Bot?

2011-01-05 Thread Robert Fitzpatrick
Keep getting calls from our provider at one location that our FreeBSD 
8.0-RELEASE server is sending bursts of 1000 spam messages to 70K 
recipients. Since the first call a few weeks ago, I have MRTG and Mail 
Statistics graphs set up and see no spikes in traffic. Their last 
sighting was over the weekend and graphs show a reduction in traffic 
during that time as expected, again with no spikes in traffic or 
messages sent/received by our Postfix/Amavisd-maia MTA. All services on 
that server including SSH, SMTP and mail queue size all monitored by 
Nagios and have had no alerts from that server.


Nonetheless, they claim I must have a bot and the mail is not passing 
through my own SMTP. And I suspect little traffic is needed for the 
alleged bursts. They have no envelope info. Can someone advise on what 
port(s) are available for bot detection and/or prevention? In all my 
years of running FreeBSD as mail gateways, this is the first time I've 
had this issue.


--Robert
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Bot?

2011-01-05 Thread Jerry Bell
It's unlikely that the bot would relay outbound spam through your MTA - 
that would be inconvenient, slow and raise some suspicion.  If the 
provider is right, you most likely have a bit of code running on the 
server that is directly connecting to external mail servers.  There 
could be reasons you aren't seeing a spike, such as you're only looking 
at traffic processed by the MTA, or it simply doesn't show as a material 
increase on a graph of traffic on the network interface if the server is 
busy.


Jerry
On 1/5/2011 10:41 AM, Robert Fitzpatrick wrote:
Keep getting calls from our provider at one location that our FreeBSD 
8.0-RELEASE server is sending bursts of 1000 spam messages to 70K 
recipients. Since the first call a few weeks ago, I have MRTG and Mail 
Statistics graphs set up and see no spikes in traffic. Their last 
sighting was over the weekend and graphs show a reduction in traffic 
during that time as expected, again with no spikes in traffic or 
messages sent/received by our Postfix/Amavisd-maia MTA. All services 
on that server including SSH, SMTP and mail queue size all monitored 
by Nagios and have had no alerts from that server.






Re: Bot?

2011-01-05 Thread Matthias Apitz
On Wednesday, January 05, 2011 at 10:41:29AM -0500, Robert Fitzpatrick 
wrote:

 Keep getting calls from our provider at one location that our FreeBSD 
 8.0-RELEASE server is sending bursts of 1000 spam messages to 70K 
 recipients. Since the first call a few weeks ago, I have MRTG and Mail 
 Statistics graphs set up and see no spikes in traffic. Their last 
 sighting was over the weekend and graphs show a reduction in traffic 
 during that time as expected, again with no spikes in traffic or 
 messages sent/received by our Postfix/Amavisd-maia MTA. All services on 
 that server including SSH, SMTP and mail queue size all monitored by 
 Nagios and have had no alerts from that server.
 
 Nonetheless, they claim I must have a bot and the mail is not passing 
 through my own SMTP. And I suspect little traffic is needed for the 
 alleged bursts. They have no envelope info. Can someone advise on what 
 port(s) are available for bot detection and/or prevention? In all my 
 years of running FreeBSD as mail gateways, this is the first time I've 
 had this issue.
 
 --Robert

Check with tcpdump (on another host connected by a HUB, no switch, to
the box) if you can see that port 25 traffic of the NIC of the host;
that would be my 1st check to catch it...

If someone has lifted up your FreeBSD into a VM running on that bot, you
will not see this inside the FreeBSD, I think.

matthias
-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/


Re: Bot?

2011-01-05 Thread Kevin Wilcox
On 5 January 2011 10:47, Jerry Bell je...@nrdx.com wrote:

 There could be reasons you
 aren't seeing a spike, such as you're only looking at traffic processed by
 the MTA, or it simply doesn't show as a material increase on a graph of
 traffic on the network interface if the server is busy.

Those are good points and to go a little further regarding looking at
traffic...

To really see what your machine is doing, consider taking a look at
the network flows. pfflowd, netflowd, ipaudit and a host of others can
get you flow data with mostly minimal overhead.

kmw


Re: Bot?

2011-01-05 Thread David Brodbeck
On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox kevin.wil...@gmail.com wrote:
 On 5 January 2011 10:47, Jerry Bell je...@nrdx.com wrote:

 There could be reasons you
 aren't seeing a spike, such as you're only looking at traffic processed by
 the MTA, or it simply doesn't show as a material increase on a graph of
 traffic on the network interface if the server is busy.

 Those are good points and to go a little further regarding looking at
 traffic...

 To really see what your machine is doing, consider taking a look at
 the network flows. pfflowd, netflowd, ipaudit and a host of others can
 get you flow data with mostly minimal overhead.

Also, keep in mind that depending on how badly the machine has been
compromised, you may not be able to trust the output of utilities
running on the machine itself.  You may have to resort to capturing
its network traffic on another machine for analysis.


Re: Bot?

2011-01-05 Thread Ryan Coleman
I agree on this point.

That said, I once thought my employer's server was hacked and I ran local 
utilities and dug through months of logs only to discover that an install of 
either phpBB or phpMyAdmin had a slice of bad code that allowed someone to 
install software remotely and run its own p2p network off of it.

I wasted a few days trying to dig in the wrong place.


On Jan 5, 2011, at 12:25 PM, David Brodbeck wrote:

 On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox kevin.wil...@gmail.com wrote:
 On 5 January 2011 10:47, Jerry Bell je...@nrdx.com wrote:
 
 There could be reasons you
 aren't seeing a spike, such as you're only looking at traffic processed by
 the MTA, or it simply doesn't show as a material increase on a graph of
 traffic on the network interface if the server is busy.
 
 Those are good points and to go a little further regarding looking at
 traffic...
 
 To really see what your machine is doing, consider taking a look at
 the network flows. pfflowd, netflowd, ipaudit and a host of others can
 get you flow data with mostly minimal overhead.
 
 Also, keep in mind that depending on how badly the machine has been
 compromised, you may not be able to trust the output of utilities
 running on the machine itself.  You may have to resort to capturing
 its network traffic on another machine for analysis.



Re: Bot?

2011-01-05 Thread Kevin Wilcox
On 5 January 2011 13:25, David Brodbeck g...@gull.us wrote:

 On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox kevin.wil...@gmail.com wrote:

 To really see what your machine is doing, consider taking a look at
 the network flows. pfflowd, netflowd, ipaudit and a host of others can
 get you flow data with mostly minimal overhead.

 Also, keep in mind that depending on how badly the machine has been
 compromised, you may not be able to trust the output of utilities
 running on the machine itself.  You may have to resort to capturing
 its network traffic on another machine for analysis.

That's an excellent point. A span port from the upstream switch/router
would be ideal unless you've verified, through mechanisms external to
the machine (known good test media), the tools on that machine are
trustworthy.

kmw
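Matthias's tcpdump check and the span-port capture Kevin and David describe both come down to the same measurement: count the port 25 connection attempts leaving the box, as seen from a host that is not the suspect. The script below is an added example, not code from the thread; it runs over the text output of `tcpdump -nn -tt` taken on the monitor host and reports every 60-second window in which the mail server opened more outbound SMTP connections than a threshold. The server address 192.0.2.10, the threshold and the sample capture lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: spot bursts of outbound SMTP
# connection attempts in a tcpdump text capture taken on a separate monitor
# host (hub or span port), so the result does not depend on tools running
# on the possibly compromised server. Assumes `tcpdump -nn -tt` output:
#   <epoch> IP <src>.<sport> > <dst>.<dport>: Flags [S], seq ...
# MAILHOST (192.0.2.10) and THRESHOLD are constructed defaults.
MAILHOST=${MAILHOST:-192.0.2.10}
THRESHOLD=${THRESHOLD:-50}   # SYNs to port 25 per 60-second window before flagging

# smtp_syn_bursts FILE: print "<window_start> <count>" for each 60-second
# window in which MAILHOST opened more than THRESHOLD connections to port 25.
# Legitimate MTA deliveries are counted too; compare each window's total
# with what the Postfix log says was sent in the same minute.
smtp_syn_bursts() {
    awk -v host="$MAILHOST" -v thr="$THRESHOLD" '
        # pure SYNs (not SYN-ACK "[S.],") towards a remote port 25
        $2 == "IP" && $5 ~ /\.25:$/ && $6 == "Flags" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)   # drop the source port
            if (src != host) next
            win = int($1 / 60) * 60
            n[win]++
        }
        END { for (w in n) if (n[w] > thr) print w, n[w] }
    ' "$1" | sort -n
}

# Constructed sample capture: four SYNs from the mail host to port 25 in the
# window starting at 1294234800, one in the next window, plus noise that must
# be ignored (a SYN-ACK, a port-80 SYN and another host's SYN).
sample_capture() {
    cat <<'EOF'
1294234800.101 IP 192.0.2.10.51234 > 198.51.100.25.25: Flags [S], seq 1, win 65535, length 0
1294234805.202 IP 192.0.2.10.51235 > 203.0.113.9.25: Flags [S], seq 2, win 65535, length 0
1294234805.250 IP 192.0.2.10.25 > 203.0.113.40.40001: Flags [S.], seq 3, ack 1, win 65535, length 0
1294234811.003 IP 192.0.2.10.51236 > 198.51.100.77.25: Flags [S], seq 4, win 65535, length 0
1294234812.777 IP 192.0.2.10.51237 > 198.51.100.80.80: Flags [S], seq 5, win 65535, length 0
1294234820.004 IP 198.51.100.7.40000 > 203.0.113.9.25: Flags [S], seq 6, win 65535, length 0
1294234830.500 IP 192.0.2.10.51238 > 203.0.113.200.25: Flags [S], seq 7, win 65535, length 0
1294234870.300 IP 192.0.2.10.51239 > 198.51.100.25.25: Flags [S], seq 8, win 65535, length 0
EOF
}

# Demo: with a low threshold the first window is reported as a burst.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); sample_capture > "$tmp"
    THRESHOLD=2; smtp_syn_bursts "$tmp"     # prints: 1294234800 4
    rm -f "$tmp"
fi
```

On a real capture, run it with the default threshold against a file written by `tcpdump -nn -tt -w - | tcpdump -nn -tt -r -` or an equivalent text dump from the monitor host, and check flagged windows against the Postfix log.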


Re: Bot? / pf question

2011-01-05 Thread Mark Moellering

On 05-Jan-11 1:44 PM, Kevin Wilcox wrote:

On 5 January 2011 13:25, David Brodbeckg...@gull.us  wrote:


On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcoxkevin.wil...@gmail.com  wrote:

To really see what your machine is doing, consider taking a look at
the network flows. pfflowd, netflowd, ipaudit and a host of others can
get you flow data with mostly minimal overhead.

Also, keep in mind that depending on how badly the machine has been
compromised, you may not be able to trust the output of utilities
running on the machine itself.  You may have to resort to capturing
its network traffic on another machine for analysis.

That's an excellent point. A span port from the upstream switch/router
would be ideal unless you've verified, through mechanisms external to
the machine (known good test media), the tools on that machine are
trustworthy.

kmw


Since I am going to be setting up a mail server sometime next week and 
have to keep things like this in mind;
would it make sense to run pf and block all outbound traffic that isn't 
on port 25 (port 995, etc.) and force any web administration programs 
onto a port other than 80 to help with this sort of thing?  Any other 
thoughts on how to make sure future installations can be kept secure?


As always, thanks in advance to everyone,

Mark Moellering


Re: Bot? / pf question

2011-01-05 Thread Ryan Coleman
Yes and no. You want to leave ftp open, too, just in case for port 
upgrading/downloading, plus you would want to do monitoring across the wire 
(Nagios or something, maybe?). You could, though, do a dual-NIC setup and have 
one be a private network LAN for the servers if you aren't already considering 
it.



On Jan 5, 2011, at 1:48 PM, Mark Moellering wrote:

 Since I am going to be setting up a mail server sometime next week and have 
 to keep things like this in mind;
 would it make sense to run pf and block all outbound traffic that isn't on 
 port 25 (port 995, etc.) and force any web administration programs onto a 
 port other than 80 to help with this sort of thing?  Any other thoughts on 
 how to make sure future installations can be kept secure?
 
 As always, thanks in advance to everyone,
 
 Mark Moellering



Re: Bot? / pf question

2011-01-05 Thread Adam Vande More
On Wed, Jan 5, 2011 at 1:48 PM, Mark Moellering m...@msen.com wrote:

 That's an excellent point. A span port from the upstream switch/router

 Since I am going to be setting up a mail server sometime next week and have
 to keep things like this in mind;
 would it make sense to run pf and block all outbound traffic that isn't on
 port 25 (port 995, etc.) and force any web administration programs onto a
 port other than 80 to help with this sort of thing?  Any other thoughts on
 how to make sure future installations can be kept secure?

 As always, thanks in advance to everyone,


That's a great example of when jails should be used. I put each service into
its own jail, e.g. MTA, FTP, www. Actually I use something like pound, then
put each different website in its own jail. Make sure each database-backed
service has separate logins/passwords. Then if something like phplist or an
MTA is compromised, the host OS and utilities can still be trusted, in theory
at least.

Also a managed port can help you deal with issues by tracking stat
metrics/port mirroring/etc.

You can use something like ezjail to make administration tasks easier, and if you
isolate the jail FSs (UFS/ZFS), make use of the snapshotting utilities.
There are a couple of utilities in ports to help automate snapshots too.



-- 
Adam Vande More


gtn bot ?

2007-10-18 Thread Grant Peel

Hi all,

Checking my mrtg and trafshow this morning I seem to have an ircd bot 
running on one of my servers.


Does anyone know where I might find some info on 'gtn'??

ps -ax:

62067 1 www  Wed Oct 17 20:49:47 2007 gtn (perl5.8.8)
35990 1 www  Wed Oct 17 18:15:59 2007 [eggdrop]


I see several of each of these.

Any help will be appreciated,

-Grant 




Re: gtn bot ?

2007-10-18 Thread Grant Peel
Hi all,

I missed one too. I have never seen this process before, any ideas?

 6313 1 Mon Oct 15 19:34:39 2007   0:02.71 [prox]
  - Original Message - 
  From: Grant Peel 
  To: freebsd-questions@freebsd.org 
  Sent: Thursday, October 18, 2007 7:53 AM
  Subject: gtn bot ?


  Hi all,

  Checking my mrtg and trafshow this morning I seem to have an ircd bot 
  running on one of my servers.

  Does anyone know where I might find some info on 'gtn'??

  ps -ax:

  62067 1 www Wed Oct 17 20:49:47 2007 gtn (perl5.8.8)
  35990 1 www Wed Oct 17 18:15:59 2007 [eggdrop]

  I see several of each of these.

  Any help will be appreciated,

  -Grant 




Re: gtn bot ?

2007-10-18 Thread Steve Bertrand
 Does anyone know where I might find some info on 'gtn'??

It would be advisable to review the thread entitled Strange perl
script that is currently active on the list, dated from Oct 17th.

Steve


Re: gtn bot ?

2007-10-18 Thread Paul Schmehl
--On Thursday, October 18, 2007 08:28:46 -0400 Grant Peel 
[EMAIL PROTECTED] wrote:



Hi all,

I missed one too. I have never seen this process before, any ideas?

 6313 1 Mon Oct 15 19:34:39 2007   0:02.71 [prox]


The problem with this approach is that the bad guys don't try to accommodate 
you by using common naming conventions.  Searching for gtn or prox or 
eggdrop will most likely be a fruitless exercise.


What you need to do is 1) identify what it is by locating it and all its 
associated files on the hard drive, 2) determine how to stop it so you can 
clean up and 3) figure out how the box was broken into so you can prevent 
a reoccurrence.


If you need help with that, I would suggest taking it private.  It's best 
not to post these kinds of details in an open forum.  I'd be happy to help, 
and I'm sure there are others here, even more experienced than I am, who 
can help.


--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
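Paul's point that searching for the names is fruitless cuts the other way too: the shape of the `ps` lines Grant posted gives more away than the names do. The script below is an added example, not code from the thread. It assumes the FreeBSD ps conventions that a command shown as "name (realname)" means argv[0] was rewritten while the executable is really "realname", and that "[name]" means ps could not read the argument vector (kernel processes legitimately look like this, but their parent is pid 0). The sample ps output is constructed, modelled on the lines quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: triage `ps -axo user,pid,ppid,command`
# output for the two patterns seen above. Assumed FreeBSD ps conventions:
#   "name (realname)"  argv[0] rewritten, executable is really "realname"
#   "[name]"           argument vector unreadable (kernel processes do this
#                      legitimately, but their parent is pid 0)

# suspicious_procs: ps output on stdin -> "<pid> <user> <reason> <command>"
suspicious_procs() {
    awk 'NR == 1 { next }                       # skip the header line
    {
        cmd = $4; for (i = 5; i <= NF; i++) cmd = cmd " " $i
        # pattern 1: an interpreter hiding behind a renamed argv[0]
        if (cmd ~ /\([^)]*\)$/) {
            real = cmd; sub(/.*\(/, "", real); sub(/\)$/, "", real)
            base = real; sub(/[0-9.]+$/, "", base)   # perl5.8.8 -> perl
            shown = $4; sub(/.*\//, "", shown)
            if (base ~ /^(perl|python|ruby|php|sh|bash)$/ && shown != real)
                print $2, $1, "renamed-interpreter", cmd
        }
        # pattern 2: no readable argv, yet not a kernel process (ppid != 0);
        # a swapped-out process can look like this too, so confirm before acting
        if (cmd ~ /^\[[^]]+\]$/ && $3 != 0)
            print $2, $1, "hidden-argv", cmd
    }'
}

# Constructed sample, modelled on the ps lines quoted in this thread.
sample_ps() {
    cat <<'EOF'
USER      PID  PPID COMMAND
root        1     0 /sbin/init --
root       11     0 [idle]
root      815     1 /usr/sbin/sshd
www       998     1 /usr/local/sbin/httpd
www      1030   998 /usr/local/sbin/httpd
www     62067     1 gtn (perl5.8.8)
www     35990     1 [eggdrop]
root     6313     1 [prox]
EOF
}

# Demo: prints the three suspect processes and nothing for httpd or [idle].
if [ "${1:-}" = "demo" ]; then
    sample_ps | suspicious_procs
fi
```

Run it on a live box as `ps -axo user,pid,ppid,command | sh thisscript.sh` only once the ps binary itself has been verified from known good media, for the reason David gave earlier in the thread.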
