Ask the Expert

Scanning a compromised Fedora server

My Fedora box suddenly started to spew out SMTP requests to external servers. I have to disable it through xinet.d, but I can't find the source of the original problem. I've clean-installed qmail, checked Apache hits, unusual processes, etc. and I cannot find any triggers. Any ideas?

Requires Free Membership to View

This does sound like malicious behaviour, but it's very hard to say exactly what the issue is based on the limited information in your question. If you think your host is compromised, then I recommend your first step should be to pull the host off the network and quarantine it for further analysis. If you don't have the capability in-house to do this analysis, then I recommend you engage a third-party security organisation or consultancy to help you out.

If you don't or can't do this then, I suggest first checking your logs to determine it isn't a mis-configuration, such as being an open relay. Check both the logs on your mail server and your host. Qmail is an excellent package when it comes to logging. Every transaction Qmail undertakes is generally logged by default. You can find some more information on Qmail troubleshooting and logging at: Qmailrocks.org or the Life with qmail troubleshooting FAQ.

The qmail mailing list is also excellent source of information and help. You can find it at http://cr.yp.to/lists.html#qmail. Remember to clearly articulate your problem, post relevant logs and detail your configuration to allow other users to properly assist you.

You can also use tools such as Wireshark or tcpdump to analyse your outgoing network traffic. A Nessus and nmap scan of your host to detect vulnerabilities or unusual ports open is also a good idea. Checking for root kits (tools used to compromise your hosts) using a tool like chkrootkit may also determine if a root kit is running.

But I strongly recommend that this sort of behaviour can often be malicious and the safest course of action, if you can't immediately identify the issue, is to remove the box from the network before it is used to further compromise yours or others' networks.

This was first published in May 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: