January 28, 2004

Campus PacketShaper blocks SMTP

I’m blocking in and outbound SMTP except to registered mail servers on the main campus Internet connection now.

We’ve got a number of boxes infected with the MyDoom/Novarg worm, and a couple of them made it onto the DSBL DNS black list. Got those removed pretty easily, but there shouldn’t be any legitimate traffic outbound on SMTP except from our mail servers anyway. So, snip.

January 27, 2004

New worm: MyDoom.A

We saw the ramping up of a new mass mailing worm yesterday afternoon.

It got through our virus scanner because there was no signature for it yet. MIMEDefang defanged it, but still a few systems on campus were infected. Late afternoon I crawled through the maillogs to find the most common attachment names that this seemed to be getting sent as, and came up with a filename regex of:

((doc(\w)*|body|readme|gmf|text|file|message).(scr|zip|pif|exe))

I also sent a copy of the virus to Central Command’s virus submission address. An hour later they had an updated signature file for the virus, which I grabbed.

We’ve gotten 5755 copies dropped by MIMEDefang since midnight.
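The filename regex from this entry, checked against constructed attachment names (an added example, not part of the original post). Python's `re` stands in for the mail filter's own matching, and the stricter pattern is an assumption about the intent: literal dot, whole-name match, case-insensitive.

```python
import re
from collections import Counter

# Pattern exactly as given in the post (its unescaped "." matches any character).
PAGE_PATTERN = r"((doc(\w)*|body|readme|gmf|text|file|message).(scr|zip|pif|exe))"

# Assumed tightening, not from the post: escaped dot, no capture noise.
STRICT_PATTERN = r"(doc\w*|body|readme|gmf|text|file|message)\.(scr|zip|pif|exe)"

PAGE_RE = re.compile(PAGE_PATTERN)
STRICT_RE = re.compile(STRICT_PATTERN, re.IGNORECASE)


def page_match(name):
    """Unanchored, case-sensitive search with the post's pattern."""
    return PAGE_RE.search(name) is not None


def strict_match(name):
    """Whole-filename, case-insensitive match with the tightened pattern."""
    return STRICT_RE.fullmatch(name) is not None


def top_names(names, n=3):
    """Most common attachment names (lowercased), the input for writing a rule."""
    return Counter(x.lower() for x in names).most_common(n)


def compare(names):
    """Map each distinct name to (page_match, strict_match)."""
    return {n: (page_match(n), strict_match(n)) for n in sorted(set(names))}


# Constructed sample attachment names (not taken from real mail logs).
SAMPLE = ["document.zip", "body.scr", "README.PIF", "message.zip", "body.scr",
          "profile_exercises.doc", "quarterly-text.zip", "file.exe", "notes.txt"]

if __name__ == "__main__":
    print("most common:", top_names(SAMPLE))
    for name, (page, strict) in compare(SAMPLE).items():
        print(f"{name:24} page={page!s:5} strict={strict}")
```

On the sample, the post's pattern flags `profile_exercises.doc` (the substring `file_exe` satisfies it) and misses the upper-case `README.PIF`; the tightened pattern does the reverse on both.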

EYEWI disk failure

EYEWI lost a disk on Saturday morning.

The good: Jumpstart solves most everything, and /home was being backed up via fssnap and ufsdump to the standalone DLT drive. That got me most of the data restored, other than /usr/local, which really only had the rcs.mgr data in it. NetBackup was pretty happy with the restored /home/opt directory when I moved that into place.

The bad: The Jumpstart script for mirroring the drives does not perform (properly) the final metattach on the mirror sets, so the mirror only includes the first half. I did the metattach on all the remaining Jumpstarted servers, and I’ll be fixing that in the Jumpstart script. The upshot is that the second disk was useless for booting, and didn’t have /home or /usr like it should have.

What I did:

  • Use spare disk from ROJ’s AMANDA scratch to copy / from the surviving drive. Also did a ufsrestore from the catalog backup tape.
  • Use second of ROJ’s AMANDA scratch disks and the surviving disk to Jumpstart the system.
  • ufsrestore from the catalog backup tape onto the new system.
  • Move /home/opt to /home/opt.old.
  • Install NetBackup.
  • Move /home/opt to /home/opt.new, and move /home/opt.old to /home/opt.
  • Enter NetBackup GUI console to fix the device files for the tape drives (110T, which was /dev/rmt/0* became /dev/rmt/1*, and Overland library went from /dev/rmt/1* to /dev/rmt/0*).
  • Fix /etc/system with increased shared memory configuration (restored from / partition on spare AMANDA disk).

There were a few other oddments scattered in there, as well - getting the system on the private net on bge1 (so I could run the NetBackup install from the cdserver), and things like that.

Last night’s backups didn’t work, since they fired off before I had updated /etc/system with the shared memory bumps. I manually fired off backups for a few key systems, though, and they worked. I also tested a restore of some data on ASHTI, and that worked.

I think things are stable and working as well as they used to now.

Mailman glitch

Monday morning started out with a Mailman glitch.

It appears that certain crafted messages sent through Mailman can trigger a bug that crashes the queue runner. I deleted the message (which was some bounce of a spam bounce), and the queue runner started working properly.

January 05, 2004

WebMail cutover

Made BARIS the main WebMail server this morning.

Copied all of /usr/local/squirreldata to BARIS from KE, made the DNS changes, and the web changes. KE is still responding (on Apache) to webmail.e.e, but that can be taken care of later this week.

Looked into Jabber 2.0 this morning; still icky.

Getting HETEP ready for Jumpstart for SunONE Calendar this afternoon.