/var/log full, have i been attacked?

Forum Moderators: phranque

Message Too Old, No Replies

/var/log full, have i been attacked?

site went down due to full /var/log directory, have we been attacked?

suga

5:53 am on Dec 29, 2009 (gmt 0)

our site went down due to a full /var/log directory, the maillog file was particularly large. that file has been since deleted and we're now back up.

how can i tell if we have been attacked? where can i learn to analyze the maillog file to see if our domain is being used to spam people? here is an example of a line in our maillog file:

Dec 28 21:26:43 servername postfix/qmgr[2152]: 212DFC4323: to=<root@mydomain.com>, relay=none, delay=3969, delays=3939/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mydomain.com[ipaddress]: Connection timed out)

thanks in advance!

jdMorgan

9:23 pm on Dec 31, 2009 (gmt 0)

If you have a problem, *save* your log files, don't delete them!
Or at least download and save part of the log files...

Check your FormMail (or similar script) to be sure that it is up-to-date and secure. Make sure that it does not accept newlines or any special characters in any of the 'address' headers such as 'To', 'From', 'CC', 'BCC', 'Reply-to' or 'Subject'. If it does, then it will be quite easy to send spam from your server using simple injection tricks.

If your server is commercially-hosted, ask your host for help. If they can't help, then you need a new host.

Jim

suga

12:19 am on Jan 12, 2010 (gmt 0)

thank you for your response. yes i agree, the log file should have been saved! i will have to make sure our form mail is secure. thank you again.