Have I been compromised?

  #1  
Old 02-28-2008, 06:58 AM
matt1206 matt1206 is offline
WHT Addict
 
Join Date: Sep 2006
Location: Sheffield, UK
Posts: 116

Have I been compromised?


Qmail appears to be sending tons of e-mails:

qmailr 24122 28409 0 10:34 ? 00:00:00 qmail-remote yahoo.com ydovnndvutp@yahoo.com hanklinville@yahoo.com
qmailr 24123 24122 0 10:34 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com ydovnndvutp@yahoo.com hanklinville@yahoo.com
qmailr 25401 28409 0 10:36 ? 00:00:00 qmail-remote yahoo.com vjoknmyaejckg@yahoo.com bjcalbjcal@yahoo.com
qmailr 25402 25401 0 10:36 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com vjoknmyaejckg@yahoo.com bjcalbjcal@yahoo.com
qmailr 25569 28409 0 10:37 ? 00:00:00 qmail-remote yahoo.com zptrfcfpadffr@yahoo.com cutziepi4u@yahoo.com
qmailr 25570 25569 0 10:37 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com zptrfcfpadffr@yahoo.com cutziepi4u@yahoo.com
qmailr 26300 28409 0 10:38 ? 00:00:00 qmail-remote yahoo.com abcctvxmkobjwb@yahoo.com hani_hapsari@yahoo.com
qmailr 26301 26300 0 10:38 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com abcctvxmkobjwb@yahoo.com hani_hapsari@yahoo.com
qmailr 27213 28409 0 10:39 ? 00:00:00 qmail-remote yahoo.com mqqbqmwzpnuzqo@yahoo.com
qmailr 27214 27213 0 10:39 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com mqqbqmwzpnuzqo@yahoo.com
qmailr 28391 28409 0 10:40 ? 00:00:00 qmail-remote yahoo.com obictols@yahoo.com
qmailr 28392 28391 0 10:40 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com obictols@yahoo.com
qmailr 28728 28409 0 10:40 ? 00:00:00 qmail-remote yahoo.com yigqz@yahoo.com
qmailr 28733 28728 0 10:40 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com yigqz@yahoo.com
qmailr 29993 28409 0 10:41 ? 00:00:00 qmail-remote yahoo.com imcxpvbbgsam@yahoo.com douginak@yahoo.com
qmailr 29994 29993 0 10:41 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com imcxpvbbgsam@yahoo.com douginak@yahoo.com
qmailr 30014 28409 0 10:41 ? 00:00:00 qmail-remote yahoo.com qwcji@yahoo.com desdemona8@yahoo.com
qmailr 30015 30014 0 10:41 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com qwcji@yahoo.com desdemona8@yahoo.com
root 462 1 0 10:44 ? 00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
qmailr 491 1 0 10:44 ? 00:00:00 qmail-rspawn
qmailr 500 491 0 10:44 ? 00:00:00 qmail-remote yahoo.com kdeiizofbbf@yahoo.com buck63_@yahoo.com
qmailr 502 500 0 10:44 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com kdeiizofbbf@yahoo.com buck63_@yahoo.com
qmailr 628 491 0 10:44 ? 00:00:00 qmail-remote yahoo.com hajmgdiy@yahoo.com melbjeff1@yahoo.com
qmailr 629 628 0 10:44 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com hajmgdiy@yahoo.com melbjeff1@yahoo.com
qmailr 640 491 0 10:45 ? 00:00:00 qmail-remote yahoo.com wucvmxd@yahoo.com lucybeno@yahoo.com
qmailr 643 640 0 10:45 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com wucvmxd@yahoo.com lucybeno@yahoo.com
qmailr 827 491 0 10:45 ? 00:00:00 qmail-remote yahoo.com vdkwnfvyoohuqp@yahoo.com moonshinenkc@yahoo.com
qmailr 830 827 0 10:45 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com vdkwnfvyoohuqp@yahoo.com moonshinenkc@yahoo.com
qmailr 863 491 0 10:45 ? 00:00:00 qmail-remote yahoo.com djkwpaezxjc@yahoo.com cotyjoe61@yahoo.com
qmailr 864 863 0 10:45 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com djkwpaezxjc@yahoo.com cotyjoe61@yahoo.com
qmailr 936 491 0 10:45 ? 00:00:00 qmail-remote yahoo.com wmdxrwj@yahoo.com godinho@yahoo.com
qmailr 937 936 0 10:45 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com wmdxrwj@yahoo.com godinho@yahoo.com
qmailr 950 491 0 10:45 ? 00:00:00 qmail-remote yahoo.com vuwmtrsowwid@yahoo.com prairie_radio@yahoo.com
qmailr 951 950 0 10:45 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com vuwmtrsowwid@yahoo.com prairie_radio@yahoo.com
qmailr 1268 491 0 10:45 ? 00:00:00 qmail-remote yahoo.com axdixuqhwsbt@yahoo.com enrique56@yahoo.com
qmailr 1269 1268 0 10:45 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com axdixuqhwsbt@yahoo.com enrique56@yahoo.com
qmailr 1458 491 0 10:45 ? 00:00:00 qmail-remote yahoo.com edghuhjfolryo@yahoo.com dremsen@yahoo.com
qmailr 1459 1458 0 10:45 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com edghuhjfolryo@yahoo.com dremsen@yahoo.com
qmailr 1522 491 0 10:46 ? 00:00:00 qmail-remote yahoo.com fvsgugskegbm@yahoo.com cubishi@yahoo.com
qmailr 1523 1522 0 10:46 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com fvsgugskegbm@yahoo.com cubishi@yahoo.com
qmailr 1590 491 0 10:46 ? 00:00:00 qmail-remote yahoo.com slchphkans@yahoo.com
qmailr 1591 1590 0 10:46 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com slchphkans@yahoo.com
qmailr 1602 491 0 10:46 ? 00:00:00 qmail-remote yahoo.com ngntudgmnc@yahoo.com rokit777@yahoo.com
qmailr 1603 1602 0 10:46 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com ngntudgmnc@yahoo.com rokit777@yahoo.com
qmailr 1611 491 0 10:46 ? 00:00:00 qmail-remote yahoo.com gyqlgc@yahoo.com sepehr4356772@yahoo.com
qmailr 1612 1611 0 10:46 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com gyqlgc@yahoo.com sepehr4356772@yahoo.com
qmailr 1674 491 0 10:46 ? 00:00:00 qmail-remote yahoo.com sfmdmaynevhq@yahoo.com midoinmi@yahoo.com
qmailr 1675 1674 0 10:46 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com sfmdmaynevhq@yahoo.com midoinmi@yahoo.com
qmailr 2356 491 0 10:46 ? 00:00:00 qmail-remote yahoo.com dvjcrb@yahoo.com kharkov64@yahoo.com
qmailr 2357 2356 0 10:46 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com dvjcrb@yahoo.com kharkov64@yahoo.com
qmailr 2371 491 0 10:46 ? 00:00:00 qmail-remote yahoo.com mkxmmxo@yahoo.com bigwill325@yahoo.com
qmailr 2372 2371 0 10:46 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com mkxmmxo@yahoo.com bigwill325@yahoo.com
qmailr 2811 491 0 10:47 ? 00:00:00 qmail-remote yahoo.com jfkygog@yahoo.com truckinandy@yahoo.com
qmailr 2812 2811 0 10:47 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com jfkygog@yahoo.com truckinandy@yahoo.com
qmaild 5450 462 0 10:49 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmaild 5487 462 0 10:49 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmaild 6388 462 0 10:50 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmailr 6445 491 0 10:50 ? 00:00:00 qmail-remote yahoo.com oklbj@yahoo.com xxpikangelladyspazxx@yahoo.com
qmailr 6446 6445 0 10:50 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com oklbj@yahoo.com xxpikangelladyspazxx@yahoo.com
qmaild 6721 462 0 10:50 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmaild 8956 462 0 10:53 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmaild 9042 462 0 10:53 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmaild 9143 462 0 10:53 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmaild 9303 462 0 10:53 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmaild 9420 462 0 10:53 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmaild 9564 462 0 10:53 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmaild 10155 462 0 10:54 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmaild 10232 462 0 10:54 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmaild 10355 462 0 10:54 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
qmailr 10379 491 0 10:54 ? 00:00:00 qmail-remote yahoo.com jbebxflt@yahoo.com shillemite@yahoo.com
qmailr 10380 10379 0 10:54 ? 00:00:00 /var/qmail/bin/qmail-remote.moved yahoo.com jbebxflt@yahoo.com shillemite@yahoo.com
root 10500 4200 31 10:54 ? 00:00:02 /usr/bin/perl /usr/local/psa/admin/sbin/mailqueuemng --remove:19/5719866: --remove:19/5719567: --remove:19/57
qmaild 10529 462 0 10:54 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
root 10604 10232 0 10:54 ? 00:00:00 bin/qmail-queue
qmaild 10606 462 2 10:54 ? 00:00:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail
root 10608 6388 0 10:54 ? 00:00:00 bin/qmail-queue
root 10617 10155 0 10:54 ? 00:00:00 bin/qmail-queue



from the mail log:

Feb 28 10:57:14 www qmail: 1204196234.099860 starting delivery 256: msg 2999361 to remote beautytoyou@gmail.com
Feb 28 10:57:14 www qmail: 1204196234.099942 status: local 0/10 remote 2/20
Feb 28 10:57:14 www qmail: 1204196234.099988 starting delivery 257: msg 2999361 to remote charleshonig@gmail.com
Feb 28 10:57:14 www qmail: 1204196234.100024 status: local 0/10 remote 3/20
Feb 28 10:57:14 www qmail-remote-handlers[12853]: Handlers Filter before-remote for qmail started ...
Feb 28 10:57:14 www qmail-remote-handlers[12854]: Handlers Filter before-remote for qmail started ...
Feb 28 10:57:14 www qmail-remote-handlers[12853]: from=jzaryz@yahoo.com
Feb 28 10:57:14 www qmail-remote-handlers[12853]: to=beautytoyou@gmail.com
Feb 28 10:57:14 www qmail-remote-handlers[12854]: from=jzaryz@yahoo.com
Feb 28 10:57:14 www qmail-remote-handlers[12854]: to=charleshonig@gmail.com
Feb 28 10:57:14 www qmail-queue-handlers[12859]: Handlers Filter before-queue for qmail started ...
Feb 28 10:57:14 www qmail: 1204196234.612377 delivery 256: success: 66.249.83.27_accepted_message./Remote_host_said:_250_2.0.0_OK_1204196232_h18si2172257wxd.18/
Feb 28 10:57:14 www qmail: 1204196234.612467 status: local 0/10 remote 2/20
Feb 28 10:57:14 www qmail: 1204196234.673680 delivery 257: success: 64.233.179.27_accepted_message./Remote_host_said:_250_2.0.0_OK_1204196232_e76si11306316hse.1/
Feb 28 10:57:14 www qmail: 1204196234.673786 status: local 0/10 remote 1/20
Feb 28 10:57:14 www qmail: 1204196234.673832 end msg 2999361
Feb 28 10:57:14 www qmail-queue-handlers[12859]: from=qidxvexp@yahoo.com
Feb 28 10:57:14 www qmail-queue-handlers[12859]: to=hjbrennan@gmail.com
Feb 28 10:57:14 www qmail-queue-handlers[12859]: hook_dir = '/var/qmail//handlers/before-queue'
Feb 28 10:57:14 www qmail-queue-handlers[12859]: recipient[3] = 'hjbrennan@gmail.com'
Feb 28 10:57:14 www qmail-queue-handlers[12859]: handlers dir = '/var/qmail//handlers/before-queue/recipient/hjbrennan@gmail.com'
Feb 28 10:57:14 www qmail-queue-handlers[12859]: starter: submitter[12863] exited normally
Feb 28 10:57:14 www qmail: 1204196234.800231 new msg 2999361
Feb 28 10:57:14 www qmail: 1204196234.800319 info msg 2999361: bytes 677 from <qidxvexp@yahoo.com> qp 12863 uid 2020
Feb 28 10:57:14 www qmail: 1204196234.805023 starting delivery 258: msg 2999361 to remote hjbrennan@gmail.com
Feb 28 10:57:14 www qmail: 1204196234.805271 status: local 0/10 remote 2/20
Feb 28 10:57:14 www qmail-remote-handlers[12864]: Handlers Filter before-remote for qmail started ...
Feb 28 10:57:14 www qmail-remote-handlers[12864]: from=qidxvexp@yahoo.com
Feb 28 10:57:14 www qmail-remote-handlers[12864]: to=hjbrennan@gmail.com
Feb 28 10:57:17 www qmail: 1204196237.319981 delivery 258: success: 64.233.179.27_accepted_message./Remote_host_said:_250_2.0.0_OK_1204196235_y56si10812255hsb.6/
Feb 28 10:57:17 www qmail: 1204196237.320069 status: local 0/10 remote 1/20
Feb 28 10:57:17 www qmail: 1204196237.320112 end msg 2999361
Feb 28 10:57:17 www qmail-queue-handlers[12879]: Handlers Filter before-queue for qmail started ...


I've run a rootkit check, and that's come up with nothing. This all started at 08:00 GMT this morning.

What do people think?

__________________
http://z22se.co.uk
A site dedicated to the GM Z22SE Engine
https://mattwservices.co.uk
XenForo specialist services

  #2  
Old 03-22-2010, 12:40 PM
jettro22 jettro22 is offline
New Member
 
Join Date: Mar 2010
Posts: 2
Thinking .....

Hi sir,

I seem to have had the same problem for about a week now, and can't get it solved by any post on Google or anywhere else... ;-)

Did you solve your issue or get any feedback?

I'm interested in helping or getting helped.

regards

Jeff

  #3  
Old 03-22-2010, 02:15 PM
madaboutlinux madaboutlinux is offline
Web Hosting Master
 
Join Date: Jul 2009
Posts: 1,543
No, your server is not compromised. It happens mostly on Plesk servers. It's sort of relaying.... try to figure out if there is any script under a user using the email headers and also enable RBL lists from Plesk >> Settings >> Mails and see if it helps.

__________________
| LinuxHostingSupport.net
| Server Setup | Security | Optimization | Troubleshooting | Server Migration
| Monthly and Task basis services.
| MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux
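
One way to narrow down which account is queuing the mail, as an added example that is not part of the original thread: qmail-send's `info msg` line (visible in the first post's log) records the Unix uid that queued each message, so tallying messages and distinct envelope senders per uid points at the submitting account. The sample log is constructed in that format; the function names and the `min_senders` threshold are assumptions. Message numbers are reused after `end msg`, as 2999361 is in the first post, so the mapping is reset there.

```python
import re
from collections import defaultdict

# Constructed sample in the qmail-send log format from the first post.
# Addresses, uids and message numbers are made up for this example.
P = "Feb 28 10:57:14 www qmail: 1204196234.8 "
SAMPLE_LOG = [P + s for s in (
    "info msg 2999361: bytes 677 from <qa@example.com> qp 12863 uid 2020",
    "starting delivery 1: msg 2999361 to remote r1@example.net",
    "starting delivery 2: msg 2999361 to remote r2@example.net",
    "end msg 2999361",
    "info msg 2999361: bytes 912 from <news@shop.example> qp 12870 uid 10003",
    "starting delivery 3: msg 2999361 to remote r3@example.net",
    "end msg 2999361",
    "info msg 2999362: bytes 680 from <qb@example.com> qp 12881 uid 2020",
    "starting delivery 4: msg 2999362 to remote r4@example.net",
    "info msg 2999361: bytes 671 from <qc@example.com> qp 12890 uid 2020",
    "starting delivery 5: msg 2999361 to remote r5@example.net",
    "info msg 2999363: bytes 900 from <news@shop.example> qp 12899 uid 10003",
    "starting delivery 6: msg 2999363 to local someone@shop.example",
)]

INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
DELIVERY = re.compile(r"starting delivery \d+: msg (\d+) to remote (\S+)")
END = re.compile(r"end msg (\d+)")

def summarize(lines):
    """Per-uid totals: queued messages, distinct senders, remote deliveries."""
    live = {}  # message number -> uid, valid until "end msg" frees the number
    stats = defaultdict(lambda: {"messages": 0, "senders": set(), "remote": 0})
    for line in lines:
        if m := INFO.search(line):
            uid = int(m.group(3))
            live[m.group(1)] = uid
            stats[uid]["messages"] += 1
            stats[uid]["senders"].add(m.group(2))
        elif m := DELIVERY.search(line):
            if (uid := live.get(m.group(1))) is not None:
                stats[uid]["remote"] += 1
        elif m := END.search(line):
            live.pop(m.group(1), None)  # number may be reused by another uid
    return stats

def suspects(stats, min_senders=3):
    """uids whose mail uses many different envelope senders."""
    return sorted(u for u, s in stats.items() if len(s["senders"]) >= min_senders)

if __name__ == "__main__":
    for uid, s in sorted(summarize(SAMPLE_LOG).items()):
        print(uid, s["messages"], len(s["senders"]), s["remote"])
```

`getent passwd <uid>` maps a flagged uid back to an account name on the server.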

  #4  
Old 03-22-2010, 02:19 PM
jettro22 jettro22 is offline
New Member
 
Join Date: Mar 2010
Posts: 2
Thinking .....

well,

You're right, it's on a Plesk server I won't upgrade, as we plan to migrate to another server.

I started to look after websites, but as we host 100 it's quite long....


Thanks for answering

  #5  
Old 03-22-2010, 03:45 PM
matt1206 matt1206 is offline
WHT Addict
 
Join Date: Sep 2006
Location: Sheffield, UK
Posts: 116
I simply turned off the mail server for several hours, and it went away. It was on a Plesk server, but I've since moved servers and am now on cPanel.

__________________
http://z22se.co.uk
A site dedicated to the GM Z22SE Engine
https://mattwservices.co.uk
XenForo specialist services

Reply With Quote
Reply

Related posts from TheWhir.com
Title Type Date Posted


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Postbit Selector

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump
Login:
Log in with your username and password
Username:
Password:



Forgot Password?
Advertisement:
Web Hosting News:



 

X

Welcome to WebHostingTalk.com

Create your username to jump into the discussion!

WebHostingTalk.com is the largest, most influentual web hosting community on the Internet. Join us by filling in the form below.


(4 digit year)

Already a member?