LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-29-2005, 04:40 AM   #1
woodwater
LQ Newbie
Registered: Jun 2005
Posts: 1
Something wrong in the email server


Condition:

The email server has a hidden process which keeps sending packets out to an external IP. I have tried to kill it manually, but it automatically runs again after I reboot Linux.

The destination IP: 59.36.X.X

I have used a firewall-like server to track the network, and I know that the email server keeps making outbound connections to the destination.

How can I check the email server's startup processes and try to see which process causes this strange condition?

The firewall shows that the email server made many connections out to the destination, causing network performance to drop.

There are two possible explanations for this condition:
1. The server has been hacked by somebody.
2. A trojan is running on the server.

Does anybody have experience with the destination IP 59.36.X.X?

I'm now considering whether to reinstall it or not.

Thanks, with regards
 
Old 06-29-2005, 01:12 PM   #2
Capt_Caveman
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
If your server has been compromised, then a full reinstall from trusted media is absolutely necessary.

To see what processes are sending packets, use 'lsof -i' or alternatively 'netstat -pantu' and then look up the process ID number in /proc. Once you identify the rogue process, take a look around its directory for any other suspicious files and folders. Make sure to take note of the owners of those files and dirs as well. I'd also highly recommend running something like rootkit hunter or chkrootkit.
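The /proc walk that lsof -i and netstat -pantu do internally, written out as an added example (not code from the thread): it parses /proc/net/tcp for connections to a destination prefix, maps the socket inode to PIDs, and records the binary, working directory and owner for each. It assumes a Linux host with /proc on a little-endian CPU, and the sample table at the end is constructed so the parser can be tested without a compromised box.

```shell
# Added example, not from the thread: walk /proc the way lsof -i / netstat -pantu
# do, to find which PIDs hold TCP connections to a destination. Assumes Linux /proc
# on a little-endian CPU (x86); run as root to read every /proc/<pid>/fd.

# /proc/net/tcp stores IPv4 as little-endian hex: "0100007F:0CEA" is 127.0.0.1:3306.
hex_to_ipport() {
  hex=${1%%:*}
  printf '%d.%d.%d.%d:%d\n' \
    "0x$(echo "$hex" | cut -c7-8)" "0x$(echo "$hex" | cut -c5-6)" \
    "0x$(echo "$hex" | cut -c3-4)" "0x$(echo "$hex" | cut -c1-2)" "0x${1##*:}"
}

# Socket inodes of connections in the /proc/net/tcp-format file $1 whose remote
# address starts with $2 ("59.36." for the poster's destination).
inodes_to_dest() {
  awk 'NR > 1 { print $3, $10 }' "$1" | while read -r rem inode; do
    case "$(hex_to_ipport "$rem")" in "$2"*) echo "$inode" ;; esac
  done
}

# PIDs whose fd table holds socket:[inode]; unreadable /proc entries are skipped.
pids_for_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] && echo "$fd" | cut -d/ -f3
  done | sort -u
}

# Per rogue PID, record what the reply says to note: binary, cwd, owner, argv.
describe_pid() {
  printf 'pid=%s exe=%s cwd=%s owner=%s cmd=%s\n' "$1" \
    "$(readlink /proc/"$1"/exe 2>/dev/null || echo '?')" \
    "$(readlink /proc/"$1"/cwd 2>/dev/null || echo '?')" \
    "$(stat -c %U /proc/"$1" 2>/dev/null || echo '?')" \
    "$(tr '\0' ' ' < /proc/"$1"/cmdline 2>/dev/null)"
}

# On the suspect host: find_talkers 59.36.
find_talkers() {
  for inode in $(inodes_to_dest /proc/net/tcp "$1"); do
    for pid in $(pids_for_inode "$inode"); do describe_pid "$pid"; done
  done
}
# Constructed /proc/net/tcp sample (not real data) to exercise the parser offline.
sample_tcp_table() {
  printf '%s\n' \
    '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode' \
    '   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0 100 0 0 10 0' \
    '   1: 0A00020F:C35A 0201243B:1F90 01 00000000:00000000 00:00000000 00000000     0        0 22222 1 0 100 0 0 10 0'
}
```

An exe link reading "(deleted)" or a cwd under /tmp or /dev/shm is the kind of detail worth noting before the reinstall; a process that reappears after reboot also means checking rc scripts, cron and inittab for whatever relaunches it.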
 
Old 06-29-2005, 01:18 PM   #3
stefan_nicolau
Member
Registered: Jun 2005
Location: Canada
Distribution: Debian Etch/Sid, Ubuntu
Posts: 529
This is whois information for 59.36.0.0:
Code:
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      59.32.0.0 - 59.42.255.255
netname:      CHINANET-GD
descr:        CHINANET Guangdong province network
descr:        China Telecom
descr:        No.31,jingrong street
descr:        Beijing 100032
country:      CN
admin-c:      CH93-AP
tech-c:       IC83-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CHINANET-GD
status:       ALLOCATED PORTABLE
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:      This object can only be updated by APNIC hostmasters.
remarks:      To update this object, please contact APNIC
remarks:      hostmasters and include your organisation's account
remarks:      name in the subject line.
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:      hm-changed@apnic.net 20040802
changed:      hm-changed@apnic.net 20041123
source:       APNIC

person:       Chinanet Hostmaster
address:      No.31 ,jingrong street,beijing
address:      100032
country:      CN
phone:        +86-10-66027112
fax-no:       +86-10-58501144
e-mail:       hostmaster@ns.chinanet.cn.net
e-mail:       anti-spam@ns.chinanet.cn.net
nic-hdl:      CH93-AP
mnt-by:       MAINT-CHINANET
changed:      hostmaster@ns.chinanet.cn.net 20021016
remarks:      hostmaster is not for spam complaint,please send spam complaint to anti-spam@ns.chinanet.cn.net
source:       APNIC

person:       IPMASTER CHINANET-GD
nic-hdl:      IC83-AP
e-mail:       ipadm@gddc.com.cn
address:      NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
phone:        +86-20-83877223
fax-no:       +86-20-83877223
country:      CN
changed:      ipadm@gddc.com.cn 20040902
mnt-by:       MAINT-CHINANET-GD
remarks:      IPMASTER is not for spam complaint,please send spam complaint to abuse@gddc.com.cn
source:       APNIC
If you look up the full IP, you may get a more precise result.