how to stop spam

jasonlamkk

As the title says,
my server was used by a client to send spam. How do I stop it?
The account is already deleted, as well as his files, but does anyone know whether his permissions in Linux would be deleted by DA too?
* exim seems to allow his mail jobs to be processed

Example logs are as follows.
The bolded text is something that never existed; somebody is trying to send mail to randomly generated addresses / testing whether such addresses exist.

2005-08-25 00:37:58 1E4dmE-0008Mv-Q9 mail.eadead.net [61.31.235.245]: Connection refused
2005-08-25 00:37:58 1E4dmE-0008Mv-Q9 == [email protected] R=lookuphost T=remote_smtp defer (111): Connection refused
2005-08-25 00:37:58 1E4dmE-0008Mv-Q9 ** [email protected] : retry timeout exceeded
2005-08-25 00:37:58 1E4dmE-0008Mv-Q9 [email protected] : error ignored
2005-08-25 00:37:58 1E4dmE-0008Mv-Q9 Completed
 
It's possible there's still a lot of spam in the queue trying to get off your server; exim by default tries for four days, if memory serves.

However it's also possible that there's a process running somewhere on your server that's being used to process spam.

Jeff
 
Re: how about the account

Thanks for your help.

So if there's a background process started by user1,
can it still run if user1 has been deleted?

Or does DA delete the settings in Apache but leave the Linux account?

Is there any command to clear the queue other than stopping exim for 4 days?

----------------------------------------------
P.S. Another problem:
I discovered that I have forgotten the root password, and I am now searching for the script to recover it by installing plug-ins.
May I know what script I should type in
install.sh to reset the password / grant root permission to another user?
(on RH9)
 
Re: re: how about the account

jasonlamkk said:
So if there's a background process started by user1,
can it still run if user1 has been deleted?

Yes. Once the user starts a process it will continue to run with the same user number. The process has no way to know the user has been deleted.

jasonlamkk said:
Or does DA delete the settings in Apache but leave the Linux account?

That shouldn't happen. But if a hacker breaks in he can put the files anywhere. In fact he can add a module to the kernel to hide everything from you and to only show you what he wants you to see.

jasonlamkk said:
Is there any command to clear the queue other than stopping exim for 4 days?

Definitely. My reference is the UIT Cambridge exim book:

The Exim SMTP Mail Server

Unfortunately I don't have time to look it up now. I highly recommend the book. It's a great reference.

Jeff
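
Jeff's point above, that a process keeps running under its numeric user ID after the account is deleted, can be checked directly on the server. The following is an added example, not part of the original thread: a shell function that lists processes whose UID has no passwd entry. The function names and the sample data (including UID 507) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list processes whose numeric UID no
# longer has a passwd entry, i.e. processes that outlived a deleted account.

# orphan_procs [PS_FILE] [PASSWD_FILE]
#   PS_FILE      lines of "PID UID COMMAND"; default: live ps output
#   PASSWD_FILE  passwd(5)-format file;      default: getent passwd
orphan_procs() {
    ps_src=${1:-}
    pw_src=${2:-}
    {
        # Known accounts, tagged "U <uid>"
        if [ -n "$pw_src" ]; then cat "$pw_src"; else getent passwd; fi |
            awk -F: '{ print "U", $3 }'
        # Running processes, tagged "P <pid> <uid> <command>"
        if [ -n "$ps_src" ]; then cat "$ps_src"
        else ps -e -o pid= -o uid= -o comm=; fi |
            awk '{ print "P", $1, $2, $3 }'
    } | awk '
        $1 == "U" { known[$2] = 1; next }
        !($3 in known) { print $2, $3, $4 }   # PID UID COMMAND of each orphan
    '
}

# Demo on constructed sample data (UID 507 has no passwd line).
demo_orphans() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
admin:x:500:500::/home/admin:/bin/bash
EOF
    cat > "$dir/ps" <<'EOF'
    1     0 init
 2210     8 exim
 4242   507 perl
 4243   507 sendmail
 4300   500 sshd
EOF
    orphan_procs "$dir/ps" "$dir/passwd"
    rm -rf "$dir"
}

demo_orphans
```

Called with no arguments, `orphan_procs` reads the live process table and `getent passwd`; any PID it prints belongs to a UID that no longer maps to an account and deserves a closer look.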
 
Re:

Thanks.
Maybe I have to get back the root password first; the command needs root permission, right?

(I was busy with programming for the last few months and haven't used the root login for a long time.)

Please let me know if you have any information about root password recovery through SSH+DA.
 
There was a post on these forums for creating a new root password through the web-based interface if you have the admin password.

I don't know where it is, but I remember reading it.

Jeff
 
I may have seen the thread you mention, but I have problems on my RH9

jlasman said:
There was a post on these forums for creating a new root password through the web-based interface if you have the admin password.

I don't know where it is, but I remember reading it.

Jeff

By adding this line in a new plug-in's install.sh?

/usr/sbin/pw usermod useraccount -u 0

from:
http://www.directadmin.com/forum/showthread.php?s=&threadid=8580&highlight=root+password

Yet
I have tried the above method on my RH9, but it seems that
my server only has /usr/sbin/usermod

Nothing occurred after I called both
/usr/sbin/usermod -u 'username' 0
/usr/sbin/usermod -u 'username' 0 -o
usermod -u 'username' 0
usermod -u 'username' 0 -o
and even
usermod -G 'username' 0
After installing the 'plug-in', I used "set" to check for any changes, but nothing happened; the uid is still 502.

May I know the command for RH9 to set the user ID?
Alt. method:
Or can't a shell script reset the root password? (E.g. shouldn't there be some solution for somebody to reset the root password of 30 servers by script?)
I know very little about Linux commands, but logically, if the script can type
passwd
[pause]
newpassword

it would be possible.

But I don't know how, or whether it is possible, for a shell script to create the [pause] and wait until the server asks for input.


P.S.
Currently only 2 accounts (admin and the one with uid 502) are allowed to use ssh, and root must be "su" from one of them; it would be safe throughout the password recovery.
 