Spam on my server

Hello folks,

For the last few days we have noticed a large amount of spam being sent out from our server. I have tried a few things to stop it from happening, but it seems every night at around midnight a mass flood of spam is sent out, reaching numbers as high as 25000 emails a night! For now I have been deleting the emails in the queue until I can figure out the source of the problem. Here is what I have tried up until now:

- relay is turned OFF
- disabled "nobody" in WHM
- inspecting the email headers, I am unable to find the source. Here is an example (my server is dhwebhost.com):

1CFO6F-0002b6-Gv-H
mailnull 47 12
<>
1097116427 0
-ident mailnull
-received_protocol local
-body_linecount 17
-frozen 1097116427
-localerror
XX
1
1800SunTrust@suntrust-email.com

160P Received: from mailnull by host.dhwebhost.com with local (Exim 4.34)
id 1CFO6F-0002b6-Gv
for 1800SunTrust@suntrust-email.com; Wed, 06 Oct 2004 22:33:47 -0400
031 Auto-Submitted: auto-generated
062F From: Mail Delivery System <Mailer-Daemon@host.dhwebhost.com>
036T To: 1800SunTrust@suntrust-email.com
060 Subject: Warning: message 1CF1bv-00084e-Gv delayed 24 hours
051I Message-Id: <E1CFO6F-0002b6-Gv@host.dhwebhost.com>
038 Date: Wed, 06 Oct 2004 22:33:47 -0400


1CFO6F-0002b6-Gv-D
This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 24 hours on the queue on host.dhwebhost.com.

The message identifier is: 1CF1bv-00084e-Gv
The subject of the message is: SunTrust Banking
The date of the message is: Tue, 05 Oct 2004 22:32:59 -0400

The address to which the message has not yet been delivered is:

dgoodling@nc.edgemark.com
Delay reason: Connection timed out

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.

How can I track whether or not this is coming from one of my customers? Running chkrootkit I find a possibility of an LKM trojan virus and an infected port:

Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 15 process hidden for ps command
Warning: Possible LKM Trojan installed

Could this trojan be responsible for my spam problem of sending mass emails out to random email addresses?

Can anyone kindly offer any ideas on what else I can do/check?
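Added example, not code from the original poster: the record quoted in the post is an Exim 4 spool header (-H) file for a delay warning that Exim generated itself (envelope sender <>, ident mailnull, protocol local), not the spam message, which is named in its Subject line. This parser reads that format and, run over the -H files in the spool input directory (typically /var/spool/exim/input on a cPanel box), tallies the real, non-bounce messages by the user, protocol and ident or authenticated login they entered with. The second sample record (a message submitted locally by the web server user) is constructed for illustration.

```python
import re
from collections import Counter

# Constructed samples: the Exim 4 spool header (-H) file quoted in the post, trimmed,
# plus a constructed record for a message handed to Exim locally by the web server user.
BOUNCE_H = """1CFO6F-0002b6-Gv-H
mailnull 47 12
<>
1097116427 0
-ident mailnull
-received_protocol local
-frozen 1097116427
XX
1
1800SunTrust@suntrust-email.com

060 Subject: Warning: message 1CF1bv-00084e-Gv delayed 24 hours
"""
WEB_H = """1CFXyz-0001aa-Ab-H
nobody 99 99
<1800SunTrust@suntrust-email.com>
1097030000 0
-ident nobody
-received_protocol local

052 Subject: SunTrust Banking
"""

def parse_spool_header(text):
    """Parse the envelope section of an Exim 4 -H spool file."""
    lines = text.splitlines()
    opts = {}
    for line in lines[4:]:                    # "-name value" option lines
        if not line.startswith("-"):
            break
        key, _, val = line[1:].partition(" ")
        opts[key] = val
    m = re.search(r"^\d+[ A-Z*] ?Subject: (.*)$", text, re.M)
    subject = m.group(1) if m else ""
    # Empty sender (<>) = bounce/warning from the MTA itself; Subject names the original id.
    d = re.search(r"message (\S+) delayed", subject)
    return {"id": lines[0][:-2], "user": lines[1].split()[0],
            "is_bounce": lines[2] == "<>", "frozen": "frozen" in opts,
            "protocol": opts.get("received_protocol"),
            "origin": opts.get("auth_id") or opts.get("ident"),
            "subject": subject, "orig_id": d.group(1) if d else None}

def originators(records):
    """Count non-bounce messages by entry path; protocol, uid and ident/auth login point at the source."""
    return Counter((r["protocol"], r["user"], r["origin"])
                   for r in records if not r["is_bounce"])
```

Feed every -H file in the spool directory to parse_spool_header and print originators(); a single (protocol, uid, login) tuple with thousands of messages is the account or script behind the nightly flood, and orig_id tells you which spool file holds the original spam.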
