Hi,
I really do not know how to describe this problem; but, I think it's a firewall
issue. My Distro is Slackware 12.0 (somewhat updated).
My company firewall uses Netfilter and the e-mail server uses Sendmail.
Let's say the firewall's Ext IP = A and Internal DMZ IP = B.
The firewall's name is Flame.
In the DMZ, let's say the e-mail server's IP = C.
Email's server name is Mercury.
In the past, traffic bound for A on port 25 would get forwarded to C.
In the firewall, the DNAT is set to C. In my e-mail log, the following
is shown:
Host connect: <foreign server>
IP Connect: <foreign IP>
Hello From : <some hello string>
Yesterday when I checked my spam e-mail I had like 8000+ spam
in the spambox. I freaked out a bit and did a bit of checking. In my
e-mail logs, I noticed that the logs were now displaying the following:
Host connect: Flame
IP Connect: B
Hello from: <foreign server> or <junk word>
I looked at my IP rules and didn't see anything out of the
ordinary (that specifically states to change the SNAT to B).
That done, I set Mercury's eth0 down and checked Flame's
tcpdump. It was still sending some packets (from B to C), but
since Mercury's down, nothing is replying to the connection.
Switching off the firewall stops the inbound traffic (of course).
Switching it back on starts it again.
So I went to my firewall rules and disabled all SMTP ports
so that they aren't being forwarded to C.
That did nothing.
So my current conclusion is that something has attached
itself to my firewall's process and is forwarding all e-mail
to my e-mail server without even going through the
firewall. So all e-mail goes into Flame and then out
of its B IP and into Mercury's C IP. So my tcpdump
would show B:port -> C:25...
IOW, my firewall has been breached.
Would someone know how I might be able to find out what
hidden processes are being run? I've looked at
/proc and, preliminarily, don't see anything out of the
ordinary.
telinit 1 stops the traffic.
telinit 3 restarts the traffic.
So something is hooking up to my server's list of
processes.
Any help appreciated.
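The two checks the post is reaching for (a process that ps does not show, and a NAT rule that makes B the apparent source of the SMTP traffic) can be scripted. The following is an added example written for this thread, not code from the poster or from Slackware; the function names, the `--run` flag and the sample PID lists are my own, and the conntrack file names are assumed (2.6-era kernels exposed `/proc/net/ip_conntrack`, later ones `/proc/net/nf_conntrack`). It compares the PIDs visible as `/proc/<pid>` directories against what `ps` reports, then dumps the nat table with counters plus the loaded modules so they can be diffed against a baseline kept off the box.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's code).
# Cross-check /proc against ps, and dump the NAT state that decides
# whether B shows up as the source address on port 25 connections.

# Print each PID in the first whitespace-separated list that is
# absent from the second list, one per line.
pids_only_in_first() {
    norm2=" $(printf '%s ' $2)"          # " 1 2 3 " for membership tests
    for pid in $1; do
        case "$norm2" in
            *" $pid "*) ;;               # present in both lists
            *) printf '%s\n' "$pid" ;;
        esac
    done
}

# PIDs the kernel exposes as numeric directories under /proc.
proc_pids() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done
}

# PIDs that ps is willing to report.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# PIDs present in /proc but missing from ps point at a userland tool that
# hides processes (a trojaned ps or an LD_PRELOAD hook). The reverse
# direction is normally just a process that exited between the two scans.
# A kernel-level rootkit can hide from both views, so an empty result is
# not proof of a clean box; it only rules out the simple cases.
check_hidden() {
    p=$(proc_pids | tr '\n' ' ')
    s=$(ps_pids | tr '\n' ' ')
    echo "# in /proc but not in ps (suspicious):"
    pids_only_in_first "$p" "$s"
    echo "# in ps but not in /proc (usually a race):"
    pids_only_in_first "$s" "$p"
}

# Everything that rewrites addresses lives in the nat table; an SNAT,
# MASQUERADE or REDIRECT rule here explains traffic leaving from B.
# The packet counters show which rules are actually matching.
dump_nat_state() {
    echo "# nat table rules:"
    iptables -t nat -S
    echo "# nat table with counters:"
    iptables -t nat -L -n -v --line-numbers
    echo "# live NAT translations for port 25:"
    # File name depends on kernel version (assumed: old name first).
    { cat /proc/net/ip_conntrack 2>/dev/null \
      || cat /proc/net/nf_conntrack 2>/dev/null; } | grep 'dport=25'
    echo "# loaded kernel modules (compare with a known-good list):"
    cat /proc/modules
}

# Run the live checks only when asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    check_hidden
    dump_nat_state
fi
```

Run it as root on Flame with `sh check_flame.sh --run > flame-state.txt` and compare the output with a copy taken from a known-good system or from the distribution's packaging; the `telinit 1` / `telinit 3` behaviour described above also makes the rc scripts under `/etc/rc.d` (what runlevel 3 starts and runlevel 1 stops) worth diffing against the package manifests.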