[plug] Finding a possible trojan/exploit?
steve at iinet.net.au
Sat Jan 20 00:10:19 WST 2007
My mail server somehow gets onto the CBL blacklist
(http://cbl.abuseat.org/). I cleared it (requested removal), it gets
put back on the next day. I email the CBL admin asking for some info
about why I'm listed - details of IPs, content, etc. He refuses because
'it helps spammers to work around the traps' and then he points me at
some (windows) tips. He says that the machine was 'sending email in
such a way as to strongly indicate that the IP itself was operating an
open http or socks proxy, or a trojan spam package'. The only other
information he gives is that our server 'sent email claiming to be a
machine we know it cannot be' - with no other details.
So I force the server to relay through the ISP instead of going direct.
I turn on some packet logging and later today I find an outbound mail
connection going direct to a 3rd party mail server and NOT through the
ISP relayhost. Interesting. There is no mention of this email in the
postfix logs - obviously wasn't sent via postfix.
This is also a web (apache2), dns (bind9) and ftp (vsftpd) server, and
apache2 is configured on the SSL port as a reverse-proxy for Outlook Web
Access on the internal LAN. mySQL is also running for PHP apps and
MailScanner, but only accessible from localhost or our LAN. Checking
the web logs doesn't indicate anything unusual, although I haven't gone
into enormous depth - I'm just looking up to about 30mins before the
rogue email. There are a couple of entries in the firewall log that
don't appear in the apache logs (I checked all apache logs for all
virtual servers, the 126.96.36.199 IP doesn't show up anywhere):
iptables logs: weird SSL connections:
15:57:19 SRC=188.8.131.52 DST=(my-ip) TTL=51 PROTO=TCP SPT=39192 DPT=443
15:57:19 SRC=184.108.40.206 DST=(my-ip) TTL=51 PROTO=TCP SPT=39232 DPT=443
and the outbound email connection:
16:10:15 SRC=(my-ip) DST=220.127.116.11 TTL=64 PROTO=TCP SPT=36798
As you can see these weird non-logged SSL connections happened 13 mins
before the email went out, and might not be related.
Chkrootkit and rkhunter say everything is clean. I'm planning on
attaching a sniffer with nessus and wireshark (aka ethereal) next week
to hopefully give some more clues but I need to find/build a box to do
Does anyone have any other ideas of how else I can find out where this
rogue email might be coming from?
More information about the plug