I think my server is sending spam mail
I have a mail server, and I can see from the router that the network activity is more than usual.
After running netstat I see that it is making many SMTP connections all over the place. Below is only a small snippet. I have done the relay test, and my email server is not relaying. How can I determine if my system has been compromised, and what can I do to fix the problem?
==========================
tcp 0 0 192.168.0.70:43611 mail0.abel.net.uk:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58254 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58008 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58011 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58092 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:49326 mx1.earthlink.net:smtp ESTABLISHED
tcp 0 0 192.168.0.70:58059 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:34635 mx1.isp.kq.no:smtp TIME_WAIT
tcp 0 1 192.168.0.70:43053 hrndva-smtpin01.mail.r:smtp SYN_SENT
tcp 0 0 192.168.0.70:47896 ppagent2.ad.uab.edu:smtp TIME_WAIT
tcp 0 0 192.168.0.70:41655 ff-mx-vip3b.prodigy.ne:smtp TIME_WAIT
tcp 0 0 192.168.0.70:41605 ff-mx-vip3b.prodigy.ne:smtp TIME_WAIT
tcp 0 0 192.168.0.70:41655 ppagent1.ad.uab.edu:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44367 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44350 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44485 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:48841 mx.scarlet.be:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44264 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44657 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44667 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44597 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 1 38 192.168.0.70:50649 yokota-mail2.afnoc.af.:smtp CLOSING
tcp 0 0 192.168.0.70:59712 mx2.electric.net:smtp ESTABLISHED
======================================
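A small triage script for output like the snippet above, added here as an example (it is not code from the original post). It separates the server's own outbound SMTP sessions (remote port smtp/25, local port ephemeral) from inbound deliveries and listening sockets, then aggregates by destination host and TCP state, which is the quick way to tell "my MTA is delivering a few queued messages" from "my MTA is blasting hundreds of MXs". The sample rows are a subset of the poster's netstat output plus two constructed rows (a LISTEN socket and an inbound delivery) to show the filter; the thresholds in looks_like_spam_run are assumptions to tune for your own server.

```python
"""Aggregate outbound SMTP connections from `netstat -tn`-style output.

Added example, not code from the original post. The sample rows below are
taken from the poster's snippet (hostnames truncated exactly as netstat
printed them) plus two constructed rows, a listening socket and an inbound
delivery, which the filter must ignore.
"""
import re
from collections import Counter

NETSTAT_SAMPLE = """\
tcp 0 0 192.168.0.70:43611 mail0.abel.net.uk:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58254 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58008 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:49326 mx1.earthlink.net:smtp ESTABLISHED
tcp 0 0 192.168.0.70:34635 mx1.isp.kq.no:smtp TIME_WAIT
tcp 0 1 192.168.0.70:43053 hrndva-smtpin01.mail.r:smtp SYN_SENT
tcp 0 0 192.168.0.70:44367 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44350 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 1 38 192.168.0.70:50649 yokota-mail2.afnoc.af.:smtp CLOSING
tcp 0 0 192.168.0.70:59712 mx2.electric.net:smtp ESTABLISHED
tcp 0 0 0.0.0.0:smtp 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.70:smtp 203.0.113.5:51234 ESTABLISHED
"""

# proto recv-q send-q local:port remote:port state   (header lines do not match)
ROW_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)$")
# Both service names (netstat without -n) and numbers (netstat -n) are accepted.
SMTP_PORTS = {"smtp", "25", "submission", "587", "smtps", "465"}


def parse_rows(text):
    """Yield (local_host, local_port, remote_host, remote_port, state)."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groups()


def outbound_smtp_summary(text):
    """Count sessions where this host is the SMTP client: remote port is an
    SMTP port and the local port is not. Inbound deliveries (local :smtp)
    and LISTEN rows are skipped."""
    by_host, by_state = Counter(), Counter()
    for _lhost, lport, rhost, rport, state in parse_rows(text):
        if rport not in SMTP_PORTS or lport in SMTP_PORTS:
            continue
        by_host[rhost] += 1
        by_state[state] += 1
    return {
        "total": sum(by_host.values()),
        "distinct_hosts": len(by_host),
        "by_host": by_host,
        "by_state": by_state,
    }


def looks_like_spam_run(summary, min_total=50, min_hosts=20):
    """Heuristic; the thresholds are assumptions. A small office MTA rarely
    has dozens of concurrent outbound sessions spread over many distinct
    destination MXs at once; a spam run does."""
    return summary["total"] >= min_total and summary["distinct_hosts"] >= min_hosts


if __name__ == "__main__":
    import subprocess
    import sys

    if "--live" in sys.argv:
        text = subprocess.run(["netstat", "-tn"], capture_output=True, text=True).stdout
    else:
        text = NETSTAT_SAMPLE
    s = outbound_smtp_summary(text)
    print(f"outbound SMTP sessions: {s['total']} to {s['distinct_hosts']} distinct hosts")
    for host, n in s["by_host"].most_common(10):
        print(f"  {n:4d}  {host}")
    print("states:", dict(s["by_state"]))
    print("looks like a spam run:", looks_like_spam_run(s))
```

Run it with `--live` on the box to use real `netstat -tn` output (numeric addresses avoid the truncated hostnames seen above); a TIME_WAIT pile-up against many different MXs is the signature of a bulk sender, since legitimate delivery from a small server rarely opens that many destinations at once.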
Hi,
Better check the mail logs (usually /var/log/maillog) and see what's happening. Regards
+1 on checking the logs. The netstat output only tells a partial picture. If you do see something that looks suspicious in the logs, please respond with details and facts. In addition to some relevant log information, include at least the following:
1 - what distribution you are running and at what revision
2 - what email application you are using (again, what version)
3 - what other email accessories you are using, e.g. spamassassin, dspam, amavis
4 - what other server applications you are running, e.g. Apache, and do you use a CMS and if so which one?
5 - do you use any PHP based configuration applications, like webmin (again include version information)
I realize that the above list may be jumping the gun a bit. The point I am trying to make is that if it does appear that you have a problem, please gather and respond with as much detail as possible and we will help analyze it.
I think there is a problem.
Email log snippet
=====================
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 75.180.132.243 for domain ad$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 75.180.132.244 for domain ad$
02-28 18:31:39 +0800 08 dns1 PROCESSING:0038D7CF: Start mail delivery
02-28 18:31:39 +0800 08 dns1 RELAY:0000E02E: Bad greeting code from server: Error - Blocked for abuse. See $
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: no more relays for bellsouth.net
02-28 18:31:39 +0800 08 dns1 PROCESSING:003B4D5B: Max retry reached; giving up delivery for mail 3B4D5B
02-28 18:31:39 +0800 08 dns1 RELAY:0000E030: Connected to 212.52.84.174
02-28 18:31:39 +0800 08 dns1 RELAY:0000E031: Connected to 75.180.132.243
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 98.137.54.237 for domain yah$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 98.137.54.238 for domain yah$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 66.94.236.34 for domain yaho$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 74.6.140.64 for domain yahoo$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 66.94.237.64 for domain yaho$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 98.139.54.60 for domain yaho$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 74.6.136.244 for domain yaho$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 66.94.238.147 for domain yah$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 67.195.168.31 for domain yah$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 74.6.136.65 for domain yahoo$
1 - what distribution you are running and at what revision
2.6.11-1.1369_FC4smp
2 - what email application are you using (again what version)
It is called AXIGEN. Axigen server version: 1.1.1 (Linux/i686). I have been using the same thing since 2005.
3 - what other email accessories are you using, e.g. spamassassin, dspam, amavis.
spamassassin, but I have disabled it
4 - what other server applications are you running, e.g. Apache and do you use a CMS and if so which one?
Only DNS and MAIL server on this machine
5 - do you use any PHP based configuration applications, like webmin (again include version information).
Only the interface to configure the email server, but it is only accessible via local IP addresses
---------- Post added 02-28-11 at 06:18 AM ----------
More stats from the mail server
SMTP_InboundConnection 447
SMTP_InboundConnectionAuthenticated 428
SMTP_InboundConnectionAuthenticatedSuccess 428
SMTP_InboundConnectionReceivedBytes 1424177
SMTP_InboundConnectionSentBytes 722858
SMTP_InboundMessage 449
SMTP_InboundMessageBDATAccepted 0
SMTP_InboundMessageBodyAccepted 438
SMTP_InboundMessageDATAAccepted 438
SMTP_InboundMessageDATAUsed 438
SMTP_InboundMessageFROMAccepted 449
SMTP_InboundMessageMessageBytes 685211
SMTP_InboundMessageTOcommandsAccepted 21027
SMTP_InboundMessageTOcommandsRejected 6
SMTP_OutboundConnection 69859
SMTP_OutboundConnectionAuthenticated 0
SMTP_OutboundConnectionAuthenticatedSuccess 0
SMTP_OutboundConnectionErrorFinish 60304
SMTP_OutboundConnectionReceivedBytes 0
SMTP_OutboundConnectionSentBytes 7792745
SMTP_OutboundMessage 8984
SMTP_OutboundMessageBDATAccepted 8943
SMTP_OutboundMessageBodyAccepted 3000
SMTP_OutboundMessageDATAAccepted 8153
SMTP_OutboundMessageDATAUsed 5930
SMTP_OutboundMessageFROMAccepted 7724
SMTP_OutboundMessageMessageBytes 6604053
SMTP_OutboundMessageTOcommandsAccepted 5577
SMTP_OutboundMessageTOcommandsRejected 4293
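The log lines and the counter block above already answer the "open relay or compromised account?" question if you read them as ratios. The following script is an added example (not code from the thread and not an Axigen tool): it groups the relay log by queued mail ID and picks out the remote MXs' refusal banners, then derives from the counters the numbers a responder cares about. 428 of 447 inbound connections were authenticated and 449 inbound messages carried 21027 accepted RCPT TO commands, about 47 recipients per submission, while 60304 of 69859 outbound connections ended in error: that is spam being injected through a local login, with the destinations already refusing the server. The log lines are copied from the snippet above (Axigen truncated them with `$`), the counter block is a subset of the posted numbers, and the flag thresholds are assumptions.

```python
"""Checks over Axigen relay log lines and its SMTP counters.

Added example, not code from the thread or from Axigen. RELAY_LOG is copied
from the poster's snippet (truncated with '$' as Axigen printed it);
COUNTERS is a subset of the counters the poster listed, names as printed.
The flag thresholds are assumptions to tune per server.
"""
import re
from collections import Counter

RELAY_LOG = """\
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 75.180.132.243 for domain ad$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 75.180.132.244 for domain ad$
02-28 18:31:39 +0800 08 dns1 PROCESSING:0038D7CF: Start mail delivery
02-28 18:31:39 +0800 08 dns1 RELAY:0000E02E: Bad greeting code from server: Error - Blocked for abuse. See $
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: no more relays for bellsouth.net
02-28 18:31:39 +0800 08 dns1 PROCESSING:003B4D5B: Max retry reached; giving up delivery for mail 3B4D5B
02-28 18:31:39 +0800 08 dns1 RELAY:0000E030: Connected to 212.52.84.174
02-28 18:31:39 +0800 08 dns1 RELAY:0000E031: Connected to 75.180.132.243
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 98.137.54.237 for domain yah$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 98.137.54.238 for domain yah$
"""

COUNTERS = """\
SMTP_InboundConnection 447
SMTP_InboundConnectionAuthenticated 428
SMTP_InboundMessage 449
SMTP_InboundMessageTOcommandsAccepted 21027
SMTP_InboundMessageTOcommandsRejected 6
SMTP_OutboundConnection 69859
SMTP_OutboundConnectionErrorFinish 60304
SMTP_OutboundMessage 8984
SMTP_OutboundMessageTOcommandsAccepted 5577
SMTP_OutboundMessageTOcommandsRejected 4293
"""

MX_RE = re.compile(r"Relay mail (\w+): found MX entry (\S+) for domain (\S+)")
BLOCKED_RE = re.compile(r"Bad greeting code from server: (.+)$")
GAVE_UP_RE = re.compile(r"giving up delivery for mail (\w+)")
CONNECTED_RE = re.compile(r"RELAY:\w+: Connected to (\S+)")


def analyze_relay_log(text):
    """Group delivery attempts per queued mail ID and collect remote MX
    refusal banners; a 'Blocked for abuse' greeting is the sending side's
    view of a blacklisting."""
    mx_lookups, blocked, gave_up, connected = Counter(), [], set(), []
    for line in text.splitlines():
        if m := MX_RE.search(line):
            mx_lookups[m.group(1)] += 1
        elif m := BLOCKED_RE.search(line):
            blocked.append(m.group(1).strip())
        elif m := GAVE_UP_RE.search(line):
            gave_up.add(m.group(1))
        elif m := CONNECTED_RE.search(line):
            connected.append(m.group(1))
    return {"mx_lookups": mx_lookups, "blocked_banners": blocked,
            "gave_up": gave_up, "connected": connected}


def parse_counters(text):
    """'Name value' lines as printed by the server into a dict."""
    return {name: int(value)
            for name, value in (ln.split() for ln in text.splitlines() if ln.strip())}


def submission_indicators(c):
    """Ratios that separate 'open relay' from 'a local account is abused'."""
    out_rcpt = (c["SMTP_OutboundMessageTOcommandsAccepted"]
                + c["SMTP_OutboundMessageTOcommandsRejected"])
    return {
        # share of inbound sessions that logged in: spam via SMTP AUTH, not relay
        "auth_share": c["SMTP_InboundConnectionAuthenticated"] / c["SMTP_InboundConnection"],
        # recipients per submitted message: bulk mail fans out to dozens
        "rcpt_per_inbound_msg": c["SMTP_InboundMessageTOcommandsAccepted"] / c["SMTP_InboundMessage"],
        # share of outbound sessions ending in error: remote MXs refusing us
        "outbound_error_share": c["SMTP_OutboundConnectionErrorFinish"] / c["SMTP_OutboundConnection"],
        # share of outbound RCPT TO refused: harvested / dead address lists
        "outbound_rcpt_reject_share": c["SMTP_OutboundMessageTOcommandsRejected"] / out_rcpt,
    }


def flags(ind, auth=0.9, rcpt=10, err=0.5, rej=0.3):
    """Turn the ratios into findings (thresholds are assumptions)."""
    out = []
    if ind["auth_share"] >= auth and ind["rcpt_per_inbound_msg"] >= rcpt:
        out.append("AUTH_SUBMISSION_ABUSE")
    if ind["outbound_error_share"] >= err:
        out.append("OUTBOUND_REJECTED")
    if ind["outbound_rcpt_reject_share"] >= rej:
        out.append("RCPT_REJECTED")
    return out


if __name__ == "__main__":
    r = analyze_relay_log(RELAY_LOG)
    print("MX lookups per mail:", dict(r["mx_lookups"]), "gave up:", sorted(r["gave_up"]))
    print("refusal banners:", r["blocked_banners"])
    ind = submission_indicators(parse_counters(COUNTERS))
    for k, v in ind.items():
        print(f"{k:28s} {v:.2f}")
    print("findings:", flags(ind))
```

AUTH_SUBMISSION_ABUSE is the finding that matters for the fix: when nearly every inbound session authenticated and each message carries dozens of recipients, the relay test passing is expected, and the next step is finding which login the submissions used and changing that password rather than looking for an open relay.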
It's definitely spam, so better stop your server from running and clean the queue of the spam messages.
I have never used that axigen mail server, but from the logs posted:
Quote:
it looks like www@xj121.com was used to send out spam and gets back the DSNs. Is that xj121.com your domain served by the axigen mail server?
===========================================
No ... not my domains. I have cleared the queues, so netstat is now not showing much activity. But how can I check that they don't load rubbish into the queues again?
As I told you, I'm not familiar with axigen so I can give only generic advice:
Check the logs to see from which user account all these mails of post #6 were sent, or the IP of the sender. Since your server is not an open relay, then most probably it's a user account with a weak password that was compromised. Also note that both your distro and the mail software you're using are quite old and maybe they need upgrading. Regards
Hi bathory, if it is just a matter of locating the weak password, we can change all the email passwords.
Because this is an internal server with not many email addresses, it is easy to fix. My concern was that they have managed to install some script on the server itself, which is harder to fix since my Linux admin knowledge is limited. I will monitor the logs and see if the email blast starts again tomorrow. Thanks
You said that this server runs only mail and DNS, that's why I told you it could be a weak mail user password. Of course it could be that someone gained access through ssh or other means to your box (given it's running an aged and obsoleted distro) and installed some sort of spam bot.
Why monitor the logs and wait for it to happen again and not look at the existing logs to see who started spamming and from what IP? I guess your server is already blacklisted by yahoo and other mail providers and if it happens again it will be difficult to whitelist it. And once again you should consider upgrading OS and mail software
Quote:
Why monitor the logs and wait for it to happen again and not look at the existing logs to see who started spamming and from what IP?
=====================================================================
Is it possible to give me some pointers on what logs to look at and how to see who is spamming and from what IP? Thanks
Quote:
You can ask axigen support for help, as it's proprietary software and you should pay for support for it. Regards
For somebody to have accessed the machine and dropped some script 0) requires a web stack component or service that allows access, or an account, 1) possibly with a weak password in the case of the latter, and 2) enough rights for the service or account to drop files and execute them. If you want to explore that avenue you should review system and daemon logs and user shell history, and verify the integrity and purpose of any file system contents.
That said, Axigen Mail Server 1.1.1 was released in 2006 (!) and this and subsequent versions may be or have been vulnerable (see the CVE list: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Gecad+AXIGEN+Mail+Server). Version 7.6.1 seems current. If there's no support available for free then indeed asking the vendor for help seems the logical way.
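The checklist in that post (system and daemon logs, shell history, integrity and purpose of file system contents) can be partly scripted. The following is an added example, not code from the thread: it lists regular files changed within the last N days, lists setuid/setgid files, and greps a shell history file for download-and-execute, /tmp staging and cron-install command shapes. The history patterns and the day window are assumptions and not an exhaustive list; a careful intruder can reset mtime with `touch`, so the scan compares ctime as well, and anything flagged still needs a human to confirm its purpose. The `__main__` part walks `/` and reads /root/.bash_history by default, both assumptions about where to look.

```python
"""Host-compromise triage helpers for the checklist above.

Added example, not code from the thread. Patterns, paths and the day window
are assumptions; every hit needs manual review.
"""
import os
import re
import stat
import time

# Command shapes a reviewer of ~/.bash_history looks for (assumed patterns,
# not exhaustive): fetch-and-run, staging under /tmp, cron installs, new users.
SUSPICIOUS_HISTORY = [
    re.compile(r"\b(wget|curl)\b[^|]*\|\s*(ba|z|da)?sh\b"),
    re.compile(r"\bchmod\s+\S*x\S*\s+\S*/(tmp|var/tmp|dev/shm)/"),
    re.compile(r"\b(nohup|setsid)\s+\S*(perl|python|php)\b"),
    re.compile(r"\bcrontab\s+(-e\b|[^-\s]\S*)"),
    re.compile(r"\buseradd\b|\bpasswd\s+root\b"),
]


def _walk(root, skip=("/proc", "/sys", "/dev")):
    """Yield (path, lstat) for everything under root, skipping pseudo filesystems."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path)
            except OSError:
                continue


def recently_changed(root, days, use_ctime=True):
    """Regular files changed within `days`. ctime is compared as well as mtime
    by default because `touch -r` resets mtime but not ctime."""
    cutoff = time.time() - days * 86400
    hits = []
    for path, st in _walk(root):
        if not stat.S_ISREG(st.st_mode):
            continue
        newest = max(st.st_mtime, st.st_ctime) if use_ctime else st.st_mtime
        if newest >= cutoff:
            hits.append(path)
    return sorted(hits)


def setuid_files(root):
    """Regular files with the setuid or setgid bit; compare against a known-good list."""
    bits = stat.S_ISUID | stat.S_ISGID
    return sorted(p for p, st in _walk(root)
                  if stat.S_ISREG(st.st_mode) and st.st_mode & bits)


def suspicious_history(path):
    """(line number, command) for history lines matching SUSPICIOUS_HISTORY."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if any(p.search(line) for p in SUSPICIOUS_HISTORY):
                hits.append((lineno, line.rstrip("\n")))
    return hits


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 7
    print(f"== regular files changed in the last {days} days under {root}")
    for p in recently_changed(root, days):
        print("  ", p)
    print("== setuid/setgid files")
    for p in setuid_files(root):
        print("  ", p)
    hist = "/root/.bash_history"   # assumed location; repeat for other users
    if os.path.exists(hist):
        print(f"== suspicious commands in {hist}")
        for n, line in suspicious_history(hist):
            print(f"  {n}: {line}")
```

Run it as root against `/` (or a mounted image of the disk, which is safer, since a rootkit on the live system can hide files from `os.walk`). The output is a worklist, not a verdict: legitimate updates also change files, and a history file can be truncated by the intruder, so an empty result does not prove a clean host.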
Well, rightly predicted, I believe it was an account with a weak password.
I believe the system root password is strong enough not to have been broken into, and we have changed it to be safe. After deleting some unused email accounts, the spamming seems to have stopped. But I need to keep a watch on the system for another few days to check if it comes back again. Axigen does not seem to maintain user logs, so I did not manage to tell which user is generating the most traffic.