/var/log full, have I been attacked?
Site went down due to a full /var/log directory, have we been attacked?
5:53 am on Dec 29, 2009 (gmt 0)
Our site went down due to a full /var/log directory; the maillog file was particularly large. That file has since been deleted and we're now back up.
How can I tell if we have been attacked? Where can I learn to analyze the maillog file to see if our domain is being used to spam people? Here is an example of a line in our maillog file:
Dec 28 21:26:43 servername postfix/qmgr: 212DFC4323: to=<firstname.lastname@example.org>, relay=none, delay=3969, delays=3939/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mydomain.com[ipaddress]: Connection timed out)
Thanks in advance!
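One way to get a first overview of a postfix maillog like the one quoted above: parse each line into its fields and count delivery statuses, recipient domains and envelope senders. This is an added example, not code from the thread; the sample lines are constructed in the same format as the post's line (the hostnames, queue ids and addresses are made up).

```python
import re
from collections import Counter

# Constructed sample in the same postfix maillog format as the line quoted in
# the post; hostnames, queue ids and addresses are made up for this example.
SAMPLE_LOG = """\
Dec 28 21:20:01 servername postfix/qmgr: 212DFC4323: from=<www-data@mydomain.com>, size=1842, nrcpt=1 (queue active)
Dec 28 21:26:43 servername postfix/qmgr: 212DFC4323: to=<firstname.lastname@example.org>, relay=none, delay=3969, delays=3939/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mydomain.com[ipaddress]: Connection timed out)
Dec 28 21:26:44 servername postfix/qmgr: 33A1FC4390: to=<user2@example.net>, relay=none, delay=3970, delays=3940/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mydomain.com[ipaddress]: Connection timed out)
Dec 28 21:26:45 servername postfix/smtp[2210]: 44B2FC4401: to=<user3@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=2, delays=1/0/1/0, dsn=2.0.0, status=sent (250 Ok)
Dec 28 21:26:46 servername postfix/qmgr: 55C3FC4412: to=<user4@example.org>, relay=none, delay=3972, delays=3942/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mydomain.com[ipaddress]: Connection timed out)
"""

# "Dec 28 21:26:43 host postfix/proc[pid]: QUEUEID: key=value, key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)(?:\[\d+\])?: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
# A value is either <addr> or a run of non-comma, non-space characters; the free
# text in parentheses after "status=deferred" is deliberately not captured.
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")

def parse_line(line):
    """Return a dict of fields for one postfix log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key, val in KV_RE.findall(rec.pop("rest")):
        rec[key] = val.strip("<>")
    return rec

def summarize(text):
    """Count delivery statuses, recipient domains and envelope senders over a log."""
    status, domains, senders, deferred_ids = Counter(), Counter(), Counter(), set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "status" in rec:
            status[rec["status"]] += 1
            domains[rec.get("to", "").rsplit("@", 1)[-1]] += 1
            if rec["status"] == "deferred":
                deferred_ids.add(rec["qid"])
        if "from" in rec:
            senders[rec["from"]] += 1
    return {"status": status, "domains": domains, "senders": senders,
            "deferred_ids": sorted(deferred_ids)}
```

Run `summarize(open("/var/log/maillog").read())` on a saved copy of the log: a large count of deferred messages spread over many unrecognised recipient domains, or an envelope sender that is the web server's own account, is what you would look at more closely.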
9:23 pm on Dec 31, 2009 (gmt 0)
If you have a problem, *save* your log files, don't delete them!
Or at least download and save part of the log files...
Check your FormMail (or similar script) to be sure that it is up-to-date and secure. Make sure that it does not accept newlines or any special characters in any of the 'address' headers such as 'To', 'From', 'CC', 'BCC', 'Reply-to' or 'Subject'. If it does, then it will be quite easy to send spam from your server using simple injection tricks.
If your server is commercially-hosted, ask your host for help. If they can't help, then you need a new host.
12:19 am on Jan 12, 2010 (gmt 0)
Thank you for your response. Yes, I agree, the log file should have been saved! I will have to make sure our form mail is secure. Thank you again.