Sniff (ngrep) filtering on the network they are using in the attack (41.138.160.0/19)

e.g. ngrep -d eth0 net 41.138.160.0/19

#################################################
Victório Felipe
http://choppnerd.com
linux user #306117 - counter.li.org
         Slackware Linux                          FreeBSD
               Because it works!                     The Power To Serve
#################################################


2010/7/14 Fernando Cordeiro <[email protected]>

> It didn't really work.
>
> The source ran the script again and nothing identifying the account
> was recorded in the log:
>
> *** ENVELOPE RECORDS deferred/F/F036E2D94EB4 ***
> message_size:            2475            2505              50               0
> message_arrival_time: Wed Jul 14 17:33:38 2010
> sender: [email protected]
> named_attribute: client_address=41.138.179.204
> named_attribute: message_origin=unknown[41.138.179.204]
> named_attribute: helo_name=User
> named_attribute: protocol_name=ESMTP
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> *** MESSAGE CONTENTS deferred/F/F036E2D94EB4 ***
> Received: from User (unknown [41.138.179.204])
>        by webmail.SERVER.COM.br (Postfix) with ESMTP id B51652D94C32;
>        Wed, 14 Jul 2010 17:33:38 -0300 (BRT)
> Reply-To: <[email protected]>
> From: "Web Administration" <[email protected]>
> Subject:  Dear email user
> Date: Wed, 14 Jul 2010 21:32:44 +0100
> MIME-Version: 1.0
> Content-Type: text/plain;
>        charset="Windows-1251"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> Message-Id: <[email protected]>
> To: undisclosed-recipients:;
> X-SERVER.COM.br-MailScanner: Found to be clean
> X-SERVER.COM.br-MailScanner-SpamCheck:
> X-SERVER.COM.br-MailScanner-From: [email protected]
>
> This is to inform you, that we will be carrying out a seven days
> maintenance on our site starting from today to enable us control the
> rate of spammers and to upgrade our webpage into our new version in
> other to acceleration this site for a faster connection. During this
> period of maintenance you will experience difficulty in logging your
> account.  To prevent you from loosing access to your account, you are
> therefore required to activate your account by sending down the your
> account details.
>
> User name:
> Password:
> Date of birth:
> error codes: fh6xr
>
> NB:  We will not be liable for any lost account. Subscriber who did
> not comply with us during this exercise is at his/her own risk.
>
> We are truly sorry for any inconvenience.
>
> Regards,
> Administration Center.
>
> DISCLAIMER:
>
> "This communication is intended only for the named recipient and
> others authorized to receive it. It contains confidential or legally
> privileged information. If you are not the intended recipient, please
> notify us immediately, and note that any disclosure, copying,
> distribution or action you may take in reliance on this communication
> is strictly prohibited and may be unlawful. Unless indicated
> otherwise, this communication is not intended, nor should it be taken
> to create any legal and/or contractual relation or otherwise.  We are
> neither liable for the proper and complete transmission of the
> communication, nor for any delay in its receipt.
>
> Whilst we. undertakes all reasonable efforts to screen outgoing
> e-mails for viruses, it cannot be held liable for any viruses
> transmitted by this e-mail."
>
> --
> This message was checked by the
> anti-virus and anti-spam system.
>
> *** HEADER EXTRACTED deferred/F/F036E2D94EB4 ***
> *** MESSAGE FILE END deferred/F/F036E2D94EB4 ***
>
> Any other suggestions?
>
> On 14 July 2010 14:14, Alexandre Gorges <[email protected]>
> wrote:
> > Yes, that also helps. I use this with my mysql
> >
> > smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-login.cf
> > smtpd_sender_restrictions = ....
> > reject_authenticated_sender_login_mismatch,
> >  reject_sender_login_mismatch,
> > ....
> >
> > It works perfectly. Then it's up to you to configure it on your system.
> >
> >
> >
> >
> > []'s
> > Alexandre Gorges
> > http://www.google.com.br/profiles/algorges
> > MSN/Gtalk/iCHAT/Skype/Buzz: [email protected]
> > ICQ: 2031408
> >
> >
> >
> >
> >> From: Fernando Cordeiro <[email protected]>
> >> Reply-To: Lista Postfix-br <[email protected]>
> >> Date: Wed, 14 Jul 2010 14:02:15 -0300
> >> To: Lista Postfix-br <[email protected]>
> >> Subject: Re: [Postfix-BR] Server being used to send SPAM from several networks
> >>
> >> Alexandre, I added the line you suggested; I'll wait for someone else
> >> to try.
> >>
> >> Meanwhile I did some research and found this link with some interesting
> >> information, which I believe will also help. I'm testing it.
> >>
> >>
> >> http://www.linuxadm.com.br/2009/11/30/impedir-saida-de-emails-forjados-no-postfix/
> >>
> >> Here's the tip for you. I don't know whether it will work; to find out I'll
> >> unblock the network that was sending or running the attack.
> >>
> >> Let's see what happens.
> >>
> >>
> >>
> >> On 14 July 2010 11:30, irado furioso com tudo
> >> <[email protected]> wrote:
> >>> On Wed, 14 Jul 2010 10:36:15 -0300
> >>> Fernando Cordeiro <[email protected]>, known drug
> >>> consumer/user (Windows and BigMac with Coke), wrote:
> >>>
> >>>> Couldn't you find a way to identify which account it is coming from?
> >>>> In one of the messages I managed to identify one of the senders and
> >>>> changed the password; the problem is that there are more than 1000 accounts.
> >>>> I have to find the generic accounts.
> >>>>
> >>>> Any suggestions before this mass forced change? =/
> >>>
> >>> diego bernardo's tip should solve your problem, in addition to the password
> >>> change.
> >>>
> >>> since the procedures for this "break-in" are (normally) automated,
> >>> probably only one account was "contaminated" (at least that's how it
> >>> was here); examine one or two of the "refused" or "user unknown"
> >>> (unknown recipient) e-mails, which are the most likely to contain
> >>> the information that matters (account, etc.).
> >>>
> >>> --
> >>>  regards,
> >>>  irado furioso com tudo
> >>>  Linux User 179402/FreeBSD BSD50853/FUG-BR 154
> >>>  I don't use drugs - 100% Miko$hit-free
> >>> "I wonder what kind of society we live in, what democracy this is that
> >>> we have, where the corrupt live in impunity and people's hunger is
> >>> considered subversive" [Ernesto Sábato, Antes do Fim (1998)]
> >>> _______________________________________________
> >>> Postfix-BR mailing list
> >>> [email protected]
> >>> http://listas.softwarelivre.org/mailman/listinfo/postfix-br
> >>>
> >>
> >>
> >>
> >> --
> >> Fernando
> >> http://mula-veia.blogspot.com
> >
> >
> >
>
>
>
> --
> Fernando
> http://mula-veia.blogspot.com
>
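Added example, not code from the thread or from ngrep: once `ngrep -d eth0 -W byline net 41.138.160.0/19` (the `-W byline` option prints each payload line on its own line) is capturing the attacking network, the SMTP AUTH exchange is on the wire in the clear unless the client used STARTTLS, and the login name is one base64 decode away. The Python block below parses a constructed capture in that byline style and pulls the username out of both AUTH LOGIN (username and password behind two `334` prompts, or the username on the AUTH line itself) and AUTH PLAIN (inline, or sent after the empty `334` challenge), recording a failed decode instead of crashing on garbage and deliberately discarding the password. The packet headers and payloads are made up; the client IPs are taken from the /19 above, the server 203.0.113.25 and the login `suporte` are placeholders.

```python
"""Recover SMTP AUTH usernames from a plaintext capture (ngrep -W byline style)."""
import base64
import binascii
import re
from collections import defaultdict

SMTP_PORTS = {25, 587}
HEADER_RE = re.compile(r"^T (\S+):(\d+) -> (\S+):(\d+) \[")
AUTH_RE = re.compile(r"^AUTH\s+(PLAIN|LOGIN)(?:\s+(\S+))?\s*$", re.I)

# Constructed capture (not real traffic from the thread). In byline mode the CR of each
# CRLF shows up as a trailing ".", which is why payload lines below end that way.
SAMPLE_CAPTURE = """\
T 41.138.179.204:3412 -> 203.0.113.25:25 [AP]
EHLO User.
AUTH LOGIN.
T 203.0.113.25:25 -> 41.138.179.204:3412 [AP]
334 VXNlcm5hbWU6.
T 41.138.179.204:3412 -> 203.0.113.25:25 [AP]
c3Vwb3J0ZQ==.
T 203.0.113.25:25 -> 41.138.179.204:3412 [AP]
334 UGFzc3dvcmQ6.
T 41.138.179.204:3412 -> 203.0.113.25:25 [AP]
c2VuaGExMjM=.
T 203.0.113.25:25 -> 41.138.179.204:3412 [AP]
235 2.7.0 Authentication successful.
T 41.138.170.9:51020 -> 203.0.113.25:25 [AP]
EHLO User.
AUTH PLAIN AHN1cG9ydGUAc2VuaGExMjM=.
T 41.138.170.9:51021 -> 203.0.113.25:25 [AP]
AUTH PLAIN.
T 203.0.113.25:25 -> 41.138.170.9:51021 [AP]
334 .
T 41.138.170.9:51021 -> 203.0.113.25:25 [AP]
not-base64!!.
"""


def _b64(token):
    """Decode one base64 token; None when the client sent something that is not base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def _plain_username(token):
    """AUTH PLAIN carries authzid NUL authcid NUL password (RFC 4616); return the authcid."""
    raw = _b64(token)
    if raw is None:
        return None
    parts = raw.split(b"\x00")
    return parts[1].decode("utf-8", "replace") if len(parts) >= 3 else None


def _login_username(token):
    raw = _b64(token)
    return raw.decode("utf-8", "replace") if raw is not None else None


def extract_auth(capture):
    """One record per AUTH attempt: client IP, mechanism, decoded username (never the password)."""
    results = []
    flows = {}      # (client_ip, client_port) -> what the next client line means
    current = None  # (flow key, line came from the client?) for the packet being read
    for line in capture.splitlines():
        m = HEADER_RE.match(line)
        if m:
            src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            current = ((src, sport), True) if dport in SMTP_PORTS else ((dst, dport), False)
            continue
        if current is None or not current[1]:
            continue  # server replies are not needed, only the client's side
        key = current[0]
        text = line.rstrip(".").strip()
        state = flows.setdefault(key, {"step": None})
        m = AUTH_RE.match(text)
        if m:
            method, initial = m.group(1).upper(), m.group(2)
            if method == "PLAIN" and initial:          # AUTH PLAIN <base64> on one line
                results.append({"client": key[0], "method": method, "username": _plain_username(initial)})
                state["step"] = None
            elif method == "PLAIN":                      # client waits for the empty 334 first
                state["step"] = "plain"
            elif initial:                                # AUTH LOGIN <base64 username>
                results.append({"client": key[0], "method": method, "username": _login_username(initial)})
                state["step"] = "password"
            else:
                state["step"] = "username"
        elif state["step"] == "plain":
            results.append({"client": key[0], "method": "PLAIN", "username": _plain_username(text)})
            state["step"] = None
        elif state["step"] == "username":
            results.append({"client": key[0], "method": "LOGIN", "username": _login_username(text)})
            state["step"] = "password"
        elif state["step"] == "password":
            state["step"] = None  # this line is the password; intentionally not kept
    return results


def accounts_by_client(results):
    """Which account(s) each attacking IP is using, ignoring attempts that failed to decode."""
    grouped = defaultdict(set)
    for r in results:
        if r["username"]:
            grouped[r["client"]].add(r["username"])
    return {ip: sorted(users) for ip, users in grouped.items()}


if __name__ == "__main__":
    found = extract_auth(SAMPLE_CAPTURE)
    for r in found:
        print(r)
    print(accounts_by_client(found))
```

If the client issues STARTTLS, everything after it is encrypted and this approach sees nothing; the `sasl_username` on the smtpd log line is then the remaining source. The grouping function answers the question irado raised, whether the whole /19 is driving a single contaminated account or several.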
