Locating malware on network

AWippler asked:

I am trying to isolate an email sending malware on my network. The headers are as follows:

Received: from z.local.domain (172.18.248.22) by z.local.domain (172.18.248.22) with Microsoft SMTP Server (TLS) id 15.0.712.24 via Mailbox Transport; Mon, 30 Sep 2013 02:35:43 -0700
Received: from z.local.domain (172.18.248.22) by z.local.domain (172.18.248.22) with Microsoft SMTP Server (TLS) id 15.0.712.24; Mon, 30 Sep 2013 02:35:43 -0700
Received: from localhost (172.18.248.18) by z.local.domain (172.18.248.22) with Microsoft SMTP Server (TLS) id 15.0.712.24 via Frontend Transport; Mon, 30 Sep 2013 02:35:43 -0700
Received: from www-data by localhost with local (Exim 4.80) (envelope-from <www-data@local.domain>) id 1VQZtH-0002oq-13 for helpdesk@local.domain; Mon, 30 Sep 2013 02:35:43 -0700
MIME-Version: 1.0
Subject: Subject: eRKpqkSHqdjESMjhqQ
Return-Path: www-data@local.domain
X-MS-Exchange-Organization-Authsource: z.local.domain
Date: Mon, 30 Sep 2013 02:35:43 -0700
X-MS-Exchange-Organization-Network-Message-ID: d786a17d-ef12-4403-aa12-08d08bd7914a
X-MS-Exchange-Organization-Authas: Anonymous
content-type: text/html; charset="utf-8"
Message-ID: <E1VQZtH-0002oq-13@localhost>
To: <helpdesk@local.domain>
X-PHP-Originating-Script: 0:ticket.php
From: Benjamin <goodsam@gmail.com>
X-RT-Original-Encoding: iso-8859-1
Content-Length: 500

I have scanned the Z server with clamwin and malwarebytes, but both have returned negative. Nobody else seems to have reported this spam within our network except for helpdesk. (Helpdesk is on a Debian 7.1 host running Request Tracker 4 – this is the only place this email account is checked.)

Are there any other scanners I can run on the Z server, or does the problem lie elsewhere?

My answer:
Your headers show that this mail originated from 172.18.248.18. So that’s the machine you need to be looking at.
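An added example, not part of the answer or of the original thread, that automates the reading the answer describes: walk the Received headers from the bottom (earliest hop) upward, report the first hop that names an IP address, and pull the local-injection user and the PHP originating script from the same headers. The header text is copied from the question; the function names are my own.

```python
import re
from email import message_from_string

# Trace headers copied from the question above (only the relevant ones).
RAW_HEADERS = """\
Received: from z.local.domain (172.18.248.22) by z.local.domain (172.18.248.22) with Microsoft SMTP Server (TLS) id 15.0.712.24 via Mailbox Transport; Mon, 30 Sep 2013 02:35:43 -0700
Received: from z.local.domain (172.18.248.22) by z.local.domain (172.18.248.22) with Microsoft SMTP Server (TLS) id 15.0.712.24; Mon, 30 Sep 2013 02:35:43 -0700
Received: from localhost (172.18.248.18) by z.local.domain (172.18.248.22) with Microsoft SMTP Server (TLS) id 15.0.712.24 via Frontend Transport; Mon, 30 Sep 2013 02:35:43 -0700
Received: from www-data by localhost with local (Exim 4.80) (envelope-from <www-data@local.domain>) id 1VQZtH-0002oq-13 for helpdesk@local.domain; Mon, 30 Sep 2013 02:35:43 -0700
X-PHP-Originating-Script: 0:ticket.php
From: Benjamin <goodsam@gmail.com>
To: <helpdesk@local.domain>

"""

# "from <name> [(<ip>)] by <host>" as most MTAs write it; anything else is left unparsed.
HOP_RE = re.compile(r"^from\s+(?P<frm>\S+)(?:\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?\s+by\s+(?P<by>\S+)", re.I)

def parse_hops(raw):
    """Return the Received hops in header order (top = last hop, bottom = first hop)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.match(value)
        if m:
            hops.append({"from": m["frm"], "ip": m["ip"], "by": m["by"],
                         "local": re.search(r"\bwith\s+local\b", value, re.I) is not None})
    return hops

def find_origin(raw):
    """Walk hops earliest-first and report where the mail entered the network."""
    hops = parse_hops(raw)
    origin = {"ip": None, "host": None, "local_user": None, "script": None}
    for hop in reversed(hops):                   # bottom header = earliest hop
        if hop["local"] and origin["local_user"] is None:
            origin["local_user"] = hop["from"]   # injected by a local process, not over SMTP
            origin["host"] = hop["by"]
        if hop["ip"]:
            origin["ip"] = hop["ip"]             # first hop that carries an address
            break
    script = message_from_string(raw).get("X-PHP-Originating-Script")
    if script:                                   # PHP mail() header, format "uid:script"
        origin["script"] = script.split(":", 1)[-1]
    return origin

if __name__ == "__main__":
    print(find_origin(RAW_HEADERS))
```

Only the hops written by your own mail servers can be trusted; here the Exchange frontend wrote the line naming 172.18.248.18, and the Exim line beneath it says the message was handed in locally by www-data, which points at the web server process on that host rather than at the Z server.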
View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.