[plug] Finding a possible trojan/exploit?
craig at fostware.net
Sat Jan 20 00:26:04 WST 2007
> -----Original Message-----
> From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
> Behalf Of Steve Baker
> Sent: Saturday, 20 January 2007 12:10 AM
> To: PLUG
> Subject: [plug] Finding a possible trojan/exploit?
> Hi PLUG,
> This is also a web (apache2), dns (bind9) and ftp (vsftpd) server, and
> apache2 is configured on the SSL port as a reverse-proxy for Outlook
> Access on the internal LAN. mySQL is also running for PHP apps and
> MailScanner, but only accessible from localhost or our LAN. Checking
> the web logs doesn't indicate anything unusual, although I haven't gone
> into enormous depth - I'm just looking up to about 30mins before the
> rogue email. There are a couple of entries in the firewall log that
> don't appear in the apache logs (I checked all apache logs for all
> virtual servers, the 184.108.40.206 IP doesn't show up anywhere):
> iptables logs: weird SSL connections:
> 15:57:19 SRC=220.127.116.11 DST=(my-ip) TTL=51 PROTO=TCP SPT=39192
> 15:57:19 SRC=18.104.22.168 DST=(my-ip) TTL=51 PROTO=TCP SPT=39232
> and the outbound email connection:
> 16:10:15 SRC=(my-ip) DST=22.214.171.124 TTL=64 PROTO=TCP SPT=36798
> DPT=25 WINDOW=5840
> As you can see these weird non-logged SSL connections happened 13 mins
> before the email went out, and might not be related.
> Chkrootkit and rkhunter say everything is clean. I'm planning on
> attaching a sniffer with nessus and wireshark (aka ethereal) next week
> to hopefully give some more clues but I need to find/build a box to do
> that first.
> Does anyone have any other ideas of how else I can find out where this
> rogue email might be coming from?
What does clamdscan say?
Clam finds quite a few Linux Trojans and exploits, and a weekly scan of
servers is always recommended...
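An added worked example (not from the thread, and not the poster's or Craig's code): a small POSIX shell script that does the correlation the original question does by hand, namely pull the outbound DPT=25 connection out of the iptables log and list what hit the box in the minutes before it, then shows the two follow-ups a practitioner would take: an iptables LOG rule that records the uid of whatever local process opens outbound SMTP, and the clamdscan run the reply suggests. The log lines are constructed in RFC 5737 documentation address space (server assumed to be 192.0.2.10), and the MTA user name passed to the rule function is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Run with: sh this_file.sh

# Constructed sample of kernel/iptables LOG lines in syslog format
# (not the poster's real log; addresses are RFC 5737 documentation ranges).
log_lines() {
    cat <<'EOF'
Jan 19 15:40:00 mail kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 TTL=52 PROTO=TCP SPT=51000 DPT=80 SYN
Jan 19 15:57:19 mail kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 TTL=51 PROTO=TCP SPT=39192 DPT=443 SYN
Jan 19 15:57:19 mail kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 TTL=51 PROTO=TCP SPT=39232 DPT=443 SYN
Jan 19 16:10:15 mail kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 TTL=64 PROTO=TCP SPT=36798 DPT=25 WINDOW=5840 SYN
EOF
}

# Outbound SMTP: packets that left via an interface (OUT=ethX) to port 25.
# Reads log lines on stdin, prints "HH:MM:SS DST" per match.
outbound_smtp() {
    awk '
        /DPT=25( |$)/ && / OUT=[a-z]/ {
            dst = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^DST=/) dst = substr($i, 5)
            print $3, dst
        }'
}

# Inbound connections logged within $2 minutes before the time $1 (HH:MM:SS).
# Reads log lines on stdin, prints "HH:MM:SS SRC DPT" per match.
# Usage: log_lines | inbound_before 16:10:15 15
inbound_before() {
    awk -v t="$1" -v w="$2" '
        function secs(s,  a) { split(s, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
        BEGIN { end = secs(t); start = end - w*60 }
        / IN=[a-z]/ {
            ts = secs($3)
            if (ts >= start && ts < end) {
                src = ""; dpt = ""
                for (i = 1; i <= NF; i++) {
                    if ($i ~ /^SRC=/) src = substr($i, 5)
                    if ($i ~ /^DPT=/) dpt = substr($i, 5)
                }
                print $3, src, dpt
            }
        }'
}

# Finding the sender: log every NEW outbound SMTP connection that is not
# opened by the MTA's own user ($1, assumed e.g. "postfix"), and have the
# LOG target record the uid/gid of the originating process (--log-uid).
# Any "rogue-smtp:" line then names a uid that should not be sending mail.
# Needs root and a live iptables; defined here but not run automatically.
install_rogue_smtp_log_rule() {
    mta_user="$1"
    iptables -I OUTPUT -p tcp --dport 25 -m state --state NEW \
        -m owner ! --uid-owner "$mta_user" \
        -j LOG --log-uid --log-prefix "rogue-smtp: "
}

# The reply's suggestion: a clamd scan of the whole filesystem, reporting
# only infected files. Only runs if clamdscan is installed.
weekly_clam_scan() {
    command -v clamdscan >/dev/null 2>&1 || { echo "clamdscan not installed" >&2; return 1; }
    clamdscan --infected --multiscan --fdpass /
}

# Stand-alone run: each outbound mail connection, then what arrived in the
# 15 minutes before it.
log_lines | outbound_smtp | while read -r when dst; do
    echo "outbound SMTP at $when to $dst; inbound in the 15 min before:"
    log_lines | inbound_before "$when" 15
done
```

Two things worth noting about the poster's own lines. The outbound entry carries TTL=64, the default for packets a Linux host generates itself, so the mail was sent by a process on this box rather than relayed through it; that is exactly the case the --log-uid rule answers, since it ties the connection to a uid without needing a sniffer. The correlation script only narrows the time window; with several SSL-port hits and no matching apache entries, the rule and the scan are what actually identify the process, and a hit from a uid such as www-data or the vsftpd user points straight at the compromised service.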