[MLUG] Process sending mail on port 25

Jean-Francois Theroux jf at theroux.ca
Wed Jul 23 09:15:16 EDT 2008


Looks like your server was hacked. Put it offline ASAP. If your provider
receives complaints that your box is spamming, there's a good chance your
pipe will be disconnected after they warn you. Don't trust any system
commands because they were probably tampered with.

And then, the normal investigation work begins. Auditing systems takes time
and experience. Also, use tshark instead of iptraf, it's much better.

lsof could probably help you track the culprit, but again, if the person who
hacked your machine has a bit of experience, it won't list his processes.

I would start with a normal nmap of the box, to check if there's any weird
ports open. I'm guessing you have an IRC bouncer on your box, which is
commonly used to remote control servers. The Storm botnet is built that way.
If that's the case, you will have evidence such as accounts and passwords in
a config file, which IRC server they call home to and which channels. You
can often go there and talk to the hackers. I did on several occasions in
the past.

Another place to look at is /tmp. Most people these days allow execution in
that partition, which is bad.

On Wed, Jul 23, 2008 at 9:08 AM, Andre Courchesne - Consultant <
courchea at net-forces.com> wrote:

> Hi all,
>
>   I have a server that seems to be making unwanted connection to an
> external mail host using port 25. How can I find which process is doing that
> ?
>
>   I captured local traffic using iptraf that shows indeed that something is
> sending stuff over port 25 to a specific IP (and it should not).
>
>   Any hints appreciated.
>
> Andre
>



-- 
Jean-François Théroux
Linux/network security consultant
http://www.theroux.ca

Half of what I'm saying to you is meaningless, but it's necessary so that
the other half may reach you. -Kahlil Gibran
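Added example (not part of the thread, and not code from either poster): a small POSIX shell script that does the two checks the reply recommends, mapping outbound port-25 connections to their owning process, and cross-checking the PID list `ps` reports against what `/proc` actually contains, since a tampered `ps` or `lsof` may omit the attacker's processes. It assumes a modern Linux with `ss` from iproute2 (the 2008-era equivalent is `netstat -tnp`, whose columns differ); the `ss` output embedded below is constructed sample data with documentation addresses, not a real capture.

```sh
#!/bin/sh
# Added example, not from the original mailing-list post.
# Usage: sh find_smtp_sender.sh          (runs on the constructed sample below)
#        sh find_smtp_sender.sh --live   (runs against this host; needs root for PIDs)

# parse_smtp_conns: reads `ss -tnp` output on stdin and prints
# "<pid> <process name> <peer address:port>" for every TCP connection whose
# peer port is 25. Works for IPv4 and bracketed IPv6 peers.
parse_smtp_conns() {
    awk '
        /^State/ { next }                       # skip the ss header line
        {
            peer = $5                           # e.g. 203.0.113.5:25 or [2001:db8::25]:25
            n = split(peer, parts, ":")
            if (parts[n] != "25") next
            proc = $6                           # e.g. users:(("perl",pid=4242,fd=3))
            sub(/^users:\(\("/, "", proc)
            name = proc; sub(/".*/, "", name)
            pid = proc;  sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
            print pid, name, peer
        }'
}

# hidden_pids: $1 = newline-separated PIDs as reported by ps,
#              $2 = newline-separated PIDs found as /proc/<pid> directories.
# Prints PIDs that exist in /proc but that ps did not report. A non-empty
# result means a process is being hidden from the tools you are trusting.
hidden_pids() {
    {
        printf '%s\n' "$1" | sed 's/^/ps /'
        printf '%s\n' "$2" | sed 's/^/proc /'
    } | awk '
        $1 == "ps"   { seen[$2] = 1; next }
        $1 == "proc" && !($2 in seen) { print $2 }'
}

# Constructed sample of `ss -tnp` output (RFC 5737 / 3849 documentation addresses).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:43122 203.0.113.5:25 users:(("perl",pid=4242,fd=3))
ESTAB 0 0 192.0.2.10:22 198.51.100.7:51234 users:(("sshd",pid=911,fd=4))
ESTAB 0 0 [2001:db8::10]:55120 [2001:db8::25]:25 users:(("perl",pid=4242,fd=5))'

if [ "${1:-}" = "--live" ]; then
    echo "== processes with connections to remote port 25 =="
    ss -tnp | parse_smtp_conns
    echo "== PIDs present in /proc but missing from ps =="
    hidden_pids "$(ps -e -o pid=)" "$(ls -d /proc/[0-9]* | sed 's|/proc/||')"
else
    echo "== sample: processes with connections to remote port 25 =="
    printf '%s\n' "$SAMPLE_SS" | parse_smtp_conns
    echo "== sample: PIDs in /proc that ps did not report =="
    hidden_pids "$(printf '1\n911\n4242')" "$(printf '1\n911\n4242\n31337')"
fi
```

In live mode a PID returned by `parse_smtp_conns` can be followed up with `ls -l /proc/<pid>/exe` and `/proc/<pid>/cwd` to see what binary is running and from where (the reply's /tmp hint). Both checks read the kernel's view through the same userland, so a kernel-level rootkit that hides entries from `/proc` defeats them too; that is why the reply says to take the box offline and examine it from a trusted system rather than trust anything it reports about itself.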