Network Security Incidents

RE: suspicious activities...

Subject: RE: suspicious activities...
Date: Thu Sep 16 12:52:31 EDT 2004
Try lsof to see which processes are tied to which open ports. Do you have any backups, or an integrity database (aide/tripwire) of the files, from before putting this mail server into production?
If you cannot take the system offline, then you should try a live system investigation. SecurityFocus has a couple of step-by-step walkthroughs for working with a live Unix/Linux system.
Shirkdog
-----Original Message-----
From: hiltond@hotpop.com [mailto:hiltond@hotpop.com]
Sent: Tuesday, September 14, 2004 8:23 PM
To: incidents@securityfocus.com
Subject: suspicious activities...
Importance: Low
Hi All,

I had this really strange occurrence the other night...

Please find the course of events detailed below:

We had just migrated a client's email (MX) to a new server, and as soon as we switched the MX over, the server received thousands of spam emails from a domain called hanmail.net (or something like that). Since I was in the process of putting the finishing touches on the server I had not introduced any anti-relay measures (not that anti-relay should have been an afterthought), so the emails were successfully relayed to other hosts for about a minute (just until I could re-configure Sophos to block that IP from relaying).

A bit later on I ran chkrootkit and got this message:

(just for reference, zzz.yyy.xxx.www is my IP and www.xxx.yyy.zzz is the mail server.)

xyzhost:~# chkrootkit -q
 
You have     2 process hidden for readdir command
You have     2 process hidden for ps command
Warning: Possible LKM Trojan installed
  eth0 is not promisc
 
So I was like "AAARRRGGGHHH!!!" I then ran:
 
xyzhost:~# w
 20:38:51 up 59 min,  3 users,  load average: 0.07, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     pts/0    zzz.yyy.xxx.www  19:40    1:18   0.13s  0.00s  tail -f /var/log/mail/mail.log
root     pts/1    zzz.yyy.xxx.www  20:06   46.00s  0.28s  0.18s  watch -n 1 mailq
root     pts/2    zzz.yyy.xxx.www  20:38    0.00s  0.02s  0.01s  w

I ran chkrootkit again and got this message...

xyzhost:~# chkrootkit -q
warning, got bogus tcp line.
  eth0 is not promisc

Then I ran it again and got nothing...???
 
xyzhost:~# chkrootkit -q
  eth0 is not promisc
 
xyzhost:~# chkrootkit -q
  eth0 is not promisc

--------------------------------------

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 www.xxx.yyy.zzz:25      0.0.0.0:*               LISTEN
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3616    ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3489    ESTABLISHED
tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3735    ESTABLISHED
tcp        1      0 www.xxx.yyy.zzz:33337   211.43.197.159:25       CLOSE_WAIT
tcp        0      0 www.xxx.yyy.zzz:33414   203.231.231.41:25       ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     15838  /var/run/mmsmtp.control
unix  2      [ ACC ]     STREAM     LISTENING     221    /var/run/courier/authdaemon/socket.tmp
unix  7      [ ]         DGRAM                    155    /dev/log
unix  2      [ ]         DGRAM                    299
unix  2      [ ]         DGRAM                    253
unix  2      [ ]         DGRAM                    245
unix  2      [ ]         DGRAM                    220
unix  2      [ ]         DGRAM                    198

What the hang happened there??
The server is a Debian woody running sendmail and Sophos MailMonitor (mmsmtp daemon).
Any ideas?
Regards,
Hilton De Meillon.
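
For anyone wanting to reproduce the two chkrootkit warnings quoted above ("process hidden for readdir command" / "process hidden for ps command") without trusting a single run, here is an added example; it is not from the thread and not chkrootkit's own code. It probes every PID with kill(pid, 0), compares the result against a plain listing of /proc and against ps, and repeats the comparison so that short-lived processes (for instance the mailq that `watch -n 1 mailq` in the second session spawns every second) are not reported as hidden merely because they exited between two views. The /proc/sys/kernel/pid_max path and the `ps -eo pid=` flags are Linux/procps assumptions.

```python
import os
import subprocess

def pids_via_readdir(proc="/proc"):
    """PIDs a plain directory listing of /proc reveals (chkrootkit's "readdir" view)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pids_via_ps():
    """PIDs ps reports; a trojaned ps or a /proc-filtering LKM hides entries here."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True)
    return {int(field) for field in out.stdout.split()}

def pids_via_probe(max_pid=None):
    """PIDs that exist according to kill(pid, 0): success and EPERM both mean 'alive'."""
    if max_pid is None:  # assumption: Linux keeps the PID ceiling in pid_max
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:  # exists, just not ours to signal
            alive.add(pid)
        except ProcessLookupError:  # no such process
            pass
    return alive

def hidden_pids(probe, readdir, ps):
    """Pure comparison behind the two warnings: alive by probe but missing from a view."""
    return {"readdir": probe - readdir, "ps": probe - ps}

def consistently_hidden(samples):
    """Keep only PIDs flagged in every sample, so processes that merely exited drop out."""
    return {view: (set.intersection(*[s[view] for s in samples]) if samples else set())
            for view in ("readdir", "ps")}

def scan(rounds=3):
    """Take several samples; PIDs hidden in all of them deserve a closer look."""
    samples = [hidden_pids(pids_via_probe(), pids_via_readdir(), pids_via_ps())
               for _ in range(rounds)]
    return consistently_hidden(samples)

if __name__ == "__main__":
    for view, pids in scan().items():
        print(f"You have {len(pids):5d} process hidden for {view} command", sorted(pids))
```

A PID that survives all rounds and still cannot be seen in /proc or ps is the case worth investigating offline with the integrity database mentioned above, rather than one that comes and goes between runs.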
 