<div dir="ltr"><br>Port 25 is a privileged port, meaning only processes with root privileges can bind to it. <div><br>This means someone had root access to the computer, and could have compromised the machine in *many* ways, including installing backdoors, replacing system binaries, &etc. <br><br>Good rootkits can modify the system in such a way as to cover up traces and make forensic investigations difficult.</div><div><br>In my opinion this isn't simply a matter of stopping the service bound to port 25. </div><div><br>I am not a security expert, but I would definitely treat this seriously.</div><div><br></div><div>- Noah<br><br><br><br><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 11, 2024 at 1:57 PM Rich@tnr via Hidden-discuss <<a href="mailto:hidden-discuss@lists.hidden-tech.net">hidden-discuss@lists.hidden-tech.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<p>Quick answer that might be helpful.<br>
<br>
Requires SSH access:<br>
fuser -n tcp 25<br>
will give process ID using port 25 (SMTP), and then<br>
ps process-id<br>
That will give you the process running the SMTP server<br>
and then kill it with (that will need root access)<br>
kill -15 process-id</p>
<p>Rich (sorry booked up to help directly - let me know if no other
answers.)<br>
</p>
<div>On 9/11/2024 1:16 PM, Steven Aronstein
via Hidden-discuss wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>We have an email server (Communigate hosted on Linode) that
stopped responding. We discovered it was because something
else on the server started using port 25. Except it wasn't
anything we installed. </div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">master
811 root 13u IPv4 28666 0t0 TCP <a href="http://127.0.0.1:25" target="_blank">127.0.0.1:25</a> (LISTEN) master 811
root 14u IPv6 28667 0t0 TCP [::1]:25 (LISTEN)</blockquote>
<div><br>
</div>
<div>Then Linode warned us (and blocked) our server because they
detected spam being sent from it. Which wasn't us.</div>
<div><br>
</div>
<div>So, we appear to have some kind of virus or app that has
hacked into our server and is using it.</div>
<div> </div>
<div>This may actually be a fairly simple process for someone in
the know, but we don't have the resources at this moment to be
that someone fast enough. We've had enough bad experiences
hiring random gig workers online that we don't want to trust
someone like that with access, however brief, to our mail
server.</div>
<div><br>
</div>
<div>Is there anyone in this group or locally or that people
here trust up for a quick gig finding and purging the
uninvited guest from our server so the mail server starts
running and Linode will unblock it?</div>
<div><br>
</div>
<div>You can call or text or email me privately as well. All
suggestions, guidance, or references welcome.</div>
<div><br>
</div>
<div>Thanks!</div>
<div>Steve</div>
<div>413-207-5610</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Hidden-discuss mailing list - home page: <a href="http://www.hidden-tech.net" target="_blank">http://www.hidden-tech.net</a>
<a href="mailto:Hidden-discuss@lists.hidden-tech.net" target="_blank">Hidden-discuss@lists.hidden-tech.net</a>
You are receiving this because you are on the Hidden-Tech Discussion list.
If you would like to change your list preferences, Go to the Members
page on the Hidden Tech Web site.
<a href="http://www.hidden-tech.net/members" target="_blank">http://www.hidden-tech.net/members</a>
</pre>
</blockquote>
<pre cols="72">--
Rich Roth
CEO TnR Global
Bio and personal blog: <a href="http://rizbang.com" target="_blank">http://rizbang.com</a>
Building the really big sites: <a href="http://www.tnrglobal.com" target="_blank">http://www.tnrglobal.com</a>
Small/Soho business in the PV: <a href="http://www.hidden-tech.net" target="_blank">http://www.hidden-tech.net</a>
Places to meet for business: <a href="http://www.meetmewhere.com" target="_blank">http://www.meetmewhere.com</a>
And for Arts and relaxation:
<a href="http://TarotMuertos.com" target="_blank">http://TarotMuertos.com</a> - Artistic Tarot Deck
<a href="http://www.welovemuseums.com" target="_blank">http://www.welovemuseums.com</a>
<a href="http://www.artonmytv.com/" target="_blank">http://www.artonmytv.com/</a>
Shakers: <a href="http://www.shakerpedia.com/" target="_blank">http://www.shakerpedia.com/</a>
Helping move the world: <a href="http://www.earththrives.com" target="_blank">http://www.earththrives.com</a></pre>
</div>
</blockquote></div>
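As an added example, not code from any of the posters: a small POSIX shell triage helper that does the "what is on port 25?" step from Rich's reply before anything is killed. It parses `ss -ltnp` style output (a constructed sample modeled on the lsof line quoted above is embedded), flags that 25 is a privileged port as Noah points out, and, with `--live`, pulls the owner, binary path, working directory and parent of the listening PID from /proc. It assumes `ss`, `ps`, `awk`, `sort` and `readlink` are available on the host.

```shell
#!/bin/sh
# Added example (not from the thread): find what holds a TCP port and triage it.

# Constructed sample of `ss -Hltnp` output, modeled on the lsof line in the thread:
# State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS='LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=811,fd=13))
LISTEN 0 100 [::1]:25 [::]:* users:(("master",pid=811,fd=14))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))'

# listeners_on_port PORT SS_OUTPUT -> unique "pid name" lines for sockets on PORT.
# Only the first process of a shared socket is reported (ss lists several when present).
listeners_on_port() {
  printf '%s\n' "$2" | awk -v p="$1" '
    { lp = $4; sub(/.*:/, "", lp); if (lp != p) next        # local port is after the last ":"
      n = $0; sub(/.*\(\("/, "", n); sub(/".*/, "", n)      # process name inside (("...
      id = $0; sub(/.*pid=/, "", id); sub(/,.*/, "", id)    # pid=NNN
      print id, n }' | sort -u
}

# Ports below 1024 need root or CAP_NET_BIND_SERVICE to bind: a stranger there had privilege.
is_privileged_port() { [ "$1" -ge 0 ] && [ "$1" -lt 1024 ]; }

# triage_pid PID -> owner, start time, full command line, binary, cwd and parent from /proc.
triage_pid() {
  pid="$1"
  [ -d "/proc/$pid" ] || { echo "no such pid: $pid"; return 1; }
  ps -o pid=,user=,lstart=,comm=,args= -p "$pid"
  # A "(deleted)" suffix on exe means the binary was removed after it started.
  echo "exe:    $(readlink "/proc/$pid/exe")"
  echo "cwd:    $(readlink "/proc/$pid/cwd")"
  echo "parent: $(ps -o ppid=,comm= -p "$pid" | xargs -r ps -o pid=,user=,args= -p 2>/dev/null)"
}

# Default: run against the embedded sample. Pass --live to query this host instead.
if [ "${1:-}" = "--live" ]; then
  out="$(ss -Hltnp 2>/dev/null || true)"
else
  out="$SAMPLE_SS"
fi
listeners_on_port 25 "$out" | while read -r pid name; do
  echo "port 25 is held by pid $pid ($name)"
  if is_privileged_port 25; then
    echo "privileged port: whoever bound it did so as root or with CAP_NET_BIND_SERVICE"
  fi
  if [ "${1:-}" = "--live" ]; then triage_pid "$pid"; fi
done
```

A process name such as "master" says nothing on its own; the exe path, owner and parent from `triage_pid` are what distinguish a legitimate daemon from something dropped by an intruder.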