10-14-2004, 01:29 PM
|
#1
|
LQ Newbie
Registered: Oct 2004
Location: Devon, England
Distribution: Debian Stable
Posts: 26
Rep:
|
Worrying email message from cron
I have been receiving emails similar to below from my cron daemon on my RH9 web-server (1and1 root server running ensim):
Quote:
--header--
Return-Path: <root@myserverdomain>
Received: from myserverdomain (root@localhost)
by moretonhampstead.net (8.11.6/8.11.6) with ESMTP id i9EHb3917022
for <root@moretonhampstead.net>; Thu, 14 Oct 2004 18:37:03 +0100
Received: (from root@localhost)
by myserverdomain (8.11.6/8.11.6) id i9EHb1t17009
for root; Thu, 14 Oct 2004 18:37:01 +0100
Date: Thu, 14 Oct 2004 18:37:01 +0100
Message-Id: <200410141737.i9EHb1t17009@myserverdomain>
From: root@myserverdomain (Cron Daemon)
To: root@myserverdomain
Subject: Cron <root@myserverdomain> /usr/lib/opcenter/virtualhosting/MailQueueCleaner
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
--/header--
--body--
affinity... Can't create output
<freiejgxozyhji@cheatcity.com>... User unknown
affinity... Can't create output
savemail: cannot save rejected email anywhere
|
--/body--
So I did a: grep cheatcity /var/log/maillog
and got
Quote:
Oct 14 12:46:03 p15144987 sendmail[14325]: i9EBk2O14325: from=<freiejgxozyhji@cheatcity.com>, size=3845, class=0, nrcpts=1, msgid=<3niu952irt07$wg43ehe93oad61$319tei9hq0@S9863773>, proto=ESMTP, daemon=MTA, relay=mq-1.v3.com [66.179.230.120]
Oct 14 12:46:03 p15144987 sendmail[14330]: i9EBk3L14330: from=<freiejgxozyhji@cheatcity.com>, size=4067, class=0, nrcpts=1, msgid=<3niu952irt07$wg43ehe93oad61$319tei9hq0@S9863773>, proto=ESMTP, relay=root@localhost
Oct 14 12:46:05 p15144987 sendmail[14331]: i9EBk3L14331: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 13:37:03 p15144987 sendmail[14700]: i9ECb1014700: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 14:38:08 p15144987 sendmail[15218]: i9EDb5I15218: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 15:38:05 p15144987 sendmail[15744]: i9EEb1c15744: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 16:38:05 p15144987 sendmail[16254]: i9EFb1O16254: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 17:37:04 p15144987 sendmail[16652]: i9EGb2f16652: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 18:37:03 p15144987 sendmail[17006]: i9EHb1Y17006: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
|
I don't know much about the mail system!!
Is this someone using my server to send spam?? Where are they coming from?
The worrying thing is that no-one uses my server for smtp!!
|
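As an added example (not part of the original posts): a Python sketch that reads sendmail log lines like those quoted above and, for one address, splits the `from=` entries by whether `relay=` names a remote host with an IP or a local `user@localhost` submission, then lists the delivery attempts with their `dsn=` and `stat=` values. The function names are made up for this example; the sample lines are copied from the excerpt in the post.

```python
import re

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ sendmail\[\d+\]: (\w+): (.*)$")
FIELD = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
REMOTE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Four lines copied from the maillog excerpt quoted in the post above.
SAMPLE = """
Oct 14 12:46:03 p15144987 sendmail[14325]: i9EBk2O14325: from=<freiejgxozyhji@cheatcity.com>, size=3845, class=0, nrcpts=1, msgid=<3niu952irt07$wg43ehe93oad61$319tei9hq0@S9863773>, proto=ESMTP, daemon=MTA, relay=mq-1.v3.com [66.179.230.120]
Oct 14 12:46:03 p15144987 sendmail[14330]: i9EBk3L14330: from=<freiejgxozyhji@cheatcity.com>, size=4067, class=0, nrcpts=1, msgid=<3niu952irt07$wg43ehe93oad61$319tei9hq0@S9863773>, proto=ESMTP, relay=root@localhost
Oct 14 12:46:05 p15144987 sendmail[14331]: i9EBk3L14331: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
Oct 14 13:37:03 p15144987 sendmail[14700]: i9ECb1014700: to=<freiejgxozyhji@cheatcity.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=32538, relay=mail.cheatcity.com. [207.44.236.22], dsn=5.7.1, stat=User unknown
"""

def parse(line):
    """Split one sendmail log line into (timestamp, queue id, field dict)."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), dict(FIELD.findall(m.group(3)))

def origin(relay):
    """Classify the relay= value of a from= entry."""
    ip = REMOTE.search(relay)
    if ip and not ip.group(1).startswith("127."):
        return "remote-smtp", ip.group(1)      # accepted over SMTP from another host
    if ip or "@" in relay:
        return "local-submission", relay       # e.g. root@localhost: handed over on this box
    return "unknown", relay

def trace(log_text, address):
    """Return (arrivals, attempts) for mail whose sender or recipient is `address`."""
    arrivals, attempts = [], []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        when, qid, f = rec
        if f.get("from") == f"<{address}>":
            arrivals.append((qid,) + origin(f.get("relay", "")))
        elif f.get("to") == f"<{address}>":
            attempts.append((when, f.get("dsn"), f.get("stat")))
    return arrivals, attempts

if __name__ == "__main__":
    arrivals, attempts = trace(SAMPLE, "freiejgxozyhji@cheatcity.com")
    for qid, kind, who in arrivals:
        print(f"{qid}: entered via {kind} ({who})")
    for when, dsn, stat in attempts:
        print(f"{when}: delivery attempt, dsn={dsn} stat={stat}")
```

On the sample, the first `from=` entry is classified as arriving over SMTP from 66.179.230.120 and the second as a local resubmission by root; both `to=` entries are outbound attempts rejected with `dsn=5.7.1`.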
|
|
10-15-2004, 12:17 AM
|
#2
|
Member
Registered: Oct 2004
Location: Queen Charlotte B. C. Canada
Distribution: openSUSE 11.1
Posts: 42
Rep:
|
If you have PHP running, someone may be trying to use the mail(); function in a PHP script.
|
|
|
10-17-2004, 08:50 AM
|
#3
|
LQ Newbie
Registered: Oct 2004
Location: Devon, England
Distribution: Debian Stable
Posts: 26
Original Poster
Rep:
|
Good point. I hadn't thought of that. I guess it could be any CGI script (i.e. Perl). Does anyone know how I can find out who and what is trying to send these emails?
|
|
|
10-17-2004, 02:38 PM
|
#4
|
Member
Registered: Oct 2004
Location: Queen Charlotte B. C. Canada
Distribution: openSUSE 11.1
Posts: 42
Rep:
|
Quote:
Originally posted by merlininthewood
Good point. I hadn't thought of that. I guess it could be any CGI script (i.e. Perl). Does anyone know how I can find out who and what is trying to send these emails?
|
Try searching your htdocs folder for the string in the to: e-mail address, i.e. "freiejgxozyhji",
or try searching your htdocs folder for the string "mail(".
Last edited by m_shroom; 10-17-2004 at 02:40 PM.
|
|
|
11-07-2004, 01:47 PM
|
#5
|
LQ Newbie
Registered: Nov 2004
Posts: 1
Rep:
|
Fixing the MailQueueCleaner
Did you find a way to solve whatever problem the MailQueueCleaner was coming up with and stop the emails?
I've just started getting the same problem from my server.
David
PS - have you found a 1&1 root server peer support group anywhere - they don't provide anything to help us help ourselves - scum
Cheers
|
|
|
11-08-2004, 05:48 AM
|
#6
|
LQ Newbie
Registered: Oct 2004
Location: Devon, England
Distribution: Debian Stable
Posts: 26
Original Poster
Rep:
|
I haven't got any closer to solving this problem (not enough time).
I haven't heard of a support group. Maybe we should start an independent one and see if we can get 1and1 to link to it!!
I wonder if LinuxQuestions would be up for hosting a forum??
|
|
|
All times are GMT -5. The time now is 10:16 AM.