Am I being Hacked ?

rizhun · 08-27-2005, 09:50 AM

Hello,

I'm having problems with sendmail... Here is an extract from 'logwatch':

Quote:

--------------------- sendmail Begin ------------------------

Bytes Transferred: 12050
Messages Sent: 2
Total recipients: 2

Warning!!!:
Connections Rejected due to high load average 106 Time(s)
Max. Load Avg reached: 24

**Unmatched Entries**
have been rejecting connections on daemon MTA for 25+03:38:26: 1 Time(s)
have been rejecting connections on daemon MTA for 25+18:39:41: 1 Time(s)
have been rejecting connections on daemon MTA for 25+06:38:41: 1 Time(s)
have been rejecting connections on daemon MTA for 25+09:38:56: 1 Time(s)
have been rejecting connections on daemon MTA for 25+15:39:26: 1 Time(s)
have been rejecting connections on daemon MTA for 25+00:38:22: 1 Time(s)
have been rejecting connections on daemon MTA for 25+21:39:56: 1 Time(s)
have been rejecting connections on daemon MTA for 25+12:39:11: 1 Time(s)

---------------------- sendmail End -------------------------

Quote:

[rizhun][/home/rizhun]$ps -ef | grep -i sendmail
root 27397 1 0 15:52 ? 00:00:00 sendmail: rejecting connections on daemon MTA: load average: 23
smmsp 27405 1 0 15:52 ? 00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
rizhun 27848 27821 0 16:07 pts/5 00:00:00 grep -i sendmail

The only email my server should be sending is a few script out-puts.

Im nervous that I'm being hacked, but I need my email back.
Can anybody help me out with this problem?

Thanks in advance.

trickykid · 08-27-2005, 10:32 AM

Not hacked but perhaps a spammer is trying to use your sendmail server as a means to send out spam.. make sure you don't have an open relay and find the IP or source of what is making so many connections by blocking them. And if you only use this to send out email, block port 25 from outside connections.

rizhun · 08-27-2005, 10:53 AM

An open relay?
Is that a setting in sendmail.cf or a network-related setting?

trickykid · 08-28-2005, 12:54 PM

Quote:

Originally posted by rizhun
An open relay?
Is that a setting in sendmail.cf or a network-related setting?

It's a configuration file with sendmail to only allow the hosts you want permission to send email using your email server.

antus · 09-07-2005, 08:08 AM

It sounds like your box is over loaded.

"Warning!!!:
Connections Rejected due to high load average 106 Time(s)"

Run top and take a look at your load average. 1 is 100%. It should be probably less than 0.1. If its over 1 then you need to see why. Perhaps your box is not up to the task, or perhaps something in partucular is sucking all the power. Either way running top should shed some light. Its unlikely that you are an open relay unless you have done something stupid to your mail configuration. By default you wont be.