/var/log full, have I been attacked? Site went down due to full /var/log directory, have we been attacked?

suga

msg:4050659 | 5:53 am on Dec 29, 2009 (gmt 0)

Our site went down due to a full /var/log directory; the maillog file was particularly large. That file has since been deleted and we're now back up. How can I tell if we have been attacked? Where can I learn to analyze the maillog file to see if our domain is being used to spam people? Here is an example of a line in our maillog file:

Dec 28 21:26:43 servername postfix/qmgr[2152]: 212DFC4323: to=<root@mydomain.com>, relay=none, delay=3969, delays=3939/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mydomain.com[ipaddress]: Connection timed out)

Thanks in advance!
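The line quoted above is a Postfix queue-manager record: timestamp, host, process, queue id, then comma-separated key=value fields ending in a status. The script below is an added example (not from the thread or from Postfix) of how to read a maillog for exactly the question asked: who on the server is queuing mail, where it goes, and how much of it is deferred or bounced. It uses constructed sample lines (the first is the one from the question; the others, with fake addresses and documentation IPs, show a web-server user fanning out to several outside domains). The function names and the "three or more recipient domains" threshold are my own choices, not Postfix conventions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Postfix syslog format. The first line is the qmgr line
# quoted in the question; the rest are made up to show the web-server user
# (www-data) sending to several outside domains. Addresses and IPs are fake.
SAMPLE_MAILLOG = """\
Dec 28 21:26:43 servername postfix/qmgr[2152]: 212DFC4323: to=<root@mydomain.com>, relay=none, delay=3969, delays=3939/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mydomain.com[ipaddress]: Connection timed out)
Dec 28 21:26:44 servername postfix/qmgr[2152]: 3A1B2C4D5E: from=<www-data@mydomain.com>, size=812, nrcpt=1 (queue active)
Dec 28 21:26:44 servername postfix/smtp[2201]: 3A1B2C4D5E: to=<a@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 OK)
Dec 28 21:26:45 servername postfix/qmgr[2152]: 4B2C3D5E6F: from=<www-data@mydomain.com>, size=815, nrcpt=1 (queue active)
Dec 28 21:26:46 servername postfix/smtp[2202]: 4B2C3D5E6F: to=<b@example.org>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.20]:25: Connection timed out)
Dec 28 21:26:47 servername postfix/qmgr[2152]: 5C3D4E6F70: from=<www-data@mydomain.com>, size=820, nrcpt=1 (queue active)
Dec 28 21:26:48 servername postfix/smtp[2203]: 5C3D4E6F70: to=<c@example.com>, relay=mx.example.com[192.0.2.30]:25, delay=0.6, delays=0.1/0/0.3/0.2, dsn=5.1.1, status=bounced (host mx.example.com[192.0.2.30] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Dec 28 21:26:50 servername postfix/smtpd[2300]: connect from unknown[198.51.100.7]
"""

# "Mon DD HH:MM:SS host postfix/proc[pid]: QUEUEID: key=value, key=value, ..."
# The queue id is optional because smtpd connection lines have none.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'postfix/(?P<proc>[\w/-]+)\[(?P<pid>\d+)\]: '
    r'(?:(?P<qid>[0-9A-F]{6,}): )?(?P<rest>.*)$'
)


def parse_fields(rest):
    """Split the key=value part of a record into a dict.

    status= runs to the end of the line and its free text may contain commas,
    so it is cut off first; the status word itself is kept under 'status'.
    """
    fields = {}
    head, sep, status = rest.partition(', status=')
    if sep:
        fields['status'] = status.split(' ', 1)[0]
        fields['status_detail'] = status
    for part in head.split(', '):
        key, eq, val = part.partition('=')
        if eq:
            # "<addr>" -> "addr"; "1 (queue active)" -> "1"
            fields[key] = val.split(' ', 1)[0].strip('<>')
    return fields


def summarize(log_text):
    """Aggregate per-message records: delivery status, envelope senders and
    the set of recipient domains each sender reached (joined via queue id)."""
    status_counts = Counter()
    senders = Counter()            # messages queued per envelope sender
    qid_sender = {}                # queue id -> envelope sender
    domains_by_sender = defaultdict(set)
    unknown_sender_qids = []       # delivery seen, but the from= line is not in this slice
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group('qid'):
            continue               # not a per-message record (e.g. smtpd connect)
        qid, f = m.group('qid'), parse_fields(m.group('rest'))
        if 'from' in f:
            sender = f['from'] or '<>'   # empty sender = bounce/notification
            qid_sender[qid] = sender
            senders[sender] += 1
        if 'to' in f and 'status' in f:
            status_counts[f['status']] += 1
            domain = f['to'].rpartition('@')[2].lower()
            if qid in qid_sender:
                domains_by_sender[qid_sender[qid]].add(domain)
            else:
                unknown_sender_qids.append(qid)
    return {
        'status_counts': status_counts,
        'senders': senders,
        'recipient_domains_by_sender': {s: sorted(d) for s, d in domains_by_sender.items()},
        'unknown_sender_queue_ids': unknown_sender_qids,
    }


def suspicious_senders(summary, min_domains=3):
    """Senders fanning out to many distinct outside domains deserve a closer look;
    for a contact form that should only ever mail the site owner, even a handful
    is a red flag. The threshold is an arbitrary choice for this example."""
    return sorted(s for s, d in summary['recipient_domains_by_sender'].items()
                  if len(d) >= min_domains)


if __name__ == '__main__':
    s = summarize(SAMPLE_MAILLOG)
    print('status counts:', dict(s['status_counts']))
    print('senders:', dict(s['senders']))
    print('recipient domains by sender:', s['recipient_domains_by_sender'])
    print('worth a look:', suspicious_senders(s))
```

Run it against a real file with `summarize(open('/var/log/maillog').read())`; the two numbers to look at first are how many messages the web server's own user queued, and how many distinct outside domains those went to. A high deferred and bounced share on top of that fits the pattern of a script being used to send unsolicited mail, which is also why the log grew large enough to fill the partition.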
jdMorgan

msg:4052343 | 9:23 pm on Dec 31, 2009 (gmt 0)

If you have a problem, *save* your log files, don't delete them! Or at least download and save part of the log files...

Check your FormMail (or similar script) to be sure that it is up-to-date and secure. Make sure that it does not accept newlines or any special characters in any of the 'address' headers such as 'To', 'From', 'CC', 'BCC', 'Reply-to' or 'Subject'. If it does, then it will be quite easy to send spam from your server using simple injection tricks.

If your server is commercially-hosted, ask your host for help. If they can't help, then you need a new host.

Jim
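Jim's point is that a mail header is terminated by a line break, so any form field that reaches a header unchecked lets the submitter append headers of their own. The code below is an added example (not from the thread, and not the FormMail script Jim refers to) of the checks he describes, applied in a small form-to-mail handler: every header value is refused if it contains a control character, the submitter's address must be a single plain address, and the recipient is fixed in the server's configuration rather than taken from the form. The two addresses are placeholders, and the `HeaderInjection` exception and function names are my own.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Placeholders: in a real deployment these come from server-side configuration.
# The recipient is never taken from the submitted form.
FORM_RECIPIENT = "webmaster@mydomain.example"
ENVELOPE_FROM = "forms@mydomain.example"

# One plain mailbox@domain; no display names, comments, lists or quoting.
ADDR_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')
# CR, LF, NUL and the other C0 controls plus DEL. CR/LF end a header line,
# which is what makes header injection possible in the first place.
CONTROL_RE = re.compile(r'[\x00-\x1f\x7f]')


class HeaderInjection(ValueError):
    """Raised when a submitted field is not safe to place in a mail header."""


def clean_header_text(value, max_len=200):
    """Return value if it is a single line of printable text, else raise."""
    if not isinstance(value, str) or CONTROL_RE.search(value):
        raise HeaderInjection("control character in header value")
    value = value.strip()
    if len(value) > max_len:
        raise HeaderInjection("header value too long")
    return value


def clean_address(value):
    """Accept exactly one bare address (used for Reply-To), else raise."""
    value = clean_header_text(value)
    if any(c in value for c in ',;<>"()'):
        raise HeaderInjection("address lists, display names and comments are not accepted")
    name, addr = parseaddr(value)
    if name or addr != value or not ADDR_RE.match(addr):
        raise HeaderInjection("not a single plain address")
    return addr


def build_form_mail(form):
    """Build the message for a submitted contact form.

    form: dict with the submitted 'email', 'subject' and 'message' fields.
    Returns an EmailMessage; raises HeaderInjection on unsafe input.
    """
    reply_to = clean_address(form.get("email", ""))
    subject = clean_header_text(form.get("subject", ""), max_len=120)
    body = form.get("message", "")   # body text is free-form; it is not a header

    msg = EmailMessage()
    msg["From"] = ENVELOPE_FROM      # fixed, so the server never relays "from" strangers
    msg["To"] = FORM_RECIPIENT       # fixed, so the form cannot pick its own recipients
    msg["Reply-To"] = reply_to
    msg["Subject"] = "[contact form] " + subject
    msg.set_content(body)
    return msg


def is_safe_submission(form):
    """True if build_form_mail would accept the form, False otherwise."""
    try:
        build_form_mail(form)
        return True
    except HeaderInjection:
        return False


if __name__ == "__main__":
    ok = build_form_mail({"email": "alice@example.org", "subject": "Hello", "message": "Hi there"})
    print(ok.as_string())
    print(is_safe_submission({"email": "alice@example.org\nX-Extra: value", "subject": "x", "message": ""}))
```

The design choice worth copying even if you keep an existing script is the first one: the form decides the subject and reply address at most, never the recipient list. With that in place, a bypass of the character checks can at worst send one message to you, not to an address list chosen by the submitter.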
suga

msg:4058736 | 12:19 am on Jan 12, 2010 (gmt 0)

Thank you for your response. Yes, I agree, the log file should have been saved! I will have to make sure our form mail is secure. Thank you again.