Tek-Tips is the largest IT community on the Internet today!


Our server/sendmail is being hacked

Status
Not open for further replies.

MatthewP

Programmer
Jan 16, 2001
176
GB
Someone seems to have got into our server and is putting thousands of spam emails through sendmail. I'm renting the server from a company who don't seem too bothered about it, but I've not got a clue how to stop this. I've been through all the email scripts on our site and made sure that they're secure, changed every password we've got, rebooted the server, stopped and restarted sendmail, but nothing has happened.

How can I trace where this is coming from?

Thanks,
Matt.
 
Hi,

Check the log files /var/log/messages and /var/log/maillog. Check if you have any outstanding lines. Usually all connections will be logged in /var/log/maillog.

regards,
feroz
 

What version of Sendmail are you running?

Cheers

Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
 
Sendmail version is:

sendmail-install-8.11.1-12
sendmail-8.11.1-ensim4
sendmail-cf-8.11.1-ensim4
sendmail-doc-8.11.1-ensim4
sendmail-manage-8.11.1-12

Maillog contains 368934 lines; I'm not sure what I'm looking for in this!

Thanks,
Matt.
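The question above (what to look for in a maillog of several hundred thousand lines) comes down to aggregation: every message sendmail 8.x accepts produces one `from=` line whose `relay=` field names the client that handed it over, and the `nrcpts=` field says how many recipients it carried. Summing recipients per relay shows at a glance whether the volume is coming from a remote SMTP client (an open-relay problem) or from a local account such as `apache@localhost` (a web script on the box being abused). The script below is an added example written for this thread, not something any of the posters supplied; the log lines in it are constructed in the 8.x format using documentation addresses, and the field names it parses are the standard ones.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample maillog in sendmail 8.x format (not from the thread).
SAMPLE_MAILLOG = """\
Jan 16 10:00:01 srv sendmail[1201]: f0GA01a01201: from=<bob@example.net>, size=812, class=0, nrcpts=1, msgid=<a@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [198.51.100.7]
Jan 16 10:00:02 srv sendmail[1202]: f0GA02b01202: from=<promo@spam.example>, size=4410, class=0, nrcpts=45, msgid=<b@spam.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Jan 16 10:00:02 srv sendmail[1202]: f0GA02b01202: to=<u1@example.org>,<u2@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31234, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent
Jan 16 10:00:03 srv sendmail[1203]: f0GA03c01203: from=<promo@spam.example>, size=4410, class=0, nrcpts=50, msgid=<c@spam.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Jan 16 10:00:04 srv sendmail[1204]: f0GA04d01204: from=apache, size=2210, class=0, nrcpts=30, msgid=<d@srv>, relay=apache@localhost
Jan 16 10:00:05 srv sendmail[1205]: f0GA05e01205: from=<>, size=1500, class=0, nrcpts=1, msgid=<e@srv>, relay=localhost
Jan 16 10:00:06 srv sendmail[1206]: f0GA06f01206: ruleset=check_rcpt, arg1=<x@example.com>, relay=[203.0.113.5], reject=550 5.7.1 <x@example.com>... Relaying denied
"""

# One "from=" line per accepted message. Field order in 8.x is
# from, size, class, nrcpts, msgid, proto, daemon, relay (relay is last).
# relay= is either "host [ip]", "[ip]" or "user@localhost" for local injection.
ENVELOPE_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,]*)>?, "
    r".*?nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>[^\s,]+(?: \[[^\]]+\])?)"
)
# Lines where a ruleset refused the client; relay= names who was refused.
REJECT_RE = re.compile(r"relay=(?P<relay>[^\s,]+(?: \[[^\]]+\])?), reject=")


def parse_envelope(line):
    """Return (queue_id, sender, nrcpts, relay) for a from= line, else None."""
    m = ENVELOPE_RE.search(line)
    if not m:
        return None
    return m.group("qid"), m.group("sender"), int(m.group("nrcpts")), m.group("relay")


def classify(relay):
    """Local injection (CGI, cron, shell) versus a remote SMTP client."""
    return "local" if "localhost" in relay or "127.0.0.1" in relay else "remote"


def summarize(log_text):
    """Aggregate accepted messages, recipients, senders and rejects per relay."""
    messages, recipients, rejects = Counter(), Counter(), Counter()
    senders = defaultdict(Counter)
    for line in log_text.splitlines():
        env = parse_envelope(line)
        if env:
            _qid, sender, nrcpts, relay = env
            messages[relay] += 1
            recipients[relay] += nrcpts
            senders[relay][sender or "<>"] += 1
            continue
        rej = REJECT_RE.search(line)
        if rej:
            rejects[rej.group("relay")] += 1
    return {"messages": messages, "recipients": recipients,
            "senders": senders, "rejects": rejects}


def top_sources(log_text, n=5):
    """Relays ranked by total recipients, the number that matters for spam."""
    return summarize(log_text)["recipients"].most_common(n)


def report(log_text, n=5):
    """One line per top relay: where it sits, how much it sent, who it claimed to be."""
    s = summarize(log_text)
    out = []
    for relay, rcpts in s["recipients"].most_common(n):
        top_sender = s["senders"][relay].most_common(1)[0][0]
        out.append(f"{classify(relay):6} {relay:38} msgs={s['messages'][relay]:5} "
                   f"rcpts={rcpts:6} rejected={s['rejects'][relay]:4} sender={top_sender}")
    return out


if __name__ == "__main__":
    # Usage: python3 maillog_top.py /var/log/maillog (falls back to the sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    print("\n".join(report(text)))
```

On the sample the remote client `[203.0.113.5]` accounts for 95 recipients across two messages and was also refused once by `check_rcpt`, while `apache@localhost` injected 30 recipients locally; the first pattern points at relay permissions (the `/etc/mail/access` advice later in the thread), the second at a script on the web server. A relay that shows up with many messages and a `sender=` it has no business using is the one to block or investigate first.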
 
Hi,

Patch your sendmail to the latest version, as this version of sendmail contains a remote exploit which leads to root.

regards,
feroz
 
Hi Matt,

You can try the tool BMS (Bad Mail Stats) from the site. It will send you the detailed statistics and it is a free tool. Try that and you will easily know the domains broadcasting the spam mails to your mail server. You can block them using the /etc/mail/access file.

Hope this can be of help.

Regards
Balaji R
 
Add these lines to your M4 file to enable sending mail with authentication, meaning that they must log in to sendmail:

define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

And only accept mail relays from localhost in /etc/mail/access.
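Both the BMS suggestion and the post above end at the same place: `/etc/mail/access` decides who may relay. The easy mistake there is a `RELAY` entry that is wider than intended (a one- or two-octet prefix covers a /8 or /16 of the public Internet) or keyed on the claimed sender address (`From:` tags), which any client can forge. The script below is an added example, not code from the thread or from sendmail itself; it parses the file in the format `makemap` reads (key, whitespace, action, `#` comment lines), and the two access files in it are constructed: one loose, one tightened to loopback plus an office LAN.

```python
# Constructed example of a too-permissive /etc/mail/access (not from the thread).
# "203 RELAY" lets all of 203.0.0.0/8 relay; "From:spam.example RELAY" relays
# for anyone who merely claims a spam.example envelope sender.
WEAK_ACCESS = """\
# key                 action
localhost             RELAY
127.0.0.1             RELAY
203                   RELAY
From:spam.example     RELAY
"""

# The same file tightened: relay only for loopback and the LAN /24,
# refuse the abusive sender domain and the abusive client address outright.
FIXED_ACCESS = """\
localhost             RELAY
127.0.0.1             RELAY
192.168.1             RELAY
spam.example          REJECT
Connect:203.0.113.5   REJECT
"""

TAGS = ("Connect", "From", "To", "Spam")   # access map tags since sendmail 8.10
LOOPBACK = {"localhost", "localhost.localdomain", "127.0.0.1", "IPv6:::1"}


def parse_access(text):
    """Yield (tag, key, action) triples; tag is None for untagged keys."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # malformed line; makemap would complain
        key, action = parts
        tag = None
        if ":" in key and key.split(":", 1)[0] in TAGS:
            tag, key = key.split(":", 1)
        entries.append((tag, key, action.strip()))
    return entries


def is_ip_prefix(key):
    return all(o.isdigit() for o in key.split("."))


def is_private_prefix(key):
    """RFC 1918 ranges: relaying for these is a LAN policy, not an open relay."""
    o = key.split(".")
    if o[0] == "10":
        return True
    if o[0] == "192" and len(o) > 1 and o[1] == "168":
        return True
    if o[0] == "172" and len(o) > 1 and o[1].isdigit() and 16 <= int(o[1]) <= 31:
        return True
    return False


def audit_access(text):
    """Return (key, problem) pairs for RELAY entries that are too broad or forgeable."""
    findings = []
    for tag, key, action in parse_access(text):
        if action.split()[0].upper() != "RELAY":
            continue                      # REJECT/OK/DISCARD/ERROR never open a relay
        if tag == "From":
            findings.append((key, "RELAY keyed on the sender address (From:) is trivially forged"))
        elif key in LOOPBACK or not is_ip_prefix(key) or is_private_prefix(key):
            continue                      # loopback, hostnames and RFC 1918 LANs are acceptable
        elif len(key.split(".")) < 3:
            findings.append((key, f"RELAY for a public /{8 * len(key.split('.'))} prefix"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_ACCESS), ("fixed", FIXED_ACCESS)):
        for key, problem in audit_access(text) or [("-", "no findings")]:
            print(f"{name}: {key}: {problem}")
```

After editing the text file, the database still has to be rebuilt (`makemap hash /etc/mail/access < /etc/mail/access`) before sendmail sees the change; auditing the text file rather than the `.db` keeps this check independent of the map format in use. Hostname keys are left alone here because whether `example.com RELAY` is safe depends on how the site's DNS is set up, which the script cannot see.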
 