Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a Zentyal server, and today I got a message from Hotmail: "Your domain is blocked for spam activities"
Checking my auth.log I could see this message:
ebox : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/var/lib/zentyal/tmp/UKipoqrRQ4.cmd
I'm not using root as a user; does this mean that my server has been hacked?
Also I don't understand the .cmd files in /var/lib/zentyal/tmp/
Quote:
Originally Posted by ctamayoa
I'm not using root as a user; does this mean that my server has been hacked?
(..) I don't understand the .cmd files in /var/lib/zentyal/tmp/
Not necessarily: "TTY=unknown" means the process doesn't have a terminal attached like a user would have on login, "PWD=/" could denote an automated process like a cron daemon, and /var/lib/zentyal/tmp/ seems to be a directory for temporary files.
It wouldn't hurt to look at what services your machine runs (web server, email, FTP and other servers), their logs and user login records. Do you have shell access via SSH or do you only use the web-based management panel?
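The sudo record unSpawn is decoding has a fixed field layout (invoking user, TTY, PWD, target USER, COMMAND), so the same reading can be applied mechanically to every sudo line in auth.log instead of to one pasted record. The following is an added example, not code from the thread or from Zentyal, that parses such records, including the one quoted above, and lists the observations a reviewer would note before deciding whether to dig deeper. The record from the thread is real; the hostname `zentyal`, the `administrator` login line, the sshd line and the `TEMP_DIRS` list are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# sudo writes one record per invocation to auth.log. After the syslog prefix
# ("Nov 12 13:59:01 host sudo:") the record reads:
#   <invoking user> : TTY=<tty> ; PWD=<cwd> ; USER=<target user> ; COMMAND=<path and args>
# The prefix is optional so that a bare record, as pasted in the thread, parses too.
SUDO_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sudo:\s+)?"
    r"(?P<user>\S+)\s*:\s*TTY=(?P<tty>\S+)\s*;\s*PWD=(?P<pwd>\S+)\s*;\s*"
    r"USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.+)$"
)

# Directories where a properly installed service rarely keeps executables (assumed list);
# /var/lib/zentyal/tmp/ is included because it is the path from the thread.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/lib/zentyal/tmp/")


@dataclass
class SudoEvent:
    user: str
    tty: str
    pwd: str
    target: str
    command: str

    @property
    def interactive(self) -> bool:
        """True when a terminal was attached (pts/0, tty1, ...); cron jobs and daemons log TTY=unknown."""
        return self.tty != "unknown"


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return the parsed record, or None for lines that are not sudo records."""
    m = SUDO_RE.match(line.strip())
    if m is None:
        return None
    return SudoEvent(m["user"], m["tty"], m["pwd"], m["target"], m["cmd"].strip())


def review(event: SudoEvent) -> List[str]:
    """Return the observations an analyst would note about one sudo record."""
    notes = []
    if not event.interactive:
        notes.append("no terminal attached (TTY=unknown): consistent with a daemon or cron job, not a login")
    if event.pwd == "/":
        notes.append("working directory is /: typical of a service started at boot")
    if event.command.startswith(TEMP_DIRS):
        notes.append("command lives in a temporary directory: confirm which package or service writes it")
    if event.target == "root" and event.user != "root":
        notes.append(f"privilege change {event.user} -> root: check that {event.user!r} is a service account with a sudoers entry")
    return notes


# Constructed sample: the first record is the one quoted in the thread; the other two
# are made up to show an interactive login and a line that is not a sudo record.
SAMPLE_LINES = [
    "ebox : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/var/lib/zentyal/tmp/UKipoqrRQ4.cmd",
    "Nov 12 14:02:11 zentyal sudo: administrator : TTY=pts/0 ; PWD=/home/administrator ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Nov 12 14:02:11 zentyal sshd[2210]: Accepted password for administrator from 192.168.1.20 port 50122 ssh2",
]


def triage(lines) -> List[tuple]:
    """Parse every line, skipping non-sudo records; returns (event, notes) pairs."""
    results = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is not None:
            results.append((ev, review(ev)))
    return results


if __name__ == "__main__":
    for ev, notes in triage(SAMPLE_LINES):
        print(f"{ev.user} -> {ev.target} via {ev.tty}: {ev.command}")
        for n in notes:
            print("   -", n)
```

Run it against a real file with `triage(open("/var/log/auth.log"))`; the notes are prompts for the next check (which service owns the account, what writes the temp directory), not a verdict, which matches unSpawn's "not necessarily".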
Thanks a lot for your help. I can access the server by SSH and by the web-based management (Zentyal control panel), but both are only accessible from the local network.
But a Russian hacker is still sending spam from my server.
Quote:
Originally Posted by unSpawn
Not necessarily: "TTY=unknown" means the process doesn't have a terminal attached like a user would have on login, "PWD=/" could denote an automated process like a cron daemon, and /var/lib/zentyal/tmp/ seems to be a directory for temporary files.
It wouldn't hurt to look at what services your machine runs (web server, email, FTP and other servers), their logs and user login records. Do you have shell access via SSH or do you only use the web-based management panel?
Also, why does that log show root? I have no user root, only administrator.
Last edited by unSpawn; 11-12-2012 at 01:59 PM.
Reason: //Merge
Quote:
Originally Posted by ctamayoa
I can access the server by SSH and by the web-based management (Zentyal control panel), but both are only accessible from the local network.
Good precaution.
Quote:
Originally Posted by ctamayoa
But a Russian hacker is still sending spam from my server.
OK, tell us what your web server provides, like Joomla or another CMS, WordPress, maybe a forum or statistics package, that kind of software; look at your standard syslog and mail server log files for clues; as root run the lastlog, last and who commands to check who has accessed your server, and list the files in /var/lib/zentyal/tmp/.
Quote:
Originally Posted by ctamayoa
Also, why does that log show root? I have no user root, only administrator.
"root" is a standard account in UNIX. It is not (or should not be) used as a user account, only for system maintenance.
Sorry, I'm wrong: I have no CMS, no webpages are located on my server.
The only web app is the default control panel of Zentyal.
Can I post some logs here please?
Last edited by unSpawn; 11-12-2012 at 03:15 PM.
Reason: //Fix quote tag
then check the plain text file "/tmp/output.log" for any IP addresses you need to obscure, then attach the file to your reply.
Thanks a lot for your help, my friend.
I did just what you said but I couldn't find an IP that doesn't belong to our network.
Here I uploaded "output.log"
I also uploaded the mail.log file
Can you check them out please?
I can't figure out how my server is used for spamming activities. What log do I have to check? Because I have no clue about this.
But I can see that it is still sending spam because in Spamhaus I'm getting this message:
IP Address 186.101.6.94 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2012-11-12 17:00 GMT (+/- 30 minutes), approximately 13 hours ago.
This IP is infected (or NATting for a computer that is infected) with the cutwail spambot. In other words, it's participating in a botnet.
Last edited by unSpawn; 11-13-2012 at 07:01 AM.
Reason: //Removed attachments
Thanks. It seems your "administrator" account does not have the rights you need: you have to be root or be able to run the commands as root. Since I noticed you run Postgrey I also added that as reporting tool. Please run this modified set of commands as root user:
Thanks a lot again for your time. Maybe if before running this command line I type sudo, because I don't know how else I can run it as root.
I mean like this:
Code:
sudo ( [ `id -u` -eq 0 ]|| exit.........
Last edited by unSpawn; 11-13-2012 at 09:25 AM.
Reason: //Fix quotes *again*???
Really, thank you my friend.
I just did it.
Unfortunately I can't upload the log here because its size is too big.
Here I uploaded the output.log: http://mailing-ecuador.info/output1.log
By the way, the Spamhaus report says:
This IP is infected (or NATting for a computer that is infected) with the cutwail spambot. In other words, it's participating in a botnet.
So I guess some computer in my local network is infected with the Cutwail spambot, but I need to find which one it is.
I would like to know if there is a way to log all outgoing emails with Postfix.
Last edited by ctamayoa; 11-14-2012 at 12:56 AM.
Reason: Added more text
Can't open ..nosingle_line: No such file or directory at /usr/bin/postgreyreport line 184.
Can't open ..check_sender=mx,a: No such file or directory at /usr/bin/postgreyreport line 184.
Can't open ..separate_by_subnet==net=\n: No such file or directory at /usr/bin/postgreyreport line 184.
Please check your postgreyreport man page on how to run it.
Quote:
Originally Posted by ctamayoa
So I guess some computer in my local network is infected with the Cutwail spambot, but I need to find which one it is.
Back to the local network infection I'll ask a few questions so I better understand things:
* By approximation, how long has this infection been going on?
* Have you had earlier cases of LAN machines being infected and what did you do at that time?
* How many machines are in your LAN and how many of those run Windows?
I'll outline in short what you should do:
0. Perform log analysis of all network and related log files in /var/log including Squid, Dansguardian and ClamAV and their rotated logs (as in "/var/log/dansguardian/access.log.*.gz"). Include bwmonitor logs in your analysis, maybe the amount of traffic or timing may provide clues,
1. Remove all white listing in Dansguardian because all in- and outbound network traffic must be scanned,
2. Review your firewall rules so no traffic passes in or out without filtering,
3. Remove all white listing in Postgrey (/etc/postgrey/whitelist_* ?) because all in- and outbound mail traffic must be subject to filtering,
4. Snort IDS seems to be supported in Zentyal so install it. While the current rules only consider Cutwail Command and Control URI's (Pushdo A, B and C because D encrypts traffic) it's better than nothing. Get the rule set from the Snort website, disable rules for services you don't run or that are otherwise outside of the scope (like deleted, Oracle, SCADA, VoIP, etc, etc). The rule set you must keep is botnet-cnc.rules. Then get the rule set from the Emerging Threats web site and disable along the same lines. The rule you must keep is called emerging-current_events.rules,
5. Scan every LAN machine with what you know from the "Scanning your machine for exploits" document.
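Step 0 of the outline above (go through /var/log, including the rotated .gz copies of the proxy and filter logs, and look at traffic volume and timing) is the part that points at which LAN machine is the infected one, since every desktop reaches the Internet through the Zentyal box. The following is an added example, not code from the thread or from Zentyal, that reads current and rotated Squid access.log files and ranks proxy clients by request count, activity during quiet hours, distinct hosts contacted and CONNECT tunnels to ports other than 443. The Squid native log layout is real; the sample log lines, the client addresses 192.168.1.50 and 192.168.1.20, the RFC 5737 destination addresses and the quiet-hours window are constructed assumptions, and Dansguardian's own access.log uses a different layout, so the regex would need adjusting for it.

```python
import gzip
import re
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Iterable, List

# Squid's native access.log layout (one request per line):
#   <epoch.ms> <elapsed ms> <client ip> <result/status> <bytes> <method> <url> <ident> <hierarchy/peer> <type>
SQUID_RE = re.compile(
    r"^(?P<ts>\d+)(?:\.\d+)?\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Hours (UTC) in which an office LAN should be nearly silent; assumed window, adjust to the site.
QUIET_HOURS = range(0, 6)


def open_log(path: Path):
    """Open a log file, transparently decompressing rotated copies such as access.log.3.gz."""
    if path.suffix == ".gz":
        return gzip.open(path, "rt", errors="replace")
    return open(path, "rt", errors="replace")


def iter_lines(paths: Iterable[Path]):
    for path in sorted(paths):
        with open_log(path) as fh:
            yield from fh


def host_of(url: str) -> str:
    # "http://host/path" for GET/POST; "host:port" for CONNECT tunnels
    if "://" in url:
        return url.split("/")[2]
    return url


def analyse(paths: Iterable[Path], quiet_hours=QUIET_HOURS) -> List[Dict]:
    """Per client: request total, quiet-hour requests, distinct hosts, CONNECTs to non-443 ports."""
    requests: Counter = Counter()
    quiet: Counter = Counter()
    hosts: Dict[str, set] = defaultdict(set)
    odd_connect: Dict[str, List[str]] = defaultdict(list)

    for line in iter_lines(paths):
        m = SQUID_RE.match(line)
        if m is None:
            continue  # blank, mangled, or a different log format
        client, method, url = m["client"], m["method"], m["url"]
        requests[client] += 1
        hosts[client].add(host_of(url))
        hour = datetime.fromtimestamp(int(m["ts"]), timezone.utc).hour
        if hour in quiet_hours:
            quiet[client] += 1
        # A tunnel to anything but 443 through the proxy deserves a look on a LAN of Windows desktops.
        if method == "CONNECT" and not url.endswith(":443") and url not in odd_connect[client]:
            odd_connect[client].append(url)

    report = []
    for client, total in requests.most_common():
        report.append({
            "client": client,
            "requests": total,
            "quiet_hour_requests": quiet[client],
            "distinct_hosts": len(hosts[client]),
            "odd_connect": odd_connect[client],
        })
    return report


def _squid_line(epoch: int, client: str, method: str, url: str) -> str:
    return f"{epoch}.412    118 {client} TCP_MISS/200 612 {method} {url} - DIRECT/203.0.113.5 text/html\n"


def write_demo_logs(directory: str) -> List[Path]:
    """Write a constructed current log and a rotated .gz log; RFC 5737 addresses stand in for real hosts."""
    midnight = int(datetime(2012, 11, 12, tzinfo=timezone.utc).timestamp())  # the day of the CBL listing
    noisy = [_squid_line(midnight + 3 * 3600 + i * 60, "192.168.1.50", "GET", "http://198.51.100.7/ping.php") for i in range(30)]
    noisy.append(_squid_line(midnight + 3 * 3600 + 1800, "192.168.1.50", "CONNECT", "198.51.100.9:8080"))
    normal = [_squid_line(midnight + 10 * 3600 + i * 60, "192.168.1.20", "GET", "http://www.example.com/") for i in range(5)]
    rotated = Path(directory) / "access.log.1.gz"
    current = Path(directory) / "access.log"
    with gzip.open(rotated, "wt") as fh:
        fh.writelines(noisy[:15])
    with open(current, "w") as fh:
        fh.writelines(noisy[15:] + normal + ["\n", "not a squid line\n"])
    return [rotated, current]


def run_demo() -> List[Dict]:
    with tempfile.TemporaryDirectory() as d:
        return analyse(write_demo_logs(d))


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

On the real box the call is `analyse(Path("/var/log/squid").glob("access.log*"))`; a client that tops the list while the office is empty, or that repeatedly polls one address with a script-like URL, is the machine to take off the network and scan first (step 5).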
Quote:
Originally Posted by unSpawn
Can't open ..nosingle_line: No such file or directory at /usr/bin/postgreyreport line 184.
Can't open ..check_sender=mx,a: No such file or directory at /usr/bin/postgreyreport line 184.
Can't open ..separate_by_subnet==net=\n: No such file or directory at /usr/bin/postgreyreport line 184.
Please check your postgreyreport man page on how to run it.
This is what happens when you try to run postgreyreport with sudo. You need to run it from a root prompt. I tried this yesterday on an Ubuntu host and got this exact same result, line number 184 and everything, which is what prompted me to make the post about using sudo -i to get the root shell.
Quote:
Originally Posted by unSpawn
Back to the local network infection I'll ask a few questions so I better understand things:
* By approximation, how long has this infection been going on?
* Have you had earlier cases of LAN machines being infected and what did you do at that time?
* How many machines are in your LAN and how many of those run Windows?
1) This infection has been going on for approximately two and a half weeks.
2) It is the first time I see a critical virus on my LAN. It happened before, but with little pen drive viruses; I always have my NOD32 antivirus updated and running on every machine, and if there is still a problem I delete it manually.
3) I have 20 machines in my LAN with Windows.
Quote:
Originally Posted by unSpawn
I'll outline in short what you should do:
0. Perform log analysis of all network and related log files in /var/log including Squid, Dansguardian and ClamAV and their rotated logs (as in "/var/log/dansguardian/access.log.*.gz"). Include bwmonitor logs in your analysis, maybe the amount of traffic or timing may provide clues,
1. Remove all white listing in Dansguardian because all in- and outbound network traffic must be scanned,
2. Review your firewall rules so no traffic passes in or out without filtering,
3. Remove all white listing in Postgrey (/etc/postgrey/whitelist_* ?) because all in- and outbound mail traffic must be subject to filtering,
4. Snort IDS seems to be supported in Zentyal so install it. While the current rules only consider Cutwail Command and Control URI's (Pushdo A, B and C because D encrypts traffic) it's better than nothing. Get the rule set from the Snort website, disable rules for services you don't run or that are otherwise outside of the scope (like deleted, Oracle, SCADA, VoIP, etc, etc). The rule set you must keep is botnet-cnc.rules. Then get the rule set from the Emerging Threats web site and disable along the same lines. The rule you must keep is called emerging-current_events.rules,
5. Scan every LAN machine with what you know from the "Scanning your machine for exploits" document.