Server suspected of sending out spam!

miltongoh

Hi,

Kindly help me with this. My server running DA seems to be sending out spam.

=============================================

[root@server root]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 MYIPADDRESS:53 0.0.0.0:* LISTEN
tcp 0 0 MYIPADDRESS:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 MYIPADDRESS:33531 209.86.93.229:25 TIME_WAIT
tcp 0 1 MYIPADDRESS:33501 63.237.122.0:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33457 64.34.105.163:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33429 64.34.105.163:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33399 64.34.105.163:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33378 64.34.105.163:25 SYN_SENT
tcp 1 0 MYIPADDRESS:32882 68.6.19.3:25 CLOSE_WAIT
tcp 0 0 MYIPADDRESS:25 209.225.28.161:43693 TIME_WAIT
tcp 0 0 MYIPADDRESS:25 216.119.128.23:54766 TIME_WAIT
tcp 0 29 MYIPADDRESS:33465 205.188.159.57:25 ESTABLISHED
tcp 0 10136 MYIPADDRESS:33510 205.188.159.57:25 ESTABLISHED
tcp 0 1 MYIPADDRESS:33534 205.188.159.57:25 SYN_SENT
tcp 0 0 MYIPADDRESS:33552 207.115.57.16:25 ESTABLISHED
tcp 0 14480 MYIPADDRESS:33548 209.150.236.156:25 ESTABLISHED
tcp 0 13032 MYIPADDRESS:33549 209.86.93.237:25 ESTABLISHED
tcp 0 84 MYIPADDRESS:33551 194.154.128.2:25 ESTABLISHED
tcp 0 28 MYIPADDRESS:33543 64.12.138.89:25 ESTABLISHED
tcp 0 1 MYIPADDRESS:33546 64.12.138.89:25 SYN_SENT
tcp 0 2186 MYIPADDRESS:33511 64.12.138.89:25 ESTABLISHED
tcp 0 0 MYIPADDRESS:33521 129.81.118.37:25 TIME_WAIT
tcp 0 1 MYIPADDRESS:33212 63.237.122.20:25 SYN_SENT
tcp 0 32 MYIPADDRESS:33529 64.12.138.185:25 ESTABLISHED
tcp 61 0 MYIPADDRESS:32888 205.152.58.33:25 CLOSE_WAIT
tcp 0 7 MYIPADDRESS:33547 206.211.123.47:25 FIN_WAIT1
tcp 0 29 MYIPADDRESS:33522 205.188.159.217:25 ESTABLISHED
tcp 0 10136 MYIPADDRESS:33497 205.188.159.217:25 ESTABLISHED
tcp 0 0 MYIPADDRESS:33553 193.209.83.72:25 ESTABLISHED
tcp 0 0 MYIPADDRESS:25 129.115.102.173:13013 TIME_WAIT
tcp 51 0 MYIPADDRESS:33512 207.115.20.21:25 CLOSE_WAIT
tcp 0 7 MYIPADDRESS:33554 66.211.211.51:25 FIN_WAIT1
tcp 0 0 MYIPADDRESS:25 209.225.28.213:52543 TIME_WAIT
tcp 0 0 MYIPADDRESS:33064 4.79.181.14:25 ESTABLISHED
tcp 0 0 MYIPADDRESS:25 65.24.7.62:23234 TIME_WAIT
tcp 0 1 MYIPADDRESS:33309 66.110.17.71:25 SYN_SENT
tcp 0 8688 MYIPADDRESS:33507 205.188.157.25:25 ESTABLISHED
tcp 0 7 MYIPADDRESS:33203 65.64.1.195:25 FIN_WAIT1
tcp 1 49 MYIPADDRESS:25 66.133.183.136:45408 CLOSING
tcp 0 7 MYIPADDRESS:33306 65.64.1.195:25 FIN_WAIT1
tcp 0 0 MYIPADDRESS:33491 64.34.161.33:25 TIME_WAIT
tcp 0 48 MYIPADDRESS:22 218.212.135.222:1738 ESTABLISHED
tcp 0 1 MYIPADDRESS:33539 64.12.138.152:25 SYN_SENT
tcp 0 0 MYIPADDRESS:25 64.12.138.17:53228 ESTABLISHED
tcp 0 0 MYIPADDRESS:25 167.193.142.16:4389 TIME_WAIT
tcp 0 1 MYIPADDRESS:33520 64.12.138.152:25 SYN_SENT
tcp 0 12312 MYIPADDRESS:33550 160.109.70.76:25 ESTABLISHED
tcp 0 75 MYIPADDRESS:33541 160.109.70.76:25 FIN_WAIT1
tcp 0 0 MYIPADDRESS:33504 205.188.156.185:25 ESTABLISHED
tcp 0 78 MYIPADDRESS:25 205.158.62.61:39084 ESTABLISHED
tcp 0 1 MYIPADDRESS:33239 207.218.192.49:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33556 216.119.128.24:25 SYN_SENT
tcp 0 1 MYIPADDRESS:33555 204.127.134.23:25 SYN_SENT
udp 0 0 0.0.0.0:32769 0.0.0.0:*
udp 296 0 MYIPADDRESS:53 0.0.0.0:*
udp 0 0 MYIPADDRESS:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 1455 /var/lib/mysql/mysql.sock
unix 7 [ ] DGRAM 1290 /dev/log
unix 2 [ ] DGRAM 27963
unix 2 [ ] DGRAM 4217
unix 2 [ ] DGRAM 1905
unix 3 [ ] STREAM CONNECTED 1818
unix 3 [ ] STREAM CONNECTED 1817
unix 3 [ ] STREAM CONNECTED 1816
unix 3 [ ] STREAM CONNECTED 1815
unix 2 [ ] DGRAM 1686
unix 2 [ ] DGRAM 1486
unix 2 [ ] DGRAM 1301
 
Code:
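# Edit the Exim configuration. The first log_selector block is the one to
# locate in the file; it is disabled by commenting it out and replaced by the
# wider selector set further down.
nano /etc/exim.conf

#Find:
log_selector = \
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery

#Change it to:
#log_selector = \
  #+delivery_size \
  #+sender_on_delivery \
  #+received_recipients \
  #+received_sender \
  #+smtp_confirmation \
  #+subject \
  #+smtp_incomplete_transaction \
  #-dnslist_defer \
  #-host_lookup_failed \
  #-queue_run \
  #-rejected_header \
  #-retry_defer \
  #-skip_delivery

# Replacement log_selector. Compared with the block above it turns on
# +arguments, +incoming_interface, +incoming_port and +smtp_connection and
# re-enables the selectors that were switched off with "-", so that mainlog
# records how Exim was invoked and from where for each message. The
# "cwd=... args: /usr/sbin/sendmail ..." lines this produces are the ones to
# search for when tracing which script or account is injecting mail.
# Trailing blanks after the continuation backslashes have been stripped: Exim
# tolerates them, but they break the continuation if these lines are ever
# pasted through a shell.
log_selector = \
 +address_rewrite \
 +all_parents \
 +arguments \
 +connection_reject \
 +delay_delivery \
 +delivery_size \
 +dnslist_defer \
 +incoming_interface \
 +incoming_port \
 +lost_incoming_connection \
 +queue_run \
 +received_sender \
 +received_recipients \
 +retry_defer \
 +sender_on_delivery \
 +size_reject \
 +skip_delivery \
 +smtp_confirmation \
 +smtp_connection \
 +smtp_protocol_error \
 +smtp_syntax_error \
 +subject \
 +tls_cipher \
 +tls_peerdn

#CTRL + X
# Restart Exim so the new log_selector is loaded.
/sbin/service exim restart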

Now tail /var/log/exim/mainlog and
search for mass e-mail messages that are sent from a web page, like:
Code:
2005-12-08 00:50:11 cwd=/home/user/domains/domain.come/public_html/dir 5 args: /usr/sbin/sendmail -t -i -f ....
or mass e-mail sending from one address.

By the way, check out this:
http://help.directadmin.com/item.php?id=81
 
I ran `exim -bp | less` and got quite a number of results.

How do I do a mass removal of those message IDs?
 