EMERGENCY - need to secure my server against an ongoing SPAMMER

Bob Brennan rbrennan96 at gmail.com
Fri Mar 11 13:01:47 UTC 2005


> If you followed the instructions I gave, they'd be in /var/spool/mqueue.spam
> 
> Did you delete that directory too? There may have been non-spam messages
> there too.

Bad, bad me - I figured out how to delete all the files in the mail
queue before receiving your instructions and (again, bad, I know) saw
that as a first priority.

> Deleting this sort of stuff really is a bad idea because you've lost
> some evidence of what's happened. So you don't know if a machine your
> server trusts has been compromised, whether your server is a plain old
> open relay, or whether your server itself has been compromised or
> running a spam-vulnerable application. Without the evidence to reassure
> yourself that it's only vulnerable to spamming and your machine hasn't
> actually been rooted, you should assume the worst and do as Sam said -
> reinstall from scratch.

As soon as I got to the machine, with spam still obviously being sent
out, I checked all users. There were only entries for me as root
having logged on just a few moments earlier, nothing else. I won't
rule that out, of course, but Occam's razor points to my many attempts
to get sendmail to relay for my remote Evolution/Outlook clients.
Apparently I *did* get relaying working - just not for me! I had
carefully noted my changes to sendmail.mc (mentioned earlier) and the
first thing I did was comment them out, rebuild and reboot. It was the
reboot that flagged up the mysqld problem, and that might have
happened over several weeks, since I rarely reboot.

> I need to see the full headers really. The addresses used are probably
> irrelevant because spammers just forge them anyway. The interesting
> thing to see is where the mail came from.
> 
> >>Try removing the lock file manually:
> >>
> >># rm /var/lock/subsys/mysqld
> >>
> >>This is probably a symptom of the problem rather than being the problem
> >>itself though.
> >
> >
> > I had already tried that trick - no difference, it just creates a new
> > file when I try to restart.
> > The error seems to be:
> > /usr/libexec/mysqld: Can't find file: './mysql/host.frm' (errno:13)
> > but I haven't tracked that one down yet
> 
> That file should be in /var/lib/mysql/mysql
> 
> You might have to recover it from your backups if it's no longer there.

That is my next priority.

bob
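The two actions the replies above describe, as an added example that is not code from the original thread: a check of sendmail.mc for the FEATURE()s that loosen relaying (so that lines commented out with dnl can be confirmed inactive and nothing else was missed), and moving the mail queue aside instead of deleting it, so the queue files survive as evidence. The sendmail.mc contents, the queue file names and every path are constructed for the demo; the FEATURE names are sendmail's own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Two things the replies
# above ask for: find which sendmail.mc FEATURE()s opened relaying, and move a
# spam-filled queue aside (preserving evidence) instead of deleting it.
# The sample sendmail.mc, queue files and paths below are constructed.

# sendmail m4 FEATUREs that loosen relay checks (documented in cf/README of
# the sendmail distribution). Any of these active on an Internet-facing MTA
# deserves a second look.
RISKY_FEATURES='promiscuous_relay relay_entire_domain relay_hosts_only
relay_local_from relay_based_on_MX accept_unresolvable_domains
accept_unqualified_senders loose_relay_check'

# Print "lineno:text" for each active FEATURE line naming a risky feature.
# Lines commented out with a leading "dnl" are ignored, which is exactly the
# check to run after commenting changes out, to confirm they really are off.
audit_sendmail_mc() {
    mc="$1"
    for f in $RISKY_FEATURES; do
        grep -n 'FEATURE(`'"$f" "$mc" 2>/dev/null \
            | grep -v '^[0-9]*:[[:space:]]*dnl' || true
    done
}

# Number of active risky FEATURE lines; 0 means clean by this test.
count_relay_risks() {
    n=$(audit_sendmail_mc "$1" | wc -l)
    echo $((n))
}

# Move a queue directory aside instead of deleting it. Stop the MTA first
# (e.g. "service sendmail stop") so nothing is writing to the queue during
# the move. An inventory listing is written next to the moved directory so
# the original file list survives whatever is done with the files later.
# Refuses to overwrite an existing destination.
quarantine_queue() {
    src="$1"
    dst="$2"
    [ -d "$src" ] || return 1
    [ -e "$dst" ] && return 1
    mv "$src" "$dst" || return 1
    chmod 0700 "$dst"
    # fresh, empty queue so the MTA can be restarted once the config is fixed
    mkdir -p "$src" && chmod 0700 "$src"
    ls -la "$dst" > "$dst.inventory"
    return 0
}

# --- demo on constructed data in a scratch directory ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/sendmail.mc" <<'EOF'
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
dnl FEATURE(`promiscuous_relay')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`accept_unresolvable_domains')dnl
FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access.db')dnl
MAILER(smtp)dnl
EOF
mkdir -p "$demo_dir/mqueue"
printf 'T1110000000\n' > "$demo_dir/mqueue/qfj2B000001"   # constructed control file
printf 'spam body\n'   > "$demo_dir/mqueue/dfj2B000001"   # constructed data file

echo "active relay-loosening FEATUREs in sendmail.mc:"
audit_sendmail_mc "$demo_dir/sendmail.mc"
echo "count: $(count_relay_risks "$demo_dir/sendmail.mc")"
quarantine_queue "$demo_dir/mqueue" "$demo_dir/mqueue.spam"
echo "quarantined queue files:"
ls "$demo_dir/mqueue.spam"
rm -rf "$demo_dir"
```

On the demo config the audit flags relay_entire_domain and accept_unresolvable_domains and skips the dnl-commented promiscuous_relay line. Run it against the real /etc/mail/sendmail.mc after commenting changes out, and remember that sendmail reads sendmail.cf, so the .cf must be rebuilt and the daemon restarted before the change takes effect. Separately, errno 13 in the mysqld message quoted above is EACCES (permission denied), so before restoring host.frm from backup it is worth checking that /var/lib/mysql/mysql and the files in it are still owned by and readable by the user mysqld runs as.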