Help with identifying an intrusion
Posted on 2006-06-05
I am reviewing my mail logs and I have noticed an email originating from 127.0.0.1. This is not something that is normal for my mail server to do. I have since stopped my mail server from allowing 127.0.0.1, but the "program" is still attempting to send. I have done a netstat to see if it is originating from local or from a spoof. It seems to be originating from a local source (I will paste the netstat log below), which leads me to believe that it is in fact a virus of some sort. My virus scanner has not picked up anything of value.
I am trying to find the program or flaw that is responsible. Is there a way to find what program is responsible for the entry in netstat? I have edited the following netstat to show all the entries from port 25.
Proto Local Address Foreign Address State
TCP 127.0.0.1:3713 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3719 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3723 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3726 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3727 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3729 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3730 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3734 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3737 127.0.0.1:25 ESTABLISHED
TCP 127.0.0.1:3742 127.0.0.1:25 ESTABLISHED
TCP 127.0.0.1:3745 127.0.0.1:25 ESTABLISHED
Now to me that seems like an awful lot of connections for my little mail server. The entry in the logs comes up about every 20 seconds. Is there a way to track this down to make sure that it is in fact not a virus trying to send mail, or whether it is someone spoofing 127?
Any help would be appreciated.
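An added example, not part of the original post or its replies, of the defender's answer to "which program owns this netstat entry": on Windows, `netstat -ano` adds the owning-PID column that the listing above lacks, and the script below parses such output, counts client-side connections to port 25 per PID, and reports the live ones for lookup with `tasklist`. The sample output, the PIDs, and the extra rows are constructed.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output in the Windows format the post uses;
# -o adds the owning-PID column. The 127.0.0.1:37xx -> 127.0.0.1:25 rows mirror
# the post, the PIDs and the remaining rows are invented.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1180
  TCP    127.0.0.1:3713         127.0.0.1:25           TIME_WAIT       0
  TCP    127.0.0.1:3719         127.0.0.1:25           TIME_WAIT       0
  TCP    127.0.0.1:3737         127.0.0.1:25           ESTABLISHED     2044
  TCP    127.0.0.1:3742         127.0.0.1:25           ESTABLISHED     2044
  TCP    127.0.0.1:3745         127.0.0.1:25           ESTABLISHED     2044
  TCP    192.168.1.10:3801      203.0.113.5:80         ESTABLISHED     1520
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
"""

# Windows TCP rows: proto, local, foreign, state, pid (UDP rows carry no state).
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def split_endpoint(endpoint):
    """'127.0.0.1:3713' -> ('127.0.0.1', 3713); rpartition also handles [::1]:25."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def parse_netstat(text):
    """Return (local_host, local_port, remote_host, remote_port, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            local, remote, state, pid = m.groups()
            rows.append(split_endpoint(local) + split_endpoint(remote) + (state, int(pid)))
    return rows

def smtp_clients(rows, smtp_port=25):
    """Connections per PID whose *foreign* side is the SMTP port, i.e. the process
    acting as an SMTP client rather than the listening mail server. PID 0 means
    the owner already closed the socket (TIME_WAIT): it proves the burst happened
    but can no longer name the program, so sample while a row is ESTABLISHED."""
    counts = Counter(pid for _, lp, _, rp, _, pid in rows if rp == smtp_port and lp != smtp_port)
    return dict(counts)

def suspects(rows, smtp_port=25):
    """Live PIDs owning outbound SMTP connections, busiest first. Resolve each to a
    program name on the host with `tasklist /FI "PID eq <pid>"`."""
    counts = smtp_clients(rows, smtp_port)
    return sorted(((pid, n) for pid, n in counts.items() if pid != 0), key=lambda t: -t[1])
```

On the affected host, feed the real `netstat -ano` output to `parse_netstat` while an ESTABLISHED row is present, since the TIME_WAIT rows in the post have already lost their owning PID.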