Sendmail on RHEL 5.3

tom_sawyer70 · 02-18-2010, 11:02 AM

I have been asked to look into an issue with a RHEL 5.3 server with Sendmail on it. Apparently, the server is scanning for SMTP ports on external servers, about once every two minutes or so. The server had been up for a month prior to this activity which started a couple of days ago. In the interim, the server was shut down.

So tonight the server will be brought back online and I'll get to look at it. While the server has Sendmail on it, it may not even be a Sendmail issue.

Malware could be a culprit, but the server is behind a firewall and relatively locked down from service accounts, etc.

Any thoughts on either something specific to Sendmail that might be generating requests or anything else to investigate?

TIA,
Dave

kbp · 02-18-2010, 04:37 PM

What exactly do you mean by 'scanning' ? .. attempting to send mail ? Have a look at /var/log/maillog, see if the activity is initiated by sendmail.

cheers

unSpawn · 02-18-2010, 04:38 PM

If you have access to the machine you could boot a Live CD and scrape off all logs for analysis (logwatch, slst, grep?) if not then I'd boot it with a firewall ruleset that restricts access to your management IP (range) and at least -j LOG all traffic unless you have access to router logs. Wrt router logs, if you're going to do analysis then take those into account to, there might be some things to be learnt from scanned addresses or ranges. Wrt checking things I'd say read and perform the usual routine like with any system you suspect.

tom_sawyer70 · 02-19-2010, 12:32 PM

Quote:

Originally Posted by kbp

What exactly do you mean by 'scanning' ? .. attempting to send mail ? Have a look at /var/log/maillog, see if the activity is initiated by sendmail.

cheers

It's apparently sending out requests. Our firewall is seeing this:

"Date" "Time" "Action" "Service" "Source" "Destination" "Protocol"
"18Feb2010" "21:16:56" "Drop" "smtp" "xx.xx.xx.xx" "fk-in-f27.1e100.net" "tcp"
"18Feb2010" "21:18:29" "Drop" "smtp" "xx.xx.xx.xx" "fk-in-f27.1e100.net" "tcp"
"18Feb2010" "21:20:05" "Drop" "smtp" "xx.xx.xx.xx" "mail-ew0-f60.google.com" "tcp"
"18Feb2010" "21:21:38" "Drop" "smtp" "xx.xx.xx.xx" "mail-ew0-f60.google.com" "tcp"

/var/log/maillog and the associated versions going back a few weeks are all zero bytes.

Sendmail is not in active processes and there is nothing in top that looks peculiar.

kbp · 02-19-2010, 04:24 PM

Try 'netstat -tunlp' as root to list all the listening processes... if there's nothing on tcp/25 then it's possible it's malware, it could also be an app of some kind ( java? ).. I've seen developers configure them to send email directly out rather than via the local mta

cheers