Koozali.org: home of the SME Server

Spammer is hacking my boxes - spam is flowing...

Brad500

Spammer is hacking my boxes - spam is flowing...
« on: April 20, 2004, 05:38:58 AM »
So, I've installed 6.01-01, because the older 5.6 version was hacked too, and now that same spammer has managed to hack twice. I was hoping I just needed some updates, so I installed a fresh copy of the "Custom ISO" copy discussed in these forums.

It appears he's using some buffer-overflow method (I'm no log expert). Here's a bit of the HTTP access log entry:

www.pasadenalaw.com 209.78.208.93 - - [19/Apr/2004:17:29:23 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\....(pages of this stuff then ends with ...90\x90\x90" 414 271 "-" "-"

Shortly after this it seems the spam starts to flow. Sender UIDS log shows:

mess    bytes   sbytes   rbytes  recips  tries       xdelay  uid
   1      527      527      527       1      1     0.196170  0
   1      764      764      764       1      1     0.184620  101
 320  2862293  2809208  2862293     320    320    52.695518  400
 296  3134897  3224730  3224730     332    332   219.798642  401
   1     2064     2064     2064       1      1  2893.484848  406

About 700 messages since the hack around 5.29pm PDT.

Last time, it was thousands...

Here are some samples of stuff in the Outgoing mail log:

20 Apr 2004 01:07:11 GMT  #914357  3216  <>
   remote   schuckfam@biz4hits.biz
20 Apr 2004 01:06:49 GMT  #914358  3282  <>
   remote   schrismas@bettahits.biz
20 Apr 2004 01:07:00 GMT  #914359  3204  <>
   remote   dealerro@biz4hits.biz
20 Apr 2004 01:07:11 GMT  #914360  3222  <>
   remote   schuckfam@biz4hits.biz
20 Apr 2004 01:06:22 GMT  #914317  3304  <>
   remote   bradae@biz4hits.biz


I've tried several things...abuse.net shows no open relay...

Anybody know what's going on? Is the hack via webmail? Because it was enabled, but most everything else was not; no SSH, FTP, atalk, squid, smb, lpd or ldap.

Set up as server-gateway.

Thanks.

cc_skavenger

spammer
« Reply #1 on: April 20, 2004, 07:33:03 AM »
install mail-front mail-rules and deny any mail from *@*.biz going to *@*.  This should stop it.  Also, create a template fragment for /etc/hosts.deny and put pasadenalaw.com and 209.78.208.93 in it.  Also, I would contact the owner of the IP, which I could not find, but here is the whois info:

   Domain Name: PASADENALAW.COM
   Registrar: DOMAIN REGISTRATION SERVICES
   Whois Server: whois.dotearth.com
   Referral URL: http://www.dotearth.com
   Name Server: NS1.MYDOMAIN.COM
   Name Server: NS2.MYDOMAIN.COM
   Name Server: NS3.MYDOMAIN.COM
   Name Server: NS4.MYDOMAIN.COM
   Status: ACTIVE
   Updated Date: 25-feb-2004
   Creation Date: 12-mar-1999
   Expiration Date: 12-mar-2005

and here is the DOMAIN REGISTRATION SERVICES contact info:

Domain Registration Services, Inc. dba dotEarth.com
309 Fellowship Road
Mount Laurel, NJ 08054
United States
+1-888-339-9001
support@dotEarth.com
 
Also, try to ask your ISP for help, I am sure you are not the only one that is being bothered by this and this does put a lot of undue pressure on their system.  If you are an ISP, then enlist the help of your bandwidth provider.

HTH

Archer

Spammer is hacking my boxes - spam is flowing...
« Reply #2 on: April 20, 2004, 08:08:14 AM »
This is rather disturbing. After the problems I've been having with large volumes of outgoing mail, I did some checking on my server (SME 5.6) searching the logs for the items you mentioned in your post.

Well, I found it, lots of it. There are 22 instances of "SEARCH/\x90\............." in my httpd access log, dating from the 15th of April to the 19th. The major difference is that the IP addresses I'm seeing are different, not just from yours but each IP in my log is unique!

Could this be a more widespread problem?
Maybe everyone should check their logs.

Is the only way to fix this to reinstall the server from scratch? :cry:

Archer

Boris
Spammer is hacking my boxes - spam is flowing...
« Reply #3 on: April 20, 2004, 10:01:06 AM »
"SEARCH/\x90\x02\xb1\.....
is the latest exploit against IIS with WebDav on MS Windows. There is a lot of info on the Internet.
Apache on Linux is not vulnerable, although it’s very annoying.  
It shouldn't be related to sending e-mail.
...

carlosp

Re: spammer
« Reply #4 on: April 20, 2004, 04:10:07 PM »
Quote from: "cc_skavenger"
install mail-front mail-rules and deny any mail from *@*.biz going to *@*.  This should stop it.  Also, create a template fragment for /etc/hosts.deny and put pasadenalaw.com and 209.78.208.93 in it.

HTH


Hi HTH

Where can I d/l mail-front and mail-rules?
I also get the same spam.
How do I create a template fragment?

Thanks
Carlos

Brad500

Spammer is hacking my boxes - spam is flowing...
« Reply #5 on: April 20, 2004, 06:19:09 PM »
Thanks cc_skavenger,

Unfortunately, we ARE pasadenalaw.com. The mail server is at this IP (DNS MX=209.78.190.187) and the web stuff is being handled by a specialist company (DNS A=208.252.207.101).

And the domains that are being used (sent from) are numerous, not just *@*.biz.

There are other IPs that this hack comes in on, like 209.78.209.148 and 209.78.208.51.

And in the MESSAGES log there are a hundred of these shortly after the "x90\x02\xb1\x02\xb1\x02\xb1" mess:

Apr 19 19:33:06 ballmail kernel: denylog:IN=eth1 OUT= MAC=00:a0:cc:e2:92:c2:00:10:67:00:b1:e6:08:00 SRC=202.177.155.58 DST=209.78.190.187 LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=64087 DF PROTO=TCP SPT=1700 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 19 19:33:06 ballmail kernel: denylog:IN=eth1 OUT= MAC=00:a0:cc:e2:92:c2:00:10:67:00:b1:e6:08:00 SRC=202.177.155.58 DST=209.78.190.187 LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=64088 DF PROTO=TCP SPT=1704 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 19 19:33:06 ballmail kernel: denylog:IN=eth1 OUT= MAC=00:a0:cc:e2:92:c2:00:10:67:00:b1:e6:08:00 SRC=202.177.155.58 DST=209.78.190.187 LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=64091 DF PROTO=TCP SPT=1702 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0

The "x90\x02\xb1\x02\xb1\x02" stuff may not be the hack, but there is some way he's getting in.

I can run various logs and send them if anybody can make them out...or would be willing.

Thanks again.

brad

Boris
Spammer is hacking my boxes - spam is flowing...
« Reply #6 on: April 20, 2004, 09:33:44 PM »
kernel: denylog:IN=eth1 OUT= MAC=
It is an indication that the firewall is doing its job and dropping malicious packets.
You could research the guardian add-on that automatically blocks offenders for 24 hours if they try to scan your network.
...
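To see at a glance what the denylog lines Boris refers to represent (how many packets each source sent, which ports it aimed at, and whether they were all connection attempts), here is a small triage script. It is an added example, not code from any poster or from SME Server; the sample log is constructed from the three lines quoted in the thread plus one extra line from a documentation-range address.

```python
from collections import defaultdict

# Constructed sample modelled on the kernel "denylog:" lines quoted above
# (netfilter LOG output, one dropped packet per line). The last line is
# invented: a UDP packet without the SYN flag, from a documentation address.
SAMPLE_LOG = """\
Apr 19 19:33:06 ballmail kernel: denylog:IN=eth1 OUT= MAC=00:a0:cc:e2:92:c2:00:10:67:00:b1:e6:08:00 SRC=202.177.155.58 DST=209.78.190.187 LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=64087 DF PROTO=TCP SPT=1700 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 19 19:33:06 ballmail kernel: denylog:IN=eth1 OUT= MAC=00:a0:cc:e2:92:c2:00:10:67:00:b1:e6:08:00 SRC=202.177.155.58 DST=209.78.190.187 LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=64088 DF PROTO=TCP SPT=1704 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 19 19:33:06 ballmail kernel: denylog:IN=eth1 OUT= MAC=00:a0:cc:e2:92:c2:00:10:67:00:b1:e6:08:00 SRC=202.177.155.58 DST=209.78.190.187 LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=64091 DF PROTO=TCP SPT=1702 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 19 19:35:10 ballmail kernel: denylog:IN=eth1 OUT= MAC=00:a0:cc:e2:92:c2:00:10:67:00:b1:e6:08:00 SRC=198.51.100.7 DST=209.78.190.187 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Apr 19 19:35:11 ballmail sshd[1]: not a firewall line, must be ignored
"""


def parse_denylog(line):
    """Split one netfilter LOG record into key=value fields plus bare flags
    (DF, SYN, ...). Returns None for lines that are not denylog entries."""
    marker = "denylog:"
    pos = line.find(marker)
    if pos < 0:
        return None
    fields, flags = {}, set()
    for tok in line[pos + len(marker):].split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # "OUT=" has an empty value
            fields[key] = val
        else:
            flags.add(tok)
    fields["flags"] = flags
    return fields


def summarize(log_text):
    """Per source address: packets dropped, destination ports touched,
    and whether every packet was a TCP SYN (a connect/scan attempt)."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(), "syn_only": True})
    for line in log_text.splitlines():
        rec = parse_denylog(line)
        if rec is None or "SRC" not in rec:
            continue
        entry = summary[rec["SRC"]]
        entry["count"] += 1
        if "DPT" in rec:
            entry["ports"].add(int(rec["DPT"]))
        if "SYN" not in rec["flags"]:
            entry["syn_only"] = False
    return dict(summary)


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(f"{src:16} dropped={info['count']} ports={sorted(info['ports'])} syn_only={info['syn_only']}")
```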

Ed

Spammer is hacking my boxes - spam is flowing...
« Reply #7 on: April 20, 2004, 10:25:19 PM »
From googling... "\x90\x02\xb1\x02\xb1"

It's the IIS WebDAV exploit: http://edgeos.com/threats/details.php?id=11413
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx

If you're running Apache on *nix, those lines are just annoying (but can cause problems with Webalizer). If you have IIS, better start patching ASAP!

Ed
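To sweep an SME httpd access log for the WebDAV probe Ed and Boris identify, and to confirm Archer's point that each source address tends to appear only once, here is a detector for the log format quoted at the top of the thread. It is an added example, not code from any poster or from SME Server; the sample lines are constructed, reusing source addresses quoted in this thread plus documentation-range addresses for the two benign requests.

```python
import re
from collections import Counter

# Apache combined log with a leading virtual-host field, as in the SME httpd
# log quoted in this thread.  The probe's request has no "HTTP/1.x" suffix,
# so the whole request is captured and split afterwards.
ACCESS_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Apache writes unprintable bytes as \xHH; eight or more in a row is payload.
BINARY_URI_RE = re.compile(r'(\\x[0-9a-fA-F]{2}){8,}')

# Constructed sample: three probes (addresses quoted in the thread), one
# ordinary GET and one legitimate WebDAV SEARCH that must not be flagged.
SAMPLE_LINES = [
    r'www.pasadenalaw.com 209.78.208.93 - - [19/Apr/2004:17:29:23 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90" 414 271 "-" "-"',
    r'www.pasadenalaw.com 209.78.209.148 - - [19/Apr/2004:18:02:41 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90" 414 271 "-" "-"',
    r'www.pasadenalaw.com 209.78.208.51 - - [19/Apr/2004:19:11:05 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90" 414 271 "-" "-"',
    r'www.pasadenalaw.com 192.0.2.10 - - [19/Apr/2004:19:12:00 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    r'www.pasadenalaw.com 192.0.2.11 - - [19/Apr/2004:19:13:30 -0700] "SEARCH /dav/ HTTP/1.1" 405 312 "-" "cadaver/0.22"',
]


def is_webdav_probe(method, path):
    """IIS/WebDAV overflow signature: a SEARCH whose URI is a run of
    escaped bytes that includes the 0x90 filler byte."""
    return method == "SEARCH" and r"\x90" in path and bool(BINARY_URI_RE.search(path))


def scan(lines):
    """Probe records, per-source counts, and whether each source appeared
    only once (Archer's 'each IP is unique' observation)."""
    probes = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line: skip, never abort the sweep
        parts = m.group("request").split(" ")
        method, path = parts[0], (parts[1] if len(parts) > 1 else "")
        if is_webdav_probe(method, path):
            probes.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "status": int(m.group("status"))})
    by_ip = Counter(p["ip"] for p in probes)
    unique = bool(probes) and all(n == 1 for n in by_ip.values())
    return {"probes": probes, "by_ip": by_ip, "all_sources_unique": unique}


if __name__ == "__main__":
    for ip, n in scan(SAMPLE_LINES)["by_ip"].most_common():
        print(f"{ip:16} {n} probe(s)")
```

A real sweep would feed `scan()` the lines of the httpd access log instead of `SAMPLE_LINES`; the 414 status on the probe lines is Apache rejecting the oversized URI, which is why the request is harmless to it.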

Spammer is hacking my boxes - spam is flowing...
« Reply #8 on: April 20, 2004, 10:31:06 PM »
Things don't make sense...
I think the HTTP log is just a coincidence.
I'm guessing that the mail is generated from a workstation.

Are you sure that there are no workstations that have been hacked/infected with a trojan?

You can try:
1.  Disconnect from the internal net and see if
    new messages are being generated.
2.  Disconnect from the external net and
    look at the headers of the outgoing messages
    to determine where they are originating from.

Good Luck
Ed

Brad500

Spammer is hacking my boxes - spam is flowing...
« Reply #9 on: April 21, 2004, 06:58:32 PM »
It was not internal - all workstations were checked.

I've installed a fresh copy, added Secure SMTP and turned most services off, especially Webmail. Box up about 18 hours, and so far, so good.

I'm thinking they got in via webmail because one box without webmail went 3 days without hacking. Machine with webmail only went a couple of hours.

But I'm not sure, which makes me nervous. I'd really like to know how, so it could be fixed.

We'll see what happens over the next few days...

b

sspfunk

hack
« Reply #10 on: April 21, 2004, 09:11:20 PM »
Did you change the root/admin password on the new install?
Did you change all users passwords also?
These two are a must.
most hacks are social engineering or from getting a valid username/password combo and then using vulns to escalate privs

steve

electroman00
Spammer is hacking my boxes - spam is flowing...
« Reply #11 on: April 21, 2004, 09:34:02 PM »
Quote
So, I've installed 6.01-01, cause the older 5.6 version was hacked too, and now that same spammer has managed to hack twice.


Sure it's the SME server and not a M$ Win client....!!

Sounds like you're looking in the wrong place.

With all the vulnerabilities in M$ I would say it's a client on your LAN.

Let us know...........

Sorry, didn't read your last post, however I still think it derives from a M$ client starting it off.

Brad500

Spammer is hacking my boxes - spam is flowing...
« Reply #12 on: April 21, 2004, 11:00:44 PM »
Yes, it is usually likely to be one of the clients (about 8 of them), but I don't think so. We tried several ways to isolate and the clients didn't seem to be the culprit.

I've gotten over 200 hits to the firewall from several of the IPs that seemed to be the problem - they are trying. The MS/WebDAV hack twice, but that should not work on Linux...

All clients are now hooked up and on - and Secure SMTP does not force SMTP auth from local clients - I wish I had that option. So, if it's client based, wouldn't the spam still be flowing currently? I.e., a client hacked/compromised to relay spam?

If this client was closer, I'd put a 2nd machine out there configured the same but WITH webmail on...

b

Ed

Spammer is hacking my boxes - spam is flowing...
« Reply #13 on: April 22, 2004, 07:55:51 PM »
My thinking was that there may be a trojan on one of the boxes and it is keylogging/capturing a userid and the password to the SME.

With so many SME out there, I just can't believe that someone is getting in to the SME box without a password.

Download SpyBot from http://www.safer-networking.org/
and see if anything comes up.....

Ed

Texasboy

What was the final verdict on the problem?
« Reply #14 on: September 22, 2005, 04:51:03 PM »
I found this thread after experiencing the same problems. I have a spammer on my office network and I can't find him. I have looked at my logs on my SME 6.0.1 server and I am sending thousands of e-mails. I never had webmail enabled or access from the internet. The mail has always been set up for internal access only and my clients are pulling POP mail from the ISP and not using the SME server as mail. I read that Brad500 reloaded his server and turned off webmail and that seems to have resolved the problem, and others have been looking at the Microsoft clients for a Trojan. I am wondering what everyone found? Was it a Trojan or was it a server breach?

Thanks
Texasboy