[BlueOnyx:10171] Re: Trojans and backdoors?

Darren Shea dshea at ecpi.com
Wed Apr 18 10:16:44 -05 2012


Chuck,
    That is a great idea, but when I tried to run the command, I got the
following message:
"iptables v1.3.5: --tcp-flags requires two args.
Try `iptables -h' or 'iptables --help' for more information."

Unfortunately, neither iptables -h nor --help include any info on the
--tcp-flags arguments - what does the "--tcp-flags SYN" part do, and can I
just run the command without it? From what I can read about iptables, the
command " iptables -I acctout 1 -p tcp --dport 25 -j LOG --log-prefix
Outgoing_E-mail" should have pretty much the same effect, right? It seems to
be generating entries already (over 3000 packets in about 12 minutes - all
look legitimate), but it doesn't tell me much about what program is sending
these out.

I had already scanned all the sites for malicious code (and found one
straightforward, unobfuscated version of the r57 shell) after the problem
first began on Friday. As I said, I did remove all that code and all other
examples of suspicious code I came across, and it appears we haven't had any
further recurrences in almost 23 hours.

Thank you,
  Darren
  ECPI Western Broadband
  (512)257-1077
  (254)213-6116 fax 

-----Original Message-----

Darren,

When I had some similar instances on our old BlueQuartz servers - I always
had a ton of crap mail that couldn't be delivered for one reason or
another. That slowed down valid e-mail, and loaded up the CPU. You can see
how much you've got by using the "mailq" command. It will show the mail
waiting to be sent and give a count at the bottom of the list. I usually
clean it all out during low-use periods (like middle of the night) by using
"rm -f /home/spool/mqueue/*". Just realize, that will delete valid e-mail
as well as crap - so be careful!

And if you're interested in tracking what your server is sending out - use a
custom IPTables firewall rule to log it. Try:
iptables -I acctout 1 -p tcp --tcp-flags SYN --dport 25 -j LOG --log-prefix
Outgoing_E-mail

That will log all outgoing TCP Port 25 connection initiations to
/var/log/messages. Then periodically run "cat /var/log/messages | grep
Outgoing_E-mail | less" to see the outgoing mail connections. From that -
you can get a pretty good guess if your server is still flooding out tons of
crap.

Chuck
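An added example, not part of either message above, that ties Darren's question about `--tcp-flags` to Chuck's logging rule. The `--tcp-flags` match takes two arguments: the list of flag bits to examine and the list that must be set among them, so the form that the error message is asking for is `--tcp-flags SYN,ACK SYN` (examine SYN and ACK, match when SYN is set and ACK is clear, i.e. a client opening a connection); `--syn` is the built-in shorthand for the stricter `--tcp-flags SYN,RST,ACK,FIN SYN`. Running the rule without that match, as in Darren's variant, logs every packet of every SMTP session, which is why the raw line count climbs into the thousands within minutes and overstates how many connections are actually being made. The script below parses constructed kernel LOG lines in the format the rule writes to /var/log/messages (the hostname, addresses, timestamps and the `year` assumption are made up for the example), keeps only the `Outgoing_E-mail` prefix on port 25, separates connection initiations from the rest of the traffic, and flags minutes with an unusual number of new outbound SMTP connections.

```python
"""Summarise iptables LOG lines for outbound SMTP (port 25) connections."""
import re
from collections import Counter
from datetime import datetime

# Flag words the netfilter LOG target prints as bare tokens (URG ACK PSH RST SYN FIN).
TCP_FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: what a LOG rule with --log-prefix Outgoing_E-mail and NO
# --tcp-flags restriction writes to /var/log/messages. Host "web1", the
# 192.0.2.x / 198.51.100.x / 203.0.113.x addresses and the times are invented.
SAMPLE_LOG = """\
Apr 18 10:01:02 web1 kernel: Outgoing_E-mail IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 18 10:01:02 web1 kernel: Outgoing_E-mail IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=41000 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
Apr 18 10:01:03 web1 kernel: Outgoing_E-mail IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=41000 DPT=25 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Apr 18 10:01:10 web1 kernel: Outgoing_E-mail IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=41001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 18 10:01:11 web1 kernel: Outgoing_E-mail IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=41002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 18 10:01:12 web1 kernel: Outgoing_E-mail IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=41003 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 18 10:01:12 web1 kernel: Other_rule IN=eth0 OUT= SRC=198.51.100.25 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=7 DF PROTO=TCP SPT=25 DPT=41000 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 18 10:05:00 web1 kernel: Outgoing_E-mail IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=TCP SPT=41004 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, hostname, "kernel:", the --log-prefix, then the key=value fields
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) kernel: (\S+) (.*)$")


def parse_line(line, year=2012):
    """Parse one LOG line into a dict, or return None if it is not a TCP LOG line.

    syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, host, prefix, rest = m.groups()
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:                      # SRC=..., DST=..., SPT=..., ...
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAG_WORDS:         # bare flag words such as SYN or ACK
            flags.add(tok)
    if fields.get("PROTO") != "TCP":
        return None
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": host, "prefix": prefix, "src": fields.get("SRC"),
            "dst": fields.get("DST"), "spt": fields.get("SPT"),
            "dpt": fields.get("DPT"), "flags": flags}


def is_initiation(rec):
    """True only for a client SYN (SYN set, ACK clear): the packets that
    --tcp-flags SYN,ACK SYN or --syn would select at the firewall."""
    return "SYN" in rec["flags"] and "ACK" not in rec["flags"]


def summarize(log_text, prefix="Outgoing_E-mail", dport="25"):
    """Count packets versus real connections for the given log prefix and port."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    recs = [r for r in recs if r["prefix"] == prefix and r["dpt"] == dport]
    inits = [r for r in recs if is_initiation(r)]
    return {
        "packets": len(recs),                       # every logged packet
        "connections": len(inits),                  # one per SMTP session opened
        "destinations": Counter(r["dst"] for r in inits),
        "sources": Counter(r["src"] for r in inits),
        "per_minute": Counter(r["ts"].replace(second=0) for r in inits),
    }


def bursty_minutes(summary, threshold):
    """Minutes in which more than `threshold` new outbound SMTP connections began."""
    return sorted(m for m, n in summary["per_minute"].items() if n > threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['packets']} packets, {s['connections']} connections")
    for dst, n in s["destinations"].most_common():
        print(f"  {n:4d}  {dst}")
    for minute in bursty_minutes(s, threshold=3):
        print("burst at", minute.strftime("%b %d %H:%M"), s["per_minute"][minute])
```

On the sample, seven logged packets collapse to five connections, and one minute stands out. To read a real file, pass the contents of /var/log/messages to `summarize()`, tune `threshold` to the host's normal mail rate, and remember that the LOG target records addresses and ports only; matching a suspicious connection to the program that opened it means looking at the live socket table (for example `netstat -tnp` or `lsof -i :25` as root) while the connection is open.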
