Email Malware on Fedora 18?
One of the things I like about Linux is that it's relatively free of malware, but lately I've been seeing symptoms I don't like. Specifically, I've gotten a few notices of undeliverable email regarding messages I never sent.
It's possible, of course, that someone has simply harvested my address and is putting it in the "FROM:" field of their spam, and I can't do anything about that except get a new address. But what worries me is the possibility that I've been infected with some sort of creep code that is actually sending emails from my machine. I'm a moderately knowledgeable Linux user (Red Hat and Fedora since the early 1990's), but I'm far from being a skilled sysadmin or security guru. Can anyone point me to some useful tools for checking and/or cleansing my system? Please don't just tell me "Delete everything and start over"; I do want to keep some things (address book, old emails, tool scripts, source files, etc.) and unless you can tell me how to make sure they're clean, I'm not prepared to "burn down the barn to kill the mice."
What e-mail client are you using?
As you are running Fedora, what level is SELinux configured for? Also enable logging in firewalld or iptables, depending on which you are using. http://www.tecmint.com/monitor-ether...vity-in-linux/ and maybe install iftop as well. Those tools can help narrow down whether you are sending data or not.
Seeing as Fedora 18 went End Of Life on January 14 2014,
it has NOT received any security updates for the last 6 months, so for any NOW!!! FIXED!!! security hole from the last 6 months Fedora 18 is wide open and will NEVER!!! be fixed. Do not use an unsupported OS; install Fedora 20 ASAP!!! (a new clean install after reformatting the drive), then in a month or two reinstall with Fedora 21.
- How long has this been going on?
- What have you checked yourself?
- What measures have been applied since?
- Can you show us actual headers? (Do obfuscate your IP and email address but nothing else please.)
- What services does your machine provide publicly (if any)?
- Do your daemon and system logs and login records show traffic / login irregularities? (Use Logwatch for reporting to spot anomalies easier.)
- Do (any!) users' home directory, crontab, shell history or directory holding temporary files show any anomalous commands?
- Have you verified the integrity of your system? (See 'rpm -Vva|grep -v '^\.\{8\}';'.)
- Are there any "odd" processes running? (See 'lsof -Pwln'.)
I've been seeing the problem for about a week; this is complicated by my having been out of town a couple of times. I haven't done much myself, as I don't know what tools are available. Mostly I've been relying on Linux's (perceived) relative immunity to malware. I don't know how to check my SELinux settings, as I don't see a SELinux tool in the applications list. The SELinux Troubleshooter isn't showing me anything except messages about specific perceived glitches, none of which appear to be related. Both the rpm and lsof commands you gave me produced so much output I couldn't say if anything was anomalous; I didn't see anything that stood out, but that doesn't mean much. If I post a header, what is the IP I should obfuscate? My email address is, of course, obvious even to me. For the rest of what you ask, I can only say, "I don't understand." (I did say I'm no security guru.) One thing that does seem weird, though, is that all of the bogus messages seem to be sent to recipients in Germany, and are written in German.
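The 'rpm -Vva' integrity check suggested above drowns a non-expert in output. As an added example (not from the thread or from any poster), this POSIX shell script classifies each rpm -V line by its attribute flags so that only content changes to non-config files and missing files are shown; the sample lines are constructed, not real output from any host.

```shell
#!/bin/sh
# Added example: triage 'rpm -Va' output. Each rpm -V line is a 9-character
# attribute field (S size, M mode, 5 digest, D device, L symlink, U user,
# G group, T mtime, P capabilities; '.' = unchanged, '?' = untestable),
# an optional file-type letter (c config, d doc, g ghost, l license,
# r readme) and the path. 'missing' replaces the flags for absent files.

# classify_rpm_line LINE -> prints MISSING, CONFIG, CONTENT or METADATA
classify_rpm_line() {
    # shellcheck disable=SC2086
    set -- $1                        # split: flags [type] path
    flags=$1
    if [ "$flags" = missing ]; then
        echo MISSING; return
    fi
    ftype=-
    if [ $# -eq 3 ]; then ftype=$2; fi
    case "$flags" in
        *5*|*S*)                     # digest or size differs: contents changed
            if [ "$ftype" = c ]; then echo CONFIG; else echo CONTENT; fi ;;
        *)  echo METADATA ;;         # only mode/owner/mtime: usually benign
    esac
}

# triage_rpm_verify: read rpm -V lines on stdin, print CONTENT and MISSING
# entries prefixed with their class. Edited config files are expected and
# are left out; a changed binary or library is what deserves a look.
triage_rpm_verify() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        cls=$(classify_rpm_line "$line")
        case "$cls" in
            CONTENT|MISSING) printf '%s %s\n' "$cls" "$line" ;;
        esac
    done
}

# Constructed sample in rpm -V format (not output from any real system).
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
S.5....T.    /usr/sbin/sendmail
missing     /usr/lib64/libfoo.so.1
.......T.  d /usr/share/doc/bash/README'

# count_flagged -> number of SAMPLE lines that triage_rpm_verify reports
count_flagged() {
    printf '%s\n' "$SAMPLE" | triage_rpm_verify | wc -l | tr -d ' '
}
```

On a live host, run 'rpm -Va 2>/dev/null | triage_rpm_verify' as root; a CONTENT hit on something under /usr/bin, /usr/sbin or /usr/lib64 is worth comparing against a freshly downloaded copy of the package before trusting the file.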
Code:
grep -v '^#' /etc/selinux/config | grep .
- Do your daemon and system logs and login records show traffic / login irregularities? See 'man Logwatch'.
- Are there any "odd" processes running? As I already said: run 'lsof -Pwln'. As root.
- Do (any!) users' home directory, crontab, shell history or directory holding temporary files show any anomalous commands? Start with Code:
# dump every shell history file directly under /root and each home directory
find /root /home/* -maxdepth 1 -type f -name '*history*' -print0 2>/dev/null | xargs -0 -I X strings -an1 'X'
# dump all per-user crontabs (Fedora keeps them under /var/spool/cron)
strings -an1 /var/spool/cron/*
# list temporary directories with full timestamps and quoted names
/bin/ls --time-style=long-iso --quoting-style=c -al /tmp /var/tmp
Also, here is the text of my latest rejection notice in its entirety:
What with one thing and another, I've decided to upgrade to Fedora 20 before taking this too much further. That will take me a day or so, between doing the upgrade installation and making sure everything still works. I'll repost when that's done and I've had a chance to re-evaluate if this problem still exists.
Followup: The upgrade is complete and I'm no longer seeing any "Message delayed/deleted" emails from my server. That may mean that whatever was sending out the bogus messages is now sending them out correctly, but I think it means that whatever malware I was suffering from is no longer functional. Are the "bad" files still there, but dormant? I don't know. Was it the upgrade that fixed it, or just the re-install? I don't know that either. If the problem comes back, I'll address it again then; until then, I'll keep looking for files that don't belong, but frankly I'm not optimistic about finding anything. I did see one thing interesting before the upgrade: I once saw that lsof was reporting files being held open by Evolution. Since I use Thunderbird exclusively, that was definitely suspicious. I didn't install Evolution in this round, so that may be why the problem has gone dormant. It's possible that doing a system-wide grep for "Evolution" will find something, and I will try that. We'll see.