solution

Re: mail questions , maybe a hacker ?

Richard,

Secure your server:

http://people.hp.se/stevesk/bastion.html


live free or die
harry
Live Free or Die
Sridhar Bhaskarla
Honored Contributor

Re: mail questions , maybe a hacker ?

The mails are coming from prodigy.net.mx and are trying to go to blackplanet.com through your server. So, obviously, your server is being unsuccessfully used as a relay.

If the purpose of this server is only for web, you can turn off sendmail on it and comment out 25 from your services.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Tony Rose
Advisor

Re: mail questions , maybe a hacker ?

Richard:

I have a mail server that is having this same problem with prodigy.net.mx. Did you ever find out a resolution to this problem other than shutting down sendmail?
Stefan Schulz
Honored Contributor

Re: mail questions , maybe a hacker ?

Hi,

I don't think somebody broke into your system. But somebody found that your server has open ports.

So he tried to misuse your system. The damage is not done to the system itself, but it costs you money and resources.

Check your system for unused open ports and close them as a first reaction.

Someone has posted the link to the bastion host documents; have a look at them.

I would save the logs and mail files in case you or your company decides to take them to the police.

Regards Stefan
No Mouse found. System halted. Press Mousebutton to continue.
Craig Rants
Honored Contributor

Re: mail questions , maybe a hacker ?

Tony,
They are probably using your and Richard's servers as email relays. A lot of people actually blacklist open email relay sites; to check it out, go to orbz.org and see if any mail servers in your netblock are listed as open email relays. If not, have them test your server, then see what they say. They will usually recommend how to fix the problem.

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
someone_4
Honored Contributor

Re: mail questions , maybe a hacker ?

Hey everyone .. I totally forgot about this post. But anyway .. it was a relay problem. I upgraded to 8.9.3 and turned on the anti-relay features and we were done.

Thanks everyone
for your help
Richard
Tony Rose
Advisor

Re: mail questions , maybe a hacker ?

Hey guys, I know it has been a while since this forum was updated, but I have some information on prodigy.net.mx. This is a domain that mail is sent to if a computer has the Sircam virus. We have lots of resident students who had this virus, and my mail server was getting slammed hard. I don't know if this was Richard's problem or not, but I thought I would mention it in case someone caught this discussion while searching on prodigy.net.mx.

Also, the blackplanet domain is one that is used by a common spammer, so I would tend to believe that Richard's problem was more along the lines of someone trying to relay, rather than the Sircam.

Cheers,
-tr