
I have a dedicated server and the server people say that a lot of spam emails are being sent from my server. So it's been hacked. They have looked but can't find what it is that is sending them. I had a remote desktop connection and they turned it off, so no outside access should be possible, but it is still sending emails.

As you understand, I'm not a tech guy, so I have no idea where to look for malware or whatever it is that is sending the mails.

But how or where can I see any emails being sent? It's a Windows 2012r server. Where should I look? I don't even know what mail server is installed; how do I tell?

I have run a malware and an antivirus program on the server and neither of them found anything.

Any input really appreciated, thanks.

  • Dear fellows, please don't close this as a duplicate of [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server). This is actually a good question about **forensics** before *nuking it from orbit*! – Esa Jokinen Dec 15 '20 at 19:14

1 Answer

You don't need a mail server installed to send email. SMTP is a simple protocol that connects to TCP port 25 of a remote server and delivers the message. Any process on a compromised server could do that.

You could start by using `netstat -b -n -o` to list the current connections and the processes involved in creating them. Or PowerShell `Get-NetTCPConnection`, which can filter the listing based on the port with `-RemotePort 25`. E.g.

```powershell
# List every current connection whose remote port is 25 (SMTP) together with
# the name and PID of the local process that owns it.
Get-NetTCPConnection -RemotePort 25 | Select-Object -Property LocalPort, RemoteAddress,
    # Calculated property: resolve the owning PID to a process name.
    # -ErrorAction SilentlyContinue avoids an error if the process has already exited.
    @{ Name = 'ProcessName'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } },
    # A string as Expression simply renames the OwningProcess property to PID.
    @{ Name = 'PID'; Expression = 'OwningProcess' }
```

This analysis might help you to find out how you got infected. However, eventually this will come back to the question: How do I deal with a compromised server?

Esa Jokinen
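A one-off listing only catches connections that happen to be open at that instant, and a spam bot typically opens a connection, delivers one message and closes it within a second or two. The script below is an added example, not part of the answer above: it polls `Get-NetTCPConnection` for the common mail ports for a few minutes, records each distinct process/destination pair once (with the executable path, command line and parent PID from `Win32_Process`, which `Get-Process` does not expose), and writes the result to a CSV for later review. It then answers the "what mail server is installed?" part of the question by listing mail-looking services and anything listening on local port 25. The port list, the output path under `$env:TEMP` and the 300-second watch window are assumptions; adjust them as needed. It needs an elevated PowerShell session on Windows Server 2012 R2 or newer.

```powershell
# Added example: watch outbound SMTP connections over time and record the
# processes behind them. Not the original answer's code; see lead-in for assumptions.

$MailPorts = 25, 465, 587                          # SMTP, SMTPS, submission (assumed)
$OutFile   = Join-Path $env:TEMP 'smtp-connections.csv'   # assumed output path
$Seconds   = 300                                   # assumed watch window

$seen = @{}                                        # key: "<PID>|<remote address>"
$end  = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $end) {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $MailPorts -contains $_.RemotePort } |
        ForEach-Object {
            $key = "$($_.OwningProcess)|$($_.RemoteAddress)"
            if (-not $seen.ContainsKey($key)) {
                # Win32_Process supplies the command line, image path and parent,
                # which is what you need to tell a legitimate mailer from a bot.
                $proc = Get-CimInstance Win32_Process `
                    -Filter "ProcessId = $($_.OwningProcess)" -ErrorAction SilentlyContinue
                $seen[$key] = [pscustomobject]@{
                    FirstSeen      = Get-Date
                    PID            = $_.OwningProcess
                    ProcessName    = $proc.Name
                    ExecutablePath = $proc.ExecutablePath
                    CommandLine    = $proc.CommandLine
                    ParentPID      = $proc.ParentProcessId
                    RemoteAddress  = $_.RemoteAddress
                    RemotePort     = $_.RemotePort
                    State          = $_.State
                }
            }
        }
    Start-Sleep -Seconds 2                         # short interval so brief connections are caught
}

$report = $seen.Values | Sort-Object FirstSeen
$report | Format-Table -AutoSize
$report | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Saved $($report.Count) distinct process/destination pairs to $OutFile"

# Is there a real mail server on this box? Look for services with mail-related
# display names and for anything listening on the local SMTP port.
Write-Host "`nServices that look like a mail server:"
Get-Service | Where-Object { $_.DisplayName -match 'SMTP|Mail|Exchange' } |
    Select-Object Name, DisplayName, Status | Format-Table -AutoSize

Write-Host "Listeners on local port 25:"
Get-NetTCPConnection -LocalPort 25 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'ProcessName'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } } |
    Format-Table -AutoSize
```

When you read the CSV, the interesting rows are processes whose executable lives somewhere unusual (a user profile, `C:\Windows\Temp`, a web root) or whose command line is a script interpreter such as `powershell.exe` or `wscript.exe`; the `ParentPID` column tells you what launched it, which is usually the next thing to look at. If the loop records nothing while the host still reports spam, the sender may be a scheduled task or service that runs outside the window, so lengthen `$Seconds` or run the script from a scheduled task of your own.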