RE: suspicious activities...
From: Luke Marty (lmarty_at_swiftknowledge.com)
Date: 09/16/04
- Previous message: Michael Shirk: "RE: suspicous activities..."
- Maybe in reply to: hilton de meillon: "suspicous activities..."
- Next in thread: L0stm4n: "Re: suspicous activities..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Sep 2004 12:06:54 -0500
To: "hilton de meillon" <hiltond@hotpop.com>, <incidents@securityfocus.com>
I have seen a bizillion mails trying to slip through my exchange server destined to hanmail.com also, starting very shortly after I put the mail server up. I have since blocked mail to and from that domain at the firewall but have not been able to isolate where the messages were coming from. I assumed it was some sort of bug stuck in my exchange store, but this makes me a bit more concerned.
Luke Marty
Network Shock Trooper
-----Original Message-----
From: hilton de meillon [mailto:hiltond@hotpop.com]
Sent: Tuesday, September 14, 2004 7:23 PM
To: incidents@securityfocus.com
Subject: suspicious activities...
Hi All,
I had this really strange occurrence the other night...
Please find the course of events detailed below:

We had just migrated a client's email (MX) to a new server, and as soon as we switched the MX over the server received thousands of spam emails from a domain called hanmail.net (or something like that). Since I was in the process of putting the finishing touches on the server I had not introduced any anti-relay measures (not that anti-relay should have been an afterthought), so the emails were successfully relayed to other hosts for about a minute (just until I could re-configure sophos to block that IP from relaying).

A bit later on I ran chkrootkit and got this message (just for reference, zzz.yyy.xxx.www is my IP and www.xxx.yyy.zzz is the mail server):
xyzhost:~# chkrootkit -q
You have 2 process hidden for readdir command
You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
eth0 is not promisc
so I was like "AAARRRGGGHHH!!!" I then ran :
xyzhost:~# w
 20:38:51 up 59 min,  3 users,  load average: 0.07, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE    JCPU   PCPU  WHAT
root     pts/0    zzz.yyy.xxx.www   19:40    1:18    0.13s  0.00s tail -f /var/log/mail/mail.log
root     pts/1    zzz.yyy.xxx.www   20:06   46.00s   0.28s  0.18s watch -n 1 mailq
root     pts/2    zzz.yyy.xxx.www   20:38    0.00s   0.02s  0.01s w
I ran chkrootkit again and got this message...
xyzhost:~# chkrootkit -q
warning, got bogus tcp line.
eth0 is not promisc
Then I ran it again and got nothing...???
xyzhost:~# chkrootkit -q
eth0 is not promisc
xyzhost:~# chkrootkit -q
eth0 is not promisc
--------------------------------------
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 www.xxx.yyy.zzz:25      0.0.0.0:*               LISTEN
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3616    ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3489    ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3735    ESTABLISHED
tcp        1      0 www.xxx.yyy.zzz:33337   211.43.197.159:25       CLOSE_WAIT
tcp        0      0 www.xxx.yyy.zzz:33414   203.231.231.41:25       ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     15838  /var/run/mmsmtp.control
unix  2      [ ACC ]     STREAM     LISTENING     221    /var/run/courier/authdaemon/socket.tmp
unix  7      [ ]         DGRAM                    155    /dev/log
unix  2      [ ]         DGRAM                    299
unix  2      [ ]         DGRAM                    253
unix  2      [ ]         DGRAM                    245
unix  2      [ ]         DGRAM                    220
unix  2      [ ]         DGRAM                    198
What the hang happened there??

The server is a Debian woody running sendmail and sophos mailmonitor (mmsmtp daemon).

Any ideas?
Regards,
Hilton De Meillon.
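The "process hidden for readdir/ps" warning above is produced by comparing the PIDs visible as directories in /proc with the PIDs that ps reports. The script below is an added example, not code from the thread or from chkrootkit: it performs that same comparison, and because a process that exits between the readdir and the ps call (for instance a command re-spawned every second by `watch -n 1`) looks "hidden" in a single shot, it takes several samples and only reports PIDs that stay hidden in every one. The sample data in the test is constructed; `live_sample()` assumes a Linux /proc and a procps-style `ps`.

```python
import os
import re
import subprocess
import time

PID_DIR = re.compile(r"^\d+$")

def pids_from_proc(entries):
    """PIDs visible through readdir(): the purely numeric names in /proc."""
    return {int(name) for name in entries if PID_DIR.match(name)}

def pids_from_ps(ps_output):
    """PIDs reported by ps; header lines and non-numeric first columns are skipped."""
    pids = set()
    for line in ps_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids

def hidden_pids(proc_pids, ps_pids):
    """Single-shot check: PIDs present in /proc but not reported by ps."""
    return proc_pids - ps_pids

def stable_hidden_pids(samples):
    """samples: (proc_pids, ps_pids) tuples taken a moment apart.
    A process that exits between the readdir and the ps of one sample looks
    hidden in that sample only; intersecting across samples drops it, while
    a process that a kernel module keeps out of ps is hidden every time."""
    result = None
    for proc_pids, ps_pids in samples:
        hidden = hidden_pids(proc_pids, ps_pids)
        result = hidden if result is None else result & hidden
    return result if result else set()

def live_sample():
    """One sample of the running host (assumes Linux /proc and procps ps)."""
    entries = os.listdir("/proc")
    ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                        text=True, check=True).stdout
    return pids_from_proc(entries), pids_from_ps(ps)

if __name__ == "__main__":
    samples = []
    for _ in range(3):
        samples.append(live_sample())
        time.sleep(1)
    print("hidden from ps in every sample:", sorted(stable_hidden_pids(samples)))
```

A non-empty result from `stable_hidden_pids()` is worth pulling the machine off the network for; a PID that appears in one sample only is usually a short-lived child, as the disappearing warning in the thread suggests.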