  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 191

Mysterious mail from an unused IP.

Hi All;

I have a server running a control panel (PLESK).  Within the control panel we have multiple clients; each client is assigned its own IP so we can monitor bandwidth usage on a per-client level.  Now each IP has multiple domains hosted off of it.  However, we did assign a couple of extra IPs to that server for use later when we get more clients.  Now one of these unused IPs is sending out TCP packets that look to me like mail.  Again, there is nobody assigned to this IP address.  I realize that the server might be compromised, but I don't want to start pulling down sites unless I am absolutely sure.  The amount of bandwidth that the server is using is minimal (150 MB/24 hours).  How can I check to be sure that this is not legitimate traffic?

P.S.  I checked the mail logs and wouldn't ya know it, the maillog is 0kb.
0
Asked by: seanostephens
1 Solution
 
PsiCop Commented:
Examine the contents of the TCP packets. What's in there? Is it legit?
0
 
kewljoe Commented:
Here is a good tool for viewing network traffic, and it's free.
http://www.ethereal.com/

PS
Could the IP be spoofed? Or is it actual traffic?
0
 
seanostephens (Author) Commented:
I'm not sure; that's what I have been trying to figure out.  I've got Snort installed and monitoring packets.  After letting it run for a day I found that most of the traffic is legit mail from a list on our server.  However, there are a few packets that come through that contain either:

a) no data (just TCP headers)
b) 221 service closing channel.

Are either of these OK?
0
 
kewljoe Commented:
According to this:
http://www.nthelp.com/smtp_commands.htm
http://dfrench.hypermart.net/fancyIndex/Tools/smtp101.html

221 is an SMTP reply code.

Hope that helps narrow it down.
0
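An added example, not part of the original thread: one way to sort captured segments like the ones described above into TCP control segments (no payload), SMTP replies such as 221, and SMTP commands, and then to tell from direction and port whether an address is answering mail connections or opening them. The addresses, sample segments and function names are constructed for illustration.

```python
import re
from collections import Counter

# SMTP replies start with a three-digit code; commands start with a verb.
REPLY = re.compile(rb"^(\d{3})[ -]")
COMMAND = re.compile(
    rb"^(?:(?:EHLO|HELO|DATA|RSET|NOOP|QUIT)(?=[ \r\n]|$)|MAIL FROM:|RCPT TO:)", re.I)

def classify(payload: bytes) -> str:
    """Label one TCP segment's payload as seen on an SMTP connection."""
    if not payload:
        return "control"              # headers only: SYN, bare ACK, FIN or RST
    m = REPLY.match(payload)
    if m:
        return "reply:" + m.group(1).decode()
    return "command" if COMMAND.match(payload) else "data"

def role_of(ip: str, segments) -> str:
    """Decide from segments sent BY ip whether it acts as SMTP server or client."""
    seen = Counter()
    for src, sport, dst, dport, payload in segments:
        if src != ip:
            continue
        kind = classify(payload)
        if kind.startswith("reply:") and sport == 25:
            seen["server"] += 1       # answering someone who connected to port 25
        elif kind == "command" and dport == 25:
            seen["client"] += 1       # opening sessions to remote mail servers
    if seen["server"] and seen["client"]:
        return "both"
    return "smtp-server" if seen["server"] else "smtp-client" if seen["client"] else "none"

# Constructed sample segments: (src, sport, dst, dport, payload)
LOCAL, REMOTE = "192.0.2.10", "198.51.100.7"
INBOUND = [
    (REMOTE, 40000, LOCAL, 25, b""),
    (LOCAL, 25, REMOTE, 40000, b""),
    (LOCAL, 25, REMOTE, 40000, b"220 mail.example.org ESMTP\r\n"),
    (REMOTE, 40000, LOCAL, 25, b"QUIT\r\n"),
    (LOCAL, 25, REMOTE, 40000, b"221 service closing channel\r\n"),
]
OUTBOUND = [
    (LOCAL, 51000, REMOTE, 25, b"EHLO host.example.org\r\n"),
    (LOCAL, 51000, REMOTE, 25, b"MAIL FROM:<list@example.org>\r\n"),
    (REMOTE, 25, LOCAL, 51000, b"250 OK\r\n"),
]

if __name__ == "__main__":
    for name, capture in (("inbound", INBOUND), ("outbound", OUTBOUND)):
        print(name, role_of(LOCAL, capture), [classify(s[4]) for s in capture])
```

A reply code sent from local port 25 means the address is being connected to; SMTP commands sent to a remote port 25 mean the address itself is originating mail.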
 
ViRoy Commented:

Was there a computer using this IP at any time? Maybe the mail server has it in cache for some reason.

Where are the packets destined? Are they just hammering the mail server?
0
 
seanostephens (Author) Commented:
Thanks all for the replies.  I have come to the conclusion that it is legit mail coming off that server.  Better safe than sorry.  Thanks again.
0
