[plug] Finding a possible trojan/exploit?

Paul Dean paul at thecave.ws
Sun Jan 21 11:29:12 WST 2007


On Sat, 20 Jan 2007 09:49:47 +0900
Bernd Felsche <bernie at innovative.iinet.net.au> wrote:

> Steve Baker <steve at iinet.net.au> writes:
> 
> >So I force the server to relay through the ISP instead of going
> >direct. I turn on some packet logging and later today I find an
> >outbound mail connection going direct to a 3rd party mail server and
> >NOT through the ISP relayhost.  Interesting.  There is no mention of
> >this email in the postfix logs - obviously wasn't sent via postfix.
> 
> If you can detect an active connection, then you can use lsof to
> identify the process ID; and from that process ID, the executable
> and other "files" open by that process. It may even identify the IP
> of the remote control being used as well as the listen ports of a
> bot, should they be open.
> 
> e.g. # lsof -i :25
> will list all processes on the local host that have a port 25 (smtp)
> open to anywhere.
> 
> If the system is forwarding from within the kernel (e.g. IP
> forwarding), then lsof will not show a process.

Hi Steve,

You can write an outgoing iptables rule to log on :25, i.e.

# a dedicated chain, so the logging rule is easy to find and remove later
iptables -N emailout
# rate-limited LOG so a chatty process cannot flood the kernel log
iptables -A emailout -m limit --limit 15/minute -j LOG --log-level debug --log-prefix "Emailed: "
# hand every outbound SMTP packet from this host's address to that chain
iptables -A OUTPUT -o ${outiface} -s out.going.ip.add/32 -p tcp -m tcp --dport 25 -j emailout

You could also do something similar on your forward table too.

This at least will log some info for you and give you an idea of what time
stuff is happening, and narrow it down in the logs for you.

It will also give you the destination IP too.

-- 

Thanks

Paul Dean.
Mob: 0403 622 009

Your IT Administrator Extraordinaire

QOTD
"Life is not WHAT you make it, it's WHO you have in it..."
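The LOG rule above writes one kernel-log line per matching packet, so the next step is to pull the destinations and times back out of that log. The following Python is an added example and is not part of Paul's post or of anything on the original page. The field layout (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT= and the bare TCP flag tokens such as SYN and ACK) is the standard netfilter LOG target format; the host name, the addresses, the relayhost value and the log lines themselves are constructed for the example and carry no real meaning. It counts only SYN-without-ACK packets, because the rule logs every packet of a connection (up to the rate limit) and counting raw lines would over-count connections.

```python
import re
from collections import Counter

# Constructed sample of kernel-log output from a LOG rule with --log-prefix
# "Emailed: ". Addresses are from the RFC 5737 documentation ranges and the
# host name is invented for this example.
SAMPLE_LOG = """\
Jan 21 11:02:13 mailhost kernel: Emailed: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4012 DF PROTO=TCP SPT=34567 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 21 11:02:13 mailhost kernel: Emailed: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4013 DF PROTO=TCP SPT=34567 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
Jan 21 11:17:48 mailhost kernel: Emailed: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4101 DF PROTO=TCP SPT=51022 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 21 11:17:49 mailhost kernel: Emailed: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4102 DF PROTO=TCP SPT=51022 DPT=25 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Jan 21 11:31:05 mailhost kernel: Emailed: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4210 DF PROTO=TCP SPT=51030 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 21 11:40:00 mailhost kernel: Emailed: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4300 DF PROTO=TCP SPT=34600 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed address of the ISP relayhost; any other port-25 destination is
# exactly the traffic the poster was trying to catch.
RELAYHOST = "203.0.113.25"

# TCP flag tokens as the netfilter LOG target prints them.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?)"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) ?(?P<rest>.*)$"
)


def parse_log(text):
    """Turn netfilter LOG lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Everything after DPT= is WINDOW/RES/flags/URGP; keep just the flags.
        rec["flags"] = {tok for tok in rec.pop("rest").split() if tok in TCP_FLAGS}
        rec["spt"] = int(rec["spt"])
        rec["dpt"] = int(rec["dpt"])
        records.append(rec)
    return records


def new_connections(records):
    """Keep only connection openings: TCP with SYN set and ACK clear.

    The rule logs every packet in the flow, so without this filter a single
    mail delivery shows up as many log lines.
    """
    return [
        r for r in records
        if r["proto"] == "TCP" and "SYN" in r["flags"] and "ACK" not in r["flags"]
    ]


def suspicious_destinations(records, relayhost=RELAYHOST):
    """Connection openings per destination, ignoring the legitimate relayhost."""
    counts = Counter(r["dst"] for r in new_connections(records) if r["dst"] != relayhost)
    return dict(counts)


def timeline(records, relayhost=RELAYHOST):
    """(timestamp, destination, source port) for each direct connection.

    The timestamp is what you line up against cron, the mail log and
    whatever lsof showed at the time; the source port is what lsof -i
    lists alongside the owning process.
    """
    return [
        (r["ts"], r["dst"], r["spt"])
        for r in new_connections(records)
        if r["dst"] != relayhost
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("direct SMTP destinations:", suspicious_destinations(recs))
    for ts, dst, spt in timeline(recs):
        print(f"{ts}  -> {dst}:25  from local port {spt}")
```

On a live box the same functions can be fed the output of `grep 'Emailed: ' /var/log/kern.log` instead of SAMPLE_LOG. Note that the kernel log carries no process ID, so the timeline only narrows the window; catching the process still needs lsof (or a tool that records the socket owner) while the connection is open.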