[BlueOnyx:12318] Re: Server hacked?

Will Nordmeyer will at wnahosting.com
Wed Feb 27 12:04:09 -05 2013

On Wed, 27 Feb 2013 10:13:34 -0600, "Chuck Tetlow" wrote:
---------- ORIGINAL MESSAGE -----------
From: Will Nordmeyer
To: BlueOnyx General Mailing List
Sent: Wed, 27 Feb 2013 08:37:50 -0500
Subject: [BlueOnyx:12311] Re: Server hacked?

> On Wed, 27 Feb 2013 13:30:13 +0000, Steven Howes wrote:
>
> On 27 Feb 2013, at 13:23, Will Nordmeyer wrote:
> I've been monitoring the ssh vulnerability and don't see anything there, but I did notice that I have multiple processes when I do a PS looking like this:
> root 7499 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
> root 7550 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
> root 8127 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
> root 8523 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
> root 9165 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
> root 10050 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
> root 10562 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
> root 10706 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
> root 11208 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] startup
>
> I don't know who 201.238.254.243 is - and I'm not sure where that server startup is coming from. Any advice? Quick? help?
>
> Well that's not ssh. Could be someone exploiting your sendmail (well, trying random passwords at least). Just firewall them out... It's unlikely to be real mail, 201.238.254.243 doesn't listen on SMTP.
>
> S
>
> I blocked them input and output via iptables:
> iptables -A INPUT --source 201.238.254.243
> iptables -A OUTPUT --destination 201.238.254.243
> and added them to deny.hosts.rules in apf but when I restart sendmail, there they are.
------- END OF ORIGINAL MESSAGE -------

Will,

Using the -A switch probably won't work. That appends the rule to the end of the chain, and the typical BX chain is already full of "ALLOWS" - making your deny useless.

Plus, you're using the wrong chain name. In BlueOnyx - use the chain "acctin", not "INPUT".

Try this syntax to block them out. I use this all the time.

iptables -I acctin 1 -s 201.238.254.143 -j DROP

That will insert the rule as number one in the incoming traffic chain - so it will be acted on before any allows let the traffic in. And if you want to see if it's working, use

iptables -L -n -v

which will display the IPTables rules along with how many packets and bytes each rule has acted on. The first column is packets. It should increment for each sendmail attempt that is blocked. So you can watch it for a while and if it's increasing - you've successfully blocked that IP (which shouldn't be showing up in the processes any more).

Chuck

Chuck,

I tried that; it didn't work - it doesn't know the acctin target/chain. I did it on INPUT though. When I do an iptables --list on INPUT, that's where it seems most blocks are hitting. When I've troubleshot some clients who found themselves blocked due to password issues, as I troubleshot, they ended up in the INPUT list on iptables.

So I did that on INPUT instead of acctin (and I also did the ip route suggestion to just drop them in the black hole). The server seems to be OK now.

--Will
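Chuck's advice above is to insert the DROP rule at position 1 and then watch that rule's packet counter, while Will found that the acctin chain did not exist on his box and used INPUT instead. The script below is an added example, not code from either poster or from BlueOnyx, that puts both steps together: it picks the first chain that actually exists, builds the position-1 insert, and parses the packet counter out of `iptables -L CHAIN -n -v -x` output. The chain names are assumed and the sample listing is constructed; the address is the one from the ps output in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Block a source IP by inserting a DROP
# rule at position 1 of the first chain that exists (BlueOnyx "acctin" if
# present, plain "INPUT" otherwise), then read the rule's packet counter back.
# Applying the rule needs root; the parsing functions run without it.

# Print the first chain name from the arguments that exists; fail if none does.
pick_chain() {
    for chain in "$@"; do
        if iptables -n -L "$chain" >/dev/null 2>&1; then
            echo "$chain"
            return 0
        fi
    done
    return 1
}

# Build the insert command: position 1, so the DROP is evaluated before any
# ACCEPT rule further down the chain (the reason -A did not work above).
block_cmd() {  # $1 = chain, $2 = source IP
    printf 'iptables -I %s 1 -s %s -j DROP\n' "$1" "$2"
}

# Read `iptables -L CHAIN -n -v -x` output on stdin and print the packet count
# of the DROP rule whose source column is the given IP (0 if no such rule).
# Columns with -v -x: pkts bytes target prot opt in out source destination.
drop_pkts() {  # $1 = source IP
    awk -v ip="$1" '
        $3 == "DROP" && ($8 == ip || $8 == (ip "/32")) { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# Live check: packets dropped so far for IP $2 by the rule in chain $1.
drop_pkts_live() {
    iptables -L "$1" -n -v -x | drop_pkts "$2"
}

# Constructed sample of `iptables -L INPUT -n -v -x` after the insert (not real
# output from the poster's server); lets drop_pkts be exercised offline.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37     2220 DROP       all  --  *      *       201.238.254.243      0.0.0.0/0
   51234  4000000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

if [ "${1:-}" = "--apply" ]; then   # usage: sh block.sh --apply 201.238.254.243
    chain=$(pick_chain acctin INPUT) || { echo "no usable chain" >&2; exit 1; }
    iptables -I "$chain" 1 -s "$2" -j DROP
    echo "dropped so far: $(drop_pkts_live "$chain" "$2")"
fi
```

Run it twice a minute apart with `drop_pkts_live`; a counter that keeps climbing is the confirmation Chuck describes, and a counter stuck at 0 usually means the rule landed in a chain the traffic never reaches.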