Security Incidents mailing list archives

RE: suspicious activities...


From: "Michael Shirk" <shirkdog () cryptomail org>
Date: Thu Sep 16 12:52:31 EDT 2004

Try lsof to see what processes are tied to what open ports. Do you have any backups, or an integrity database
(aide/tripwire) of the files from before putting this mail server into production?
If you cannot take the system offline, then you should try a live system investigation. SecurityFocus has a couple of
step-by-step walkthroughs on working with a live unix/linux system.
Shirkdog
-----Original Message-----
From: hiltond () hotpop com [mailto:hiltond () hotpop com]
Sent: Tuesday, September 14, 2004 8:23 PM
To: incidents () securityfocus com
Subject: suspicious activities...
Importance: Low
Hi All,

I had this really strange occurrence the other night...

Please find the course of events detailed below:

We had just migrated a client's email (MX) to a new server and as soon as we
switched the MX over the server received thousands of spam emails from
a domain called hanmail.net (or something like that). Since I was in the
process of putting the finishing touches on the server I had not introduced
any anti-relay measures (not that anti-relay should have been an
afterthought), so the emails were successfully relayed to other hosts for about
a minute (just until I could re-configure sophos to block that IP from
relaying).

A bit later on I ran chkrootkit and got this message:

(just for reference zzz.yyy.xxx.www is my ip and www.xxx.yyy.zzz is the mail
server.)

xyzhost:~# chkrootkit -q

You have     2 process hidden for readdir command
You have     2 process hidden for ps command
Warning: Possible LKM Trojan installed
  eth0 is not promisc

so I was like "AAARRRGGGHHH!!!" I then ran:

xyzhost:~# w
 20:38:51 up 59 min,  3 users,  load average: 0.07, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     pts/0    zzz.yyy.xxx.www  19:40    1:18   0.13s  0.00s  tail -f /var/log/mail/mail.log
root     pts/1    zzz.yyy.xxx.www  20:06   46.00s  0.28s  0.18s  watch -n 1 mailq
root     pts/2    zzz.yyy.xxx.www  20:38    0.00s  0.02s  0.01s  w

I ran chkrootkit again and got this message...

xyzhost:~# chkrootkit -q
warning, got bogus tcp line.
  eth0 is not promisc

Then I ran it again and got nothing...???:

xyzhost:~# chkrootkit -q
  eth0 is not promisc

xyzhost:~# chkrootkit -q
  eth0 is not promisc

--------------------------------------
 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 www.xxx.yyy.zzz:25      0.0.0.0:*               LISTEN
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3616    ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3489    ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3735    ESTABLISHED
tcp        1      0 www.xxx.yyy.zzz:33337   211.43.197.159:25       CLOSE_WAIT
tcp        0      0 www.xxx.yyy.zzz:33414   203.231.231.41:25       ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     15838  /var/run/mmsmtp.control
unix  2      [ ACC ]     STREAM     LISTENING     221    /var/run/courier/authdaemon/socket.tmp
unix  7      [ ]         DGRAM                    155    /dev/log
unix  2      [ ]         DGRAM                    299
unix  2      [ ]         DGRAM                    253
unix  2      [ ]         DGRAM                    245
unix  2      [ ]         DGRAM                    220
unix  2      [ ]         DGRAM                    198

what the hang happened there??
The server is a Debian woody running sendmail and sophos mailmonitor (mmsmtp
daemon).
Any ideas?
Regards,
Hilton De Meillon.

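The "2 process hidden" report followed by clean runs fits a race in a check of this kind (a process exiting between the probe and the listing), though nothing in the thread proves that was the cause. The script below is an added example, not code from either poster or from chkrootkit: it re-implements the readdir/ps comparison chkrootkit makes, re-samples it so short-lived processes (such as a sendmail child delivering one message) drop out, and ignores thread ids, which kill() answers for but /proc readdir never lists. It assumes Linux with a standard ps; the function and variable names are the example's own.

```python
import os
import subprocess

def visible_pids(view: str) -> set[int]:
    """'readdir' lists /proc the way chkrootkit's readdir test does; 'ps' asks ps."""
    if view == "readdir":
        return {int(n) for n in os.listdir("/proc") if n.isdigit()}
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    return {int(t) for t in out.split() if t.isdigit()}

def pids_from_kill(max_pid: int) -> set[int]:
    """Probe with kill(pid, 0): filtering /proc or ps output cannot hide a pid from it."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # owned by another user, so it exists
        alive.add(pid)
    return alive

def is_thread(pid: int) -> bool:
    # kill() also answers for thread ids, which /proc readdir never lists
    try:
        with open(f"/proc/{pid}/status") as fh:
            return any(line.startswith("Tgid:") and int(line.split()[1]) != pid for line in fh)
    except OSError:
        return False

def hidden_pids(alive: set[int], listing: set[int], threads: set[int]) -> set[int]:
    return (alive - listing) - threads  # exists, unlisted, and not a thread id

def stable_hidden(samples: list[set[int]]) -> set[int]:
    """PIDs flagged in every sample; one that exited mid-round is flagged only once."""
    result = set(samples[0]) if samples else set()
    for sample in samples[1:]:
        result &= sample
    return result

def check(rounds: int = 3) -> dict[str, set[int]]:
    pid_max = int(open("/proc/sys/kernel/pid_max").read())  # repeat the comparison
    gaps = {"readdir": [], "ps": []}
    for _ in range(rounds):
        alive = pids_from_kill(pid_max)
        threads = {p for p in alive if is_thread(p)}
        for view in gaps:
            gaps[view].append(hidden_pids(alive, visible_pids(view), threads))
    return {view: stable_hidden(samples) for view, samples in gaps.items()}
```

A rootkit that hooks kill() as well as getdents/ps can still defeat this, so a persistent gap is one signal to act on alongside lsof output and an aide/tripwire comparison, not proof on its own.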