[plug] Finding a possible trojan/exploit?
Craig Foster
craig at fostware.net
Sat Jan 20 00:26:04 WST 2007
> -----Original Message-----
> From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
> Behalf Of Steve Baker
> Sent: Saturday, 20 January 2007 12:10 AM
> To: PLUG
> Subject: [plug] Finding a possible trojan/exploit?
>
> Hi PLUG,
>
<snip>
>
> This is also a web (apache2), dns (bind9) and ftp (vsftpd) server, and
> apache2 is configured on the SSL port as a reverse-proxy for Outlook Web
> Access on the internal LAN. mySQL is also running for PHP apps and
> MailScanner, but only accessible from localhost or our LAN. Checking
> the web logs doesn't indicate anything unusual, although I haven't gone
> into enormous depth - I'm just looking up to about 30mins before the
> rogue email. There are a couple of entries in the firewall log that
> don't appear in the apache logs (I checked all apache logs for all
> virtual servers, the 196.25.62.42 IP doesn't show up anywhere):
>
> iptables logs: weird SSL connections:
> 15:57:19 SRC=196.25.62.42 DST=(my-ip) TTL=51 PROTO=TCP SPT=39192 DPT=443 WINDOW=5840
> 15:57:19 SRC=196.25.62.42 DST=(my-ip) TTL=51 PROTO=TCP SPT=39232 DPT=443 WINDOW=5840
> and the outbound email connection:
> 16:10:15 SRC=(my-ip) DST=209.191.88.239 TTL=64 PROTO=TCP SPT=36798 DPT=25 WINDOW=5840
>
> As you can see these weird non-logged SSL connections happened 13 mins
> before the email went out, and might not be related.
>
> Chkrootkit and rkhunter say everything is clean. I'm planning on
> attaching a sniffer with nessus and wireshark (aka ethereal) next week
> to hopefully give some more clues but I need to find/build a box to do
> that first.
>
> Does anyone have any other ideas of how else I can find out where this
> rogue email might be coming from?
>
> Regards,
> Steve
What does clamdscan say?
Clam finds quite a few Linux Trojans and exploits, and a weekly scan of
servers is always recommended...
Craig F.
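The correlation Steve describes above, firewall-logged connections to port 443 that never show up in any apache access log, and the gap between them and the outbound SMTP connection, is easy to automate. The script below is an added example for this archive page, not code from either poster. The log lines are constructed to match the shape quoted in the thread: the two 196.25.62.42 entries are the ones Steve quoted, while the server address (203.0.113.5), the 192.0.2.77 client, the date in the apache timestamp and the apache request itself are assumed sample values.

```python
import re
from datetime import datetime

# Constructed iptables LOG lines in the format quoted in the thread.
# The 196.25.62.42 entries are the ones from the original message;
# 203.0.113.5 stands in for "(my-ip)" and 192.0.2.77 is an assumed
# legitimate client that does appear in the apache log.
FIREWALL_LOG = """\
15:57:19 SRC=196.25.62.42 DST=203.0.113.5 TTL=51 PROTO=TCP SPT=39192 DPT=443 WINDOW=5840
15:57:19 SRC=196.25.62.42 DST=203.0.113.5 TTL=51 PROTO=TCP SPT=39232 DPT=443 WINDOW=5840
15:58:02 SRC=192.0.2.77 DST=203.0.113.5 TTL=60 PROTO=TCP SPT=51234 DPT=443 WINDOW=5840
16:10:15 SRC=203.0.113.5 DST=209.191.88.239 TTL=64 PROTO=TCP SPT=36798 DPT=25 WINDOW=5840
"""

# Constructed apache "combined" access log entry; only 192.0.2.77 appears,
# so the two 196.25.62.42 connections have no matching request.
APACHE_LOG = """\
192.0.2.77 - - [19/Jan/2007:15:58:03 +0800] "GET /exchange/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

SERVER_IP = "203.0.113.5"  # assumed address of the firewalled server

# Field order SRC, DST, PROTO, SPT, DPT is the netfilter LOG target's own order.
FW_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
# Apache combined format starts with the client address, then ident, user, [timestamp].
APACHE_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")


def parse_firewall(text):
    """Return one dict per parseable iptables LOG line (time, src, dst, proto, spt, dpt)."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def apache_client_ips(text):
    """Set of client addresses that completed at least one logged request."""
    ips = set()
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            ips.add(m.group("ip"))
    return ips


def unlogged_https_sources(fw_text, apache_text, server_ip, port="443"):
    """Map each source IP that reached server_ip:port through the firewall but
    never appears as a client in the apache log to the times it connected."""
    seen = apache_client_ips(apache_text)
    result = {}
    for ev in parse_firewall(fw_text):
        if ev["dst"] == server_ip and ev["dpt"] == port and ev["src"] not in seen:
            result.setdefault(ev["src"], []).append(ev["time"])
    return result


def outbound_smtp(fw_text, server_ip):
    """Connections the server itself opened to a remote port 25."""
    return [ev for ev in parse_firewall(fw_text)
            if ev["src"] == server_ip and ev["dpt"] == "25"]


def minutes_between(t1, t2):
    """Minutes from t1 to t2, both HH:MM:SS on the same day."""
    fmt = "%H:%M:%S"
    return (datetime.strptime(t2, fmt) - datetime.strptime(t1, fmt)).total_seconds() / 60


if __name__ == "__main__":
    suspects = unlogged_https_sources(FIREWALL_LOG, APACHE_LOG, SERVER_IP)
    for src, times in suspects.items():
        print(f"{src} hit :443 at {', '.join(times)} with no apache entry")
    for ev in outbound_smtp(FIREWALL_LOG, SERVER_IP):
        for src, times in suspects.items():
            gap = minutes_between(times[-1], ev["time"])
            print(f"outbound SMTP to {ev['dst']} at {ev['time']}, "
                  f"{gap:.1f} min after last unlogged connection from {src}")
```

Apache writes an access log entry only when a request completes, so a SYN that the firewall logged but apache did not can be a TCP connect that never finished the TLS handshake, a scanner probing the port, or a client that dropped the connection; the absence of an apache entry is a lead to follow up in the SSL error log and with a packet capture, not proof on its own. Run against the real logs, the function takes the whole file contents, and the time gap calculation assumes both events fall on the same day.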