There are about 3-5 entries in the log file for different IP addresses every minute. I don’t know if I have been hacked and my machine is now some kind of mail spamming zombie, or if this is a valid URL. I looked up the IP address above and it returned:
Have a look at /var/log/messages and you might identify more attacks. Maybe you’ll be able to identify on which port they are spamming you. I had issues on port 22 (ssh) with attacks.
I checked the logs and saw multiple (hundreds!) of attempts on ports 22 and 21, so I immediately closed those ports on the firewall to stop these dead.
However, the proxy log is showing OUTBOUND traffic from my network to the link I provided in my original post.
I’m concerned that my mail server is hijacked into a spambot. I have since installed DansGuardian onto my firewall but it’s still showing outbound traffic to the URL. Any ideas how to stop these dead?
I wish I knew more to help you. So you are saying that this server still connects, or at least you can see in the log that it connects to that IP address. Can you stop the server completely, unless you need to use it? It might be that someone was able to successfully connect and get something installed on your side, but I cannot be sure. Maybe somebody else who knows more about mail servers could help you out. I wrote a command to pull out from the log all the IP addresses which were attacking you, if you want to use it. Try to find the string which is part of each line logged (in my case it was the server name and sshd, ex. "aruba sshd").
Note: I used messages* in case you have multiple files and some of them were zipped by the system:
zgrep 'your string' /var/log/messages* | grep 'user' | awk -f /path/awk_ip
Here are the lines needed in this small script awk_ip (you can use any name you want for your awk script and use any editor you like to create the file). Please don’t forget to give u+x to the script, and you have to run this as root in order to have access to the messages log files (or copy them to your user):
#! /usr/bin/gawk -f
# For every line piped in, count one attempt against field 10,
# which is the source IP address in these sshd log lines
{
    ip_array[$10]++;
}
# After the last line, print the per-address totals
END {
    for (ip_address in ip_array)
    {
        print "FROM", ip_address, "there were", ip_array[ip_address], "attempts"
    }
}
and the result would be something like this:
FROM 200.46.212.67 there were 737 attempts
FROM 69.124.40.54 there were 2 attempts
FROM 222.87.0.97 there were 1366 attempts
FROM 221.6.179.212 there were 20 attempts
FROM 77.51.250.130 there were 2710 attempts
FROM 202.30.130.134 there were 221 attempts
FROM 210.82.89.139 there were 330 attempts
Good luck with your search and please let us know if you find anything. I will try to learn how to debug/maintain a mail server.
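The zgrep/awk pipeline above relies on the IP address always sitting in field 10. As an added example (not code from anyone in this thread), the following Python script does the same count but pulls the address out with a regular expression, reads rotated .gz files like zgrep does, and lets you set a threshold so only the heavy offenders are reported. The log lines embedded in it are constructed samples, and the path pattern is only a default assumption.

```python
import glob
import gzip
import re
from collections import Counter

# Constructed sample lines in /var/log/messages format (not from the thread).
SAMPLE_LOG = """\
Mar  3 10:01:12 aruba sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Mar  3 10:01:15 aruba sshd[2233]: Failed password for invalid user test from 203.0.113.5 port 4023 ssh2
Mar  3 10:02:01 aruba sshd[2240]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:02:09 aruba sshd[2241]: Accepted password for bob from 192.0.2.10 port 51023 ssh2
Mar  3 10:03:00 aruba cron[2250]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Match only failed sshd logins and capture the source address, wherever it sits in the line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port"
)

def open_log(path):
    """Open plain or gzip-rotated log files transparently (what zgrep does)."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", errors="replace")
    return open(path, "rt", errors="replace")

def count_failed_logins(lines):
    """Return a Counter mapping source IP -> number of failed sshd logins."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def count_from_files(pattern="/var/log/messages*"):
    """Aggregate counts over every file matching the glob (default path is an assumption)."""
    counts = Counter()
    for path in sorted(glob.glob(pattern)):
        with open_log(path) as fh:
            counts.update(count_failed_logins(fh))
    return counts

def report(counts, threshold=1):
    """Format addresses with at least `threshold` attempts, busiest first."""
    return [f"FROM {ip} there were {n} attempts"
            for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for line in report(count_failed_logins(SAMPLE_LOG.splitlines())):
        print(line)
```

Run as root (or on a copy of the logs) and raise `threshold` to hide the one-off failures so the brute-force sources stand out.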
I would look at changing your mail server if this is anything to go on… Get onto some security RSS feeds; use something like Yahoo Pipes to get the relevant ones you want.
Though it looks like there is a fix with the vendor; I have not really looked at the exploit. If the server hasn’t been compromised, the fix might still be good.