Log Entry Question
I need help interpreting the results of some tests I am running.
What exactly does (ESTABLISHED) mean in the following lines?
exim 9329 mailnull 9u IPv4 58031678 0t0 TCP name.name.net:smtp->173-233-95-133.static.as40244.net:54981 (ESTABLISHED)
exim 9329 mailnull 10u IPv4 58031678 0t0 TCP name.name.net:smtp->173-233-95-133.static.as40244.net:54981 (ESTABLISHED)
I have been trying to clean an infection of the "Steel Rat" that has repeatedly landed my server on the CBL's block list.
But even after much cleaning, when I run
lsof -i | grep smtp
I still see random "established" entries to various odd destinations. Is that normal for a server "at rest"? Why should it be "establishing" anything on its own? Should I be concerned?
Hello, can you please update here with the full output of the following command, so that we can check this and assist on this.
lsof -i | grep smtp
Here is a sample from this morning.
root@server2 [~]# lsof -i | grep smtp
exim 1735 mailnull 3u IPv6 53368707 0t0 TCP *:smtp (LISTEN)
exim 1735 mailnull 4u IPv4 53368708 0t0 TCP *:smtp (LISTEN)
exim 25137 mailnull 10u IPv4 58188199 0t0 TCP server2.example.net:35677->a3ifql8es.example.top:smtp (ESTABLISHED)
exim 25197 mailnull 9u IPv4 58188347 0t0 TCP server2.example.net:smtp->butter.example.xyz:58318 (ESTABLISHED)
exim 25197 mailnull 10u IPv4 58188347 0t0 TCP server2.example.net:smtp->butter.example.xyz:58318 (ESTABLISHED)
- Post Edited: Please Don't Post Actual Domain Names -
Hello :) You could review the remote destinations to determine if it's legitimate traffic. I've moved this thread to the "Security" forum where you may receive more user feedback. You can always consult with a qualified system administrator if you are concerned about the security of your system. Thank you.
Those connections are inbound/outbound SMTP connections owned by exim. In your case, troubleshooting a CBL listing, that is a good thing. You would need to be concerned if the output did not have exim / mailnull as the owner. If a "normal" username owned those connections they would be more concerning. Since those connections are owned by exim, the incoming or outgoing mail that caused them will be detailed in /var/log/exim_mainlog.
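The triage described in the answer above (read the direction from which side of the arrow carries :smtp, check that the owner is the mail daemon, then look the remote host up in /var/log/exim_mainlog) can be scripted. The following is an added example, not code from the forum or from the exim project. It parses lsof -i lines in the format shown in this thread, treats two lines with the same PID and DEVICE number (exim's 9u/10u pair) as one socket, classifies each socket as listening, inbound or outbound SMTP, and flags any socket whose command or user is not the expected exim / mailnull pair. The sample output embeds the lines from this thread plus one constructed line (a perl process running as nobody) to show what a flag looks like; the expected owner sets and the suggested grep against exim_mainlog are assumptions about this server.

```python
"""Triage `lsof -i` output for SMTP sockets (added example, not the forum poster's tool)."""
from collections import namedtuple

# Assumption: exim runs as mailnull, as in the lsof output posted in the thread.
EXPECTED_COMMANDS = {"exim"}
EXPECTED_USERS = {"mailnull"}

# Accept both resolved service names (lsof default) and numeric ports (lsof -P).
SMTP_PORTS = {"smtp", "25", "submission", "587", "smtps", "465"}

Sock = namedtuple("Sock", "command pid user device local remote state direction")


def _port(endpoint):
    """Port part of host:port; also handles '*:smtp' and '[::1]:smtp'."""
    return endpoint.rsplit(":", 1)[-1]


def parse_lsof_line(line):
    """Parse one `lsof -i` row (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE])."""
    fields = line.split()
    if len(fields) < 9 or fields[0] == "COMMAND":   # header or truncated row
        return None
    command, pid, user, device, node, name = (
        fields[0], fields[1], fields[2], fields[5], fields[7], fields[8])
    if node != "TCP":                                # UDP rows carry no state
        return None
    state = fields[9].strip("()") if len(fields) > 9 else ""
    local, remote = name.split("->", 1) if "->" in name else (name, "")
    if state == "LISTEN":
        direction = "listen"
    elif _port(local) in SMTP_PORTS:
        direction = "inbound"    # remote client reached our port 25
    elif remote and _port(remote) in SMTP_PORTS:
        direction = "outbound"   # we opened a session to a remote port 25
    else:
        direction = "other"
    return Sock(command, pid, user, device, local, remote, state, direction)


def triage(lsof_output):
    """Return (counts per direction, list of sockets not owned by the mail daemon)."""
    seen = set()
    counts = {"listen": 0, "inbound": 0, "outbound": 0, "other": 0}
    suspicious = []
    for line in lsof_output.splitlines():
        sock = parse_lsof_line(line)
        if sock is None:
            continue
        key = (sock.pid, sock.device)   # same socket held on two fds counts once
        if key in seen:
            continue
        seen.add(key)
        counts[sock.direction] += 1
        if sock.command not in EXPECTED_COMMANDS or sock.user not in EXPECTED_USERS:
            suspicious.append(sock)
    return counts, suspicious


def mainlog_hint(sock):
    """Suggest where to look next for an exim-owned session (assumed log path)."""
    host = (sock.remote or sock.local).rsplit(":", 1)[0]
    return "grep '%s' /var/log/exim_mainlog" % host


# Constructed sample: the thread's lines plus one made-up non-exim sender (last row).
SAMPLE = """\
COMMAND   PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
exim     1735 mailnull    3u  IPv6 53368707      0t0  TCP *:smtp (LISTEN)
exim     1735 mailnull    4u  IPv4 53368708      0t0  TCP *:smtp (LISTEN)
exim    25137 mailnull   10u  IPv4 58188199      0t0  TCP server2.example.net:35677->a3ifql8es.example.top:smtp (ESTABLISHED)
exim    25197 mailnull    9u  IPv4 58188347      0t0  TCP server2.example.net:smtp->butter.example.xyz:58318 (ESTABLISHED)
exim    25197 mailnull   10u  IPv4 58188347      0t0  TCP server2.example.net:smtp->butter.example.xyz:58318 (ESTABLISHED)
perl     4242   nobody    3u  IPv4 58200001      0t0  TCP server2.example.net:41000->mx.example.org:smtp (ESTABLISHED)
"""

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE)
    print("sockets by direction:", counts)
    for s in flagged:
        print("NOT owned by the mail daemon: %s (pid %s, user %s) %s -> %s"
              % (s.command, s.pid, s.user, s.local, s.remote))
    print("next step for exim sessions, e.g.:", mainlog_hint(parse_lsof_line(SAMPLE.splitlines()[3])))
```

Run it against live data with `lsof -i -n -P | python3 triage.py` after swapping SAMPLE for sys.stdin.read(); the -n/-P switches avoid DNS lookups, which is also why the parser accepts numeric ports. An inbound session owned by exim is the normal case for a listening MTA, an outbound one is exim delivering queued mail, and the row to chase is the one whose owner is neither exim nor mailnull.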
Thank you.