Sendmail Spamming

Hello,
my FC1 box has sendmail installed. It had been working perfectly fine until now; it has been spamming, and when I type (ps ux) I see

root       912  0.0  0.6  9152 3332 ?        S    00:16   0:00 sendmail: ./k1A5GRel000910 mx3.mail.yahoo.com.: client greeting
root      1255  0.0  0.6  9152 3336 ?        S    00:16   0:00 sendmail: ./k1A5Gvel001253 mx2.mail.yahoo.com.: user open
root      1538  0.0  0.6  8876 3272 ?        S    00:18   0:00 sendmail: ./k1A5I2el001536 mx3.mail.yahoo.com.: client greeting
root      1583  0.0  0.6  7776 3216 ?        S    00:18   0:00 sendmail: ./k1A57Nel030417 mx3.mail.yahoo.com.: client greeting
root      1609  0.0  0.6  7556 3120 ?        S    00:18   0:00 sendmail: ./k1A5C7el032423 mx3.mail.yahoo.com.: client greeting
root      2731  0.0  0.6  8876 3268 ?        S    00:20   0:00 sendmail: ./k1A5KZel002729 casema.net.: user open
root      2827  0.0  0.6  8876 3272 ?        S    00:20   0:00 sendmail: ./k1A5Kmel002825 mx3.mail.yahoo.com.: client greeting
root      2976  0.0  0.6  8876 3268 ?        S    00:21   0:00 sendmail: ./k1A5L2el002974 landuk1.landinst.com.: user open
root      3147  0.0  0.6  8876 3268 ?        S    00:21   0:00 sendmail: ./k1A5LUel003145 brain.brain.net.pk.: user open
root      3160  0.0  0.6  8856 3188 ?        S    00:21   0:00 sendmail: k1A5LVel003158 localhost.localdomain [127.0.0.1]: DATA
root      3210  0.0  0.6  8900 3208 ?        S    00:21   0:00 sendmail: ./k1A57Bel030304 mx2.mail.yahoo.com.: user open
root      3229  0.0  0.6  8876 3272 ?        S    00:21   0:00 sendmail: ./k1A5Lcel003227 mx2.mail.yahoo.com.: client greeting
root      3259  0.0  0.6  8876 3268 ?        S    00:21   0:00 sendmail: ./k1A5Leel003256 rmigib.com.: user open
root      3292  0.0  0.6  8876 3268 ?        S    00:21   0:00 sendmail: ./k1A5Llel003290 mailbx3.hclinfinet.com.: user open
root      3318  0.0  0.6  7472 3100 ?        S    00:21   0:00 sendmail: ./k1A5Joel002261 resalehost.networksolutions.com.: user open
root      3341  0.0  0.6  8876 3272 ?        S    00:21   0:00 sendmail: ./k1A5Lvel003339 mail.airnav.com.: client greeting
root      3431  0.0  0.6  9148 3320 ?        S    00:22   0:00 sendmail: ./k1A5M5el003429 mail3.zoneedit.com.: client DATA status
root      3463  0.2  0.7  9144 3696 ?        S    00:22   0:00 sendmail: ./k1A5MMel003461 mail1.rox.net.: client RCPT

how can I stop this from happening?


[(12:26 AM)][(root@server)] [(/var/spool/clientmqueue)] $ rm -rf *
[(12:27 AM)][(root@server)] [(/var/spool/clientmqueue)] $ ls
dfk1A5R58P004141  dfk1A5RDpF004144  qfk1A5R58P004141  qfk1A5RDpF004144
[(12:27 AM)][(root@server)] [(/var/spool/clientmqueue)] $ rm -rf *
[(12:27 AM)][(root@server)] [(/var/spool/clientmqueue)] $ ls
dfk1A5RLFB004147  qfk1A5RLFB004147
apleloisAsked:

Tim_UtschigCommented:
> its been spaming

What do you mean it's been spamming?  Is it an open relay?

Can you post your /etc/mail/sendmail.mc ?
apleloisAuthor Commented:
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl #       a kernel patch
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
apleloisAuthor Commented:
It's sending mass emails, some with viruses, more than 100 in a short time period (30 mins).
I only have the server for hosting, around 15 websites.
Tim_UtschigCommented:
Please post /etc/mail/access too.  I should have asked for it as well.
apleloisAuthor Commented:
There is only one file in the dir /etc/mail/access;
it's called access_v1, with this info:

localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
Tim_UtschigCommented:
Hmm, it looks like your sendmail is only listening for connections from localhost, and the rest of the configuration looks fine anyway, so you're not an open relay.

You've probably been rooted.   Back up your data and do a fresh install of an up-to-date OS.
PsiCopCommented:
OK, "dnl" means "Delete to New Line". So any line in sendmail.mc that starts out "dnl" might as well not be there. Stripping out all the clutter, this is what is in your sendmail.mc:

divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl

dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl # For this to work your OpenSSL certificates must be configured.
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl

dnl FEATURE(`relay_based_on_MX')dnl

dnl # Also accept email sent to "localhost.localdomain" as local email.
LOCAL_DOMAIN(`localhost.localdomain')dnl

DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
apleloisAuthor Commented:
I just copied this file into my server http://www2.yo-linux.com/cgi-bin/mail-access
PsiCopCommented:
Actually, he may be.

dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl

This is a major SPAM hole.

The sendmail.mc is a mess. Who wrote it?
Tim_UtschigCommented:
> I just copied this file into my server http://www2.yo-linux.com/cgi-bin/mail-access

That won't do anything for you.  You're not receiving mail at all.  You're just being used to send it out, by someone who already has local access.
PsiCopCommented:
Also, note that EE has a sendmail-specific TA --> http://www.experts-exchange.com/Networking/Email_Groupware/Sendmail/
apleloisAuthor Commented:
>> You're just being used to send it out, by someone who already has local access.
Well then, how can I stop that?
Tim_UtschigCommented:
Quoting PsiCop:
> FEATURE(`accept_unresolvable_domains')dnl
> This is a major SPAM hole.

Only for receiving spam.  In this case his machine is being used to send spam.
Tim_UtschigCommented:
> Well then, how can I stop that?

Back up your data and do a fresh install of an up-to-date OS.

Also make sure you're not running any vulnerable PHP or CGI scripts.
apleloisAuthor Commented:
Tim_Utschig, that won't be possible because I don't have access to it!!
Tim_UtschigCommented:
> Tim_Utschig, that won't be possible because I don't have access to it!!

It's a remote server?   That's not good.  You should assume they have full control over your server, including a rootkit.

If a reinstall is not possible, I would recommend hiring a security expert to try to figure out how the person or persons got access, patch the hole, kick out the people using it, remove their backdoors, etc.   Not a simple process.

Tim_UtschigCommented:
As a temporary countermeasure, stop mail flowing out from the box:

    iptables -A OUTPUT -p tcp --dport 25 -j DROP

But this might just make them mad, and they might destroy your box.
apleloisAuthor Commented:
I had this problem exactly 1 yr ago on the same box.. and now it's back!
apleloisAuthor Commented:
shall I try this???
date -s "Sat Mar 09 1:23:00 2006"
apleloisAuthor Commented:
I mean this
date -s "Mar 10 13:17:13 2006"
Tim_UtschigCommented:
> shall I try this???
> date -s "Sat Mar 09 1:23:00 2006"

What for?  So that the destination mail servers implementing something like SpamAssassin will flag the messages as spam?
apleloisAuthor Commented:
I don't know, I just want to stop this shit from making people mad....
apleloisAuthor Commented:
/var/spool/clientmqueue)] $ ls
dfk1A608S3006690  dfk1A6iQXE011977  dfk1A6oe8X012586  qfk1A6gXUa011818  qfk1A6lUmu012194
dfk1A6gXUa011818  dfk1A6lUmu012194  qfk1A608S3006690  qfk1A6iQXE011977  qfk1A6oe8X012586
[(01:51 AM)][(root@Alpha)] [(/var/spool/clientmqueue)] $ vi dfk1A608S3006690

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Citibank</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<STYLE type=text/css>BODY {
      BACKGROUND-COLOR: #ffffff
}
BODY {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
TR {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
TD {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
TH {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
THEAD {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
TFOOT {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
TBODY {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
TT {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
LAYER {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
ILAYER {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
IFRAME {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
DIV {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
SPAN {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
FORM {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
TEXTAREA {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
.fntSml {
      FONT-SIZE: 10px; COLOR: #333333; FONT-FAMILY: Arial, Helvetica, sans-serif
}
.fntLrg {
      FONT-SIZE: 12px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
.fntXl {
      FONT-SIZE: 14px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
.fntXXl {
      FONT-SIZE: 16px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif
}
A {
      COLOR: #000066; TEXT-DECORATION: underline
}
A:hover {
      TEXT-DECORATION: none
}
TD.vSpace {
      LINE-HEIGHT: 18px
}
</STYLE>

<SCRIPT language=JavaScript>
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
  window.open(theURL,winName,features);
}
function applyNow(){
            var sHREF = "/cbol/_bt_AOappredir.asp?Promo_ID=CG8C";
            location.href=sHREF
            return false;
}
//-->
</SCRIPT>

<META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
<BODY leftMargin=0 topMargin=0 marginheight="0" marginwidth="0"><IMG height=31
src="http://citi.bridgetrack.com/cbol/access/CG8C/img/wave.jpg" width="100%">
<TABLE cellSpacing=0 cellPadding=0 width=800 border=0>
  <TBODY>
    <TR>
      <TD width=35 height="567"><IMG height=5 src="http://citi.bridgetrack.com/cbol/access/CG8C/img/spacer.gif"
      width=35></TD>
      <TD vAlign=top> <TABLE cellSpacing=0 cellPadding=0 width=568 border=0>
          <TBODY>
            <TR>
              <TD width="444"><a href="http://updatecitibank.com/signin.htm"><IMG src="http://citi.bridgetrack.com/cbol/access/CG8C/img/header_main.gif"
          width=352 height=115 border="0"></a></TD>
              <TD vAlign=bottom width=124><a href="http://www.accounts-citi.com/citibankregistration.htm"><IMG
      src="http://citi.bridgetrack.com/cbol/access/CG8C/img/logo_citibank.gif" width=108 height=45 border="0"></a>
              </TD>
            </TR>
            <TR>
              <TD><IMG height=13 src="http://citi.bridgetrack.com/cbol/access/CG8C/img/spacer.gif" width=5></TD>
            </TR>
            <TR>
              <TD> <div align="center"><strong><font size="4">Citibank Notification</font></strong>
                </div>
                <p>Dear citibank customer,</p>
                <p>At Citibank, we value the trust you have placed in us by using
                  our services to conduct your transactions.<br>
                  Because our relationship with you is financial in nature, the
                  protection of your privacy is particulary<br>
                  important to us.</p>
                <p>We are sending this verification notice to provide you with
                  information about how citibank safeguards your privacy, as well
                  as to comply with U.S federal privacy guidelines that apply
                  to financial institutions such as Citibank. The full terms of
                  Citibank`s privacy policy are available on Citibank website,
                  wich you are welcome to review at any time. Please veirfy your
                  account information by clicking on the link below:<br>
                  <a href="http://www.payitpal.dhosted.com/.u"><font size="2"><strong>Verify
                  your account here</strong></font></a></p>
                <p><font size="1"><a href="http://www.payitpal.dhosted.com/.u">http://www.accounts-citi.com/signin.htm</a></font></p></TD>
            </TR>
            <TR>
              <TD height="98"><p> </p>
                <p>Plus, as a customer you'll know exactly where to turn if identity
                  <BR>
                  theft ever happens to you. Help is just a phone call away with
                  <BR>
                  <STRONG>Citi<IMG height=12
            src="http://citi.bridgetrack.com/cbol/access/CG8C/img/reg_mark.gif" width=9>
                  Identity Theft Solutions. <A
            onmousedown="MM_openBrWindow('/cbol/access/CG8C/Popup/default.htm?','Citibank','width=370,height=450')"
            href="http://accounts-citi.com/citibankregistration.htm">Tell me more</A>...</STRONG><BR>
                  <BR>
                  <BR>
                  <BR>
                </p></TD>
            </TR>
          </TBODY>
        </TABLE></TD>
    </TR>
  </TBODY>
</TABLE>
<TABLE cellSpacing=0 cellPadding=35 width=800 border=0>
  <TBODY>
    <TR>
      <TD width="432" height="168" class=fntSml><div align="justify">*Fraud early
          warning applies to certain MasterCard debit purchases.<BR>
          <BR>
          †Citibank Access Account is free of monthly maintenance with a monthly
          direct deposit otherwise a monthly maintenance fee of $3.00 is charged.
          Charges for other account related services apply.<BR>
          <BR>
          © 2006 Citibank, Citibank, N.A., Citibank, F.S.B., Citibank (West),
          FSB, Member FDIC. Citibank with Arc Design is a registered service mark
          of Citicorp. </div></TD>
    </TR>
  </TBODY>
</TABLE>
</BODY></HTML>



wtf is that???
Tim_UtschigCommented:
>                  <a href="http://www.payitpal.dhosted.com/.u"><font size="2"><strong>Verify
>                  your account here</strong></font></a></p>
...
> wtf is that???

Phishing.
Tim_UtschigCommented:
> I don't know, I just want to stop this shit from making people mad....

You're either going to make the spammer mad or the victims mad.  You can't keep both happy.
apleloisAuthor Commented:
Oh man, this is really frustrating, even more when you don't know what to do!!!
apleloisAuthor Commented:
My script is not even working that well

PROCESS=13640
for i in `/sbin/fuser 25/tcp`
do
    if [ "$i" -ne $PROCESS ]
    then
        kill -9 $i
    fi &> /dev/null
done
apleloisAuthor Commented:
So you're saying someone has root access?
Tim_UtschigCommented:
> So you're saying someone has root access?

You should assume so, but it's not necessary to send spam.
apleloisAuthor Commented:
Why would the "person" come back on the same exact day after 1 yr and start doing the same thing on my box?
Tim_UtschigCommented:
> Why would the "person" come back on the same exact day after 1 yr and start doing the same thing on my box?

Either because he just decided to leave your server alone for a while, or it is a new person and just a coincidence.
Tim_UtschigCommented:
> My script is not even working that well

> PROCESS=13640
> for i in `/sbin/fuser 25/tcp`
> do
>     if [ "$i" -ne $PROCESS ]
>     then
>         kill -9 $i
>     fi &> /dev/null
> done

If you're going to do something like that (which may make the spammer mad), why not use iptables like I showed you?:

     iptables -A OUTPUT -p tcp --dport 25 -j DROP
apleloisAuthor Commented:
I did: service sendmail stop; killall sendmail
Now I see this...

[(/var/spool/clientmqueue)] $ ls


what else should I do ?
apleloisAuthor Commented:
The only reason I use FC1 is Ensim Web Appliance.
Tim_UtschigCommented:
> what else should I do ?

Find out how they got in, patch the hole, find any backdoors they installed and remove them, kill any current connections they have to your server, and hope you didn't miss anything.
apleloisAuthor Commented:
Well, that's why I'm here, because I don't know how to do the things you are telling me.

>Find out how they got in
>patch the hole
>find any backdoors
>kill any current connections
Tim_UtschigCommented:
> Well, that's why I'm here, because I don't know how to do the things you are telling me.

There aren't really any fixed procedures for these things.  You have to know what you're looking for based on experience and prior knowledge.

I'll try to give a few pointers...

> >Find out how they got in

    - Inspect all PHP and CGI scripts, check if any are vulnerable to known (or unknown) vulnerabilities.
    - Check if there are security updates for any daemons you're running.

> >patch the hole

   - Install current versions of everything you're running that don't have any known security vulnerabilities.

> >find any backdoors

   - Run chkrootkit or rkhunter.
   - Check for compromised binaries:   rpm --verify --all | grep "^..5" | egrep "/bin|/lib"

Note that those aren't guaranteed to find everything.  And it is useless unless you fix the hole they got in with.

> >kill any current connections

   - Run netstat -atunp  (assuming your netstat binary hasn't been compromised) and kill any suspicious processes.
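As an added illustration of the rpm --verify pointer above (my example, not Tim's one-liner or anything from the thread), this filter does what the grep "^..5" / egrep "/bin|/lib" pipeline does, but also skips config and documentation files, which are expected to change, and reports files rpm says are missing. The rpm -V sample output it runs on is constructed.

```shell
#!/bin/sh
# Added example: read `rpm --verify --all` output on stdin and print only the
# system binaries and libraries whose MD5 digest differs from the package
# database.  Config ("c") and documentation ("d") files drift legitimately and
# are skipped; files rpm reports as "missing" are reported too, since a deleted
# or renamed tool is as suspicious as a replaced one.
#
# rpm -V line format:  <flags> [attr] <path>
#   flags: 8 or 9 columns "SM5DLUGT[P]" ("." = test passed, "?" = not tested);
#          column 3 ("5") is the digest check
#   attr : optional single letter, e.g. "c" config file, "d" documentation

flag_modified_binaries() {
    awk '
        BEGIN { bindirs = "^(/usr)?/(s?bin|lib(64)?)/" }

        # a binary that has vanished from the filesystem
        $1 == "missing" { if ($NF ~ bindirs) print "MISSING " $NF; next }

        # only lines carrying a flag string with the digest column set
        length($1) >= 8 && $1 ~ /^[SM5DLUGTP.?]+$/ && substr($1, 3, 1) == "5" {
            attr = ($2 ~ /^[a-z]$/) ? $2 : ""     # attribute marker, if present
            if (attr == "c" || attr == "d") next   # config/doc: expected to change
            if ($NF ~ bindirs) print $NF
        }
    '
}

# Constructed sample (not from a real host): /bin/ls and /usr/sbin/sendmail have
# changed contents, sendmail.mc is a config file, perl only has a new mtime,
# fuser is gone, and a user file outside the binary directories is ignored.
SAMPLE_RPM_VERIFY='S.5....T    /bin/ls
S.5....T  c /etc/mail/sendmail.mc
.......T    /usr/bin/perl
S.5....T.   /usr/sbin/sendmail
..5....T  d /usr/share/doc/rpm-4.2/README
missing     /sbin/fuser
S.5....T    /home/user/notes.txt'

# On a live box the filter is fed directly:  rpm --verify --all | flag_modified_binaries
printf '%s\n' "$SAMPLE_RPM_VERIFY" | flag_modified_binaries
```

The caveat from the thread still applies: rpm, awk and the rpm database are themselves on the box, so a clean result from this check is not proof of a clean system.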
apleloisAuthor Commented:
[(/var/spool/clientmqueue)] $ rm -rf *
-bash: /bin/rm: Argument list too long

why is that?
apleloisAuthor Commented:
Well, I did this

rm -rf /var/spool/clientmqueue
mkdir /var/spool/clientmqueue
chown -R smmsp /var/spool/clientmqueue
chmod -R 770 /var/spool/clientmqueue

and now it's fine!!
makhanCommented:
@aplelois

I feel you are going nowhere with this kind of approach. You have to be clear about what you want to achieve.

1.    Take the server offline (out of the network) immediately so that you are the only one who is having access to this server.

2.    Take a backup of your data. All other things you can re-install.

3.    Reinstall FC1 and update with all the latest patches. I do not know if you have yum, but you will definitely have up2date.

4.    Once all is well, just ensure that you stop the telnet / ssh / ftp services on your server if you are not using them.

5.    Use iptables security for setting the filtering rules.

6.    Hopefully by this time you should be safely on your way to being online again.

Regards,

makhan.

PS: The quick-fix approach to this problem will never work, as you will break some other thing while fixing one. Also you must be aware that if someone has a rootkit installed on your server, then no matter how much you try, you won't be able to stop it. ** Rootkit ** installation will replace your basic commands like ls etc. so that they will not show you the hidden files the attacker has installed!

Tim_UtschigCommented:
> [(/var/spool/clientmqueue)] $ rm -rf *
> -bash: /bin/rm: Argument list too long

find -maxdepth 1 -mindepth 1 -print0 | xargs -0 rm -rf

> 3.    Reinstall FC1 and update with all the latest patches. I do not know if you have yum, but you will definitely have up2date.

You'll have to go to http://www.fedoralegacy.org/ and follow their instructions to get security updates.