Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Brad500 on April 20, 2004, 05:38:58 AM
-
So, I've installed 6.01-01, because the older 5.6 version was hacked too, and now that same spammer has managed to hack it twice. I was hoping I just needed some updates, so I installed a fresh copy of the "Custom ISO" discussed in these forums.
It appears he's using some buffer-overflow method (I'm no log expert). Here's a bit of the HTTP access log entry:
www.pasadenalaw.com 209.78.208.93 - - [19/Apr/2004:17:29:23 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\....(pages of this stuff then ends with ...90\x90\x90" 414 271 "-" "-"
Shortly after this it seems the spam starts to flow. The Sender UIDs log shows:
   mess      bytes     sbytes     rbytes  recips  tries       xdelay  uid
      1        527        527        527       1      1     0.196170    0
      1        764        764        764       1      1     0.184620  101
    320    2862293    2809208    2862293     320    320    52.695518  400
    296    3134897    3224730    3224730     332    332   219.798642  401
      1       2064       2064       2064       1      1  2893.484848  406
About 700 messages since the hack around 5.29pm PDT.
Last time, it was thousands...
Here's some samples of stuff in the Outgoing mail log:
20 Apr 2004 01:07:11 GMT #914357 3216 <>
remote schuckfam@biz4hits.biz
20 Apr 2004 01:06:49 GMT #914358 3282 <>
remote schrismas@bettahits.biz
20 Apr 2004 01:07:00 GMT #914359 3204 <>
remote dealerro@biz4hits.biz
20 Apr 2004 01:07:11 GMT #914360 3222 <>
remote schuckfam@biz4hits.biz
20 Apr 2004 01:06:22 GMT #914317 3304 <>
remote bradae@biz4hits.biz
I've tried several things...abuse.net shows no open relay...
Anybody know what's going on? Is the hack via webmail? Because it was enabled, but most everything else was not: no SSH, FTP, atalk, squid, smb, lpd or ldap.
Setup as server-gateway.
Thanks.
-
Install mail-front mail-rules and deny any mail from *@*.biz going to *@*. This should stop it. Also, create a template fragment for /etc/hosts.deny and put pasadenalaw.com and 209.78.208.93 in it. Also, I would contact the owner of the IP, which I could not find, but here is the whois info:
Domain Name: PASADENALAW.COM
Registrar: DOMAIN REGISTRATION SERVICES
Whois Server: whois.dotearth.com
Referral URL: http://www.dotearth.com
Name Server: NS1.MYDOMAIN.COM
Name Server: NS2.MYDOMAIN.COM
Name Server: NS3.MYDOMAIN.COM
Name Server: NS4.MYDOMAIN.COM
Status: ACTIVE
Updated Date: 25-feb-2004
Creation Date: 12-mar-1999
Expiration Date: 12-mar-2005
and here is DOMAIN REGISTRATION SERVICES contact info:
Domain Registration Services, Inc. dba dotEarth.com
309 Fellowship Road
Mount Laurel, NJ 08054
United States
+1-888-339-9001
support@dotEarth.com
Also, try to ask your ISP for help. I am sure you are not the only one that is being bothered by this and this does put a lot of undue pressure on their system. If you are an ISP, then enlist the help of your bandwidth provider.
HTH
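Nobody in the thread spells out how the "template fragment" above is made, so here is an added example (editor's code, not from the thread or the SME project) that writes one and re-expands /etc/hosts.deny. It assumes SME's layout: custom fragments live under /etc/e-smith/templates-custom/<path of target file>/ and the target is regenerated with /sbin/e-smith/expand-template; the fragment name 20blocklist is our own choice (the numeric prefix orders fragments). One caveat a practitioner would want: tcp_wrappers only governs services that consult libwrap (sshd, xinetd-launched daemons), and Apache is not one of them, so this entry does nothing about the SEARCH requests in the httpd log; it does keep those addresses away from the wrapped services.

```python
import ipaddress
import subprocess
import tempfile
from pathlib import Path

# Added example, not from the thread or the SME project. Assumptions: SME keeps custom template
# fragments under /etc/e-smith/templates-custom/<target path>/ and regenerates the target with
# /sbin/e-smith/expand-template. "20blocklist" is our fragment name; the prefix orders fragments.
# tcp_wrappers never validates what is in hosts.deny, so the addresses are validated here.

FRAGMENT = "20blocklist"
TARGET = "/etc/hosts.deny"


def render_fragment(addrs):
    """Return the fragment text: one 'ALL: addr' line per validated IPv4 address or network."""
    lines = ["# custom fragment: sources seen probing this server (see httpd access log)"]
    for a in addrs:
        net = ipaddress.ip_network(a, strict=False)   # raises ValueError on junk
        if net.version != 4:
            raise ValueError(f"IPv4 only in this fragment: {a}")
        # hosts_access(5) takes 'net/mask' for networks, a bare address for hosts
        entry = (str(net.network_address) if net.prefixlen == 32
                 else f"{net.network_address}/{net.netmask}")
        lines.append(f"ALL: {entry}")
    return "\n".join(lines) + "\n"


def write_fragment(root, addrs):
    """Write the fragment below ROOT ('/' on the server, a scratch dir to preview). Returns the path."""
    frag_dir = Path(root) / "etc/e-smith/templates-custom" / TARGET.lstrip("/")
    frag_dir.mkdir(parents=True, exist_ok=True)
    path = frag_dir / FRAGMENT
    path.write_text(render_fragment(addrs))
    return path


def preview(addrs):
    """Write the fragment under a fresh scratch directory and return its path, for inspection."""
    return write_fragment(tempfile.mkdtemp(), addrs)


def expand(root):
    """Regenerate /etc/hosts.deny from its fragments; only meaningful on the SME box itself."""
    if Path(root).resolve() != Path("/"):
        return None
    return subprocess.run(["/sbin/e-smith/expand-template", TARGET], check=True).returncode


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    addrs = ["209.78.208.93", "209.78.209.148", "209.78.208.51"]   # the sources named in this thread
    path = write_fragment(root, addrs) if root else preview(addrs)
    print(path)
    print(path.read_text())
    if root:
        expand(root)
```

Run it with no argument to see the fragment in a scratch directory; on the SME box run it with `/` as the argument, which writes the real fragment and expands the template.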
-
This is rather disturbing. After the problems I've been having with large volumes of outgoing mail, I did some checking on my server (SME 5.6) searching the logs for the items you mentioned in your post.
Well, I found it, lots of it. There are 22 instances of "SEARCH/\x90\............." in my httpd access log, dating from the 15th of April to the 19th. The major difference is that the IP addresses I'm seeing are different, not just from yours but each IP in my log is unique!
Could this be a more widespread problem?
Maybe everyone should check their logs.
Is the only way to fix this to reinstall the server from scratch? :cry:
Archer
-
"SEARCH/\x90\x02\xb1\.....
is the latest exploit against IIS with WebDav on MS Windows. There is a lot of info on the Internet.
Apache on Linux is not vulnerable, although it’s very annoying.
It shouldn't be related to sending e-mail.
-
install mail-front mail-rules and deny any mail from *@*.biz going to *@*. This should stop it. Also, create a template fragment for /etc/hosts.deny and put pasadenalaw.com and 209.78.208.93 in it.
HTH
Hi HTH
Where can I d/l mail-front and mail-rules?
I also get the same spam.
how do I create a template fragment?
Thanks
Carlos
-
Thanks cc_skavenger,
Unfortunately, we ARE pasadenalaw.com. The mail server is at this IP (DNS MX=209.78.190.187) and the web stuff is being handled by a specialist company (DNS A=208.252.207.101).
And the domains that are being used (sent from) are numerous, not just *@*.biz.
There are other IPs that this hack comes in on, like 209.78.209.148 and 209.78.208.51.
And in the MESSAGES log there are a hundred of these shortly after the "x90\x02\xb1\x02\xb1\x02\xb1" mess:
Apr 19 19:33:06 ballmail kernel: denylog:IN=eth1 OUT= MAC=00:a0:cc:e2:92:c2:00:10:67:00:b1:e6:08:00 SRC=202.177.155.58 DST=209.78.190.187 LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=64087 DF PROTO=TCP SPT=1700 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 19 19:33:06 ballmail kernel: denylog:IN=eth1 OUT= MAC=00:a0:cc:e2:92:c2:00:10:67:00:b1:e6:08:00 SRC=202.177.155.58 DST=209.78.190.187 LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=64088 DF PROTO=TCP SPT=1704 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 19 19:33:06 ballmail kernel: denylog:IN=eth1 OUT= MAC=00:a0:cc:e2:92:c2:00:10:67:00:b1:e6:08:00 SRC=202.177.155.58 DST=209.78.190.187 LEN=48 TOS=0x00 PREC=0x00 TTL=100 ID=64091 DF PROTO=TCP SPT=1702 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
The "x90\x02\xb1\x02\xb1\x02" stuff may not be the hack, but there is some way he's getting in.
I can run various logs and send them if anybody can make them out...or would be willing.
Thanks again.
brad
-
kernel: denylog:IN=eth1 OUT= MAC=
It is an indication that the firewall is doing its job and dropping malicious packets.
You could research the guardian add-on that automatically blocks offenders for 24 hours if they are trying to scan your network.
-
From googling... "\x90\x02\xb1\x02\xb1"
It's the IIS WebDAV exploit: http://edgeos.com/threats/details.php?id=11413
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
If you're running Apache on *nix, those lines are just annoying (but can cause problems with Webalizer). If you have IIS, better start patching ASAP!
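To make the point about "just annoying" checkable rather than a matter of eyeballing pages of \x90, here is an added example (editor's code, not from the thread). It scans constructed lines in the vhost-prefixed combined format SME's httpd writes (the first field is the virtual host, as in Brad's line above), flags the MS03-007 shape (SEARCH method with a \x90 sled in the request-URI), and reports per source whether the server rejected the request. On Apache without mod_dav the answer is a 4xx/5xx (414 here, because the URI is too long; 501 is the usual reply to a method it does not implement); a 2xx on such a line would be the thing worth worrying about. Apache writes unprintable request bytes into the log as \xNN escapes, so the sled is matched as the literal four characters \x90, not as a raw byte.

```python
import re
from collections import Counter

# Added example, not from the thread. Constructed sample lines in the vhost-prefixed combined
# format (vhost, client, ident, user, [time], "request", status, bytes, "referer", "agent").
# Apache writes unprintable request bytes as \xNN escapes, so the NOP sled appears literally.
SAMPLE_LOG = r'''www.example.com 209.78.208.93 - - [19/Apr/2004:17:29:23 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90" 414 271 "-" "-"
www.example.com 10.0.0.5 - - [19/Apr/2004:17:30:01 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
www.example.com 202.177.155.58 - - [19/Apr/2004:19:31:44 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x90\x90" 414 271 "-" "-"
www.example.com 10.0.0.7 - - [19/Apr/2004:19:40:12 -0700] "POST /webmail/ HTTP/1.1" 302 0 "-" "Mozilla/4.0"
'''

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
NOP = r'\x90'   # the four-character escape as it appears in the log, not a raw 0x90 byte


def parse_line(line):
    """Split one access-log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    method, _, target = rec['request'].partition(' ')
    rec['method'], rec['target'] = method, target
    return rec


def is_webdav_search_probe(rec):
    """MS03-007 probe shape: SEARCH method with a \\x90 sled in the request-URI."""
    return rec['method'] == 'SEARCH' and NOP in rec['target']


def scan(text):
    """Return the probes found, a per-source count, and whether any probe got a 2xx/3xx answer."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_webdav_search_probe(rec):
            hits.append({
                'client': rec['client'],
                'time': rec['time'],
                'nop_count': rec['target'].count(NOP),
                'status': rec['status'],
                # Apache answers 414/501; a 2xx here would mean the method was actually handled
                'rejected': rec['status'] >= 400,
            })
    return {
        'hits': hits,
        'per_source': Counter(h['client'] for h in hits),
        'served_any': any(not h['rejected'] for h in hits),
    }


if __name__ == '__main__':
    result = scan(SAMPLE_LOG)
    for h in result['hits']:
        print(f"{h['time']} {h['client']:<16} nops={h['nop_count']:<3} "
              f"status={h['status']} rejected={h['rejected']}")
    print('probing hosts:', dict(result['per_source']),
          '| anything served:', result['served_any'])
```

Point it at a real log with `scan(open('/var/log/httpd/access_log').read())`; `per_source` gives you the list of addresses to report, and `served_any` staying False is the check that the web server is shrugging the probes off.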
-
Things don't make sense...
I think the HTTP log is just a coincidence.
I'm guessing that the mail is generated from a workstation.
Are you sure that there are no workstations that have been hacked/infected with a trojan?
You can try:
1. Disconnect from the internal net and see if new messages are being generated.
2. Disconnect from the external net and look at the header of the outgoing messages to determine where it is originating from.
Good Luck
Ed
-
It was not internal - all workstations were checked.
I've installed a fresh copy, added Secure SMTP and turned most services off, especially Webmail. Box up about 18 hours, and so far, so good.
I'm thinking they got in via webmail because one box without webmail went 3 days without hacking. Machine with webmail only went a couple of hours.
But I'm not sure, which makes me nervous. I'd really like to know how, so it could be fixed.
We'll see what happens over the next few days...
b
-
Did you change the root/admin password on the new install?
Did you change all users passwords also?
These two are a must.
Most hacks are social engineering or from getting a valid username/password combo and then using vulns to escalate privs.
steve
-
So, I've installed 6.01-01, cause the older 5.6 version was hacked too, and now that same spammer has managed to hack twice.
Sure it's the SME server and not an M$ Win client....!!
Sounds like you're looking in the wrong place.
With all the vulnerabilities in M$ I would say it's a client on your LAN.
Let us know...........
Sorry, didn't read your last post, however I still think it derives from an M$ client starting it off.
-
Yes, it is usually likely to be one of the clients (about 8 of them), but I don't think so. We tried several ways to isolate and the clients didn't seem to be the culprit.
I've gotten over 200 hits to the firewall from several of the IPs that seemed to be the problem - they are trying. The MS/WebDAV hack twice, but that should not work on Linux...
All clients are now hooked up and on - and Secure SMTP does not force SMTP auth from local clients - I wish I had that option. So, if it's client based, wouldn't the spam still be flowing currently? I.e., a client hacked/compromised to relay spam?
If this client was closer, I'd put a 2nd machine out there configured the same but WITH webmail on...
b
-
My thinking was that there may be a trojan on one of the boxes and it is keystroking/capturing a userid and the password to the SME.
With so many SME out there, I just can't believe that someone is getting in to the SME box without a password.
Download SpyBot from http://www.safer-networking.org/
and see if anything comes up.....
Ed
-
I found this thread after experiencing the same problems. I have a spammer on my office network and I can't find him. I have looked at my logs on my SME 6.0.1 server and I am sending thousands of e-mails. I never had webmail enabled or access from the internet. The mail has always been set up for internal access only and my clients are pulling POP mail from the ISP and not using the SME server as mail. I read that Brad500 reloaded his server and turned off webmail and that seems to have resolved the problem, and others have been looking at the Microsoft clients for a Trojan. I am wondering what everyone found? Was it a Trojan or was it a server breach?
Thanks
Texasboy
-
Texasboy,
It could be either. If you do not have SMTP Auth enabled and there is nothing in the CVM logs then they are not getting in that way.
Are you using FormMail on a web site on your server? If so, and it is not the updated version, then this can be hacked by spammers. Check your http access logs.
However I would more suspect a spam-sending Trojan on one of your client machines. If it is sending that much spam you should be able to see it on the network hub/switch. Look for unusual amounts of traffic activity coming from one machine.
Disconnect all machines from the network and see if the mail sending stops. You will have to give it some time for the queue to clear.
It doesn't matter that the clients are not using the SME server as their mail server, the Trojans generally install their own SMTP server.
However SME 6.0.1 has SMTP Proxy enabled by default, so any SMTP traffic, no matter where it comes from on the local network, will go via the SME SMTP server even if you have the mail client's SMTP server setting as your ISP.
In the meantime I seriously suggest that you disconnect your server from the internet. You will very quickly find yourself on one or more of the SPAM block lists.
Jon
-
It was not internal - all workstations were checked.
Checking workstations will not tell you that it was not internal. It might only tell you something about your checking procedure.
Examining your smtpfront-qmail logs *will* tell you whether it was internal. Instead of guessing, identify where the mail is coming from.
-
I found this thread after experiencing the same problems. I have a spammer on my office network and I can't find him.
Do you have any wireless access in your office? If you have an open access point, it wouldn't be surprising if you couldn't find the offender.
-
Hello everyone, thanks for all the suggestions. I have posted my smtpfront-qmail logs below because I am not the best at deciphering what all this means. I have also remoted into the SME server and downed the eth0 interface, or the LAN. I will keep it down this weekend and see if I receive any more bounced e-mails. I also do not have any wireless access on the network. It is cable modem to SME 6.0.1 - Gateway, then to switch and the rest of the network. I will also post a few other log files and if anybody sees something please let me know; like I said, I am not always the best at deciphering what all the log files mean.
Thanks again to the SME community for the help and the learning experience.
Texasboy --- logs are below ---
smtpfront-qmail log
2005-09-24 10:12:32.309807500 tcpserver: status: 0/40
2005-09-24 10:15:49.283061500 tcpserver: status: 1/40
2005-09-24 10:15:49.284192500 tcpserver: pid 4407 from 192.147.171.15
2005-09-24 10:15:50.159366500 tcpserver: ok 4407 0:70.185.74.182:25 belgarath.linfield.edu:192.147.171.15::54509
2005-09-24 10:15:50.456841500 smtpfront-qmail[4407]: MAIL FROM:<>
2005-09-24 10:15:50.457466500 smtpfront-qmail[4407]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:15:51.092245500 smtpfront-qmail[4407]: Accepted message qp 4408 bytes 17002
2005-09-24 10:15:51.093005500 smtpfront-qmail[4407]: bytes in: 17481 bytes out: 213
2005-09-24 10:15:51.094461500 tcpserver: end 4407 status 0
2005-09-24 10:15:51.094474500 tcpserver: status: 0/40
2005-09-24 10:21:39.263172500 tcpserver: status: 1/40
2005-09-24 10:21:39.264310500 tcpserver: pid 4481 from 66.76.2.51
2005-09-24 10:21:39.539527500 tcpserver: ok 4481 0:70.185.74.182:25 fe6.cox-internet.com:66.76.2.51::62120
2005-09-24 10:21:39.697124500 smtpfront-qmail[4481]: MAIL FROM:<>
2005-09-24 10:21:39.710057500 smtpfront-qmail[4481]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:21:39.930045500 smtpfront-qmail[4481]: Accepted message qp 4482 bytes 15901
2005-09-24 10:21:39.944626500 smtpfront-qmail[4481]: bytes in: 16365 bytes out: 213
2005-09-24 10:21:39.945920500 tcpserver: end 4481 status 0
2005-09-24 10:21:39.946127500 tcpserver: status: 0/40
2005-09-24 10:23:14.233676500 tcpserver: status: 1/40
2005-09-24 10:23:14.234807500 tcpserver: pid 4538 from 209.184.44.144
2005-09-24 10:23:14.239312500 tcpserver: ok 4538 0:70.185.74.182:25 mail-ecsn09.twotrees.com:209.184.44.144::58880
2005-09-24 10:23:14.335708500 smtpfront-qmail[4538]: MAIL FROM:<>
2005-09-24 10:23:14.372129500 smtpfront-qmail[4538]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:23:14.444639500 smtpfront-qmail[4538]: MAIL FROM:<>
2005-09-24 10:23:14.479254500 smtpfront-qmail[4538]: RCPT TO:<postmaster@mondini.dyndns.org>
2005-09-24 10:23:14.512130500 smtpfront-qmail[4538]: bytes in: 147 bytes out: 195
2005-09-24 10:23:14.513744500 tcpserver: end 4538 status 0
2005-09-24 10:23:14.513760500 tcpserver: status: 0/40
Sender uids --- log
  mess      bytes     sbytes     rbytes  recips  tries        xdelay  uid
 14310  219774543     124802  219774543   14310  24831   9972.497404  101
 14419  219704829  219704829  219704829   14419  14419  10003.909998  400
   508    7526299    7526299    7526299     508    508    317.852642  401
 13911  210268591  210268591  210268591   13911  13911  10742.130520  406
CVM ---- log
Viewed at Sat 24 Sep 2005 10:39:42 AM CDT.
2005-09-20 08:03:17.046747500 Starting.
-
I have posted my smtpfront-qmail logs below because I am not the best at deciphering what all this means.
...
smtpfront-qmail log
2005-09-24 10:12:32.309807500 tcpserver: status: 0/40
2005-09-24 10:15:49.283061500 tcpserver: status: 1/40
2005-09-24 10:15:49.284192500 tcpserver: pid 4407 from 192.147.171.15
2005-09-24 10:15:50.159366500 tcpserver: ok 4407 0:70.185.74.182:25 belgarath.linfield.edu:192.147.171.15::54509
2005-09-24 10:15:50.456841500 smtpfront-qmail[4407]: MAIL FROM:<>
2005-09-24 10:15:50.457466500 smtpfront-qmail[4407]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:15:51.092245500 smtpfront-qmail[4407]: Accepted message qp 4408 bytes 17002
2005-09-24 10:15:51.093005500 smtpfront-qmail[4407]: bytes in: 17481 bytes out: 213
2005-09-24 10:15:51.094461500 tcpserver: end 4407 status 0
2005-09-24 10:15:51.094474500 tcpserver: status: 0/40
I assume that your domain name is mondini.dyndns.org. These messages are all bounce messages coming from various sites, returning messages to root and postmaster addresses. Someone sent mail with a from address of root@mondini.dyndns.org to various sites which didn't accept it, and returned a bounce message. That could have been your box, or it could have been someone (a virus, a spammer) who forged the address. If you look at the bounce messages, you will probably find remnants of the returned message, and determine which of those is true.
These log files don't indicate that there is anything wrong with your box.
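Two replies above make the same practical point: the smtpfront-qmail log records the address every SMTP session came from, so it settles "internal or not" without guessing, and a session from outside that opens with MAIL FROM:<> is a bounce coming back, not mail leaving. Here is an added example (editor's code, not from the thread) that reads that log and sorts each transaction accordingly. The two external sessions are the ones posted above; the third, from 192.168.1.23, is constructed to show what a LAN workstation relaying through the server (which the SMTP proxy mentioned earlier would also funnel here) looks like.

```python
import re
import ipaddress
from collections import Counter

# Added example, not from the thread. The two external sessions are copied from the log posted
# above; the 192.168.1.23 session is constructed to show a LAN host relaying out through the box.
SAMPLE_LOG = """\
2005-09-24 10:15:49.284192500 tcpserver: pid 4407 from 192.147.171.15
2005-09-24 10:15:50.159366500 tcpserver: ok 4407 0:70.185.74.182:25 belgarath.linfield.edu:192.147.171.15::54509
2005-09-24 10:15:50.456841500 smtpfront-qmail[4407]: MAIL FROM:<>
2005-09-24 10:15:50.457466500 smtpfront-qmail[4407]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:15:51.092245500 smtpfront-qmail[4407]: Accepted message qp 4408 bytes 17002
2005-09-24 10:15:51.094461500 tcpserver: end 4407 status 0
2005-09-24 10:16:02.100000000 tcpserver: pid 4410 from 192.168.1.23
2005-09-24 10:16:02.200000000 tcpserver: ok 4410 0:192.168.1.1:25 :192.168.1.23::3456
2005-09-24 10:16:02.300000000 smtpfront-qmail[4410]: MAIL FROM:<security@ebay.com>
2005-09-24 10:16:02.400000000 smtpfront-qmail[4410]: RCPT TO:<a@example.net>
2005-09-24 10:16:02.500000000 smtpfront-qmail[4410]: RCPT TO:<b@example.net>
2005-09-24 10:16:02.600000000 smtpfront-qmail[4410]: RCPT TO:<c@example.org>
2005-09-24 10:16:03.000000000 smtpfront-qmail[4410]: Accepted message qp 4411 bytes 3210
2005-09-24 10:16:03.100000000 tcpserver: end 4410 status 0
2005-09-24 10:21:39.264310500 tcpserver: pid 4481 from 66.76.2.51
2005-09-24 10:21:39.539527500 tcpserver: ok 4481 0:70.185.74.182:25 fe6.cox-internet.com:66.76.2.51::62120
2005-09-24 10:21:39.697124500 smtpfront-qmail[4481]: MAIL FROM:<>
2005-09-24 10:21:39.710057500 smtpfront-qmail[4481]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:21:39.930045500 smtpfront-qmail[4481]: Accepted message qp 4482 bytes 15901
2005-09-24 10:21:39.945920500 tcpserver: end 4481 status 0
"""

# tcpserver "ok" line: ok PID localhost:localip:localport remotehost:remoteip:remoteinfo:remoteport
OK_RE = re.compile(r'tcpserver: ok (?P<pid>\d+) \S+ (?P<rhost>[^:\s]*):(?P<rip>[\d.]+)::(?P<rport>\d+)')
CMD_RE = re.compile(r'smtpfront-qmail\[(?P<pid>\d+)\]: (?P<cmd>MAIL FROM|RCPT TO):<(?P<addr>[^>]*)>')
ACC_RE = re.compile(r'smtpfront-qmail\[(?P<pid>\d+)\]: Accepted message')
END_RE = re.compile(r'tcpserver: end (?P<pid>\d+) status')


def parse_sessions(text):
    """Correlate lines by PID into sessions, each holding its SMTP transactions."""
    open_sessions, done = {}, []
    for line in text.splitlines():
        if m := OK_RE.search(line):
            open_sessions[m['pid']] = {'rip': m['rip'], 'rhost': m['rhost'], 'txns': []}
        elif m := CMD_RE.search(line):
            s = open_sessions.get(m['pid'])
            if s is None:
                continue
            if m['cmd'] == 'MAIL FROM':
                s['txns'].append({'from': m['addr'], 'rcpts': [], 'accepted': False})
            elif s['txns']:
                s['txns'][-1]['rcpts'].append(m['addr'])
        elif m := ACC_RE.search(line):
            s = open_sessions.get(m['pid'])
            if s and s['txns']:
                s['txns'][-1]['accepted'] = True
        elif m := END_RE.search(line):
            s = open_sessions.pop(m['pid'], None)   # PIDs get reused, so close on "end"
            if s:
                done.append(s)
    return done


def verdict(session, txn):
    if ipaddress.ip_address(session['rip']).is_private:
        return 'lan-client-relay'   # a LAN box handing mail to the server; this is where a spambot shows up
    if txn['from'] == '':
        return 'inbound-bounce'     # null sender from outside: someone returning mail that claimed our domain
    return 'inbound-mail'


def summarize(text):
    sessions = parse_sessions(text)
    verdicts, lan_rcpts, bounce_targets = Counter(), Counter(), Counter()
    for s in sessions:
        for t in s['txns']:
            v = verdict(s, t)
            verdicts[v] += 1
            if v == 'lan-client-relay':
                lan_rcpts[s['rip']] += len(t['rcpts'])      # recipients per LAN source: the heavy one is your culprit
            elif v == 'inbound-bounce':
                for r in t['rcpts']:
                    bounce_targets[r] += 1                  # which of our addresses the forger used
    return {'sessions': sessions, 'verdicts': verdicts,
            'lan_rcpts': lan_rcpts, 'bounce_targets': bounce_targets}


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print('transactions by kind:', dict(s['verdicts']))
    print('recipients per LAN source:', dict(s['lan_rcpts']))
    print('forged local addresses in bounces:', dict(s['bounce_targets']))
```

Feed it the real file (`summarize(open('/var/log/smtpfront-qmail/current').read())`, or the multilog rotations) and look at `lan_rcpts`: a LAN address with thousands of recipients is the workstation to unplug, while a large `inbound-bounce` count with an empty `lan_rcpts` is backscatter from someone else forging your domain.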
-
Hey Charliebrady, thanks for the idea. I totally overlooked the internet header of the e-mail. Sometimes when you are looking for the forest you bump into some trees :-D
I have also noticed that after disabling the LAN interface all has been quiet today. I also set up my "yum" and updated the server. I have attached a mail header from some of the bounced mail for documentation of what is going on, and I also noticed that the mail seems to have a common theme of "update your ebay account ---- click here".
mail header
Received: from fe7.cox-internet.com ([66.76.2.52])
    by spike2.scsu.edu (SMSSMTP 4.1.7.33) with SMTP id M2005092321180322727
    for <cmjohnson@scsu.edu>; Fri, 23 Sep 2005 21:18:03 -0400
Received: from mondini.dyndns.org ([70.185.74.182]) by fe7.cox-internet.com
    (InterMail vK.4.04.00.03 201-232-140-20030416 license c6744489d3c0f75228b0e65fdc3f0157)
    with SMTP id <20050924011714.QRFZ1483.fe7@mondini.dyndns.org>
    for <cmjohnson@scsu.edu>; Fri, 23 Sep 2005 20:17:14 -0500
Received: (qmail 9140 invoked by uid 0); 19 Sep 2005 12:04:14 -0000
Date: 19 Sep 2005 12:04:14 -0000
Message-ID: <20050919120414.9139.qmail@mondini.dyndns.org>
To: cmjohnson@scsu.edu
Subject: Unauthorized transactions on your account
From: security@ebay.com <security@ebay.com>
Content-Type: text/html
thanks
texasboy
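Reading that header the way the earlier reply suggested means walking the Received lines from the bottom up, because each relay prepends its own. The hop a server you do not control stamped is the first evidence that was not written on the sending machine; everything below it (the qmail "invoked by uid" line, the Date) was written by whoever had the sending box and may be true or forged. Here is an added example (editor's code, not from the thread) that does the walk over the header block posted above, with its folded lines re-indented so a parser sees one header per Received. It also reports the time between consecutive stamps, since a gap of days between the injection stamp and the first relay is itself worth noticing.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Added example, not from the thread. Header block copied from the bounce posted above, with the
# folded continuation lines re-indented so the parser treats each Received as one header.
SAMPLE_HEADERS = """\
Received: from fe7.cox-internet.com ([66.76.2.52])
    by spike2.scsu.edu (SMSSMTP 4.1.7.33) with SMTP id M2005092321180322727
    for <cmjohnson@scsu.edu>; Fri, 23 Sep 2005 21:18:03 -0400
Received: from mondini.dyndns.org ([70.185.74.182]) by fe7.cox-internet.com
    (InterMail vK.4.04.00.03 201-232-140-20030416 license c6744489d3c0f75228b0e65fdc3f0157)
    with SMTP id <20050924011714.QRFZ1483.fe7@mondini.dyndns.org>
    for <cmjohnson@scsu.edu>; Fri, 23 Sep 2005 20:17:14 -0500
Received: (qmail 9140 invoked by uid 0); 19 Sep 2005 12:04:14 -0000
Date: 19 Sep 2005 12:04:14 -0000
Message-ID: <20050919120414.9139.qmail@mondini.dyndns.org>
To: cmjohnson@scsu.edu
Subject: Unauthorized transactions on your account
From: security@ebay.com <security@ebay.com>
Content-Type: text/html
"""

QMAIL_RE = re.compile(r'\(qmail \d+ invoked by uid (?P<uid>\d+)\)')
FROM_RE = re.compile(r'\bfrom\s+(?P<host>\S+)(?:\s+\([^()]*\[(?P<ip>[\d.]+)\][^()]*\))?', re.I)
BY_RE = re.compile(r'\bby\s+(?P<host>[\w.-]+)', re.I)


def _stamp(value):
    """Timestamp after the last ';', normalised to UTC (a '-0000' zone parses as naive)."""
    if ';' not in value:
        return None
    try:
        dt = parsedate_to_datetime(value.rsplit(';', 1)[1].strip())
    except (ValueError, TypeError, IndexError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def trace_received(raw_headers):
    """Return hops oldest-first. Each hop is what one relay claims about where it got the message."""
    msg = message_from_string(raw_headers)
    hops, prev = [], None
    for value in reversed(msg.get_all('Received', [])):   # top header is the newest
        value = ' '.join(value.split())                   # unfold
        hop = {'raw': value, 'at': _stamp(value), 'hours_since_prev': None}
        if q := QMAIL_RE.search(value):
            # qmail's local-injection stamp: mail handed to qmail-inject on the box itself
            hop.update(kind='local-injection', uid=int(q['uid']), by=None, from_host=None, from_ip=None)
        else:
            f, b = FROM_RE.search(value), BY_RE.search(value)
            hop.update(kind='relay', uid=None, by=b['host'] if b else None,
                       from_host=f['host'] if f else None, from_ip=f['ip'] if f else None)
        if prev and hop['at'] and prev['at']:
            hop['hours_since_prev'] = (hop['at'] - prev['at']).total_seconds() / 3600
        hops.append(hop)
        prev = hop
    return hops


def first_external_observation(hops, my_hosts):
    """First hop stamped by a relay outside my_hosts: the earliest evidence not under the sender's control."""
    for hop in hops:
        if hop['kind'] == 'relay' and hop['by'] not in my_hosts:
            return hop
    return None


if __name__ == '__main__':
    hops = trace_received(SAMPLE_HEADERS)
    for i, h in enumerate(hops, 1):
        print(f"{i}. {h['kind']:<15} from={h['from_host']} [{h['from_ip']}] by={h['by']} "
              f"uid={h['uid']} +{h['hours_since_prev'] or 0:.1f}h")
    ext = first_external_observation(hops, {'mondini.dyndns.org'})
    print('first outside stamp says the message came from', ext['from_host'], ext['from_ip'])
```

For this header the first outside stamp is the one fe7.cox-internet.com wrote, and it records the connection as coming from 70.185.74.182; the hop below it carries a uid of 0 and a date more than four days earlier, which is what the `hours_since_prev` column is there to surface.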
-
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/double%20bounce%20message%20deletion%20HOWTO%20for%20sme%20server.htm
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Mail%20system%20tweaks%20HOWTO%20for%20sme%20server.htm
-
Well the bad news is it isn't coming from a workstation, because I got another round of bounced mail today. With the LAN interface down it makes it impossible for a workstation to be sending mail. I do not think it is a hijacked e-mail address, because when I check my mail logs I see sender UID 401 and 101 message counts have grown to 10551 mail messages. Is there any way to tie the UID 401 under the mail log "senders UID" to something useful? If I can tie the 401 UID to something I will be real close to stopping the spammer. I have done a "ps -aux" hoping that the PID was the same as a UID but nothing. I am guessing that Monday morning I will reload the SME server or pull it out of production.
Texasboy
-
The uid's can be found in /etc/passwd:
401 - qmaild
101 - admin
-
I had a little bit similar problem some time ago. It was not an SME server and it was not Qmail but Redhat with Postfix.
Well, something happened with the mail server; it produced mail log files that filled up gigabytes on the server. I believed it was hacked. I also found different variants of IIS-specific buffer overflow attacks and I thought this might be a part of the problem.
I then tried to look into the traffic using the iptraf traffic monitor and ethereal. (As I did not understand completely the mail and web log.)
What appeared to be the case was that there were no real faults on the mail server at all. The mail server received a stream of thousands of mails to false user accounts, and every time one was denied this produced a log entry.
I think this stream of false mail was running a week or so before I noticed it because of logfiles that filled gigs of data. I then applied some firewall rules that locked it out.
Don't know if this can have anything to do with the case mentioned above. Just some ideas ..
-
By the way, this was a server on a server farm so I guess the spam came from some Windows neighbours or from internet.
-
Texasboy
Charlie gave you the answer: it's mail being sent by other systems that are using your return address and sending messages to real and not real email addresses.
You WILL GET all the undelivered message bounces. Use the tip I posted to auto delete all of these. The problem is most likely external and there is not much you can do about it!