Security Incidents mailing list archives
suspicious activities...
From: "hilton de meillon" <hiltond () hotpop com>
Date: Wed, 15 Sep 2004 10:22:31 +1000
Hi All,

I had this really strange occurrence the other night... Please find the course of events detailed below:

We had just migrated a client's email (MX) to a new server, and as soon as we switched the MX over the server received thousands of spam emails from a domain called hanmail.net (or something like that). Since I was in the process of putting the finishing touches on the server I had not introduced any anti-relay measures (not that anti-relay should have been an afterthought), so the emails were successfully relayed to other hosts for about a minute (just until I could re-configure Sophos to block that IP from relaying).

A bit later on I ran chkrootkit and got this message (just for reference, zzz.yyy.xxx.www is my IP and www.xxx.yyy.zzz is the mail server):

xyzhost:~# chkrootkit -q
You have 2 process hidden for readdir command
You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
eth0 is not promisc

so I was like "AAARRRGGGHHH!!!"

I then ran:

xyzhost:~# w
 20:38:51 up 59 min,  3 users,  load average: 0.07, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE    JCPU   PCPU  WHAT
root     pts/0    zzz.yyy.xxx.www   19:40    1:18    0.13s  0.00s tail -f /var/log/mail/mail.log
root     pts/1    zzz.yyy.xxx.www   20:06   46.00s   0.28s  0.18s watch -n 1 mailq
root     pts/2    zzz.yyy.xxx.www   20:38    0.00s   0.02s  0.01s w

I ran chkrootkit again and got this message...

xyzhost:~# chkrootkit -q
warning, got bogus tcp line.
eth0 is not promisc

Then I ran it again and got nothing...???

xyzhost:~# chkrootkit -q
eth0 is not promisc
xyzhost:~# chkrootkit -q
eth0 is not promisc

--------------------------------------
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 www.xxx.yyy.zzz:25      0.0.0.0:*               LISTEN
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3616    ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3489    ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3735    ESTABLISHED
tcp        1      0 www.xxx.yyy.zzz:33337   211.43.197.159:25       CLOSE_WAIT
tcp        0      0 www.xxx.yyy.zzz:33414   203.231.231.41:25       ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     15838  /var/run/mmsmtp.control
unix  2      [ ACC ]     STREAM     LISTENING     221    /var/run/courier/authdaemon/socket.tmp
unix  7      [ ]         DGRAM                    155    /dev/log
unix  2      [ ]         DGRAM                    299
unix  2      [ ]         DGRAM                    253
unix  2      [ ]         DGRAM                    245
unix  2      [ ]         DGRAM                    220
unix  2      [ ]         DGRAM                    198

What the hang happened there?? The server is a Debian woody running sendmail and Sophos MailMonitor (mmsmtp daemon).

Any ideas?

Regards,
Hilton De Meillon.
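The "process hidden for readdir/ps command" warnings in the post above come from a check that lists processes in more than one way and reports any PID that shows up in one view but not another. A single such pass is inherently racy: a process that is forked or exits between the listings looks "hidden" for that one run, and re-running the check, as the poster did, is the manual way of telling a race from a process that is hidden every time. The following Python is an added example, not chkrootkit's code and not part of the original post; it implements that comparison (a kill(pid, 0) probe versus a readdir() of /proc versus ps), repeats it over several passes, and reports only PIDs hidden in every pass. The function names, the thread filter via /proc/<pid>/status, the use of `ps -e -o pid=`, and the constructed PID sets are all assumptions made for the example.

```python
"""Hidden-process check in the spirit of chkrootkit's chkproc, repeated over
several passes so that processes which merely came and went between two
listings are not reported.

Added example, not chkrootkit's own code. The function names, the
constructed sample passes and the PID values are illustrative assumptions.
"""
import os
import subprocess
import time


def hidden_in_pass(probe_pids, readdir_pids, ps_pids):
    """One pass: a PID that answers a syscall probe but is missing from the
    readdir() view of /proc or from ps is 'hidden' for that listing.
    Returns (hidden_for_readdir, hidden_for_ps)."""
    probe = set(probe_pids)
    return probe - set(readdir_pids), probe - set(ps_pids)


def persistent_hidden(passes):
    """passes: list of (probe_pids, readdir_pids, ps_pids) snapshots taken at
    different moments. A PID hidden in every pass is worth investigating; one
    hidden in only some passes is a race with a short-lived process (each
    tick of `watch -n 1 mailq` forks a shell and a mailq, for instance) and
    is dropped by the intersection."""
    readdir_hidden = ps_hidden = None
    for probe, rd, ps in passes:
        h_rd, h_ps = hidden_in_pass(probe, rd, ps)
        readdir_hidden = h_rd if readdir_hidden is None else readdir_hidden & h_rd
        ps_hidden = h_ps if ps_hidden is None else ps_hidden & h_ps
    return readdir_hidden or set(), ps_hidden or set()


def _is_thread(pid):
    """Linux threads answer kill() but are not listed in /proc or by ps, a
    classic source of spurious hits; skip them by checking Tgid. A PID whose
    status cannot be read at all is kept: that is exactly a hidden process."""
    try:
        with open(f'/proc/{pid}/status') as f:
            for line in f:
                if line.startswith('Tgid:'):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def probe_pids(pid_max):
    """Brute-force probe: kill(pid, 0) succeeds (or fails with EPERM) for
    every live PID, whether or not it is listed anywhere."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not _is_thread(pid):
            alive.add(pid)
    return alive


def readdir_pids():
    return {int(d) for d in os.listdir('/proc') if d.isdigit()}


def ps_pids():
    out = subprocess.run(['ps', '-e', '-o', 'pid='], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def live_passes(n=3, delay=1.0):
    """Collect n real snapshots from this host (Linux only)."""
    with open('/proc/sys/kernel/pid_max') as f:
        pid_max = int(f.read())
    passes = []
    for _ in range(n):
        passes.append((probe_pids(pid_max), readdir_pids(), ps_pids()))
        time.sleep(delay)
    return passes


# Constructed snapshots (illustrative, not real output). In pass 1 two
# short-lived children (4711, 4712) were forked after readdir and ps ran
# but before the probe, so they look hidden for exactly one pass; in pass 2
# the next pair (4720, 4721) is caught by all three listings. PID 666 stands
# for a genuinely hidden process and is missing from readdir and ps every time.
SAMPLE_PASSES = [
    ({1, 50, 900, 666, 4711, 4712}, {1, 50, 900}, {1, 50, 900}),
    ({1, 50, 900, 666, 4720, 4721}, {1, 50, 900, 4720, 4721}, {1, 50, 900, 4720, 4721}),
    ({1, 50, 900, 666}, {1, 50, 900}, {1, 50, 900}),
]

# The same snapshots with the hidden process removed: only the race remains.
RACE_ONLY_PASSES = [(p - {666}, rd, ps) for p, rd, ps in SAMPLE_PASSES]


if __name__ == '__main__':
    rd, ps = persistent_hidden(live_passes())
    print('hidden for readdir in every pass:', sorted(rd))
    print('hidden for ps in every pass:', sorted(ps))
```

On the constructed data a single pass over the first snapshot reports three PIDs hidden for both readdir and ps, while the intersection across all three passes reduces that to the one PID that is absent from every listing; with that PID removed the repeated check reports nothing at all. Run on a live host it has to be root to probe other users' processes meaningfully, and a large pid_max makes each probe take a few seconds.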
Current thread:
- suspicious activities... hilton de meillon (Sep 15)
- Re: suspicious activities... L0stm4n (Sep 18)
- Re: suspicious activities... Sean (Sep 19)
- Re: suspicious activities... Martin Schuster (Sep 20)
- <Possible follow-ups>
- RE: suspicious activities... Michael Shirk (Sep 16)
- RE: suspicious activities... hilton de meillon (Sep 16)
- RE: suspicious activities... Luke Marty (Sep 16)