[plug] Finding a possible trojan/exploit?

Craig Foster craig at fostware.net
Sat Jan 20 00:26:04 WST 2007

> -----Original Message-----
> From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
> Behalf Of Steve Baker
> Sent: Saturday, 20 January 2007 12:10 AM
> To: PLUG
> Subject: [plug] Finding a possible trojan/exploit?
> Hi PLUG,
> This is also a web (apache2), dns (bind9) and ftp (vsftpd) server, and
> apache2 is configured on the SSL port as a reverse-proxy for Outlook Web
> Access on the internal LAN.  MySQL is also running for PHP apps and
> MailScanner, but only accessible from localhost or our LAN.  Checking
> the web logs doesn't indicate anything unusual, although I haven't gone
> into enormous depth - I'm just looking up to about 30mins before the
> rogue email.  There are a couple of entries in the firewall log that
> don't appear in the apache logs (I checked all apache logs for all
> virtual servers, the IP doesn't show up anywhere):
> iptables logs: weird SSL connections:
> 15:57:19 SRC= DST=(my-ip) TTL=51 PROTO=TCP SPT=39192 DPT=443 WINDOW=5840
> 15:57:19 SRC= DST=(my-ip) TTL=51 PROTO=TCP SPT=39232 DPT=443 WINDOW=5840
> and the outbound email connection:
> 16:10:15 SRC=(my-ip) DST= TTL=64 PROTO=TCP SPT=36798 DPT=25 WINDOW=5840
> As you can see these weird non-logged SSL connections happened 13 mins
> before the email went out, and might not be related.
> Chkrootkit and rkhunter say everything is clean.  I'm planning on
> attaching a sniffer with nessus and wireshark (aka ethereal) next week
> to hopefully give some more clues but I need to find/build a box to do
> that first.
> Does anyone have any other ideas of how else I can find out where this
> rogue email might be coming from?
> Regards,
> Steve

What does clamdscan say?

Clam finds quite a few linux Trojans and exploits, and a weekly scan of
servers is always recommended...

Craig F.
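The correlation Steve describes above (inbound SSL connections in the firewall log that never appear in any apache vhost log, and how far ahead of the outbound SMTP connection they sit) can be scripted rather than done by eye. The following is an added example and not code from either poster; the peer addresses in the thread's log excerpts were stripped, so the sample lines below are constructed with RFC 5737 documentation addresses, and the apache line is invented to show a "normal" client that does appear in both logs.

```python
import re
from datetime import datetime

# Constructed sample data, not from the original thread. 198.51.100.5 stands
# in for "(my-ip)"; 192.0.2.10 is the unlogged SSL peer; 203.0.113.7 is a
# legitimate OWA client that shows up in both logs.
IPTABLES_LOG = """\
15:57:19 SRC=192.0.2.10 DST=198.51.100.5 TTL=51 PROTO=TCP SPT=39192 DPT=443 WINDOW=5840
15:57:19 SRC=192.0.2.10 DST=198.51.100.5 TTL=51 PROTO=TCP SPT=39232 DPT=443 WINDOW=5840
15:58:02 SRC=203.0.113.7 DST=198.51.100.5 TTL=55 PROTO=TCP SPT=51000 DPT=443 WINDOW=5840
16:10:15 SRC=198.51.100.5 DST=203.0.113.250 TTL=64 PROTO=TCP SPT=36798 DPT=25 WINDOW=5840
"""

APACHE_LOG = """\
203.0.113.7 - - [20/Jan/2007:15:58:03 +0800] "GET /owa/ HTTP/1.1" 200 4123
"""

MY_IP = "198.51.100.5"

IPT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_iptables(text):
    """One dict per firewall log line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = IPT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # Only a time of day is logged; all lines are assumed to be the same day.
        d["time"] = datetime.strptime(d["time"], "%H:%M:%S")
        d["spt"] = int(d["spt"])
        d["dpt"] = int(d["dpt"])
        entries.append(d)
    return entries


def apache_client_ips(text):
    """Client IP is the first field of a common/combined-format access log line."""
    return {line.split(" ", 1)[0] for line in text.splitlines() if line.strip()}


def unlogged_inbound(entries, my_ip, seen_ips, dport=443):
    """Inbound connections to dport whose source never appears in the web logs.

    An SSL connection that iptables accepted but apache never logged means the
    client either disconnected before sending a request or never completed the
    TLS handshake; either way it is worth a closer look."""
    return [e for e in entries
            if e["dst"] == my_ip and e["dpt"] == dport and e["src"] not in seen_ips]


def preceding_inbound(entries, my_ip, window_minutes=30):
    """For each outbound SMTP connection from this host, list every inbound
    connection seen within window_minutes before it, with the gap in minutes."""
    results = []
    for out in entries:
        if out["src"] != my_ip or out["dpt"] != 25:
            continue
        before = []
        for e in entries:
            if e["dst"] != my_ip:
                continue
            gap = (out["time"] - e["time"]).total_seconds() / 60
            if 0 <= gap <= window_minutes:
                before.append((e["src"], e["dpt"], round(gap, 1)))
        results.append({"outbound_to": out["dst"],
                        "at": out["time"].strftime("%H:%M:%S"),
                        "preceding": before})
    return results


if __name__ == "__main__":
    entries = parse_iptables(IPTABLES_LOG)
    seen = apache_client_ips(APACHE_LOG)
    for e in unlogged_inbound(entries, MY_IP, seen):
        print("unlogged SSL peer:", e["src"], "at", e["time"].strftime("%H:%M:%S"))
    for r in preceding_inbound(entries, MY_IP):
        print("outbound SMTP to", r["outbound_to"], "at", r["at"])
        for src, dpt, gap in r["preceding"]:
            print("  inbound from", src, "port", dpt, f"{gap} min earlier")
```

On a real box the two strings would be replaced by reading the iptables log and the access logs of every vhost, and the day would be taken from the syslog timestamp rather than assumed; the rest of the logic stays the same.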
