Intruder using SMTP to send traffic while port 25 closed
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Starting Nmap 4.68 ( http://nmap.org ) at 2008-08-26 15:42 PDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1706 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
953/tcp open rndc
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt
As the nmap output above indicate 25/tcp is closed.
While seeking the source of timeout messages (see below) in syslog
syslog messages:
"too many timeouts resolving '29.52.72.202.zen.spamhaus.org/A' (in
'zen.spamhaus.org'?): disabling EDNS"
when using tcpdump, I discovered SMTP traffic from an external source directed to outbound mailhosts (my.ip.ad2.res and my.ip.ad3.res) on my network.
Code:
[root@minime maps]# tcpdump -n dst port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:48:23.192432 IP 211.97.119.141.rapidmq-center > my.ip.ad3.res.smtp: . ack 3646915787 win 64296
20:48:23.450481 IP 211.97.119.141.rapidmq-center > my.ip.ad3.res.smtp: F 0:0(0) ack 1 win 64296
20:48:23.680967 IP 211.97.119.141.rapidmq-center > my.ip.ad3.res.smtp: . ack 2 win 64296
20:49:35.300394 IP 123.234.188.229.4383 > my.ip.ad3.res.smtp: S 2448658403:2448658403(0) win 64800 <mss 1440,nop,nop,sackOK>
20:49:35.525614 IP 123.234.188.229.4383 > my.ip.ad3.res.smtp: . ack 580516926 win 64800
20:49:36.783155 IP 123.234.188.229.4383 > my.ip.ad3.res.smtp: . ack 28 win 64773
20:49:36.790368 IP 123.234.188.229.4383 > my.ip.ad3.res.smtp: P 0:22(22) ack 28 win 64773
20:49:37.043620 IP 123.234.188.229.4383 > my.ip.ad3.res.smtp: P 22:58(36) ack 49 win 64752
20:49:37.296724 IP 123.234.188.229.4383 > my.ip.ad3.res.smtp: P 58:91(33) ack 63 win 64738
20:49:37.551795 IP 123.234.188.229.4383 > my.ip.ad3.res.smtp: P 91:97(6) ack 141 win 64660
20:49:37.788812 IP 123.234.188.229.4383 > my.ip.ad3.res.smtp: . ack 157 win 64645
20:49:37.791761 IP 123.234.188.229.4383 > my.ip.ad3.res.smtp: F 97:97(0) ack 157 win 64645
20:50:47.517051 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: S 1449700176:1449700176(0) win 5840 <mss 1460,sackOK,timestamp 4116706078 0,nop,wscale 2>
20:50:47.644222 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . ack 4290287674 win 5840
20:50:53.318491 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . ack 21 win 5840
20:50:53.358317 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 0:28(28) ack 21 win 5840
20:50:53.517589 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . ack 166 win 6432
20:50:53.598606 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 28:108(80) ack 166 win 6432
20:50:53.956107 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . ack 231 win 6432
20:50:53.983448 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 108:1460(1352) ack 231 win 6432
20:50:53.983836 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 1460:2812(1352) ack 231 win 6432
20:50:54.099416 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 2812:4164(1352) ack 231 win 6432
20:50:54.100049 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 4164:5516(1352) ack 231 win 6432
20:50:54.100391 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 5516:6868(1352) ack 231 win 6432
20:50:54.228217 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 6868:8220(1352) ack 231 win 6432
20:50:54.228586 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 8220:9572(1352) ack 231 win 6432
20:50:54.231217 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 9572:10924(1352) ack 231 win 6432
20:50:54.231486 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 10924:12276(1352) ack 231 win 6432
20:50:54.237689 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 12276:13628(1352) ack 231 win 6432
20:50:54.349528 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 13628:14980(1352) ack 231 win 6432
20:50:54.349910 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 14980:16332(1352) ack 231 win 6432
20:50:54.350515 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 16332:17684(1352) ack 231 win 6432
20:50:54.359733 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 17684:19036(1352) ack 231 win 6432
20:50:54.360344 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 19036:20388(1352) ack 231 win 6432
20:50:54.363844 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 20388:21740(1352) ack 231 win 6432
20:50:54.474101 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 21740:23092(1352) ack 231 win 6432
20:50:54.474480 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 23092:24444(1352) ack 231 win 6432
20:50:54.479140 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 24444:25796(1352) ack 231 win 6432
20:50:54.482290 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 25796:27148(1352) ack 231 win 6432
20:50:54.483592 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 27148:28500(1352) ack 231 win 6432
20:50:54.484002 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 28500:29852(1352) ack 231 win 6432
20:50:54.484291 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 29852:31204(1352) ack 231 win 6432
20:50:54.486716 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 31204:32556(1352) ack 231 win 6432
20:50:54.487097 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 32556:33908(1352) ack 231 win 6432
20:50:54.592084 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 33908:35260(1352) ack 231 win 6432
20:50:54.592423 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 35260:36612(1352) ack 231 win 6432
20:50:54.594730 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 36612:37964(1352) ack 231 win 6432
20:50:54.596187 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 37964:39316(1352) ack 231 win 6432
