[BlueOnyx:10174] Re: Trojans and backdoors?

Chuck Tetlow chuck at tetlow.net
Wed Apr 18 14:43:06 -05 2012


Darren,

That TCP SYN flag is the first step in the three-way TCP handshake to initiate a connection.  If you leave something like that out - it's going to log and count every outgoing packet with destination TCP Port 25.  That will be a LOT, as a long e-mail with a big attachment could be thousands of packets - and could all be valid e-mail.  So what I was trying to do was have it only log the TCP connection initiation, not every packet.  And I'm not sure why that didn't work - I've used that flag before.

Oh!  I see the problem - you've got to tell it what flags (bits) you want to match set and which ones not set.  So we'd want the SYN bit set and the ACK, FIN, and RST not set.  That's why the error wanted two arguments.

And what do you know - they've got a switch specifically for that.  Instead of using --tcp-flags, use --syn and it will only match packets with just the SYN bit set.  I've just tested this on my 5107R machine, and it worked:
iptables -I acctout 1 -p tcp --syn --dport 25 -j LOG --log-prefix Outgoing_Email

But if you have any other troubles, try this instead:
iptables -I acctout 1 -m state --state NEW -m tcp -p tcp --dport 25 -j LOG --log-prefix Outgoing_Email

That one will do essentially the same thing, it logs just the NEW connection - or in other words, the TCP connection setup.  You'll get one log entry for each new outgoing e-mail connection.

Chuck

P.S. - Don't forget to get rid of the other rule you put in the IPTables!  Look at what's currently in the firewall rules with "iptables -L -n -v |more", find the one you put in there before (probably line 1 in the acctout chain), and delete it with "iptables -D acctout 1" (change that number of course to match the line in acctout you want to delete).

---------- Original Message -----------
From: "Darren Shea" <dshea at ecpi.com> 
To: <blueonyx at mail.blueonyx.it> 
Sent: Wed, 18 Apr 2012 10:16:44 -0500 
Subject: [BlueOnyx:10171] Re: Trojans and backdoors?

> Chuck, 
>    That is a great idea, but when I tried to run the command, I got the 
> following message: 
> "iptables v1.3.5: --tcp-flags requires two args. 
> Try `iptables -h' or 'iptables --help' for more information." 
> 
> Unfortunately, neither iptables -h nor --help includes any info on the 
> --tcp-flags arguments - what does the "--tcp-flags SYN" part do, and can I 
> just run the command without it? From what I can read about iptables, the 
> command " iptables -I acctout 1 -p tcp --dport 25 -j LOG --log-prefix 
> Outgoing_E-mail" should have pretty much the same effect, right? It seems to 
> be generating entries already (over 3000 packets in about 12 minutes - all 
> look legitimate), but it doesn't tell me much about what program is sending 
> these out. 
> 
> I had already scanned all the sites for malicious code (and found one 
> straightforward, unobfuscated version of the r57 shell) after the problem 
> first began on Friday. As I said, I did remove all that code and all other 
> examples of suspicious code I came across, and it appears we haven't had any 
> further recurrences in almost 23 hours. 
> 
> Thank you, 
>  Darren 
>  ECPI Western Broadband 
>  (512)257-1077 
>  (254)213-6116 fax 
> 
> -----Original Message----- 
> 
> Darren, 
> 
> When I had some similar instances on our old BlueQuartz servers - I always 
> had a ton of crap mail that couldn't be delivered for one reason or 
> another. That slowed down valid e-mail, and loaded up the CPU. You can see 
> how much you've got by using the "mailq" command. It will show the mail 
> waiting to be sent and give a count at the bottom of the list. I usually 
> clean it all out during low-use periods (like middle of the night) by using 
> "rm -f /home/spool/mqueue/*". Just realize, that will delete valid e-mail 
> as well as crap - so be careful! 
> 
> And if you're interested in tracking what your server is sending out - use a 
> custom IPTables firewall rule to log it. Try: 
> iptables -I acctout 1 -p tcp --tcp-flags SYN --dport 25 -j LOG --log-prefix 
> Outgoing_E-mail 
> 
> That will log all outgoing TCP Port 25 connection initiations to 
> /var/log/messages. Then periodically run "cat /var/log/messages | grep 
> Outgoing_E-mail | less" to see the outgoing mail connections. From that - 
> you can get a pretty good guess if your server is still flooding out tons of 
> crap. 
> 
> Chuck 
> 
> _______________________________________________ 
> Blueonyx mailing list 
> Blueonyx at mail.blueonyx.it 
> http://mail.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message -------
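As an added example (not code from this thread or from BlueOnyx), a small Python script that reads the kernel LOG lines carrying the Outgoing_Email prefix from /var/log/messages and applies the same "SYN set, ACK/FIN/RST clear" test that --syn applies, so you can tell real connection initiations apart from the thousands of data packets the unfiltered rule logs. The log lines below are constructed samples; the script assumes the default Linux iptables LOG field layout.

```python
import re
from collections import Counter

# Constructed sample lines in the Linux kernel iptables LOG format (not a real log).
# "--log-prefix Outgoing_Email" with no trailing space makes the kernel print
# "Outgoing_EmailIN=", so the prefix is matched as a substring, not a whole word.
SAMPLE_LOG = """\
Apr 18 10:20:01 web1 kernel: Outgoing_EmailIN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TTL=64 PROTO=TCP SPT=45012 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 18 10:20:01 web1 kernel: Outgoing_EmailIN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=52 TTL=64 PROTO=TCP SPT=45012 DPT=25 WINDOW=229 RES=0x00 ACK URGP=0
Apr 18 10:20:01 web1 kernel: Outgoing_EmailIN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=1500 TTL=64 PROTO=TCP SPT=45012 DPT=25 WINDOW=229 RES=0x00 ACK PSH URGP=0
Apr 18 10:20:02 web1 kernel: Outgoing_EmailIN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=45013 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 18 10:20:02 web1 kernel: Outgoing_EmailIN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=52 TTL=64 PROTO=TCP SPT=45013 DPT=25 WINDOW=229 RES=0x00 ACK FIN URGP=0
Apr 18 10:20:03 web1 kernel: Outgoing_EmailIN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TTL=64 PROTO=TCP SPT=45014 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens written by the LOG target

def parse_log_line(line, prefix="Outgoing_Email"):
    """Return (src, dst, dport, flags) for a TCP LOG line with the prefix, else None."""
    if prefix not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}  # bare flag words
    return fields["SRC"], fields["DST"], int(fields["DPT"]), flags

def is_connection_initiation(flags):
    """The same test iptables' --syn applies: SYN set, ACK/FIN/RST all clear."""
    return "SYN" in flags and not flags & {"ACK", "FIN", "RST"}

def summarize(log_text, prefix="Outgoing_Email"):
    """Count every logged packet vs. real port-25 connection attempts per destination."""
    packets = 0
    initiations = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line, prefix)
        if parsed is None:
            continue
        _src, dst, dport, flags = parsed
        packets += 1
        if dport == 25 and is_connection_initiation(flags):
            initiations[dst] += 1
    return packets, initiations

if __name__ == "__main__":
    total, per_dst = summarize(SAMPLE_LOG)
    print(f"{total} packets logged, {sum(per_dst.values())} connection initiations")
    for dst, n in per_dst.most_common():
        print(f"  {n:4d} -> {dst}")
```

To run it against the real log, replace SAMPLE_LOG with the contents of /var/log/messages; the per-destination counts are what to watch, since a flood of initiations to many unrelated mail hosts is the signature of a script sending spam.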
 