Hello, My server has been attacked by a load of sad assholes. They have started flooding my cache with crap; it got up to 180 MB in size and is still increasing. They also flooded the root@localhost email account with thousands of emails. So I have switched off my server for now, disrupting my service for everyone. How can you flush/empty the cache? How can I remove the root@localhost email account? Have you got any idea how they are flooding my cache? Also, how can I block specific IPs from accessing my server? Please help, Alex
What cache are you referring to? I don't think this is a good idea as all the important system messages are sent to root.
Are you talking about the mailqueue? Messages in the mailqueue can be deleted and listed with the "postqueue" command. I'm pretty sure that these messages are not sent directly to root@localhost, so you should check in the mail log to which accounts the emails are sent originally.
Thanks a lot, works very well. I put ntop on my server so I can see who is using lots of traffic if they try to DoS attack me. Any idea how to empty the cache shown in the picture above?
Memory Info:
Code:
MemTotal: 515628 kB
MemFree: 80540 kB
Buffers: 26844 kB
Cached: 216944 kB
SwapCached: 672 kB
Active: 300132 kB
Inactive: 103272 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 515628 kB
LowFree: 80540 kB
SwapTotal: 513976 kB
SwapFree: 512308 kB
Dirty: 168 kB
Writeback: 0 kB
AnonPages: 159004 kB
Mapped: 53604 kB
Slab: 24732 kB
PageTables: 2088 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 771788 kB
Committed_AS: 558064 kB
VmallocTotal: 507896 kB
VmallocUsed: 5528 kB
VmallocChunk: 501112 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
Hugepagesize: 4096 kB

Process Info:
Code:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 15 0 724 184 140 S 0 0.0 0:01.67 init
2 root RT 0 0 0 0 S 0 0.0 0:00.02 migration/0
3 root 38 19 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
4 root RT 0 0 0 0 S 0 0.0 0:00.01 migration/1
5 root 34 19 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
6 root 10 -5 0 0 0 S 0 0.0 0:00.02 events/0
7 root 10 -5 0 0 0 S 0 0.0 0:00.08 events/1
8 root 10 -5 0 0 0 S 0 0.0 0:00.00 khelper
9 root 10 -5 0 0 0 S 0 0.0 0:00.00 kthread
13 root 12 -5 0 0 0 S 0 0.0 0:00.07 kblockd/0
14 root 10 -5 0 0 0 S 0 0.0 0:00.04 kblockd/1
15 root 14 -5 0 0 0 S 0 0.0 0:00.00 kacpid
90 root 12 -5 0 0 0 S 0 0.0 0:00.00 cqueue/0
91 root 13 -5 0 0 0 S 0 0.0 0:00.00 cqueue/1
92 root 10 -5 0 0 0 S 0 0.0 0:00.01 kseriod
130 root 17 0 0 0 0 S 0 0.0 0:00.00 pdflush
131 root 15 0 0 0 0 S 0 0.0 0:00.13 pdflush
132 root 10 -5 0 0 0 S 0 0.0 0:01.28 kswapd0
133 root 12 -5 0 0 0 S 0 0.0 0:00.00 aio/0
134 root 13 -5 0 0 0 S 0 0.0 0:00.00 aio/1
381 root 11 -5 0 0 0 S 0 0.0 0:00.00 kpsmoused
849 root 13 -5 0 0 0 S 0 0.0 0:00.00 md1_raid1
855 root 12 -5 0 0 0 S 0 0.0 0:03.80 md2_raid1
874 root 12 -5 0 0 0 S 0 0.0 0:01.01 kjournald
930 root 12 -4 1832 452 336 S 0 0.1 0:00.44 udevd
1537 root 10 -5 0 0 0 S 0 0.0 0:00.00 khpsbpkt
1586 root 12 -5 0 0 0 S 0 0.0 0:00.02 kgameportd
1594 root 10 -5 0 0 0 S 0 0.0 0:00.00 khubd
1600 root 15 0 0 0 0 S 0 0.0 0:00.00 knodemgrd_0
1606 root 10 -5 0 0 0 S 0 0.0 0:00.00 kedac
1927 root 10 -5 0 0 0 S 0 0.0 0:00.00 md0_raid1
1971 root 10 -5 0 0 0 S 0 0.0 0:00.00 kjournald
1973 root 10 -5 0 0 0 S 0 0.0 0:02.30 kjournald
2271 root 18 0 1596 364 280 S 0 0.1 0:00.03 irqbalance
2285 root 16 0 1876 688 560 S 0 0.1 0:00.01 resmgrd
2294 root 15 0 1724 540 336 S 0 0.1 0:00.00 klogd
2309 root 15 0 2104 808 600 S 0 0.2 0:06.53 syslog-ng

How can I get the mail service working again as well? Whenever I enable it, I start getting spammed with insulting messages:
You didn't post the beginning of top's output which contains the details I was looking for (memory usage, etc.)... Check your mail queue with
Code:
postqueue -p
if there are lots of spam mails in there. If so, you can delete the spam mails with the postqueue/postsuper commands.
Wooo, the postqueue is absolutely massive. It's been running for about 5 minutes and it's still going, listing the spam emails; all the emails are to one person. It appears that someone has been trying to flood someone's email inbox. Is there any way to clear all this email? Also, just for interest, is there any way to see how many emails are in the postqueue?
I am NOT 100% sure, but if you use MailDirs, every mail is in the maildir of the "special" user. Every file is one mail. I tried to delete one file (for example with "mc") and this works fine. Deleting ALL files will delete all emails of this email address.
Yes, use this command:
Code:
mailq | tail -n +2 | awk 'BEGIN { RS = "" }
# $7=sender, $8=recipient1, $9=recipient2
{ if ($8 == "[email protected]")
print $1 }
' | tr -d '*!' | postsuper -d -
The above is just one command; replace [email protected] with the email address of the recipient that shall receive the emails. Then copy all the lines above exactly as they are at once (in one block!) to your PuTTY window and hit return.

Yes, but at the end of the postqueue run :-(
As long as the emails are displayed by the postqueue command, they are not delivered yet to a maildir.
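To see how the queue breaks down per recipient before deleting anything, the same mailq parsing can be turned into a tally. This is an added example, not part of the original thread; it assumes the standard mailq column layout used in the command above, and the queue listing, queue IDs and addresses in it are constructed.

```shell
#!/bin/sh
# Added example: count Postfix queue entries per first recipient.
# Both functions read mailq / postqueue -p formatted text on stdin.

queue_summary() {
    tail -n +2 |          # drop the column header line
    grep -v '^ *(' |      # drop deferral-reason lines, which would shift the awk fields
    awk 'BEGIN { RS = "" }      # paragraph mode: one queue entry per record
         $1 ~ /^--/ { next }    # skip the "-- N Kbytes in M Requests." trailer
         { count[$8]++ }        # $7=sender, $8=recipient1
         END { for (r in count) print count[r], r }' |
    sort -k1,1nr -k2,2    # busiest recipient first
}

queue_total() {
    queue_summary | awk '{ n += $1 } END { print n + 0 }'
}

# Constructed sample listing (not real data): one active entry (*),
# one deferred entry with a reason line, two plain entries.
sample_queue() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
0A1B2C3D4E*     812 Mon Jan  1 10:00:00  wwwrun@server.example
                                         victim@example.org

1F2E3D4C5B      799 Mon Jan  1 10:00:01  wwwrun@server.example
(connect to mx.example.org[192.0.2.25]:25: Connection timed out)
                                         victim@example.org

2C3D4E5F6A      805 Mon Jan  1 10:00:02  wwwrun@server.example
                                         victim@example.org

3D4E5F6A7B     1204 Mon Jan  1 10:05:40  admin@server.example
                                         other@example.net

-- 4 Kbytes in 4 Requests.
EOF
}

sample_queue | queue_summary
```

On a live server the input would be `mailq | queue_summary`; without the `grep -v '^ *('` step, the deferred entry's reason text would land in `$8` instead of the recipient.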
Thanks, I'll try that. Just reached the end of the postqueue, it's very big! -> -- 31968 Kbytes in 104345 Requests.
Thank you ever so much again, till, you have saved my server. All the mail has been deleted and it is now running as normal. I know that they sent this mail through a PHP script on a loop. Their accounts have now been terminated. Is there any way to stop the PHP mail function working for certain users, so that next time, if there is someone I don't fully trust, I can remove their mail access? Thanks again, everyone, you have saved my server!
If I remember correctly, there is a setting in the php.ini that defines the functions which are not allowed when PHP safemode is enabled. If you define this setting in the apache directives field to override the default in the php.ini, you might be able to disallow the use of the mail function.
I am not really sure, but I don't think you must have safemode = on. This setting also works without safemode. I think I remember this is a REPLACEMENT of safemode=on (this and some other settings in combination).
This depends on your installation. The "normal" place is the php.ini. If you override this in your vhosts, feel free to do it ;-)