Log Entry Question

Discussion in 'Security' started by Amgeek, Jan 12, 2016.

  1. Amgeek

    Amgeek Member

    cPanel Access Level: Website Owner
    I need help interpreting the results of some tests I am running.

    What exactly does (ESTABLISHED) mean in the following lines?

    exim 9329 mailnull 9u IPv4 58031678 0t0 TCP name.name.net:smtp->173-233-95-133.static.as40244.net:54981 (ESTABLISHED)
    exim 9329 mailnull 10u IPv4 58031678 0t0 TCP name.name.net:smtp->173-233-95-133.static.as40244.net:54981 (ESTABLISHED)


    I have been trying to clean an infection of the "Steel Rat" that has repeatedly landed my server on the CBL's block list.

    But even after much cleaning when I run

    Code:
    lsof -i | grep smtp
    I still see random "established" entries to various odd destinations.

    Is that normal for a server "at rest"?
    Why should it be "establishing" anything on its own?
    Should I be concerned?
     
  2. 24x7server

    24x7server Well-Known Member

    cPanel Access Level: Root Administrator
    Hello,

    Can you please post the full output of the following command here, so that we can check it and assist you.

    Code:
    lsof -i | grep smtp
     
  3. Amgeek

    Amgeek Member

    cPanel Access Level: Website Owner
    Here is a sample from this morning.
    Code:
    root@server2 [~]# lsof -i | grep smtp
    exim       1735 mailnull    3u  IPv6 53368707      0t0  TCP *:smtp (LISTEN)
    exim       1735 mailnull    4u  IPv4 53368708      0t0  TCP *:smtp (LISTEN)
    exim      25137 mailnull   10u  IPv4 58188199      0t0  TCP server2.example.net:35677->a3ifql8es.example.top:smtp (ESTABLISHED)
    exim      25197 mailnull    9u  IPv4 58188347      0t0  TCP server2.example.net:smtp->butter.example.xyz:58318 (ESTABLISHED)
    exim      25197 mailnull   10u  IPv4 58188347      0t0  TCP server2.example.net:smtp->butter.example.xyz:58318 (ESTABLISHED)
    
    - Post Edited Please Don't Post Actual Domain Names -
     
    #3 Amgeek, Jan 13, 2016
    Last edited by a moderator: Jan 13, 2016
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level: Root Administrator
    Hello :)

    You could review the remote destinations to determine if it's legitimate traffic. I've moved this thread to the "Security" forum where you may receive more user feedback. You can always consult with a qualified system administrator if you are concerned about the security of your system.

    Thank you.
     
  5. quizknows

    quizknows Well-Known Member

    cPanel Access Level: DataCenter Provider
    Those connections are inbound/outbound SMTP connections owned by exim. In your case, troubleshooting a CBL listing, that is a good thing. You would need to be concerned if the output did not have exim / mailnull as the owner. If a "normal" username owned those connections they would be more concerning.

    Since those connections are owned by exim, the incoming or outgoing mail that caused them will be detailed in /var/log/exim_mainlog.
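As an added example (not part of this thread), the following Python script applies the two checks quizknows describes to `lsof -i` output: which end of the connection sits on the smtp port (a remote host delivering to us versus exim delivering out), and whether exim/mailnull owns the socket. The sample lines are constructed from the output quoted above with placeholder hostnames; the final perl/webuser line is invented to show the case that would be concerning.

```python
from collections import namedtuple

# Constructed sample modelled on the lsof lines quoted in this thread; hostnames
# are placeholders. The perl line is made up: a non-MTA process speaking SMTP.
SAMPLE_LSOF = """\
exim       1735 mailnull    4u  IPv4 53368708      0t0  TCP *:smtp (LISTEN)
exim      25137 mailnull   10u  IPv4 58188199      0t0  TCP server2.example.net:35677->a3ifql8es.example.top:smtp (ESTABLISHED)
exim      25197 mailnull    9u  IPv4 58188347      0t0  TCP server2.example.net:smtp->butter.example.xyz:58318 (ESTABLISHED)
exim      25197 mailnull   10u  IPv4 58188347      0t0  TCP server2.example.net:smtp->butter.example.xyz:58318 (ESTABLISHED)
perl      31022 webuser     5u  IPv4 58190001      0t0  TCP server2.example.net:41022->mx.example.org:smtp (ESTABLISHED)
"""

MTA_OWNERS = {"exim", "mailnull"}  # command and user expected to own SMTP sockets
Sock = namedtuple("Sock", "command pid user device local remote state")

def direction(s):
    """Local side on :smtp = a remote host connected to us (inbound mail);
    remote side on :smtp = our server connected out (outbound delivery)."""
    if s.state == "LISTEN":
        return "listening"
    if s.local.endswith(":smtp"):
        return "inbound"
    if s.remote.endswith(":smtp"):
        return "outbound"
    return "other"

def parse_lsof(text):
    """Parse `lsof -i` TCP lines into one Sock per socket. Exim holds one socket
    on two FDs (9u/10u above); the same PID + DEVICE collapses them into one."""
    seen, socks = set(), []
    for line in text.splitlines():
        f = line.split()  # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
        if len(f) < 10 or f[7] != "TCP":
            continue
        local, _, remote = f[8].partition("->")
        key = (f[1], f[5])
        if key not in seen:
            seen.add(key)
            socks.append(Sock(f[0], int(f[1]), f[2], f[5], local, remote, f[9].strip("()")))
    return socks

def triage(text):
    """Group sockets by direction; anything not owned by exim/mailnull goes
    under 'suspicious' for follow-up (which process, which user, which peer)."""
    out = {k: [] for k in ("listening", "inbound", "outbound", "other", "suspicious")}
    for s in parse_lsof(text):
        out[direction(s)].append(s)
        if s.command not in MTA_OWNERS or s.user not in MTA_OWNERS:
            out["suspicious"].append(s)
    return out
```

For the exim-owned entries, the matching delivery or receipt can then be looked up by remote host in /var/log/exim_mainlog as quizknows suggests.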
     
  6. Amgeek

    Amgeek Member

    cPanel Access Level: Website Owner
    Thank you.
     