LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-23-2007, 11:19 AM   #16
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,675


I was thinking you spotted the problem and reinstalled your server? You know of course there is no fix for a compromised server?
 
Old 04-23-2007, 11:32 AM   #17
SlackDaemon
Member
 
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Posts: 222

Quote:
Originally Posted by dablew
Here are the rules:
iptables -A FORWARD -p tcp --dport 25 -j DROP

Forgive me, but how would I check on the spam headers? And how would I know that my server is owned or hijacked?
If so, what are the remedies, if any?

Kindly help; it's taking even more time than I expected.
Hi,
I have been through the same ordeal you described. My clients kept on getting blacklisted on Spamhaus and/or spamcop.net for no apparent reason. However, the last rule you posted will solve your problem:

iptables -I FORWARD -m tcp -p tcp --dport 25 -j DROP

The problem is being caused by a botnet infection on your LAN. It's a Windows virus that comes packaged with a spam engine. It spends a couple of hours enumerating domains to attack by querying MX entries for domains, then all at once sends a massive amount of spam. That rule ensures that your LAN PCs cannot directly send mail through your gateway. What happens is the generated message gets NATed from the gateway.

Try typing iptables -vL and look at the byte counter for your FORWARD chain. I bet you'll see a number in the Ks or Ms.

You can find out which PCs are causing the problem with iptraf. Of course, that means you'll temporarily need to remove the DROP rule in the FORWARD chain. Any single private IP trying to send packets to port 25 of a number of different public IPs is a winner.

edit: Although I doubt it, you could check if your system has any backdoors installed with rkhunter.

Last edited by SlackDaemon; 04-23-2007 at 11:40 AM.
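A worked version of the hunt SlackDaemon describes above (one private IP opening SMTP connections to many different public IPs), added here as an example; it is not code from the thread. It assumes that a netfilter LOG rule is inserted in front of the existing DROP rule, so the gateway keeps blocking direct outbound SMTP while still recording every forwarded SYN to port 25 in the kernel log, which avoids having to pull the DROP rule to watch with iptraf. The log lines, the "SMTP-OUT:" prefix and the threshold of three distinct destinations are all constructed assumptions, in the standard netfilter LOG line format.

```python
"""Spot LAN hosts fanning out to many public SMTP servers (spam-bot hunt).

Example code added for this thread, not from the original posters. Assumed
setup (an assumption, not from the thread): a LOG rule in front of the
DROP rule already in the FORWARD chain, so the DROP still applies but every
blocked connection attempt is written to the kernel log first:

    iptables -I FORWARD -p tcp --syn --dport 25 -j LOG --log-prefix "SMTP-OUT: "
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample kernel log in netfilter LOG format (not captured from the
# original poster's gateway). 192.168.1.37 plays the infected PC delivering
# straight to many public MX hosts; 192.168.1.12 talks to one public smarthost;
# 192.168.1.20 talks only to an internal relay in a DMZ. The link-up line
# exercises the parser's handling of unrelated kernel messages.
SAMPLE_LOG = """\
Apr 23 11:40:01 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=64.12.138.120 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1045 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 23 11:40:01 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=65.54.188.110 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=1046 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 23 11:40:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=209.85.133.27 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=1047 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 23 11:40:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=64.12.138.120 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4 DF PROTO=TCP SPT=1048 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 23 11:40:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=66.94.237.64 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=5 DF PROTO=TCP SPT=1049 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 23 11:40:04 gw kernel: eth0: link up, 100Mbps, full-duplex
Apr 23 11:40:05 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=74.125.45.27 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40122 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 11:40:06 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=74.125.45.27 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40123 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 11:40:07 gw kernel: SMTP-OUT: IN=eth1 OUT=eth2 SRC=192.168.1.20 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=TCP SPT=40200 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Only the fields we need from a netfilter LOG line: source, destination,
# and the TCP destination port.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_smtp_syns(log_text):
    """Yield (src, dst) for every logged TCP connection attempt to port 25.

    Lines that are not netfilter LOG output (or not port 25) are skipped.
    """
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25":
            yield m.group("src"), m.group("dst")


def distinct_public_mx_per_host(log_text):
    """Map each private source IP to the set of distinct public IPs it tried
    to reach on port 25.

    Private destinations (an internal relay or smarthost) are ignored: a
    legitimate client is expected to hand mail to one of those, so counting
    them would only add noise.
    """
    targets = defaultdict(set)
    for src, dst in parse_smtp_syns(log_text):
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        if src_ip.is_private and not dst_ip.is_private:
            targets[src].add(dst)
    return targets


def spam_bot_suspects(log_text, threshold=3):
    """Return the sorted private IPs that fanned out to at least `threshold`
    distinct public SMTP servers.

    A normal mail client talks to a single smarthost; a spam engine that
    resolved MX records itself delivers to many unrelated MX hosts in a
    short window, which is exactly the fan-out pattern counted here.
    The threshold is an assumed tuning knob, not a value from the thread.
    """
    fanout = distinct_public_mx_per_host(log_text)
    return sorted(ip for ip, dsts in fanout.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    for host, dsts in sorted(distinct_public_mx_per_host(SAMPLE_LOG).items()):
        print(f"{host}: {len(dsts)} distinct public SMTP destinations")
    print("suspects:", spam_bot_suspects(SAMPLE_LOG))
```

On a real gateway, feed it the output of `dmesg` or the syslog file that receives kernel messages instead of SAMPLE_LOG; the fan-out count per source is the same signal SlackDaemon describes watching for in iptraf, but it keeps the DROP rule in place while you look.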
 
Old 05-01-2007, 08:20 AM   #18
dablew
Member
 
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43

Original Poster
Hi all ;-)

I finally came out of this mess.
I painfully decided to format all of the machines, backed up as much data as I could, but lost so many applications and some data.

For the few days since I did this, I am now clean in all those spam databases.

I just want to thank all who supported me with advice through this. Keep this spirit of sharing.
 
Old 05-01-2007, 09:22 AM   #19
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 425

Quote:
Originally Posted by dablew
Hi all ;-)
I painfully decided to format all of the machines, backed up as much data as I could, but lost so many applications and some data.
..
___________
Make sure before you reinstall the backups that you don't reinfect your systems. Run antivirus and also a few different rootkit detectors (no one detector is perfect) on your backed-up files first.
 
  

