Worm/hack like activity
TheRealWaldo « on: October 12, 2002, 05:10:16 AM »
Got an interesting process constantly appearing, and the system appears to be under abnormal load, slowing down to a crawl, almost to the point of DoS.
qmailr 29880 0.0 0.2 1488 512 ? R 18:01 0:00 qmail-remote zactheman.no-ip.org mary@zactheman.no-ip.org
Running SME 5.1.2 with all the latest updates, 1GHz, 256MB, 2x 40GB using software raid... Any ideas as to where I should look, or what I should look for?
W.
chris « Reply #1 on: October 14, 2002, 06:35:26 AM »
It's actually a mail overload or sort of... you have low memory... actually, if you set up a production server you have to allocate at least 1GB of RAM to allocate on all services.
TheRealWaldo « Reply #2 on: October 14, 2002, 06:42:20 AM »
Low memory? All memory reports come out at less than 20% used memory.
That exact same process was stopping and starting constantly on the server for weeks, with the exact same mail address, etc.
W.
Rich Lafferty « Reply #3 on: October 14, 2002, 09:38:38 PM »
Nothing to do with memory at all.
This problem (with that same email address!) has hit a few people. The problem is that zactheman.no-ip.org resolves to 0.0.0.0, which is localhost, and you end up with a mail loop. (If you hadn't guessed, 'mary@zactheman.no-ip.org' was used by a spammer.)
Two steps to fix:
1) Set up a bitbucket.
echo "#" > ~alias/.qmail-devnull
(Now "devnull@your.server" will just delete the mail.)
2) Redirect all mail to zactheman.no-ip.net to the bitbucket. This bit's off the top of my head.
mkdir -p /etc/e-smith/templates-custom/var/qmail/control/virtualdomains
cd /etc/e-smith/templates-custom/var/qmail/control/virtualdomains
echo 'zactheman.no-ip.org:alias-devnull' > 999zactheman
/sbin/e-smith/expand-template /var/qmail/control/virtualdomains
Now watch /var/log/qmail/current to make sure mail's being bitbucketed.
tail -f /var/log/qmail/current
Look for something like:
(timestamp) delivery 317814: success: forward:_qp_15406/did_0+0+0/
The "0+0+0" indicates that the mail was discarded.
Hope this helps,
--Rich
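A way to spot this kind of loop from the log, as an added example that is not part of the original posts: it counts qmail-send's `starting delivery ... to remote` lines per recipient domain and checks whether an address you resolved by hand for a suspect domain points back at the local host. The function names, the threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): spot a qmail remote-delivery loop.

# Constructed sample of qmail-send log lines (timestamps shortened); real
# ones live in /var/log/qmail/current, the file the post tails.
sample_log() {
cat <<'EOF'
@400000003da7a001 starting delivery 101: msg 5501 to remote mary@zactheman.no-ip.org
@400000003da7a002 starting delivery 102: msg 5502 to remote mary@ZACTHEMAN.no-ip.org
@400000003da7a003 starting delivery 103: msg 5503 to local admin@your.server
@400000003da7a004 starting delivery 104: msg 5504 to remote mary@zactheman.no-ip.org
@400000003da7a005 starting delivery 105: msg 5505 to remote bob@example.com
@400000003da7a006 starting delivery 106: msg 5506 to remote mary@zactheman.no-ip.org
EOF
}

# loop_suspects MIN: read a qmail-send log on stdin and print "count domain"
# for every remote recipient domain with at least MIN delivery attempts.
loop_suspects() {
    awk -v min="${1:-3}" '
        / starting delivery [0-9]+: msg [0-9]+ to remote / {
            n = split($NF, parts, "@")      # recipient address is the last field
            if (n < 2) next
            count[tolower(parts[n])]++      # domains are case-insensitive
        }
        END { for (d in count) if (count[d] >= min) print count[d], d }
    ' | sort -rn
}

# is_self_address IP: succeed if IP (looked up by hand for a suspect domain)
# would make this host deliver to itself. 0.0.0.0 is the case in the thread;
# the loopback ranges are included on the same reasoning.
is_self_address() {
    case "$1" in
        0.0.0.0|127.*|::|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed sample; prints: 4 zactheman.no-ip.org
sample_log | loop_suspects 3
```

On a live server, feed it the real log with `loop_suspects 20 < /var/log/qmail/current` and resolve each reported domain before deciding to bitbucket it.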