Server affected by botnet! Keeps on sending mail
I am not a full-time sysadmin but I have been given partial responsibility for keeping two of the servers up and running. Recently one of the machines has been affected (probably a botnet) and keeps on sending mail. Luckily the firewall is blocking outgoing SMTP and the issue is controlled to some extent. However, since the server is part of an academic network, the Campus IT people want us to completely reinstall the OS (which is going to be a pain since I'll have to do a ton of reconfiguration). I will mention the symptoms, and any help to figure out the problem and resolve it without a reinstall (if possible) is appreciated.
Here are the details:
1. The machine is behind a firewall though it has a public IP. Only web and SSH ports are open right now.
2. The system is Red Hat (cat /etc/redhat-release produces Red Hat Enterprise Linux ES release 4 (Nahant Update 6)).
uname -a output is:
Linux xxx 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux
3. The sendmail program gets called every hour and we see output similar to the following:
Sep 9 11:08:39 xxx sendmail: m872cTtV015758: to=<email@example.com>, ctladdr=<firstname.lastname@example.org> (48/48), delay=2+12:30:10, xdelay=00:00:00, mailer=esmtp, pri=5610722, relay=aspmx5.googlemail.com., dsn=4.0.0, stat=Deferred: aspmx5.googlemail.com.: No route to host
Note that the firewall is blocking the SMTP port right now.
4. I suspected two Drupal-based sites hosted on the server to be the culprits and took them offline. However, the mailing continues (thus they seem not to be the problem).
For now I've stopped the sendmail daemon and restored the sites. Any help regarding this matter is appreciated.
Still trying to find the cause!
Thanks for the reply.
I suspect it's a bit more than that. This is only a single entry that I picked out from the log. There are many other entries that use different relay servers.
Since I stopped sendmail I've started seeing different output now.
Here are a few example entries:
Sep 11 04:02:02 xxx sendmail: m8B822P3026863: from=root, size=4395, class=0, nrcpts=1, msgid=<200809110802.m8B822P3026863@xxx.xxx.edu>, relay=root@localhost
Sep 11 04:02:02 xxx sendmail: m8B822P3026863: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=34395, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
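One way to pull the relay hosts, submitting uids and deferred status out of sendmail log entries like the ones quoted above, so the queue can be traced back to whichever local account is generating the mail. This is an added example, not code from the thread; the sample lines are constructed from the posts with placeholder hosts and addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log: the delivery attempt from the first post and the
# from/to pair from the follow-up (placeholder host names and addresses).
SAMPLE_LOG = """\
Sep 9 11:08:39 xxx sendmail: m872cTtV015758: to=<email@example.com>, ctladdr=<firstname.lastname@example.org> (48/48), delay=2+12:30:10, xdelay=00:00:00, mailer=esmtp, pri=5610722, relay=aspmx5.googlemail.com., dsn=4.0.0, stat=Deferred: aspmx5.googlemail.com.: No route to host
Sep 11 04:02:02 xxx sendmail: m8B822P3026863: from=root, size=4395, class=0, nrcpts=1, msgid=<200809110802.m8B822P3026863@xxx.xxx.edu>, relay=root@localhost
Sep 11 04:02:02 xxx sendmail: m8B822P3026863: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=34395, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
"""

# syslog prefix, optional [pid], then the sendmail queue id and key=value fields
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail(?:\[\d+\])?: (?P<qid>\w+): (?P<fields>.*)$")
# key=value pairs; the lookahead keeps commas inside values (e.g. stat=...) intact
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
# ctladdr carries the submitting uid/gid as "(uid/gid)"
UID_RE = re.compile(r"\((\d+)/(\d+)\)")

def parse_line(line):
    """Return a dict of the syslog prefix plus every key=value field, or None if not a sendmail line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(dict(FIELD_RE.findall(m.group("fields"))))
    return rec

def summarize(log_text):
    """Group records by queue id and count delivery attempts by relay and by submitting uid.
    On Red Hat the uid 48 seen in the thread is the default 'apache' account, which is
    what you would expect if a web application is the one handing mail to sendmail."""
    relays, uids, queue = Counter(), Counter(), defaultdict(list)
    deferred = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        queue[rec["qid"]].append(rec)
        if "to" not in rec:          # envelope (from=...) record, not a delivery attempt
            continue
        relays[rec.get("relay", "?")] += 1
        m = UID_RE.search(rec.get("ctladdr", ""))
        uids[m.group(1) if m else "?"] += 1
        if rec.get("stat", "").startswith("Deferred"):
            deferred += 1
    return {"queue_ids": sorted(queue), "relays": relays, "uids": uids, "deferred": deferred}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against /var/log/maillog to see which uid and which relays dominate; a large count under a single non-root uid points at the process running as that account.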