Security Incidents mailing list archives

RE: suspicious activities...


From: "hilton de meillon" <hiltond () hotpop com>
Date: Fri, 17 Sep 2004 11:48:32 +1000

I ran an aide check but it did not return anything significant. I have not
had time to fine-tune my aide config so it produces a lot of noise. The
only files that had changed during that time were my anti-virus definitions.

This is my major problem: there is always lots of (interesting) security
work to be done but never a client that is willing to pay for these
modifications; that is why I have not fine-tuned my aide conf, etc. Making a
system secure is an exhausting process and is EXTREMELY time consuming, but I
guess you get faster and more efficient at learning what to worry about and
what not to...



-----Original Message-----
From: Michael Shirk [mailto:shirkdog () cryptomail org] 
Sent: Friday, 17 September 2004 2:53 AM
To: incidents () securityfocus com
Subject: RE: suspicious activities...

Try lsof to see what processes are tied to what open ports. Do you have any
backups, or an integrity database (aide/tripwire) of the files before
putting this mail server into production??
If you cannot take the system offline, then you should try to do a live system
investigation. SecurityFocus has a couple of step-by-step walkthroughs for
working with a live unix/linux system.

Shirkdog

-----Original Message-----
From: hiltond () hotpop com [mailto:hiltond () hotpop com]
Sent: Tuesday, September 14, 2004 8:23 PM
To: incidents () securityfocus com
Subject: suspicious activities...
Importance: Low
Hi All, 
 
I had this really strange occurrence the other night...
 
Please find the course of events detailed below :
 
We had just migrated a client's email (MX) to a new server, and as soon as we
switched the MX over the server received thousands of spam emails from a
domain called hanmail.net (or something like that). Since I was in the
process of putting the finishing touches on the server I had not introduced
any anti-relay measures (not that anti-relay should have been an
afterthought), so the emails were successfully relayed to other hosts for about
a minute (just until I could re-configure sophos to block that IP from
relaying).
 
 
 
A bit later on I ran chkrootkit and got this message : 
 
(just for reference zzz.yyy.xxx.www is my ip and www.xxx.yyy.zzz is the mail
server.)
 
 
xyzhost:~# chkrootkit -q
 
You have     2 process hidden for readdir command
You have     2 process hidden for ps command
Warning: Possible LKM Trojan installed
  eth0 is not promisc
 
so I was like "AAARRRGGGHHH!!!" I then ran :
 
xyzhost:~# w
 20:38:51 up 59 min,  3 users,  load average: 0.07, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     pts/0    zzz.yyy.xxx.www  19:40    1:18   0.13s  0.00s  tail -f /var/log/mail/mail.log
root     pts/1    zzz.yyy.xxx.www  20:06   46.00s  0.28s  0.18s  watch -n 1 mailq
root     pts/2    zzz.yyy.xxx.www  20:38    0.00s  0.02s  0.01s  w

I ran chkrootkit again and got this message...

xyzhost:~# chkrootkit -q
warning, got bogus tcp line.
  eth0 is not promisc

Then I ran it again and got nothing...???:
 
xyzhost:~# chkrootkit -q
  eth0 is not promisc
 
xyzhost:~# chkrootkit -q
  eth0 is not promisc
 
 
 
--------------------------------------
 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 www.xxx.yyy.zzz:25      0.0.0.0:*               LISTEN
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3616    ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3489    ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3735    ESTABLISHED
tcp        1      0 www.xxx.yyy.zzz:33337   211.43.197.159:25       CLOSE_WAIT
tcp        0      0 www.xxx.yyy.zzz:33414   203.231.231.41:25       ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     15838  /var/run/mmsmtp.control
unix  2      [ ACC ]     STREAM     LISTENING     221    /var/run/courier/authdaemon/socket.tmp
unix  7      [ ]         DGRAM                    155    /dev/log
unix  2      [ ]         DGRAM                    299
unix  2      [ ]         DGRAM                    253
unix  2      [ ]         DGRAM                    245
unix  2      [ ]         DGRAM                    220
unix  2      [ ]         DGRAM                    198
 
 
What the hang happened there??
The server is a Debian woody running sendmail and sophos mailmonitor (mmsmtp
daemon).
Any ideas?
Regards,
Hilton De Meillon.
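The chkrootkit warnings in the original post ("2 process hidden for readdir command", "2 process hidden for ps command") come from cross-checking three views of the process table, and a warning that appears once and is gone on the next run is exactly what a race with short-lived processes looks like on a mail server that is forking delivery children. The script below is an added example, not code from chkrootkit or from anyone in this thread; it reproduces the same cross-check on Linux (the /proc layout, `ps -e -o pid=` and `kill(pid, 0)` are standard; the probe ceiling `MAX_PROBE_PID` and the function names are my own choices), skips thread IDs, which would otherwise show up as "hidden" because `kill` accepts them but neither `/proc` nor `ps` lists them, and only reports a PID after it has been missing in every one of several samples.

```python
#!/usr/bin/env python3
"""Cross-check process visibility the way a chkrootkit-style hidden-process
test does (added example; not chkrootkit's own code).

Three views of "which PIDs exist" are compared:
  * readdir view: the numeric entries of /proc
  * ps view:      what ps(1) reports
  * probe view:   kill(pid, 0) for every PID up to a ceiling, which asks the
                  kernel directly and bypasses both readdir and ps
A PID in the probe view but absent from readdir or ps is either hidden by a
kernel-level rootkit or merely transient (it exited or was spawned between two
views being taken).  Short-lived mail delivery children make such races
common, which is why one run can warn and the next be clean.  Keeping only
PIDs hidden in every sample suppresses that noise.
"""
import os
import subprocess
import time

MAX_PROBE_PID = 65535  # assumption: probe ceiling; use /proc/sys/kernel/pid_max for a full sweep


def pids_from_readdir():
    """PIDs visible by listing /proc (what `ls /proc` shows)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """PIDs that ps(1) reports; a trojaned ps binary would omit some."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def is_thread(pid):
    """True if pid is a non-leader thread (Tgid != Pid).  kill(tid, 0) succeeds
    for threads, but /proc's listing and `ps -e` show only thread-group leaders,
    so threads would look hidden.  /proc/<tid> is openable directly even though
    it is not listed by readdir."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False  # cannot tell; keep it as a process rather than drop it silently
    return False


def pids_from_probe(max_pid=MAX_PROBE_PID):
    """PIDs the kernel confirms via kill(pid, 0).  ESRCH means no such process;
    EPERM means it exists but belongs to another user, so it still counts."""
    live = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not is_thread(pid):
            live.add(pid)
    return live


def hidden_pids(probe, readdir, ps):
    """Pure comparison: PIDs the kernel confirms but a userland view omits."""
    return {"readdir": sorted(probe - readdir), "ps": sorted(probe - ps)}


def confirmed_hidden(samples):
    """Keep only PIDs reported hidden in *every* sample (suppresses races)."""
    result = {}
    for view in ("readdir", "ps"):
        common = None
        for sample in samples:
            ids = set(sample[view])
            common = ids if common is None else common & ids
        result[view] = sorted(common or set())
    return result


def scan(samples=3, delay=1.0):
    """Live check: sample the three views repeatedly, report persistent hides."""
    taken = []
    for _ in range(samples):
        taken.append(hidden_pids(pids_from_probe(), pids_from_readdir(), pids_from_ps()))
        time.sleep(delay)
    return confirmed_hidden(taken)


if __name__ == "__main__":
    for view, pids in scan().items():
        print(f"{len(pids)} process(es) hidden for {view}: {pids}")
```

A PID that survives all samples still deserves a look at `/proc/<pid>/exe`, `/proc/<pid>/cmdline` and the socket inodes under `/proc/<pid>/fd`, ideally with tools copied from known-good media, since the point of the exercise is that the on-box `ps` and `netstat` may no longer be trustworthy.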
 
 
 
 
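Both Shirk's suggestion of an integrity database taken before the server went into production and Hilton's complaint that an untuned aide config drowns the result in anti-virus definition churn come down to the same two pieces: a snapshot of file attributes stored off-box, and an exclusion list for paths that are expected to change. The following is an added example written for this thread, not aide or tripwire code; the attribute set, the `exclude_prefixes` convention and the constructed demo tree are my own assumptions.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline in the spirit of aide/tripwire (added
example, not either tool's code).

Snapshot a tree before the system goes live, keep the snapshot off the box,
and diff a later snapshot against it.  An exclusion list keeps expected churn
(virus definition updates, logs, spool) out of the report so that real
changes to binaries or configuration are not buried in noise.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Attributes worth alerting on for one file; hash only regular files."""
    st = os.lstat(path)
    rec = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def snapshot(root):
    """Map of path (relative to root, '/'-separated) -> attribute record."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = file_record(full)
    return db


def excluded(path, exclude_prefixes):
    """True if path is, or lies under, one of the excluded directories."""
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in exclude_prefixes)


def diff_snapshots(baseline, current, exclude_prefixes=()):
    """Pure comparison of two snapshots: added, removed and changed paths,
    with the list of attributes that differ for each changed path."""
    base = {p: r for p, r in baseline.items() if not excluded(p, exclude_prefixes)}
    cur = {p: r for p, r in current.items() if not excluded(p, exclude_prefixes)}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = []
    for p in sorted(set(base) & set(cur)):
        diffs = [k for k in sorted(set(base[p]) | set(cur[p]))
                 if base[p].get(k) != cur[p].get(k)]
        if diffs:
            changed.append((p, diffs))
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """End-to-end run on a throw-away tree with constructed contents."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("bin", "var/lib/av", "etc/cron.d"):
            os.makedirs(os.path.join(root, d))
        with open(os.path.join(root, "bin/tool"), "wb") as f:
            f.write(b"#!/bin/sh\necho ok\n")
        with open(os.path.join(root, "var/lib/av/defs.dat"), "wb") as f:
            f.write(b"sigs-v1")
        baseline = snapshot(root)
        json.dumps(baseline)  # the baseline is plain JSON; store it off-box
        # Expected churn: the AV definitions are updated.
        with open(os.path.join(root, "var/lib/av/defs.dat"), "wb") as f:
            f.write(b"sigs-v2-longer")
        # Unexpected: a binary's content changes and a new cron job appears.
        with open(os.path.join(root, "bin/tool"), "wb") as f:
            f.write(b"#!/bin/sh\necho tampered\n")
        with open(os.path.join(root, "etc/cron.d/new_job"), "wb") as f:
            f.write(b"* * * * * root /bin/tool\n")
        return diff_snapshots(baseline, snapshot(root), exclude_prefixes=("var/lib/av",))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The exclusion is by path prefix rather than by attribute, so a definitions directory can churn freely while a changed `mode` or `uid` on anything else is still reported; the snapshot itself must be compared with a copy kept off the host, because a baseline stored on a compromised box can be regenerated to match.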




