<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>It has been a while since I removed malware from a linux box.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>What flavor of linux are you running?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Do a google search for malware removal tools for the linux you are running<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Most modern linux can run a MD5 checksum scan of all files vs the known good version to identify the bad files.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Most malware also replaces a lot of files so things like md5sum is not reliable so you need to make sure you install a clean version of everything. The malware removal toolkits do that for you.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Malware likes to hide in /dev, you can search /dev for files of type file (should be devices). Any file living in /dev is probably bad.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>You’ll never be 100% certain you are clean unless you do a full format/re-install of the OS<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Good luck, chasing this stuff is like a game of whack-a-mole<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>-Matt<o:p></o:p></span></p><p class=MsoNormal><i><span style='font-size:11.0pt'><o:p> </o:p></span></i></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='color:black'>From: </span></b><span style='color:black'>Hidden-discuss <hidden-discuss-bounces@lists.hidden-tech.net> on behalf of Steven Aronstein via Hidden-discuss <hidden-discuss@lists.hidden-tech.net><br><b>Date: </b>Wednesday, September 11, 2024 at 1:40</span><span style='font-family:"Arial",sans-serif;color:black'> </span><span style='color:black'>PM<br><b>To: </b>Hidden-Tech Tech <Hidden-discuss@lists.hidden-tech.net><br><b>Subject: </b>[Hidden-tech] Need help finding what hijacked our email server port 25<o:p></o:p></span></p></div><div id=mail-editor-reference-message-container><div><div><p class=MsoNormal>Hi,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We have an email server (Communigate hosted on Linode) that stopped responding. We discovered it was because something else on the server started using port 25. Except it wasn't anything we installed. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>master 811 root 13u IPv4 28666 0t0 TCP <a href="http://127.0.0.1:25">127.0.0.1:25</a> (LISTEN) master 811 root 14u IPv6 28667 0t0 TCP [::1]:25 (LISTEN)<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Then Linode warned us (and blocked) our server because the detected spam being sent from it. Which wasn't us.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>So, we appear to have some kind of virus or app that has hacked into our server and is using it.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>This may actually be a fairly simple process for someone in the know, but we don't have the resources at this moment to be that someone fast enough We've had enough bad experiences hiring random gig workers online that we don't want to trust someone like that with access, however brief, to our mail server.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Is there anyone in this group or locally or that people here trust up for a quick gig finding and purging the uninvited guest from our server so the mail server starts running and Linode will unblock it?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>You can call or text or email me privately as well. All suggestions, guidance, or references welcome.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks!<o:p></o:p></p></div><div><p class=MsoNormal>Steve<o:p></o:p></p></div><div><p class=MsoNormal>413-207-5610<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div></div></div></div></body></html>