Question : Sendmail Spamming

Hello,
My FC1 has sendmail installed. It's been working perfectly fine till now.
It's been spamming, and when I type (ps ux) I see

root       912  0.0  0.6  9152 3332 ?        S    00:16   0:00 sendmail: ./k1A5GRel000910 mx3.mail.yahoo.com.: client greeting
root      1255  0.0  0.6  9152 3336 ?        S    00:16   0:00 sendmail: ./k1A5Gvel001253 mx2.mail.yahoo.com.: user open
root      1538  0.0  0.6  8876 3272 ?        S    00:18   0:00 sendmail: ./k1A5I2el001536 mx3.mail.yahoo.com.: client greeting
root      1583  0.0  0.6  7776 3216 ?        S    00:18   0:00 sendmail: ./k1A57Nel030417 mx3.mail.yahoo.com.: client greeting
root      1609  0.0  0.6  7556 3120 ?        S    00:18   0:00 sendmail: ./k1A5C7el032423 mx3.mail.yahoo.com.: client greeting
root      2731  0.0  0.6  8876 3268 ?        S    00:20   0:00 sendmail: ./k1A5KZel002729 casema.net.: user open
root      2827  0.0  0.6  8876 3272 ?        S    00:20   0:00 sendmail: ./k1A5Kmel002825 mx3.mail.yahoo.com.: client greeting
root      2976  0.0  0.6  8876 3268 ?        S    00:21   0:00 sendmail: ./k1A5L2el002974 landuk1.landinst.com.: user open
root      3147  0.0  0.6  8876 3268 ?        S    00:21   0:00 sendmail: ./k1A5LUel003145 brain.brain.net.pk.: user open
root      3160  0.0  0.6  8856 3188 ?        S    00:21   0:00 sendmail: k1A5LVel003158 localhost.localdomain [127.0.0.1]: DATA
root      3210  0.0  0.6  8900 3208 ?        S    00:21   0:00 sendmail: ./k1A57Bel030304 mx2.mail.yahoo.com.: user open
root      3229  0.0  0.6  8876 3272 ?        S    00:21   0:00 sendmail: ./k1A5Lcel003227 mx2.mail.yahoo.com.: client greeting
root      3259  0.0  0.6  8876 3268 ?        S    00:21   0:00 sendmail: ./k1A5Leel003256 rmigib.com.: user open
root      3292  0.0  0.6  8876 3268 ?        S    00:21   0:00 sendmail: ./k1A5Llel003290 mailbx3.hclinfinet.com.: user open
root      3318  0.0  0.6  7472 3100 ?        S    00:21   0:00 sendmail: ./k1A5Joel002261 resalehost.networksolutions.com.: user open
root      3341  0.0  0.6  8876 3272 ?        S    00:21   0:00 sendmail: ./k1A5Lvel003339 mail.airnav.com.: client greeting
root      3431  0.0  0.6  9148 3320 ?        S    00:22   0:00 sendmail: ./k1A5M5el003429 mail3.zoneedit.com.: client DATA status
root      3463  0.2  0.7  9144 3696 ?        S    00:22   0:00 sendmail: ./k1A5MMel003461 mail1.rox.net.: client RCPT

How can I stop this from happening?


[(12:26 AM)][(root@server)] [(/var/spool/clientmqueue)] $ rm -rf *
[(12:27 AM)][(root@server)] [(/var/spool/clientmqueue)] $ ls
dfk1A5R58P004141  dfk1A5RDpF004144  qfk1A5R58P004141  qfk1A5RDpF004144
[(12:27 AM)][(root@server)] [(/var/spool/clientmqueue)] $ rm -rf *
[(12:27 AM)][(root@server)] [(/var/spool/clientmqueue)] $ ls
dfk1A5RLFB004147  qfk1A5RLFB004147

Answer : Sendmail Spamming

@@aplelois

I feel you are going nowhere with this kind of approach. You have to be clear about what you want to achieve.

1.    Take the server offline (out of the network) immediately so that you are the only one who has access to this server.

2.    Take a backup of your data. All other things you can reinstall.

3.    Reinstall FC1 and update to all the latest patches. I do not know if you have yum, but you will definitely have up2date.

4.    Once all is well, just ensure that you stop the telnet / ssh / ftp services on your server if you are not using them.

5.    Use iptables security for setting the filtering rules.

6.    Hopefully by this time you should be safely on your way to be online again.

Regards,

makhan.

PS: The quick-fix approach to this problem will never work, as you will break some other thing while fixing one. Also, you must be aware that if someone has a rootkit installed on your server, then no matter how much you try, you won't be able to stop it. A rootkit installation will replace your basic commands like ls etc. so that they will not show you the hidden files the attacker has installed.
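
A triage sketch for the process listing in the question, added here as an example and not part of the original thread: it counts outbound sendmail deliveries per destination host and state, and lists sessions whose peer is a loopback address, meaning the mail is being submitted on the host itself. The regular expressions assume the process-title layout shown in the question; the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Four lines taken from the listing in the question, plus one constructed
# non-sendmail line to show that unrelated processes are ignored.
SAMPLE = """\
root       912  0.0  0.6  9152 3332 ?        S    00:16   0:00 sendmail: ./k1A5GRel000910 mx3.mail.yahoo.com.: client greeting
root      1255  0.0  0.6  9152 3336 ?        S    00:16   0:00 sendmail: ./k1A5Gvel001253 mx2.mail.yahoo.com.: user open
root      2731  0.0  0.6  8876 3268 ?        S    00:20   0:00 sendmail: ./k1A5KZel002729 casema.net.: user open
root      3160  0.0  0.6  8856 3188 ?        S    00:21   0:00 sendmail: k1A5LVel003158 localhost.localdomain [127.0.0.1]: DATA
root      3500  0.0  0.1  4000 1000 ?        S    00:22   0:00 -bash
"""

# Outbound delivery: "sendmail: ./<queue-id> <remote-host>.: <state>"
OUTBOUND = re.compile(r"sendmail: \./(?P<qid>\S+) (?P<host>\S+?)\.?: (?P<state>.+)$")
# Inbound SMTP session: "sendmail: <queue-id> <peer-name> [<peer-ip>]: <state>"
INBOUND = re.compile(r"sendmail: (?P<qid>\S+) \S+ \[(?P<ip>[^\]]+)\]: (?P<state>.+)$")


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1 as they appear in the bracketed peer field."""
    return ip.startswith("127.") or ip.endswith("::1")


def triage(ps_text):
    """Summarise sendmail activity found in `ps ux` output."""
    by_host, by_state, local = Counter(), Counter(), []
    for line in ps_text.splitlines():
        inbound = INBOUND.search(line)
        if inbound:
            # A loopback peer means something on this machine is injecting mail.
            if is_loopback(inbound["ip"]):
                local.append(inbound["qid"])
            continue
        outbound = OUTBOUND.search(line)
        if outbound:
            by_host[outbound["host"].lower()] += 1
            by_state[outbound["state"].strip()] += 1
    return {"outbound_total": sum(by_host.values()), "by_host": by_host,
            "by_state": by_state, "local_submissions": local}


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("outbound deliveries in progress:", report["outbound_total"])
    for host, n in report["by_host"].most_common():
        print(f"  {n:3d}  {host}")
    print("states:", dict(report["by_state"]))
    print("submitted from loopback (queue ids):", report["local_submissions"])
```

As the PS above points out, a rootkit can replace basic commands, so a listing like this is a lead for triage and not evidence that the host is clean.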