Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I just happened to look at the output from sendmail the other day and found that batches of dubious-looking messages are going out at 8.20am each day, and can't think why this is happening.
The setup is this: we have a home network. The server (SuSE 9.1, fully patched) acts as an email server, but mostly for incoming mail, as our client machines connect directly to our ISPs to send mail. However, it runs 'sendmail -q' once an hour, starting at 7.20am and ending at midnight. The 7.20 run always shows no queued mail, as does every other run except the 8.20 one.
The dubious mails, which look like spam and are going to addresses we don't send mail to, originate from two user accounts - our main accounts, in fact, but there are others. They are being generated on the server, I believe (at 8.20am, the two workstations used as our main machines are switched off. They also run Linux, BTW).
All the machines have local 192.168.0.x static IPs and sit behind a Linksys router which has a permanent Internet IP (Internet access is via Wimax). The router passes incoming HTTP (port 80) and FTP (port 21) requests to the server. (I've since disabled FTP and have set up snort to watch HTTP requests, which should be very few, if any. So we'll see what happens tomorrow).
At first, I suspected procmail recipes that might be bouncing back messages (we had one on each of the suspect accounts that bounced back a message to people using specific & no longer used email addresses). But turning those off had no effect.
Checking the logs, I could not find any incoming messages from the dubious email addresses to which our outgoing messages are being addressed - i.e., I don't think this is a result of messages being bounced by our server, though I need to explore that more.
I figured I'd disable the cronjob that runs 'sendmail -q' so I can take a better look at what's in the outgoing mail queue - I won't know until tomorrow about that. In the meantime, does anyone have any clues about what might be happening?
I'd be interested in seeing any updates on this. I think you're on the right track on how to proceed with investigating this, at least with regard to where these emails are originating. From what you've posted, it's unclear whether this is something malicious or not (though it does sound highly suspect). It might help if you could post an example of one of the suspicious entries from your maillog. Also have a look through the list of processes in the output of ps aux and see if anything looks abnormal.
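As an added example (not code from either poster), here is a POSIX shell script that does the maillog analysis the reply suggests, aimed at the question the original post raises: which local account is generating the 8.20 batch, and when was each message actually submitted? Sendmail writes two entries per message keyed by the queue id: a `from=` line at submission time, and a `to=` line at delivery time that carries `ctladdr=<addr> (uid/gid)`, the controlling local user that handed the message to sendmail. Correlating the two shows whether the queue run is delivering messages submitted minutes earlier by a local process under a particular uid, which is the pattern a cron job or a compromised account would leave. The log lines below are constructed for the example; the user names, uids, hosts and queue ids are assumptions, not values from the thread.

```shell
#!/bin/sh
# Constructed sample of sendmail maillog entries (syslog format). Not real log
# data: alice (uid 1000) sends one legitimate message; bob (uid 1001) has three
# messages submitted locally at 08:19 and delivered by the 08:20 queue run.
SAMPLE_LOG='Jan 12 07:05:11 server sendmail[2101]: j0C75Baa002101: from=<alice@example.org>, size=812, class=0, nrcpts=1, msgid=<1@example.org>, relay=alice@localhost
Jan 12 07:20:01 server sendmail[2150]: j0C75Baa002101: to=<friend@example.net>, ctladdr=<alice@example.org> (1000/100), delay=00:14:50, mailer=esmtp, relay=mx.example.net. [203.0.113.5], dsn=2.0.0, stat=Sent
Jan 12 08:19:40 server sendmail[2301]: j0C8JeAb002301: from=<bob@example.org>, size=4120, class=0, nrcpts=1, msgid=<x1@example.org>, relay=bob@localhost
Jan 12 08:19:41 server sendmail[2302]: j0C8JfAc002302: from=<bob@example.org>, size=4120, class=0, nrcpts=1, msgid=<x2@example.org>, relay=bob@localhost
Jan 12 08:19:42 server sendmail[2303]: j0C8JgAd002303: from=<bob@example.org>, size=4120, class=0, nrcpts=1, msgid=<x3@example.org>, relay=bob@localhost
Jan 12 08:20:01 server sendmail[2310]: j0C8JeAb002301: to=<unknown1@example.net>, ctladdr=<bob@example.org> (1001/100), delay=00:00:21, mailer=esmtp, relay=mx.example.net. [203.0.113.5], dsn=2.0.0, stat=Sent
Jan 12 08:20:02 server sendmail[2311]: j0C8JfAc002302: to=<unknown2@example.com>, ctladdr=<bob@example.org> (1001/100), delay=00:00:21, mailer=esmtp, relay=mx.example.com. [198.51.100.7], dsn=2.0.0, stat=Sent
Jan 12 08:20:03 server sendmail[2312]: j0C8JgAd002303: to=<unknown3@example.net>, ctladdr=<bob@example.org> (1001/100), delay=00:00:21, mailer=esmtp, relay=mx.example.net. [203.0.113.5], dsn=2.0.0, stat=Sent'

# correlate_queue: read maillog lines on stdin and print one line per delivery,
# joining the to= entry with the earlier from= entry for the same queue id.
# Fields: $1-$3 timestamp, $4 host, $5 sendmail[pid]:, $6 queue id with ':'.
correlate_queue() {
  awk '
    /: from=</ {
      qid = $6; sub(/:$/, "", qid)
      match($0, /from=<[^>]*>/)
      sender[qid] = substr($0, RSTART + 6, RLENGTH - 7)   # strip "from=<" and ">"
      submitted[qid] = $1 " " $2 " " $3
    }
    /: to=</ {
      qid = $6; sub(/:$/, "", qid)
      match($0, /to=<[^>]*>/)
      rcpt = substr($0, RSTART + 4, RLENGTH - 5)          # strip "to=<" and ">"
      uid = "?"
      if (match($0, /ctladdr=<[^>]*> \([0-9]+/)) {       # "(uid/" -> local uid
        s = substr($0, RSTART, RLENGTH); sub(/.*\(/, "", s); uid = s
      }
      ts = $1 " " $2 " " $3
      printf "%s qid=%s submitted=%s from=%s uid=%s to=%s\n", ts, qid,
        (qid in submitted ? submitted[qid] : "unknown"),
        (qid in sender ? sender[qid] : "unknown"), uid, rcpt
    }
  '
}

# flag_batches THRESHOLD: count deliveries per (hour, controlling uid) and
# print the pairs at or above THRESHOLD, so a daily burst from one local
# account stands out against normal traffic.
flag_batches() {
  awk -v thr="${1:-3}" '
    /: to=</ && match($0, /ctladdr=<[^>]*> \([0-9]+/) {
      s = substr($0, RSTART, RLENGTH); sub(/.*\(/, "", s)
      count[substr($3, 1, 2) " uid=" s]++
    }
    END { for (k in count) if (count[k] >= thr) printf "%s count=%d\n", k, count[k] }
  ' | sort
}

# Stand-alone run over the constructed sample; on a real box replace the
# printf with: grep sendmail /var/log/mail (path assumed, check your syslog config)
printf '%s\n' "$SAMPLE_LOG" | correlate_queue
printf '%s\n' "$SAMPLE_LOG" | flag_batches 3
```

The `submitted=` column is the key: if the 08:20 deliveries all show submission times a minute earlier, with `relay=user@localhost` and the same uid, something on the server itself is queueing that mail shortly before the hourly run, and the uid tells you whose crontab, login session or procmail recipe to look at. The `to=` line also records the final `stat=`, so a bounce storm would show up as deliveries back to the original sender rather than to unknown addresses.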