spam mails

nqch1

Hi,

I found out that my server has been sending spam mails out to others since weeks ago. That's why I changed from RH9 to FC3 for the license and reinstalled; it seems that it came back again... Any idea how to stop it permanently? It's using apache as its userid to run the process...

Thanks in advance.
 
Upgrading your OS will not solve the problem on its own. You need to secure your system. Have a look in /tmp and you'll probably find executable files. The answer is to mount your /tmp filesystem as non-executable.

Regards,
Onno Vrijburg
 
Hi,

If I mount it as non-executable, the mysql service will be down. I wonder if there are any more things I can do to prevent that?...

Thanks in advance again.
 
Mounting /tmp as non-executable should never cause mysql to go down unless your system is not configured correctly.

I have /tmp mounted as non-executable on all my servers and I have no problems with mysql.

regards,
Onno Vrijburg
 
Hi,

Thanks for your help. I will be doing a clean format because the user seems to have managed to load a virtual sshd service to allow him/herself to log in remotely without using a single password.

I think that I made a mistake in making 3 partitions, 80 MB for /boot, 2 GB for swap and the rest for / ... thus I am unable to do a remount of /tmp to rw only, and it caused some errors when I tried to do it.
 
nqch1 said:
> Thanks for your help. I will be doing a clean format

Probably a good idea.

> because the user seems to have managed to load a virtual sshd service to allow him/herself to log in remotely without using a single password.

To do that s/he must have at least once had a root login. It's very easy to set up ssh to not require passwords from trusted users if you're root.

> I think that I made a mistake in making 3 partitions, 80 MB for /boot, 2 GB for swap and the rest for / ... thus I am unable to do a remount of /tmp to rw only, and it caused some errors when I tried to do it.

Here's what we use on our servers:
Code:
/		 1000 Megabytes
/usr		10000 Megabytes
/var		10000 Megabytes
/tmp		 2000 Megabytes
<swap>		 1024 Megabytes

But ...

you can create a /tmp partition using a loopback device, and then mount it noexec.

Use the HowTo here to create a /tmp file you can use (mounting it using the loop device) as a noexec mounted /tmp partition.

Note that since this server appears to have been compromised, I'd probably do a complete reinstall.

Jeff
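
The two checks suggested in this thread (look for executables in /tmp, mount /tmp noexec) plus a loopback-backed /tmp, as an added example that is not part of any post here and is not the HowTo the last post links to. The function names and the image path in the comments are assumptions made for illustration; `make_loop_tmp` needs root and an otherwise idle /tmp.

```shell
#!/bin/bash
# Added example: helpers for the /tmp hardening discussed in this thread.

# mount_has_opt MOUNTPOINT OPTION [MOUNTS_FILE]
# Succeeds if the last entry for MOUNTPOINT in a /proc/mounts-format file
# carries OPTION. The last entry is the mount that is actually visible.
mount_has_opt() {
    local mp="$1" opt="$2" file="${3:-/proc/mounts}"
    awk -v mp="$mp" -v opt="$opt" '
        $2 == mp {
            found = 1; ok = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) ok = 1
        }
        END { if (found && ok) exit 0; exit 1 }' "$file"
}

# list_executables DIR
# Prints regular files under DIR that have any execute bit set,
# without crossing into other filesystems.
list_executables() {
    find "$1" -xdev -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null | sort
}

# make_loop_tmp IMAGE SIZE_MB   (run as root)
# Creates a file-backed ext2 filesystem and mounts it on /tmp as noexec,nosuid.
make_loop_tmp() {
    local img="$1" size_mb="$2"
    dd if=/dev/zero of="$img" bs=1M count="$size_mb" &&
    mke2fs -q -F "$img" &&       # -F: the target is a regular file
    mount -o loop,noexec,nosuid,rw "$img" /tmp &&
    chmod 1777 /tmp              # sticky and world-writable, as /tmp must be
}

# Typical use (the image path is an assumption):
#   list_executables /tmp                   # review anything this prints
#   make_loop_tmp /var/tmp.img 2000         # 2000 MB, matching the table above
#   mount_has_opt /tmp noexec && echo "/tmp is noexec"
# To keep the mount across reboots, an /etc/fstab line of this shape:
#   /var/tmp.img  /tmp  ext2  loop,noexec,nosuid,rw  0 0
```

noexec only blocks direct execution of files on that filesystem; a script handed to an interpreter still runs, so the executable listing stays worth reviewing after the remount.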
 