Security Incidents mailing list archives
RE: suspicious activities...
From: "Michael Shirk" <shirkdog () cryptomail org>
Date: Thu Sep 16 12:52:31 EDT 2004
Try lsof to see what processes are tied to what open ports. Do you have any backups, or an integrity database (aide/tripwire) of the files before putting this mail server into production? If you can not take the system offline, then you should try a live system investigation. SecurityFocus has a couple of step-by-step walkthroughs for working with a live unix/linux system.

Shirkdog

-----Original Message-----
From: hiltond () hotpop com [mailto:hiltond () hotpop com]
Sent: Tuesday, September 14, 2004 8:23 PM
To: incidents () securityfocus com
Subject: suspicious activities...
Importance: Low

Hi All,

I had this really strange occurrence the other night... Please find the course of events detailed below:

We had just migrated a client's email (MX) to a new server and as soon as we switched the MX over the server received thousands of spam emails from a domain called hanmail.net (or something like that). Since I was in the process of putting the finishing touches on the server I had not introduced any anti-relay measures (not that anti-relay should have been an afterthought), so the emails were successfully relayed to other hosts for about a minute (just until I could re-configure sophos to block that IP from relaying).

A bit later on I ran chkrootkit and got this message (just for reference, zzz.yyy.xxx.www is my IP and www.xxx.yyy.zzz is the mail server):

xyzhost:~# chkrootkit -q
You have 2 process hidden for readdir command
You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
eth0 is not promisc

so I was like "AAARRRGGGHHH!!!"

I then ran:

xyzhost:~# w
 20:38:51 up 59 min, 3 users, load average: 0.07, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     pts/0    zzz.yyy.xxx.www   19:40    1:18   0.13s  0.00s tail -f /var/log/mail/mail.log
root     pts/1    zzz.yyy.xxx.www   20:06   46.00s  0.28s  0.18s watch -n 1 mailq
root     pts/2    zzz.yyy.xxx.www   20:38    0.00s  0.02s  0.01s w

I ran chkrootkit again and got this message...

xyzhost:~# chkrootkit -q
warning, got bogus tcp line.
eth0 is not promisc

Then I ran it again and got nothing...???:

xyzhost:~# chkrootkit -q
eth0 is not promisc
xyzhost:~# chkrootkit -q
eth0 is not promisc

--------------------------------------
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address        State
tcp        0      0 0.0.0.0:110             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN
tcp        0      0 www.xxx.yyy.zzz:25      0.0.0.0:*              LISTEN
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3616   ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3489   ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3735   ESTABLISHED
tcp        1      0 www.xxx.yyy.zzz:33337   211.43.197.159:25      CLOSE_WAIT
tcp        0      0 www.xxx.yyy.zzz:33414   203.231.231.41:25      ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     15838  /var/run/mmsmtp.control
unix  2      [ ACC ]     STREAM     LISTENING     221    /var/run/courier/authdaemon/socket.tmp
unix  7      [ ]         DGRAM                    155    /dev/log
unix  2      [ ]         DGRAM                    299
unix  2      [ ]         DGRAM                    253
unix  2      [ ]         DGRAM                    245
unix  2      [ ]         DGRAM                    220
unix  2      [ ]         DGRAM                    198

What the hang happened there?? The server is a Debian woody running sendmail and sophos mailmonitor (mmsmtp daemon).

Any ideas?

Regards,
Hilton De Meillon.
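Shirk's lsof suggestion and Hilton's chkrootkit output both come down to one question: is there a process that the usual views (a readdir of /proc, ps) do not show? The following is an added Python example, not code from either poster or from chkrootkit itself, that reproduces that check the way a defender can rerun it: it compares a kill(pid, 0) probe of the PID space against two /proc listings and against ps, and rechecks every candidate so that short-lived processes (a burst of MTA children, say) are not reported as hidden. It assumes Linux with /proc mounted and a procps ps; all three views go through the same kernel, so a clean result only rules out a userland or readdir-level hook, and the aide/tripwire comparison Shirk mentions remains the stronger check.

```python
import os
import subprocess

def pid_alive(pid):
    """kill(pid, 0) sends no signal; EPERM still means the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def pids_via_readdir():
    """PIDs and thread IDs seen by listing /proc (the view a readdir hook filters).
    Thread IDs are included because kill(tid, 0) also succeeds for non-leader threads."""
    seen = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        seen.add(int(name))
        try:
            seen.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # the process exited between the two listings
    return seen

def pids_via_kill_probe(max_pid=None):
    """Brute-force the PID space with kill(pid, 0); independent of /proc listings."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}

def pids_via_ps():
    """Thread IDs as reported by procps ps, or None if ps is unavailable."""
    try:
        out = subprocess.run(["ps", "-eL", "-o", "lwp="], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return {int(tok) for tok in out.split()}

def hidden_pids(reference, view, still_alive=pid_alive):
    """PIDs in `reference` but missing from `view`, re-checked so that processes
    which simply exited between the two snapshots are not flagged."""
    return {pid for pid in reference - view if still_alive(pid)}

def check(max_pid=None):
    before = pids_via_readdir()
    probed = pids_via_kill_probe(max_pid)
    after = pids_via_readdir()  # second listing covers processes born during the probe
    result = {"hidden_for_readdir": hidden_pids(probed, before | after)}
    by_ps = pids_via_ps()
    if by_ps is not None:
        result["hidden_for_ps"] = hidden_pids(after, by_ps)
    return result
```

Run `check()` as root so kill probes are not limited to your own processes; an empty set for both keys means every live PID was visible to readdir and ps at the time of the run.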