[SOLVED] hacked by spammer? (sendmail-mta running wild)

[alfmarius]

Hello!

I came back to work after some time, and noticed that my logs are running
very big... I traced it to the sendmail-mta program that somehow is called
(i cant figure out what source is calling this program, its nothing i can find
in the crontab at least).

> ps aux|grep send:

root 3915 0.0 0.2 7360 2176 ? Ss Mar31 0:00 sendmail: MTA: accepting connections
root 20598 3.8 0.3 8676 3888 ? D 14:27 0:35 sendmail: MTA: ./n2VClVNc003916 from queue
root 9341 5.1 0.3 8596 3776 ? D 14:37 0:15 sendmail: MTA: ./n2VCv68w003916 from queue
root 16504 0.0 0.0 0 0 ? Zs 14:42 0:00 [sendmail-mta] <defunct>


sendmail-mta is not installed on my server, so the logs are filling up with errors like:

Apr 3 14:30:09 bluelady sm-mta[20711]: n321vXH2028280: Warning: program /usr/sbin/sensible-mda unsafe: No such file or directory
Apr 3 14:30:09 bluelady sm-mta[20711]: n321vXH2028280: SYSERR(root): Cannot exec /usr/sbin/sensible-mda: No such file or directory
Apr 3 14:30:09 bluelady sm-mta[20598]: n321vXH2028280: SYSERR(root): putbody: write error: Broken pipe
...
...

Anyone got a clue whats going on here? Is this a hack-attack?

Thanks

[alfmarius]

Problem solved, no hacker fortunatly!

The problem is described here: Cronic - A cure for Cron's chronic email problem

Basicly a cronjob that was running every 5 minutes created
a lot of output that was put in the mail-que. Since the sendmail
was missing sensible-mda package, the error logs was
expanding rapidly and creating all sorts of problems.