LinuxQuestions.org
Old 12-24-2006, 04:40 PM   #16
btmiller

You might also look at the results of netstat -tpan and look for incoming and outgoing connections on port 25 (the SMTP port). The -p argument to netstat will tell you which process is responsible for the connection. Note, if your server has been root compromised, netstat may not give accurate results, but it's still useful just to have a look and see what you can find.

Also, a high connection rate should be chewing a fair amount of CPU -- does top show anything out of the ordinary?
 
Old 12-24-2006, 04:48 PM   #17
Zeno McDohl
Original Poster
About 20% of the ports on netstat -tpan would be port 25. Is that a lot? I would expect mail and port 80 to be the highest, which they are.

There is nothing on top that uses a higher than normal amount of CPU; the normal ones there are mysql, httpd, etc. Although I did see "spamd" a few times.
 
Old 12-24-2006, 05:00 PM   #18
btmiller
How many total outgoing port 25 connections do you have? If this machine isn't expected to be handling a lot of mail traffic then yes, that might be a lot. It's hard to say though because no one here knows the normal mail load for the box (this is why it's important to monitor this sort of thing before there are any problems so there's a baseline to compare against).

Did you see what processes were putting out the port 25 connections? If you have had a Web application exploited it's entirely possible that an httpd process could be doing it. This is becoming increasingly common. You need to check these things and look for processes that are doing things they're not supposed to be.

And yes, definitely do ask for the mail with full headers from the site making the complaint.
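
The check discussed in the replies above (which processes own the port 25 connections in `netstat -tpan`, and in which direction) can be scripted. This is an added example, not part of the original posts: the netstat sample is constructed, and the `EXPECTED_MTA` set and all function names are assumptions for illustration.

```python
from collections import Counter

# Constructed sample of `netstat -tpan` output (documentation IPs, made-up PIDs).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address      State       PID/Program name
tcp        0      0 0.0.0.0:25         0.0.0.0:*            LISTEN      1234/exim
tcp        0      0 192.0.2.10:45678   198.51.100.7:25      ESTABLISHED 2211/exim
tcp        0      0 192.0.2.10:45680   203.0.113.9:25       ESTABLISHED 3150/httpd
tcp        0      0 192.0.2.10:25      198.51.100.20:51234  ESTABLISHED 2290/exim
tcp        0      0 192.0.2.10:45700   203.0.113.50:25      TIME_WAIT   -
tcp        0      0 192.0.2.10:80      198.51.100.33:40000  ESTABLISHED 3151/httpd
"""

# Assumption: the only program expected to open outbound SMTP on this box.
EXPECTED_MTA = {"exim"}

def parse(text):
    """Yield (local_port, foreign_port, state, program) per TCP line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue  # banner, column header, non-TCP
        # "-" means netstat could not attribute the socket to a process
        # (no owning process, e.g. TIME_WAIT, or netstat not run as root).
        prog = f[6].split("/", 1)[1] if "/" in f[6] else "-"
        yield f[3].rsplit(":", 1)[1], f[4].rsplit(":", 1)[1], f[5], prog

def smtp_summary(text):
    """Count port-25 connections per program: (outgoing, incoming)."""
    outgoing, incoming = Counter(), Counter()
    for lport, fport, state, prog in parse(text):
        if state == "LISTEN":
            continue  # a listener is not a connection
        if fport == "25":
            outgoing[prog] += 1   # this host connected to a remote mail server
        elif lport == "25":
            incoming[prog] += 1   # a remote host connected to the local MTA
    return outgoing, incoming

def unexpected_senders(outgoing):
    """Named programs making outbound SMTP that are not the expected MTA."""
    return sorted(p for p in outgoing if p != "-" and p not in EXPECTED_MTA)

if __name__ == "__main__":
    out, inc = smtp_summary(SAMPLE)
    print("outgoing:", dict(out), "incoming:", dict(inc))
    print("unexpected:", unexpected_senders(out), "unattributed:", out["-"])
```

On a live box the same functions can be fed the real output, captured as root so the PID/Program column is populated.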
 
Old 12-24-2006, 05:30 PM   #19
Zeno McDohl
Original Poster
I see 13 using port 25. They're all either exim or just blank (a dash).

And yeah, I already asked for the emails w/ full headers before.
 
  

