How can I tell if one of our linux boxes is a spam generator?
-
I have all our mail going through our spam filter. In the last 24 hours our OutgoingQueue has hit over 400. All of them have no names on sender and receiver. How do I check if a Linux box has been compromised? I cannot turn it off at this point.
-
Do you have a specific Linux box to check? Or is this a pool of many and you are wondering if "any of them" is compromised?
-
The spam filter "should" record the IP address of the sender. In theory, that would tell you on a LAN.
-
If the Linux server should not be sending traffic, block its outbound port 25 to stop the possibility of it sending.
-
@scottalanmiller said in How can I tell if one of our linux boxes is a spam generator?:
Do you have a specific Linux box to check? Or is this a pool of many and you are wondering if "any of them" is compromised?
Single box. It is our Moodle Server which sends email through class discussions.
-
Obviously a WireShark or similar on the LAN should show traffic patterns to know the SMTP sources.
-
@WLS-ITGuy said in How can I tell if one of our linux boxes is a spam generator?:
@scottalanmiller said in How can I tell if one of our linux boxes is a spam generator?:
Do you have a specific Linux box to check? Or is this a pool of many and you are wondering if "any of them" is compromised?
Single box. It is our Moodle Server which sends email through class discussions.
Oh, that makes it much harder. You are looking for a compromise inside an existing email stream!
-
@scottalanmiller said in How can I tell if one of our linux boxes is a spam generator?:
@WLS-ITGuy said in How can I tell if one of our linux boxes is a spam generator?:
@scottalanmiller said in How can I tell if one of our linux boxes is a spam generator?:
Do you have a specific Linux box to check? Or is this a pool of many and you are wondering if "any of them" is compromised?
Single box. It is our Moodle Server which sends email through class discussions.
Oh, that makes it much harder. You are looking for a compromise inside an existing email stream!
That's what I thought.
Email is passed from the Moodle server to the Exchange box, and then to our spam filter. Both incoming and outgoing emails are going through the spam filter.
-
Look at processes on the Moodle box? If you have a rough idea of what the resource usage should be, you can compare that with actual usage and dig into anything that's out of spec.
-
@WLS-ITGuy said in How can I tell if one of our linux boxes is a spam generator?:
Single box. It is our Moodle Server which sends email through class discussions.
Hmmm, check nload perhaps. I am guessing the machine with a lot of network activity is the suspect; that said, spam is just text, so... Also, there are a lot of rootkit scanners for Linux, free and in the package system, so it is a good chance to test them.
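Building on the "look at processes / network activity" suggestions above, here is an added example (not code from the thread or from any poster): a Python triage helper that parses the text of `ss -tanp` on the Linux box, lists which process is holding outbound SMTP connections, and flags any that go somewhere other than the approved relay. The `ss` output, PIDs, process names and addresses below are constructed samples, and the relay address is an assumption.

```python
"""Triage helper: which local processes hold outbound SMTP connections? Parses `ss -tanp` text."""
import re

SMTP_PORTS = {25, 465, 587}

# Constructed `ss -tanp` output with hypothetical PIDs and RFC 5737 test addresses (not real data).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:44120      203.0.113.10:25    users:(("perl",pid=4242,fd=3))
ESTAB  0      0      10.0.0.5:44122      203.0.113.11:25    users:(("perl",pid=4242,fd=4))
ESTAB  0      0      10.0.0.5:44124      198.51.100.7:25    users:(("perl",pid=4242,fd=5))
ESTAB  0      0      10.0.0.5:51000      10.0.0.20:25       users:(("php-fpm",pid=1337,fd=9))
ESTAB  0      0      10.0.0.5:443        192.0.2.44:52311   users:(("apache2",pid=900,fd=12))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=700,fd=3))
"""

# State, Recv-Q, Send-Q, local, peer, then the first ("name",pid=N,...) inside users:(...)
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def split_host_port(addr):
    """'203.0.113.10:25' -> ('203.0.113.10', 25); a '*' port becomes None."""
    host, _, port = addr.rpartition(':')
    return host, (int(port) if port.isdigit() else None)

def smtp_talkers(ss_output, allowed_relays=frozenset()):
    """Map (proc, pid) -> {'peers': [...], 'unexpected': n} for processes whose remote port
    is an SMTP port. Peers in allowed_relays (your own relay, e.g. the Exchange box) are
    listed but not counted as unexpected."""
    result = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('state') == 'LISTEN':
            continue  # header line, listening sockets, or rows without process info
        peer_host, peer_port = split_host_port(m.group('peer'))
        if peer_port not in SMTP_PORTS:
            continue
        entry = result.setdefault((m.group('proc'), int(m.group('pid'))),
                                  {'peers': [], 'unexpected': 0})
        entry['peers'].append(peer_host)
        if peer_host not in allowed_relays:
            entry['unexpected'] += 1
    return result

def suspicious(ss_output, allowed_relays=frozenset()):
    """(proc, pid, count) for processes sending SMTP past the relay, worst first."""
    talkers = smtp_talkers(ss_output, allowed_relays)
    return sorted(((p, pid, e['unexpected']) for (p, pid), e in talkers.items()
                   if e['unexpected']), key=lambda t: -t[2])
```

On the box itself, feed the real output in with `suspicious(subprocess.check_output(['ss', '-tanp'], text=True), {'10.0.0.20'})` (relay address is whatever your Exchange box is), then inspect the flagged PID's command line and parent with `ps -o pid,ppid,user,cmd -p PID` and the cron entries that started it.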
-
Well, it looks like it is actually FreePBX that is part of the problem again, with some stupid cron jobs.
And there is an issue with Moodle, but I think that is more of an authentication issue and not actually a spam issue.