How to find out if it is being used as an open relay?

A friend has a small company with an opensuse linux computer and their ISP just told them that something’s sending spam. The person who set this computer up is long since gone. They don’t know anything about linux and have no idea what programs are on there.

How would I figure out:

  1. If there’s an emailing program on there
  2. Whether it’s sending or capable of sending spam
  3. Lock it down

Two things to consider. Any box, ever, can be the source of spam if a
user on that box wants it to be. It does not matter at all if the system
is running an open relay as a mail server or not if the box is compromised.

To see if your box is an open relay… well, there are several ways to be
an open relay. What kind of spam is the ISP saying is coming from their
box? Should the box be sending mail at all? If so, what kind of mail
from where to where? If the box should never be relaying mail via SMTP
just make sure the firewall is, as is the default, blocking SMTP port 25.
The mail server also, by default, only listens on localhost so you could
prevent that though changing the firewall is an easier and usually better
solution in this case. If the box should never be sending mail at all
then watch for when it does and what it sends and work back from there.

Good luck.

On 06/11/2010 10:56 AM, 6tr6tr wrote:
>
> A friend has a small company with an opensuse linux computer and their
> ISP just told them that something’s sending spam. The person who set
> this computer up is long since gone. They don’t know anything about
> linux and have no idea what programs are on there.
>
> How would I figure out:
>
> 1. If there’s an emailing program on there
> 2. Whether it’s sending or capable of sending spam
> 3. Lock it down
>
>

Thanks for the help!

How do I do this?

ab@novell.com wrote:
> watch for when it does and what it sends and work back from there.

and I’d suggest looking for the rootkit that may be in charge of
that machine…

What version of openSUSE is it running?


DenverD (Linux Counter 282315)
CAVEAT: http://is.gd/bpoMD
posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
2.6.22.19-0.4-default SMP i686
AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
CMedia 9761 AC’97 Audio

On Fri, 11 Jun 2010 17:56:01 +0000, 6tr6tr wrote:

> Thanks for the help!
>
> ab@novell.com;2175474 Wrote:
>> If the box should never be sending mail at all then watch for when it
>> does and what it sends and work back from there.
>
> How do I do this?

Easiest thing to do would be to start by disabling postfix and/or
sendmail. Do this in YaST’s runlevel editor.

If it’s supposed to send mail, then you’ll need to use YaST’s
configuration editor for the mailer program (I believe Postfix is the
default selection these days) and set up security options to allow mail
only from the local machine, or to use authenticated SMTP, or from a
local network (of course, if a machine on the local network is
compromised, that may be what’s causing the issue, too).

Jim


Jim Henderson
openSUSE Forums Administrator
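Jim’s post names the Postfix settings that decide who may relay through the box. As an added example, not code from this thread or from the Postfix project, the following Python script parses a main.cf and flags the settings that would leave the machine relaying for anyone: inet_interfaces, mynetworks and the reject_unauth_destination entry in smtpd_relay_restrictions / smtpd_recipient_restrictions are real Postfix parameters; the sample config is constructed for the demo.

```python
"""Flag Postfix main.cf settings that let a box relay mail for anyone (added example)."""
import ipaddress
import re
# Constructed sample config for the demo; a real audit reads /etc/postfix/main.cf.
SAMPLE_MAIN_CF = """\
inet_interfaces = all
mynetworks = 127.0.0.0/8, [::1]/128,
    192.168.1.0/24, 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit
"""
def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
        elif (m := re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)):
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def relay_findings(params):
    """Return the relay-related problems in a parsed main.cf (empty list = none found)."""
    findings = []
    iface = params.get("inet_interfaces", "all")  # Postfix's compiled-in default is 'all'
    if iface not in ("localhost", "loopback-only"):
        findings.append(f"inet_interfaces = {iface}: SMTP is reachable from the network")
    for net in filter(None, re.split(r"[,\s]+", params.get("mynetworks", ""))):
        try:  # a /0 entry makes every client on the internet a trusted relay source
            if ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False).prefixlen == 0:
                findings.append(f"mynetworks trusts every client: {net}")
        except ValueError:  # hostnames, lookup tables, '!' negations: check by hand
            findings.append(f"mynetworks entry needs manual review: {net}")
    # Unset restrictions mean Postfix's built-in default, which does reject unauthorised relaying.
    restr = params.get("smtpd_relay_restrictions", params.get("smtpd_recipient_restrictions"))
    if restr is not None:
        for tok in filter(None, re.split(r"[,\s]+", restr)):
            if re.fullmatch(r"(reject|defer)_unauth_destination", tok):
                break
            if tok == "permit":  # a bare permit ends evaluation before the reject is reached
                findings.append("relay restrictions permit everyone before reject_unauth_destination")
                break
        else:
            findings.append("relay restrictions never reject_unauth_destination: open relay")
    return findings

def audit(text):
    return relay_findings(parse_main_cf(text))
```

Run `audit(open("/etc/postfix/main.cf").read())` on the real file; an empty list means none of the three relay knobs is wide open, which still says nothing about a compromised account or process sending mail directly, as the first reply points out.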

You may need to advise your friend to hire a temporary or part-time
*nix administrator…

What country are you in… that is, what language is the operating
language on the server? I ask because I know a top-notch, trustworthy
admin guy in Slovenia who could do all this from afar… for a fair
and reasonable price…


DenverD (Linux Counter 282315)

Thank you to EVERYONE for your help! We blocked the ports, changed firewall settings and were able to figure out who/what was attempting to send spam!

Thanks again!