[Hidden-tech] Need help finding what hijacked our email server port 25

Noah Paessel knowuh at gmail.com
Wed Sep 11 18:23:52 UTC 2024


Port 25 is a privileged port, meaning only processes with root privileges
can bind to it.

This means someone had root access to the computer, and could have
compromised the machine in *many* ways, including installing backdoors,
replacing system binaries, etc.

Good rootkits can modify the system in such a way as to cover up traces and
make forensic investigations difficult.

In my opinion this isn't simply a matter of stopping the service bound to
port 25.

I am not a security expert, but I would definitely treat this seriously.

- Noah
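An added example, not from this thread or any of its posters, that pulls together the two points made here and in the quoted replies: the root-owned listener on port 25 (Noah) and the fuser/ps/kill sequence (Rich). The quoted lsof lines show PID 811, running as root, named `master`, on 127.0.0.1:25 and [::1]:25. `master` is also the name of Postfix's supervisor process, so the name alone settles nothing; what identifies a process is the executable path behind the PID, which `/proc/<pid>/exe` reports and which a process cannot rewrite the way it can its argv. Two caveats a responder wants before running `kill -15`: a root USER column is consistent with, but not proof of, a root compromise (a daemon can bind with CAP_NET_BIND_SERVICE or via socket activation and drop privileges afterwards), and killing the process discards exactly the volatile evidence that answers "what is this". The script assumes Linux with /proc, `lsof` installed, and root on the affected host; the sample lsof output is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage a port-25 listener BEFORE killing it.
# Assumes Linux with /proc and lsof output in the column layout quoted in the thread.
# Everything here reads; nothing here kills. Run as root on the affected host.

# Pull the listening PIDs for one TCP port out of lsof-style output on stdin
# (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME). The header line has no
# "(LISTEN)" and is skipped; IPv4 "127.0.0.1:25" and IPv6 "[::1]:25" both match.
pids_from_lsof() {
    awk -v port="$1" '
        $NF == "(LISTEN)" && $(NF-1) ~ (":" port "$") { print $2 }
    ' | sort -u
}

# Heuristic on an executable path: a binary running from a world-writable
# scratch directory, or already unlinked from disk, deserves a closer look;
# anything else still needs a human to compare against the package manager.
flag_exe() {
    case "$1" in
        *"(deleted)"*|/tmp/*|/var/tmp/*|/dev/shm/*) echo "suspicious" ;;
        unreadable) echo "unknown" ;;
        *) echo "review" ;;
    esac
}

# Describe one PID from /proc: executable (as the kernel sees it, not the
# name the process chose), full command line, parent PID and UID. Reading
# another user's exe link needs root, hence "unreadable" as a fallback.
describe_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "pid $pid: no such process"; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "unreadable")
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    uid=$(awk '/^Uid:/  {print $2}' "/proc/$pid/status")
    printf 'pid=%s uid=%s ppid=%s exe=%s verdict=%s cmd=%s\n' \
        "$pid" "$uid" "$ppid" "$exe" "$(flag_exe "$exe")" "$cmd"
}

# Read lsof output on stdin and describe every listener on the given port.
triage_port() {
    for pid in $(pids_from_lsof "$1"); do
        describe_pid "$pid" || true
    done
}

# Constructed sample: the two lines quoted further down the thread, as
# `lsof -nP -i TCP:25` prints them. Both belong to PID 811, named "master".
SAMPLE='master 811 root 13u IPv4 28666 0t0 TCP 127.0.0.1:25 (LISTEN)
master 811 root 14u IPv6 28667 0t0 TCP [::1]:25 (LISTEN)'

if [ "${1:-}" = "--live" ]; then
    # On the affected host: real listeners, real /proc entries.
    lsof -nP -i TCP:25 -sTCP:LISTEN | triage_port 25
else
    # Offline: show that the parser collapses both sample lines to one PID.
    printf '%s\n' "$SAMPLE" | pids_from_lsof 25
fi
```

Save the output of `--live` somewhere off the box before anything is stopped; the exe path, parent PID and command line are what let you tell a Postfix that got installed or re-enabled apart from something that merely borrowed its name, and they are gone the moment the process is.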
On Wed, Sep 11, 2024 at 1:57 PM Rich at tnr via Hidden-discuss <
hidden-discuss at lists.hidden-tech.net> wrote:

> Quick answer that might be helpful.
>
> Requires SSH access:
>      fuser -n tcp 25
> will give process ID using port 25 (SMTP), and then
>      ps process-id
> That will give you the process running the smtp server
> and then kill it with (that will need root access)
>      kill -15 process-id
>
> Rich (sorry booked up to help directly - let me know if no other answers.)
> On 9/11/2024 1:16 PM, Steven Aronstein via Hidden-discuss wrote:
>
> Hi,
>
> We have an email server (Communigate hosted on Linode) that stopped
> responding. We discovered it was because something else on the server
> started using port 25. Except it wasn't anything we installed.
>
> master 811 root 13u IPv4 28666 0t0 TCP 127.0.0.1:25 (LISTEN)
> master 811 root 14u IPv6 28667 0t0 TCP [::1]:25 (LISTEN)
>
>
> Then Linode warned us (and blocked) our server because they detected spam
> being sent from it. Which wasn't us.
>
> So, we appear to have some kind of virus or app that has hacked into our
> server and is using it.
>
> This may actually be a fairly simple process for someone in the know, but
> we don't have the resources at this moment to be that someone fast enough.
> We've had enough bad experiences hiring random gig workers online that we
> don't want to trust someone like that with access, however brief, to our
> mail server.
>
> Is there anyone in this group or locally or that people here trust up for
> a quick gig finding and purging the uninvited guest from our server so the
> mail server starts running and Linode will unblock it?
>
> You can call or text or email me privately as well. All suggestions,
> guidance, or references welcome.
>
> Thanks!
> Steve
> 413-207-5610
>
> _______________________________________________
> Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> Hidden-discuss at lists.hidden-tech.net
>
> You are receiving this because you are on the Hidden-Tech Discussion list.
> If you would like to change your list preferences, Go to the Members
> page on the Hidden Tech Web site. http://www.hidden-tech.net/members
>
> --
> Rich Roth
> CEO TnR Global
>
> Bio and personal blog: http://rizbang.com
> Building the really big sites:      http://www.tnrglobal.com
> Small/Soho business in the PV:        http://www.hidden-tech.net
> Places to meet for business:        http://www.meetmewhere.com
> And for Arts and relaxation:http://TarotMuertos.com - Artistic Tarot Deck
>    http://www.welovemuseums.com
>    http://www.artonmytv.com/
> Shakers: http://www.shakerpedia.com/
> Helping move the world:             http://www.earththrives.com
>
>