[BlueOnyx:17531] Hacking and Spamming..

Wayne Michael wrmichael at hotmail.com
Thu May 7 09:01:24 -05 2015


Is there a BlueOnyx equivalent to the iptables commands below?

They also mention lsof. Where can I get that for BlueOnyx?


From the CBL:

{http://cbl.abuseat.org/lookup.cgi?ip=x.x.x.x}
Finding the problem by network activity: Linux/FreeBSD etc

One way of finding the user that is infected and spewing spam is to
use the "lsof" (list open files) utility.
"lsof" is available for most versions of UNIX-like systems such as Linux
as part of the official distribution, but may not be installed by default.
So first, make sure you have it installed.  On many systems such as Ubuntu,
you can install it by:


sudo apt-get install lsof


Once lsof is installed, you can issue the following command

sudo lsof -i | grep smtp


Preventing it Happening Again


Make absolutely certain that ALL CMS software (Joomla, Cpanel, Wordpress, Plesk etc) is
kept up to date at all times. 
Do not let your users make any excuses for not doing so.


Make it impossible for such infections (and they will happen again) to spam the world
by implementing the blocking of email sent direct from the machine without going through
your mail server.

Some of your customers may believe that they need to be allowed to do this.
The best answer for them is to configure their software to relay it through the
mail server software on the machine or to an external smart-host.



For blocking: With Cpanel you can use ConfigServer Security Firewall (CSF).
It's free.
CSF has the "SMTP_BLOCK" configuration option - turn it on.



For basic Cpanel, there's also the "WHM SMTP Tweak", which should also help.



The following is an equivalent for non-Cpanel installations - it permits
local mail submission and blocks external mail submission:

iptables -A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mailman -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable


The above permits users to send mail via a local mail server, permits local mail server
software (running under userid root, or gid mail or mailman)
to send email to the Internet, but prevents any ordinary user making direct
SMTP connections to the Internet.
You may have to adjust this for Qmail or Exim.  Check which userids are used.
Note that the iptables settings will probably be lost next time you reboot.



Many versions of Linux (Debian, Ubuntu etc) have a package called "iptables-persistent".
You can install this package ("sudo apt-get install iptables-persistent")
and manage your boot-time iptables entries using it.



If you're using cPanel and APF, APF by default will wipe out iptables
rules you enter manually leaving the server vulnerable.
If you are using APF, you should make the above change via APF and
that will take care of reissuing the commands upon reboot or reset.




Do you really need PHP script support?  CGI support?  PHP mail functions?
Turn off the ones you don't need.  Some people, for example, turn off CGIs,
and PHP "fsockopen" or "exec" functions in the PHP ini files (either
for the whole site, or individual environments), and manage to
inhibit many infections.


Some of these scripts get installed into /tmp.
If /tmp is a separate file system, you can stop it being used
by malicious scripts by adjusting the /etc/fstab file to mount /tmp
with the "noexec" and "nosuid" flags.
This means that the O/S will not run programs that are in the /tmp directory nor
treat them as setuid.


Turn off customer FTP if you don't need it.
Note that some CMS packages install FTP with anonymous FTP turned
on by default.  This is ALWAYS a bad idea, so make sure "anonymous
login" is turned off.


It is necessary to force password changes on those users whose web sites
have been compromised.
If you can't tell exactly which users have been compromised, it's strongly
recommended you change all passwords.
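
An added example (not from the CBL page and not BlueOnyx project code) that wraps the two pieces of the quoted advice into reviewable shell functions: one emits the five egress rules so they can be checked against `iptables -S OUTPUT` before being applied (and is applied idempotently, so re-running it from a boot script does not duplicate rules), and one runs over `lsof -i` output and reports processes holding outbound port-25 connections under an account that is not one of the permitted senders. Assumptions: the MTA runs as gid "mail" (adjust for Qmail/Exim as the CBL text says), `lsof -i` output is in its standard nine-column layout, the sample `lsof` lines are constructed for this example, and the `IPTABLES` variable (set to `echo` for a dry run) is this example's own convention. Where the rules are hooked in so they survive a reboot is distribution-specific and is not covered here.

```shell
#!/bin/sh
# Added example, not from the CBL text or the BlueOnyx project.
# Assumes a Sendmail/Postfix-style MTA running as gid "mail".

# Emit the rule list (same rules as the CBL text, in iptables -S form)
# so it can be reviewed or diffed against `iptables -S OUTPUT`.
smtp_egress_rules() {
    cat <<'EOF'
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mailman -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Apply the rules, skipping any already present (iptables -C) so the
# function is safe to call again from a boot script. The ACCEPT rules
# must precede the final REJECT, which is why order is preserved here.
# IPTABLES=echo (example convention) prints the commands instead.
apply_smtp_egress_rules() {
    ipt="${IPTABLES:-iptables}"
    smtp_egress_rules | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/^-A /-C /')
        if [ "$ipt" = iptables ] && iptables $check 2>/dev/null; then
            continue          # rule already loaded
        fi
        $ipt $rule            # word-splitting of $rule is intended
    done
}

# Constructed sample of `lsof -i` output (no -P, so port 25 shows as "smtp").
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sendmail 1201   root    5u  IPv4  20001      0t0  TCP *:smtp (LISTEN)
sendmail 1337   root    7u  IPv4  20055      0t0  TCP 198.51.100.10:41222->203.0.113.25:smtp (ESTABLISHED)
php-cgi  4411 site12    4u  IPv4  30012      0t0  TCP 198.51.100.10:52001->192.0.2.77:smtp (ESTABLISHED)
php-cgi  4412 site12    5u  IPv4  30013      0t0  TCP 198.51.100.10:52002->192.0.2.78:smtp (SYN_SENT)
perl     4520 site07    3u  IPv4  30200      0t0  TCP 127.0.0.1:52100->127.0.0.1:smtp (ESTABLISHED)'

# Read `lsof -i` (or `lsof -i -n -P`) on stdin and print one line per
# outbound SMTP connection owned by a user outside the permitted set:
# "USER PID COMMAND PEER". Connections to 127.0.0.1 are local submission
# and are ignored, mirroring the first ACCEPT rule. lsof reports the
# process user, not its gid, so the allowed list is by user name here.
find_rogue_smtp_senders() {
    awk -v allowed=' root mail mailman ' '
        $9 ~ /->[^ ]+:(smtp|25)$/ && $9 !~ /->127\.0\.0\.1:/ {
            if (index(allowed, " " $3 " ") == 0)
                print $3, $2, $1, substr($9, index($9, "->") + 2)
        }'
}

# Stand-alone run: dry-run the rules, then scan the constructed sample.
IPTABLES=echo apply_smtp_egress_rules
printf '%s\n' "$SAMPLE_LSOF" | find_rogue_smtp_senders
```

On a live box the scan is `lsof -i | find_rogue_smtp_senders`; each reported PID gives the user whose site to inspect and whose password to reset, which is the decision the CBL text asks you to make.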



 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20150507/4bb06852/attachment.html>


More information about the Blueonyx mailing list