[BlueOnyx:12313] Re: Server hacked?

Chuck Tetlow chuck at tetlow.net
Wed Feb 27 11:13:34 -05 2013


---------- Original Message -----------
From: Will Nordmeyer <will at wnahosting.com> 
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it> 
Sent: Wed, 27 Feb 2013 08:37:50 -0500 
Subject: [BlueOnyx:12311] Re: Server hacked?

>  
> On Wed, 27 Feb 2013 13:30:13 +0000, Steven Howes <steve-lists at geekinter.net> wrote:
> 
> On 27 Feb 2013, at 13:23, Will Nordmeyer wrote:
> I've been monitoring the ssh vulnerability and don't see anything there, but I did notice that I have multiple processes when I do a PS looking like this:
> root      7499 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
> root      7550 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
> root      8127 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
> root      8523 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
> root      9165 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
> root     10050 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
> root     10562 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
> root     10706 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
> root     11208 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] startup
> 
> I don't know who 201.238.254.243 is - and I'm not sure where that server startup is coming from.  Any advice?  Quick?  help?
> 
> Well that's not ssh. Could be someone exploiting your sendmail (well, trying random passwords at least). Just firewall them out... It's unlikely to be real mail, 201.238.254.243 doesn't listen on SMTP.
> 
> S
> 
> I blocked them input and output via iptables:
>   iptables -A INPUT --source 201.238.254.243
>   iptables -A OUTPUT --destination 201.238.254.243
> and added them to deny.hosts.rules in apf but when I restart sendmail, there they are.
------- End of Original Message -------

Will,

Using the -A switch probably won't work.  That appends the rule to the end of the chain, and the typical BX chain is already full of "ALLOWS" - making your deny useless.

Plus, you're using the wrong chain name.  In BlueOnyx - use the chain "acctin", not "INPUT".

Try this syntax to block them out.  I use this all the time.

iptables -I acctin 1 -s 201.238.254.243 -j DROP

That will insert the rule as number one in the incoming traffic chain - so it will be acted on before any allows let the traffic in.  And if you want to see if it's working, use

iptables -L -n -v

Which will display the IPTables rules along with how many packets and bytes each rule has acted on.  The first column is packets.  It should increment for each sendmail attempt that is blocked.  So you can watch it for a while and if it's increasing - you've successfully blocked that IP (which shouldn't be showing up in the processes any more).

Chuck
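An added example (not part of the thread, and not BlueOnyx or APF code) that automates the two checks discussed above: counting the `sendmail: server [ip]` processes per peer in a `ps -ef` listing, and reading `iptables -L -n -v` to confirm that a DROP rule for the peer sits ahead of the chain's ACCEPT rules and that its packet counter is climbing. The sample `ps` and `iptables` output below is constructed in the format those tools print; the chain name `acctin`, the peer address and the counter values are taken from or modelled on the thread.

```python
"""Triage helpers for the sendmail-flood / iptables-block scenario.

All sample output below is constructed for the example; run the real
commands (`ps -ef`, `iptables -L -n -v`) and feed their text in instead.
"""
import re
from collections import Counter

PEER = "201.238.254.243"

# Constructed `ps -ef` excerpt: several sendmail children serving one peer.
PS_SAMPLE = """\
root      7499 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
root      7550 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] cmd read
root     11208 24331  0 14:13 ?        00:00:00 sendmail: server [201.238.254.243] startup
root     11300 24331  0 14:14 ?        00:00:00 sendmail: server [192.0.2.10] cmd read
root     24331     1  0 Feb26 ?        00:00:03 sendmail: accepting connections
"""

# Constructed `iptables -L -n -v` output after `iptables -A acctin ...`:
# the DROP is appended after the ACCEPT for port 25, so it never matches.
SHADOWED = """\
Chain acctin (1 references)
 pkts bytes target     prot opt in     out     source               destination
  12K  980K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 DROP       all  --  *      *       201.238.254.243      0.0.0.0/0
"""

# Same chain after `iptables -I acctin 1 -s 201.238.254.243 -j DROP`.
INSERTED = """\
Chain acctin (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  1020 DROP       all  --  *      *       201.238.254.243      0.0.0.0/0
  12K  980K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
"""

# A later snapshot of the same chain: the DROP counter has moved.
LATER = INSERTED.replace("   17  1020 DROP", "   42  2520 DROP")

SENDMAIL_PEER = re.compile(r"sendmail: server \[([0-9.]+)\]")


def sendmail_peers(ps_output):
    """Count concurrent `sendmail: server [ip]` processes per peer address."""
    counts = Counter()
    for line in ps_output.splitlines():
        m = SENDMAIL_PEER.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def _count(token):
    """Decode an iptables -v counter; without -x it abbreviates with K/M/G (x1000)."""
    units = {"K": 10**3, "M": 10**6, "G": 10**9}
    if token[-1] in units:
        return int(float(token[:-1]) * units[token[-1]])
    return int(token)


def parse_iptables(listing):
    """Parse `iptables -L -n -v` text into {chain: [rule dicts in chain order]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        fields = line.split()
        if current is None or not fields or fields[0] == "pkts":
            continue  # blank separator or the column header line
        chains[current].append({
            "position": len(chains[current]) + 1,
            "pkts": _count(fields[0]),
            "bytes": _count(fields[1]),
            "target": fields[2],
            "source": fields[7],
        })
    return chains


def block_status(listing, chain, ip, previous_pkts=None):
    """Classify the DROP rule for `ip` in `chain`:
    'missing'  - no DROP rule for that source in the chain
    'shadowed' - an ACCEPT precedes it, so the DROP never sees the traffic
    'idle'     - the rule is in place but its packet counter has not grown
    'blocking' - the rule is first in line and (if a previous count was
                 given) its counter increased since the last look
    """
    rules = parse_iptables(listing).get(chain, [])
    drop = next((r for r in rules if r["target"] == "DROP" and r["source"] == ip), None)
    if drop is None:
        return "missing"
    if any(r["target"] == "ACCEPT" and r["position"] < drop["position"] for r in rules):
        return "shadowed"
    if previous_pkts is not None and drop["pkts"] <= previous_pkts:
        return "idle"
    return "blocking"


if __name__ == "__main__":
    print("sendmail children per peer:", sendmail_peers(PS_SAMPLE))
    print("after -A:", block_status(SHADOWED, "acctin", PEER))
    print("after -I 1:", block_status(INSERTED, "acctin", PEER))
    print("a while later:", block_status(LATER, "acctin", PEER, previous_pkts=17))
```

The `shadowed` case is exactly the `-A` problem described above: the rule exists, but a wide ACCEPT earlier in the chain claims the packets first, so the DROP counter stays at zero. Comparing two snapshots of the counter (the `previous_pkts` argument) is the "watch it for a while" check done programmatically.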
