LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-26-2014, 12:04 PM   #1
andymck
Member
 
Registered: Aug 2006
Location: Garland, TX, USA
Distribution: Fedora
Posts: 90

Rep: Reputation: 15
Email Malware on Fedora 18?


One of the things I like about Linux is that it's relatively free of malware, but lately I've been seeing symptoms I don't like. Specifically, I've gotten a few notices of undeliverable email regarding messages I never sent.

It's possible, of course, that someone has simply harvested my address and is putting it in the "FROM:" field of their spam, and I can't do anything about that except get a new address. But what worries me is the possibility that I've been infected with some sort of creep code that is actually sending emails from my machine. I'm a moderately knowledgeable Linux user (Red Hat and Fedora since the early 1990's), but I'm far from being a skilled sysadmin or security guru. Can anyone point me to some useful tools for checking and/or cleansing my system?

Please don't just tell me "Delete everything and start over"; I do want to keep some things (address book, old emails, tool scripts, source files, etc.) and unless you can tell me how to make sure they're clean, I'm not prepared to "burn down the barn to kill the mice."

Last edited by andymck; 08-26-2014 at 12:07 PM.
 
Old 08-26-2014, 07:10 PM   #2
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora/Pop!_OS
Posts: 2,983

Rep: Reputation: 551
what e-mail client are you using?

as you are running Fedora what level is SELinux configured for?

also enable logging in firewalld or IPTables depending on what you are using.

http://www.tecmint.com/monitor-ether...vity-in-linux/

and maybe install iftop as well. those tools can help narrow down if you are sending data or not.
 
Old 08-26-2014, 08:34 PM   #3
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

Rep: Reputation: 2651
seeing as fedora 18 went End Of Life on January 14 2014
it has NOT received any security updates for the last 6 months

so for any NOW!!! FIXED!!! security hole for the last 6 months
fedora 18 is wide open to and will NEVER!!! be fixed
do not use an unsupported OS

install Fedora 20 ASAP!!!
( a new clean install after reformatting the drive )
then in a month or two
reinstall with fedora 21

Last edited by John VV; 08-26-2014 at 08:35 PM.
 
Old 08-27-2014, 12:57 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by John VV View Post
seeing as fedora 18 went End Of Life on January 14 2014
While EOL notices are important they should be, especially in threads in the Linux Security forum, an integral part of the message. So next time please also address the OP's questions.


Quote:
Originally Posted by andymck View Post
(..) I've gotten a few notices of undeliverable email regarding messages I never sent. (..) But what worries me is the possibility that I've been infected with some sort of (..) code that is actually sending emails from my machine. (..) Can anyone point me to some useful tools for checking (..) my system?
Even if you would have hardened your setup and complemented that by installing, configuring and running the audit service, a local file checker like Samhain (or AIDE or even tripwire), an IDS like Snort (or Suricata), etc, etc it will boil down to finding "evidence" like finding foreign files in temp dirs, changed time stamps, modified files, odd processes and log correlation. So, in addition to lleb's questions:
- How long has this been going on?
- What have you checked yourself?
- What measures have been applied since?
- Can you show us actual headers? (Do obfuscate your IP and email address but nothing else please.)
- What services does your machine provide publicly (if any)?
- Do your daemon and system logs and login records show traffic / login irregularities? (Use Logwatch for reporting to spot anomalies easier.)
- Do (any!) users home directory, crontab, shell history or directory holding temporary files show any anomalous commands?
- Have you verified the integrity of your system? (See 'rpm -Vva|grep -v '^\.\{8\}';'.)
- Are there any "odd" processes running? (See 'lsof -Pwln'.)
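The rpm verification step above produces far more output than a person can eyeball, which is the complaint that follows in this thread. As an added example (my own, not unSpawn's code and not from LinuxQuestions), here is a small sh/awk helper that turns `rpm -Va` or `rpm -Vva` output into a triage list: lines that passed every test are dropped, %config files are reported as informational, and non-config package files whose size, digest, mode or ownership changed, or that are missing, are flagged. The rpm lines used as input are constructed for illustration, not real output from the poster's machine.

```shell
#!/bin/sh
# Added example: triage rpm -Va / rpm -Vva output (not code from the thread).
# rpm prints one line per file that failed verification, for example
#   S.5....T.    /usr/bin/ssh          (flag columns, then path)
#   .......T.  c /etc/ssh/sshd_config  (flags, 'c' = %config file, path)
#   missing     /usr/lib64/libfoo.so.1
# Flag columns: S size, M mode, 5 digest, D device, L symlink, U user,
# G group, T mtime, P capabilities; '.' means that particular test passed.

rpm_triage() {
    # Reads verification lines on stdin; prints "<severity> <flags> <path>".
    awk '
    $1 ~ /^\.+$/ { next }                       # passed every test (shown by -Vva)
    $1 == "missing" { print "HIGH", "missing", $NF; next }
    {
        flags = $1; path = $NF
        isconfig = ($2 == "c")                  # config files are expected to drift
        changed  = (flags ~ /[SM5UG]/)          # content, mode or ownership changed
        if (isconfig)      sev = "INFO"
        else if (changed)  sev = "HIGH"         # a package binary/library was altered
        else               sev = "LOW"          # only mtime / capabilities differ
        print sev, flags, path
    }'
}

# Constructed sample standing in for `rpm -Vva 2>/dev/null` (not real output).
SAMPLE_RPM='S.5....T.    /usr/bin/ssh
.........    /usr/bin/ls
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/hosts
missing     /usr/lib64/libfoo.so.1
.M.......    /usr/sbin/sendmail
........P    /usr/bin/ping'

# Convenience wrappers; on a real system run: rpm -Vva 2>/dev/null | rpm_triage
rpm_triage_sample() { printf '%s\n' "$SAMPLE_RPM" | rpm_triage; }
rpm_triage_high()   { rpm_triage_sample | grep -c '^HIGH'; }

rpm_triage_sample
```

A HIGH line for a file such as /usr/bin/ssh or /usr/sbin/sendmail is the kind of "modified files" evidence unSpawn refers to; a LOW line with only T set is usually a harmless touch, and INFO lines for files under /etc are normally your own configuration changes.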
 
Old 08-28-2014, 02:13 AM   #5
andymck
Member
 
Registered: Aug 2006
Location: Garland, TX, USA
Distribution: Fedora
Posts: 90

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn View Post
(..)
I'm using the Thunderbird email client.

I've been seeing the problem about a week; this is complicated by my having been out of town a couple of times.

I haven't done much myself, as I don't know what tools are available. Mostly I've been relying on Linux's (perceived) relative immunity to malware.

I don't know how to check my SELinux settings, as I don't see a SELinux tool in the applications list. The SELinux Troubleshooter isn't showing me anything except messages about specific perceived glitches, none of which appear to be related.

Both the rpm and lsof commands you gave me produced so much output I couldn't say if anything was anomalous; I didn't see anything that stood out, but that doesn't mean much.

If I post a header, what is the IP I should obfuscate? My email address is, of course, obvious even to me.

For the rest of what you ask, I can only say, "I don't understand." (I did say I'm no security guru.) One thing that does seem weird, though, is that all of the bogus messages seem to be sent to recipients in Germany, and are written in German.
 
Old 08-28-2014, 04:11 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by andymck View Post
I don't know how to check my SELinux settings, as I don't see a SELinux tool in the applications list.
Code:
grep -v ^# /etc/selinux/config|grep .

Quote:
Originally Posted by andymck View Post
The SELinux Troubleshooter isn't showing me anything except messages about specific perceived glitches, none of which appear to be related.
Problem is people often talk about issues while we would rather see actual output posted. That mainly has to do with clairvoyance as my ESP is exceptionally low these days and I can't read much into lines that include phrases like "doesn't work" or "I see nothing" ;-p


Quote:
Originally Posted by andymck View Post
Both the rpm and lsof commands you gave me produced so much output I couldn't say if anything was anomalous; I didn't see anything that stood out, but that doesn't mean much.
Feel free to email me and discuss sharing data.


Quote:
Originally Posted by andymck View Post
If I post a header, what is the IP I should obfuscate? My email address is, of course, obvious even to me.
Commonly your own public IP address and host name. See the "Return-Path:" and "Received: from" headers for example and do note some webmail systems may include a custom header with the IP address.


Quote:
Originally Posted by andymck View Post
For the rest of what you ask, I can only say, "I don't understand."
- What services does your machine provide publicly (if any)?: Run 'netstat -antulpe' as root for starters.
- Do your daemon and system logs and login records show traffic / login irregularities? See 'man Logwatch'.
- Are there any "odd" processes running? As I already said: run 'lsof -Pwln'. As root.
- Do (any!) users home directory, crontab, shell history or directory holding temporary files show any anomalous commands? Start with
Code:
# shell history files in /root and in every home directory
find /root /home/* -maxdepth 1 -type f -name '*history*' -print0 2>/dev/null | xargs -0 -I X strings -an1 'X'
# per-user crontabs (cronie on Fedora keeps them under /var/spool/cron)
strings -an1 /var/spool/cron/*
# temporary directories, with unambiguous timestamps and quoted file names
/bin/ls --time-style=long-iso --quoting-style=c -al /tmp /var/tmp
as root.
 
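To make the `netstat -antulpe` step concrete, here is an added sh/awk example (my own, not unSpawn's and not from LinuxQuestions) that splits that listing into the two views this thread cares about: sockets listening on a non-loopback address, which is what the machine "provides publicly", and established connections to SMTP ports (25, 465, 587), which is where a process sending mail from the box would show up. The netstat listing below is constructed for illustration; the PIDs, addresses and program names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): read `netstat -antulpe` output and
# report (1) sockets reachable from outside the host and (2) outbound SMTP.

# Listening sockets not bound to loopback. tcp lines carry a State column
# (we want LISTEN); udp lines have no State, so every udp socket counts.
public_listeners() {
    awk '
    $1 !~ /^(tcp|udp)/ { next }                 # skip the two header lines
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }      # only listening tcp sockets
    $4 ~ /^(127\.|::1:|\[::1\])/ { next }       # loopback-only is not public
    { print $1, $4, $NF }'
}

# Established connections whose peer port is an SMTP relay/submission port.
outbound_smtp() {
    awk '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $5 ~ /:(25|465|587)$/ { print $1, $5, $NF }'
}

# Constructed sample standing in for `netstat -antulpe` run as root (not real output).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12345      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          12346      901/cupsd
tcp        0      0 192.168.1.20:46213      198.51.100.7:587        ESTABLISHED 1000       22222      2477/thunderbird
tcp        0      0 192.168.1.20:51020      203.0.113.9:443         ESTABLISHED 1000       22223      2301/firefox
tcp6       0      0 :::25                   :::*                    LISTEN      0          12347      1099/master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          12348      655/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           0          12349      700/chronyd'

public_listeners_sample() { printf '%s\n' "$SAMPLE_NETSTAT" | public_listeners; }
outbound_smtp_sample()    { printf '%s\n' "$SAMPLE_NETSTAT" | outbound_smtp; }

echo "== reachable from outside =="; public_listeners_sample
echo "== connected to SMTP ports =="; outbound_smtp_sample
```

On a real system pipe `netstat -antulpe` (run as root, so the program name column is filled in) into these functions; a mail client you use yourself is expected in the second list, while any other program there deserves the `lsof -Pwln` look unSpawn asks for.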
Old 08-28-2014, 05:36 PM   #7
andymck
Member
 
Registered: Aug 2006
Location: Garland, TX, USA
Distribution: Fedora
Posts: 90

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn View Post
(..)
OK, thanks. I'll get to work on these and get back to you. About the "SELinux Troubleshooter", the messages I saw related to the xulrunner plugin not being able to write to a specific file; I'm pretty sure this is a problem related to Adobe not making updates to the Linux version of Flash. I've been seeing it for months -- much longer than I've had the problem we're discussing.

Also, here is the text of my latest rejection notice in its entirety:
Quote:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of
its recipients. This is a permanent error. The following address
failed:

"kuno.westermann@t-online.de":
SMTP error from remote server after transfer of mail text:
host: mx03.t-online.de
5.7.0 Message considered as spam or virus, rejected
5.7.0 Your IP: NNN.NNN.NNN.NNN
5.7.0 Mailhost: mailin51.aul.t-online.de
5.7.0 Timestamp: 2014-08-28T21:27:50Z
5.7.0 Expurgate-ID: 149288::1409261270-00001494-1F60D365/0-0/0-7
5.7.0 Authenticator: F314B6F42FB6A0021932417AE644B97D4096DF17303DED7EA639E85232316808F623CE96
5.7.0
5.7.0 Your message has been rejected due to spam or virus classification.
5.7.0 If you feel this is inapplicable, please report the above error codes
5.7.0 back to FPR@RX.T-ONLINE.DE to help us fix possible misclassification.
5.7.0 We apologize for any inconvenience and thank you for your assistance!
5.7.0
5.7.0 Die Annahme Ihrer Nachricht wurde abgelehnt, da sie als Spam oder
5.7.0 Virus eingestuft wurde. Sollten Sie dies als unzutreffend ansehen,
5.7.0 senden Sie bitte obige Fehlercodes an FPR@RX.T-ONLINE.DE, damit wir
5.7.0 die Klassifizierung untersuchen können. Wir entschuldigen uns für
5.7.0 etwaige Unannehmlichkeiten und bedanken uns für Ihre Unterstützung!


--- The header of the original message is following. ---

Received: from [213.165.67.104] ([213.165.67.104]) by mx-ha.web.de (mxweb006)
with ESMTP (Nemesis) id 0MHmvd-1XJWrg1JFd-003hoD for
<kuno.westermann@t-online.de>; Thu, 28 Aug 2014 23:27:49 +0200
Received: from vms173023pub.verizon.net ([206.46.173.23]) by mx-ha.web.de
(mxweb006) with ESMTP (Nemesis) id 0LllYm-1WnmPl1Iwq-00ZSim for
<kuno.westermann@web.de>; Thu, 28 Aug 2014 23:27:49 +0200
Received: from gastecker155 ([unknown] [91.113.144.26])
by vms173023.mailsrvcs.net
(Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
with ESMTPA id <0NAY005VB70TO9B0@vms173023.mailsrvcs.net> for
kuno.westermann@web.de; Tue, 26 Aug 2014 23:27:10 -0500 (CDT)
From: "Stellvertretender Rechtsanwalt" <my_address@my_mail_ISP>
To: "Kuno Westermann" <kuno.westermann@web.de>
Subject: Die automatische Kontoabbuchung konnte nicht vorgenommen werden
Date: Wed, 27 Aug 2014 04:26:53 +0000 (GMT)
Message-id: <01ede884.29b4ba2a5649bd3c@gastecker155>
MIME-version: 1.0
Content-type: multipart/mixed;
boundary="----=_NextPart_000_0018_75191E5C.341FCC65"
X-UI-Out-Filterresults: junk:10;
I've obfuscated my IP and email address, but the name associated with my address in the "From:" record is unchanged; it is NOT my name, nor anything like it, as you can see.
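The header block quoted above answers more of unSpawn's questions than the "From:" name does, because each relay prepends its own "Received:" header, so the bottom one records the host that first handed the message in. As an added example (my own, not code from the thread), here is a sh/awk helper that unfolds the headers and lists the hops oldest-first with the submitting host, its IP and the protocol keyword; "with ESMTPA" on a hop means the client authenticated to that server with SMTP AUTH credentials, so comparing that first hop's address with your own public IP is the check that separates "my machine sent it" from "my account was used". The sample is the quoted header block re-indented as folded header lines; the addresses and IDs are the ones on the page.

```shell
#!/bin/sh
# Added example (not from the thread): list the Received: hops of a message
# oldest-first and pull out the originating host, its IP and the protocol
# keyword it used (ESMTPA = the client authenticated with SMTP AUTH).

received_chain() {
    # stdin: raw message headers. stdout: one tab-separated line per hop,
    # "hop<TAB>from-host<TAB>from-ip<TAB>by-host<TAB>protocol", origin first.
    awk '
    function flush() { if (cur ~ /^Received:/) hops[++n] = cur; cur = "" }
    /^[ \t]/ { sub(/^[ \t]+/, " "); cur = cur $0; next }   # unfold continuation line
    /^$/     { flush(); exit }                             # blank line ends the headers
    { flush(); cur = $0 }
    END {
        flush()
        for (i = n; i >= 1; i--) {                         # bottom header = first hop
            line = hops[i]
            sub(/^Received: *from +/, "", line)
            idx  = index(line, " by ")
            from = (idx > 0) ? substr(line, 1, idx - 1) : line
            rest = (idx > 0) ? substr(line, idx + 4) : "?"
            split(from, f, " "); host = f[1]
            split(rest, b, " "); by = b[1]
            ip    = match(from, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) ? substr(from, RSTART, RLENGTH) : "?"
            proto = match(line, /with [A-Z]+/) ? substr(line, RSTART + 5, RLENGTH - 5) : "?"
            printf "%d\t%s\t%s\t%s\t%s\n", n - i + 1, host, ip, by, proto
        }
    }'
}

# The first hop is where the message entered the mail system.
origin_ip() { received_chain | head -n 1 | cut -f3; }

# The header block quoted in the thread, re-indented as folded header lines
# (the sender address is obfuscated exactly as the poster left it).
SAMPLE_HEADERS='Received: from [213.165.67.104] ([213.165.67.104]) by mx-ha.web.de (mxweb006)
 with ESMTP (Nemesis) id 0MHmvd-1XJWrg1JFd-003hoD for
 <kuno.westermann@t-online.de>; Thu, 28 Aug 2014 23:27:49 +0200
Received: from vms173023pub.verizon.net ([206.46.173.23]) by mx-ha.web.de
 (mxweb006) with ESMTP (Nemesis) id 0LllYm-1WnmPl1Iwq-00ZSim for
 <kuno.westermann@web.de>; Thu, 28 Aug 2014 23:27:49 +0200
Received: from gastecker155 ([unknown] [91.113.144.26])
 by vms173023.mailsrvcs.net
 (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
 with ESMTPA id <0NAY005VB70TO9B0@vms173023.mailsrvcs.net> for
 kuno.westermann@web.de; Tue, 26 Aug 2014 23:27:10 -0500 (CDT)
From: "Stellvertretender Rechtsanwalt" <my_address@my_mail_ISP>
To: "Kuno Westermann" <kuno.westermann@web.de>
Subject: Die automatische Kontoabbuchung konnte nicht vorgenommen werden
Date: Wed, 27 Aug 2014 04:26:53 +0000 (GMT)'

received_chain_sample() { printf '%s\n' "$SAMPLE_HEADERS" | received_chain; }
origin_ip_sample()      { printf '%s\n' "$SAMPLE_HEADERS" | origin_ip; }

received_chain_sample
```

Run against the quoted block, the first hop reads "gastecker155, 91.113.144.26, by vms173023.mailsrvcs.net, ESMTPA": the message was handed to the Verizon submission server by a client calling itself gastecker155, authenticated, and only then relayed via web.de to t-online.de. Whether 91.113.144.26 is the poster's own address is exactly the comparison unSpawn's "obfuscate your IP" request is about; the "Return-Path:" header he mentions is absent from the quoted block, so only the Received chain is available here.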
 
Old 09-02-2014, 02:04 PM   #8
andymck
Member
 
Registered: Aug 2006
Location: Garland, TX, USA
Distribution: Fedora
Posts: 90

Original Poster
Rep: Reputation: 15
What with one thing and another, I've decided to upgrade to Fedora 20 before taking this too much further. That will take me a day or so, between doing the upgrade installation and making sure everything still works. I'll repost when that's done and I've had a chance to re-evaluate if this problem still exists.

Followup: The upgrade is complete and I'm no longer seeing any "Message delayed/deleted" emails from my server. That may mean that whatever was sending out the bogus messages is now sending them out correctly, but I think it means that whatever malware I was suffering from is no longer functional. Are the "bad" files still there, but dormant? I don't know. Was it the upgrade that fixed it, or just the re-install? I don't know that either. If the problem comes back, I'll address it again then; until then, I'll keep looking for files that don't belong, but frankly I'm not optimistic about finding anything.

I did see one thing interesting before the upgrade: I once saw that lsof was reporting files being held open by Evolution. Since I use Thunderbird exclusively, that was definitely suspicious. I didn't install Evolution in this round, so that may be why the problem has gone dormant. It's possible that doing a system-wide grep for "Evolution" will find something, and I will try that. We'll see.

Last edited by andymck; 09-03-2014 at 04:58 PM. Reason: new information
 
  

