Has our server been cracked

  1. #1
    Junior Member (joined Apr 2004, 7 posts)

    We regularly get viral email addressed to one of our email accounts purporting to be from our webserver (supposedly from an admin). The email says something about needing to update our account. I have never checked this out because it seemed obviously viral (McAfee catches it) and I know that email addresses can be spoofed.

    However, today I thought to look at the return path and it does contain our appliance address. Should I be concerned that the server has been cracked? Any particular tools that I (as a novice) could use to make a reasonable scan?

    Thanks for any suggestions.

  2. #2
    Senior Member (joined Oct 2003, 394 posts)
    ...I am not good at that... but a fast scan of %windir% can be good if you are using Windows.... and maybe also the bin ($PATH) folders in Linux....

    What type of server > Unix based or Windows based?
    Do you have something that monitors changes on the server? If so, then you can compare old with new and find potential viruses...

    Here is what I am thinking.. but wait for more answers......
    (me are newbie yet)
    // too far away outside of limit

  3. #3
    Junior Member (joined Apr 2004, 7 posts)
    It is a Linux server.

  4. #4
    Member (joined Jan 2005, 73 posts)
    Some details would be helpful, like e-mail headers.

    Also, check out your logs to see if any unusual traffic has been going in or out of your network.
    "The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward."
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.

  5. #5
    Senior Member (joined Apr 2002, 214 posts)
    Try verifying the e-mail server package with rpm -V. That will compare the files to the rpm database and make sure none of them changed. Is the server Postfix?
    Either get busy living or get busy dying.

    -The Shawshank Redemption

  6. #6
    I've been concerned with a similar issue, and since our mail server's antivirus scanner acts as a proxy and modifies the headers, I couldn't see the originating IP of the mails even when I turned the SMTP agent log to a higher level. So I just looked at the mail scanner documentation and turned debugging on.

    That way I couldn't capture the originating IP of the "offender", which turned out to be somebody among the people my users had mail discussions with. Another possibility is that one of the machines on your network is infected and uses your SMTP.

    Of course it doesn't hurt to install rkhunter and check your system for rootkits and vulnerable apps.
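Posts #4 and #6 both come down to reading the Received chain: the hop recorded by your own relay shows where a message really entered, whatever the Return-Path claims. The following is an added example, not code from the thread; it parses a constructed message and flags a sender that names your domain but arrived from outside your network (the network ranges, host names and domain names are assumptions).

```python
import re
import ipaddress
from email import message_from_string
from email.policy import default

# Constructed sample (not from the thread): Return-Path names the site's own
# mail appliance, but the earliest Received hop is an outside host.
SAMPLE = """\
Return-Path: <admin@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.net with ESMTP id 1ABC; Mon, 12 Apr 2004 10:00:00 +0000
Received: from pc-77 (unknown [198.51.100.77])
    by mail.example.net with SMTP id 2DEF; Mon, 12 Apr 2004 09:59:58 +0000
From: "Administrator" <admin@mail.example.net>
Subject: Please update your account

Your account must be updated. See attachment.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Relay IPs in transmission order, earliest hop first (each relay
    prepends its own Received line, so the last one is nearest the sender)."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        # Unfold the header, keep only the 'from ...' clause, pull its IP.
        from_clause = re.split(r"\s+by\s+", " ".join(value.split()))[0]
        m = IP_RE.search(from_clause)
        hops.append(m.group(1) if m else None)
    return hops

def assess(raw, local_nets, local_domains):
    """Does the envelope sender's claimed origin match the first hop?"""
    msg = message_from_string(raw, policy=default)
    ret = (msg.get("Return-Path") or "").strip("<> ")
    domain = ret.rpartition("@")[2].lower()
    hops = received_hops(raw)
    origin = hops[0] if hops else None
    nets = [ipaddress.ip_network(n) for n in local_nets]
    origin_local = origin is not None and any(
        ipaddress.ip_address(origin) in n for n in nets)
    return {
        "return_path": ret,
        "claims_local": domain in local_domains,
        "origin_ip": origin,
        "origin_local": origin_local,
        # Trust only hops written by your own relays; lower ones may be forged.
        "spoofed_sender": domain in local_domains and not origin_local,
    }

if __name__ == "__main__":
    print(assess(SAMPLE, ["192.0.2.0/24"], {"mail.example.net", "example.net"}))
```

If the first hop is instead a host on your own LAN, the result points at the infected-internal-machine case from post #6 rather than a spoof from outside.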
