[plug] Finding a possible trojan/exploit?
Steve Baker
steve at iinet.net.au
Sat Jan 20 00:10:19 WST 2007
Hi PLUG,

My mail server somehow gets onto the CBL blacklist
(http://cbl.abuseat.org/). I cleared it (requested removal), it gets
put back on the next day. I email the CBL admin asking for some info
about why I'm listed - details of IPs, content, etc. He refuses because
'it helps spammers to work around the traps' and then he points me at
some (windows) tips. He says that the machine was 'sending email in
such a way as to strongly indicate that the IP itself was operating an
open http or socks proxy, or a trojan spam package'. The only other
information he gives is that our server 'sent email claiming to be a
machine we know it cannot be' - with no other details.

So I force the server to relay through the ISP instead of going direct.
I turn on some packet logging and later today I find an outbound mail
connection going direct to a 3rd party mail server and NOT through the
ISP relayhost. Interesting. There is no mention of this email in the
postfix logs - obviously wasn't sent via postfix.

This is also a web (apache2), dns (bind9) and ftp (vsftpd) server, and
apache2 is configured on the SSL port as a reverse-proxy for Outlook Web
Access on the internal LAN. MySQL is also running for PHP apps and
MailScanner, but only accessible from localhost or our LAN. Checking
the web logs doesn't indicate anything unusual, although I haven't gone
into enormous depth - I'm just looking up to about 30 mins before the
rogue email. There are a couple of entries in the firewall log that
don't appear in the apache logs (I checked all apache logs for all
virtual servers, the 196.25.62.42 IP doesn't show up anywhere):

iptables logs: weird SSL connections:

15:57:19 SRC=196.25.62.42 DST=(my-ip) TTL=51 PROTO=TCP SPT=39192 DPT=443 WINDOW=5840
15:57:19 SRC=196.25.62.42 DST=(my-ip) TTL=51 PROTO=TCP SPT=39232 DPT=443 WINDOW=5840

and the outbound email connection:

16:10:15 SRC=(my-ip) DST=209.191.88.239 TTL=64 PROTO=TCP SPT=36798 DPT=25 WINDOW=5840

As you can see these weird non-logged SSL connections happened 13 mins
before the email went out, and might not be related.

Chkrootkit and rkhunter say everything is clean. I'm planning on
attaching a sniffer with nessus and wireshark (aka ethereal) next week
to hopefully give some more clues but I need to find/build a box to do
that first.

Does anyone have any other ideas of how else I can find out where this
rogue email might be coming from?

Regards,
Steve
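The correlation the post is doing by hand, firewall egress records checked against what postfix itself logged and inbound port-443 hits checked against the apache access logs, as an added Python example. This is not the poster's code or part of any project. It assumes the iptables key=value line format shown in the post, constructed placeholder addresses for MY_IP and the ISP RELAYHOST, postfix smtp client lines carrying "relay=host[ip]:port", and apache access lines beginning with the client IP; every sample log line in it is constructed.

```python
"""Cross-check firewall egress records against postfix and apache logs.

Added example for the situation described in the post, not the poster's
code. Assumptions: iptables lines use the key=value format shown in the
post; MY_IP and RELAYHOST are constructed placeholders; postfix smtp
client lines carry "relay=host[ip]:port"; apache access log lines start
with the client IP. All sample log lines below are constructed."""
import re
from datetime import datetime, timedelta

MY_IP = "203.0.113.10"        # stands in for "(my-ip)" in the post
RELAYHOST = "198.51.100.5"    # assumed ISP relayhost that postfix is forced through
WINDOW = timedelta(seconds=5)  # tolerance between firewall and postfix clocks

IPT_RE = re.compile(r"^(\d\d:\d\d:\d\d) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
PF_RE = re.compile(
    r"^\w{3} +\d+ (\d\d:\d\d:\d\d) \S+ postfix/smtp\[\d+\]: \w+: to=<[^>]*>, "
    r"relay=[^\s\[]+\[(\d+\.\d+\.\d+\.\d+)\]:(\d+)")


def _hms(text):
    """Parse HH:MM:SS; the date is irrelevant for same-day correlation."""
    return datetime.strptime(text, "%H:%M:%S")


def parse_iptables(lines):
    """Return (time, {field: value}) per firewall log line, skipping junk."""
    parsed = []
    for line in lines:
        m = IPT_RE.match(line.strip())
        if m:
            parsed.append((_hms(m.group(1)), dict(KV_RE.findall(m.group(2)))))
    return parsed


def parse_postfix_deliveries(lines):
    """Return (time, relay_ip, port) for every postfix smtp client delivery."""
    found = []
    for line in lines:
        m = PF_RE.match(line.strip())
        if m:
            found.append((_hms(m.group(1)), m.group(2), m.group(3)))
    return found


def find_rogue_smtp(ipt_lines, postfix_lines, my_ip=MY_IP, relayhost=RELAYHOST, window=WINDOW):
    """Outbound TCP/25 connections that neither go to the relayhost nor match
    a postfix delivery to the same destination within `window`."""
    deliveries = parse_postfix_deliveries(postfix_lines)
    rogue = []
    for t, f in parse_iptables(ipt_lines):
        if f.get("SRC") != my_ip or f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        dst = f.get("DST")
        if dst == relayhost:
            continue  # the sanctioned path through the ISP
        explained = any(ip == dst and abs(dt - t) <= window for dt, ip, _ in deliveries)
        if not explained:
            rogue.append((t.strftime("%H:%M:%S"), dst, f.get("SPT")))
    return rogue


def unlogged_https_clients(ipt_lines, apache_lines, my_ip=MY_IP):
    """Source IPs that hit TCP/443 at the firewall but never appear as a client
    in the apache access logs (bare connects and failed TLS handshakes do this)."""
    seen_by_apache = {line.split(" ", 1)[0] for line in apache_lines if line.strip()}
    hits = set()
    for _, f in parse_iptables(ipt_lines):
        if f.get("DST") == my_ip and f.get("PROTO") == "TCP" and f.get("DPT") == "443":
            hits.add(f.get("SRC"))
    return sorted(hits - seen_by_apache)


# Constructed sample data in the formats the post shows.
IPT_SAMPLE = [
    "15:57:19 SRC=196.25.62.42 DST=203.0.113.10 TTL=51 PROTO=TCP SPT=39192 DPT=443 WINDOW=5840",
    "15:58:40 SRC=192.0.2.9 DST=203.0.113.10 TTL=55 PROTO=TCP SPT=51020 DPT=443 WINDOW=5840",
    "16:05:02 SRC=203.0.113.10 DST=198.51.100.5 TTL=64 PROTO=TCP SPT=36700 DPT=25 WINDOW=5840",
    "16:10:15 SRC=203.0.113.10 DST=209.191.88.239 TTL=64 PROTO=TCP SPT=36798 DPT=25 WINDOW=5840",
    "16:12:00 SRC=203.0.113.10 DST=192.0.2.77 TTL=64 PROTO=TCP SPT=36810 DPT=25 WINDOW=5840",
]
POSTFIX_SAMPLE = [
    "Jan 20 16:05:02 mail postfix/smtp[2201]: 3F2A1C0: to=<a@example.net>, relay=198.51.100.5[198.51.100.5]:25, delay=0.4, status=sent (250 ok)",
    "Jan 20 16:12:01 mail postfix/smtp[2210]: 3F2A1C1: to=<b@example.org>, relay=mx.example.org[192.0.2.77]:25, delay=1.1, status=sent (250 ok)",
]
APACHE_SAMPLE = [
    '192.0.2.9 - - [20/Jan/2007:15:58:41 +0800] "GET /owa/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for when, dst, spt in find_rogue_smtp(IPT_SAMPLE, POSTFIX_SAMPLE):
        print(f"{when} rogue SMTP to {dst} from source port {spt} (no postfix record)")
    print("HTTPS clients unseen by apache:", unlogged_https_clients(IPT_SAMPLE, APACHE_SAMPLE))
```

An outbound port-25 connection with no matching postfix delivery means some other process owns that socket; on the live box, `netstat -tnp` or `lsof -i :25` run as root while the connection is open names the process, and an iptables rule using the owner match (`-m owner --uid-owner postfix` on the OUTPUT chain, everything else to port 25 logged and dropped) both stops the unsanctioned sender and records it. The 443 check needs the caveat that firewall hits without an apache access line are routine (scans, aborted TLS handshakes), so consult apache's error and SSL logs before reading them as evidence of compromise.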