
Possible Duplicate:
My server's been hacked EMERGENCY

About a week ago, a bot broke into one of our Linux servers and sent 70k spam mails from it. I had a look into the logs and found out at what time the bot connected, what emails were sent to whom and what IP address the bot used. However, I have no idea how he actually sent the mails. The bash history seems empty and it seems like no files were modified (I checked with "find"). We'd like to make sure that there are no hidden programs somewhere that start sending spam or worse as soon as we put the server online again.

So, I'm asking: any ideas on how the bot sent those e-mails? Could it be that he just executed one big command in bash? Should we completely reinstall the OS on the server, or is it safe to keep it running with the "hacked" system?

Thanks in advance

Stuffy
  • Did they get into the machine? If the history is empty and "last" doesn't show an IP you don't know about then maybe they didn't get in at all and instead exploited some script on the machine. There are so many generic form mailers out there that people use that are easy to exploit –  Apr 16 '12 at 11:30
  • Oh, thanks. I'm pretty new to this, can I somehow export my question there? –  Apr 16 '12 at 11:31
    suggest migrating to Security Stack Exchange – Rory Alsop Apr 16 '12 at 11:31
  • We know how they got the SSH password. A Windows machine was infected with a virus that grabbed the password from FileZilla, which seems to keep the passwords in clear, unencrypted form. – Stuffy Apr 16 '12 at 11:36
  • Is the bot an ELF binary or a script like perl? I guess it has builtin smtp features. – ott-- Apr 16 '12 at 13:17
  • Bots send email the same way any other program sends email. The list of ways that can happen is fairly long (connect to the local SMTP server, connect to a remote SMTP server discovered in a config file, directly connect to target SMTP servers, etc...) - Your bigger problem is the machine was compromised. Deal with that, and make sure to lock the doors when you're done rebuilding :-) – voretaq7 Apr 16 '12 at 15:09
  • @Stuffy That will teach you! 1. Do not use any `ssh` program which stores cleartext passwords. 2. Do not allow `ssh` from the outside into your server. If you must have such access, restrict it by source IP address. Use port knocking to conceal the port. 3. Always secure outbound ports in your firewall rules, not only incoming. For instance, most machines in your network do not need unrestricted access to port 25. Only those machines which send mail need port 25, and only to your specific SMTP server. – Kaz Apr 16 '12 at 18:48
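One way to answer "how did it actually send them?" from the logs alone, picking up the commenters' points about checking `last` and about the different paths a bot can use to inject mail: line up the SSH sessions recorded in auth.log with the submissions the MTA records in mail.log. With Postfix, a `pickup` line means the message was handed in locally through sendmail(1) by the given uid (so a command run inside a shell session), while an `smtpd` line means something connected to port 25 over the network. This is an added example, not code from the question or any of the commenters; the log excerpts are constructed in the standard syslog formats for OpenSSH and Postfix, and the host names, users, queue IDs and addresses are placeholders. Other MTAs log in different formats and would need their own patterns.

```python
"""Line up SSH sessions with outbound mail submissions.

Added example, not from the original question.  The log excerpts are constructed
in the usual syslog formats for OpenSSH (auth.log) and Postfix (mail.log); host
names, users and addresses are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log: one short password login as the web
# user from an unfamiliar address, one longer admin login with a key.
AUTH_LOG = """\
Apr  8 02:14:03 mail sshd[4120]: Accepted password for www from 198.51.100.23 port 51822 ssh2
Apr  8 02:14:03 mail sshd[4120]: pam_unix(sshd:session): session opened for user www by (uid=0)
Apr  8 02:14:09 mail sshd[4120]: pam_unix(sshd:session): session closed for user www
Apr  8 09:30:11 mail sshd[5011]: Accepted publickey for admin from 192.0.2.10 port 40100 ssh2
Apr  8 09:30:11 mail sshd[5011]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Apr  8 09:45:02 mail sshd[5011]: pam_unix(sshd:session): session closed for user admin
"""

# Constructed sample of /var/log/mail.log.  "pickup" = handed in locally through
# sendmail(1) by the given uid; "smtpd" = delivered to port 25 over the network.
MAIL_LOG = """\
Apr  8 02:14:04 mail postfix/pickup[2201]: 3F1A2C: uid=33 from=<www@mail.example>
Apr  8 02:14:04 mail postfix/qmgr[2202]: 3F1A2C: from=<www@mail.example>, size=1410, nrcpt=50 (queue active)
Apr  8 02:14:06 mail postfix/pickup[2201]: 3F1A2D: uid=33 from=<www@mail.example>
Apr  8 02:14:06 mail postfix/qmgr[2202]: 3F1A2D: from=<www@mail.example>, size=1410, nrcpt=50 (queue active)
Apr  8 02:20:30 mail postfix/smtpd[2310]: 3F1A2E: client=unknown[198.51.100.23]
Apr  8 02:20:30 mail postfix/qmgr[2202]: 3F1A2E: from=<sale@example.net>, size=990, nrcpt=40 (queue active)
Apr  8 09:31:00 mail postfix/pickup[2201]: 4B77D1: uid=1000 from=<admin@mail.example>
Apr  8 09:31:00 mail postfix/qmgr[2202]: 4B77D1: from=<admin@mail.example>, size=300, nrcpt=1 (queue active)
"""

TS = r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ "
SSH_OPEN = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SSH_CLOSE = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session closed")
PICKUP = re.compile(TS + r"postfix/pickup\[\d+\]: (?P<qid>\w+): uid=(?P<uid>\d+)")
SMTPD = re.compile(TS + r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>\S+)")
QMGR = re.compile(TS + r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<[^>]*>, size=\d+, nrcpt=(?P<n>\d+)")


def parse_ts(m, year=2012):
    """Syslog timestamps carry no year; the caller supplies it (default matches the post)."""
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def ssh_sessions(auth_log):
    """Return one {'user', 'ip', 'start', 'end'} per accepted login; end is None if still open."""
    open_by_pid, sessions = {}, []
    for line in auth_log.splitlines():
        if m := SSH_OPEN.match(line):
            s = {"user": m["user"], "ip": m["ip"], "start": parse_ts(m), "end": None}
            open_by_pid[m["pid"]] = s
            sessions.append(s)
        elif (m := SSH_CLOSE.match(line)) and m["pid"] in open_by_pid:
            open_by_pid.pop(m["pid"])["end"] = parse_ts(m)
    return sessions


def mail_submissions(mail_log):
    """Return {queue_id: {'ts', 'via', 'nrcpt'}}: when and by which path each message was queued."""
    msgs = {}
    for line in mail_log.splitlines():
        if m := PICKUP.match(line):
            msgs[m["qid"]] = {"ts": parse_ts(m), "via": f"local sendmail(1) as uid {m['uid']}", "nrcpt": 0}
        elif m := SMTPD.match(line):
            msgs[m["qid"]] = {"ts": parse_ts(m), "via": f"SMTP from {m['client']}", "nrcpt": 0}
        elif (m := QMGR.match(line)) and m["qid"] in msgs:
            msgs[m["qid"]]["nrcpt"] = int(m["n"])
    return msgs


def attribute(sessions, msgs):
    """Group queued messages by the SSH session that was active when they were submitted."""
    report = defaultdict(lambda: {"messages": 0, "recipients": 0, "via": set()})
    for msg in msgs.values():
        key = "no active SSH session"
        for s in sessions:
            if s["start"] <= msg["ts"] and (s["end"] is None or msg["ts"] <= s["end"]):
                key = f"{s['user']}@{s['ip']} from {s['start']:%H:%M:%S}"
                break
        entry = report[key]
        entry["messages"] += 1
        entry["recipients"] += msg["nrcpt"]
        entry["via"].add(msg["via"])
    return {k: {**v, "via": sorted(v["via"])} for k, v in report.items()}


if __name__ == "__main__":
    for who, info in attribute(ssh_sessions(AUTH_LOG), mail_submissions(MAIL_LOG)).items():
        print(f"{who}: {info['messages']} messages to {info['recipients']} recipients via {info['via']}")
```

On the constructed data the six-second `www` login accounts for two locally submitted messages to 100 recipients, which is exactly the "one big command in the shell" pattern; the third batch arrived on port 25 from the same address with no SSH session open, which the bash history could never have shown. Messages that land in the "no active SSH session" bucket are the ones that point at a web script, a cron job or a planted process rather than an interactive login.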

2 Answers


First of all - you need to assume the entire machine is compromised. Do not connect it back up - rebuild the entire thing from scratch. A very likely reason you can't see anything useful in bash history is that a rootkit of some kind has been used.

And the problem with rootkits is that any tools you use to find them can be subverted.

They may have used a separate bash instance, or your bash history and log files may have been compromised - difficult to tell at this stage.

Have a look at the Security Stack Exchange questions on rootkits for more info.

Rory Alsop
  • You think they installed a rootkit? It seems like no human ever logged onto the machine since each session only lasted a few seconds. All they did was send those emails. – Stuffy Apr 16 '12 at 11:39
  • It is such a simple option for an attacker that you have to consider it as a viable possibility. And at that point the only safe thing to do is a rebuild. It may be that all they did was use it as a relay, but unless you have access to good forensic tools (or use a forensics service) you won't know. – Rory Alsop Apr 16 '12 at 11:41
  • Keep in mind, the attacker had no root access, just the limited access of a normal user. – Stuffy Apr 16 '12 at 11:46
  • If an attacker had ability to do remote execution on your machine, you really can't tell what they might have done. They only way you can be *totally* sure is to rebuild that server from scratch. – Andre Lackmann Apr 16 '12 at 13:08
  • Yep, we're probably going to do that. Thanks very much for all those answers. – Stuffy Apr 16 '12 at 13:18

Maybe your SMTP daemon is just configured wrong, allowing it to relay emails to all domains.

casper
  • No, I'm sure that's not the case. I've checked some of the addresses, and it's clearly spam. – Stuffy Apr 16 '12 at 11:42
  • The two are not incompatible, in fact a lot of spam is sent from poorly configured smtp relays – Rory Alsop Apr 16 '12 at 11:54
  • We use an SMTP server of our internet provider. They were the ones who called us at the weekend because 10-20% of the emails couldn't be delivered. I hope they know how to configure their servers. – Stuffy Apr 16 '12 at 11:58
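The open-relay possibility raised in this answer and in the comment above is easy to test rather than argue about: connect to the MTA, claim a sender in a domain it does not own, ask it to accept a recipient in another domain it does not own, and see whether RCPT TO gets a 250 or a 5xx. The probe below is an added example, not code from the answer or the commenters. `check_relay()` works against any host:port; the in-process `FakeSMTPServer` exists only so the demo runs offline and shows both a hardened and a misconfigured server side by side, and `LOCAL_DOMAIN` is a placeholder for the domain your MTA legitimately accepts mail for.

```python
"""Probe an SMTP server for open relaying.

Added example, not from the original answer.  check_relay() works against any
host:port; the FakeSMTPServer below is constructed only so the demo runs offline,
and LOCAL_DOMAIN is a placeholder for the domain your MTA legitimately accepts.
"""
import smtplib
import socketserver
import threading

LOCAL_DOMAIN = "mail.example"   # assumption: the only domain the MTA should accept mail for


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP to answer a relay probe.  Relaying to foreign domains is
    accepted only when the server was started with open_relay=True."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.reply("220 fake.example ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("HELO", "EHLO"):
                self.reply("250 fake.example")
            elif cmd == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif cmd == "RCPT":
                rcpt = arg.partition(":")[2].strip("<> ")
                domain = rcpt.rpartition("@")[2].lower()
                if self.server.open_relay or domain == LOCAL_DOMAIN:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply("554 5.7.1 Relay access denied")
            elif cmd == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)   # port 0: pick a free port
        self.open_relay = open_relay
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]

    def stop(self):
        self.shutdown()
        self.server_close()


def check_relay(host, port, sender="probe@attacker.example",
                rcpt="victim@external.example", timeout=5):
    """True if host:port accepts RCPT TO for a foreign recipient from a foreign
    sender, i.e. it will relay for anyone.  The probe stops before DATA, so no
    message is actually sent; the context manager issues QUIT on exit."""
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as smtp:
        smtp.helo()
        code, _ = smtp.mail(sender)
        if code != 250:
            return False
        code, _ = smtp.rcpt(rcpt)
        return code == 250


if __name__ == "__main__":
    for label, open_relay in (("hardened", False), ("misconfigured", True)):
        srv = FakeSMTPServer(open_relay)
        print(f"{label} server: open relay = {check_relay('127.0.0.1', srv.port)}")
        srv.stop()
```

Run the probe from a host outside your own network, because most MTAs relay freely for addresses listed in their trusted-networks setting (Postfix's `mynetworks`) and the result from inside will look fine either way. A hardened server still answers 250 for a recipient in its own domain, which is why the check asks for a foreign one.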