<p>On Wed, 27 Feb 2013 10:13:34 -0600, "Chuck Tetlow" <chuck@tetlow.net> wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%"><!-- html ignored --><!-- head ignored --><!-- meta ignored --><!-- meta ignored --><!-- meta ignored --> <span style="font-size: x-small;"><strong>---------- Original Message -----------</strong> <br /> From: Will Nordmeyer <br /> To: BlueOnyx General Mailing List <br /> Sent: Wed, 27 Feb 2013 08:37:50 -0500 <br /> Subject: [BlueOnyx:12311] Re: Server hacked? <br /><br />> <br />> On Wed, 27 Feb 2013 13:30:13 +0000, Steven Howes wrote:
<blockquote style="padding-left: 5px; border-left: 2px solid #1010ff; margin-left: 5px; width: 100%;"><br />> <br />> On 27 Feb 2013, at 13:23, Will Nordmeyer wrote:
<blockquote style="padding-left: 5px; border-left: 2px solid #1010ff; margin-left: 5px; width: 100%;"><br />> I've been monitoring the ssh vulnerability and don't see anything there, but I did notice that I have multiple processes when I do a PS looking like this: <br />> root 7499 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read <br />> root 7550 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read <br />> root 8127 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read <br />> root 8523 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read <br />> root 9165 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read <br />> root 10050 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read <br />> root 10562 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read <br />> root 10706 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read <br />> root 11208 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] startup <br />> <br />> I don't know who 201.238.254.243 is - and I'm not sure where that server startup is coming from. Any advice? Quick? help?</blockquote>
Well that's not ssh. Could be someone exploiting your sendmail (well, trying random passwords at least). Just firewall them out... It's unlikely to be real mail, 201.238.254.243 doesn't listen on SMTP. <br />> <br />> S</blockquote>
<br />> I blocked them input and output via iptables: <br />> iptables -A INPUT --source 201.238.254.243 <br />> iptables -A OUTPUT --destination 201.238.254.243 <br />> and added them to deny.hosts.rules in apf but when I restart sendmail, there they are. <br /><strong>------- End of Original Message -------</strong> <br /><br /><span style="font-size: x-small;">Will, <br /><br />Using the -A sw<span style="font-size: x-small;">itch probably won't work. That appends the rule to the end of the chain, and the typical BX cha<span style="font-size: x-small;">in <span style="font-size: x-small;">is already full of "ALLOWS" - making your deny us<span style="font-size: x-small;">eless. <br /><br /><span style="font-size: x-small;">Plus, you're u<span style="font-size: x-small;">sing the wrong chai<span style="font-size: x-small;">n name. In B<span style="font-size: x-small;">lueOnyx</span> - use the chain "acctin", not "IN<span style="font-size: x-small;">PUT". <br /><br />Try this syntax <span style="font-size: x-small;">to</span> block them out. I use this all the time. <br /><br /><span style="font-size: x-small;">iptables -I acct<span style="font-size: x-small;">in 1 -s 201.23<span style="font-size: x-small;">8.254.143 -<span style="font-size: x-small;">j DROP <br /><br />T<span style="font-size: x-small;">hat will insert the rule as number one in the incom<span style="font-size: x-small;">ing traffic </span>chain - so it will be acted on before any allows let the traff<span style="font-size: x-small;">ic in. And if you want to see if its working, use <br /><br /><span style="font-size: x-small;">iptables -L -n -v <br /><br /><span style="font-size: x-small;">Which will display the <span style="font-size: x-small;">IPTables rules along with how many packets and bytes <span style="font-size: x-small;">each rule has acted on. The first column i<span style="font-size: x-small;">s <span style="font-size: x-small;">packets. It should increment for each sendmail attempt that is blocked. So you can watch it for a while and if its increasing - you've successfully blocked that IP (which shouldn't be showing up in the processes any more<span style="font-size: x-small;">). <br /><br /><br /><span style="font-size: x-small;">Chuck <br /><br /></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span> </span></blockquote>
<p>Chuck,</p>
<p>I tried that, it didn't work - it doesn't know the acctin target/chain. I did it on INPUT though. When I do an iptables --list on INPUT, that's where it seems most blocks are hitting. When I've troubleshot some clients who found themselves blocked due to password issues, as I troubleshot, they ended up in the INPUT list on iptables.</p>
<p>So I did that on INPUT instead of acctin (and I also did the ip route suggestion to just drop them in the black hole). The server seems to be OK now.</p>
<p>--Will</p>