From owner-freebsd-ports@FreeBSD.ORG Mon Sep 8 12:35:56 2008
From: David Southwell
Organization: Voice and Vision
To: Jeremy Chadwick
Cc: freebsd-ports@freebsd.org
Date: Mon, 8 Sep 2008 05:59:54 -0700
Subject: Re: Mail services checking - URGENT
User-Agent: KMail/1.9.10
References: <200809080510.27779.david@vizion2000.net> <20080908121951.GB67339@icarus.home.lan>
In-Reply-To: <20080908121951.GB67339@icarus.home.lan>
Message-Id: <200809080559.54658.david@vizion2000.net>

On Monday 08 September 2008 05:19:51 Jeremy Chadwick wrote:
> On Mon, Sep 08, 2008 at 05:10:27AM -0700, David Southwell wrote:
> > I have had a series of attacks on a system which resulted in a hijack of
> > our mail system.
> >
> > I believe I have now fixed the main problem but I need a tool that will
> > reliably, and independently of the mail logs, check my network for all
> > outgoing mails and hold them up until I am certain that all
> > loopholes have been closed.
> >
> > Can anyone please let me have some recommendations on the best way of
> > going about this
>
> I'm not sure what exactly you want. Someone compromising your system
> means they could've done *anything*, including running their own MTA,
> replacing libc to include an open proxy for spamming, or any other
> thing. There's no way to "detect" that sort of thing aside from deep
> packet inspection to look for mail-like network traffic, which is
> predominantly the job of a router or network tap. It's going to be
> impossible for you to 100% ensure the system is in a working state.

What happened was compromising 2 Windows systems and installing a trojan on
those two systems. They were used to send mail via the MTAs on the FreeBSD
server to the outside world, and in particular had permissions to send mail to
root on the FreeBSD server. There was no actual compromise of the FreeBSD
server and the Windows systems had no ability to access the server.

> Keeping it simple, making the (horrible) assumption that they
> compromised something that affected your MTA: it depends completely and
> entirely on what MTA you're using (sendmail, postfix, etc.). See
> your MTA's manpages for looking at outbound/delivery mail queue.

In addition to the above I am looking for an additional way of monitoring
smtpd port 25 outbound traffic at the network level, filter the traffic, and
do extra checks to make sure there is nothing left when I reopen the service
to the local network.

> By the way, and I apologise if I'm stepping over a line here, but "fixed
> the main problem" doesn't sound like you fixed anything. You might have
> "addressed the hole they used to get in on", but what makes you think
> they didn't replace binaries (including using touch -amcf to adjust
> a/m/ctimes) or do something even more sneaky?

The main problem was the trojan and stuff that it brought in. Hefty use of
Kaspersky and about six other tools on the Windows systems has resolved the
issue.

I have not been able to detect any attempts from the Windows systems to abuse
the mail system but I want to monitor dynamically for some time.

> If someone compromised one of your systems, do the world a favour: pull
> the Ethernet out of it or have it shut off *immediately* (this is how
> MIT does it -- yes I'm serious), go to the datacentre and format the
> disk(s). No, I am not exaggerating. The longer you keep that system up,
> the higher the chance is that you'll get contacted by your provider,
> Internet users (blacklisted, etc.), or possibly law enforcement.

You are not out of line -- I understand. That is why the system was shut down
for 48 hours.

David
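As an added example (not part of this thread, and not something either poster wrote), one way to do the network-level port 25 monitoring David asks for: capture the SYN of every outbound SMTP connection on the gateway or a span port with tcpdump, then classify each LAN source as either talking to the Internet directly (bypassing the MTA) or submitting to the MTA itself, which is the path the compromised Windows hosts used. The LAN range 192.168.1.0/24, the MTA address 192.168.1.10 and the sample capture are all constructed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Parses tcpdump's text output, for example from (run on the gateway or a tap):
#   tcpdump -n -tt -l -i em0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'
# One SYN line per delivery attempt is all that is needed to count them.
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

# Constructed sample capture, not real traffic. Hypothetical layout:
# 192.168.1.0/24 is the LAN, 192.168.1.10 is the FreeBSD MTA.
SAMPLE = """\
1220875201.000001 IP 192.168.1.10.51000 > 203.0.113.5.25: Flags [S], seq 1, win 65535, length 0
1220875202.000001 IP 192.168.1.23.49152 > 198.51.100.7.25: Flags [S], seq 2, win 65535, length 0
1220875203.000001 IP 192.168.1.23.49153 > 198.51.100.8.25: Flags [S], seq 3, win 65535, length 0
1220875204.000001 IP 192.168.1.24.50001 > 192.168.1.10.25: Flags [S], seq 4, win 65535, length 0
1220875205.000001 IP 198.51.100.7.25 > 192.168.1.23.49152: Flags [S.], seq 9, ack 3, win 65535, length 0
1220875206.000001 IP 192.168.1.30.40000 > 203.0.113.9.80: Flags [S], seq 5, win 65535, length 0
"""


def classify_smtp_syns(lines, lan_net, mta_ip, smtp_port=25):
    """Return (direct, relay): per-source counts of new outbound SMTP connections.

    direct: LAN hosts other than the MTA opening port 25 to the Internet
            (a mailer on the host bypassing the server entirely).
    relay:  LAN hosts opening port 25 on the MTA itself (sending through it).
    """
    lan = ip_network(lan_net)
    mta = ip_address(mta_ip)
    direct, relay = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        src, dst = ip_address(m.group(1)), ip_address(m.group(3))
        dport, flags = int(m.group(4)), m.group(5)
        # Only a pure SYN (not the "S." SYN-ACK reply) marks a new attempt.
        if dport != smtp_port or flags != "S" or src not in lan:
            continue
        if dst == mta:
            relay[str(src)] += 1
        elif src != mta and dst not in lan:
            direct[str(src)] += 1
    return direct, relay


if __name__ == "__main__":
    direct, relay = classify_smtp_syns(SAMPLE.splitlines(), "192.168.1.0/24", "192.168.1.10")
    for host, n in direct.items():
        print(f"DIRECT {host}: {n} SMTP connection(s) to the Internet, bypassing the MTA")
    for host, n in relay.items():
        print(f"RELAY  {host}: {n} SMTP connection(s) to the MTA")
```

Any host that shows up under DIRECT is sending mail without the server at all; a host under RELAY that is not an expected mail client is the pattern described in the thread, and both are candidates for an egress block on port 25 at the gateway.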