From owner-freebsd-ports@FreeBSD.ORG Mon Sep 8 12:35:52 2008
Date: Mon, 8 Sep 2008 05:19:51 -0700
From: Jeremy Chadwick
To: David Southwell
Cc: freebsd-ports@freebsd.org
Subject: Re: Mail services checking - URGENT
Message-ID: <20080908121951.GB67339@icarus.home.lan>
In-Reply-To: <200809080510.27779.david@vizion2000.net>
List-Id: Porting software to FreeBSD

On Mon, Sep 08, 2008 at 05:10:27AM -0700, David Southwell wrote:
> I have had a series of attacks on a system which resulted in a hijack of our
> mail system.
>
> I believe I have now fixed the main problem but I need a tool that will
> reliably, and independently of the mail logs, check my network for all
> outgoing mails and hold them up until I am certain that all loopholes
> have been closed.
>
> Can anyone please let me have some recommendations on the best way of going
> about this?

I'm not sure what exactly you want. Someone compromising your system means
they could've done *anything*, including running their own MTA, replacing
libc to include an open proxy for spamming, or any other thing. There's no
way to "detect" that sort of thing aside from deep packet inspection to look
for mail-like network traffic, which is predominantly the job of a router or
network tap. It's going to be impossible for you to 100% ensure the system
is in a working state.

Keeping it simple, making the (horrible) assumption that they compromised
something that affected your MTA: it depends completely and entirely on what
MTA you're using (sendmail, postfix, etc.). See your MTA's manpages for
looking at the outbound/delivery mail queue.

By the way, and I apologise if I'm stepping over a line here, but "fixed the
main problem" doesn't sound like you fixed anything. You might have
"addressed the hole they used to get in on", but what makes you think they
didn't replace binaries (including using touch -amcf to adjust a/m/ctimes)
or do something even more sneaky?

If someone compromised one of your systems, do the world a favour: pull the
Ethernet out of it or have it shut off *immediately* (this is how MIT does
it -- yes I'm serious), go to the datacentre and format the disk(s). No I
am not exaggerating. The longer you keep that system up, the higher the
chance is that you'll get contacted by your provider, Internet users
(blacklisted, etc.), or possibly law enforcement.
-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
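The reply above makes the point that outgoing mail from a possibly compromised host can only be checked independently of its own logs from a router or network tap. The following is an added example, not part of the thread and not Jeremy's code: it runs over connection records captured on such a vantage point (a constructed, simplified "src dst dport" format, not real pflog output) and flags any LAN host that opens SMTP connections other than the one sanctioned MTA, as well as the MTA itself when its fan-out to distinct peers exceeds an assumed threshold. The sanctioned address, the record format and the threshold are assumptions.

```python
# Added example (not from the thread): flag LAN hosts that originate SMTP
# connections, using only connection records captured on a router or tap,
# so the check does not rely on the mail logs of a host that may be owned.
from collections import defaultdict

# Constructed sample records, one outbound TCP connection per line in a
# simplified "src dst dport" form (not real pflog/tcpdump output).
SAMPLE_CONNECTIONS = """\
192.0.2.10 198.51.100.5 25
192.0.2.10 203.0.113.7 25
192.0.2.44 198.51.100.5 443
192.0.2.23 203.0.113.9 25
192.0.2.23 203.0.113.10 25
192.0.2.23 203.0.113.11 25
192.0.2.23 203.0.113.12 25
192.0.2.44 203.0.113.7 587
"""

# Assumed policy: only this host (the site's MTA) is allowed to talk to port 25.
SANCTIONED_MTA = "192.0.2.10"
FANOUT_LIMIT = 3   # assumed: more distinct SMTP peers than this is suspicious
SMTP_PORT = 25

def parse_connections(text):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])

def find_smtp_senders(text, sanctioned=SANCTIONED_MTA, limit=FANOUT_LIMIT):
    """Return {src: sorted distinct SMTP destinations} for every source that
    is not the sanctioned MTA, or that is the MTA but exceeds the fan-out limit."""
    peers = defaultdict(set)
    for src, dst, dport in parse_connections(text):
        if dport == SMTP_PORT:
            peers[src].add(dst)
    flagged = {}
    for src, dsts in peers.items():
        if src != sanctioned or len(dsts) > limit:
            flagged[src] = sorted(dsts)
    return flagged

if __name__ == "__main__":
    for src, dsts in sorted(find_smtp_senders(SAMPLE_CONNECTIONS).items()):
        print(f"{src} opened SMTP to {len(dsts)} host(s): {', '.join(dsts)}")
```

With the sample data only 192.0.2.23 is reported; the sanctioned MTA stays under the fan-out limit and the host using 443/587 never touches port 25.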