log of my mail server

mrlinux2000 · 10-22-2008, 02:30 PM

hello !
what is this , isaw this in my log /var/log/maillog am using sendmail

5, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IGWZfX029802: to=postmaster, delay=3+22:00:04, xdelay=00:00:00, mailer=relay, pri=8537434, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IGWZfY029802: to=postmaster, delay=3+22:00:04, xdelay=00:00:00, mailer=relay, pri=8539192, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfT029214: to=postmaster, delay=4+01:00:04, xdelay=00:00:00, mailer=relay, pri=8777721, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfU029214: to=postmaster, delay=4+01:00:04, xdelay=00:00:00, mailer=relay, pri=8785358, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfV029214: to=postmaster, delay=4+01:00:04, xdelay=00:00:00, mailer=relay, pri=8788043, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfW029214: to=postmaster, delay=4+01:00:04, xdelay=00:00:00, mailer=relay, pri=8797188, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfX029214: to=postmaster, delay=4+01:00:04, xdelay=00:00:00, mailer=relay, pri=8801162, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfY029214: to=postmaster, delay=4+01:00:04, xdelay=00:00:00, mailer=relay, pri=8819758, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfZ029214: to=postmaster, delay=4+01:00:04, xdelay=00:00:00, mailer=relay, pri=8831430, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfa029214: to=postmaster, delay=4+01:00:04, xdelay=00:00:00, mailer=relay, pri=8832773, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfb029214: to=postmaster, delay=4+01:00:03, xdelay=00:00:00, mailer=relay, pri=8834492, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfc029214: to=postmaster, delay=4+01:00:03, xdelay=00:00:00, mailer=relay, pri=8835682, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfd029214: to=postmaster, delay=4+01:00:03, xdelay=00:00:00, mailer=relay, pri=8838232, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfe029214: to=postmaster, delay=4+01:00:03, xdelay=00:00:00, mailer=relay, pri=8839040, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZff029214: to=postmaster, delay=4+01:00:03, xdelay=00:00:00, mailer=relay, pri=8842134, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfg029214: to=postmaster, delay=4+01:00:03, xdelay=00:00:00, mailer=relay, pri=8843496, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IDWZfh029214: to=postmaster, delay=4+01:00:03, xdelay=00:00:00, mailer=relay, pri=8844603, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IBWZfT028822: to=postmaster, delay=4+03:00:05, xdelay=00:00:00, mailer=relay, pri=8976841, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IBWZfU028822: to=postmaster, delay=4+03:00:05, xdelay=00:00:00, mailer=relay, pri=8987483, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IBWZfV028822: to=postmaster, delay=4+03:00:05, xdelay=00:00:00, mailer=relay, pri=8988248, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IBWZfW028822: to=postmaster, delay=4+03:00:05, xdelay=00:00:00, mailer=relay, pri=8988358, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IBWZfX028822: to=postmaster, delay=4+03:00:05, xdelay=00:00:00, mailer=relay, pri=8989533, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IAWZfT028623: to=postmaster, delay=4+04:00:04, xdelay=00:00:00, mailer=relay, pri=9037398, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IAWZfU028623: to=postmaster, delay=4+04:00:04, xdelay=00:00:00, mailer=relay, pri=9043174, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IAWZfV028623: to=postmaster, delay=4+04:00:04, xdelay=00:00:00, mailer=relay, pri=9045448, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

Oct 22 14:32:45 mail sm-msp-queue[13050]: m9IAWZfY028623: to=postmaster, delay=4+04:00:04, xdelay=00:00:00, mailer=relay,

mrlinux2000 · 10-22-2008, 02:43 PM

also when i type

netstat -an | grep :

