LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 12-23-2006, 05:49 PM   #1
Zeno McDohl
Member
 
Registered: Apr 2005
Location: Saratoga, NY
Distribution: Slackware
Posts: 317

Rep: Reputation: 30
Check mail server logs?


I have full root access to a linux server and I need to check the mail logs, but I have no idea how. Here is what I was told of why the server is having issues (what I need to check):

Quote:
It appears that our mail servers are currently blocking your server because of the large number of messages you are sending to them. I checked the log and I am showing that there are currently sending around 6 emails per second to this
I need to find what those emails are (the content of the email etc). Any suggestions?
 
Old 12-23-2006, 05:55 PM   #2
Gethyn
Member
 
Registered: Aug 2003
Location: UK
Distribution: (X)Ubuntu 10.04/10.10, Debian 5, CentOS 5
Posts: 900

Rep: Reputation: 32
Find the mail logs! The exact location will depend on which mail program you use. On my server, which uses qmail, they're under /var/log/qmail.
 
Old 12-23-2006, 05:58 PM   #3
Zeno McDohl
Member
 
Registered: Apr 2005
Location: Saratoga, NY
Distribution: Slackware
Posts: 317

Original Poster
Rep: Reputation: 30
Hmm, well there's no qmail dir so we must not use qmail. How would I check what the server uses?
 
Old 12-23-2006, 06:19 PM   #4
Gethyn
Member
 
Registered: Aug 2003
Location: UK
Distribution: (X)Ubuntu 10.04/10.10, Debian 5, CentOS 5
Posts: 900

Rep: Reputation: 32
Try running 'ps aux' and see if you can spot any mail related processes in there. That might give some clues.
 
Old 12-23-2006, 06:58 PM   #5
Zeno McDohl
Member
 
Registered: Apr 2005
Location: Saratoga, NY
Distribution: Slackware
Posts: 317

Original Poster
Rep: Reputation: 30
Looks like it's exim.
Looking over this: http://www.exim.org/exim-html-3.20/d...l/spec_51.html

But it doesn't seem to tell me where the logs may be.

Last edited by Zeno McDohl; 12-23-2006 at 07:04 PM.
 
Old 12-24-2006, 01:49 PM   #6
Zeno McDohl
Member
 
Registered: Apr 2005
Location: Saratoga, NY
Distribution: Slackware
Posts: 317

Original Poster
Rep: Reputation: 30
Anyone? I don't see anywhere in the config file that says where the logs are.
 
Old 12-24-2006, 02:26 PM   #7
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,153

Rep: Reputation: Disabled
If your server is used to send 6 emails per second to just one another domain then your server is hijacked with 99.99% certainity and used for spamming. Keeping this server online is a crime. Disconnect your server from internet asap and address the issue.
 
Old 12-24-2006, 03:02 PM   #8
Zeno McDohl
Member
 
Registered: Apr 2005
Location: Saratoga, NY
Distribution: Slackware
Posts: 317

Original Poster
Rep: Reputation: 30
Erm, I don't know how to address the issue nor find out if that's actually the case.
 
Old 12-24-2006, 03:16 PM   #9
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,153

Rep: Reputation: Disabled
Sorry but you do not have my sympathy. If you do not know how to drive a car you cannot go to a public highway but you can still drive in your backyard. If you do not know how to manage a server keep it running for yourself and do not connect it to the internet where it poses public danger. Period.
 
Old 12-24-2006, 03:25 PM   #10
Zeno McDohl
Member
 
Registered: Apr 2005
Location: Saratoga, NY
Distribution: Slackware
Posts: 317

Original Poster
Rep: Reputation: 30
And who says I'm the one who runs this server? I'm trying to help narrow down what this mail is.

Thanks for the help.
 
Old 12-24-2006, 03:30 PM   #11
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,153

Rep: Reputation: Disabled
First - whoever runs this server has to understand his/her responsibilities.
Second - if your server is hijacked then the attacker is probably using his own SMTP service which does not leave any logs.
 
Old 12-24-2006, 03:35 PM   #12
Zeno McDohl
Member
 
Registered: Apr 2005
Location: Saratoga, NY
Distribution: Slackware
Posts: 317

Original Poster
Rep: Reputation: 30
The company pays for the host and the server is located in FL (we are in NY), run by a local tech team. We are a web host company. Whose responsibility is it? I don't have permission to take the server offline.

Right, IF the server. I don't know if it is yet.
 
Old 12-24-2006, 03:43 PM   #13
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,153

Rep: Reputation: Disabled
Check /var/log, all logs are in there. I had an Exim server once but I do not remember exact filenames any more. You also may want to check if there is a rootkit installed. http://www.chkrootkit.org/
 
Old 12-24-2006, 04:02 PM   #14
Zeno McDohl
Member
 
Registered: Apr 2005
Location: Saratoga, NY
Distribution: Slackware
Posts: 317

Original Poster
Rep: Reputation: 30
Quote:
./exim_rejectlog.1
./exim_rejectlog
./exim_mainlog.5.gz
./exim_mainlog.1
./exim_paniclog.5.gz
./exim_paniclog.1
./exim_rejectlog.5.gz
./exim_mainlog
./exim_paniclog
Those are what I found in /var/log.

In the mainlog, I don't see any logs that are a lot (like 6 a second)...

Yes, chkrootkit is installed. I don't see any problems, everything was "nothing found" or "not infected".

Last edited by Zeno McDohl; 12-24-2006 at 04:04 PM.
 
Old 12-24-2006, 04:16 PM   #15
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,153

Rep: Reputation: Disabled
Ask those people who complained to send you some of these 6-per-second mails with full headers. BTW, chkrootkit is helpful but it won't find all threats. Check if there is still high traffic on port 25.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Red hat mail server: security check list shekharswamy Linux - Security 1 06-08-2006 03:23 AM
Logs: What to check and where to find them? Swakoo Linux - General 2 01-12-2006 04:35 AM
what logs do I check? mehesque Linux - Newbie 1 02-12-2004 08:26 PM
Server Mail Logs soulwatcher1974 Linux - Security 1 12-09-2003 12:35 AM
Cannot check mail on my server from the outside. anorman Linux - Networking 2 08-29-2003 01:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 08:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration