From: davidst on 2 Aug 2010 14:24

My IP has been listed on BarracudaCentral.org, and before I request them to remove it, I want to verify that my server is not compromised. I'm a rather inexperienced admin however.

If I look at the mail log and grep for 'localhost.localdomain' I don't see any abnormal amount of outgoing mail.

Can anyone offer other suggestions for checking up on this? I'm going to continue fishing around in the meantime.

From: mikea on 2 Aug 2010 14:40

davidst <davidst.vz(a)gmail.com> wrote in <a7811f6c-e4d1-4796-bed8-17f8eb735783(a)u4g2000prn.googlegroups.com>:

> My IP has been listed on BarracudaCentral.org, and before I request
> them to remove it, I want to verify that my server is not
> compromised. I'm a rather inexperienced admin however.
>
> If I look at the mail log and grep for 'localhost.localdomain' I don't
> see any abnormal amount of outgoing mail.
>
> Can anyone offer other suggestions for checking up on this? I'm going
> to continue fishing around in the meantime.

If your machine has been compromised and is sending spam, it almost certainly will not be doing so through sendmail, but rather through something else that connects to SMTP ports on other machines.

Do you have TripWire installed and a baseline scan to compare against the current state of your system?

--
Mike Andrews, W5EGO
mikea(a)mikea.ath.cx
Tired old sysadmin

From: davidst on 2 Aug 2010 14:53

> If your machine has been compromised and is sending spam, it almost
> certainly will not be doing so through sendmail, but rather through
> something else that connects to SMTP ports on other machines.
>
> Do you have TripWire installed and a baseline scan to compare against
> the current state of your system?
>
> --
> Mike Andrews, W5EGO
> mi...(a)mikea.ath.cx
> Tired old sysadmin

Hmm... I guess you're probably right. I don't have tripwire installed so no baseline scan. I guess I should try to monitor the raw network traffic from another machine then.

From: mikea on 2 Aug 2010 15:07

davidst <davidst.vz(a)gmail.com> wrote in <8820aa3d-4e9f-4a72-8b8e-91f37ddedb8c(a)v35g2000prn.googlegroups.com>:

>> If your machine has been compromised and is sending spam, it almost
>> certainly will not be doing so through sendmail, but rather through
>> something else that connects to SMTP ports on other machines.
>>
>> Do you have TripWire installed and a baseline scan to compare against
>> the current state of your system?

> Hmm... I guess you're probably right. I don't have tripwire installed
> so no baseline scan. I guess I should try to monitor the raw network
> traffic from another machine then.

Do us and the rest of the Internet a favor, then: isolate the network with those two machines from the rest of the world. If it's not infected, you won't see anything. If it is infected, you still may not, if it's waiting for a C&C machine to instruct it. But if it's infected and connected to the rest of the world, it will be spewing at some point, and trying to infect other machines as well, which is A Bad Thing.

--
End-to-end connectivity is the "coin of the realm" for internet operations. Use it wisely. You only control your end of it.

From: davidst on 2 Aug 2010 15:36

> Do us and the rest of the Internet a favor, then: isolate the network with
> those two machines from the rest of the world. If it's not infected, you
> won't see anything. If it is infected, you still may not, if it's waiting
> for a C&C machine to instruct it. But if it's infected and connected to the
> rest of the world, it will be spewing at some point, and trying to infect
> other machines as well, which is A Bad Thing.
>
> --
> End-to-end connectivity is the "coin of the realm" for internet
> operations. Use it wisely. You only control your end of it.

If only things were quite that simple. I'm not the most experienced sysadmin in the world and it's not the only part of my job. I'm a bit overworked and can't devote adequate time to sysadmin duties. I'm trying to use Wireshark right now to inspect the packets. If you have any suggestions or advice I'm all ears.
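The check Mike describes (watching, from a second machine, for the suspect host opening SMTP sessions to many remote servers directly rather than through sendmail) can be scripted over a packet capture. The following is an added example, not code from anyone in this thread; it parses constructed tcpdump-style SYN lines, and the IP addresses, the capture text and the fan-out threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump output, as produced on a second machine
# attached to a mirror/span port with a filter such as
#   tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'
# 192.0.2.10 plays the suspect mail server; every address is made up.
SAMPLE = """\
14:24:01.000001 IP 192.0.2.10.51200 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0
14:24:01.100002 IP 192.0.2.10.51201 > 198.51.100.6.25: Flags [S], seq 2, win 64240, length 0
14:24:01.200003 IP 192.0.2.10.51202 > 203.0.113.7.25: Flags [S], seq 3, win 64240, length 0
14:24:01.300004 IP 192.0.2.10.51203 > 203.0.113.8.25: Flags [S], seq 4, win 64240, length 0
14:24:01.400005 IP 192.0.2.10.51204 > 203.0.113.9.25: Flags [S], seq 5, win 64240, length 0
14:24:02.000006 IP 192.0.2.20.40000 > 198.51.100.5.25: Flags [S], seq 6, win 64240, length 0
14:24:05.000007 IP 192.0.2.20.40001 > 198.51.100.5.587: Flags [S], seq 7, win 64240, length 0
"""

# Matches the timestamp, source/destination address and port of a SYN line.
SYN_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[S\]"
)


def outbound_smtp_syns(capture_text):
    """Return {source_ip: set(destination_ip)} for every SYN sent to port 25."""
    fanout = defaultdict(set)
    for line in capture_text.splitlines():
        m = SYN_RE.match(line)
        if m and m.group("dport") == "25":
            fanout[m.group("src")].add(m.group("dst"))
    return fanout


def suspicious_senders(capture_text, max_destinations=3):
    """Hosts that open SMTP sessions to more distinct remote servers than
    max_destinations. A legitimate MTA that relays via a smarthost talks to
    one or two hosts; a spam bot delivering direct-to-MX fans out widely.
    The threshold is an assumption and should be tuned to the site's mail volume."""
    return sorted(src for src, dsts in outbound_smtp_syns(capture_text).items()
                  if len(dsts) > max_destinations)


if __name__ == "__main__":
    for src, dsts in outbound_smtp_syns(SAMPLE).items():
        print(f"{src}: {len(dsts)} distinct SMTP destinations")
    print("suspicious:", suspicious_senders(SAMPLE))
```

Because the capture is taken on another machine, a rootkit hiding the sending process or its sockets on the suspect host does not affect the result.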