Mail services checking - URGENT

David Southwell david at vizion2000.net
Mon Sep 8 12:35:56 UTC 2008


On Monday 08 September 2008 05:19:51 Jeremy Chadwick wrote:
> On Mon, Sep 08, 2008 at 05:10:27AM -0700, David Southwell wrote:
> > I have had a series of attacks on a system which resulted in a hijack of
> > our mail system.
> >
> > I believe I have now fixed the main problem but I need a tool that will
> > reliably, and independently of the mail logs, check my network for all
> > outgoing mails and hold them up until I am certain that all loopholes
> > have been closed.
> >
> > Can anyone please let me have some recommendations on the best way of
> > going about this
>
> I'm not sure what exactly you want.  Someone compromising your system
> means they could've done *anything*, including running their own MTA,
> replacing libc to include an open proxy for spamming, or any other
> thing.  There's no way to "detect" that sort of thing aside from deep
> packet inspection to look for mail-like network traffic, which is
> predominantly the job of a router or network tap.  It's going to be
> impossible for you to 100% ensure the system is in a working state.

What happened was that 2 Windows systems were compromised and a trojan was
installed on those two systems. They were used to send mail via the MTAs on
the FreeBSD server to the outside world and in particular had permission to
send mail to root on the FreeBSD server.

There was no actual compromise of the FreeBSD server and the Windows systems
had no ability to access the server.

>
> Keeping it simple, making the (horrible) assumption that they
> compromised something that affected your MTA: it depends completely and
> entirely on what MTA you're using (sendmail, postfix, etc.).  See your
> MTA's manpages for looking at the outbound/delivery mail queue.


In addition to the above I am looking for an additional way of monitoring smtpd
port 25 outbound traffic at the network level, filtering the traffic, and doing
extra checks to make sure there is nothing left when I reopen the service to
the local network.
>
> By the way, and I apologise if I'm stepping over a line here, but "fixed
> the main problem" doesn't sound like you fixed anything.  You might have
> "addressed the hole they used to get in on", but what makes you think
> they didn't replace binaries (including using touch -amcf to adjust
> a/m/ctimes) or do something even more sneaky?

The main problem was the trojan and the stuff that it brought in. Hefty use of
Kaspersky and about six other tools on the Windows systems has resolved the
issue. I have not been able to detect any attempts from the Windows systems
to abuse the mail system but I want to monitor dynamically for some time.
>
> If someone compromised one of your systems, do the world a favour: pull
> the Ethernet out of it or have it shut off *immediately* (this is how
> MIT does it -- yes I'm serious), go to the datacentre and format the
> disk(s).  No I am not exaggerating.  The longer you keep that system up,
> the higher the chance is that you'll get contacted by your provider,
> Internet users (blacklisted, etc.), or possibly law enforcement.

You are not out of line -- I understand

That is why the system was shut down for 48 hours.

David
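As an added example that is not part of this thread and not code from any of its participants, the sh script below does the network-level check asked for above: it reads line-oriented `tcpdump -n` output (which would be collected on the FreeBSD gateway or from a tap with a filter for TCP SYNs to port 25) and reports every LAN source other than the authorized MTA that tried to open an outbound SMTP connection, so a cleaned Windows host that starts relaying again shows up regardless of what the mail logs say. The MTA address 192.0.2.10, the other addresses and the capture lines are all constructed for illustration and are not from a real capture.

```sh
#!/bin/sh
# Added example (not from the original thread): flag LAN hosts that open
# outbound TCP/25 connections while not being the authorized MTA.
# Assumptions (hypothetical): the MTA is 192.0.2.10 and the input is
# tcpdump -n output collected with something like
#   tcpdump -n -l -i em0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'

MTA_IP="${MTA_IP:-192.0.2.10}"

# Constructed sample of tcpdump -n output (not a real capture): two SYNs
# from the MTA, two from 192.0.2.44 and one from 192.0.2.51.
SAMPLE_CAPTURE='12:35:56.000001 IP 192.0.2.10.49152 > 198.51.100.25.25: Flags [S], seq 1, win 65535, length 0
12:35:57.000002 IP 192.0.2.44.1034 > 203.0.113.7.25: Flags [S], seq 2, win 8192, length 0
12:35:58.000003 IP 192.0.2.44.1035 > 203.0.113.9.25: Flags [S], seq 3, win 8192, length 0
12:35:59.000004 IP 192.0.2.51.1100 > 203.0.113.7.25: Flags [S], seq 4, win 8192, length 0
12:36:00.000005 IP 192.0.2.10.49153 > 198.51.100.26.25: Flags [S], seq 5, win 65535, length 0'

# Reads tcpdump lines on stdin and prints "count src_ip" for every source
# that sent a pure SYN (Flags [S], not the [S.] of a SYN/ACK) to a remote
# port 25 and is not the MTA, most active source first.
flag_unauthorized_smtp() {
    awk -v mta="$MTA_IP" '
        $2 == "IP" && $4 == ">" && /Flags \[S\]/ {
            # $3 is "src.port", $5 is "dst.port:" in tcpdump -n output
            src = $3; sub(/\.[0-9]+$/, "", src)
            dst = $5; sub(/:$/, "", dst)
            dport = dst; sub(/.*\./, "", dport)
            if (dport == "25" && src != mta) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Succeeds (exit 0) only when no unauthorized source appears in the capture
# on stdin, so it can gate reopening the service from a cron job or script.
smtp_capture_is_clean() {
    [ -z "$(flag_unauthorized_smtp)" ]
}

# Run the check against the constructed sample when invoked with --demo;
# in real use, pipe live or saved tcpdump output into the functions instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CAPTURE" | flag_unauthorized_smtp
fi
```

This only sees connection attempts, so it is complemented by an enforcement rule: on the FreeBSD box acting as gateway, a pf rule of the form `block log out on $ext_if proto tcp from ! $mta to any port 25` (with `$ext_if` and `$mta` defined in /etc/pf.conf and loaded with `pfctl -f /etc/pf.conf`) stops direct-to-MX relaying from every other LAN host, and the blocked packets can be watched with `tcpdump -n -e -ttt -i pflog0`. Checking the MTA's own queue (`mailq` for sendmail and postfix) covers the path through the server itself, which this capture-based check deliberately ignores.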
More information about the freebsd-ports mailing list