20:50:54.596569 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 39316:40668(1352) ack 231 win 6432
20:50:54.597556 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 40668:42020(1352) ack 231 win 6432
20:50:54.597937 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 42020:43372(1352) ack 231 win 6432
20:50:54.598327 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 43372:44724(1352) ack 231 win 6432
20:50:54.601208 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 44724:46076(1352) ack 231 win 6432
20:50:54.608602 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 46076:47428(1352) ack 231 win 6432
20:50:54.723331 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 47428:48780(1352) ack 231 win 6432
20:50:54.731915 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 48780:50132(1352) ack 231 win 6432
20:50:54.732243 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 50132:51484(1352) ack 231 win 6432
20:50:54.734542 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 51484:52836(1352) ack 231 win 6432
20:50:54.734812 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 52836:54188(1352) ack 231 win 6432
20:50:54.735095 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 54188:55540(1352) ack 231 win 6432
20:50:54.735366 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 55540:56892(1352) ack 231 win 6432
20:50:54.737841 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 56892:58244(1352) ack 231 win 6432
20:50:54.738385 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 58244:59596(1352) ack 231 win 6432
20:50:54.738838 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 59596:60948(1352) ack 231 win 6432
20:50:54.739102 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 60948:62300(1352) ack 231 win 6432
20:50:54.856517 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 62300:63652(1352) ack 231 win 6432
20:50:54.856863 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 63652:65004(1352) ack 231 win 6432
20:50:54.857194 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 65004:66356(1352) ack 231 win 6432
20:50:54.860406 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 66356:67708(1352) ack 231 win 6432
20:50:54.860757 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 67708:69060(1352) ack 231 win 6432
20:50:54.861033 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 69060:70412(1352) ack 231 win 6432
20:50:54.861306 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 70412:71764(1352) ack 231 win 6432
20:50:54.861575 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 71764:73116(1352) ack 231 win 6432
20:50:54.861854 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 73116:74468(1352) ack 231 win 6432
20:50:54.862141 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 74468:75820(1352) ack 231 win 6432
20:50:54.865122 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 75820:77172(1352) ack 231 win 6432
20:50:54.865778 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 77172:78524(1352) ack 231 win 6432
20:50:54.867094 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 78524:79876(1352) ack 231 win 6432
20:50:54.891443 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 79876:81228(1352) ack 231 win 6432
20:50:54.970310 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 81228:82580(1352) ack 231 win 6432
20:50:54.970652 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 82580:83932(1352) ack 231 win 6432
20:50:54.971222 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 83932:85284(1352) ack 231 win 6432
20:50:54.973769 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 85284:86636(1352) ack 231 win 6432
20:50:54.974050 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 86636:87988(1352) ack 231 win 6432
20:50:54.974329 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 87988:89340(1352) ack 231 win 6432
20:50:54.974613 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 89340:90692(1352) ack 231 win 6432
20:50:54.974885 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 90692:92044(1352) ack 231 win 6432
20:50:54.975157 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 92044:93396(1352) ack 231 win 6432
20:50:54.977179 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 93396:94748(1352) ack 231 win 6432
20:50:54.977513 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 94748:96100(1352) ack 231 win 6432
20:50:54.977794 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 96100:97452(1352) ack 231 win 6432
20:50:54.979373 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 97452:98804(1352) ack 231 win 6432
20:50:54.979848 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 98804:100156(1352) ack 231 win 6432
20:50:54.980140 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 100156:101508(1352) ack 231 win 6432
20:50:54.980472 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 101508:102860(1352) ack 231 win 6432
20:50:55.049139 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 102860:104212(1352) ack 231 win 6432
20:50:55.085092 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 104212:105564(1352) ack 231 win 6432
20:50:55.085455 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 105564:106916(1352) ack 231 win 6432
20:50:55.090686 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 106916:108268(1352) ack 231 win 6432
20:50:55.091046 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 108268:109620(1352) ack 231 win 6432
20:50:55.091372 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 109620:110972(1352) ack 231 win 6432
20:50:55.093368 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 110972:112324(1352) ack 231 win 6432
20:50:55.093823 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 112324:113676(1352) ack 231 win 6432
