[BlueOnyx:10161] Re: Trojans and backdoors?
Chuck Tetlow
chuck at tetlow.net
Tue Apr 17 17:44:57 -05 2012
Darren,
When I had some similar instances on our old BlueQuartz servers - I always had a ton of crap mail that couldn't be delivered for one reason or another. That slowed down valid e-mail, and loaded up the CPU. You can see how much you've got by using the "mailq" command. It will show the mail waiting to be sent and give a count at the bottom of the list. I usually clean it all out during low-use periods (like middle of the night) by using "rm -f /home/spool/mqueue/*". Just realize, that will delete valid e-mail as well as crap - so be careful!
And if you're interested in tracking what your server is sending out - use a custom IPTables firewall rule to log it. Try:
iptables -I acctout 1 -p tcp --syn --dport 25 -j LOG --log-prefix "Outgoing_E-mail "
That will log all outgoing TCP Port 25 connection initiations to /var/log/messages. Then periodically run "cat /var/log/messages | grep Outgoing_E-mail | less" to see the outgoing mail connections. From that - you can get a pretty good guess if your server is still flooding out tons of crap.
Chuck
---------- Original Message -----------
From: "Darren Shea" <dshea at ecpi.com>
To: <blueonyx at mail.blueonyx.it>
Sent: Tue, 17 Apr 2012 17:16:27 -0500
Subject: [BlueOnyx:10160] Re: Trojans and backdoors?
> Thanks for all the suggestions, everyone. The particular hack does not seem
> to use the mailserver, nor has it created any files in the /tmp directory. I
> have pored over the logs (mail and httpd) thoroughly, but I can't say
> they've really been a whole lot of help. I did try turning on suPHP, but
> that broke SquirrelMail also. There may be a configuration setting that can
> make that work; I'm still looking into it.
>
> I did find one of my WordPress customers whose PHP settings allowed fopen
> and include - so I was able to lock that down. I also found several
> suspicious files in various users' directories, including some which
> appeared to execute strings of obfuscated code, and I removed all those. We
> don't appear to have had any new exploits in over 5 hours, but I am too
> nervous to relax about it yet!
>
> Thank you,
> Darren
> ECPI Western Broadband
> (512)257-1077
> (254)213-6116 fax
>
> -----Original Message-----
> From: blueonyx-bounces at mail.blueonyx.it
> [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of
> blueonyx-request at mail.blueonyx.it
> Sent: Tuesday, April 17, 2012 2:07 PM
> To: blueonyx at mail.blueonyx.it
> Subject: Blueonyx Digest, Vol 40, Issue 33
>
> Message: 8
> Date: Tue, 17 Apr 2012 21:07:09 +0200
> From: Michael Stauber <mstauber at blueonyx.it>
> Subject: [BlueOnyx:10157] Re: Trojans and backdoors?
> To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
> Message-ID: <201204172107.10011.mstauber at blueonyx.it>
> Content-Type: Text/Plain; charset="utf-8"
>
> Hi Darren,
>
> > Our BlueOnyx system seems to have been compromised by some sort of
> > php-based Trojan which is allowing spammers to send spam through the
> > webserver. We're having a hard time tracking it down to a particular
> > virtual site, and shutting off php for all users is not an option -
> > besides the people using WordPress and shopping carts, the SquirrelMail
> > interface breaks when php is shut off.
>
> Yeah, the logfiles are usually your best bet at finding this. Also check the
> /tmp directory, as a lot of PHP based exploits use a roundabout to trick a
> vulnerable PHP script into downloading some code from somewhere into /tmp/
> and then during a second step try to execute that code.
>
> The date and time stamps of such suspicious files in /tmp may give an idea
> as of when the attack happened, making it easier to find the right window of
> action in the logfiles.
>
> Another option that helps at preventing and finding such exploits is to
> enable suPHP.
>
> This is for two reasons: suPHP adds another layer of security which can help
> to limit the effects of such exploits. But even if there is a blaring foul
> up in one of your PHP scripts that still allows undesired access, then the
> exploited scripts run as the user who owns the scripts.
>
> So the exploit files that the attackers managed to download to /tmp are
> owned by the siteAdmin or owner of the script in question, which already
> directly points you to the site in question. Additionally emails sent by
> those PHP scripts show the owner of the script in the header of the emails,
> which again makes finding the culprit a really easy task.
>
> If you want me to take a look, then please email me offlist with the details
> and I'll see what I can do.
>
> --
> With best regards
>
> Michael Stauber
------- End of Original Message -------
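An added example, not code from Chuck's or Michael's posts: a small Python parser for the syslog lines Chuck's LOG rule produces, assuming `--log-uid` has been added to the LOG target so each line also carries a `UID=` field. With suPHP running scripts as the site owner, as Michael describes, that UID points straight at the responsible site. The log lines below are constructed sample data; hostnames, addresses and UIDs are hypothetical.

```python
#!/usr/bin/env python3
"""Summarise outbound-SMTP LOG lines from an iptables LOG rule.

Assumes a rule like the one in the post, with --log-uid added:
  iptables -I acctout 1 -p tcp --syn --dport 25 -j LOG \
      --log-prefix "Outgoing_E-mail " --log-uid
so each /var/log/messages line carries SRC=, DST=, DPT= and UID= fields.
"""
import re
from collections import Counter, defaultdict

PREFIX = "Outgoing_E-mail"
# field=value pairs as written by the kernel LOG target; only these four matter here
FIELD_RE = re.compile(r"\b(SRC|DST|DPT|UID)=(\S+)")

# Constructed sample log (hypothetical host, addresses and UIDs), not a real capture.
SAMPLE_LOG = """\
Apr 17 17:40:01 web1 kernel: Outgoing_E-mail IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 PROTO=TCP SPT=40011 DPT=25 SYN URGP=0 UID=1002 GID=1002
Apr 17 17:40:02 web1 kernel: Outgoing_E-mail IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.26 PROTO=TCP SPT=40012 DPT=25 SYN URGP=0 UID=1002 GID=1002
Apr 17 17:40:02 web1 kernel: Outgoing_E-mail IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.27 PROTO=TCP SPT=40013 DPT=25 SYN URGP=0 UID=1002 GID=1002
Apr 17 17:41:10 web1 kernel: Outgoing_E-mail IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40020 DPT=25 SYN URGP=0 UID=0 GID=0
Apr 17 17:41:11 web1 sshd[1234]: Accepted publickey for admin from 192.0.2.99
"""

def parse_smtp_log_lines(text):
    """Yield a dict of the tagged fields for each line that carries PREFIX and DPT=25."""
    for line in text.splitlines():
        if PREFIX not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if fields.get("DPT") == "25":
            yield fields

def summarise(text, threshold=3):
    """Count SMTP SYNs per UID and distinct destinations per UID; flag UIDs at/above threshold."""
    per_uid = Counter()
    dsts = defaultdict(set)
    for f in parse_smtp_log_lines(text):
        uid = f.get("UID", "?")
        per_uid[uid] += 1
        dsts[uid].add(f.get("DST"))
    suspicious = sorted(u for u, n in per_uid.items() if n >= threshold)
    return {"per_uid": dict(per_uid),
            "distinct_dsts": {u: len(s) for u, s in dsts.items()},
            "suspicious_uids": suspicious}

if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_LOG), indent=2))
```

On a live box, feed it `grep Outgoing_E-mail /var/log/messages` instead of SAMPLE_LOG and map the flagged UID back to a site with `getent passwd <uid>`.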