  1. #1
    Join Date
    Jun 2007
    Posts
    36

    user getting heavily spammed

    I've got a user getting heavily spammed, but other users on the same domain are fine. It all started last night. Here's some info, and I hope you can help me.

    I've got loads of these in 'top'

    5975 dovecot 15 0 3712 1712 1432 S 0.0 0.2 0:00.00 imap-login

    and these in ps dovecot

    dovecot 5250 5533 0 13:05 ? 00:00:00 pop3-login
    root 5533 1 0 11:21 ? 00:00:00 /usr/sbin/dovecot
    root 5534 5533 0 11:21 ? 00:00:00 dovecot-auth
    dovecot 5663 5533 0 12:15 ? 00:00:00 pop3-login

    In ps for exim I've got

    mail 19725 32303 0 15:03 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 19732 19725 0 15:03 ? 00:00:00 [exim] <defunct>
    mail 20142 19725 0 15:03 ? 00:00:00 [exim] <defunct>
    mail 20280 32303 0 15:03 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 20321 20280 0 15:03 ? 00:00:00 [exim] <defunct>
    mail 20358 32303 0 15:03 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 20368 20358 0 15:03 ? 00:00:00 [exim] <defunct>
    mail 20476 20358 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 21589 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 21610 21589 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 21655 20280 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 21711 20358 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 21769 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 21783 21769 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 22180 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 22183 22180 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 22227 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 22244 22227 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 22262 20280 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 22296 19725 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 22302 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 22325 22302 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 22353 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 22360 22353 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 22372 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 22383 22372 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 22403 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 22411 22403 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 23610 22372 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 23616 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 23634 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 23638 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 23652 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 23653 23616 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 23659 23634 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 23666 23638 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 23684 23652 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 23691 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 23694 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    mail 23695 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    root 23696 1 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A6-9b
    mail 23697 23696 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A6-9b
    mail 23698 23697 0 15:04 ? 00:00:00 /usr/sbin/exim -oMr spam-scanned -bS
    mail 23699 23697 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A6-9b
    mail 23701 23697 0 15:04 ? 00:00:00 [exim] <defunct>
    root 23704 23691 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A7-9F
    root 23708 23638 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-00069G-1R
    mail 23709 23708 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-00069G-1R
    mail 23710 23709 0 15:04 ? 00:00:00 /usr/sbin/exim -oMr spam-scanned -bS
    mail 23711 23709 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-00069G-1R
    mail 23713 23709 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 23717 23704 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A7-9F
    mail 23718 23717 0 15:04 ? 00:00:00 /usr/sbin/exim -oMr spam-scanned -bS
    mail 23719 23717 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A7-9F
    mail 23721 23717 0 15:04 ? 00:00:00 [exim] <defunct>
    mail 23733 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
    root 23735 30339 0 15:05 pts/0 00:00:00 grep exim
    mail 32303 1 0 14:59 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid

    paniclog

    2011-06-08 15:01:04 daemon: accept process fork failed: Cannot allocate memory
    2011-06-08 15:01:05 1QUKFj-0002eY-4B daemon: delivery process fork failed: Cannot allocate memory
    2011-06-08 15:01:05 1QUKFk-0002eZ-3v daemon: delivery process fork failed: Cannot allocate memory
    2011-06-08 15:01:06 1QUKFh-0002e0-4F failed to fork automatic delivery process: Cannot allocate memory
    2011-06-08 15:01:12 1QUKFn-0002f7-6z == [email protected] R=spamcheck_director T=spamcheck defer (12): Cannot allocate memory: Error 12
    2011-06-08 15:01:12 1QUKFp-0002vp-7G == [email protected] R=spamcheck_director T=spamcheck defer (12): Cannot allocate memory: Error 12
    2011-06-08 15:01:12 1QUKFp-0002vt-9x == [email protected] R=spamcheck_director T=spamcheck defer (12): Cannot allocate memory: Error 12

    and lots of

    2011-06-08 15:08:10 queue run: process 7848 crashed with signal 11 while delivering 1OYH1M-0004FY-5M
    2011-06-08 15:08:10 queue run: process 7849 crashed with signal 11 while delivering 1OuoOM-0006hP-I1
    2011-06-08 15:08:10 queue run: process 7858 crashed with signal 11 while delivering 1P5bLM-0007o5-9O
    2011-06-08 15:08:10 queue run: process 7862 crashed with signal 11 while delivering 1OY2oM-0006GB-Gp
    2011-06-08 15:08:10 queue run: process 7863 crashed with signal 11 while delivering 1OuoOM-0006hO-3O
    2011-06-08 15:08:10 queue run: process 7873 crashed with signal 11 while delivering 1OuaZM-0005bT-FU
    2011-06-08 15:08:10 queue run: process 7874 crashed with signal 11 while delivering 1OYH1M-0004az-Mu
    2011-06-08 15:08:10 queue run: process 7876 crashed with signal 11 while delivering 1PpRfM-0007JO-JA

    It's the [email protected] that's getting hit.

    I've found the file exploit in the tmp directory, but it keeps getting re-created after deletion.
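    A small triage script for the exim log lines quoted above, added here as an example and not part of the post: it classifies each line as a fork failure, an ENOMEM deferral or a queue-runner crash, and counts deferrals per recipient to confirm which mailbox is absorbing the flood. The sample lines are constructed in the same format, with placeholder addresses.

```python
import re
from collections import Counter
# Constructed sample modelled on the paniclog/mainlog lines in the post (placeholder addresses).
SAMPLE_LOG = """\
2011-06-08 15:01:04 daemon: accept process fork failed: Cannot allocate memory
2011-06-08 15:01:05 1QUKFj-0002eY-4B daemon: delivery process fork failed: Cannot allocate memory
2011-06-08 15:01:06 1QUKFh-0002e0-4F failed to fork automatic delivery process: Cannot allocate memory
2011-06-08 15:01:12 1QUKFn-0002f7-6z == victim@example.com R=spamcheck_director T=spamcheck defer (12): Cannot allocate memory: Error 12
2011-06-08 15:01:12 1QUKFp-0002vp-7G == victim@example.com R=spamcheck_director T=spamcheck defer (12): Cannot allocate memory: Error 12
2011-06-08 15:01:13 1QUKFq-0002vq-8H == other@example.com R=spamcheck_director T=spamcheck defer (12): Cannot allocate memory: Error 12
2011-06-08 15:08:10 queue run: process 7848 crashed with signal 11 while delivering 1OYH1M-0004FY-5M
2011-06-08 15:08:10 queue run: process 7849 crashed with signal 11 while delivering 1OuoOM-0006hP-I1
"""
# Exim log line: timestamp, optional 16-character message ID, then free text.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"(?:(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) )?(?P<text>.*)$")
DEFER_RE = re.compile(r"== (?P<rcpt>\S+) .*\bdefer \((?P<errno>\d+)\)")
CRASH_RE = re.compile(r"crashed with signal (?P<sig>\d+) while delivering (?P<msgid>\S+)")

def classify(text):
    # Bucket a line into the three failure types seen in the thread.
    if "fork failed" in text or "failed to fork" in text:
        return "fork_failure"   # daemon could not fork: memory pressure
    if CRASH_RE.search(text):
        return "crash"          # queue-runner child died; signal 11 is SIGSEGV
    if DEFER_RE.search(text):
        return "defer"          # router/transport deferred; errno 12 is ENOMEM
    return "other"

def triage(log_text):
    # Summarise failures by class, by minute, by errno and by deferred recipient.
    s = {"by_class": Counter(), "by_minute": Counter(), "deferred_rcpts": Counter(),
         "errnos": Counter(), "crashed_msgids": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        cls = classify(m["text"])
        s["by_class"][cls] += 1
        s["by_minute"][(m["ts"][:16], cls)] += 1   # minute buckets show the burst
        if cls == "defer":
            d = DEFER_RE.search(m["text"])
            s["deferred_rcpts"][d["rcpt"]] += 1
            s["errnos"][int(d["errno"])] += 1
        elif cls == "crash":
            s["crashed_msgids"].append(CRASH_RE.search(m["text"])["msgid"])
    return s

def top_target(summary):
    """Recipient with the most deferred deliveries: the mailbox being flooded."""
    ranked = summary["deferred_rcpts"].most_common(1)
    return ranked[0][0] if ranked else None
```

Run it over the real paniclog and mainlog to see whether deferrals concentrate on one recipient, as the poster suspects, or are spread across the domain.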

  2. #2
    Join Date
    Jan 2011
    Posts
    451
    Hello,

    As you found the vulnerable file in the /tmp partition, you need to secure tmp ASAP. Use the URL given below for securing tmp:

    http://www.webhostgear.com/34.html

    Also post a sample mail's header and body here:

    exim -Mvh Message ID
    exim -Mvb Message ID

  3. #3
    Join Date
    Jun 2007
    Posts
    36
    I tried following the guide, but got

    mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
    mount: no permission to look at /dev/loop#

    This is on a VPS.
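    Whether or not the loop mount from the guide succeeds, the thing to verify is what /tmp actually ends up with. The following is an added example, not code from the thread: it parses /proc/mounts text (constructed samples here) and reports which of the guide's options, noexec and nosuid, are missing on the filesystem that backs /tmp, falling back to the covering mount (usually /) when /tmp is not a separate filesystem, which is the state after a failed loop mount on a VPS.

```python
import re

# Constructed /proc/mounts samples (not from the poster's VPS): one where /tmp is a
# separate hardened filesystem, one where /tmp is just a directory on the root fs.
MOUNTS_HARDENED = """\
/dev/simfs / simfs rw,relatime 0 0
/dev/tmpMnt /tmp ext3 rw,nosuid,noexec,relatime 0 0
proc /proc proc rw,relatime 0 0
"""
MOUNTS_ROOT_ONLY = """\
/dev/simfs / simfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
"""
REQUIRED = ("noexec", "nosuid")   # the options the guide's mount line sets

def parse_mounts(text):
    """Map mount point -> option set from /proc/mounts format:
    device mountpoint fstype options dump pass (mount points use \\040-style escapes)."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mnt = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), parts[1])
        mounts[mnt] = set(parts[3].split(","))
    return mounts

def covering_mount(mounts, path):
    """Longest mount point whose subtree contains path; '/' if nothing closer."""
    best = None
    for mnt in mounts:
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best):
                best = mnt
    return best

def check_tmp(mounts_text, path="/tmp"):
    """Report which required options are missing on the filesystem backing path."""
    mounts = parse_mounts(mounts_text)
    mnt = covering_mount(mounts, path)
    missing = [o for o in REQUIRED if o not in mounts.get(mnt, set())]
    return {"mountpoint": mnt, "separate_fs": mnt == path, "missing": missing}
```

On a live box, feed it `open("/proc/mounts").read()`; a result with `separate_fs` False and both options missing means the guide's hardening did not take effect.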

  4. #4
    Join Date
    Nov 2005
    Location
    /etc/fstab
    Posts
    1,274
    You can force the use of SpamAssassin rules for each user. It does reduce the amount of spam. Are you using any control panel?

  5. #5
    Join Date
    Jun 2007
    Posts
    36
    I'm running SA under DirectAdmin, but I need to get rid of this rogue file and anything attached to it. Any ideas how?