20:50:55.094159 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 113676:115028(1352) ack 231 win 6432
20:50:55.094448 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 115028:116380(1352) ack 231 win 6432
20:50:55.094720 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 116380:117732(1352) ack 231 win 6432
20:50:55.096275 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 117732:119084(1352) ack 231 win 6432
20:50:55.096617 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 119084:120436(1352) ack 231 win 6432
20:50:55.097617 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 120436:121788(1352) ack 231 win 6432
20:50:55.097957 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 121788:123140(1352) ack 231 win 6432
20:50:55.099165 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 123140:124492(1352) ack 231 win 6432
20:50:55.099623 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 124492:125844(1352) ack 231 win 6432
20:50:55.100807 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 125844:127196(1352) ack 231 win 6432
20:50:55.101145 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 127196:128548(1352) ack 231 win 6432
20:50:55.181293 IP 201.245.243.49.53750 > my.ip.ad2.res.smtp: S 41720116:41720116(0) win 64240 <mss 1452,nop,nop,sackOK>
20:50:55.206967 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 128548:129900(1352) ack 231 win 6432
20:50:55.207311 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 129900:131252(1352) ack 231 win 6432
20:50:55.213223 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 131252:132604(1352) ack 231 win 6432
20:50:55.213568 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 132604:133956(1352) ack 231 win 6432
20:50:55.213904 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 133956:135308(1352) ack 231 win 6432
20:50:55.215436 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 135308:136660(1352) ack 231 win 6432
20:50:55.215770 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 136660:138012(1352) ack 231 win 6432
20:50:55.216048 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 138012:139364(1352) ack 231 win 6432
20:50:55.217704 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 139364:140716(1352) ack 231 win 6432
20:50:55.218128 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 140716:142068(1352) ack 231 win 6432
20:50:55.218428 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 142068:143420(1352) ack 231 win 6432
20:50:55.219445 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 143420:144772(1352) ack 231 win 6432
20:50:55.219791 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 144772:146124(1352) ack 231 win 6432
20:50:55.220071 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 146124:147476(1352) ack 231 win 6432
20:50:55.221539 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 147476:148828(1352) ack 231 win 6432
20:50:55.221972 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 148828:150180(1352) ack 231 win 6432
20:50:55.327302 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 150180:151532(1352) ack 231 win 6432
20:50:55.327638 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 151532:152884(1352) ack 231 win 6432
20:50:55.330070 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 152884:154236(1352) ack 231 win 6432
20:50:55.330410 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 154236:155588(1352) ack 231 win 6432
20:50:55.330694 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 155588:156940(1352) ack 231 win 6432
20:50:55.330974 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 156940:158292(1352) ack 231 win 6432
20:50:55.331254 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 158292:159644(1352) ack 231 win 6432
20:50:55.335840 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 159644:160996(1352) ack 231 win 6432
20:50:55.336178 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 160996:162348(1352) ack 231 win 6432
20:50:55.336457 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 162348:163700(1352) ack 231 win 6432
20:50:55.336729 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 163700:165052(1352) ack 231 win 6432
20:50:55.337000 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 165052:166404(1352) ack 231 win 6432
20:50:55.337270 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 166404:167756(1352) ack 231 win 6432
20:50:55.337539 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 167756:169108(1352) ack 231 win 6432
20:50:55.341615 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 169108:170460(1352) ack 231 win 6432
20:50:55.341954 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 170460:171812(1352) ack 231 win 6432
20:50:55.344532 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 171812:173164(1352) ack 231 win 6432
20:50:55.344915 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 173164:174516(1352) ack 231 win 6432
20:50:55.377391 IP 201.245.243.49.53750 > my.ip.ad2.res.smtp: . ack 121560872 win 65340
20:50:55.439068 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 174516:175868(1352) ack 231 win 6432
20:50:55.439457 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 175868:177220(1352) ack 231 win 6432
20:50:55.449133 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 177220:178572(1352) ack 231 win 6432
20:50:55.449768 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 178572:179924(1352) ack 231 win 6432
20:50:55.456666 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 179924:181276(1352) ack 231 win 6432
20:50:55.457049 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 181276:182628(1352) ack 231 win 6432
20:50:55.459823 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 182628:183980(1352) ack 231 win 6432
