LinuxQuestions.org forum: Linux - Security
I have a mail server, and I can see from the router that the network activity is higher than usual.
After running netstat I see that it is making many SMTP connections all over the place.
Below is only a small snippet.
I have done the relay test, and my email server is not relaying. How can I determine if my system has been compromised, and what can I do to fix the problem?
+1 on checking the logs. The netstat output only tells part of the picture. If you do see something that looks suspicious in the logs, please respond with details and facts. In addition to some relevant log information, include at least the following:
1 - what distribution you are running, and at what revision
2 - what email application you are using (again, what version)
3 - what other email accessories you are using, e.g. SpamAssassin, DSPAM, amavis
4 - what other server applications you are running, e.g. Apache, and whether you use a CMS and if so which one
5 - whether you use any PHP-based configuration applications, like webmin (again, include version information)
I realize that the above list may be jumping the gun a bit. The point I am trying to make is that if it does appear that you have a problem, please gather and respond with as much detail as possible and we will help analyze it.
It's definitely spam, so you'd better stop your server and clean the spam messages out of the queue.
I have never used that Axigen mail server, but from the logs posted:
Quote:
--snip--
receiveDate Mon, 28 Feb 2011 07:09:33 GMT
retryCount 3
returnPath www@xj121.com
size 1741
status SEND FAILURE
it looks like www@xj121.com was used to send out spam and gets back the DSNs. Is that xj121.com your domain, served by the Axigen mail server?
Quote:
it looks like www@xj121.com was used to send out spam and gets back the DSNs. Is that xj121.com your domain, served by the Axigen mail server?
No, those are not my domains.
I have cleared the queues, so netstat is now not showing much activity.
But how can I check that they don't load rubbish into the queues again?
As I told you, I'm not familiar with Axigen, so I can only give generic advice:
Check the logs to see from which user account all these mails of post #6 were sent, or the IP of the sender. Since your server is not an open relay, most probably it's a user account with a weak password that was compromised.
Also note that both your distro and the mail software you're using are quite old, and they may need upgrading.
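The queue listing quoted above has a simple key/value layout (receiveDate, retryCount, returnPath, size, status, one blank line between entries). The script below is an added example, not something posted in this thread and not an Axigen tool: it summarises such a listing so you can see at a glance which envelope senders are not domains you serve (the injected ones) and how many entries have already bounced. The sample listing and the served domain "example.local" are constructed for the example; feed it the real queue dump and your real domains.

```shell
#!/bin/sh
# Added example (not from the thread): summarise an Axigen-style queue
# listing in the key/value format quoted above. Sample data is constructed.

QUEUE_SAMPLE='receiveDate Mon, 28 Feb 2011 07:09:33 GMT
retryCount 3
returnPath www@xj121.com
size 1741
status SEND FAILURE

receiveDate Mon, 28 Feb 2011 07:10:01 GMT
retryCount 0
returnPath alice@example.local
size 2200
status WAITING

receiveDate Mon, 28 Feb 2011 07:11:12 GMT
retryCount 5
returnPath www@xj121.com
size 1688
status SEND FAILURE
'

# Usage: summarize_queue "served-domain[,served-domain]" < listing
# Prints "count returnPath" for every returnPath whose domain is NOT one
# you serve, most frequent first. Anything listed here was injected by
# somebody else (a compromised account, a bot, or a relay abuser).
summarize_queue() {
    served="$1"
    awk -v served="$served" '
        BEGIN { n = split(served, d, ","); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        $1 == "returnPath" {
            split($2, p, "@")
            if (!(p[2] in ok)) cnt[$2]++
        }
        END { for (k in cnt) printf "%d %s\n", cnt[k], k }
    ' | sort -rn
}

# Usage: count_failures < listing
# Number of entries already in "SEND FAILURE", i.e. bounces coming back.
count_failures() {
    awk '$1 == "status" && $2 == "SEND" && $3 == "FAILURE" { n++ } END { print n + 0 }'
}

printf '%s' "$QUEUE_SAMPLE" | summarize_queue "example.local"
printf '%s' "$QUEUE_SAMPLE" | count_failures
```

Run it again after clearing the queue (for example from cron every few minutes) and any non-zero output from summarize_queue tells you the injection has started again, well before the router graph does.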
Hi bathory, if it is just a matter of locating the weak password, we can change all the email passwords,
because this is an internal server with not many email addresses.
That is easy to fix. My concern was that they have managed to install some script on the server itself, which is harder to fix since my Linux admin knowledge is limited.
I will monitor the logs and see if the email blast starts again tomorrow.
You said that this server runs only mail and DNS; that's why I told you it could be a weak mail user password. Of course it could be that someone gained access to your box through SSH or other means (given it's running an aged and obsolete distro) and installed some sort of spam bot.
Why monitor the logs and wait for it to happen again, rather than look at the existing logs to see who started spamming and from what IP? I guess your server is already blacklisted by Yahoo and other mail providers, and if it happens again it will be difficult to get it whitelisted.
And once again, you should consider upgrading the OS and the mail software.
For somebody to have accessed the machine and dropped some script requires 0) a web stack component or service that allows access, or an account, 1) possibly a weak password in the case of the latter, and 2) enough rights for the service or account to drop files and execute them. If you want to explore that avenue you should review system and daemon logs and user shell history, and verify the integrity and purpose of any file system contents.
That said, Axigen Mail Server 1.1.1 was released in 2006 (!) and this and subsequent versions may be or have been vulnerable (see the CVE list: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Gecad+AXIGEN+Mail+Server). Version 7.6.1 seems current. If there's no support available for free then indeed asking the vendor for help seems the logical way.
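As an added example of the "verify integrity and purpose of file system contents" step above (this is not code from the thread, and not a substitute for a proper rootkit check), the functions below do a first pass over the question the original poster actually raised, whether something was dropped on the box: list executables recently changed in the directories a mail daemon or an unprivileged account can write to, list setuid/setgid binaries for comparison against a known-good system, and take a sha256 baseline that can be re-verified tomorrow. The drop locations, the two-day window and the baseline path are assumptions; adjust them for the real host, and keep the baseline somewhere the attacker cannot edit.

```shell
#!/bin/sh
# Added example, not from the thread: first-pass host triage for a mail
# server suspected of running a dropped spam script. All paths below are
# assumptions; run as root on the real host.

# Print executables under DIR changed within DAYS days (default 2).
# /tmp, /var/tmp, /dev/shm and the mail spool are the usual drop spots,
# because a compromised daemon or mail account can write there.
recent_execs() {
    dir="$1"; days="${2:-2}"
    find "$dir" -xdev -type f -perm -100 -mtime -"$days" 2>/dev/null
}

# Print setuid/setgid files under DIR. Diff the list against a clean
# install of the same distro; an unexpected entry is a privilege backdoor.
suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Write a sha256 baseline of every regular file under DIR to OUT.
# Take it once (ideally from a known-clean state) and store OUT offline.
make_baseline() {
    find "$1" -xdev -type f -exec sha256sum {} + > "$2"
}

# Return 0 if every file in BASELINE still matches, non-zero if anything
# changed or disappeared.
verify_baseline() {
    sha256sum -c --quiet "$1" >/dev/null 2>&1
}

# Typical run (assumed locations):
#   for d in /tmp /var/tmp /dev/shm /var/spool; do recent_execs "$d"; done
#   suid_files /
#   make_baseline /usr/sbin /root/baseline.sha256
#   verify_baseline /root/baseline.sha256 || echo "baseline CHANGED"
```

A clean result here does not prove the host is clean (a kernel-level rootkit hides from find and sha256sum alike), which is why the advice in the thread to look at who authenticated and from where, and then to upgrade, still stands; but a hit here is conclusive enough to stop trusting the box.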