LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-17-2010, 08:59 AM   #1
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Rep: Reputation: 17
Has my server been compromised? Receiving strange mails.


My webserver is running Debian Etch and up until last February, I've always done every single security update available (and applicable) for my server. But Etch is no longer maintained and I haven't upgraded to Lenny yet because I was afraid to do so.

But today I received a strange email (all admin mails from the webserver are redirected to my mailbox on the webserver). Actually, I had received a few weird emails earlier but more on that later.

Anyway, today I received this mail (I replaced the true domain name for obvious reasons; everything I changed is in grey):

Code:
From - Sun Oct 17 15:35:47 2010
X-Account-Key: account1
X-UIDL: UID56456-1181516889
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:                                                                                 
Return-Path: <www-data@hostname.mydomain.com>
X-Original-To: webmaster@localhost
Delivered-To: webmaster@localhost.mydomain.com
Received: by hostname.mydomain.com (Postfix, from userid 33)
	id 78F6F228E2; Sun, 17 Oct 2010 12:53:16 +0200 (CEST)
To: webmaster@localhost.mydomain.com
Subject: does it work
From: webmaster@localhost.domain.com
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx"
Message-Id: <20101017105316.78F6F228E2@hostname.mydomain.com>
Date: Sun, 17 Oct 2010 12:53:16 +0200 (CEST)

This is a multi-part message in MIME format.

--==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx
Content-Type:text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

yes

--==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx
Content-Type: application/octet-stream;
 name="example.php"
Content-Transfer-Encoding: base64

PD8KaW5jbHVkZSgibWFpbGVyLmNsYXNzLnBocCIpOwokbWFpbGVyPW5ldyBtYWlsZXIoIndlYm1h

c3RlckBsb2NhbGhvc3QiLCJkb2VzIGl0IHdvcmsiLCJ5ZXMiLCJGcm9tOiB3ZWJtYXN0ZXJAbG9j

YWxob3N0Iik7CiRtYWlsZXItPmZpbGUoImV4YW1wbGUucGhwIik7CiRtYWlsZXItPmF0dGFjaCgi

dGV4dC9wbGFpbiIsInNlZS50eHQiLCJ0YWRhIDIgYXR0YWNobWVudHMiKTsKJHRlc3Q9JG1haWxl

ci0+c2VuZCgpOwplY2hvICR0ZXN0PyJzZW50IjoiZXJyb3IiOwo/Pg==



--==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx
--==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx
Content-Type: text/plain;
 name="see.txt"
Content-Transfer-Encoding: base64

dGFkYSAyIGF0dGFjaG1lbnRz



--==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx
It looks like it's mail sent from my own webserver (I have postfix running on it). It has two attachments: one is "example.php", the other "see.txt". My mail client displays the first as the text "Yes", and the second as "tada 2 attachments".

If I look in my mail log, I find this:

Code:
Oct 17 12:53:16 hostname postfix/cleanup[24036]: 78F6F228E2: message-id=<20101017105316.78F6F228E2@hostname.mydomain.com>
Oct 17 12:53:16 hostname postfix/qmgr[23530]: 78F6F228E2: from=<www-data@hostname.mydomain.com>, size=1469, nrcpt=1 (queue active)
Oct 17 12:53:16 hostname postfix/local[24038]: 78F6F228E2: to=<myname@hostname.mydomain.com>, orig_to=<webmaster@localhost>, relay=local, delay=0.13, delays=0.04/0/0/0.09, dsn=2.0.0, status=sent (delivered to maildir)
Oct 17 12:53:16 hostname postfix/qmgr[23530]: 78F6F228E2: removed
So what's up? My mailserver isn't an open relay but apparently someone has found a way in. What can I do to find out what's going on?
 
Old 10-17-2010, 09:06 AM   #2
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
Rep: Reputation: 17
UID 33 (www-data) is the web user, so I guess someone is sending mail through an exploit of perhaps phpBB or something?
 
Old 10-17-2010, 10:10 AM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
If you decode the base64 stuff, you'll find it is a PHP program that is trying to send the files you've seen as attachments. So you may be on to something expecting phpBB to be one of the culprits. However, we like to start with facts here, so at this point I would do a few things to try and gather some evidence as to what actually happened.

- Look for the attachment files and see if they are in an odd location, or are owned by someone unusual. Also look and see if the dates around those files make any sense
- Have a good long look at your log files for anything out of the ordinary. Any dates you got from the files may be a clue, but go through the files pretty completely
- Look and see if there is anything listening that shouldn't be. lsof -Pwn and netstat -pane would be good commands to run and look at. You also might run ps -asfxwwwe to see if any processes are looking odd.
- It would be helpful if you could give us an idea of what this server is doing/running. You've mentioned phpBB, which has a history of poor security, but is there anything else?

It would also be a phenomenally good idea to either completely sever this computer from the internet or put up a firewall that prevents all access except SSH from a trusted IP.
 
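The evidence-gathering steps above (decode the base64 attachment, check who submitted the mail, match the queue id against the Postfix log) can be scripted. The following is an added example for this thread, not code posted by anyone in it: it parses a MIME message with Python's standard `email` package, records a SHA-256 and a preview of every attachment, reads the submitting uid that Postfix stamps into the `Received:` header for locally submitted mail, and collects every mail-log line sharing the queue id logged for that Message-Id. The mail and log lines are constructed to resemble the ones quoted in the thread (domain and PHP body changed); the function names are this example's own.

```python
"""Triage a locally submitted mail: decode its MIME attachments and tie its
Postfix queue id back to the mail log. Added example for this thread, not code
posted by anyone in it; the sample mail and log are constructed to resemble
the ones quoted above, and the function names are this example's own."""
import email
import hashlib
import re
from email import policy

# Constructed sample mail, submitted locally by uid 33 (www-data on Debian).
SAMPLE_MAIL = b"""Return-Path: <www-data@hostname.example.com>
Received: by hostname.example.com (Postfix, from userid 33)
\tid 78F6F228E2; Sun, 17 Oct 2010 12:53:16 +0200 (CEST)
From: webmaster@localhost.example.com
Subject: does it work
Content-Type: multipart/mixed; boundary="==XBOUNDARYX"
Message-Id: <20101017105316.78F6F228E2@hostname.example.com>

--==XBOUNDARYX
Content-Type: text/html; charset="iso-8859-1"

yes

--==XBOUNDARYX
Content-Type: application/octet-stream; name="example.php"
Content-Transfer-Encoding: base64

PD8gZWNobyAiaGVsbG8iOyA/Pg==

--==XBOUNDARYX
Content-Type: text/plain; name="see.txt"
Content-Transfer-Encoding: base64

dGFkYSAyIGF0dGFjaG1lbnRz

--==XBOUNDARYX--
"""

# Constructed Postfix log: pickup records the submitting uid, cleanup records
# the Message-Id, and every later line for the mail shares queue id 78F6F228E2.
SAMPLE_LOG = """\
Oct 17 12:53:16 hostname postfix/pickup[23529]: 78F6F228E2: uid=33 from=<www-data>
Oct 17 12:53:16 hostname postfix/cleanup[24036]: 78F6F228E2: message-id=<20101017105316.78F6F228E2@hostname.example.com>
Oct 17 12:53:16 hostname postfix/qmgr[23530]: 78F6F228E2: from=<www-data@hostname.example.com>, size=1469, nrcpt=1 (queue active)
Oct 17 12:53:16 hostname postfix/local[24038]: 78F6F228E2: to=<myname@hostname.example.com>, orig_to=<webmaster@localhost>, relay=local, delay=0.13, delays=0.04/0/0/0.09, dsn=2.0.0, status=sent (delivered to maildir)
Oct 17 12:53:16 hostname postfix/qmgr[23530]: 78F6F228E2: removed
Oct 17 13:01:02 hostname postfix/cleanup[24101]: A1B2C3D4E5: message-id=<other@hostname.example.com>
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/"
                    r"(?P<prog>\S+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<detail>.*)$")
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")  # key=<value> or key=value pairs


def parse_message(raw):
    """Header facts plus one record per named attachment (decoded, hashed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Postfix's sendmail(1) stamps the submitting uid; SMTP mail shows a host instead.
    m = re.search(r"from userid (\d+)", msg.get("Received", ""))
    info = {"message_id": msg.get("Message-Id", "").strip(),
            "submitting_uid": int(m.group(1)) if m else None, "attachments": []}
    for part in msg.walk():
        if part.is_multipart() or not part.get_filename():
            continue
        data = part.get_payload(decode=True)  # undoes base64/quoted-printable
        info["attachments"].append({
            "name": part.get_filename(), "content_type": part.get_content_type(),
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "looks_like_php": data.lstrip().startswith(b"<?"),
            "preview": data[:60].decode("latin-1")})
    return info


def correlate_log(log_text, message_id):
    """Find the queue id cleanup logged for message_id, then merge every
    key=value field Postfix logged under that queue id. None if not found."""
    entries = [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]
    for e in entries:
        e["fields"] = dict(KV_RE.findall(e["detail"]))
    qids = [e["qid"] for e in entries if e["fields"].get("message-id") == message_id]
    if not qids:
        return None
    facts = {"queue_id": qids[0], "programs": []}
    for e in entries:
        if e["qid"] == qids[0]:
            facts["programs"].append(e["prog"])
            for k, v in e["fields"].items():
                facts[k] = v.strip("<>")
    return facts


def triage(raw_mail, log_text):
    """Who submitted the mail, what it carried, and how Postfix handled it."""
    info = parse_message(raw_mail)
    info["log"] = correlate_log(log_text, info["message_id"])
    # uid 33 is www-data on Debian, so the mail came out of the web server
    # (a site script or anything else running as that user), not over SMTP.
    info["submitted_by_web_server"] = info["submitting_uid"] == 33
    return info


if __name__ == "__main__":
    result = triage(SAMPLE_MAIL, SAMPLE_LOG)
    print("submitted by uid", result["submitting_uid"], "web server:", result["submitted_by_web_server"])
    for a in result["attachments"]:
        print(f"  {a['name']:<12} {a['size']:>4} B php={a['looks_like_php']} sha256={a['sha256'][:16]}...")
    print("postfix:", result["log"])
```

The two uid sources are independent: the `Received:` line lives in the message and the `uid=` field in pickup's log line, so they should agree for a genuine local submission. The attachment hashes give you something to search the web root for (`find /var/www -type f -exec sha256sum {} +` and grep for the digest), which is the "look for the attachment files" step above.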
Old 10-17-2010, 02:36 PM   #4
Zippy1970
Member
 
Registered: Sep 2007
Posts: 119

Original Poster
Rep: Reputation: 17
Ok, going through all my log files, I found out where it came from. Apparently, one of my clients was testing a small mail script for one of his websites.

Guess I was just a little paranoid.
 
Old 10-17-2010, 05:43 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by Zippy1970 View Post
Guess I was just a little paranoid.
That's probably a whole lot better than not being a little paranoid. Maybe you should look into something like Aide or Samhain, either of which would monitor your file system for changes. It might help tracking down issues like this in the future.
 
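To show what the file-system monitoring recommended above actually does, here is an added example that is not part of the thread and is not code from AIDE or Samhain: it records a baseline of a directory tree (SHA-256, size, mode, owner, mtime per file), stores it as JSON, and later reports which files were added, removed, or changed and which attributes changed. A dropped script or an edited page shows up in the first compare run after the fact, which is the kind of evidence that would have settled this thread's question in minutes. The function names and the throwaway tree in `demo()` are this example's own.

```python
"""Minimal file-integrity check in the spirit of AIDE or Samhain. Added example
for this thread, not code from those tools or from anyone in the thread; it
shows what such a tool records and compares, not their formats. The names are
this example's own and the tree built in demo() is constructed."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Per-file record; regular files get a SHA-256, symlinks their target."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": oct(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Map of root-relative path -> fingerprint for every non-directory entry."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            base[os.path.relpath(full, root)] = fingerprint(full)
    return base


def compare(old, new):
    """What appeared, vanished, or changed, and for changes which attributes."""
    changed = {}
    for rel in old.keys() & new.keys():
        diff = sorted(k for k in old[rel].keys() | new[rel].keys()
                      if old[rel].get(k) != new[rel].get(k))
        if diff:
            changed[rel] = diff
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}


def save_baseline(base, path):
    # Keep the baseline where the web server cannot write it (off-host or
    # read-only media): a baseline an intruder can edit proves nothing.
    with open(path, "w") as f:
        json.dump(base, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Baseline a constructed web root, change it, and return the comparison."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "index.php", "<?php echo 'site'; ?>")
        _write(root, "css/site.css", "body { margin: 0 }")
        db = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), db)
        # Simulated later state: a page edited, a new script in uploads/, a file gone.
        _write(root, "index.php", "<?php echo 'site changed'; ?>")
        _write(root, "uploads/new.php", "<?php echo 'new'; ?>")
        os.remove(os.path.join(root, "css", "site.css"))
        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Real tools add what this omits: signed databases, a list of which attributes to ignore for log files that legitimately grow, and scheduled runs with mailed reports. The comparison logic is the same, and a nightly compare run against a web root is exactly the report that would have pointed straight at the client's test script.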