Full Version: 30gb mail log?!
The Planet Forums > Control Panels > Plesk
osiris
I've been having some major problems with my server the past few days. MySQL has been screwing up, as well as having a 3GB mail queue file, and a 30GB mail log file.

Could someone please help me out on this one. It would seem as huge amounts of mail are going through my server?

Thanks,
-Daniel
Squire
My initial thought is that you have an open relay Daniel. The first thing to do is close that down. To do that go to your Plesk control panel, then Server, then Mail. Make sure "Closed" is checked under the relay section.

Make a note of what it was set at before and post that back to the boards. Also look just below that section and jot down what IP addresses are showing in your Relay whitelist.

That'll be a start to get your server back to health. Though I have a feeling you're going to be deleting a lot of email from the queue.

Look around here or on the Plesk forums for instructions on installing "qmail-remove" and "qmHandle". Me thinks you're going to need both of those to dump the spam in your queue as soon as we find out where it was coming from.

Squire
osiris
Thanks for your post Squire. I have it set as "Authenticate" and SMTP check-marked. I don't think it is acting as an open relay. The only hosts in the whitelist are localhost, 127.0.0.0/8 and 127.0.0.1/24.

Also, I have dug through a bunch of the messages in the mail queue and many are from AOL, reporting they will not accept mail sent from my server. Funny thing is, the mail that is bouncing has a domain in the "from" address that is not on my server. They appear to be spam messages as well. Since I've always had the server set to authenticate outgoing email, how is this possible?

Thank you,
-Daniel
osiris
Ok I repaired some of the tables in plesk, and it is now working, but qmail is going extremely slow.

I found this in my snort logs:

09/29-23:04:07.286324 [**] [1:1549:9] SMTP HELO overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 207.44.216.55:52409 -> 152.163.224.26:25

and from the newest chkrootkit 0.42b:


Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'...
eth0: PROMISC
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted
[root@ns1 chkrootkit-0.42b]#
Squire
Well, it seems you may have more than one issue Daniel. Hopefully someone will jump in with your Snort/chkrootkit returns. I've not had anything like that :::knocks on wood:::

One thing on the mail though... Remove that 127.0.0.1/8 from your whitelist pronto. That's creating an open relay on your box, no matter what you set the rest at. The most you want to have is the 127.0.0.1/24.

Good luck on getting AOL to accept mail from your server again if they're really blocking it based on your IP range/hostname. If you're really lucky their spam filters are just picking up the email and not totally blocking your server. You'll still want to use qmail-remove and/or qmHandle to get all of those messages out of the queue.

Squire
mtijssen
Maybe a little silly question..

but what is the exact meaning of:

127.0.0.1/8

and

127.0.0.1/24?

:confused:
Squire
mtijssen, that's the localhost IP number / Mask.

You need to have 127.0.0.1 whitelisted if you want to allow scripts (php, cgi, horde/webmail, etc) the ability to send email from your server.

The problem is that as the number on the Mask side of things decreases it opens your relay up farther and farther. And by the time you get down to a Mask of /8 you're basically sitting there wide open for any of the spam-kiddies to take over your mailserver and do what they want to with it.

So you want to open it up enough so that scripts can send mail, but not so far that you're standing there with your pants down. Hence 127.0.0.1/24.

Squire
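To make the mask arithmetic in Squire's answer concrete, here is a small Python script (an added example, not code from the thread or from Plesk) that shows what a relay whitelist entry such as 127.0.0.1/8 or 127.0.0.1/24 actually denotes, tests whether a given client address would be allowed to relay, and audits a whitelist for entries reaching outside loopback and RFC 1918 space. The whitelist values and the ALLOWED_SCOPES list are constructed for the example; how Plesk itself evaluates its whitelist is not shown here.

```python
import ipaddress

# Ranges a relay whitelist can hold without reaching the public Internet:
# loopback plus RFC 1918 private space (an assumption chosen for this example).
ALLOWED_SCOPES = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe(entry):
    """Explain one whitelist entry: the network it really denotes and its size."""
    # strict=False accepts host-style entries such as 127.0.0.1/24 and
    # normalises them to the network address (127.0.0.0/24).
    net = ipaddress.ip_network(entry, strict=False)
    return {
        "entry": entry,
        "network": str(net),
        "netmask": str(net.netmask),
        "addresses": net.num_addresses,
    }


def is_whitelisted(client_ip, whitelist):
    """Would a client at client_ip be allowed to relay without authenticating?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in whitelist)


def audit(whitelist):
    """Return (entry, reason) pairs for entries reaching beyond loopback/private space."""
    findings = []
    for entry in whitelist:
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.subnet_of(scope) for scope in ALLOWED_SCOPES):
            findings.append((entry, f"{net} covers {net.num_addresses} addresses "
                                    "outside loopback/private space"))
    return findings


if __name__ == "__main__":
    for e in ("127.0.0.1/8", "127.0.0.1/24", "127.0.0.1/32"):
        print(describe(e))
    # Constructed whitelist with one mistyped entry (a public address with /8)
    # to show the audit firing.
    sample = ["127.0.0.1/24", "192.0.2.1/8"]
    print("192.0.2.77 may relay:", is_whitelisted("192.0.2.77", sample))
    for entry, reason in audit(sample):
        print("WARNING:", entry, "->", reason)
```

The audit deliberately checks containment (subnet_of) rather than the network's is_private property, because older Python versions report 0.0.0.0/0 as private; a whitelist entry like that would otherwise slip through.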
mtijssen
Thanks for your answer/explanation..
smack
QUOTE
Originally posted by osiris
Ok I repaired some of the tables in plesk, and it is now working, but qmail is going extremely slow.  

I found this in my snort logs:

09/29-23:04:07.286324  [**] [1:1549:9] SMTP HELO overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 207.44.216.55:52409 -> 152.163.224.26:25

and from the newest chkrootkit 0.42b:


Checking `lkm'... You have     1 process hidden for readdir command
You have     1 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'...
eth0: PROMISC
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted
[root@ns1 chkrootkit-0.42b]#


You've got issues. Take this warning very very seriously, as the LKM warning does imply your machine has been compromised. In this case you will need to order a system restore.

I'm not sure if snort puts eth0 in promiscuous mode or not. Normally it's not.

P.S. - what does your mail log *say*? I mean don't post 30 gigs worth to the forum, but is it pretty clear that messages are being sent from your server?
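smack's question ("is it pretty clear that messages are being sent from your server?") is answered by summarising the qmail-send log rather than reading it. The following Python script is an added example, not code from the thread or from Plesk/qmail: it parses the qmail-send log format (tai64n-stamped "info msg ... from <sender> qp ... uid ...", "starting delivery ... to remote ...", and "delivery ...: failure/success/deferral" lines) and counts messages by sender domain, by the uid that injected them, by recipient domain and by delivery result. The sample log lines, addresses and uids below are constructed; on a real box the uid column is what tells a web script injecting mail apart from mail that arrived over SMTP, and mapping uids to names needs that server's /etc/passwd.

```python
import re
from collections import Counter

# Constructed sample of qmail-send log lines (multilog tai64n stamps); not from the
# poster's server. Addresses use documentation ranges and example domains.
SAMPLE_LOG = """\
@400000004516a3b10c1d4e5c new msg 1234
@400000004516a3b10c1d5a2c info msg 1234: bytes 2876 from <offer@bulk-example.test> qp 28711 uid 48
@400000004516a3b10c1d8f04 starting delivery 501: msg 1234 to remote someone@aol.com
@400000004516a3b20a000000 delivery 501: failure: Connected_to_192.0.2.10_but_sender_was_rejected./Remote_host_said:_554_(RLY:B1)/
@400000004516a3b20a000100 end msg 1234
@400000004516a3b30a000000 new msg 1235
@400000004516a3b30a000100 info msg 1235: bytes 3100 from <offer@bulk-example.test> qp 28720 uid 48
@400000004516a3b30a000200 starting delivery 502: msg 1235 to remote other@aol.com
@400000004516a3b40a000000 delivery 502: failure: Connected_to_192.0.2.10_but_sender_was_rejected./Remote_host_said:_554_(RLY:B1)/
@400000004516a3b40a000100 end msg 1235
@400000004516a3b50a000000 new msg 1236
@400000004516a3b50a000100 info msg 1236: bytes 812 from <daniel@example.org> qp 28731 uid 7791
@400000004516a3b50a000200 starting delivery 503: msg 1236 to remote friend@example.net
@400000004516a3b60a000000 delivery 503: success: 192.0.2.20_accepted_message./Remote_host_said:_250_ok/
@400000004516a3b60a000100 end msg 1236
"""

INFO_RE = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")
START_RE = re.compile(r"starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")
RESULT_RE = re.compile(r"delivery (\d+): (success|failure|deferral): (.*)")


def domain_of(addr):
    """Domain part of an address; qmail bounces carry an empty sender <>."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else "<bounce>"


def summarize(lines):
    """Walk the log once and aggregate who is sending what, and how it ends."""
    msg_sender = {}     # msg id -> envelope sender
    delivery_msg = {}   # delivery id -> msg id
    stats = {
        "messages": 0,
        "bytes": 0,
        "by_sender_domain": Counter(),
        "by_uid": Counter(),
        "by_rcpt_domain": Counter(),
        "results": Counter(),
        "failures_by_sender_domain": Counter(),
    }
    for line in lines:
        m = INFO_RE.search(line)
        if m:
            msg, nbytes, sender, _qp, uid = m.groups()
            msg_sender[msg] = sender
            stats["messages"] += 1
            stats["bytes"] += int(nbytes)
            stats["by_sender_domain"][domain_of(sender)] += 1
            stats["by_uid"][int(uid)] += 1   # uid of the process that queued the message
            continue
        m = START_RE.search(line)
        if m:
            dlv, msg, _kind, rcpt = m.groups()
            delivery_msg[dlv] = msg
            stats["by_rcpt_domain"][domain_of(rcpt)] += 1
            continue
        m = RESULT_RE.search(line)
        if m:
            dlv, result, _detail = m.groups()
            stats["results"][result] += 1
            if result == "failure":
                sender = msg_sender.get(delivery_msg.get(dlv, ""), "")
                stats["failures_by_sender_domain"][domain_of(sender)] += 1
    return stats


def top_senders(stats, n=3):
    """Sender domains with the most queued messages, highest first."""
    return stats["by_sender_domain"].most_common(n)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("messages:", s["messages"], "bytes:", s["bytes"])
    print("top sender domains:", top_senders(s))
    print("by uid:", dict(s["by_uid"]))
    print("results:", dict(s["results"]))
```

On a 30 GB log, feed the file object straight into summarize() instead of reading it into memory; the counters stay small however long the log is. A sender domain that is not hosted on the box, paired with a uid that belongs to the web server or to the SMTP daemon, narrows down whether a script or the relay configuration is the injection path.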
smack
Hmm, there might be a bug in 0.42b with the PROMISC message. Run ./ifpromisc from the chkrootkit directory to confirm. Anyhow, that's the least of your worries...focus on the lkm warning.
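A second, independent way to confirm or rule out the PROMISC finding, as an added example that is not part of the thread or of chkrootkit: on Linux the kernel exposes each interface's flag word in /sys/class/net/<iface>/flags, and the IFF_PROMISC bit (0x100, from <linux/if.h>) is set while any process holds the interface in promiscuous mode. The script below decodes that word; the sysfs path is the real one, the flag values are the kernel's, and the example flag words in the usage are constructed.

```python
import os

# Interface flag bits as defined in <linux/if.h>, in ascending bit order.
IFF_FLAGS = [
    (0x1, "UP"), (0x2, "BROADCAST"), (0x4, "DEBUG"), (0x8, "LOOPBACK"),
    (0x10, "POINTOPOINT"), (0x20, "NOTRAILERS"), (0x40, "RUNNING"), (0x80, "NOARP"),
    (0x100, "PROMISC"), (0x200, "ALLMULTI"), (0x400, "MASTER"), (0x800, "SLAVE"),
    (0x1000, "MULTICAST"),
]
IFF_PROMISC = 0x100


def decode_flags(flags):
    """Names of the flag bits set in an interface flag word."""
    return [name for bit, name in IFF_FLAGS if flags & bit]


def is_promiscuous(flags):
    return bool(flags & IFF_PROMISC)


def read_iface_flags(iface, sysfs="/sys/class/net"):
    """Read the kernel's flag word for one interface (the file holds hex, e.g. 0x1003)."""
    with open(os.path.join(sysfs, iface, "flags")) as fh:
        return int(fh.read().strip(), 16)


def scan(sysfs="/sys/class/net"):
    """Map every interface under sysfs to whether it is in promiscuous mode."""
    results = {}
    if not os.path.isdir(sysfs):          # not Linux, or sysfs not mounted
        return results
    for iface in sorted(os.listdir(sysfs)):
        try:
            results[iface] = is_promiscuous(read_iface_flags(iface, sysfs))
        except OSError:
            continue                      # virtual entries without a flags file
    return results


if __name__ == "__main__":
    # Constructed flag words: a normal Ethernet interface, and the same one sniffed.
    for word in (0x1003, 0x1103):
        print(hex(word), decode_flags(word), "promiscuous" if is_promiscuous(word) else "normal")
    for iface, promisc in scan().items():
        print(iface, "PROMISC" if promisc else "-")
```

A set PROMISC bit on its own is not proof of a rootkit: a packet sniffer run on purpose, Snort in IDS mode included, puts the interface into promiscuous mode while it runs, and the kernel logs "device eth0 entered promiscuous mode" either way. Pair the flag with which process owns the raw socket before drawing conclusions.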
smack
One more hmm in regards to the promisc deal... it seems that make all doesn't make chkproc and strings, so do them individually or do make *.c .... then chkrootkit produces correct (or better) output. There's probably some readme somewhere, but who has time :) haha
Invision Power Board © 2001-2009 Invision Power Services, Inc.