[plug] Finding a possible trojan/exploit?
Steve Baker
steve at iinet.net.au
Mon Jan 22 08:36:37 WST 2007
Paul Dean wrote:
>On Sat, 20 Jan 2007 09:49:47 +0900
>Bernd Felsche <bernie at innovative.iinet.net.au> wrote:
>
>
>>Steve Baker <steve at iinet.net.au> writes:
>>
>>
>>>So I force the server to relay through the ISP instead of going
>>>direct. I turn on some packet logging and later today I find an
>>>outbound mail connection going direct to a 3rd party mail server and
>>>NOT through the ISP relayhost. Interesting. There is no mention of
>>>this email in the postfix logs - obviously wasn't sent via postfix.
>>>
>>>
>>If you can detect an active connection, then you can use lsof to
>>identify the process ID; and from that process ID, the executable
>>and other "files" open by that process. It may even identify the IP
>>of the remote control being used as well as the listen ports of a
>>bot, should they be open.
>>
>>e.g. # lsof -i :25
>>will list all processes on the local host that have a port 25 (smtp)
>>open to anywhere.
>>
>>If the system is forwarding from within the kernel (e.g. IP
>>forwarding), then lsof will not show a process.
>>
>>
>
>Hi Steve,
>
>You can write an outgoing iptables rule to log on :25, ie
>
>iptables -N emailout
>iptables -A emailout -m limit --limit 15/minute -j LOG --log-level debug --log-prefix "Emailed: "
>iptables -A OUTPUT -o ${outiface} -s out.going.ip.add/32 -p tcp -m tcp --dport 25 -j emailout
>
>You could also do something similar on your forward table too.
>
>This at least will log some info for you and give you an idea what time
>stuff is happening and narrow it down in the logs for you.
>
>It will also give you the destination IP too.
>
>
Hi Paul,
Thanks for the suggestion - I have already set up something similar by
adding extra bits to my Shorewall rules file to log info for outbound
connections on that port.
My next job is to follow Bernd's suggestion and use logfmon or similar
to trigger lsof when something unusual is logged, and get wireshark
going on a monitor port on the switch.
Regards,
Steve
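An added example, not code posted by anyone in this thread: a small POSIX sh script that does what Steve says he plans to do next, i.e. watch for the "Emailed: " LOG lines from Paul's iptables rule and, for any port 25 connection that does not go to the ISP relayhost, produce the lsof invocation Bernd suggested (narrowed to the remote host). The log lines are constructed samples in the format the iptables LOG target writes; the relayhost address and the log prefix are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Watches iptables LOG output for the
# "Emailed: " prefix from Paul's rule and flags outbound SMTP connections that
# bypass the ISP relay, printing the lsof command to identify the sending process.

# Constructed sample kernel log lines (iptables LOG target format). The third
# line is unrelated noise and must be ignored.
SAMPLE_LOG='Jan 22 08:12:33 gw kernel: Emailed: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=41234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 08:12:40 gw kernel: Emailed: IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=41235 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 08:13:01 gw sshd[123]: Accepted publickey for steve from 203.0.113.9 port 52211 ssh2'

# Assumed address of the ISP relayhost that all legitimate mail goes through.
RELAYHOST="${RELAYHOST:-198.51.100.20}"

# parse_emailout: read log lines on stdin, print "HH:MM:SS DST DPT" for each
# line carrying the "Emailed: " prefix; everything else is dropped.
parse_emailout() {
    awk '/Emailed: / {
        ts = $3; dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) dst = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dst != "") print ts, dst, dpt
    }'
}

# lsof_cmd_for DST DPT: the lsof command that lists the local process holding
# a TCP connection to DST:DPT. -n and -P suppress DNS and service-name lookups
# so the output shows raw addresses and ports.
lsof_cmd_for() {
    printf 'lsof -nP -i tcp@%s:%s\n' "$1" "$2"
}

# is_unexpected DST: true when DST is not the relayhost.
is_unexpected() {
    [ "$1" != "$RELAYHOST" ]
}

# watch_emailout: read log lines on stdin (in practice: tail -F /var/log/kern.log)
# and report every SMTP connection that bypasses the relay, with the lsof
# command to run against it while the connection is still open.
watch_emailout() {
    parse_emailout | while read -r ts dst dpt; do
        if is_unexpected "$dst"; then
            echo "$ts unexpected SMTP to $dst: run $(lsof_cmd_for "$dst" "$dpt")"
        fi
    done
}

# Stand-alone run over the constructed sample lines.
printf '%s\n' "$SAMPLE_LOG" | watch_emailout
```

In real use the last line is replaced by `tail -F /var/log/kern.log | watch_emailout` (or the equivalent hook in logfmon), and the lsof command is run rather than echoed; it only helps while the connection is still up, so the 15/minute rate limit in the LOG rule is the thing to watch if the host is sending in bursts.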