I'm in real trouble!!

Discussion in 'Software' started by dromano, Nov 4, 2006.

  1. dromano

    dromano Staff Sergeant

    I don't know if my server has been hacked or a web site, but this seems to be the only place I can get any support. I am running a Linux FreeBSD leased server. We have 18 web sites on this server and have never had this kind of traffic on it before. I cleaned the messages and mqueue at 11 am and have over 60,000 messages and 32,000 mqueue 3 hours later. Is there any way I can identify the problem? (web site or server)
    The server keeps shutting down and I'm getting internal server errors.
    Any suggestions WELCOME!
    Thanks,
    Dan
     
  2. Colemanguy

    Colemanguy MajorGeek

    I don't mean to be a jerk, but here's what I would do first. Contact someone professional responsible for maintaining your server and go from their instructions to remove the problem. It's likely you have been compromised, but a forum really, in my opinion, isn't the place for support for a business server with immediate support needs such as yours. I would find the nearest trained professional and ask/pay him for support. Sorry I can't be more help, but that's your best solution.
     
  3. dromano

    dromano Staff Sergeant

    Sorry to take up your time. If I could get through to support I would have, and if I knew how to withdraw the thread I would do that also.

    Thanks,
    Dan
     
  4. Jazagod

    Jazagod Command Sergeant Major

    Totally uncalled for. Don't listen to people like that; he should have posted in the most heard or whatever. Got nothing nice to say, then shut up! Unbelievable! :mad:
     
  5. Colemanguy

    Colemanguy MajorGeek

    No, not really. I'm just saying we are really his best option, are we? Unless we own his server, then his probably best option is to go through their support. That's a very good response to an issue like that, since he's already paying someone to host do his work; they would be his best bet for the answer to his questions. I clearly stated I'm not trying to be rude, but giving him an honest answer to his question, and judging by the lack of responses here, his best option. Since when did it become uncalled for to post an honest opinion and response to his problem??? Tell me where in my thread I was rude or not helpful. I posted my opinion, and last time I checked that was a valid thing to do in a public forum. And to the original poster, don't apologize; I just think your time is better spent with the people who set up the server, as they know all the details, and it's likely the information actually needed to solve the problems shouldn't be given out in a public forum. That's Jazagod, but if I shouldn't have posted, then neither should you.
     
  6. dromano

    dromano Staff Sergeant

    Hey guys, my intent is not to stir any ill will. It's just that the owner of the company is unreachable and I have been helping out. I don't know how to get to his support, and you have all helped me so much that I spend all my free time here trying to learn as much as possible. Jazagod, thank you, but maybe I overstepped what the forum is designed for. If I did, I apologize, and someone please just push the destruct button for this thread.
    Thanks,
    Dan
     
  7. GaryG

    GaryG Private First Class

  8. Jazagod

    Jazagod Command Sergeant Major

    I believe Dromano could find some sort of help here. Colemanguy, I need not an argument. I apologize for my lip, and hope you will accept....
    Nice speech :D
    I hope you take the apology! :)
     
  9. dromano

    dromano Staff Sergeant

    GaryG, this may REALLY HELP. Time to do some reading.
    I appreciate it, thanks,
    Dan
     
  10. Colemanguy

    Colemanguy MajorGeek

    Well, is the traffic you mentioned going into the server, like that many messages trying to be emailed to you? That could be part of a DoS attack, but from your description it sounds like you're having issues with a large amount of messages being sent out of your server, which would be more of a mail relay type attack.
     
  11. dromano

    dromano Staff Sergeant

    I am cleaning them right now. It looks like they are being sent from the server: var- log-messages- 56,000 spool- mqueue- 20,334. None of the sites have a mailing list or seem to have any unusually high mail in their inbox.
    Thanks,
    Dan
     
  12. Colemanguy

    Colemanguy MajorGeek

    Yeah, then it really isn't a DoS attack; that would be more of a sending large amounts of mail to your server. I would actually check if they're from one particular address and narrow it down to the desktop sending those; it's more than likely an infected machine.
     
  13. dromano

    dromano Staff Sergeant

    That's one big problem: I don't know how to do that. How do I check what the address is? In mqueue I only get, as an example, (dika48BMQqui082533). How can I find the address?
     
  14. Jazagod

    Jazagod Command Sergeant Major

    Hey drom, possibly one day you can explain what and how you are talking about. I have basics, but I want to learn more, PM me :~)
     
  15. Colemanguy

    Colemanguy MajorGeek

    What program are you using for your mail server?
     
  16. dromano

    dromano Staff Sergeant

    Hey guys,
    I'm finally back to normal. It seems it was stemming from two of our web sites on two different servers. I have a feeling it might be one of our programmers harvesting or selling mailing lists. In any case it has stopped for now and I am tracing the e-mails. I should know more later today. I want to thank Jazagod,
    GaryG and especially Colemanguy for pointing me in the right direction.
    MAJORGEEKS RULE!!!!!!!!!!
    Thanks again,
    Dan
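
An added example, not part of any post above: one way to answer the "which address is it coming from?" question raised in the thread by tallying queued mail per source. It assumes a Sendmail-style queue (the thread never names the mail server) in which each message has a `qf` control file carrying an `S` envelope-sender line and a `$_` macro recording who submitted it; the queue path, function names and sample data are all constructed for illustration.

```python
from collections import Counter
from pathlib import Path

# Constructed sample control files (queue ID -> qf text); none of this is from the thread.
SAMPLE_QUEUE = {
    "kA4AAAAA000101": "V8\nT1162641600\nN1\n$_www@localhost\nS<offers@forged.example>\n"
                      "RPFD:<a@dest.example>\nRPFD:<b@dest.example>\nH??Subject: hello\n.\n",
    "kA4AAAAB000102": "V8\nT1162641605\nN0\n$_www@localhost\nS<deals@forged.example>\n"
                      "RPFD:<c@dest.example>\nH??Subject: hello\n.\n",
    "kA4AAAAC000103": "V8\nT1162641610\nN2\n$_www@localhost\nS<offers@forged.example>\n"
                      "RPFD:<d@dest.example>\nH??Subject: hello\n.\n",
    "kA4AAAAD000104": "V8\nT1162641700\nN0\n$_root@localhost\nS<root@host.example>\n"
                      "RPFD:<admin@host.example>\nH??Subject: cron\n.\n",
}

def parse_qf(text):
    """Pull envelope sender, submitter ($_ macro) and recipients out of one qf file."""
    info = {"sender": None, "submitter": None, "recipients": []}
    for line in text.splitlines():
        if line.startswith("$_"):      # who handed the message to the MTA
            info["submitter"] = line[2:].strip()
        elif line.startswith("S"):     # envelope sender (easily forged)
            info["sender"] = line[1:].strip().strip("<>") or "<>"
        elif line.startswith("R"):     # one line per recipient, flags before the colon
            info["recipients"].append(line[1:].split(":", 1)[-1].strip("<>"))
    return info

def load_queue(path="/var/spool/mqueue"):
    """Read every qf* file in a queue directory (path is an assumption; needs root)."""
    return {p.name[2:]: p.read_text(errors="replace") for p in Path(path).glob("qf*")}

def top_sources(queue, n=5):
    """Rank submitters and envelope senders by number of queued messages."""
    submitters, senders = Counter(), Counter()
    for text in queue.values():
        info = parse_qf(text)
        submitters[info["submitter"]] += 1
        senders[info["sender"]] += 1
    return submitters.most_common(n), senders.most_common(n)

if __name__ == "__main__":
    subs, snds = top_sources(SAMPLE_QUEUE)
    print("by submitter:", subs)
    print("by envelope sender:", snds)
```

In the constructed data the envelope senders vary but the submitter is always the web server account, which is the pattern to expect when a web site's script is the source, so the submitter tally is usually the more reliable of the two.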
     
