Welcome to WebmasterWorld Guest from

Forum Moderators: bakedjake

Message Too Old, No Replies

dos attack?

3:31 pm on Jan 4, 2010 (gmt 0)

New User

5+ Year Member

joined:June 28, 2008
posts: 39
votes: 0


I have several websites on a dedicated server that all function pretty much the same. Over the past few days, I noticed my main website was not loading. I displayed processes and found this....

25165 ? S 0:00 qmail-remote example.net iujelycyt3586@example.net
25166 ? S 0:00 /var/qmail/bin/qmail-remote.moved example.net iujelycyt3586@example.net
25172 ? S 0:00 qmail-remote example1.net.sa nywumyyfaf4577@example1.net.sa
25173 ? S 0:00 /var/qmail/bin/qmail-remote.moved example1.net.sa nywumyyfaf4577@example1.net.sa
25187 ? S 0:00 qmail-remote example.com aviatorsn35@example.com
25188 ? S 0:00 /var/qmail/bin/qmail-remote.moved example.com aviatorsn35@example.com

I've seen up to 10 entries so far. These entries just come and go. My other websites normally just pop right up as normal but one of my main websites does not.

Can someone tell me what this is? How I can stop it? Is it IP or domain related since the other sites don't have as many problems.

Ironically, I was in the process of moving my sites to a different server but I can't even get that done because at times I can't even reach the server.

[edited by: tedster at 5:11 am (utc) on Jan. 5, 2010]
[edit reason] switched to example.com [/edit]

11:47 pm on Jan 13, 2010 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
votes: 24

Qmail is a mail server program. It looks like your server is used quite heavily and unauthorized as an email server. There are three possibilities:

  1. Your server is hacked and someone is sending emails from the system level
  2. Your email server has an open relay setup and someone is using your server to distribute mail from another source outside of your server
  3. One of your websites has a hackable email form which is currently abused to send email from that webform via your email server to the outside world.

In all three cases: try to find the leak and close it, or better: move to a new server if you had that plan already.

12:26 am on Jan 14, 2010 (gmt 0)

New User

5+ Year Member

joined:June 28, 2008
posts: 39
votes: 0

Thank you for your response.

I think it is option 1. At 1 point my server reported that it would not allow me to sign in because it's log was full (or something like that).

I'm almost done moving. They will need to find a different host in a couple of days.