0.0.0.0:* LISTEN
tcp 0 0 65.54.186.79:443 TIME_WAIT
tcp 0 41.203.232.107:12999 ESTABLISHED
tcp 0 65.54.186.107:443 TIME_WAIT
tcp 0 80.236.94.250:43305 ESTABLISHED
tcp 58255 192.168.1.28:3488 ESTABLISHED
tcp 0 82.224.218.169:12625 ESTABLISHED
tcp 0 1 89.224.163.233:31225 SYN_SENT
tcp 0 65.55.197.254:80 ESTABLISHED
tcp 0 65.55.197.254:80 ESTABLISHED
tcp 0 65.55.197.254:80 ESTABLISHED
tcp 0 65.55.197.254:80 ESTABLISHED
tcp 0 0 65.55.197.254:80 ESTABLISHED
tcp 0 1 82.208.156.187:25292 SYN_SENT

mrlinux2000 · 10-22-2008, 02:43 PM

of course i deleted the first column that contain the ip address
please help please

mrlinux2000 · 10-22-2008, 02:53 PM

tcp 0 0 192.168.1.12:8080 192.168.1.28:2540 ESTABLISHED

mrlinux2000 · 10-22-2008, 02:58 PM

TCPDUMP give this

1:02:01.842035 IP 64.128.118.83.smtp > 192.168.1.203.1222: F 193:193(0) ack 1 win 5840
21:02:01.842171 IP 192.168.1.203.1222 > 64.128.118.83.smtp: . ack 194 win 65189
21:02:01.851050 IP 192.168.1.203.1222 > 64.128.118.83.smtp: F 1:1(0) ack 194 win 65189
21:02:02.001667 IP 192.168.1.203.1289 > 63.97.155.67.smtp: P 1:29(28) ack 77 win 65459
21:02:02.106205 IP 208.80.200.217.smtp > 192.168.1.203.1277: . ack 1493 win 7270
21:02:02.407813 IP 192.168.1.203.1295 > 216.32.180.22.smtp: S 2191296816:2191296816(0) win 65535 <mss 1460,nop,nop,sackOK>
21:02:02.486362 IP 64.18.7.14.smtp > 192.168.1.203.1204: . ack 8 win 5840
21:02:02.575569 IP 208.80.200.217.smtp > 192.168.1.203.1277: P 30:38(8) ack 1493 win 7270
21:02:02.615702 IP 208.71.198.40.smtp > 192.168.1.203.1220: . ack 112 win 5840
21:02:02.620866 IP 208.71.198.40.smtp > 192.168.1.203.1220: P 214:268(54) ack 112 win 5840
21:02:02.709543 IP 192.168.1.203.1277 > 208.80.200.217.smtp: . ack 38 win 65389
21:02:02.810122 IP 192.168.1.203.1220 > 208.71.198.40.smtp: . ack 268 win 65224

billymayday · 10-22-2008, 03:13 PM

Correct me if I'm wrong, but is anything listening on port 25?

mrlinux2000 · 10-22-2008, 03:16 PM

this tcpdump -n port 25

nothing listing on port 25

billymayday · 10-22-2008, 03:33 PM

So isn't sendmail trying to connect to localhost 25 in the logs you posted?

mrlinux2000 · 10-22-2008, 03:42 PM

when i start that command of tcpdump on port 25 i found that addres ip 192.168.1.203 using port 25 and no one on that PC , when i remove it from network it stop traffic on the port 25, so i think it is a pam virus infect that pc and then being using my server and that black listed my ip ?
is that correct

billymayday · 10-22-2008, 08:55 PM

The connection attempt is from 127.0.0.1 (ie localhost) according to the log

mdKhan_17 · 10-29-2008, 03:03 AM

Quote:

Originally Posted by mrlinux2000

when i start that command of tcpdump on port 25 i found that addres ip 192.168.1.203 using port 25 and no one on that PC , when i remove it from network it stop traffic on the port 25, so i think it is a pam virus infect that pc and then being using my server and that black listed my ip ?
is that correct

if you are using your server with real ip than check the mail server hosting in /etc/hosts it will be like this :

#127.0.0.1 xyz.com www localhost.localdomain localhost

and also check in your mail server parking page is that all ok or not.

from,
Tiger Khan.

mrlinux2000 · 11-12-2008, 06:06 AM

it is all ok,
thank you all guys , thread is closed

unixfool · 11-12-2008, 08:58 AM

So, what happened? I'd be nice to see an explanation of what happened after all that dialog (instead of just saying the thread is closed and that everything is OK).