<HTML>
<HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="OPENWEBMAIL" name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff>
<font size="2"><b>---------- Original Message
-----------</b>
<br />
From: Will Nordmeyer <will@wnahosting.com>
<br />
To: BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it>
<br />
Sent: Wed, 27 Feb 2013 08:37:50 -0500
<br />
Subject: [BlueOnyx:12311] Re: Server hacked?
<br />
<br />>
<br />> On Wed, 27 Feb 2013 13:30:13 +0000, Steven Howes
<steve-lists@geekinter.net>
wrote:
<blockquote style="padding-left: 5px; border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; width: 100%;" type="cite">
<br />>
<br />> On 27 Feb 2013, at 13:23, Will Nordmeyer
wrote:
<blockquote style="padding-left: 5px; border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; width: 100%;" type="cite">
<br />> I've been monitoring the ssh vulnerability and don't see anything
there, but I did notice that I have multiple processes when I do a PS looking
like
this:
<br />> root 7499 24331 0 14:13 ?
00:00:00 sendmail: server [201.238.254.243] cmd
read
<br />> root 7550 24331 0 14:13 ?
00:00:00 sendmail: server [201.238.254.243]
cmd read
<br />> root 8127 24331 0 14:13 ?
00:00:00 sendmail: server [201.238.254.243]
cmd read
<br />> root 8523 24331 0 14:13 ?
00:00:00 sendmail: server [201.238.254.243]
cmd read
<br />> root 9165 24331 0 14:13 ?
00:00:00 sendmail: server [201.238.254.243]
cmd read
<br />> root 10050 24331 0 14:13 ?
00:00:00 sendmail: server [201.238.254.243]
cmd read
<br />> root 10562 24331 0 14:13 ?
00:00:00 sendmail: server [201.238.254.243]
cmd read
<br />> root 10706 24331 0 14:13 ?
00:00:00 sendmail: server [201.238.254.243]
cmd read
<br />> root 11208 24331 0 14:13 ?
00:00:00 sendmail: server [201.238.254.243]
startup
<br />>
<br />> I don't know who 201.238.254.243 is - and I'm not sure
where that server startup is coming from. Any advice? Quick?
help?
</blockquote>
Well that's not ssh. Could be someone exploiting your sendmail (well, trying
random passwords at least). Just firewall them out... It's unlikely to be real
mail, 201.238.254.243 doesn't listen on
SMTP.
<br />>
<br />>
S
</blockquote>
<br />> I blocked them input and output via
iptables:
<br />> iptables -A INPUT --source 201.238.254.243
<br />>
iptables -A OUTPUT --destination
201.238.254.243
<br />> and added them to deny.hosts.rules in apf but when I restart sendmail,
there they
are.
<br /><b>------- End of Original Message
-------</b>
<br />
<br /><font size="2">Will,
<br />
<br />Using the -A sw<font size="2">itch probably won't work. That appends the rule to the end of the chain, and the typical BX cha<font size="2">in <font size="2">is already full of "ALLOWS" - making your deny us<font size="2">eless.
<br />
<br /><font size="2">Plus, you're u<font size="2">sing the wrong chai<font size="2">n name. In B<font size="2">lueOnyx</font> - use the chain "acctin", not "IN<font size="2">PUT".
<br />
<br />Try this syntax <font size="2">to</font> block them out. I use this all the time.
<br />
<br /><font size="2">iptables -I acct<font size="2">in 1 -s 201.23<font size="2">8.254.143 -<font size="2">j DROP
<br />
<br />T<font size="2">hat will insert the rule as number one in the incom<font size="2">ing traffic </font>chain - so it will be acted on before any allows let the traff<font size="2">ic in. And if you want to see if its working, use
<br />
<br /><font size="2">iptables -L -n -v
<br />
<br /><font size="2">Which will display the <font size="2">IPTables rules along with how many packets and bytes <font size="2">each rule has acted on. The first column i<font size="2">s <font size="2">packets. It should increment for each sendmail attempt that is blocked. So you can watch it for a while and if its increasing - you've successfully blocked that IP (which shouldn't be showing up in the processes any more<font size="2">).
<br />
<br />
<br /><font size="2">Chuck
<br />
<br /></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font>
</font>
</BODY>
</HTML>