Mail services checking - URGENT

Jeremy Chadwick koitsu at FreeBSD.org
Mon Sep 8 12:35:52 UTC 2008


On Mon, Sep 08, 2008 at 05:10:27AM -0700, David Southwell wrote:
> I have had a series of attacks on a system which resulted in a hijack of our 
> mail system.
> 
> I believe I have now fixed the main problem but I need a tool that will 
> reliably, and independently of the mail logs check my network for all 
> outgoing mails and hold them up until I am certain that there all loopholes 
> have been closed.
> 
> Can anyone please let me have some recommendations on the best way of going 
> about this

I'm not sure what exactly you want.  Someone compromising your system
means they could've done *anything*, including running their own MTA,
replacing libc to include an open proxy for spamming, or any other
thing.  There's no way to "detect" that sort of thing aside from deep
packet inspection to look for mail-like network traffic, which is
predominantly the job of a router or network tap.  It's going to be
impossible for you to 100% ensure the system is in a working state.

Keeping it simple, making the (horrible) assumption that they
compromised something that affected your MTA: it depends completely and
entirely on what MTA you're using (sendmail, postfix, etc.).  See
your MTA's manpages for looking at outbound/delivery mail queue.

By the way, and I apologise if I'm stepping over a line here, but "fixed
the main problem" doesn't sound like you fixed anything.  You might have
"addressed the hole they used to get in on", but what makes you think
they didn't replace binaries (including using touch -amcf to adjust
a/m/ctimes) or do something even more sneaky?

If someone compromised one of your systems, do the world a favour: pull
the Ethernet out of it or have it shut off *immediately* (this is how
MIT does it -- yes I'm serious), go to the datacentre and format the
disk(s).  No I am not exaggerating.  The longer you keep that system up,
the higher the chance is that you'll get contacted by your provider,
Internet users (blacklisted, etc.), or possibly law enforcement.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
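The reply above points at the MTA's own queue listing as the one place a hijacked outbound mail flow will show up. As an added example (not code from this thread or from any MTA project), here is a small Python script that parses a Postfix-style `mailq` / `postqueue -p` listing and summarises it by envelope sender, so that a burst of queued mail from one unexpected account (a web-server user, say) stands out, and held or deferred messages with their delivery failure reasons are listed. The sample listing embedded below is constructed for the example and the queue IDs, addresses and host names in it are placeholders; the layout assumed is Postfix's (one "QUEUEID[*!] SIZE ARRIVAL SENDER" line per message, an optional indented "(reason)" line, one indented line per recipient, and a trailing "-- N Kbytes in M Requests." summary).

```python
"""Summarise a Postfix-style `mailq` listing to spot an abused outbound queue.

Added example, not code from the original thread or from Postfix.
Assumes the Postfix `mailq` / `postqueue -p` output layout; sendmail's
queue listing differs and would need its own regular expressions.
"""
import re
import sys
from collections import Counter

# Constructed sample listing (not captured from a real system):
# one active message (*), one deferred message with a reason line,
# one ordinary user message and one message on hold (!).
SAMPLE_MAILQ = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     2048 Mon Sep  8 12:00:01  www@example.test
                                         victim1@example.org
                                         victim2@example.org

F6E7D8C9B0      1024 Mon Sep  8 12:00:05  www@example.test
         (connect to mx.example.net[192.0.2.10]:25: Connection refused)
                                         victim3@example.net

0123456789       512 Mon Sep  8 12:01:00  alice@example.test
                                         bob@example.org

9876543210!     4096 Mon Sep  8 12:02:00  www@example.test
                                         victim4@example.com

-- 7 Kbytes in 4 Requests.
"""

# First line of each queue entry: queue id, optional status flag, size,
# arrival time ("Mon Sep  8 12:00:01") and envelope sender.
ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3}\s+\w{3}\s+\d+\s+[\d:]+)\s+(?P<sender>\S+)$"
)
STATUS = {"*": "active", "!": "hold"}


def parse_mailq(text):
    """Return one dict per queued message: id, status, size, sender, recipients, reason."""
    messages = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        # Skip blank lines, the column header and the trailing totals line.
        if not stripped or line.startswith("-Queue ID-") or line.startswith("--"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {
                "qid": m["qid"],
                "status": STATUS.get(m["flag"], "deferred"),
                "size": int(m["size"]),
                "arrival": m["arrival"],
                "sender": m["sender"],
                "recipients": [],
                "reason": None,
            }
            messages.append(current)
        elif current is not None and stripped.startswith("("):
            # Delivery failure reason printed under a deferred message.
            current["reason"] = stripped.strip("()")
        elif current is not None and line.startswith(" "):
            current["recipients"].append(stripped)
    return messages


def summarize(messages, per_sender_limit=2):
    """Count queued mail per sender and flag senders above the limit plus held mail."""
    by_sender = Counter(m["sender"] for m in messages)
    return {
        "messages": len(messages),
        "recipients": sum(len(m["recipients"]) for m in messages),
        "by_sender": dict(by_sender),
        # Senders with more queued messages than a normal user should have.
        "suspect_senders": sorted(s for s, n in by_sender.items() if n > per_sender_limit),
        "held": [m["qid"] for m in messages if m["status"] == "hold"],
        "deferred_reasons": {m["qid"]: m["reason"] for m in messages if m["reason"]},
    }


if __name__ == "__main__":
    # Pipe a live listing in (`postqueue -p | python3 queue_summary.py`);
    # with no piped input the constructed sample is used instead.
    data = SAMPLE_MAILQ if sys.stdin.isatty() else sys.stdin.read()
    for key, value in summarize(parse_mailq(data)).items():
        print(f"{key}: {value}")
```

The `per_sender_limit` threshold is deliberately low for the sample; on a real host set it from what the legitimate senders normally queue. Messages whose sender is a daemon account that should never originate mail are the ones worth holding (`postsuper -h`) until the source is understood, and a queue summary run from cron alongside the log review gives the independent check the original poster asked for.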
