Hijacked server

Bill Nash plug-discuss@lists.plug.phoenix.az.us
Thu, 31 Oct 2002 19:29:13 +0000 (UTC)


The funny thing about spam, is that in order for it to be effective, it's
got to point back at a business. BEFORE you contact them, do your
homework. Check with the various spam activist groups and find out if
there have been other intrusions like this, especially associated with the
business in question.

- Identify the software they've installed.
- Identify the intrusion method.
- Examine the configurations and look for 'call home' methods and
other personally identifying data.
- Examine your logs and look for source networks for the intrusion.
Chances are it was done internationally, but the business they're spamming
for might not be. Again, do the groundwork BEFORE tipping your hand to the
business, otherwise they may just deny any knowledge of it and lay low for
a while.

At some point, put the box back on the network behind a bridging firewall
and remove it from your normal service rotation. Turn it into a honeypot
and see what comes nosing around. Be prepared to log and store any and all
packets coming in and out of the machine.

If you need a hand with this, I've got a drive sitting on my desk with a
FreeBSD kernel already set up for bridging, I can rebuild the box it was in
within an hour or two (just not this weekend, off to the sand dunes.)

If you're interested in pursuing it, I highly suggest you get in touch
with some technically savvy feds. I know one, but I mislaid her card, but
I'll see if I can track her down. I know there's at least one abuse
administrator lurking on this list that has federal contacts (Yes, I mean
you. =)

Hope this helps.

- billn

On Thu, 31 Oct 2002, charlie bullen wrote:

> I have a server running e-smith 4.1 which uses qmail. It has been hijacked and someone is using it to forward spam. Currently it is off the net, but that is only a temporary fix.
>
> here is a listing of running processes: towards the bottom you can see 7016 and 7017 that seem to be bad guys.
>
> Any help would be appreciated
>
> Thanks
>
> Charlie
>
>  PID TTY      STAT   TIME COMMAND
>     1 ?        S      0:07 init [7]
>     2 ?        SW     0:00 [kflushd]
>     3 ?        SW     0:00 [kupdate]
>     4 ?        SW     0:00 [kpiod]
>     5 ?        SW     0:02 [kswapd]
>     6 ?        SW<    0:00 [mdrecoveryd]
>    68 ?        SW     0:00 [khubd]
>   297 ?        S      0:03 syslogd -m 0 -a /home/dns/dev/log
>   307 ?        S      0:00 klogd -c 1
>   726 ?        S      0:00 crond
>   759 ?        S      0:00 xinetd -reuse -pidfile /var/run/xinetd.pid
>   815 ?        S      0:00 lpd Waiting
>   840 ?        S      0:00 /usr/sbin/dhcpd eth0
>   890 ?        S      0:00 /usr/sbin/slapd
>   932 ?        S      0:00 smtpfwdd -d /var/spool/smtpd/spool
>   962 ?        S      0:00 httpd
>   971 ?        S      0:00 httpd
>   972 ?        S      0:00 httpd
>   973 ?        S      0:00 httpd
>   974 ?        S      0:00 httpd
>   975 ?        S      0:00 httpd
>   976 ?        S      0:00 httpd
>   977 ?        S      0:00 httpd
>   978 ?        S      0:00 httpd
>   979 ?        S      0:00 httpd
>   984 ?        S      0:00 httpd
>   988 ?        S      0:00 /usr/sbin/sshd
>  1143 ?        S      0:00 /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.co
>  1144 ?        S      0:00 /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.co
>  1162 ?        S      0:00 sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
>  1207 ?        S      0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
>  1213 ?        S      0:00 squid -D
>  1214 ?        S      0:00 (squid) -D
>  1244 ?        S      0:00 (unlinkd)
>  1245 ?        S      0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
>  1246 ?        S      0:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --based
>  1263 ?        S      0:00 atalkd
>  1264 ?        S      0:00 smbd -D
>  1274 ?        S      0:00 nmbd -D
>  1276 ?        S      0:00 nmbd -D
>  1297 ?        S      0:01 /usr/sbin/named -f -u dns -g dns -t /home/dns
>  1298 ?        S      0:00 /usr/sbin/pptpd -f
>  1299 tty1     S      0:00 perl -wT /sbin/e-smith/console tty1
>  1300 tty2     S      0:00 /sbin/mingetty tty2
>  1301 tty3     S      0:00 /sbin/mingetty tty3
>  1302 ?        Z      0:00 [rpmq <defunct>]
>  1303 tty1     S      0:00 /usr/bin/logger -p local1.info -t console
>  1304 tty1     S      0:00 /usr/bin/whiptail --clear --backtitle e-smith server an
>  1321 ?        S      0:00 papd
>  1331 ?        S      0:00 afpd -c 20 -n linux-box
>  3053 ?        S      0:00 /usr/sbin/sshd
>  3102 pts/0    S      0:00 -bash
>  3864 ?        S      0:06 qmail-send
>  3865 ?        Z      0:00 [accustamp <defunct>]
>  3866 ?        S      0:00 qmail-lspawn ./Maildir/
>  3867 ?        S      0:00 qmail-rspawn
>  3868 ?        S      0:00 qmail-clean
>  5287 ?        S      0:00 smtpd
>  6612 ?        S      0:00 smtpd
>  6670 ?        S      0:00 smtpd
>  6877 ?        S      0:00 smtpd
>  6878 ?        S      0:00 smtpd
>  6956 ?        S      0:00 smbd -D
>  6987 ?        Z      0:00 [smtpfwdd <defunct>]
>  7006 ?        S      0:00 /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.co
>  7009 ?        S      0:00 smtpd
>  7010 ?        S      0:00 smtpd
>  7016 ?        S      0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
>  7017 ?        S      0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
>  7019 ?        S      0:00 smtpd
>  7020 ?        S      0:00 smtpd
>  7021 pts/0    R      0:00 ps -xa
>
>
>
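As an added example (not code from either poster, and not an e-smith or qmail tool), here is a small triage script for the two checks the thread discusses: spotting the `qmail-remote` deliveries in Charlie's `ps -xa` listing whose envelope sender is not a domain the box should be sending for, and Bill's step of grouping log entries by source network before contacting anyone. The `ps` excerpt is copied from the quoted listing; the SMTP connection log lines, their format, the `LOCAL_DOMAINS` set and the RFC 5737 documentation addresses in them are all constructed assumptions, since the original message shows no logs.

```python
"""Triage helpers for a suspected hijacked/open-relay mail server.

Added example for this thread, not e-smith or qmail code. The ps rows come
from the listing quoted above; the SMTP log format below is an assumption.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Excerpt of the `ps -xa` output quoted in the thread (column headers as shown).
PS_LISTING = """\
  PID TTY      STAT   TIME COMMAND
 3864 ?        S      0:06 qmail-send
 5287 ?        S      0:00 smtpd
 6612 ?        S      0:00 smtpd
 7016 ?        S      0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
 7017 ?        S      0:00 qmail-remote aol.com anonymous@thealtacenter.com gasbag
 7019 ?        S      0:00 smtpd
 7021 pts/0    R      0:00 ps -xa
"""

# Domains this host is legitimately allowed to originate mail for (assumed, site-specific).
LOCAL_DOMAINS = {"example.org"}

PS_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_ps(text):
    """Return (pid, command) tuples from `ps -xa` style output; the header does not match."""
    rows = []
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(5)))
    return rows


def suspicious_relays(rows):
    """Flag qmail-remote deliveries whose envelope sender is not one of our domains.

    qmail-remote is invoked as: qmail-remote <host> <sender> <recipient>...
    so a foreign sender domain means the box is relaying for someone else.
    """
    hits = []
    for pid, cmd in rows:
        parts = cmd.split()
        if len(parts) >= 3 and parts[0] == "qmail-remote":
            host, sender = parts[1], parts[2]
            sender_domain = sender.rsplit("@", 1)[-1].lower()
            if sender_domain not in LOCAL_DOMAINS:
                hits.append({"pid": pid, "dest": host, "sender": sender, "rcpts": parts[3:]})
    return hits


def count_smtpd(rows):
    """Number of live smtpd workers; a sudden pile-up is a cheap relay-abuse indicator."""
    return sum(1 for _, cmd in rows if cmd.split()[0] == "smtpd")


# Constructed log lines in an ASSUMED "connect from <ip>" format (RFC 5737 test addresses).
SMTP_LOG = """\
Oct 31 18:01:02 host smtpd[5287]: connect from 203.0.113.45
Oct 31 18:01:09 host smtpd[6612]: connect from 203.0.113.77
Oct 31 18:02:11 host smtpd[6670]: connect from 198.51.100.9
Oct 31 18:02:40 host smtpd[6877]: connect from 203.0.113.12
Oct 31 18:03:01 host smtpd[6878]: connect from 192.168.1.20
"""

CONNECT_RE = re.compile(r"connect from (\d+\.\d+\.\d+\.\d+)")
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def source_networks(log_text, prefix=24):
    """Group connecting IPs by /prefix network, ignoring RFC 1918 (assumed internal) ranges."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        ip = ip_address(m.group(1))
        if any(ip in net for net in INTERNAL):
            continue
        counts[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return counts.most_common()


if __name__ == "__main__":
    rows = parse_ps(PS_LISTING)
    print("smtpd workers:", count_smtpd(rows))
    for hit in suspicious_relays(rows):
        print("relay:", hit)
    for net, n in source_networks(SMTP_LOG):
        print(f"{net}: {n} connection(s)")
```

Run it against a saved `ps -xa` and the real connection log on a copy of the disk, not on the live box: the point is to have the evidence (which domains are being relayed for, which networks the connections come from) in hand before the business behind the spam is contacted, which is the ordering Bill's list insists on.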