LinuxQuestions.org

Linux - Security forum thread: https://www.linuxquestions.org/questions/linux-security-4/email-malware-on-fedora-18-a-4175516436/

andymck 08-26-2014 12:04 PM

Email Malware on Fedora 18?
 
One of the things I like about Linux is that it's relatively free of malware, but lately I've been seeing symptoms I don't like. Specifically, I've gotten a few notices of undeliverable email regarding messages I never sent.

It's possible, of course, that someone has simply harvested my address and is putting it in the "FROM:" field of their spam, and I can't do anything about that except get a new address. But what worries me is the possibility that I've been infected with some sort of creep code that is actually sending emails from my machine. I'm a moderately knowledgeable Linux user (Red Hat and Fedora since the early 1990's), but I'm far from being a skilled sysadmin or security guru. Can anyone point me to some useful tools for checking and/or cleansing my system?

Please don't just tell me "Delete everything and start over"; I do want to keep some things (address book, old emails, tool scripts, source files, etc.) and unless you can tell me how to make sure they're clean, I'm not prepared to "burn down the barn to kill the mice."

lleb 08-26-2014 07:10 PM

what e-mail client are you using?

as you are running Fedora what level is SELinux configured for?

also enable logging in firewalld or IPTables depending on what you are using.

http://www.tecmint.com/monitor-ether...vity-in-linux/

and maybe install iftop as well. those tools can help narrow down if you are sending data or not.

John VV 08-26-2014 08:34 PM

seeing as fedora 18 went End Of Life on January 14 2014
it has NOT received any security updates for the last 6 months

so for any NOW!!! FIXED!!! security hole for the last 6 months
fedora 18 is wide open to and will NEVER!!! be fixed
do not use an unsupported OS

install Fedora 20 ASAP!!!
( a new clean install after reformatting the drive )
then in a month or two
reinstall with fedora 21

unSpawn 08-27-2014 12:57 AM

Quote:

Originally Posted by John VV (Post 5227835)
seeing as fedora 18 went End Of Life on January 14 2014

While EOL notices are important they should be, especially in threads in the Linux Security forum, an integral part of the message. So next time please also address the OP's questions.


Quote:

Originally Posted by andymck (Post 5227622)
(..) I've gotten a few notices of undeliverable email regarding messages I never sent. (..) But what worries me is the possibility that I've been infected with some sort of (..) code that is actually sending emails from my machine. (..) Can anyone point me to some useful tools for checking (..) my system?

Even if you would have hardened your setup and complemented that by installing, configuring and running the audit service, a local file checker like Samhain (or AIDE or even tripwire), an IDS like Snort (or Suricata), etc., etc., it will boil down to finding "evidence" like finding foreign files in temp dirs, changed time stamps, modified files, odd processes and log correlation. So, in addition to lleb's questions:
- How long has this been going on?
- What have you checked yourself?
- What measures have been applied since?
- Can you show us actual headers? (Do obfuscate your IP and email address but nothing else please.)
- What services does your machine provide publicly (if any)?
- Do your daemon and system logs and login records show traffic / login irregularities? (Use Logwatch for reporting to spot anomalies easier.)
- Do (any!) users' home directories, crontabs, shell histories or directories holding temporary files show any anomalous commands?
- Have you verified the integrity of your system? (See 'rpm -Vva|grep -v '^\.\{8\}';'.)
- Are there any "odd" processes running? (See 'lsof -Pwln'.)

andymck 08-28-2014 02:13 AM

Quote:

Originally Posted by unSpawn (Post 5227904)
While EOL notices are important they should be, especially in threads in the Linux Security forum, an integral part of the message. So next time please also address the OPs questions.



Even if you would have hardened your setup and complemented that by installing, configuring and running the audit service, a local file checker like Samhain (or AIDE or even tripwire), an IDS like Snort (or Suricata), etc., etc., it will boil down to finding "evidence" like finding foreign files in temp dirs, changed time stamps, modified files, odd processes and log correlation. So, in addition to lleb's questions:
- How long has this been going on?
- What have you checked yourself?
- What measures have been applied since?
- Can you show us actual headers? (Do obfuscate your IP and email address but nothing else please.)
- What services does your machine provide publicly (if any)?
- Do your daemon and system logs and login records show traffic / login irregularities? (Use Logwatch for reporting to spot anomalies easier.)
- Do (any!) users' home directories, crontabs, shell histories or directories holding temporary files show any anomalous commands?
- Have you verified the integrity of your system? (See 'rpm -Vva|grep -v '^\.\{8\}';'.)
- Are there any "odd" processes running? (See 'lsof -Pwln'.)

I'm using the Thunderbird email client.

I've been seeing the problem about a week; this is complicated by my having been out of town a couple of times.

I haven't done much myself, as I don't know what tools are available. Mostly I've been relying on Linux's (perceived) relative immunity to malware.

I don't know how to check my SELinux settings, as I don't see a SELinux tool in the applications list. The SELinux Troubleshooter isn't showing me anything except messages about specific perceived glitches, none of which appear to be related.

Both the rpm and lsof commands you gave me produced so much output I couldn't say if anything was anomalous; I didn't see anything that stood out, but that doesn't mean much.

If I post a header, what is the IP I should obfuscate? My email address is, of course, obvious even to me.

For the rest of what you ask, I can only say, "I don't understand." (I did say I'm no security guru.) One thing that does seem weird, though, is that all of the bogus messages seem to be sent to recipients in Germany, and are written in German.

unSpawn 08-28-2014 04:11 AM

Quote:

Originally Posted by andymck (Post 5228515)
I don't know how to check my SELinux settings, as I don't see a SELinux tool in the applications list.

Code:

grep -v ^# /etc/selinux/config|grep .

Quote:

Originally Posted by andymck (Post 5228515)
The SELinux Troubleshooter isn't showing me anything except messages about specific perceived glitches, none of which appear to be related.

Problem is people often talk about issues while we would rather see actual output posted. That mainly has to do with clairvoyance as my ESP is exceptionally low these days and I can't read much into lines that include phrases like "doesn't work" or "I see nothing" ;-p


Quote:

Originally Posted by andymck (Post 5228515)
Both the rpm and lsof commands you gave me produced so much output I couldn't say if anything was anomalous; I didn't see anything that stood out, but that doesn't mean much.

Feel free to email me and discuss sharing data.


Quote:

Originally Posted by andymck (Post 5228515)
If I post a header, what is the IP I should obfuscate? My email address is, of course, obvious even to me.

Commonly your own public IP address and host name. See the "Return-Path:" and "Received: from" headers for example and do note some webmail systems may include a custom header with the IP address.


Quote:

Originally Posted by andymck (Post 5228515)
For the rest of what you ask, I can only say, "I don't understand."

- What services does your machine provide publicly (if any)?: Run 'netstat -antulpe' as root for starters.
- Do your daemon and system logs and login records show traffic / login irregularities? See 'man Logwatch'.
- Are there any "odd" processes running? As I already said: run 'lsof -Pwln'. As root.
- Do (any!) users' home directories, crontabs, shell histories or directories holding temporary files show any anomalous commands? Start with
Code:

find /root /home/* -maxdepth 1 -type f -name '*history*' -print0 2>/dev/null|xargs -0 -iX strings -an1 'X'; strings -an1 /var/spool/cron/*; /bin/ls --time-style=long-iso --quoting-style=c -al /tmp /var/tmp
as root.

andymck 08-28-2014 05:36 PM

Quote:

Originally Posted by unSpawn (Post 5228548)
Code:

grep -v ^# /etc/selinux/config|grep .


Problem is people often talk about issues while we would rather see actual output posted. That mainly has to do with clairvoyance as my ESP is exceptionally low these days and I can't read much into lines that include phrases like "doesn't work" or "I see nothing" ;-p



Feel free to email me and discuss sharing data.



Commonly your own public IP address and host name. See the "Return-Path:" and "Received: from" headers for example and do note some webmail systems may include a custom header with the IP address.



- What services does your machine provide publicly (if any)?: Run 'netstat -antulpe' as root for starters.
- Do your daemon and system logs and login records show traffic / login irregularities? See 'man Logwatch'.
- Are there any "odd" processes running? As I already said: run 'lsof -Pwln'. As root.
- Do (any!) users' home directories, crontabs, shell histories or directories holding temporary files show any anomalous commands? Start with
Code:

find /root /home/* -maxdepth 1 -type f -name '*history*' -print0 2>/dev/null|xargs -0 -iX strings -an1 'X'; strings -an1 /var/spool/cron/*; /bin/ls --time-style=long-iso --quoting-style=c -al /tmp /var/tmp
as root.

OK, thanks. I'll get to work on these and get back to you. About the "SELinux Troubleshooter", the messages I saw related to the xulrunner plugin not being able to write to a specific file; I'm pretty sure this is a problem related to Adobe not making updates to the Linux version of Flash. I've been seeing it for months -- much longer than I've had the problem we're discussing.

Also, here is the text of my latest rejection notice in its entirety:
Quote:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of
its recipients. This is a permanent error. The following address
failed:

"kuno.westermann@t-online.de":
SMTP error from remote server after transfer of mail text:
host: mx03.t-online.de
5.7.0 Message considered as spam or virus, rejected
5.7.0 Your IP: NNN.NNN.NNN.NNN
5.7.0 Mailhost: mailin51.aul.t-online.de
5.7.0 Timestamp: 2014-08-28T21:27:50Z
5.7.0 Expurgate-ID: 149288::1409261270-00001494-1F60D365/0-0/0-7
5.7.0 Authenticator: F314B6F42FB6A0021932417AE644B97D4096DF17303DED7EA639E85232316808F623CE96
5.7.0
5.7.0 Your message has been rejected due to spam or virus classification.
5.7.0 If you feel this is inapplicable, please report the above error codes
5.7.0 back to FPR@RX.T-ONLINE.DE to help us fix possible misclassification.
5.7.0 We apologize for any inconvenience and thank you for your assistance!
5.7.0
5.7.0 Die Annahme Ihrer Nachricht wurde abgelehnt, da sie als Spam oder
5.7.0 Virus eingestuft wurde. Sollten Sie dies als unzutreffend ansehen,
5.7.0 senden Sie bitte obige Fehlercodes an FPR@RX.T-ONLINE.DE, damit wir
5.7.0 die Klassifizierung untersuchen können. Wir entschuldigen uns für
5.7.0 etwaige Unannehmlichkeiten und bedanken uns für Ihre Unterstützung!


--- The header of the original message is following. ---

Received: from [213.165.67.104] ([213.165.67.104]) by mx-ha.web.de (mxweb006)
with ESMTP (Nemesis) id 0MHmvd-1XJWrg1JFd-003hoD for
<kuno.westermann@t-online.de>; Thu, 28 Aug 2014 23:27:49 +0200
Received: from vms173023pub.verizon.net ([206.46.173.23]) by mx-ha.web.de
(mxweb006) with ESMTP (Nemesis) id 0LllYm-1WnmPl1Iwq-00ZSim for
<kuno.westermann@web.de>; Thu, 28 Aug 2014 23:27:49 +0200
Received: from gastecker155 ([unknown] [91.113.144.26])
by vms173023.mailsrvcs.net
(Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
with ESMTPA id <0NAY005VB70TO9B0@vms173023.mailsrvcs.net> for
kuno.westermann@web.de; Tue, 26 Aug 2014 23:27:10 -0500 (CDT)
From: "Stellvertretender Rechtsanwalt" <my_address@my_mail_ISP>
To: "Kuno Westermann" <kuno.westermann@web.de>
Subject: Die automatische Kontoabbuchung konnte nicht vorgenommen werden
Date: Wed, 27 Aug 2014 04:26:53 +0000 (GMT)
Message-id: <01ede884.29b4ba2a5649bd3c@gastecker155>
MIME-version: 1.0
Content-type: multipart/mixed;
boundary="----=_NextPart_000_0018_75191E5C.341FCC65"
X-UI-Out-Filterresults: junk:10;

I've obfuscated my IP and email address, but the name associated with my address in the "From:" record is unchanged; it is NOT my name, nor anything like it, as you can see.
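
The bounce above carries the one piece of hard evidence in this thread: the "Received:" chain of the original message. Walking it oldest-first shows which host actually submitted the mail, which is the check unSpawn's "what IP should I obfuscate" answer points at. The script below is an added example, not code from the thread; it embeds the headers exactly as quoted in the bounce (re-folded with leading whitespace so the parser sees them as three headers) and uses 198.51.100.7 as a constructed placeholder for the poster's own public address.

```python
import re
from email import message_from_string

# Constructed sample: the original-message headers quoted in the bounce,
# re-folded so each Received: header is one logical line. The From: address
# is the poster's own placeholder, left as it appears in the thread.
BOUNCED_HEADERS = """\
Received: from [213.165.67.104] ([213.165.67.104]) by mx-ha.web.de (mxweb006)
 with ESMTP (Nemesis) id 0MHmvd-1XJWrg1JFd-003hoD for
 <kuno.westermann@t-online.de>; Thu, 28 Aug 2014 23:27:49 +0200
Received: from vms173023pub.verizon.net ([206.46.173.23]) by mx-ha.web.de
 (mxweb006) with ESMTP (Nemesis) id 0LllYm-1WnmPl1Iwq-00ZSim for
 <kuno.westermann@web.de>; Thu, 28 Aug 2014 23:27:49 +0200
Received: from gastecker155 ([unknown] [91.113.144.26])
 by vms173023.mailsrvcs.net
 (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
 with ESMTPA id <0NAY005VB70TO9B0@vms173023.mailsrvcs.net> for
 kuno.westermann@web.de; Tue, 26 Aug 2014 23:27:10 -0500 (CDT)
From: "Stellvertretender Rechtsanwalt" <my_address@my_mail_ISP>
To: "Kuno Westermann" <kuno.westermann@web.de>
Subject: Die automatische Kontoabbuchung konnte nicht vorgenommen werden

"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # first bracketed IPv4 in a hop

def received_hops(raw_headers):
    """Return the Received: chain oldest-first as (from_ip, by_host, protocol)."""
    msg = message_from_string(raw_headers)
    hops = []
    # Each relay prepends its Received: header, so file order is newest-first.
    for rcvd in reversed(msg.get_all("Received", [])):
        text = " ".join(rcvd.split())                    # unfold continuation lines
        ip = IPV4.search(text)
        by = re.search(r"\bby\s+(\S+)", text)
        # RFC 3848: "with ESMTPA" marks a submission that authenticated via SMTP AUTH.
        proto = re.search(r"\bwith\s+(\S+)", text)
        hops.append((ip.group(1) if ip else None,
                     by.group(1) if by else None,
                     proto.group(1) if proto else None))
    return hops

def origin_is_my_host(raw_headers, my_public_ips):
    """True only if the oldest hop (the submitting client) is one of my own addresses."""
    hops = received_hops(raw_headers)
    return bool(hops) and hops[0][0] in set(my_public_ips)

if __name__ == "__main__":
    for ip, by, proto in received_hops(BOUNCED_HEADERS):
        print(f"{ip:>16} -> {by} ({proto})")
    # 198.51.100.7 is a constructed placeholder for the poster's public IP.
    print("submitted from my host:", origin_is_my_host(BOUNCED_HEADERS, ["198.51.100.7"]))
```

Only the oldest hop identifies the submitting client; every later "Received:" line is a relay, so a mismatch there says nothing about your own machine.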

andymck 09-02-2014 02:04 PM

What with one thing and another, I've decided to upgrade to Fedora 20 before taking this too much further. That will take me a day or so, between doing the upgrade installation and making sure everything still works. I'll repost when that's done and I've had a chance to re-evaluate if this problem still exists.

Followup: The upgrade is complete and I'm no longer seeing any "Message delayed/deleted" emails from my server. That may mean that whatever was sending out the bogus messages is now sending them out correctly, but I think it means that whatever malware I was suffering from is no longer functional. Are the "bad" files still there, but dormant? I don't know. Was it the upgrade that fixed it, or just the re-install? I don't know that either. If the problem comes back, I'll address it again then; until then, I'll keep looking for files that don't belong, but frankly I'm not optimistic about finding anything.

I did see one thing interesting before the upgrade: I once saw that lsof was reporting files being held open by Evolution. Since I use Thunderbird exclusively, that was definitely suspicious. I didn't install Evolution in this round, so that may be why the problem has gone dormant. It's possible that doing a system-wide grep for "Evolution" will find something, and I will try that. We'll see.

