Re: looking for a spammer/virii/malware .... on my system

2011-08-18 Thread alexus
ok

su-3.2# tcpdump -nnAvvvw webmail.west.cox.net 'dst host 68.6.19.1 and
(dst port 80 or 443)'
tcpdump: listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
Got 0

let's see what I capture...

On Mon, Aug 15, 2011 at 6:19 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
 --On August 15, 2011 2:04:27 PM -0400 alexus ale...@gmail.com wrote:

 I'm personally leaning towards thinking that these headers are being modified and
 that there is no spam leaving my box (I may be wrong of course)

 here is what I did to come up with that thought

 I sent myself an email


 The tcpdump command that Chuck gave you is all you need.  *If* all traffic
 exits your network through your box, you will see anything going to port 25
 *anywhere*.  That should tell you quickly what the problem is, if there is
 one.

 --
 Paul Schmehl, Senior Infosec Analyst
 As if it wasn't already obvious, my opinions
 are my own and not those of my employer.
 ***
 It is as useless to argue with those who have
 renounced the use of reason as to administer
 medication to the dead. Thomas Jefferson
 There are some ideas so wrong that only a very
 intelligent person could believe in them. George Orwell





-- 
http://alexus.org/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: looking for a spammer/virii/malware .... on my system

2011-08-18 Thread Chuck Swiger
On Aug 18, 2011, at 9:36 AM, alexus wrote:
 su-3.2# tcpdump -nnAvvvw webmail.west.cox.net 'dst host 68.6.19.1 and
 (dst port 80 or 443)'
 tcpdump: listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
 Got 0
 
 let's see what I capture...

You're going to capture traffic of people reading webmail from Cox.net.

However, as much as that might be interesting, it is not useful
for detecting outbound spam from a machine or network.

Regards,
-- 
-Chuck



looking for a spammer/virii/malware .... on my system

2011-08-15 Thread alexus
I received a spam complaint from my ISP and we're trying to figure out
what/where the problem is...

from headers:

Received: from 64.237.55.83 by webmail.west.cox.net; Sun, 14 Aug 2011
18:43:41 -0400

64.237.55.83 is an IP that resides on my box. Obviously I'm not
sending out any spam intentionally, so maybe some of my users do, and
not necessarily intentionally either; it could be a virus or malware or
whatever, it doesn't really matter, I just want to stop it.

so just for now I did this

su-3.2# ipfw add 666 deny ip from any to webmail.west.cox.net via any
00666 deny ip from any to 68.6.19.1
su-3.2#

what else can I do to find who on my system is trying to connect to
remote webmail.west.cox.net?


-- 
http://alexus.org/


Re: looking for a spammer/virii/malware .... on my system

2011-08-15 Thread Chuck Swiger
On Aug 15, 2011, at 10:05 AM, alexus wrote:
 what else can I do to find who on my system is trying to connect to
 remote webmail.west.cox.net?

Monitor your network for SMTP traffic:

  tcpdump -nA -s 0 port 25

If malware is sending out spam, you'll see it and can then use lsof or whatever 
to identify the specific user/process.

Regards,
-- 
-Chuck

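Chuck's two steps above (watch port 25, then map a connection back to a process), written out as an added example that is not part of the thread: a small sh script that reduces `tcpdump -n` output to one line per outbound SMTP connection attempt, counts attempts per destination so a spam run (many SYNs to many distinct MX hosts) stands out from ordinary mail, and notes the FreeBSD `sockstat` call that maps a local source port to its owning user and process (the `lsof` step in the reply). The capture lines are constructed for this example with RFC 5737 addresses; 64.237.55.83 is the box address quoted in the thread.

```shell
#!/bin/sh
# Added example: summarise outbound SMTP connection attempts from
# "tcpdump -n port 25" output. The capture below is CONSTRUCTED for this
# example (RFC 5737 remote addresses); it is not output from the box in
# the thread. Lines 1-2 are one connection (SYN then data), line 4 is an
# inbound connection to the local MTA and must not be counted.
SAMPLE_CAPTURE='12:01:03.100001 IP 64.237.55.83.51234 > 198.51.100.25.25: Flags [S], seq 1, win 65535, length 0
12:01:03.200001 IP 64.237.55.83.51234 > 198.51.100.25.25: Flags [P.], seq 1:40, ack 1, win 65535, length 39
12:01:04.100001 IP 64.237.55.83.51300 > 203.0.113.7.25: Flags [S], seq 1, win 65535, length 0
12:01:05.100001 IP 203.0.113.9.44000 > 64.237.55.83.25: Flags [S], seq 1, win 65535, length 0
12:01:06.100001 IP 64.237.55.83.51301 > 203.0.113.7.25: Flags [S], seq 1, win 65535, length 0'

# outbound_smtp_syns LOCAL_IP  (tcpdump lines on stdin)
# Print "src_port dst_ip" for every SYN that LOCAL_IP sends to a remote
# port 25. Only SYNs are reported, so each connection appears once, and
# the source port is what you later look up in sockstat/lsof.
outbound_smtp_syns() {
  awk -v me="$1" '
    /Flags \[S\]/ {
      split($3, s, "[.]"); src_ip = s[1] "." s[2] "." s[3] "." s[4]; src_port = s[5]
      split($5, d, "[.]"); dst_ip = d[1] "." d[2] "." d[3] "." d[4]; dst_port = d[5]
      sub(/:$/, "", dst_port)          # tcpdump prints "dst.port:" with a colon
      if (src_ip == me && dst_port == "25") print src_port, dst_ip
    }'
}

# smtp_dest_summary LOCAL_IP  (tcpdump lines on stdin)
# Count connection attempts per destination, busiest first.
smtp_dest_summary() {
  outbound_smtp_syns "$1" | awk '{ c[$2]++ } END { for (h in c) print c[h], h }' | sort -rn
}

# Mapping a source port to a process on the live box (not run here, needs root
# and the real capture). FreeBSD base has sockstat; column 6 is the local
# address, so for source port 51300:
#   sockstat -4 -c | awk '$6 ~ /:51300$/'
# or, with lsof installed, all processes holding a TCP connection to port 25:
#   lsof -n -P -i tcp:25

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_CAPTURE" | smtp_dest_summary 64.237.55.83
fi
```

Run it as `sh script.sh --demo` to see the constructed sample summarised, or feed a real capture with `tcpdump -n -l port 25 | outbound_smtp_syns <box-ip>`; the `-l` keeps tcpdump line-buffered so the summary updates as connections happen.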


Re: looking for a spammer/virii/malware .... on my system

2011-08-15 Thread alexus
I'm personally leaning towards thinking that these headers are being modified and
that there is no spam leaving my box (I may be wrong of course)

here is what I did to come up with that thought

I sent myself an email

-bash-3.2# echo $$ | mail ale...@gmail.com
-bash-3.2#

through Google headers I see the following:

Delivered-To: ale...@gmail.com
Received: by 10.68.60.97 with SMTP id g1cs121928pbr;
Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: from mr.google.com ([10.52.21.70])
by 10.52.21.70 with SMTP id t6mr5504300vde.56.1313430746298
(num_hops = 1);
Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: by 10.52.21.70 with SMTP id t6mr3999448vde.56.1313430745493;
Mon, 15 Aug 2011 10:52:25 -0700 (PDT)
Return-Path: r...@alexus.org
Received: from alexus.biz ([64.237.55.83])
by mx.google.com with ESMTPS id co6si13861841vdc.76.2011.08.15.10.52.23
(version=TLSv1/SSLv3 cipher=OTHER);
Mon, 15 Aug 2011 10:52:24 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning
r...@alexus.org does not designate 64.237.55.83 as permitted sender)
client-ip=64.237.55.83;
Authentication-Results: mx.google.com; spf=softfail (google.com:
domain of transitioning r...@alexus.org does not designate
64.237.55.83 as permitted sender) smtp.mail=r...@alexus.org
Received: from alexus.org (lama [64.237.55.83])
by alexus.biz (8.14.4/8.14.3) with ESMTP id p7FHqNvO049613
for ale...@gmail.com; Mon, 15 Aug 2011 13:52:23 -0400 (EDT)
(envelope-from r...@alexus.org)
Received: (from root@localhost)
by alexus.org (8.14.4/8.14.3/Submit) id p7FHqIl1049612
for ale...@gmail.com; Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
(envelope-from root)
Date: Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
From: Charlie Root r...@alexus.org
Message-Id: 201108151752.p7fhqil1049...@alexus.org
To: ale...@gmail.com

49609

I see that whenever mail leaves my box (assuming it left my box in
a standard way) sendmail is involved in the process and the
remote server tried to resolve my IP

while the original email that was provided to me by my ISP doesn't
have any of that... so that makes me think that nothing ever happened
on my box and that my IP in that original email was just manually
added there (without any emails ever leaving my box)


but then again here is scenario #2

a user connects to a remote server not using standard ways but making
a connection to remote webmail.west.cox.net directly (bypassing my
sendmail)
in that case my firewall rule should prevent this user from doing so ever again

then again doing so is not really resolving it (I still don't know
where it originates from, and that's what I want/need to find out)

I'm running apache httpd, so as far as I see it could be pretty much
any site that I host generating that kind of issue

so I'm back to square 1, how do I find it? if it's in PHP it could be the
famous base64_decode();/base64_encode();

and then good luck for locating one of that...

any other ideas?


On Mon, Aug 15, 2011 at 1:39 PM, Chuck Swiger cswi...@mac.com wrote:
 On Aug 15, 2011, at 10:05 AM, alexus wrote:
 what else can I do to find who on my system is trying to connect to
 remote webmail.west.cox.net?

 Monitor your network for SMTP traffic:

  tcpdump -nA -s 0 port 25

 If malware is sending out spam, you'll see it and can then use lsof or 
 whatever to identify the specific user/process.

 Regards,
 --
 -Chuck





-- 
http://alexus.org/
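The comparison alexus makes above (a message that really left the box carries a sendmail submission hop and an SMTP relay hop; the header the ISP forwarded has neither) can be made mechanical. The following is an added example, not code from the thread: it unfolds `Received:` headers, walks the hops from oldest to newest, and for a given IP reports whether it appears as the sending MTA of an SMTP hop or only as a client address on a hop that names no mail protocol. The sample headers are constructed in the shape of the ones quoted above, with RFC 2606 host names, RFC 5737 addresses and made-up queue ids.

```python
import re
from typing import Dict, List, Optional

# Constructed sample chain modelled on the one quoted in the thread:
# local submission -> the box's sendmail -> the receiving MX -> internal relay.
# Hosts, addresses and queue ids are example values, not the thread's.
SAMPLE_MTA_CHAIN = """\
Received: by 10.0.0.5 with SMTP id queue0001;
        Mon, 15 Aug 2011 10:52:25 -0700 (PDT)
Received: from mail.example.org ([192.0.2.83])
        by mx.example.net with ESMTPS id queue0002
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 15 Aug 2011 10:52:24 -0700 (PDT)
Received: from www.example.org (lama [192.0.2.83])
        by mail.example.org (8.14.4/8.14.3) with ESMTP id queue0003
        for <user@example.net>; Mon, 15 Aug 2011 13:52:23 -0400 (EDT)
        (envelope-from root@example.org)
Received: (from root@localhost)
        by www.example.org (8.14.4/8.14.3/Submit) id queue0004
        for <user@example.net>; Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
        (envelope-from root)
"""

# Constructed header in the shape of the one the ISP forwarded: a single hop
# with no "with <protocol>" clause and no MTA chain beneath it.
SAMPLE_WEBMAIL_ONLY = (
    "Received: from 192.0.2.83 by webmail.example.com; Sun, 14 Aug 2011 18:43:41 -0400\n"
)

# One Received: clause. "from" and "by" stop at whitespace or ';' so the
# webmail-style header (no "with" clause, date right after "by host;") parses.
HOP_RE = re.compile(
    r"^Received:\s*"
    r"(?:from\s+(?P<from>[^\s;]+)(?:\s+\((?P<from_info>[^)]*)\))?\s*)?"
    r"(?:\(from\s+(?P<submit>[^)]*)\)\s*)?"          # sendmail local submission
    r"by\s+(?P<by>[^\s;]+)(?:\s+\([^)]*\))?"         # skip "(8.14.4/8.14.3)"
    r"(?:\s+with\s+(?P<with>[^\s;]+))?",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Dict[str, Optional[object]]]:
    """Return hops oldest first: each MTA prepends its Received: header, so the
    bottom header is the first hop and the top header is the last."""
    hops: List[Dict[str, Optional[object]]] = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m = HOP_RE.match(line)
        d = m.groupdict() if m else {"from": None, "submit": None, "by": None, "with": None}
        hops.append({
            "from": d["from"] or d["submit"],   # submit hop: "(from root@localhost)"
            "by": d["by"],
            "with": d["with"],
            "ips": IP_RE.findall(line),
        })
    hops.reverse()
    return hops


def classify_hop(hop: Dict[str, Optional[object]]) -> str:
    """smtp-relay: an MTA accepted it over (E)SMTP from the 'from' host.
    local-submission: handed to the local MTA by a process on the box.
    unspecified: no mail protocol named (the shape of the ISP's header)."""
    proto = str(hop["with"] or "").upper()
    if proto.startswith(("SMTP", "ESMTP", "LMTP")):
        return "smtp-relay"
    if hop["from"] and str(hop["from"]).endswith("@localhost"):
        return "local-submission"
    return "unspecified"


def trace_ip(raw: str, ip: str) -> List[str]:
    """Describe every hop in which ip appears, oldest first."""
    out = []
    for i, hop in enumerate(parse_received(raw), 1):
        if ip in hop["ips"]:
            out.append(f"hop {i}: from={hop['from']} by={hop['by']} kind={classify_hop(hop)}")
    return out


if __name__ == "__main__":
    for label, raw in (("MTA chain", SAMPLE_MTA_CHAIN), ("webmail only", SAMPLE_WEBMAIL_ONLY)):
        print(label)
        for line in trace_ip(raw, "192.0.2.83") or ["  (ip not present)"]:
            print(" ", line)
```

On the constructed chain the box's address shows up twice, both times as the `from` side of an `smtp-relay` hop, which is what a message that genuinely left through sendmail looks like; on the webmail-shaped header it appears once, on a hop classified `unspecified`, which is consistent with either a forged header or a session that never touched the box's MTA, exactly the two scenarios weighed above.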


Re: looking for a spammer/virii/malware .... on my system

2011-08-15 Thread Robert Bonomi
 From owner-freebsd-questi...@freebsd.org  Mon Aug 15 12:37:33 2011
 Date: Mon, 15 Aug 2011 13:05:15 -0400
 From: alexus ale...@gmail.com
 To: freebsd-questions@freebsd.org
 Subject: looking for a spammer/virii/malware  on my system

 I received a spam complaint from my ISP and we're trying to figure out
 what/where the problem is...

 from headers:

 Received: from 64.237.55.83 by webmail.west.cox.net; Sun, 14 Aug 2011
 18:43:41 -0400

 64.237.55.83 is an IP that resides on my box. Obviously I'm not
 sending out any spam intentionally, so maybe some of my users do, and
 not necessarily intentionally either; it could be a virus or malware or
 whatever, it doesn't really matter, I just want to stop it.

 so just for now I did this

 su-3.2# ipfw add 666 deny ip from any to webmail.west.cox.net via any
 00666 deny ip from any to 68.6.19.1
 su-3.2#

 what else can I do to find who on my system is trying to connect to
 remote webmail.west.cox.net?


 -- 
 http://alexus.org/



Re: looking for a spammer/virii/malware .... on my system

2011-08-15 Thread alexus
Robert Bonomi:

I didn't receive anything from you other than part of my own email...

On Mon, Aug 15, 2011 at 2:57 PM, Robert Bonomi bon...@mail.r-bonomi.com wrote:
 From owner-freebsd-questi...@freebsd.org  Mon Aug 15 12:37:33 2011
 Date: Mon, 15 Aug 2011 13:05:15 -0400
 From: alexus ale...@gmail.com
 To: freebsd-questions@freebsd.org
 Subject: looking for a spammer/virii/malware  on my system

 I received a spam complaint from my ISP and we're trying to figure out
 what/where the problem is...

 from headers:

 Received: from 64.237.55.83 by webmail.west.cox.net; Sun, 14 Aug 2011
 18:43:41 -0400

 64.237.55.83 is an IP that resides on my box. Obviously I'm not
 sending out any spam intentionally, so maybe some of my users do, and
 not necessarily intentionally either; it could be a virus or malware or
 whatever, it doesn't really matter, I just want to stop it.

 so just for now I did this

 su-3.2# ipfw add 666 deny ip from any to webmail.west.cox.net via any
 00666 deny ip from any to 68.6.19.1
 su-3.2#

 what else can I do to find who on my system is trying to connect to
 remote webmail.west.cox.net?


 --
 http://alexus.org/





-- 
http://alexus.org/


Re: looking for a spammer/virii/malware .... on my system

2011-08-15 Thread Paul Schmehl

--On August 15, 2011 2:04:27 PM -0400 alexus ale...@gmail.com wrote:


I'm personally leaning towards thinking that these headers are being modified and
that there is no spam leaving my box (I may be wrong of course)

here is what I did to come up with that thought

I sent myself an email



The tcpdump command that Chuck gave you is all you need.  *If* all traffic 
exits your network through your box, you will see anything going to port 25 
*anywhere*.  That should tell you quickly what the problem is, if there is 
one.


--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead. Thomas Jefferson
There are some ideas so wrong that only a very
intelligent person could believe in them. George Orwell
