Hello. Since Monday, our mailserver (FC5), behind a firewall, is suffering a heavy DoS mail attack. We have a user account, amanda.davila@padep.org.bo, and it is receiving millions of emails from very different sites of the planet. So far, my only action has been deleting the account from /etc/password, and the traffic permits working. We suspect a virus attack...
What else can we do? We would appreciate any help with this issue. Here, a 20-second log by 07:15 GMT-4 (too early, many PCs off).
# tethereal |grep RCPT
Here you can find a more detailed log: http://www.padep.org.bo/log20080325/
Thanks, again...
----------------------------------------------
Rodolfo Alcazar - rodolfo.alcazar@padep.org.bo
otbits.blogspot.com / counter.li.org: #367962
----------------------------------------------
"Don't dream your life, live your dream." - Unknown author
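
Added example, not part of the original post: a way to summarize `tethereal | grep RCPT` output per recipient, showing whether a flood comes from a few heavy senders or from many hosts. The sample lines, addresses, function names and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of `tethereal | grep RCPT` output;
# addresses are documentation ranges and example.org, not values from the post.
SAMPLE = """\
0.030 198.51.100.80 -> 192.0.2.15 SMTP Command: RCPT TO:<victim@example.org>
0.084 203.0.113.98 -> 192.0.2.15 SMTP Command: RCPT To:victim@example.org
0.813 198.51.100.80 -> 192.0.2.15 SMTP Command: RCPT TO:<victim@example.org>
1.196 203.0.113.133 -> 192.0.2.15 SMTP Command: RCPT TO:<victim@example.org>
1.999 198.51.100.80 -> 192.0.2.15 SMTP Command: RCPT TO:<victim@example.org>
2.500 203.0.113.7 -> 192.0.2.15 SMTP Command: RCPT TO:<other@example.org>
3.030 198.51.100.80 -> 192.0.2.15 SMTP Command: RCPT TO:<victim@example.org>
"""

LINE = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+\S+\s+SMTP\s+Command:\s+"
    r"RCPT\s+TO:\s*<?(?P<rcpt>[^<>\s]+)>?", re.IGNORECASE)

def summarize(text):
    """Per recipient: command count, distinct sources, rate, top source share."""
    times, sources = defaultdict(list), defaultdict(Counter)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # truncated or non-RCPT line
        rcpt = m.group("rcpt").lower()
        times[rcpt].append(float(m.group("t")))
        sources[rcpt][m.group("src")] += 1
    report = {}
    for rcpt, ts in times.items():
        span = max(ts) - min(ts)
        top_src, top_n = sources[rcpt].most_common(1)[0]
        report[rcpt] = {
            "commands": len(ts),
            "distinct_sources": len(sources[rcpt]),
            "per_second": round(len(ts) / span, 2) if span > 0 else None,
            "top_source": top_src,
            "top_share": round(top_n / len(ts), 2),
        }
    return report

def flooded(report, min_commands=5, min_sources=3):
    """Recipients hit by many commands from several hosts (illustrative thresholds)."""
    return sorted(r for r, s in report.items()
                  if s["commands"] >= min_commands
                  and s["distinct_sources"] >= min_sources)

if __name__ == "__main__":
    print(flooded(summarize(SAMPLE)))
```

A low `top_share` combined with a high `distinct_sources` count indicates that blocking individual addresses at the firewall will not keep up, and that the recipient has to be rejected at the SMTP level instead.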