looking for a spammer/virii/malware .... on my system

alexus alexus at gmail.com
Mon Aug 15 18:04:28 UTC 2011 

I personally leaning towards that these headers are being modified and
that there is no spam leaving my box (I may be wrong of couse)

here is what I did to come up with that thought....

I sent myself an email

-bash-3.2# echo $$ | mail alexus at gmail.com
-bash-3.2#

through google headers I see follwoing:

Delivered-To: alexus at gmail.com
Received: by 10.68.60.97 with SMTP id g1cs121928pbr;
        Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: from mr.google.com ([10.52.21.70])
        by 10.52.21.70 with SMTP id t6mr5504300vde.56.1313430746298
(num_hops = 1);
        Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: by 10.52.21.70 with SMTP id t6mr3999448vde.56.1313430745493;
        Mon, 15 Aug 2011 10:52:25 -0700 (PDT)
Return-Path: <root at alexus.org>
Received: from alexus.biz ([64.237.55.83])
        by mx.google.com with ESMTPS id co6si13861841vdc.76.2011.08.15.10.52.23
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 15 Aug 2011 10:52:24 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning
root at alexus.org does not designate 64.237.55.83 as permitted sender)
client-ip=64.237.55.83;
Authentication-Results: mx.google.com; spf=softfail (google.com:
domain of transitioning root at alexus.org does not designate
64.237.55.83 as permitted sender) smtp.mail=root at alexus.org
Received: from alexus.org (lama [64.237.55.83])
	by alexus.biz (8.14.4/8.14.3) with ESMTP id p7FHqNvO049613
	for <alexus at gmail.com>; Mon, 15 Aug 2011 13:52:23 -0400 (EDT)
	(envelope-from root at alexus.org)
Received: (from root at localhost)
	by alexus.org (8.14.4/8.14.3/Submit) id p7FHqIl1049612
	for alexus at gmail.com; Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
	(envelope-from root)
Date: Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
From: Charlie Root <root at alexus.org>
Message-Id: <201108151752.p7FHqIl1049612 at alexus.org>
To: alexus at gmail.com

49609

I see that whenever mail leaves my box (assuming it was left my box in
a standard way) I see sendmail involves in the process and I see
remote server tried to resolve my IP

while the "original" email that was provided to me by my ISP doesn't
have any of that... so that makes me think that nothing ever happened
on my box and that my IP in that original email was just manually
added there (without any emails ever leaving my box)


but then again here is scenario #2

a user connects to a remote server not using standard ways but making
a connection to remote webmail.west.cox.net directly (bypassing my
sendmail)
in that case my firewall rule should prevent this user from doing so ever again

then again doing so is not really resolving it (I still dont know
where its origin from, and thats what I want/need to find out)

I'm running apache httpd, so as far as I see it could be pretty much
any site that I host generate that kind of issue

so I'm back to square 1, how do I find it? if it's in php could be
famous base64_decode();/base64_encode();

and then good luck for locating one of that...

any other ideas?


On Mon, Aug 15, 2011 at 1:39 PM, Chuck Swiger <cswiger at mac.com> wrote:
> On Aug 15, 2011, at 10:05 AM, alexus wrote:
>> what else can I do to find it on my system who's trying to connect to
>> remote webmail.west.cox.net ?
>
> Monitor your network for SMTP traffic:
>
>  tcpdump -nA -s 0 port 25
>
> If malware is sending out spam, you'll see it and can then use lsof or whatever to identify the specific user/process.
>
> Regards,
> --
> -Chuck
>
>



-- 
http://alexus.org/

More information about the freebsd-questions mailing list