Linux for the Real World

System Auditing.

Often a business is paying for things they no longer use, or there are smarter ways to pay for the same service.

1. Are you using all the phone lines you pay for?
2. Are you getting the best deal from your cell phones and internet provider?
3. Could you do your faxes digitally?
4. Do you have a scanner and are you using it?
5. Are you spam protected?
6. Is your anti-virus up to date?

These are just some of the things we can check for.

Audit Checks run at $200 and $15 per PC.

Had an issue with a customers server and it being reported of sending out spam.

Went and had a look at the mail queue and there were a couple of hundred rejected emails sitting in the queue unable to be delivered due to invalid addresses. So how many had been sent to successful addresses?

/var/log/maillog

cat /var/log/maillog|grep "from=<
  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
 >"

Feb 26 23:51:48 xxx sendmail[24483]: o1QApmA3024483: from=<
  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
 >, size=2517,, nrcpts=100, msgid=<
  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
 >, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]

Feb 26 23:52:45 xxx sendmail[24573]: o1QAqj3q024573: from=<
  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
 >, size=2517,, nrcpts=100, msgid=<
  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
 >, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]

Feb 27 00:01:55 xxx sendmail[25544]: o1QB1tZ0025544: from=<
  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
 >, size=2513,, nrcpts=100, msgid=<
  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
 >, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]

Feb 27 00:03:49 xxx sendmail[25898]: o1QB3nvL025898: from=<
  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
 >, size=2513,, nrcpts=100, msgid=<
  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
 >, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]

then

cat /var/log/maillog|grep -c "from=<
  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
 >"
70

70 emails sent with 60 to 100 recipients in each.

var/log/http/access.log

cat /var/log/httpd/access_log|grep "26/Feb/2010:23:52"
cat /var/log/httpd/access_log|grep "26/Feb/2010:23:52"
cat /var/log/httpd/access_log|grep "27/Feb/2010:00:01"
cat /var/log/httpd/access_log|grep "27/Feb/2010:00:03"

Each one has a compose statment from Horde

41.217.65.3 - - [26/Feb/2010:23:52:18 +1300] "POST /horde/imp/compose.php?uniq=62pyjpm6iua1 HTTP/1.1" 200 73 "http://xxx.xxxxxx.net.nz/horde/imp/compose.php?thismailbox=INBOX&uniq=1267181512410" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; InfoPath.2)"

/tmp/horde.log

Therefore lets have a look at the Horde log file.

cat /tmp/horde.log |grep "Feb 26 23:"

Feb 26 23:49:39 HORDE [notice] [imp] Login success for 
  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
  [41.217.65.3] to {xxx.xxxxxx.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]

Notice the IP address 41.217.65.3

cat /var/log/httpd/access_log|grep "41.217.65.3"|grep -c  /horde/imp/compose.php

2024

That is 2024 accesses to compose emails from this IP Address.

This is not a program but a person who has cracked the user This e-mail address is being protected from spambots. You need JavaScript enabled to view it password and is using this account to send spam.

cat /tmp/horde.log |grep "41.217.65.3"

Shows this started on the 19th, but did not take off till the 25th.

41.217.65.3

whois 41.217.65.3

[Querying whois.afrinic.net]

[whois.afrinic.net]

% This is the AfriNIC Whois server.

% Note: this output has been filtered.

% Information related to '41.217.0.0 - 41.217.127.255'

inetnum: 41.217.0.0 - 41.217.127.255

netname: ZOOMNIGERIA

descr: ZOOM Mobile Nigeria Ltd

country: NG

admin-c: AI22-AFRINIC

tech-c: EK8-AFRINIC

org: ORG-ZMNL1-AFRINIC

status: ALLOCATED PA

mnt-by: AFRINIC-HM-MNT

mnt-lower: ZOOMNIGERIA-MNT

mnt-domains: ZOOMNIGERIA-MNT

source: AFRINIC # Filtered

parent: 41.0.0.0 - 41.255.255.255

organisation: ORG-ZMNL1-AFRINIC

org-name: ZOOM Mobile Nigeria Ltd

org-type: LIR

country: NG

address: 8A, Adeola Odeku Street

address: City: Victoria Island, Lagos

address: Postal Code: 999999*

address: Lagos

e-mail: This e-mail address is being protected from spambots. You need JavaScript enabled to view it

e-mail: This e-mail address is being protected from spambots. You need JavaScript enabled to view it

e-mail: This e-mail address is being protected from spambots. You need JavaScript enabled to view it

phone: +234-1-4312811

admin-c: AI22-AFRINIC

admin-c: TI3-AFRINIC

tech-c: EK8-AFRINIC

mnt-ref: AFRINIC-HM-MNT

mnt-ref: ZOOMNIGERIA-MNT

mnt-by: AFRINIC-HM-MNT

source: AFRINIC # Filtered

person: Andy Ibekaku

remarks: Chief Technical Officer (CTO)

remarks: ZOOM Mobile Nigeria Ltd

address: 8A, Adeola Odeku Street,

address: Victoria Island,

address: Lagos, Nigeria

phone: +23414807505

e-mail: This e-mail address is being protected from spambots. You need JavaScript enabled to view it

org: ORG-ZMNL1-AFRINIC

nic-hdl: AI22-AFRINIC

mnt-by: ZOOMNIGERIA-MNT

source: AFRINIC # Filtered

person: Emi Kennedy

remarks: IP/VSAT Transmission

remarks: ZOOM Mobile Nigeria Ltd

address: 8A, Adeola Odeku Street,

address: Victoria Island,

address: Lagos, Nigeria

phone: +23414312811

</code>

Not much luck going there.

Monitoring

We monitor your server around a number of procedures.

	aiBackups	Night remote backups from your server to our Remote Backup Server. Each morning you are proed with an email Link to see the status and activities of last nights backup.
	Cacti	A tool to see what your server is currently doing, traffic, CPU usage, HD Usage.
	Mailscanner	View contents of in-coming and out-going mail queues as well as todays mail volumes, spam and virus volumes.
	Netstats	Query your internal network for the amount of traffic PCs are doing on the Internet.
	SARG	Query your internal network for the web sits PCs are going to on the Internet.
	SmokePing	View latenacy and connecitvity issues on your network. This is a good first leel tool to diagnose issues and problems, bot today and historically oer the last year.
	WebMin	Manage your server, it's users and ait's functions from an easy to use GUI website.

Call 06-379-6668 [021-827-660] or email us for any of your Hardware needs.