This is a discussion on Mass Mailing Worm on Linux within the Linux Security forums, part of the System Security and Security Related category.
Hi,

Will appreciate any help on this problem. I have a Red Hat 9 system that I had been using for the past few years. Yesterday, one of our system admins filtered my machine saying that it is infected by a mass mailing worm that is sending spam. The first thing that came to mind is that probably I have accidentally configured sendmail as an open relay and some spammer was using it to relay spam through my machine. However, I checked my sendmail.mc file and relaying has been disabled (it listens only on the loop-back address). Has anyone ever faced such a problem, and what steps did they take to eliminate it?

Regards
Shashank
"Shashank Khanvilkar" <shashank@mia.ece.uic.edu> wrote in message
news:c7rusc$bqj$1@newsx.cc.uic.edu

> However I checked my sendmail.mc file and relaying has been disabled
> (It listens only on the loop-back address).
>
> Has anyone ever faced such a problem and what steps did they take to
> eliminate it.

Why don't you check your maillog files to see where the stuff is coming from? Listening only on 127.0.0.1 doesn't help if one is running an insecure webmail application or provides other avenues of mail access.

Also perform an nmap and nessus scan from another machine on the network as well as a machine from outside your LAN. You might be surprised at what vulnerabilities you have wide open.

tony
--
use hotmail for email replies
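Added example (not part of the thread, and not the poster's or anyone's production code): the kind of maillog triage tony is suggesting. Sendmail writes one "from=" record per message entering the queue, and its relay= field records the path the message came in by: a local submission through the sendmail binary shows up as relay=<unixuser>@localhost, an SMTP submission as relay=<host> [<ip>]. Grouping by that field and counting recipients per message separates normal user mail from a web application or local process pumping out bulk mail on the loopback interface. The log lines below are constructed to look like sendmail 8.12 records; the hostnames, queue IDs and the 10-recipient threshold are assumptions for the illustration.

```python
"""Triage a sendmail maillog: who is injecting mail, via which path, and
how many recipients per message.  Added example; the log lines below are
constructed to look like sendmail 8.12 "from=" records, not real data."""
import re
from collections import defaultdict

# Constructed sample maillog.  Local submissions via the sendmail binary log
# relay=<unixuser>@localhost; SMTP submissions log relay=<host> [<ip>].
SAMPLE_MAILLOG = """\
May 12 03:14:07 box sendmail[2231]: i4C8E7Ab002231: from=<shashank@mia.example.edu>, size=812, class=0, nrcpts=1, msgid=<200405120814.i4C8E7Ab002231@box>, relay=shashank@localhost
May 12 03:14:09 box sendmail[2234]: i4C8E9xy002234: from=<promo@example.org>, size=2410, class=0, nrcpts=50, msgid=<a1@box>, relay=apache@localhost
May 12 03:14:10 box sendmail[2235]: i4C8E9xy002234: to=<victim1@example.net>,<victim2@example.net>, ctladdr=<promo@example.org> (48/48), delay=00:00:01, mailer=esmtp, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
May 12 03:14:12 box sendmail[2240]: i4C8ECzz002240: from=<promo@example.org>, size=2410, class=0, nrcpts=48, msgid=<a2@box>, relay=apache@localhost
May 12 03:14:15 box sendmail[2244]: i4C8EFqq002244: from=<>, size=1300, class=0, nrcpts=1, msgid=<b1@box>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May 12 03:14:20 box sendmail[2250]: i4C8EKrr002250: from=<offer@example.net>, size=3000, class=0, nrcpts=35, msgid=<c1@box>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
"""

# One "from=" record per queued message.  The sender may be bracketed
# (<user@host>), bare (user) or empty (<> for bounces); relay= is last.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,]*)>?, size=\d+, "
    r"class=\d+, nrcpts=(?P<nrcpts>\d+), .*relay=(?P<relay>.+)$"
)


def parse_submissions(lines):
    """Yield one dict per 'from=' record (a message entering the queue).
    'to=' delivery records are skipped: they describe the same message."""
    for line in lines:
        m = FROM_RE.search(line.rstrip())
        if m:
            yield {"qid": m["qid"], "sender": m["sender"] or "<>",
                   "nrcpts": int(m["nrcpts"]), "relay": m["relay"]}


def summarize_by_relay(lines):
    """Group submissions by the path they entered through (the relay= field)."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for sub in parse_submissions(lines):
        s = stats[sub["relay"]]
        s["messages"] += 1
        s["recipients"] += sub["nrcpts"]
        s["senders"].add(sub["sender"])
    return dict(stats)


def flag_suspicious(stats, max_avg_rcpts=10):
    """Relays whose average recipients-per-message exceeds the threshold
    (assumed threshold: interactive users rarely average more than 10)."""
    return sorted(relay for relay, s in stats.items()
                  if s["recipients"] / s["messages"] > max_avg_rcpts)


if __name__ == "__main__":
    stats = summarize_by_relay(SAMPLE_MAILLOG.splitlines())
    for relay, s in sorted(stats.items(), key=lambda kv: -kv[1]["recipients"]):
        print(f"{relay:40} msgs={s['messages']:3} rcpts={s['recipients']:4} "
              f"senders={sorted(s['senders'])}")
    print("suspicious:", flag_suspicious(stats))
```

On a real box, feed it `/var/log/maillog*` (including the rotated files, since the spam run may predate the complaint). A relay of `apache@localhost` with tens of recipients per message points straight at a web application, which is exactly the case a loopback-only listener does nothing about.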
On Tue, 11 May 2004 20:16:14 -0500, Shashank Khanvilkar wrote:

> I have a Red Hat 9 system that I had been using for the past few years.
> Yesterday, one of our system admins filtered my machine saying that it
> is infected by a mass mailing worm that is sending spam.

Your machine has probably been broken into by a human or a worm, or you have executed a trojan.

As a result you can no longer trust any of the files on the system to be unmodified. Tools like ps and top may be fixed not to show the spammer's processes.

If you want to poke around and try to find out what has happened you'll need to boot from something like a rescue CD/floppy or Knoppix to be sure you're running tools that are not tampered with.

> Has anyone ever faced such a problem and what steps did they take to
> eliminate it.

Plenty of people probably.

Erase and reinstall. Even if your investigation turns up a rootkit, you can never be certain that there isn't one more modified program there that will let the spammer right back in.

--
NPV
"the large print giveth, and the small print taketh away" Tom Waits - Step right up
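Added example (mine, not NPV's and not from the thread): a quick way to test the "ps may be fixed not to show the spammer's processes" point before reaching for the rescue CD. ps gets its process list by reading /proc, so a trojaned ps binary that filters out certain PIDs can be caught by listing /proc directly and comparing. The check reads /proc before and after running ps and only trusts PIDs seen both times, so a process that happens to exit in between is not reported as hidden. Caveat, which is why NPV's advice stands: a kernel-module rootkit that filters /proc itself fools this check too, and a trojaned python or libc could in principle lie as well; running it with `ps_binary` pointing at a copy from clean media only removes the ps binary from the trust chain. The PID sets in the usage note and tests are constructed.

```python
"""Cross-check the process list a possibly trojaned ps reports against what
the kernel exposes in /proc.  Added example, not from the thread."""
import os
import subprocess


def pids_from_proc(proc_dir="/proc"):
    """PIDs the kernel exposes: every all-digit directory name under /proc."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def pids_from_ps_output(text):
    """PIDs in the output of `ps -eo pid` (header and blank lines skipped)."""
    pids = set()
    for line in text.splitlines():
        token = line.strip()
        if token.isdigit():
            pids.add(int(token))
    return pids


def hidden_pids(proc_before, ps_pids, proc_after=None):
    """PIDs present in /proc but missing from ps.

    Processes that exit between the two readings would look hidden; to
    suppress that race only PIDs seen in /proc both before and after ps
    ran are counted (proc_after defaults to proc_before).
    """
    stable = proc_before if proc_after is None else proc_before & proc_after
    return sorted(stable - ps_pids)


def live_check(ps_binary="ps"):
    """Run the check on this host.  A non-empty result means ps is not
    showing everything the kernel does (or ps itself is broken).  Pass a
    known-good ps (e.g. one copied from rescue media) as ps_binary."""
    before = pids_from_proc()
    out = subprocess.run([ps_binary, "-eo", "pid"], capture_output=True,
                         text=True, check=True).stdout
    after = pids_from_proc()
    return hidden_pids(before, pids_from_ps_output(out), after)


if __name__ == "__main__":
    hidden = live_check()
    print("PIDs in /proc but not in ps output:", hidden if hidden else "none")
```

If it does report something, `cat /proc/<pid>/cmdline` and `ls -l /proc/<pid>/exe` (again, from trusted binaries) tell you what the hidden process is and where it was started from; that is usually the fastest route to the spam engine and to the hole it came in through.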
On Wed, 12 May 2004 07:56:13 +0000, Nils Petter Vaskinn wrote:

> On Tue, 11 May 2004 20:16:14 -0500, Shashank Khanvilkar wrote:
>
>> I have a Red Hat 9 system that I had been using for the past few years.
>> Yesterday, one of our system admins filtered my machine saying that it
>> is infected by a mass mailing worm that is sending spam.
>
> Your machine has probably been broken into by a human or a worm, or you
> have executed a trojan.
>
> As a result you can no longer trust any of the files on the system to be
> unmodified. Tools like ps and top may be fixed not to show the spammer's
> processes.
>
> If you want to poke around and try to find out what has happened you'll
> need to boot from something like a rescue CD/floppy or Knoppix to be sure
> you're running tools that are not tampered with.
>
>> Has anyone ever faced such a problem and what steps did they take to
>> eliminate it.
>
> Plenty of people probably.
>
> Erase and reinstall. Since even if your investigation turns up a rootkit
> you can never be certain that there isn't one more modified program there
> that will let the spammer right back in.

You may (possibly) gain some useful information by monitoring the traffic to and from the "compromised" box, using a secure, clean, impenetrable machine to do the listening. Since this is impossible, the next best thing is to monitor from a machine with no IP address, such as a bridge.

If you're really compromised, you'll probably find out where from (though this information will be next to useless, as it's probably another compromised host). If you've simply misconfigured something, the traffic will tell you what.

--
Some say the Wired doesn't have political borders like the real world, but there are far too many nonsense-spouting anarchists or idiots who think that pranks are a revolution.
> I have a Red Hat 9 system that I had been using for the past few years.
> Yesterday, one of our system admins filtered my machine saying that it
> is infected by a mass mailing worm that is sending spam.

Are you certain that the emails were sent by your machine? Many "anti virus" software packages claim you have sent viruses because of the Return-Path address. I do not say your sysadmin is a moron, but who knows. Ask to see one of these emails and check that the last "Received:" line (or the first, reading from the bottom to the top) contains your IP address. Then there are two possibilities:

a) it was not your workstation that sent the emails.
b) your sysadmin was right, and you were (are) mass mailing.

In case b), the first thing to do is to disconnect your station, or at least ask your sysadmin to block outgoing connections to port 25 from your server. Shut down sendmail / qmail / postfix / apache. Then, if you have logs, try to find out who installed the rootkit or exploited some vulnerability on your PC, and when.

=> Check RBLs ( http://dsbl.org/ etc. ). It will give you an idea of the kind of vulnerabilities you have and the amount of spam you sent ( www.bondedsender.com ).
=> Basically, if your web server is publicly accessible and is an open proxy, this is the first thing to disable.
=> chkrootkit

Then, once you have found the root cause, the best thing is to reinstall your system completely, just in case you did not see some backdoor.
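Added example (not from the thread, not the poster's code) for the "ask to see one of these emails" step above: parse the complaint message's Received: headers, walk down to the bottom-most one (the first hop), pull the IP out of its "from host (host [ip])" clause and compare it with your own address. The second constructed message shows the false-accusation case the poster describes: a worm elsewhere put our address in From: and Return-Path:, but the only hop is someone else's IP. The `rbl_query_name` helper builds the reversed-octet name an RBL lookup queries; the DNS query itself is left out so the block runs offline. Caveat: a sender can prepend forged Received: lines of its own, so the bottom-most line is only trustworthy if it was written by a relay you trust; read from the top down to the first hop added by a server you do not control, and cross-check the queue ID against your own maillog. Both messages, all hostnames and the RBL zone are constructed.

```python
"""Decide whether a complaint message really left this host: walk its
Received: headers back to the first hop and compare that hop's IP with
ours.  Added example; the two messages are constructed, not real mail."""
import email
import re

# A bracketed dotted quad, as MTAs write the peer address in Received:.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed: a message that genuinely originated on the host at 192.0.2.44.
# Headers are listed top (latest hop) to bottom (first hop), as in real mail.
MSG_FROM_MY_HOST = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.com (Postfix) with ESMTP id 1A2B3C
\tfor <victim@example.com>; Wed, 12 May 2004 03:15:02 -0500
Received: from box.mia.example.edu (box.mia.example.edu [192.0.2.44])
\tby mail.example.net (8.12.8/8.12.8) with ESMTP id i4C8F0xx001234
\tfor <victim@example.com>; Wed, 12 May 2004 03:14:59 -0500
From: promo@example.org
To: victim@example.com
Subject: constructed sample

body
"""

# Constructed: a worm elsewhere forged our address as the sender; the only
# hop is 203.0.113.9, so an AV bounce blaming us would be a false accusation.
MSG_FORGED_SENDER = """\
Return-Path: <shashank@mia.example.edu>
Received: from pc-1234.example.org (pc-1234.example.org [203.0.113.9])
\tby mx.example.com (Postfix) with ESMTP id 4D5E6F
\tfor <victim@example.com>; Wed, 12 May 2004 04:01:10 -0500
From: shashank@mia.example.edu
To: victim@example.com
Subject: constructed sample

body
"""


def received_chain(raw):
    """Received: headers, top (most recent hop) first, as the MTAs added them."""
    msg = email.message_from_string(raw)
    return msg.get_all("Received") or []


def from_clause_ip(received):
    """IP in the 'from host (host [ip])' part; anything after ' by ' is the
    receiving MTA and is ignored."""
    from_part = re.split(r"\s+by\s+", received, maxsplit=1)[0]
    m = IP_RE.search(from_part)
    return m.group(1) if m else None


def originating_ip(raw):
    """IP of the first hop: the bottom-most Received: header."""
    chain = received_chain(raw)
    return from_clause_ip(chain[-1]) if chain else None


def sent_by_my_host(raw, my_ips):
    """True if the first hop's IP is one of ours."""
    return originating_ip(raw) in set(my_ips)


def rbl_query_name(ip, zone):
    """DNS name an RBL check queries: the IP's octets reversed, under the
    list's zone (e.g. 192.0.2.44 -> 44.2.0.192.<zone>)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    mine = {"192.0.2.44"}  # assumed: this workstation's address
    for label, raw in (("real", MSG_FROM_MY_HOST), ("forged", MSG_FORGED_SENDER)):
        ip = originating_ip(raw)
        print(f"{label}: first hop {ip}, sent by my host: {sent_by_my_host(raw, mine)}")
    print("RBL name to query:", rbl_query_name("192.0.2.44", "rbl.example.invalid"))
```

To actually run the RBL check, resolve the returned name with `socket.gethostbyname`; an answer (typically in 127.0.0.0/8) means listed, and a `socket.gaierror` means not listed. Use the zone of whichever list the complaint cited, since each list uses its own return codes.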