Yep. Firewalling the server is not a real solution because the server
is not being re-infected; it is simply reinstalling the components
that were removed by the cleaning.
I have seen this before on a client's server where they were spewing
spam and they found a ton of traffic on an odd port. When I telneted to
this port, it answered with a Postfix-style answer, yet this was a
Windows machine running IMail. They were almost surely hacked through
IMail as they were running a vulnerable version (8.15).
Their solution was to firewall the server, and that did stop their
primary issue of being used as a spam proxy; however, there is no doubt
that the server was rooted and everything on it was compromised. Surely
if the hijacker cared, they could own the server once again. They
likely haven't been re-owned because much of this sort of activity is
fully automated. That doesn't mean, however, that there aren't multiple
bot-net owners with access to the box, and every one of them can not
only gain access to all of the passwords should they care to do so, but
could also destroy the server and gain access to other servers and
your backups.
The only safe thing to do is format and reinstall, change all other
passwords, and carefully inspect your other servers for odd access
and odd accounts.
When running any server attached to the Internet, all unnecessary ports
should be blocked, and every piece of software that handles connections
on that server needs to be patched regularly. If you have the
capabilities and understanding, blocking outbound ports that aren't
necessary can also be a benefit. For instance, oftentimes the initial
infection installs an IRC client and uses that to download additional
software from an IRC channel, or at least announces itself as being ready
for exploitation.
Matt
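An added example, not code from this thread or from Ipswitch, of the kind of triage Matt describes: it reads the table printed by `netstat -ano` on a Windows host, flags TCP listeners that are not on an allowlist of expected services (the "odd port" in his story), flags established connections to IRC ports (the bot announcing itself), and correlates the two by owning PID. The allowlist (25/110/143/3389 for a mail-only box), the IRC port range (6660-6669 and 7000) and the sample netstat output are all constructed assumptions for the demonstration.

```python
"""Triage a Windows ``netstat -ano`` dump for signs that a mail host is owned.

Added example, not code from the IMail forum thread or from Ipswitch. It flags
listening TCP ports that are not on an allowlist of expected services and
established connections to IRC ports, then correlates the two by owning PID.
The allowlist, the IRC port range and the sample netstat output are all
constructed assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumption: a mail-only Windows host offering SMTP, POP3, IMAP and RDP for admin.
EXPECTED_LISTENERS: Set[int] = {25, 110, 143, 3389}

# Assumption: classic IRC port range plus 7000; the thread names IRC but no ports.
IRC_PORTS: Set[int] = set(range(6660, 6670)) | {7000}


@dataclass(frozen=True)
class Conn:
    proto: str
    lhost: str
    lport: int
    fhost: str
    fport: Optional[int]   # None when netstat prints '*' (UDP wildcard)
    state: str             # '' for UDP, which has no state column
    pid: int


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' (IPv4, [IPv6] or '*:*') into (host, port-or-None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    """Parse the table printed by 'netstat -ano'; header and blank lines are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        if proto == "TCP" and len(parts) == 5:
            state, pid = parts[3], int(parts[4])
        elif proto == "UDP" and len(parts) == 4:
            state, pid = "", int(parts[3])
        else:
            continue  # malformed row; do not guess at it
        lhost, lport = _split_endpoint(parts[1])
        fhost, fport = _split_endpoint(parts[2])
        if lport is None:
            continue
        conns.append(Conn(proto, lhost, lport, fhost, fport, state, pid))
    return conns


def unexpected_listeners(conns: List[Conn], allow: Set[int] = EXPECTED_LISTENERS) -> List[Tuple[int, int]]:
    """(port, pid) pairs for TCP listeners outside the allowlist."""
    return sorted({(c.lport, c.pid) for c in conns
                   if c.proto == "TCP" and c.state == "LISTENING" and c.lport not in allow})


def irc_callbacks(conns: List[Conn], irc_ports: Set[int] = IRC_PORTS) -> List[Conn]:
    """Established TCP sessions whose remote port is an IRC port."""
    return [c for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED" and c.fport in irc_ports]


def suspect_pids(conns: List[Conn]) -> Set[int]:
    """PIDs that both listen on an unexpected port and talk to IRC."""
    listeners = {pid for _, pid in unexpected_listeners(conns)}
    return listeners & {c.pid for c in irc_callbacks(conns)}


# Constructed sample (RFC 5737 documentation addresses), not real netstat output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2760
  TCP    192.0.2.10:25          198.51.100.7:41022     ESTABLISHED     1204
  TCP    192.0.2.10:1187        203.0.113.44:6667      ESTABLISHED     2760
  UDP    0.0.0.0:123            *:*                                    1008
"""

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for port, pid in unexpected_listeners(conns):
        print(f"unexpected listener: tcp/{port} owned by PID {pid}")
    for c in irc_callbacks(conns):
        print(f"IRC callback: PID {c.pid} -> {c.fhost}:{c.fport}")
    print("suspect PIDs:", sorted(suspect_pids(conns)))
```

Run it against a real `netstat -ano` capture by reading the file into `parse_netstat`. Treat a clean result as weak evidence only: a kernel-level rootkit can hide its sockets from netstat on the box itself, which is why the thread's advice to format and reinstall still stands even when this kind of check finds nothing.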
Doug Traylor wrote:
I finally closed every port on the server <snip>
<snip> it sure was easier than a re-format and reinstall.
And does absolutely zero good if you have been root-kitted and your
passwords compromised.
Richard,
Take Matt's advice. Your mail server, and likely other computers in your
network, are under the control of someone else now. The only way to be safe is
to nuke it and change all admin passwords at a minimum. Be sure to make a
note that the backups (you do backups, don't you?) are infected too and to
treat them accordingly in case a restore is needed from them.
Good luck,
Doug Traylor
PS. Now might be a good time to build up that new server you've been
wanting and just switch over to it. You know you want to. :o)
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/