Check mail server logs?
I have full root access to a linux server and I need to check the mail logs, but I have no idea how. Here is what I was told of why the server is having issues (what I need to check):
Quote:
|
Find the mail logs! The exact location will depend on which mail program you use. On my server, which uses qmail, they're under /var/log/qmail.
|
Hmm, well there's no qmail dir so we must not use qmail. How would I check what the server uses?
|
Try running 'ps aux' and see if you can spot any mail related processes in there. That might give some clues.
|
Looks like it's exim.
Looking over this: http://www.exim.org/exim-html-3.20/d...l/spec_51.html But it doesn't seem to tell me where the logs may be. |
Anyone? I don't see anywhere in the config file that says where the logs are.
|
If your server is used to send 6 emails per second to just one other domain then your server is hijacked with 99.99% certainty and used for spamming. Keeping this server online is a crime. Disconnect your server from the internet ASAP and address the issue.
|
Erm, I don't know how to address the issue nor find out if that's actually the case.
|
Sorry but you do not have my sympathy. If you do not know how to drive a car you cannot go to a public highway but you can still drive in your backyard. If you do not know how to manage a server keep it running for yourself and do not connect it to the internet where it poses public danger. Period.
|
And who says I'm the one who runs this server? I'm trying to help narrow down what this mail is.
Thanks for the help. |
First - whoever runs this server has to understand his/her responsibilities.
Second - if your server is hijacked then the attacker is probably using his own SMTP service which does not leave any logs. |
The company pays for the host and the server is located in FL (we are in NY), run by a local tech team. We are a web host company. Whose responsibility is it? I don't have permission to take the server offline.
Right, IF the server. I don't know if it is yet. |
Check /var/log, all logs are in there. I had an Exim server once but I do not remember exact filenames any more. You also may want to check if there is a rootkit installed. http://www.chkrootkit.org/
|
Quote:
In the mainlog, I don't see any logs that are a lot (like 6 a second)... Yes, chkrootkit is installed. I don't see any problems, everything was "nothing found" or "not infected". |
Ask those people who complained to send you some of these 6-per-second mails with full headers. BTW, chkrootkit is helpful but it won't find all threats. Check if there is still high traffic on port 25.
|
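Added example (not code from this thread): a Python scan of exim mainlog lines that flags any second in which deliveries to a single destination domain reach the 6-per-second rate discussed above, and ties each burst back to the "<=" arrival lines so the injecting user or host can be traced. The log excerpt is constructed; the real file is normally under /var/log (for example /var/log/exim/mainlog or /var/log/exim4/mainlog, path assumed, check your distribution).

```python
import re
from collections import defaultdict

# Constructed exim mainlog excerpt (not from the thread). "<=" = message received
# by exim (with the injecting host/user), "=>" = a completed delivery attempt.
SAMPLE_MAINLOG = """\
2024-05-01 10:00:00 1s0aaa-0001A0-Xy <= bob@example.org H=(laptop) [203.0.113.7] P=esmtpa A=login:bob S=1203
2024-05-01 10:00:01 1s0aaa-0001A0-Xy => alice@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.3]
2024-05-01 10:00:02 1s0bbb-0001B1-Ab <= www-data@localhost U=www-data P=local S=802
2024-05-01 10:00:02 1s0bbb-0001B1-Ab => u1@victim.example R=dnslookup T=remote_smtp H=mx.victim.example [192.0.2.10]
2024-05-01 10:00:02 1s0bbb-0001B1-Ab => u2@victim.example R=dnslookup T=remote_smtp H=mx.victim.example [192.0.2.10]
2024-05-01 10:00:02 1s0bbb-0001B1-Ab => u3@victim.example R=dnslookup T=remote_smtp H=mx.victim.example [192.0.2.10]
2024-05-01 10:00:02 1s0ccc-0001C2-Cd <= www-data@localhost U=www-data P=local S=811
2024-05-01 10:00:02 1s0ccc-0001C2-Cd => u4@victim.example R=dnslookup T=remote_smtp H=mx.victim.example [192.0.2.10]
2024-05-01 10:00:02 1s0ccc-0001C2-Cd => u5@victim.example R=dnslookup T=remote_smtp H=mx.victim.example [192.0.2.10]
2024-05-01 10:00:02 1s0ccc-0001C2-Cd => u6@victim.example R=dnslookup T=remote_smtp H=mx.victim.example [192.0.2.10]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) (?P<op><=|=>) (?P<rest>.*)$")
ADDR_RE = re.compile(r"<?([^\s<>]+@[^\s<>]+)>?")  # first address, bare or in <...>

def parse_mainlog(log_text):
    """Return (deliveries, injections): deliveries is a list of (ts, msg_id, recipient_domain)
    for '=>' lines; injections maps msg_id -> the rest of its '<=' line (who handed it in)."""
    deliveries, injections = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Completed", "==" deferrals and other record types are not needed here
        if m.group("op") == "<=":
            injections[m.group("id")] = m.group("rest")
            continue
        addr = ADDR_RE.search(m.group("rest"))
        if addr:
            domain = addr.group(1).rsplit("@", 1)[1].lower()
            deliveries.append((m.group("ts"), m.group("id"), domain))
    return deliveries, injections

def find_bursts(log_text, per_second=6):
    """Seconds in which deliveries to one destination domain reach the threshold, each with
    the '<=' records of the messages involved (injecting user/host, protocol, auth)."""
    deliveries, injections = parse_mainlog(log_text)
    by_key = defaultdict(list)
    for ts, msg_id, domain in deliveries:
        by_key[(ts, domain)].append(msg_id)
    return {key: {"count": len(ids), "sources": sorted({injections.get(i, "?") for i in ids})}
            for key, ids in by_key.items() if len(ids) >= per_second}
```

Run it over the real mainlog (`find_bursts(open(path).read())`); a burst whose sources all show `U=www-data P=local` points at a web application on the box injecting the mail rather than an external relay.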