Date: Sat, 28 Sep 2002 08:42:49 -0700 (PDT)
From: Heywood Jblome <provencial1@yahoo.com>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: Possible trojan since upgrade
Message-ID: <20020928154249.55546.qmail@web21401.mail.yahoo.com>
In-Reply-To: <200209280432.g8S4W2vU002581@gw.catspoiler.org>
I guess I wasn't very clear last night (slaps hand to head). The server in question is secured against third-party relay. It has been secured for at least 5 years. I do test it regularly - and especially after every CVSUP and upgrade :-). Last test was done Thursday after I noticed the weird entries in the log file.

I also check a couple of blocklists to reduce spam. Hence the second entry that I included. That one was rejected after the blocklist was checked. I included it only to show the log entry that occurs when mail is rejected (I see similar entries for relay denied).

The first entry is the only one in question. There is NO second entry associated with PID=1742, nor is there an indication on the one entry that exists for 1742 as to whether it was sent, rejected, etc. Note that the sent email size is zero. My host is zzzzzz.com. I guess it is possible that someone is trying to bounce something off the box. But it should show as rejected or blocklisted if they were. Or a second entry to show the status. With no second entry for PID 1742, I got suspicious.

This happens almost once a day, and there is nothing in CRON that would be obvious. I did test using chkrootkit, but nothing showed. In addition, the box slows dramatically after this event occurs. I see it about once a day. But nothing shows in the process list to explain the slow system.

What got my shields up was the fact that this behavior started as I CVSUPed to RC0, and I was concerned that something untoward had been stuck into one of the source files. I wondered if this entry was flagging an attempted connect to an outside server that would in turn remotely attack a vulnerability in my host zzzzzz.com. Guess it's time to stick a packet sniffer on the network and see what's going out to the rest of the world when this happens. I was hoping someone could point me to a couple of places to look.

Box is a PIII running RC-0. Thanks to all that replied.
Sorry to use the throwaway yahoo account, but if there's a vulnerability, I don't want to announce it to the world.

--- Don Lewis <dl-freebsd@catspoiler.org> wrote:
> On 27 Sep, Heywood Jblome wrote:
> > Since I upgraded to a recent Stable CVSUP, I've seen this kind of message about once a day in the /var/log/maillog file. I suspect a trojan, as the "root" user did not send email at this time; there is no matching entry indicating that the mail was sent, queued, or so forth. The system seems to slow after this entry shows in the logs.
>
> It looks more like some spammer has discovered that the host at IP address 217.58.38.101 is an unsecured proxy and is either attempting to spam you or to use your host as a spam relay. According to the second log entry, this attempt is being rejected because 217.58.38.101 is listed in the relays.osirusoft.com database. Complain to <abuse@interbusiness.it>, but don't get your hopes up.
>
> The first entry appears to be unrelated because it is a different sendmail process ID, and the source IP address, 202.80.192.29, is different. In this case, it looks like a spammer may be attempting to get past any filters and relay his junk email through your host by using <root@zzzzzz.com> as the return address. Grep the log file for more entries from sendmail pid 1742 to see if this spammer is succeeding or if his attempts are being rejected.
>
> If spammers are exploiting your mail server it is likely to feel the impact.
>
> Be very sure that your server is not vulnerable to being used to relay third party email, since this is sure to attract spammers. One way of testing it is to telnet to relay-test.mail-abuse.org from the host in question.
>
> > Don't know for sure whether this came from a CVSUP or somewhere else... there are only two users on the system.
> >
> > Can anyone point me where to look to eliminate whatever is causing this email connection?
> >
> > -----------------
> > from /var/log/maillog
> >
> > assume host zzzzzz.com
> >
> > -----------This is the entry in question--------
> > Sep 27 13:44:40 medusa sm-mta[1742]: g8RIiXgt001742: from=<root@zzzzzz.com>, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[202.80.192.29]
> > -------------Next entry-------------
> > Sep 27 13:46:59 medusa sm-mta[1746]: ruleset=check_relay, arg1=host101-38.pool21758.interbusiness.it, arg2=217.58.38.101, relay=host101-38.pool21758.interbusiness.it [217.58.38.101], reject=550 5.7.1 Mail Rejected - see http://relays.osirusoft.com
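Added example, not part of the thread: a small Python correlator for sendmail maillog lines that flags queue IDs which log a from= envelope but never a to=/stat=/reject= disposition under the same ID, which is the check Don suggests doing by hand with grep on pid 1742. The sample log is constructed from the two entries quoted above plus a made-up, normally completed delivery (queue ID g8RIjAbc001750, hosts example.org and 192.0.2.10) so the two cases can be told apart.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two entries quoted in the thread; the
# g8RIjAbc001750 pair is made up to show a normally completed delivery.
SAMPLE_MAILLOG = """\
Sep 27 13:44:40 medusa sm-mta[1742]: g8RIiXgt001742: from=<root@zzzzzz.com>, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[202.80.192.29]
Sep 27 13:46:59 medusa sm-mta[1746]: ruleset=check_relay, arg1=host101-38.pool21758.interbusiness.it, arg2=217.58.38.101, relay=host101-38.pool21758.interbusiness.it [217.58.38.101], reject=550 5.7.1 Mail Rejected - see http://relays.osirusoft.com
Sep 27 13:50:02 medusa sm-mta[1750]: g8RIjAbc001750: from=<alice@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Sep 27 13:50:03 medusa sm-mta[1751]: g8RIjAbc001750: to=<bob@zzzzzz.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31234, dsn=2.0.0, stat=Sent
"""

# syslog timestamp, sendmail PID, optional queue ID, then the key=value payload
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[(?P<pid>\d+)\]: "
                     r"(?:(?P<qid>\w+): )?(?P<rest>.*)$")
# key=value pairs: <address> or [ip] tokens taken whole, anything else up to the next comma
KV_RE = re.compile(r"(\w+)=(<[^>]*>|\[[^\]]*\]|[^,]+)")

def parse_maillog(text):
    """Turn each sm-mta line into a dict of ts, pid, qid plus its key=value fields."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = {"ts": m.group("ts"), "pid": int(m.group("pid")), "qid": m.group("qid")}
            rec.update(KV_RE.findall(m.group("rest")))
            records.append(rec)
    return records

def find_incomplete_envelopes(records):
    """Queue IDs that logged an envelope (from=) but never a disposition
    (to=/stat=/reject=) under the same ID: the pattern seen for PID 1742."""
    by_qid = defaultdict(list)
    for r in records:
        if r["qid"]:
            by_qid[r["qid"]].append(r)
    hits = []
    for qid, recs in by_qid.items():
        envelopes = [r for r in recs if "from" in r]
        closed = any(k in r for r in recs for k in ("to", "stat", "reject"))
        if envelopes and not closed:
            e = envelopes[0]
            hits.append({"qid": qid, "pid": e["pid"], "from": e["from"],
                         "size": int(e.get("size", "0")), "relay": e.get("relay", "")})
    return hits

if __name__ == "__main__":
    for h in find_incomplete_envelopes(parse_maillog(SAMPLE_MAILLOG)):
        print(f"no disposition for {h['qid']} (pid {h['pid']}): {h['from']} via {h['relay']}")
```

On a real box, feed it the whole of /var/log/maillog rather than the sample; a hit whose relay is an outside address and whose size is 0 is the entry to line up against the packet capture by timestamp.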