20:50:55.460106 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 183980:185332(1352) ack 231 win 6432
20:50:55.460372 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 185332:186684(1352) ack 231 win 6432
20:50:55.460649 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 186684:188036(1352) ack 231 win 6432
20:50:55.460922 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 188036:189388(1352) ack 231 win 6432
20:50:55.461198 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 189388:190740(1352) ack 231 win 6432
20:50:55.464815 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 190740:192092(1352) ack 231 win 6432
20:50:55.465163 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 192092:193444(1352) ack 231 win 6432
20:50:55.465441 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 193444:194796(1352) ack 231 win 6432
20:50:55.465712 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 194796:196148(1352) ack 231 win 6432
20:50:55.465984 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 196148:197500(1352) ack 231 win 6432
20:50:55.466553 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 197500:198852(1352) ack 231 win 6432
20:50:55.579517 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 198852:200204(1352) ack 231 win 6432
20:50:55.580168 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 200204:201556(1352) ack 231 win 6432
20:50:55.580501 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 201556:202908(1352) ack 231 win 6432
20:50:55.583105 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 202908:204260(1352) ack 231 win 6432
20:50:55.583448 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 204260:205612(1352) ack 231 win 6432
20:50:55.583738 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 205612:206964(1352) ack 231 win 6432
20:50:55.584011 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 206964:208316(1352) ack 231 win 6432
20:50:55.584286 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 208316:209668(1352) ack 231 win 6432
20:50:55.584555 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 209668:211020(1352) ack 231 win 6432
20:50:55.588290 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 211020:212372(1352) ack 231 win 6432
20:50:55.588636 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 212372:213724(1352) ack 231 win 6432
20:50:55.588919 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 213724:215076(1352) ack 231 win 6432
20:50:55.589194 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 215076:216428(1352) ack 231 win 6432
20:50:55.589460 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 216428:217780(1352) ack 231 win 6432
20:50:55.589898 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 217780:219132(1352) ack 231 win 6432
20:50:55.590177 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 219132:220484(1352) ack 231 win 6432
20:50:55.590458 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 220484:221836(1352) ack 231 win 6432
20:50:55.590731 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 221836:223188(1352) ack 231 win 6432
20:50:55.707207 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 223188:224540(1352) ack 231 win 6432
20:50:55.707550 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 224540:225892(1352) ack 231 win 6432
20:50:55.819454 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 225892:227244(1352) ack 231 win 6432
20:50:55.819797 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 227244:228596(1352) ack 231 win 6432
20:50:55.933488 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 228596:229948(1352) ack 231 win 6432
20:50:55.933829 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 229948:231300(1352) ack 231 win 6432
20:50:56.058601 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 231300:232652(1352) ack 231 win 6432
20:50:56.059289 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 232652:234004(1352) ack 231 win 6432
20:50:56.177325 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 234004:235356(1352) ack 231 win 6432
20:50:56.177669 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 235356:236708(1352) ack 231 win 6432
20:50:56.296669 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 236708:238060(1352) ack 231 win 6432
20:50:56.297008 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 238060:239412(1352) ack 231 win 6432
20:50:56.409673 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 239412:240764(1352) ack 231 win 6432
20:50:56.410309 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 240764:242116(1352) ack 231 win 6432
20:50:56.520817 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 242116:243468(1352) ack 231 win 6432
20:50:56.521156 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 243468:244820(1352) ack 231 win 6432
20:50:56.639241 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 244820:246172(1352) ack 231 win 6432
20:50:56.639580 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . 246172:247524(1352) ack 231 win 6432
20:50:56.639590 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 247524:247678(154) ack 231 win 6432
20:50:57.099804 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . ack 267 win 6432
20:50:57.253298 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: P 247678:247684(6) ack 267 win 6432
20:50:57.367225 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . ack 267 win 6432
20:50:57.367555 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: . ack 283 win 6432
20:50:57.401959 IP 8.15.27.183.48716 > my.ip.ad2.res.smtp: F 247684:247684(0) ack 283 win 6432
How do I stop this intrusion using snort or ossec if iptables, firestarter, and nmap reports that port 25 is closed?
