[mythbuntu] Is my MythBox a zombie


stefanst
October 10th, 2008, 03:09 PM
I just received an email from Comcast, my ISP, that there is SPAM originating from my network:

Comcast has determined that your computer(s) have been used to send unsolicited email ("spam"), which is generally an indicator of a virus. For your own protection and that of other Comcast customers, we have taken steps to prevent further transmission of spam from your computer(s).

It is really an email from Comcast. I assume they know what they are talking about.

I ran a virus check (with up-to-date definitions) on all my Windoze boxes; they are clean.

I have two Mythbuntu boxes (both 8.04, all the latest updates installed) and one of them has shown considerably more HD activity in the last two weeks- rattling pretty much all the time. After I received the Comcast email I shut that box down.

How can I test if that machine is sending out spam? Can I check activity on the ports or something like that? Would there be activity logged anywhere?

Thanks!

Kinstonian
October 10th, 2008, 03:32 PM
While unexplained HD activity can sometimes be a sign of an incident, you're going to need more evidence. Unfortunately you should have left the mythbox online, because now you have lost data and potential evidence held in memory, such as network connections, running programs, open files, etc.

You could use something like Helix or some other LiveCD and try to run an AV scan. But keep in mind detecting and recovering from an incident is a lot more than running an AV scan.

I don't know much about your environment so it is hard for me to say which of your computers is or is not compromised, but certainly a Windows computer is suspect. I suggest you run Process Explorer from Microsoft and see if you can find any suspicious programs running on your Windows boxes. Suspicious being processes that aren't signed, or say they are from Microsoft but aren't digitally signed, processes that are purple (meaning they are encrypted/packed), processes that have random names or that you don't recognize, etc. Then google for them and see if you can find out what they are.

Also check out Autoruns, TCPView, RootkitRevealer, and other Sysinternals tools by Microsoft to look for more suspicious activity.

That's not everything, but it's a good start.

stefanst
October 10th, 2008, 08:18 PM
I ran several different virus and spyware checkers on my Windows boxes. They were all declared clean, completely clean. I also looked for suspicious apps running etc. and came up clean.

Is there a good tool that will allow me to sniff my network for email-traffic?

I assume it would have to be a lot in order to attract Comcast's suspicion...

Thanks!

Kinstonian
October 10th, 2008, 08:41 PM
Wireshark (http://www.wireshark.org) is probably the best thing to sniff traffic for you. You should look for SMTP traffic (TCP port 25) and can use some of these display filters (http://www.wireshark.org/docs/dfref/s/smtp.html). However, analyzing network traffic might not be the easiest option.

Using netstat and lsof to find the program generating the spam is another option if you aren't familiar with analyzing traffic. If you do find outbound spam being generated by one of your computers by using Wireshark, then you should use netstat and lsof to find the program generating the spam.

Keep in mind you will either have to run Wireshark on both Mythboxes, or connect both Mythboxes to a hub or tap that also has a computer with Wireshark installed monitoring traffic.

Edit: Check out Richard Bejtlich's latest Traffic Talk article called Using Wireshark and Tshark display filters for troubleshooting (http://searchnetworkingchannel.techtarget.com/tip/0,289483,sid100_gci1333127,00.html) for a crash course on using Wireshark.
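Kinstonian's suggestion to turn to netstat and lsof, as an added example that is not code from the thread: a small POSIX shell function that reads "netstat -ntp" output and lists every process holding a TCP connection to a remote port 25, counting SYN_SENT attempts as well as established sessions, since a box hammering mail servers that refuse it still shows the attempts. The netstat sample, the process names and the documentation-range IP addresses are constructed for the example; the column layout assumed is the Linux one (Proto, Recv-Q, Send-Q, Local, Foreign, State, PID/Program).

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes the Linux
# "netstat -ntp" column layout: Proto Recv-Q Send-Q Local Foreign State PID/Program.

# find_smtp_connections [port]
# Reads "netstat -ntp" output on stdin and prints one line per process that
# has a TCP connection to the given remote port (default 25, SMTP):
#   "<PID>/<program> <number of such connections>"
find_smtp_connections() {
    port="${1:-25}"
    awk -v want="$port" '
        # data rows start with tcp or tcp6; the banner and header rows do not
        $1 ~ /^tcp/ && NF >= 7 {
            # foreign address is host:port; take the text after the last colon
            # so IPv4 (1.2.3.4:25) and IPv6-mapped (::ffff:1.2.3.4:25) both work
            n = split($5, parts, ":")
            if (parts[n] == want) count[$7]++
        }
        END { for (p in count) printf "%s %d\n", p, count[p] }
    ' | sort
}

# Constructed sample of what netstat -ntp might show on a box relaying spam
# from a script: two connections to remote mail servers from one perl process,
# plus normal MythTV backend and ssh traffic.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.50:53412      203.0.113.5:25          ESTABLISHED 4321/perl
tcp        0      0 192.168.1.50:53413      198.51.100.7:25         SYN_SENT    4321/perl
tcp        0      0 192.168.1.50:45000      192.168.1.10:6543       ESTABLISHED 1234/mythbackend
tcp        0      0 192.168.1.50:22         192.168.1.20:55123      ESTABLISHED 2222/sshd'

# Sample run. On a real box: sudo netstat -ntp | find_smtp_connections
# then follow up with: sudo lsof -p <PID>   (executable path, cwd, open files)
printf '%s\n' "$SAMPLE_NETSTAT" | find_smtp_connections
```

Run it as root, otherwise netstat shows "-" instead of the PID/program column and the tally groups everything under "-". The port argument lets the same function answer other questions, for example which process is talking to the MythTV backend port.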

djhedges
October 12th, 2008, 04:46 PM
You could use iptables to see if any SMTP (send mail) traffic is going out.

iptables -A OUTPUT -p tcp --dport 25 -j DROP

To see the packet count
iptables -vnL

I used nmap to scan my router for port 25 to test the iptable count
nmap -sS -p 25 172.16.0.1
You'll see something like the following which shows 2 dropped packets
Chain OUTPUT (policy ACCEPT 1 packets, 69 bytes)
pkts bytes target prot opt in out source destination
2 88 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25

It might be a good idea to lock down ssh by allowing only local connections. The following will allow only new connections to port 22 from the 172.16.0.0/16 network (you might want to substitute 192.168.0.0/24 or 192.168.1.0/24 depending on your network).
iptables -A INPUT -p tcp --dport 22 -s 172.16.0.0/16 -m state --state NEW -j ACCEPT
Accept established & related connections, then drop everything else
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP


To reset iptables if you ever get stuck
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
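The iptables approach above, carried one step further as an added example that is not code from the thread: a rule set that logs each outbound port-25 attempt together with the UID of the process that generated it before dropping it, and a shell function that tallies those kernel log lines by user and destination. The rules assume the iptables LOG target with --log-uid and that kernel messages land in /var/log/kern.log (the Ubuntu default); the sample log lines, host name and addresses are constructed. The packet counters from "iptables -vnL" tell you that something is sending; the UID in the log tells you which account to look at.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes iptables with the
# LOG target (--log-uid) and kernel log lines in /var/log/kern.log.

# Rule set based on djhedges' post, with two changes: outbound port-25 attempts
# are logged with the owning UID before being dropped, and loopback traffic is
# accepted before INPUT is locked down (otherwise local services that talk to
# themselves, such as the MythTV backend and frontend, break). Needs root and
# changes the live firewall, so it is defined but not called here. Leave out
# the DROP line if you only want to observe rather than block.
apply_rules() {
    iptables -A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP-OUT: " --log-uid
    iptables -A OUTPUT -p tcp --dport 25 -j DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -s 172.16.0.0/16 -m state --state NEW -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -P INPUT DROP
}

# summarize_smtp_log [prefix]
# Reads kernel log lines on stdin and, for each line carrying the LOG prefix,
# tallies (UID, destination) pairs so you can see which local account is
# making the connections and where they go:  "UID=<n> DST=<ip> <count>"
summarize_smtp_log() {
    awk -v prefix="${1:-SMTP-OUT:}" '
        index($0, prefix) {
            dst = "?"; uid = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^UID=/) uid = substr($i, 5)
            }
            count["UID=" uid " DST=" dst]++
        }
        END { for (k in count) printf "%s %d\n", k, count[k] }
    ' | sort
}

# Constructed sample kern.log lines in the shape the LOG target with --log-uid
# produces (fields trimmed to the ones that matter), plus one unrelated line.
SAMPLE_KERNLOG='Oct 12 16:50:01 mythbox kernel: [12345.678] SMTP-OUT: IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.5 PROTO=TCP SPT=53412 DPT=25 SYN UID=1000 GID=1000
Oct 12 16:50:02 mythbox kernel: [12346.001] SMTP-OUT: IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.5 PROTO=TCP SPT=53413 DPT=25 SYN UID=1000 GID=1000
Oct 12 16:50:03 mythbox kernel: [12347.123] SMTP-OUT: IN= OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=TCP SPT=53414 DPT=25 SYN UID=1000 GID=1000
Oct 12 16:50:04 mythbox kernel: [12348.456] eth0: link up'

# Sample run. On a real box: summarize_smtp_log < /var/log/kern.log
# A non-zero count for an account that should never send mail (mythtv,
# www-data) points straight at the user to inspect with ps -u <user> and lsof.
printf '%s\n' "$SAMPLE_KERNLOG" | summarize_smtp_log
```

Because iptables rules do not survive a reboot on their own, the iptables -F reset from the post above is also the way back if the lockdown cuts off your own ssh session; run it from the console.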