[Hidden-tech] Need help finding what hijacked our email server? port 25

Robert Heller heller at deepsoft.com
Wed Sep 11 19:14:49 UTC 2024


Modern Linuxes that use udev (I think all do now) have /dev as a RAMDISK, so
nothing persists there -- a reboot will clear it, unless udev has been hacked
or nefarious rules have been added to /etc/udev/rules.d. Yes, it is likely a
rootkit. The first step is to install chkrootkit and run that. It is likely
the only good cure might be a fresh re-install (from the "bare metal" up). And
*THEN* do regular updates (e.g. weekly run apt full-upgrade if Debian-flavored or
yum/dnf update if RHEL-flavored).  I run a weekly cron job listing all
available updates on my VPS -- I can set you up with that.

It is possible that the mail server itself has been corrupted.  That is, your
email server is still running, just that it is sending spam instead of what it
should be.

At Wed, 11 Sep 2024 18:26:07 +0000 "matthew at crocker.com" <matthew at crocker.com> wrote:

> It has been a while since I removed malware from a Linux box.
> 
> What flavor of Linux are you running?
> Do a Google search for malware removal tools for the Linux you are running.
> 
> Most modern Linux can run an MD5 checksum scan of all files vs the known good version to identify the bad files.
> Most malware also replaces a lot of files so things like md5sum are not reliable, so you need to make sure you install a clean version of everything.  The malware removal toolkits do that for you.
> 
> Malware likes to hide in /dev, you can search /dev for files of type file (should be devices).  Any file living in /dev is probably bad.
> 
> You'll never be 100% certain you are clean unless you do a full format/re-install of the OS.
> 
> Good luck,  chasing this stuff is like a game of whack-a-mole
> 
> -Matt
> 
> From: Hidden-discuss <hidden-discuss-bounces at lists.hidden-tech.net> on behalf of Steven Aronstein via Hidden-discuss <hidden-discuss at lists.hidden-tech.net>
> Date: Wednesday, September 11, 2024 at 1:40 PM
> To: Hidden-Tech Tech <Hidden-discuss at lists.hidden-tech.net>
> Subject: [Hidden-tech] Need help finding what hijacked our email server port 25
> 
> Hi,
> 
> We have an email server (Communigate hosted on Linode) that stopped responding. We discovered it was because something else on the server started using port 25. Except it wasn't anything we installed.
> 
>     master 811 root 13u IPv4 28666 0t0 TCP 127.0.0.1:25 (LISTEN)
>     master 811 root 14u IPv6 28667 0t0 TCP [::1]:25 (LISTEN)
> 
> Then Linode warned us (and blocked) our server because they detected spam being sent from it. Which wasn't us.
> 
> So, we appear to have some kind of virus or app that has hacked into our server and is using it.
> 
> This may actually be a fairly simple process for someone in the know, but we don't have the resources at this moment to be that someone fast enough. We've had enough bad experiences hiring random gig workers online that we don't want to trust someone like that with access, however brief, to our mail server.
> 
> Is there anyone in this group or locally or that people here trust up for a quick gig finding and purging the uninvited guest from our server so the mail server starts running and Linode will unblock it?
> 
> You can call or text or email me privately as well.  All suggestions, guidance, or references welcome.
> 
> Thanks!
> Steve
> 413-207-5610
> 
> _______________________________________________
> Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> Hidden-discuss at lists.hidden-tech.net
> 
> You are receiving this because you are on the Hidden-Tech Discussion list.
> If you would like to change your list preferences, Go to the Members
> page on the Hidden Tech Web site.
> http://www.hidden-tech.net/members
> 
> 

-- 
Robert Heller             -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services
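The thread suggests four checks: look for regular files in /dev, look for added udev rules, see which process actually owns port 25, and compare files against a known-good baseline. The script below is an added example that does each of those (it is not code from the thread, from CommuniGate or from Linode); it assumes POSIX sh, GNU coreutils sha256sum, lsof output produced with "lsof -nP -iTCP -sTCP:LISTEN", and uses "cgserver" only as a placeholder for the legitimate mail daemon's process name.

```shell
#!/bin/sh
# Triage helpers for the checks raised in this thread (added example, not
# code from the thread or from CommuniGate). Assumes POSIX sh, GNU coreutils
# sha256sum, and lsof output made with "lsof -nP -iTCP -sTCP:LISTEN".
# Run from a clean boot or rescue media: a rootkit can trojan find, awk and
# lsof themselves, so hits here are leads to verify, not proof either way.

# /dev should hold only device nodes, directories, symlinks, sockets and
# FIFOs; a regular file under it deserves a look. -xdev keeps find out of
# /dev/shm, which is a separate tmpfs and legitimately holds regular files.
dev_regular_files() {
    find "${1:-/dev}" -xdev -type f 2>/dev/null
}

# udev rules that run a program on device events, the persistence spot the
# thread mentions. Distro rules use RUN too, so compare each hit against what
# the package manager shipped (dpkg -S / rpm -qf). /dev/null forces grep to
# prefix the file name even when only one rules file exists.
udev_run_rules() {
    grep -n 'RUN+=' /dev/null "${1:-/etc/udev/rules.d}"/*.rules 2>/dev/null || true
}

# From lsof output on stdin, print "command pid" for each process listening
# on TCP port $2 whose command name is not the expected daemon $1.
unexpected_listeners() {
    awk -v want="$1" -v port="$2" '
        $NF == "(LISTEN)" && $(NF-1) ~ (":" port "$") && $1 != want { print $1, $2 }'
}

# Check files against a sha256 manifest taken from a known-good install (the
# idea behind "dpkg --verify" / "rpm -Va", using your own baseline). Prints
# the path of every file that differs or is missing; nothing means all match.
verify_against_baseline() {
    sha256sum -c --quiet "$1" 2>/dev/null | sed 's/: FAILED.*//'
}

# Constructed lsof sample: the two lines posted in the thread plus a normal
# sshd listener. "cgserver" is a placeholder for the legitimate mail daemon's
# process name on the host, not a claim about what CommuniGate calls it.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd    602 root 3u  IPv4 17001 0t0 TCP *:22 (LISTEN)
master  811 root 13u IPv4 28666 0t0 TCP 127.0.0.1:25 (LISTEN)
master  811 root 14u IPv6 28667 0t0 TCP [::1]:25 (LISTEN)'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners cgserver 25
    dev_regular_files
    udev_run_rules
fi
```

Run with --demo to see the sample lsof lines flagged and the live /dev and udev checks on the current host; the baseline check needs a manifest you generated with sha256sum on a clean install of the same package versions.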