October 29th, 2005, 09:33 PM
Has our server been cracked?
We regularly get viral email addressed to one of our email accounts purporting to be from our webserver (supposedly from an admin). The email says something about needing to update our account. I have never checked this out because it seemed obviously viral (McAfee catches it) and I know that email addresses can be spoofed.
However, today I thought to look at the return path and it does contain our appliance address. Should I be concerned that the server has been cracked? Any particular tools that I (as a novice) could use to make a reasonable scan?
Thanks for any suggestions.
October 29th, 2005, 10:26 PM
...I am not good on that... but a fast scan of %windir% can be good if you are using Windows.... and maybe also the bin ($PATH) folders in Linux....
What type of server: Unix based or Windows based?
Do you have something monitoring changes on the server? If so, then you can compare old with new and find potential viruses...
Here is what I am thinking.. but wait for more answers......
(me are newbie yet)
// too far away outside of limit
October 29th, 2005, 10:40 PM
October 30th, 2005, 12:05 AM
Some details would be helpful, like e-mail headers.
Also, check out your logs to see if any unusual traffic has been going in or out of your network.
"The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward."
Phillip Toshio Sudo, Zen Computer
Have faith, but lock your door.
October 30th, 2005, 08:04 PM
Try verifying the e-mail server package with rpm -V. That will compare the files to the rpm database and make sure none of them changed. Is the server Postfix?
Either get busy living or get busy dying.
-The Shawshank Redemption
October 31st, 2005, 06:51 AM
I've been concerned with a similar issue and since our mailserver a-vir scanner acts as a proxy and modifies the headers I couldn't see the originating IP of the mails even when I turned the smtp agent log to a higher level. So just looked at the mail scanner documentation and turned the debugging on.
That way I couldn't capture the originating IP of the "offender" which came out to be somebody from the people my users did have mail discussions. Another possibility is that one of the machines on your network is infected and uses your SMTP.
Of course it doesn't hurt to install rkhunter and check your system for rootkits and vulnerable apps.
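Added example, not part of any post in this thread: a Python sketch of the header check the replies ask for. It walks the Received chain to tell a forged Return-Path naming your own server apart from mail that really was submitted from inside your network. The host names, address ranges and sample message are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumption: address ranges of our own mail hosts (documentation ranges here).
OUR_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
HOP_RE = re.compile(r"from (\S+) .*?\[([0-9A-Fa-f.:]+)\]")

# Constructed sample: Return-Path and HELO both claim our server's name,
# but our scanner recorded the real connecting address.
SAMPLE = """\
Return-Path: <admin@mail.example.org>
Received: from scanner.example.org (localhost [127.0.0.1])
\tby mail.example.org (Postfix) with ESMTP id ABC123;
\tSat, 29 Oct 2005 21:01:07 -0400
Received: from mail.example.org (unknown [203.0.113.45])
\tby scanner.example.org with SMTP id XYZ789;
\tSat, 29 Oct 2005 21:01:05 -0400
From: admin@mail.example.org
To: user@example.org
Subject: Update your account

Please update your account.
"""

def classify(raw):
    """Walk Received headers newest-first. Stamps written by our own hosts
    are trustworthy; anything below the first outside address is not."""
    msg = email.message_from_string(raw)
    last_internal = None
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.match(" ".join(hdr.split()))
        if not m:
            continue  # hop without a bracketed address: nothing to judge
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed address: skip this hop
        if not any(ip in net for net in OUR_NETS):
            return {"origin": "external", "ip": str(ip),
                    "claimed_helo": m.group(1),
                    "return_path": msg["Return-Path"]}
        last_internal = str(ip)
    # Every recorded hop is ours: the mail was submitted from inside.
    return {"origin": "internal", "ip": last_internal,
            "claimed_helo": None, "return_path": msg["Return-Path"]}

if __name__ == "__main__":
    print(classify(SAMPLE))
```

An "external" result means the Return-Path and HELO name were simply forged by the sender; an "internal" result points at a machine on your own network, which is the case worth following up with the log and file-integrity checks mentioned in the replies.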