Is My Linux Machine a Spam Bot?

chsalvia
Recently I've found reason to believe my Linux computer might have been compromised by a spam-bot.  (I was blacklisted on CBL.)  I carefully examined all running processes, and I don't see any process that's out of the ordinary.

If my Linux machine is running a spam-bot, how can I find out?  I'm running Ubuntu 6.06.  Are there some access logs that might be helpful, or software specially designed to detect this sort of thing?
Top Expert 2004

Commented:
If you're running a mail server, check the mail logs.  It should detail every message that comes in or out.  I find my log at /var/log/maillog, or the /var/log/mail directory.
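As an added example (not part of this reply or any other in the thread), here is a small shell script that summarises a mail log per sender, so that a local account that suddenly sends far more mail than usual stands out. It assumes the Postfix queue-manager log format ("from=<addr>, ... nrcpt=N"); sendmail writes its log lines differently. The log lines embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a mail log per sender so that a
# local account that suddenly sends far more mail than usual stands out.
# Assumption: Postfix queue-manager lines ("from=<addr>, ... nrcpt=N"); sendmail
# writes a different format. The log lines below are constructed for the demo.

SAMPLE_MAILLOG='Jan  9 10:01:12 box postfix/qmgr[2211]: 1A2B3C4D5E: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Jan  9 10:02:40 box postfix/qmgr[2211]: 6F7A8B9C0D: from=<www-data@box.example>, size=1120, nrcpt=50 (queue active)
Jan  9 10:02:41 box postfix/qmgr[2211]: 1E2F3A4B5C: from=<www-data@box.example>, size=1120, nrcpt=50 (queue active)
Jan  9 10:02:43 box postfix/qmgr[2211]: 7D8E9F0A1B: from=<www-data@box.example>, size=1121, nrcpt=48 (queue active)
Jan  9 10:02:44 box postfix/qmgr[2211]: 8E9F0A1B2C: from=<>, size=3000, nrcpt=1 (queue active)
Jan  9 10:15:05 box postfix/qmgr[2211]: 2C3D4E5F6A: from=<alice@example.com>, size=5120, nrcpt=2 (queue active)'

# Read log lines on stdin; print "<messages> <recipients> <sender>", sorted by
# recipient count, busiest first. Bounces (from=<>) are skipped because the
# pattern requires a non-empty sender address.
sender_summary() {
    sed -n 's/.*postfix\/qmgr.*from=<\([^>][^>]*\)>.*nrcpt=\([0-9]*\).*/\1 \2/p' |
    awk '{ msgs[$1]++; rcpts[$1] += $2 }
         END { for (s in msgs) print msgs[s], rcpts[s], s }' |
    sort -k2,2nr -k1,1nr
}

# Print only the senders whose total recipient count exceeds a threshold
# (default 100): the usual signature of a script or bot sending in bulk.
busy_senders() {
    limit=${1:-100}
    sender_summary | awk -v limit="$limit" '$2 > limit { print $3 }'
}

# Usage against a real log:  sender_summary < /var/log/mail.log
#                            busy_senders 100 < /var/log/mail.log
```

On the constructed sample, the web server account www-data shows 3 messages to 148 recipients within a few seconds while the human user shows 2 messages to 3 recipients; a compromised web application sending through the local MTA looks exactly like this in the log.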
Top Expert 2007
Commented:
Hi,

To test if your server is running a mail server, run

telnet 0 25

If you see that you are connected, then you have a mail server running and accepting connections on port 25.
To see if the sendmail process is running, use
ps -ef | grep mail
To stop it:
cd /etc/init.d
./sendmail stop
If you want to disable it:
mv sendmail .sendmail

Commented:
Was your IP address blacklisted, or just your domain name?

It's sad, but the spammers use bogus domain names, and they may have used yours.

Also, if you run a mailing list, some folks are so lazy that instead of signing off of your list, they report it and your domain gets banned...

sysadmin
Commented:
If you don't mind not having mail sending ability for a short period of time, you should block the outgoing mail by blocking all packets that are directed to destination port 25.
Just add a quick iptables rule which drops the packets and logs all of the occurrences to a file. Then tail -f the file for a while. Having an active spambot in your box should usually generate a fair amount of output there. Should you opt for a DNS resolution in the process, you should also be able to tell the legitimate traffic from the spam if you happen to run a bigger enterprise site.
However, if there is no spambot in your box, the small outage you've created in the process is not gonna hurt, because your mail server will try to keep sending these blocked e-mails for quite a while (depending on the configuration but usually several days).
Duncan Roe, Software Developer

Commented:
The telnet command should be:

telnet localhost 25

In my case I do have a server, and I see:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 dimstar.local.net ESMTP

To break the connection, type Control-] and q at the prompt, e.g.:

^]
telnet> q
Connection closed.

Just because you have a mail server doesn't make you a spam-bot, but do follow the advice above (check logs &c). Also, during a period when you don't expect much legitimate traffic, you could try running

tcpdump port 25

in an xterm somewhere. You'll get output from incoming mail, but you want to look for attempted connects to outside (packet type S). If you see lots of them, something's amiss.
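The two suggestions above (an iptables rule that drops and logs outbound port 25 traffic, and watching port 25 with tcpdump for outgoing connection attempts) combined into one script, as an added example that is not part of either reply. It assumes a Linux host with iptables and tcpdump; the log prefix "SMTP-OUT:" and the kernel log lines embedded for the demonstration are constructed, and the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): log every outbound SMTP connection
# attempt with iptables, drop it for the duration of the test, and summarise
# the resulting kernel log by destination. Assumes Linux with iptables and
# tcpdump; the prefix "SMTP-OUT:" and the log lines below are constructed.

# Print the firewall commands rather than running them, so they can be
# reviewed first:   smtp_egress_rules | sh
# --syn matches only connection attempts, so one delivery attempt produces
# one log line instead of one line per packet. The LOG rule is inserted at
# position 1 and the DROP rule at position 2 so that logging happens first.
smtp_egress_rules() {
    cat <<'EOF'
iptables -I OUTPUT 1 -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-OUT: " --log-level info
iptables -I OUTPUT 2 -p tcp --dport 25 --syn -j DROP
EOF
}

# The matching removal, to run once the test period is over.
smtp_egress_rules_remove() {
    cat <<'EOF'
iptables -D OUTPUT -p tcp --dport 25 --syn -j DROP
iptables -D OUTPUT -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-OUT: " --log-level info
EOF
}

# The same idea for tcpdump: packets to port 25 whose flags are exactly SYN,
# i.e. new connections leaving this box, not the SYN/ACK replies to inbound
# mail that "tcpdump port 25" would also show.
smtp_egress_capture_cmd() {
    echo "tcpdump -ni any 'tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'"
}

# Read kernel log lines on stdin (e.g. tail -f /var/log/kern.log) and print
# "<attempts> <destination>", busiest destination first. A mail server that
# is merely retrying a few queued messages shows a handful of destinations;
# a spam bot shows hundreds of distinct ones.
smtp_egress_summary() {
    grep 'SMTP-OUT:' | sed -n 's/.*DST=\([0-9.][0-9.]*\).*/\1/p' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample of what syslog writes for the LOG rule above.
SAMPLE_KERNLOG='Jan  9 10:20:01 box kernel: SMTP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  9 10:20:02 box kernel: SMTP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=41235 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  9 10:20:02 box kernel: SMTP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=41236 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  9 10:20:03 box kernel: SMTP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=41237 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  9 10:20:05 box kernel: usb 1-1: new device found'

# Usage:  smtp_egress_rules | sh
#         tail -f /var/log/kern.log | smtp_egress_summary     (or the file later)
#         smtp_egress_rules_remove | sh
```

The DROP rule is what makes the test safe to leave in place for a while: a legitimate MTA keeps the blocked mail in its queue and retries later, as the earlier reply notes, whereas a bot's attempts simply pile up in the log. Note that the summary counts connection attempts, not packets, precisely because of --syn.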
Tolomir, Administrator
Top Expert 2005
Commented:
Hmm, I wonder: if I were a botnet programmer, I would not use port 25 as the SMTP port, but something unsuspicious instead.

First of all, I would make sure that Ubuntu is updated to the latest patch level. (1)

Then I would check with Shields Up for open ports. (2)

If all ports are closed, there could still be some port knocking involved (3), but we should single out the easy ones first.

Tolomir

(1) http://www.cyberciti.biz/faq/how-do-i-update-ubuntu-linux-softwares/
(2) https://www.grc.com/x/ne.dll?bh0bkyd2
(3) http://en.wikipedia.org/wiki/Port_knocking
jako, sysadmin

Commented:
Indeed, Tolomir. It's not port 25 on the spambot itself, but all the packets directed to port 25 of remote spam destinations, that need to be blocked.
Reread my comment, please.
Note that you don't have to have a spambot to be listed on CBL or any other DNSBLs.  All you have to have is an open relay.

Have you verified that you're not running an open relay?
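One way to answer that question for your own server, as an added example that is not part of this reply: talk SMTP to it from a host that is not in its trusted networks (for Postfix, outside mynetworks, since relaying from inside is allowed by design) and see whether it accepts a recipient it is not responsible for. The host name, the probe addresses and the two transcripts embedded below are constructed for the demonstration and should be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the thread): check your own MTA for open relaying.
# Run it from a host that is NOT in the server's trusted networks (for Postfix,
# outside $mynetworks); from inside, relaying is permitted on purpose.
# The host name, probe addresses and transcripts below are constructed.

RELAY_HOST=${RELAY_HOST:-mail.example.org}   # your own mail server (assumed)

# Talk SMTP to $1:$2 with nc, one line per second so a slow server keeps up,
# and print the whole transcript. Sender and recipient are both foreign to the
# server, so a correctly configured MTA must refuse the RCPT TO.
relay_transcript() {
    host=$1; port=${2:-25}
    for cmd in "EHLO relaycheck.example.net" \
               "MAIL FROM:<probe@example.net>" \
               "RCPT TO:<nobody@example.com>" \
               "QUIT"; do
        printf '%s\r\n' "$cmd"
        sleep 1
    done | nc -w 10 "$host" "$port"
}

# Read a transcript on stdin and report the reply to RCPT TO. Final replies
# are the lines that start with a three-digit code and a space; "250-" lines
# are continuations of the EHLO reply and are ignored. The reply order is
# greeting, EHLO, MAIL FROM, RCPT TO, so the fourth final reply is the one
# that matters.
relay_verdict() {
    tr -d '\r' | awk '
        /^[0-9][0-9][0-9] / { n++; if (n == 4) { code = $1; exit } }
        END {
            if (code == "") print "no RCPT reply (server unreachable or closed early)"
            else if (code ~ /^2/) print "OPEN RELAY: RCPT TO accepted with " code
            else print "relay refused with " code
        }'
}

# Constructed transcripts of both outcomes (what a Postfix-style server prints).
SAMPLE_DENIED='220 mail.example.org ESMTP Postfix
250-mail.example.org
250-PIPELINING
250 8BITMIME
250 2.1.0 Ok
554 5.7.1 <nobody@example.com>: Relay access denied
221 2.0.0 Bye'

SAMPLE_OPEN='220 mail.example.org ESMTP
250 mail.example.org
250 Ok
250 Ok
221 Bye'

# Usage:  relay_transcript "$RELAY_HOST" 25 | relay_verdict
```

A "relay refused" verdict (typically 550 or 554) is the healthy result. If the RCPT TO is accepted, the server relays for anyone and will keep getting listed on the CBL regardless of whether a bot is present on the box, so the MTA's relay restrictions are the first thing to fix.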
Tolomir, Administrator
Top Expert 2005

Commented:
@jakopriit: Right, I thought mail would be sent from port 25 between mailservers too, but there is no need.
