
I have a server which doesn't have much activity. Today, suddenly server load went higher than 12, which compared to its normal value (0.5) is way too high. I checked and found out that postfix is being used by a program named smtp to send emails. Its full arguments:

 smtp -t unix -u

I use CentOS release 6.7; I update my server on a regular basis. netstat shows me something like this: [screenshot: netstat output]

I also checked /var/log/maillog, which told me that in the last 10 hours hundreds of thousands of emails have been sent.

How can I find out who is behind this? How can I find out if it's internal or external?

P.S: postfix is down.

    Possible duplicate of [Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?](http://serverfault.com/questions/419407/fighting-spam-what-can-i-do-as-an-email-administrator-domain-owner-or-user) – Greg Askew Dec 26 '15 at 14:04
  • Likely the malware which broke into your server, most likely via a security issue in a web application, is sending it. This is but one of many reasons you should not disable SELinux. For now, you'll have to find and clean the malware, and most likely blow the server away and reinstall it. – Michael Hampton Dec 26 '15 at 14:46
  • At least post some logs. – ychaouche Sep 19 '16 at 10:31

2 Answers


To find out how this is happening, you need to look at postfix logs. Either your postfix is misconfigured or you have some authorized host that is compromised (usually a webserver). If the postfix logs say this is coming from your local host, an lsof -i -n can yield useful information.

Law29
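As an added example (not part of Law29's answer), the triage below pulls the facts the answer asks for out of postfix log lines: which local Unix uid handed mail to the pickup service (on CentOS 6, uid 48 is the apache user, so a flood there points at a web application rather than a misconfigured relay), which remote clients connected to smtpd, which SASL accounts authenticated, and which envelope senders the queue manager saw. The log lines are constructed sample data in the usual postfix format, not lines from the original post; on the real host you would feed `/var/log/maillog` to the same functions.

```shell
#!/bin/sh
# Constructed sample of /var/log/maillog lines (not from the original post).
# Line types: pickup = local submission via sendmail(1), smtpd = inbound SMTP
# session, qmgr = message accepted into the queue (carries the envelope sender).
SAMPLE_LOG='Dec 26 10:00:01 srv postfix/pickup[2001]: 1A2B3C: uid=48 from=<apache>
Dec 26 10:00:01 srv postfix/qmgr[1999]: 1A2B3C: from=<apache@srv.example>, size=812, nrcpt=1 (queue active)
Dec 26 10:00:02 srv postfix/smtpd[2100]: 4D5E6F: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice
Dec 26 10:00:02 srv postfix/qmgr[1999]: 4D5E6F: from=<alice@srv.example>, size=900, nrcpt=50 (queue active)
Dec 26 10:00:03 srv postfix/pickup[2001]: 7G8H9I: uid=48 from=<apache>
Dec 26 10:00:04 srv postfix/smtpd[2100]: AABBCC: client=mail.example.net[198.51.100.9]
Dec 26 10:00:04 srv postfix/qmgr[1999]: AABBCC: from=<bob@example.net>, size=500, nrcpt=1 (queue active)'

# Count messages submitted locally, keyed by the uid recorded by postfix/pickup.
# A large count for one uid (e.g. uid=48, apache on CentOS 6) means the mail is
# being injected by a process on this host, not relayed from outside.
local_submitters() {
  awk 'index($0, "postfix/pickup[") {
         for (i = 1; i <= NF; i++) if ($i ~ /^uid=/) c[$i]++
       }
       END { for (k in c) print c[k], k }' | sort -rn
}

# Count inbound SMTP sessions per remote client (hostname[ip]).
# Many sessions from unknown hosts with no sasl_username suggests an open relay.
remote_clients() {
  awk 'index($0, "postfix/smtpd[") {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^client=/) { sub(/,$/, "", $i); c[$i]++ }
       }
       END { for (k in c) print c[k], k }' | sort -rn
}

# Count authenticated SMTP sessions per SASL account.
# One account dominating the list usually means a stolen mailbox password.
sasl_users() {
  awk '/sasl_username=/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^sasl_username=/) { sub(/,$/, "", $i); c[$i]++ }
       }
       END { for (k in c) print c[k], k }' | sort -rn
}

# Count queued messages per envelope sender, taken from postfix/qmgr lines.
envelope_senders() {
  awk 'index($0, "postfix/qmgr[") {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^from=</) { sub(/,$/, "", $i); c[$i]++ }
       }
       END { for (k in c) print c[k], k }' | sort -rn
}

# Usage on the sample data; on a live host replace the printf with
#   local_submitters < /var/log/maillog   (and likewise for the others)
echo "== local submissions by uid =="; printf '%s\n' "$SAMPLE_LOG" | local_submitters
echo "== remote smtpd clients ==";     printf '%s\n' "$SAMPLE_LOG" | remote_clients
echo "== SASL accounts ==";            printf '%s\n' "$SAMPLE_LOG" | sasl_users
echo "== envelope senders ==";         printf '%s\n' "$SAMPLE_LOG" | envelope_senders
```

Reading the four lists together answers the "internal or external" question: pickup lines with a web-server uid mean a local process (typically a compromised web application) is calling sendmail, smtpd lines with no SASL user mean outside hosts are relaying through you, and a single SASL account with a huge count means that account's password is being abused.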

Most probably you have an open relay enabled and some bot/scanner has picked you up. See your postfix config file (/etc/postfix/main.cf) and look for something like:

mynetworks = 0.0.0.0/0

If that is the case here, you will have to decide which networks are allowed to relay mail, or even disable relaying altogether, leaving just localhost.

Konrad Gajewski
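As an added example (not part of Konrad Gajewski's answer), the check below reads a main.cf on standard input and flags a `mynetworks` setting that trusts the whole Internet, next to a corrected setting that trusts only localhost. Both configuration fragments are constructed for illustration; the `reject_unauth_destination` restriction and the `postconf` command mentioned in the comments are standard postfix, but the exact values shown are assumptions, not the poster's configuration.

```shell
#!/bin/sh
# Constructed main.cf fragment with the open-relay setting the answer warns about
# (not the original poster's configuration).
WEAK_CF='myhostname = srv.example
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination'

# Constructed corrected fragment: only localhost is trusted to relay, and
# remote users must authenticate (permit_sasl_authenticated) to send outward.
FIXED_CF='myhostname = srv.example
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'

# relay_check: read main.cf on stdin, print "open-relay" if any entry in
# mynetworks has a /0 prefix (every address on the Internet), else "ok".
# Handles the single-line "mynetworks = a, b, c" form only; a value continued
# over indented lines would need the live "postconf mynetworks" output instead.
relay_check() {
  awk -F'=' '
    $1 ~ /^[ \t]*mynetworks[ \t]*$/ {
      n = split($2, nets, /[ \t,]+/)
      for (i = 1; i <= n; i++) {
        net = nets[i]
        if (net == "") continue
        # 0.0.0.0/0 or ::/0: permit_mynetworks then applies to everyone
        if (net ~ /\/0$/) bad = 1
      }
    }
    END { print (bad ? "open-relay" : "ok") }'
}

# Usage on the sample fragments; on a live host use
#   postconf mynetworks | relay_check
# so that defaults and multi-line values are already expanded by postfix.
printf '%s\n' "$WEAK_CF"  | relay_check   # open-relay
printf '%s\n' "$FIXED_CF" | relay_check   # ok
```

After changing `mynetworks`, reload postfix and re-run the log triage for a few minutes: if smtpd still accepts mail for outside domains from unknown clients, the relay is still open somewhere (for example a `permit` earlier in `smtpd_recipient_restrictions`), and if the volume continues with pickup lines instead, the problem is a local process, which a `mynetworks` change will not stop.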