LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Old 08-25-2007, 06:59 AM   #1
BlackBone
LQ Newbie
 
Registered: Aug 2007
Posts: 11

Rep: Reputation: 0
Newbie system admin needs help!


Hi all, last week our system admin left with 24 hours' notice, then my boss asked me to take over. He gives me 1 month; if I can't handle it he will find somebody else. I was from Helpdesk and have zero knowledge of Linux (Windows guy), but I am very keen for this post because I want to learn Linux.

A few days after he left we had a problem: our company emails are rejected by certain email servers, the reason given being that we are sending spam messages. Many staff started complaining. I think that our email server has been hacked and somebody put a spambot or something on it sending spam email nonstop, but I'm not sure how to check or verify this.

We are using Red Hat Fedora Core 2 for the email server and Exim email (qmail SMTP server). Any suggestion what I should do first? Any suggestion is very much appreciated!
 
Old 08-25-2007, 07:30 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,326
Blog Entries: 4

Rep: Reputation: 2840
Whew! Well then, what a career-opportunity for you! Congratulations... now get ready for a mind-blowing ride. (It will get better quickly.)

You have found the right place... we'll be happy to help.

A good place to start looking is in a directory probably called /var/log which is where most programs put their log-files. If someone's sending mail out of your system, you might see logs being created there. It is also possible that your predecessor did some vandalism before (s)he left.

The command ps -a | less will show you the processes that are running on your system: the output of ps is piped to a program (less) that lets you page through it with the PgDn and PgUp keys. Do you see anything with your predecessor's name on it?

How about top, which (when sorted by %CPU) shows you the active programs. A spambot will be quite busy.

If the spams are showing up at a particular time of day, then the person probably has a crontab ("cron" as in Chronos .. the god of Time) that's firing them off.

Start keeping a paper and pencil notebook: a three-ring binder works great. Write down your musings, your questions, your panic attacks ... whatever.

As I said, what has been suddenly thrust upon you is, on the one hand, a gut-wrenching surprise, but also a great "vote of confidence" in you. And you are by no means the first person to whom such a thing has happened. Hang on (for dear life)... you might come to enjoy the ride!
 
Old 08-25-2007, 08:57 AM   #4
BlackBone
LQ Newbie
 
Registered: Aug 2007
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks sundialsvcs! Yes, it's like a thrust and hopefully I can go through it well.
Still need your help, or anybody who is willing.. have a few more questions

1) With the ps -a | less command I get this:

PID TTY TIME CMD
4041 pts/0 00:00:00 su
4042 pts/0 00:00:00 bash
4160 pts/0 00:00:00 ps
4161 pts/0 00:00:00 less
(END)

so I think it should be clear, right?

2) Then with the top command I can see the below (capturing the first 4)

Tasks: 98 total, 1 running, 97 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.3% us, 0.8% sy, 0.0% ni, 96.8% id, 2.0% wa, 0.0% hi, 0.0% si
Mem: 514572k total, 209948k used, 304624k free, 44492k buffers
Swap: 2096472k total, 0k used, 2096472k free, 60548k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3020 qmails 16 0 2028 352 272 S 1.0 0.1 0:05.87 qmail-send
3031 qmaill 16 0 2236 328 264 S 0.7 0.1 0:04.40 multilog
4178 root 16 0 3736 904 728 R 0.7 0.2 0:00.04 top
2674 mysql 16 0 31240 5544 2144 S 0.3 1.1 0:00.23 mysqld

What concerns me is that qmail-send and multilog keep popping up every 10-20 seconds; does it mean the server keeps sending email out every 10-20 seconds?


3) About the system log, I checked in the /var/log folder and there are many files; any suggestion which one I should check? Below is what I can see

[root@mail log]# ls -a
. cups messages.2 rpmpkgs.3 squid
.. dmesg messages.3 rpmpkgs.4 up2date
acpid exim messages.4 samba up2date.1
boot.log gdm mysqld.log scrollkeeper.log up2date.2
boot.log.1 httpd mysqld.log.1 secure up2date.3
boot.log.2 lastlog mysqld.log.2 secure.1 up2date.4
boot.log.3 mail mysqld.log.3 secure.2 vbox
boot.log.4 maillog mysqld.log.4 secure.3 wtmp
clamav maillog.1 ppp secure.4 wtmp.1
cron maillog.2 prelink.log spooler xferlog
cron.1 maillog.3 qmail spooler.1 Xorg.0.log
cron.2 maillog.4 rpmpkgs spooler.2 Xorg.0.log.old
cron.3 messages rpmpkgs.1 spooler.3 yum.log
cron.4 messages.1 rpmpkgs.2 spooler.4

4) I don't quite understand what you mean by "then the person probably has a crontab ("cron" as in Chronos .. the god of Time) that's firing them off." Do you mean I should check for the cron files in the log folder?

5) I checked in sshd_conf and there are two users allowed to connect via ssh => ess and sz. Is it OK if I remove them, or are these 2 users actually a program required to run the mail?


Appreciate your feedback! Or anybody's!
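Added example, not part of any post in this thread: two things in the post above are worth pinning down before digging further. First, ps -a only lists processes that have a controlling terminal, which is why the listing shows nothing but the poster's own su/bash/ps/less; ps aux (or ps -ef) shows every process including daemons. Second, qmail-send and multilog are the queue daemon and its logger, so they are always resident and appearing in top only says they are doing work; what they are delivering is recorded in the log multilog writes, on a Red Hat style qmail install normally a file named current under /var/log/qmail (the ls output shows that directory, alongside maillog and an exim directory, which use different formats). The script below summarises a qmail-send log to answer the questions a defender actually cares about: which local uid and envelope sender injected the mail, which domains it went to, and how many deliveries bounced. The log lines are constructed sample data in the real multilog/qmail-send format; the uid for apache (48 on Fedora) is a stated assumption about what an abused web application would look like.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a qmail-send log (multilog
# format, commonly /var/log/qmail/current) by injecting uid, sender, target
# domain and delivery outcome. The log below is constructed sample data.
# Exim's /var/log/exim/main.log uses a different format; these patterns apply
# only to qmail-send output.

SAMPLE_LOG="${TMPDIR:-/tmp}/qmail-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
@4000000046d0a0f51d5e4c4c new msg 131073
@4000000046d0a0f51d5f1a3c info msg 131073: bytes 1234 from <alice@example.com> qp 4231 uid 1001
@4000000046d0a0f51d60a184 starting delivery 1: msg 131073 to remote bob@example.org
@4000000046d0a0f5229a5b24 delivery 1: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok/
@4000000046d0a0f5229b2b1c end msg 131073
@4000000046d0a0f91d5e4c4c new msg 131074
@4000000046d0a0f91d5f1a3c info msg 131074: bytes 987 from <sales@example.com> qp 4250 uid 48
@4000000046d0a0f91d60a184 starting delivery 2: msg 131074 to remote user1@example.net
@4000000046d0a0f91d60a185 starting delivery 3: msg 131074 to remote user2@example.net
@4000000046d0a0f91d60a186 starting delivery 4: msg 131074 to remote user3@example.org
@4000000046d0a0f9229a5b24 delivery 2: failure: 192.0.2.20_does_not_like_recipient./Remote_host_said:_550_User_unknown/
@4000000046d0a0f9229a5b25 delivery 3: deferral: Connected_to_192.0.2.20_but_greeting_failed./
@4000000046d0a0f9229a5b26 delivery 4: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok/
@4000000046d0a0f9229b2b1c end msg 131074
@4000000046d0a0fa1d5e4c4c new msg 131075
@4000000046d0a0fa1d5f1a3c info msg 131075: bytes 1001 from <sales@example.com> qp 4251 uid 48
@4000000046d0a0fa1d60a184 starting delivery 5: msg 131075 to remote user4@example.net
@4000000046d0a0fa229a5b24 delivery 5: failure: 192.0.2.20_does_not_like_recipient./Remote_host_said:_550_User_unknown/
@4000000046d0a0fa229b2b1c end msg 131075
@4000000046d0a0fb1d5e4c4c new msg 131076
@4000000046d0a0fb1d5f1a3c info msg 131076: bytes 1020 from <sales@example.com> qp 4252 uid 48
@4000000046d0a0fb1d60a184 starting delivery 6: msg 131076 to remote user5@example.net
@4000000046d0a0fb229a5b24 delivery 6: failure: 192.0.2.20_does_not_like_recipient./Remote_host_said:_550_User_unknown/
@4000000046d0a0fb229b2b1c end msg 131076
EOF

# Messages accepted into the queue, counted per injecting uid and envelope
# sender. One "info msg" line is logged per message. A web server's uid
# (apache is uid 48 on Fedora; an assumption for the sample) or a single
# user account producing most of the mail is the usual sign of abuse.
senders_by_uid() {
    awk '/ info msg /{ n[$NF " " $(NF-4)]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Remote delivery attempts grouped by recipient domain.
remote_recipients_by_domain() {
    awk '/ starting delivery / && $8 == "remote" { split($NF, p, "@"); d[p[2]]++ }
         END { for (k in d) print d[k], k }' "$1" | sort -rn
}

# Outcome of every delivery attempt. A queue that is mostly failures and
# deferrals is hammering addresses that do not exist, which is what gets a
# host blocklisted.
delivery_outcomes() {
    awk '/^@[0-9a-f]* delivery [0-9]*: / { o = $4; sub(/:$/, "", o); c[o]++ }
         END { for (k in c) print c[k], k }' "$1" | sort -rn
}

echo "== messages per uid and sender =="; senders_by_uid "$SAMPLE_LOG"
echo "== remote recipients per domain =="; remote_recipients_by_domain "$SAMPLE_LOG"
echo "== delivery outcomes =="; delivery_outcomes "$SAMPLE_LOG"
```

On the sample, the uid 48 sender accounts for three of the four messages and all the failures, which is the pattern to look for in the real log: a single injecting uid, many recipients per message, and a high bounce rate. Pointing the functions at the live file (for example senders_by_uid /var/log/qmail/current) needs no changes.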
 
Old 08-27-2007, 01:25 AM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,374

Rep: Reputation: 2383
Have a look here for cron files by username: /var/spool/cron
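Added example, not part of any post in this thread: the cron question from posts #2 and #5 is answered by enumerating every scheduled job, not by reading the cron log. On a Red Hat style system each user's crontab is a single file named after the user under /var/spool/cron, while system jobs sit in /etc/crontab and /etc/cron.d (those lines carry an extra user field). The script below lists all of them with their owner and then pulls out entries whose command lives in a temp directory, since a legitimate job is rarely kept there. Every function takes a root directory as its argument so the same code can be run against "/" on a real box; the tree built here, including the user names and the commands in it, is constructed demo data.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate active cron entries so a
# scheduled mail run stands out. Per-user crontabs: one file per user under
# var/spool/cron. System crontabs: etc/crontab and etc/cron.d/*, where
# field 6 is the user. The directory tree below is constructed demo data.

DEMO_ROOT="${TMPDIR:-/tmp}/cron-demo.$$"
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/var/spool/cron" "$DEMO_ROOT/etc/cron.d"

cat > "$DEMO_ROOT/var/spool/cron/root" <<'EOF'
# nightly backup
0 2 * * * /usr/local/bin/backup.sh
EOF
cat > "$DEMO_ROOT/var/spool/cron/user1" <<'EOF'
*/10 * * * * /var/tmp/mailer.pl >/dev/null 2>&1
EOF
cat > "$DEMO_ROOT/etc/crontab" <<'EOF'
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# run-parts
01 * * * * root run-parts /etc/cron.hourly
EOF
cat > "$DEMO_ROOT/etc/cron.d/sysstat" <<'EOF'
*/10 * * * * root /usr/lib/sa/sa1 1 1
EOF

# Per-user crontabs: every non-blank, non-comment line, prefixed with the
# owning user (the file name) and a tab.
user_cron_entries() {
    for f in "$1"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        awk -v u="$(basename "$f")" \
            '!/^[[:space:]]*(#|$)/ { print u "\t" $0 }' "$f"
    done
}

# System crontabs: skip comments, blanks and VAR=value lines; the user is
# field 6 of each job line.
system_cron_entries() {
    for f in "$1"/etc/crontab "$1"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        awk '!/^[[:space:]]*(#|$)/ &&
             !/^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { print $6 "\t" $0 }' "$f"
    done
}

all_cron_entries() {
    user_cron_entries "$1"
    system_cron_entries "$1"
}

# Jobs whose command is stored in /tmp, /var/tmp or /dev/shm: look at these
# first, since a legitimate scheduled job is rarely kept in a scratch area.
suspicious_cron_entries() {
    all_cron_entries "$1" | grep -E '(^|[[:space:]])/(tmp|var/tmp|dev/shm)/'
}

echo "== all entries (user, tab, line) =="; all_cron_entries "$DEMO_ROOT"
echo "== entries running out of temp directories =="; suspicious_cron_entries "$DEMO_ROOT"
```

Run against the live system as all_cron_entries / (as root, since /var/spool/cron is not world-readable); the crontab -l -u USER command shows the same per-user data one user at a time.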
 