Linux Help

ajbird
Posted on: Oct 18 2004, 09:16 AM


Whats this Lie-nix Thing?
*

Group: Members
Posts: 9
Joined: 2-October 04
Member No.: 3,879


Hi people,

The inbox of my mailmanager account is getting hammered by thousands (20,000 in the last couple of days) of undelivered items. Now my worst fear is that someone is using my server to spam others, and when I do a ps aux on my server there appears to be a lot of activity like

qmail-remote belitungisland.com masahiro@belitungisland.com

So I guess I have 2 questions.
1) How can I check to see if anyone is using my server to spam other users?
and
2) How can I track down and report spammers trying to hit my users? i.e. they seem to be randomly spamming something@dx3webs.com (one of my domains).

Here is an example of a non-delivery report. Can someone break this down to show who sent it and where from?

QUOTE
Hi. This is the qmail-send program at p15151010.pureserver.info.
I tried to deliver a bounce message to this address, but the bounce bounced!

<wghiuwyikcy@attglobal.net>:
32.97.166.40 does not like recipient.
Remote host said: 551 not our customer
Giving up on 32.97.166.40.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 19228 invoked for bounce); 18 Oct 2004 12:48:11 -0000
Date: 18 Oct 2004 12:48:11 -0000
From: MAILER-DAEMON@p15151010.pureserver.info
To: wghiuwyikcy@attglobal.net
Subject: failure notice

Hi. This is the qmail-send program at p15151010.pureserver.info.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<pjestes@dx3webs.com>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path: <wghiuwyikcy@attglobal.net>
Received: (qmail 19225 invoked from network); 18 Oct 2004 12:48:11 -0000
Received: from moutng.kundenserver.de (212.227.126.171)
by xdcuk.net with SMTP; 18 Oct 2004 12:48:11 -0000
Received: from [212.227.126.159] (helo=mxng09.kundenserver.de)
by moutng.kundenserver.de with esmtp (Exim 3.35 #1)
id 1CJWvr-0004MF-00
for pjestes@dx3webs.com; Mon, 18 Oct 2004 14:48:11 +0200
Received: from [138.130.6.24] (helo=CPE-138-130-6-24.nsw.bigpond.net.au)
by mxng09.kundenserver.de with smtp (Exim 3.35 #1)
id 1CJWvT-000848-00; Mon, 18 Oct 2004 14:47:49 +0200
X-Message-Info: T21enBQbeoJYbc3s214+Pkfb4kjaEO
Received: from mail6240.mljzs.cox.net (110.216.64.205) by qd651-wrg041.cox.net with Microsoft SMTPSVC(5.0.2195.6824);
Mon, 18 Oct 2004 06:37:11 -0700
Received: from QHNNB1 (m26.188.224.83.unyhx071.c.cox.net 160.88.220.215)
by mail61.w.cox.net (969.8.0plf7/1.91.134) with SMTP id bao66KK29ZJFq5648;
Mon, 18 Oct 2004 09:43:11 -0400
Message-ID: <762q995cef61uzd304vzo$xsk4cyw37i6$ygo60m42@LXG697>
From: "The Stock Radar" <wghiuwyikcy@attglobal.net>
To: "Pjestes" <pjestes@dx3webs.com>
References: <boycott5-X413TlcGELrAD14GAR086a5@cox.net>
Subject: Informed Investors are winners
Date: Mon, 18 Oct 2004 09:41:11 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--987928866321632"
X-RBL-Warning: (dialup.bl.kundenserver.de) This mail has been received from a dialup host.
X-Provags-Forward: pjestes@dx3webs.com -> pjestes@dx3webs.com

----987928866321632
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

HouseRaising Inc. OTCBB: HRAI

Net Assets of over 7,000,000

1,100,000 in Homebuilding and Renovation Sales Under Construction.

(Source: News Announcement 9/14/04)

Current Price. 0.48


A massive PR campaign is being launched this Weekend and Monday
could be a huge day in the Stock.

blah blah blah blah blah
  Forum: Technical Support · Post Preview: #18166 · Replies: 2 · Views: 2,461

ajbird
Posted on: Oct 13 2004, 08:01 AM

Thanks hughesjr for all your help.

The web server is now zapped and the web interface shut down till I get it all sorted.

It now looks like they managed to use misconfigured Coppermine permissions (my fault) to install their own web server, which allowed them to run stuff. I knew what the gaps were, but either way they got in and that's that.

Cheers for all your suggestions and help.

andy
  Forum: Technical Support · Post Preview: #18012 · Replies: 12 · Views: 6,651

ajbird
Posted on: Oct 9 2004, 03:02 AM

Yeh, thanks for all the help chaps. I have requested that my hosting company re-image my setup. It will be Red Hat 9, no choice in this, so I will get it patched up as soon as the re-image takes place.

thanks for all the help

andy
  Forum: Technical Support · Post Preview: #17955 · Replies: 12 · Views: 6,651

ajbird
Posted on: Oct 8 2004, 08:34 AM

Great. As I type, a dos folder just appeared; inside is smurf6-linux+LPG.c and a list of IP addresses and a few other DoS tools. That explains where my bandwidth went!

This is just getting silly now.
  Forum: Technical Support · Post Preview: #17933 · Replies: 12 · Views: 6,651

ajbird
Posted on: Oct 8 2004, 07:08 AM

Bugger.

I think you are right. I was getting a load of port scans from IRC networks; the whois explained that this was natural if you were running an IRC client... however, I was not. I blocked all ports used to connect to IRC networks. This morning I found the following after running f-prot:

[quote]
/var/tmp/.bash_history/logs/eggdrop-1.6.10 Infection: Unix/Osf.A
Unable to remove the virus.
/var/tmp/.bash_history/logs/kik Infection: Unix/Osf.A
Unable to remove the virus.
/var/tmp/.bash_history/logs/kik.4 Infection: Unix/Osf.A
Unable to remove the virus.
/var/tmp/httpd Infection: Unix/Osf.A
Unable to remove the virus.
[/quote]


I just hope I have learned enough about security now to have a safe and secure web server the next time around.

Oh, and for anyone who is interested, the following was found in my .bash_history folder. Note the owner is listed as apache.

[quote]drwxr-xr-x 9 apache apache 4096 Oct 8 13:44 .
drwxr-xr-x 4 apache apache 4096 Oct 4 15:59 ..
-rw-r--r-- 1 apache apache 3665 Oct 4 16:18 238
-rw-r--r-- 1 apache apache 1880 Oct 8 13:44 AlreadyAsked.txt
lrwxrwxrwx 1 apache apache 14 Oct 4 15:58 bin -> eggdrop-1.6.10
-rw-r--r-- 1 apache apache 451 Oct 8 09:03 BotScore.html
-rw-r--r-- 1 apache apache 49 Oct 8 09:03 BotScores.txt
drwxr-xr-x 5 apache apache 4096 Oct 4 15:58 doc
-rwxr-xr-x 1 apache apache 2523568 May 11 2002 eggdrop-1.6.10
-rw-r--r-- 1 apache apache 45658 May 11 2002 eggdrop.advanced.conf
-rw-r--r-- 1 apache apache 49936 May 11 2002 eggdrop.complete.conf
-rw-r--r-- 1 apache apache 4823 May 11 2002 eggdrop.simple.conf
drwxr-xr-x 3 apache apache 4096 May 11 2002 filesys
-rw-r--r-- 1 apache apache 41895 Oct 4 16:40 file.txt
drwxr-xr-x 4 apache apache 4096 Oct 4 15:58 help
-rwxr-xr-x 1 apache apache 21149 Mar 24 2003 kik
-rw-r--r-- 1 apache apache 21149 Mar 24 2003 kik.4
drwxr-xr-x 2 apache apache 4096 Oct 8 13:36 language
drwxr-xr-x 2 apache apache 4096 Oct 4 15:58 logs
-rw-r--r-- 1 apache apache 283 Oct 7 22:27 MonthlyScores.html
-rw-r--r-- 1 apache apache 10 Oct 7 22:27 MonthlyScores.txt
-rw-r--r-- 1 apache apache 6 Oct 7 22:24 pid.bangku-
-rw-r--r-- 1 apache apache 28591 May 11 2002 README
-rw-r--r-- 1 apache apache 275 Oct 7 22:27 ScoresOct.html
-rw-r--r-- 1 apache apache 10 Oct 7 22:27 ScoresOct.txt
drwxr-xr-x 2 apache apache 4096 Oct 7 22:39 scripts
drwxr-xr-x 2 apache apache 4096 Oct 4 15:58 text
[/quote]

And there appears to be a backdoor script (see above, 238) installed as well. Looking into that now; looks nasty. Nice of them to leave it for me to look at though.

Eggdrop is an IRC bot! Is that all they were after? But what caused the 40 gig of traffic that made me realise they were there?

Very strange.

lol. Analysing the stuff in the above files and found Linux.Jac.8759! See here. Interesting that the copy of Eggdrop has the same virus inside it! Did they know this? It was almost certainly infected after they installed the bot, as when unpacked from bete.tar.gz it contains no virus!

That script begins
[quote]
set my-hostname "localhost"
set my-ip "***.***.***.***"
set nick "bangku-"
set owner "anak_baik"
set basechan "#sobatmu"
set username "games"

[/quote]
So I guess I now know where that game user came from!
  Forum: Technical Support · Post Preview: #17932 · Replies: 12 · Views: 6,651
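The owner column in the listing above is the important part: everything under /var/tmp/.bash_history is owned by apache, the account the web server runs as, so it was written by something executing inside the web server, which fits the Coppermine explanation given later in the thread. The following is an added example, not code from the thread, of the hunt that finding suggests: walk the scratch directories any account can write to and report every entry the web-server account owns there, with the flags an investigator wants at a glance (hidden path component, execute bit, symlink target, mtime for a timeline). The scratch directory list and the sample tree are assumptions made for the example; the account name "apache" is taken from the listing.

```python
import os
import pwd
import shutil
import stat
import tempfile
import time
from typing import Iterator, List, NamedTuple

SCRATCH_DIRS = ["/tmp", "/var/tmp", "/dev/shm"]  # assumption: where any account can write


class Finding(NamedTuple):
    path: str            # absolute path
    rel: str             # path relative to the scratch root it was found under
    mode: str            # ls -l style, e.g. -rwxr-xr-x
    size: int
    mtime: str
    hidden: bool         # some component of the relative path starts with '.'
    executable: bool     # regular file with any execute bit set
    symlink_target: str  # '' unless the entry is a symlink


def current_uid() -> int:
    return os.getuid()


def uid_of(user: str) -> int:
    """Numeric uid of the account the web server runs as (e.g. 'apache')."""
    return pwd.getpwnam(user).pw_uid


def hunt(roots: List[str], uid: int) -> Iterator[Finding]:
    """Every directory entry under `roots` owned by `uid`, symlinks not followed."""
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue  # vanished or unreadable; keep walking
                if st.st_uid != uid:
                    continue
                rel = os.path.relpath(full, root)
                yield Finding(
                    path=full,
                    rel=rel,
                    mode=stat.filemode(st.st_mode),
                    size=st.st_size,
                    mtime=time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                    hidden=any(part.startswith(".") for part in rel.split(os.sep)),
                    executable=stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111),
                    symlink_target=os.readlink(full) if stat.S_ISLNK(st.st_mode) else "",
                )


def build_sample_tree() -> str:
    """Constructed stand-in for the layout in the post (sample files, not the real
    ones): a hidden directory in a scratch dir holding a bot, a helper and a 'bin' link."""
    base = tempfile.mkdtemp(prefix="hunt-demo-")
    os.makedirs(os.path.join(base, ".bash_history", "logs"))
    for rel, mode in ((".bash_history/eggdrop-1.6.10", 0o755),
                      (".bash_history/logs/kik", 0o755),
                      (".bash_history/eggdrop.simple.conf", 0o644),
                      ("plain.txt", 0o644)):
        full = os.path.join(base, rel)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)
    os.symlink("eggdrop-1.6.10", os.path.join(base, ".bash_history", "bin"))
    return base


def remove_sample_tree(base: str) -> None:
    shutil.rmtree(base)


if __name__ == "__main__":
    web_uid = uid_of("apache")  # 'www-data' or 'nobody' on other distributions
    for f in sorted(hunt(SCRATCH_DIRS, web_uid)):
        flags = ("H" if f.hidden else "-") + ("X" if f.executable else "-") + ("L" if f.symlink_target else "-")
        link = f" -> {f.symlink_target}" if f.symlink_target else ""
        print(f"{flags} {f.mode} {f.size:>9} {f.mtime} {f.path}{link}")
```

Run it as root so every entry is readable. The web server should own nothing in these directories beyond session and upload scratch files it creates itself, so anything with the execute bit, a hidden path component or a symlink deserves a look. Treat the mtimes as the first draft of a timeline only: an intruder who can write the files can also touch their timestamps, as the May 2002 dates on the Eggdrop files in the listing remind you.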

ajbird
Posted on: Oct 6 2004, 09:00 AM

Right, I have run 2 rootkit detectors and the only things that look abnormal are...

chkroot

Checking `lkm'... You have 6 process hidden for ps command
Warning: Possible LKM Trojan installed

root check

== Check process/ps: ==

PID 1077 in use but "ps" do not show!

rkhunter
says everything is clean

Anything to worry about here?

Other than that all seems to be back up and running. I just don't really have the capabilities or the time to rebuild this server from scratch, so am really hoping to clean out the existing setup! Fingers crossed.

Oh, and this appears when you do an f-prot check:

/var/tmp/httpd Infection: Unix/Osf.A

What the hell is this?

Please tell me I can avoid a rebuild.

cheers

andy
  Forum: Technical Support · Post Preview: #17896 · Replies: 12 · Views: 6,651
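Both warnings in the post above come down to one comparison: the set of PIDs that really exist against the set ps reports. The following is an added example of that comparison (not code from chkrootkit, rkhunter or the thread). It probes every possible PID with signal 0 instead of listing /proc, the trick the unhide tool relies on, because a kernel module that hides a process from directory listings usually does not hide it from kill(). The probe-ps-probe sandwich keeps short-lived processes out of the result; the Tgid check throws away thread IDs, which kill() also answers for. Path names and the ps invocation are standard Linux; the only assumption is that /proc is mounted.

```python
import os
import subprocess
from typing import Iterable, Set


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Highest PID the kernel will hand out (32768 on a 2004-era box, often far more now)."""
    with open(path) as fh:
        return int(fh.read().strip())


def tgid_from_status(status_text: str) -> int:
    """The Tgid: field of a /proc/<id>/status file, or -1 if it is absent."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return -1


def brute_force_pids(pid_max: int, proc_root: str = "/proc") -> Set[int]:
    """Every live process ID up to pid_max, found by kill(pid, 0) rather than by
    reading the /proc directory. ESRCH means no such process; EPERM means it exists
    but is not ours, which is still a live PID. Thread IDs answer too, so an entry
    whose Tgid differs from its own ID is a thread and is dropped."""
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        try:
            with open(f"{proc_root}/{pid}/status") as fh:
                if tgid_from_status(fh.read()) not in (pid, -1):
                    continue
        except OSError:
            pass  # status unreadable; keep the PID, a human can look at it
        found.add(pid)
    return found


def pids_from_ps_output(ps_output: str) -> Set[int]:
    """Parse the output of `ps -e -o pid=` (one PID per line, padded)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(really_present: Iterable[int], shown_by_ps: Iterable[int]) -> Set[int]:
    """PIDs that exist but ps did not report."""
    return set(really_present) - set(shown_by_ps)


def live_check() -> Set[int]:
    """Probe, ask ps, probe again. Only PIDs alive across both probes are compared,
    so processes that started or exited while ps ran (ps itself included) do not
    show up as false positives."""
    pid_max = read_pid_max()
    before = brute_force_pids(pid_max)
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    after = brute_force_pids(pid_max)
    return hidden_pids(before & after, pids_from_ps_output(out))


if __name__ == "__main__":
    for pid in sorted(live_check()):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = "?"
        print(f"hidden PID {pid}  exe={exe}")
```

Read the result the right way round. A non-empty list on a box that already has f-prot hits in /var/tmp is strong evidence the kernel or the system binaries are lying, and once that is true no tool running on the machine (this one included) can be trusted to give a clean bill of health; an empty list proves nothing. That is why re-imaging, which the poster ends up doing, is the answer to "can I avoid a rebuild".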

ajbird
Posted on: Oct 3 2004, 05:01 AM

I have used "ps aux" and this showed a large number of qmail processes attempting to send info to adfadsfadsfadsfadf@yahoo.com, ewraewrweraewrwr@yahoo.com, adfadsfasfasd@yahoo.com etc.

It looks like this spam was the cause of the 40 gig of traffic in a single day. Does this sound likely? I have the web server running with the firewall script on and qmail turned off. However, I really need my email back up and running but am a bit scared to do so. Suggestions anyone!!! Please.

Also, I can't find the qmail logs to check them. I think they should be at /bin/log/qmail but there is nothing there.

help meeeeee
  Forum: Technical Support · Post Preview: #17826 · Replies: 12 · Views: 6,651
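The qmail-remote processes seen in ps aux here and in the Oct 18 post can mean two different things, and ps cannot tell them apart. qmail-remote is started as "qmail-remote host sender recipient...", and for a bounce the envelope sender is the empty string, which ps simply swallows, so "qmail-remote belitungisland.com masahiro@belitungisland.com" is a bounce going out, not mail the box composed. Reading /proc/<pid>/cmdline instead keeps the empty argument, because its fields are NUL-separated. The following is an added example (not from the thread) that does that split and counts bounces against real submissions per destination host; the cmdline samples are constructed for the example, not captured from the poster's server.

```python
import os
from collections import Counter
from typing import Dict, Optional

# Constructed /proc/<pid>/cmdline contents (sample data for this example). The
# empty field between host and recipient in the first three is the bounce sender.
SAMPLE_CMDLINES: Dict[int, bytes] = {
    19301: b"qmail-remote\x00belitungisland.com\x00\x00masahiro@belitungisland.com\x00",
    19302: b"qmail-remote\x00yahoo.com\x00\x00adfadsfadsfadsfadf@yahoo.com\x00",
    19303: b"qmail-remote\x00yahoo.com\x00\x00ewraewrweraewrwr@yahoo.com\x00",
    19304: b"qmail-remote\x00example.net\x00bob@dx3webs.com\x00alice@example.net\x00",
    19305: b"/usr/sbin/httpd\x00-DFOREGROUND\x00",
}


def parse_qmail_remote(cmdline: bytes) -> Optional[Dict[str, object]]:
    """Split a NUL-separated cmdline and describe the delivery it carries, or
    return None if the process is not qmail-remote."""
    argv = cmdline.split(b"\x00")
    if argv and argv[-1] == b"":
        argv.pop()  # the NUL that terminates the last argument
    if len(argv) < 4 or os.path.basename(argv[0]) != b"qmail-remote":
        return None
    sender = argv[2].decode(errors="replace")
    return {
        "host": argv[1].decode(errors="replace"),
        "sender": sender,
        "recipients": [r.decode(errors="replace") for r in argv[3:]],
        "bounce": sender == "",
    }


def summarize(cmdlines: Dict[int, bytes]) -> Dict[str, Counter]:
    """Outbound deliveries in flight, split into bounces (empty sender: the box is
    returning mail it accepted) and submissions (a real sender: the box is
    originating or relaying), with a tally of who those senders claim to be."""
    bounces: Counter = Counter()
    originated: Counter = Counter()
    senders: Counter = Counter()
    for raw in cmdlines.values():
        job = parse_qmail_remote(raw)
        if job is None:
            continue
        if job["bounce"]:
            bounces[job["host"]] += 1
        else:
            originated[job["host"]] += 1
            senders[job["sender"]] += 1
    return {"bounces": bounces, "originated": originated, "senders": senders}


def read_live_cmdlines(proc_root: str = "/proc") -> Dict[int, bytes]:
    """Collect /proc/<pid>/cmdline for every listed process; one that exits
    mid-scan is skipped."""
    out: Dict[int, bytes] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/cmdline", "rb") as fh:
                out[int(name)] = fh.read()
        except OSError:
            continue
    return out


if __name__ == "__main__":
    report = summarize(read_live_cmdlines())
    print("bounces in flight, by host :", report["bounces"].most_common(10))
    print("submissions, by host       :", report["originated"].most_common(10))
    print("envelope senders           :", report["senders"].most_common(10))
```

If nearly everything has an empty sender, the box is not spamming; it is bouncing spam that was sent to it with forged senders (random yahoo.com addresses like the ones above are typical forged envelope senders), and the traffic stops once the SMTP daemon refuses unknown recipients at RCPT time instead of accepting first and bouncing later. If the senders are filled in and are not your users, something on the box is injecting mail, and the queue (qmail-qread shows each message with its sender) tells you who. Note the example only sees processes it can read; on a box with a rootkit warning from chkrootkit, treat that list as incomplete.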

ajbird
Posted on: Oct 2 2004, 09:58 AM

I have installed the firewall as noted here: http://www.linuxhelp.net/guides/iptables/ . Do you think this will help? Also, could someone tell me how to accurately monitor traffic going over eth0?

cheers

andy
  Forum: Technical Support · Post Preview: #17823 · Replies: 12 · Views: 6,651
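For the eth0 question, the kernel's own per-interface counters in /proc/net/dev are the accurate source: they count every byte that crosses the interface, whereas the Plesk traffic report mentioned earlier is built from the web server's logs and never sees a DoS tool or an IRC bot. The following is an added example, not from the thread, that parses two readings of /proc/net/dev into rates and converts the 36,523 MB/day figure from the first post into the sustained line rate it implies. The two snapshots are constructed sample data; the only assumption about the target is that it is a Linux box with /proc mounted (the 32-bit counter wrap handled in delta() is for kernels of that era on i386).

```python
import time
from typing import Dict, Tuple

# Two constructed snapshots of /proc/net/dev taken 10 seconds apart (sample data
# for this example, not counters from the poster's server).
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1234      10    0    0    0     0          0         0     1234      10    0    0    0     0       0          0
  eth0: 5000000    4000    0    0    0     0          0         0 80000000   60000    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    2468      20    0    0    0     0          0         0     2468      20    0    0    0     0       0          0
  eth0: 5100000    5000    0    0    0     0          0         0 125000000  100000    0    0    0     0       0          0
"""

# iface -> (rx_bytes, rx_packets, tx_bytes, tx_packets)
Counters = Dict[str, Tuple[int, int, int, int]]
WRAP = 2 ** 32  # 2.4-era kernels on i386 kept these counters in 32 bits


def parse_proc_net_dev(text: str) -> Counters:
    """Parse /proc/net/dev: after 'iface:' come 8 receive columns then 8 transmit
    columns, bytes and packets first in each group. The banner lines have no colon."""
    counters: Counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        cols = rest.split()
        if len(cols) < 16:
            continue
        counters[iface.strip()] = (int(cols[0]), int(cols[1]), int(cols[8]), int(cols[9]))
    return counters


def delta(new: int, old: int) -> int:
    """Counter difference, corrected for one 32-bit wrap between the readings."""
    return new - old if new >= old else new - old + WRAP


def rates_mbit(t0: Counters, t1: Counters, seconds: float) -> Dict[str, Tuple[float, float]]:
    """Per-interface (rx, tx) line rate in Mbit/s between two snapshots."""
    rates: Dict[str, Tuple[float, float]] = {}
    for iface in t0.keys() & t1.keys():
        rx = delta(t1[iface][0], t0[iface][0]) * 8 / seconds / 1e6
        tx = delta(t1[iface][2], t0[iface][2]) * 8 / seconds / 1e6
        rates[iface] = (rx, tx)
    return rates


def daily_total_to_mbit(megabytes_per_day: float) -> float:
    """Average rate a daily total implies, with MB taken as 2**20 bytes as hosting
    panels usually count it."""
    return megabytes_per_day * 2 ** 20 * 8 / 86400 / 1e6


def sample_live(seconds: float = 5.0, path: str = "/proc/net/dev") -> Dict[str, Tuple[float, float]]:
    """Two live readings `seconds` apart."""
    with open(path) as fh:
        t0 = parse_proc_net_dev(fh.read())
    time.sleep(seconds)
    with open(path) as fh:
        t1 = parse_proc_net_dev(fh.read())
    return rates_mbit(t0, t1, seconds)


if __name__ == "__main__":
    print(f"36,523 MB in a day is {daily_total_to_mbit(36523):.2f} Mbit/s sustained all day")
    while True:  # an outbound flood shows up as tx far above rx
        for iface, (rx, tx) in sorted(sample_live().items()):
            print(f"{iface:>6}  rx {rx:9.3f} Mbit/s   tx {tx:9.3f} Mbit/s")
```

Watching the tx/rx split is what turns "40 gig went somewhere" into a lead: a web server is read-heavy on tx but with rx to match in the logs, while a flood tool like the smurf6 source found later sends without being asked. Once the counters show when it happens, netstat -anp (or lsof -i) during the burst names the process and the remote addresses, which is what the hosting company's abuse desk wants in the reply.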

ajbird
Posted on: Oct 2 2004, 07:32 AM

The first warning was a message from my hosting company which stated:

QUOTE
Dear Mr. Bird,

we have recently received several complaints regarding illegal access
attempts (port scans / hack attempts) originating from your 1&1 RootServer
(contract 4721466). Please check your server for viruses / internet
worms etc. immediately.

Should further complaints reach us concerning this matter we'll feel
impelled to take the server offline in order to prevent further abuse of our
infrastructure. Thank you for your understanding.

Furthermore we would ask you to contact us (abuse@kundenserver.de) within
three days in order to receive your comment on this concern. Thank you.


I was a bit worried and installed f-prot on my web server. Running this found a Unix/blitz virus which no one seems to have heard of. The only other viruses were W32 viruses in people's emails. I removed all of the infections listed.

Worse news was to follow... On the 25th of September my web server managed to generate 36,523.00 MB of traffic in one day. This cost me 150 for the one day's activities. So the question is... how do I track down what is going on? Where do I begin to investigate this traffic? The Plesk system provided by my ISP to manage the box reports that there was no unusual traffic on the system, so I guess it was not normal web traffic.

I was installing Tripwire and a firewall when I got another bandwidth warning, so I lost my bottle and shut the box down.

Oh, and it's running Red Hat 9.0.

Any ideas where to begin?

andy
  Forum: Technical Support · Post Preview: #17822 · Replies: 12 · Views: 6,651

