What is the IP of your server? 70.84.211.98? 68.106.154.147? Is your server somehow related to webpal.info?
The IP address of my server is the second one (68.106.154.147), and no, my server is in no way related to webpal.info at all whatsoever!!!
Which ISPConfig version are you running? And which Linux distro? It seems that someone from IP 70.84.211.98 is trying to connect to your mailserver. Take a look at this post: http://www.howtoforge.com/forums/showthread.php?t=6363&highlight=dovecot Try to reject that IP (70.84.211.98).
ISPConfig Version: 2.2.6 (c) ISPConfig 2006. Fedora Core 5 is my Linux distro. And how do you tell which user is trying to log in????
Take a look at your own posts, especially where you posted the maillog, and you will see that someone is trying to connect to your mailserver. There is an IP in those logs: 70.84.211.98
I see what you were saying... so I need to block that IP address. My thing is, I don't know if running the command I found at the link you sent me will actually work. I did disable SELinux and the firewall per the directions from this site for the tutorial... but if I still need to do it and y'all know it's gonna work, then I think this should solve the problem???
According to the header of the message that you posted at the beginning of this thread, it seems that something or someone is trying to send a message to a nonexistent user on the terions.de network. As that user is nonexistent, the terions.de mailserver is sending your mailserver the information that the email can't be delivered. Then your mailserver tries to send the email again and again, and terions.de sends the email back again and again. Please consider the possibility that your client machine is infected with some virus, trojan etc. A few weeks ago I had on my "secure" Windows workstation some trojan that was trying to connect to my email account as fast as 2 - 4 times per second. I noticed the problem when my ISP disconnected me from the network because my workstation was overwhelming their mail server with repeated login attempts.
And try to install logcheck. With it you can always see whether you are the target of some nasty hacker. And get used to it, once you have a live server on the net. http://www.howtoforge.com/howto_chkrootkit_portsentry http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
See, that's the thing... the only thing I installed was ISPConfig and that was it... nothing more and nothing further! I get what you are saying. So where can I check to see where this email thing comes into play? I want to see who is trying to send mail to the servers mentioned??? I haven't read your second post and that's what I'm getting ready to do now!!
I guess your server has not been hacked; it is enough if someone sends spam emails with a sender address located on your server. To remove all mailer-daemon messages from your mail queue, run this command:
till, he deleted a previous post where he assumed that the second IP might be the IP of his desktop PC. Maybe he should check if his desktop PC is sending emails (or trying to send) using his own webserver (located on the other IP). Also, there is the possibility that his email account on his server is compromised if his password was cracked. If he installs logcheck he can check in real time whether someone is trying to brute-force the passwords of his accounts. Very often my server is also the target of hackers trying to crack passwords for my email accounts.
Okay... portsentry will not install; however, chkrootkit did install per those directions there!!! I stopped at portsentry! Here is the error I am getting:
Code:
[root@jdubbhosting ~]# cd portsentry_beta
[root@jdubbhosting portsentry_beta]# make linux
SYSTYPE=linux
Making
cc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function ‘PortSentryModeTCP’:
./portsentry.c:1187: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness
./portsentry.c: In function ‘PortSentryModeUDP’:
./portsentry.c:1384: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
./portsentry.c: In function ‘Usage’:
./portsentry.c:1584: error: missing terminating " character
./portsentry.c:1585: error: ‘sourceforget’ undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ‘)’ before ‘dot’
./portsentry.c:1585: error: stray ‘\’ in program
./portsentry.c:1585: error: missing terminating " character
./portsentry.c:1595: error: expected ‘;’ before ‘}’ token
make: *** [linux] Error 1
[root@jdubbhosting portsentry_beta]#
[root@jdubbhosting ~]# mailq | tail +2 | awk 'BEGIN { RS = "" }
> # $7=sender, $8=recipient1, $9=recipient2
> { if ($7 == "MAILER-DAEMON")
>     print $1 }
> ' | tr -d '*!' | postsuper -d -
tail: cannot open `+2' for reading: No such file or directory
[root@jdubbhosting ~]#
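The queue-cleanup pipeline from the posts above, written out as an added example (not the thread's own command): it uses `tail -n +2`, since the `tail +2` form failed on the poster's system, and runs against a constructed Postfix mailq listing (made-up queue IDs, example domains) so it can be tried without touching a live queue. It prints the bounce queue IDs instead of deleting them.

```shell
#!/bin/sh
# Added example (not from the thread): list the queue IDs of bounce
# messages (sender MAILER-DAEMON) in Postfix "mailq" output, the IDs that
# "postsuper -d -" would delete. SAMPLE_MAILQ is constructed sample data in
# the Postfix queue-listing format; the queue IDs and hosts are made up.
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
0123456789A*     4321 Tue Oct 10 12:00:00  MAILER-DAEMON
                                           nobody@terions.de

0123456789B      2048 Tue Oct 10 12:01:00  user@example.com
(connect to mail.example.org[192.0.2.10]:25: Connection refused)
                                           someone@example.org

0123456789C!     1500 Tue Oct 10 12:02:00  MAILER-DAEMON
                                           another@terions.de

-- 7 Kbytes in 3 Requests.'

# bounce_queue_ids reads a mailq listing on stdin and prints one queue ID
# per line for every entry whose sender is MAILER-DAEMON. The header line
# is dropped, each blank-line-separated entry is one awk record, and the
# "*" (active) / "!" (on hold) status markers are stripped from the IDs.
bounce_queue_ids() {
    tail -n +2 | awk 'BEGIN { RS = "" }
        # paragraph mode: $1 = queue ID, $2 = size, $3-$6 = arrival time,
        # $7 = sender; a deferral reason line does not shift these fields
        $7 == "MAILER-DAEMON" { print $1 }' | tr -d '*!'
}

# Dry run on the sample: shows which entries would be removed.
printf '%s\n' "$SAMPLE_MAILQ" | bounce_queue_ids
# On a live Postfix server (as root) the same function feeds postsuper:
#   mailq | bounce_queue_ids | postsuper -d -
```

Run the dry run first and check that only bounce entries are listed; a queue entry whose sender is a real user should never appear in the output.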
See, and this is looking like it's gonna leave me with no other option but to completely take down the server and start from scratch all over again. I want to use ISPConfig, don't get me wrong, but this is just overwhelming!! I am not new to Linux administration, but I am not that deep into it either! I'm more of a Windows guy! Linux is better when it comes to servers and I feel that it's more secure! So what other options do I have? If I run the uninstall option, that's still gonna leave stuff behind, which is a bitch to clean up after, and that just means for me that I need to take the server down and re-install the base OS, follow the tutorial again and call it a day! If there are other suggestions then please let me know!
If everything is working OK on your server then there is no need for you to reinstall the server. (BTW, I reinstalled my servers more than 20 times with different distributions just to learn every single step of installing them. The mother of knowledge is repetition.) Now I have stable servers. Or at least I think so. Just don't panic, RELAX, and locate the mail problem. Step by step. WHO is the owner of the IP that is permanently trying to connect to your server? Is it your IP?
1. If it is, check your desktop machine, where your Outlook Express is. I noticed your edited post before you deleted it.
2. If it is not, then BLOCK that IP (see previous posts).
3. If it is what till said to you, then you will have to wait until the spammer stops sending emails, or try to locate from which IP he is doing so and report that problem to that network's administrator (terions.de).
And DO NOT delete your posts in future.
I didn't delete any of my posts, I don't think, and I did block the IP address because it's not mine! All I know is, on my machine I have everything set except for the password, and I hit cancel when it tries to check my mailbox because it has too many messages, so I just cancel it when it tries to log in... it slows up my computer.
I think it's the server doing it itself... something is obviously set wrong in the distro I got, I think, as far as ISPConfig goes, cuz way before all this happened I tested the mailservers and stuff to make sure they worked... then sometime after the install of ISPConfig... bam, I got SPAMMED the hell out of.
Any more suggestions? I am feeling that a server reinstall needs to happen! But if this problem can be fixed then I need to know if there is something in ISPConfig that's sending emails to that domain!!!
I didn't get any response for 2 days, so I just went ahead and reinstalled the entire server and have not installed ISPConfig as of yet. I will be reinstalling it though! But once I took ISPConfig out, no more emails. Let's see what happens this time!