Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
K
K
K. A.2018-03-05 10:32:01
Exim
K. A., 2018-03-05 10:32:01

Is it possible to find out which file opened an SMTP connection on an Exim server?

The hoster often blocks mail traffic on the server, after the last check it was not possible to detect any malicious scripts, it was possible to get a list of files that sent the messages from the headers - they were also checked and do not carry any threats. There was a suspicion that in addition to spam using the mail () function on the server, the server picked up something that sends spam through a third-party server.
lsof | grep smtp output:

[[email protected] ~]# lsof | grep smtp
exim      12669                exim    3u     IPv6         1617849445         0t0        TCP *:smtp (LISTEN)
exim      12669                exim    4u     IPv4         1617849446         0t0        TCP *:smtp (LISTEN)
exim      21248                exim    10u    IPv4         1791358785         0t0        TCP domain.ru:52790->ol-in-f27.1e100.net:smtp (SYN_SENT)
exim      21957                exim    9u     IPv4         1791378187         0t0        TCP  domain.ru:smtp->52.175.23.137:63597 (CLOSE_WAIT)
exim      21957                exim    10u    IPv4         1791378187         0t0        TCP  domain.ru:smtp->52.175.23.137:63597 (CLOSE_WAIT)

After restarting Exim:
[[email protected]~]# lsof | grep smtp
exim      12669                exim    3u     IPv6         1617849445         0t0        TCP *:smtp (LISTEN)
exim      12669                exim    4u     IPv4         1617849446         0t0        TCP *:smtp (LISTEN)
exim      25222                exim    9u     IPv4         1792563905         0t0        TCP domain.ru:smtp->52.175.23.137:54652 (CLOSE_WAIT)
exim      25222                exim   10u     IPv4         1792563905         0t0        TCP domain.ru:smtp->52.175.23.137:54652 (CLOSE_WAIT)
exim      25227                exim    9u     IPv4         1792575077         0t0        TCP domain.ru:smtp->52.175.23.137:54046 (ESTABLISHED)
exim      25227                exim   10u     IPv4         1792575077         0t0        TCP domain.ru:smtp->52.175.23.137:54046 (ESTABLISHED)

Not strong in administration, but as I understand it, before the restart, a connection was opened with the ol-in-f27.1e100.net server - obviously some kind of evil spirits. UDP - I found out that this is Google, but nothing should be sent from the server through its SMTP. Only Yandex and a dedicated mail server are on the side of the small ones.
Actually, the question arose: is it possible to find out which file on the server opened a connection to a particular server from the output of this command? Thank you.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

[[+comments_count]] answer(s)
Report
K
Kir aka Dober, 2018-03-05
@dobergroup

netstat -tap |grep smtp won't work?

Similar questions
I
icetinte2015-07-23 12:37:57
How to block mail with invalid dkim in exim? 0Reply
K
kiranananda2019-12-15 21:22:05
Exim and several external addresses, which one will he choose? 1Reply
A
Anton2015-08-13 23:49:11
Rule to block messages from local users? 0Reply
V
Vladimir Yakimov2015-09-09 14:16:55
How to change/remove the recipient of a frozen message in an Exim queue? 1Reply
K
Kirill_Ulyanov2017-09-01 21:55:54
Why doesn't Exim send mail if no IP address is found for a domain? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question