Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Hack attempts overloading server by hogging memory

Status
Not open for further replies.

JRFEG

Systems Engineer
Jan 9, 2024
1
0
0
GB
Good day from UK
I have spent a very long time trying to find the answer and not been successful
There are repeated attempts to use send mail on my webserver and each time this opens a new process, which hogs memory, even though the attempt is unsuccessful, sendmail has ended the process but still holds the memory for a longer time.
I have heard there is a value in the .inf file to change that reduces the time for holding the memory but I can not find it.
All attempts are "cmd read" and from forged IP addresses or compromised systems.
I use firewalld on the server and have blocked a range of IPs that were regularly used and that helped.
There are only 7 users for sendmail, all accessing the server using port 597 and the IP address. However, use from roaming places can be port 25 so do not want to just block that.
Here is just a sample.

ANY clues gratefully accepted as the server keeps dropping services when memory is full, sadly my BIND DNS is the first to drop so then nothing works and can't even access server through any control panel - have to open a Putty window and reboot the server.

Thanks
John
UK

List from open processes-
12657 root an hour ago sendmail: server [109.70.206.253] cmd read
13178 root an hour ago sendmail: server tdev152-163.codetel.net.do [200.88.152.163] cmd read
13683 root an hour ago sendmail: server 163.pool90-160-139.dynamic.orange.es [90.160.139.163] (may be f ...
13764 root an hour ago sendmail: server host3.maishabd.net [103.86.196.3] (may be forged) cmd read
13773 root an hour ago sendmail: server 208-105-193-045.biz.spectrum.com [208.105.193.45] cmd read
14097 root an hour ago sendmail: server [37.99.215.57] cmd read
14100 root an hour ago sendmail: server [137.59.122.138] cmd read
14169 root an hour ago sendmail: server [121.120.147.200] cmd read
14382 root 44 minutes ago sendmail: server [31.179.236.122] cmd read
14444 root 44 minutes ago sendmail: server [94.159.23.102] cmd read
14533 root 43 minutes ago sendmail: server [150.107.207.142] cmd read
15096 root 37 minutes ago sendmail: server [222.68.154.46] cmd read
15556 root 32 minutes ago sendmail: server [118.70.190.56] cmd read
15664 root 30 minutes ago sendmail: server host3.maishabd.net [103.86.196.3] (may be forged) cmd read
15708 root 30 minutes ago sendmail: server [94.159.23.102] cmd read
15966 root 27 minutes ago sendmail: server [154.127.86.66] cmd read
15967 root 27 minutes ago sendmail: server static-201-163-73-88.alestra.net.mx [201.163.73.88] cmd read
16093 root 26 minutes ago sendmail: server [37.99.215.57] cmd read
16170 root 25 minutes ago sendmail: server [212.152.216.141] cmd read
16347 root 23 minutes ago sendmail: server 1.243.66.125.broad.zg.sc.dynamic.163data.com.cn [125.66.243.1] ...
16399 root 23 minutes ago sendmail: server static-201-163-73-88.alestra.net.mx [201.163.73.88] cmd read
16406 root 23 minutes ago sendmail: server 177-22-88-183.triway.net.br [177.22.88.183] (may be forged) cmd ...
18921 root 12 minutes ago sendmail: server [36.66.49.62] cmd read
18923 root 12 minutes ago sendmail: server [103.73.164.190] cmd read
19203 root 9 minutes ago sendmail: server 82.193.120.85.ipnet.ua [82.193.120.85] (may be forged) cmd read
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top