You are confused. Your server's port 25 is not listening or open.
This does not mean that your server cannot access remote port 25 services.
Add an iptable rule to block dst=25 if you don't want outbound SMTP traffic.
Quote:
"too many timeouts resolving '29.52.72.202.zen.spamhaus.org/A' (in
'zen.spamhaus.org'?): disabling EDNS"
Sorry, you're right. I was confused. I read "to outbound mailhosts (my.ip.ad2.res and my.ip.ad3.res)" and thought external host hostnames. I see those are your hosts.
No there are none. I cant a fix on the intruders, they are transmitting the mail messages from various ports 4543, 43607, 20156, etc. and ip addresses.
It is normal for the source port to be random. It is common that (seemingly) random IPs hit a mail server.
What is confusing here is why traffic is occurring on your dst port 25, yet no listening port 25 service is listed by netstat. One might begin to suspect your system has been infiltrated and tampered with, perhaps replacing netstat and other utilities.
It might be time to take the system offline and start doing some forensics.
The idea of using snort or something else to block that traffic is like locking the doors once the thief is in the house.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
Well, if you wouldn't have masked the external IP we could actually help you out by testing from outside your network. It's not like hiding your IP is doing any good, since plenty of other hosts have already found you without looking on an Internet forum...
Although netstat might be lying to you, I do notice you ran your nmap against 127.0.0.1 instead of your external IP. It's possible for a service to bind to a single IP only and not include localhost. Also, any traffic sent from your own host is going to use the loopback device regardless of which IP on your box it's going to. A more accurate way to test would be from another machine.
In any case, it seems quite possible that you've been owned.
Although netstat might be lying to you, I do notice you ran your nmap against 127.0.0.1 instead of your external IP. It's possible for a service to bind to a single IP only and not include localhost. Also, any traffic sent from your own host is going to use the loopback device regardless of which IP on your box it's going to. A more accurate way to test would be from another machine.
Bingo...that's the very first thing I noticed and I'm glad I decided to keep reading before responding in a redundant manner.
I don't see the the destination IP (your SMTP server, 64.183.63.46) responding to any of that. That tells me that it is configured correctly. IMO, if this service is exposed to the internet, spam hosts will attempt to connect to it in a dumb (automated) manner. Have you checked your server logs to ensure that nothing is amiss?
I also didn't understand your nmap blurb (at the bottom of your last post). I'm not sure you understand why you should be scanning from a separate host, but if you did, it would help us in assisting you better.
** is it just me or does the side-scrolling suck?? **
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
I tried getting to that IP on port 25 and it's timing-out, which means it's probably not allowing incoming traffic... Have you tried doing a tcpdump with simply "port 25" for the arguments, instead of "dst port 25"? That would tell you if your machine is even sending return traffic. Have you actually checked /var/log/maillog to see if there's actually e-mail being sent?
It's also possible that your firewall is not tightly configured and spoofed packets, or packets with odd combinations of flags set are allowed through.
dont do a src or dst port just port then we can see the connection better. From the looks of it the server is responding to the packets on 25 but its hard to see without the bi-directional traffic
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
