termlimit
asked on
Help with identifying an intrusion
I am reviewing my mail logs and I have noticed an email originating from 127.0.0.1. This is not something that is normal for my mail server to do. I have since stopped my mail server from allowing 127.0.0.1, but the "program" is still attempting to send. I have done a netstat to see if it is originating locally or from a spoof. It seems to be originating from a local source (I will paste the netstat log below), which leads me to believe that it is in fact a virus of some sort. My virus scanner has not picked up anything of value.
I am trying to find the program or flaw that is responsible. Is there a way to find what program is responsible for the entry in netstat? I have edited the following netstat output to show all the entries for port 25.
Proto Local Address Foreign Address State
TCP 127.0.0.1:3713 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3719 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3723 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3726 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3727 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3729 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3730 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3734 127.0.0.1:25 TIME_WAIT
TCP 127.0.0.1:3737 127.0.0.1:25 ESTABLISHED
TCP 127.0.0.1:3742 127.0.0.1:25 ESTABLISHED
TCP 127.0.0.1:3745 127.0.0.1:25 ESTABLISHED
Now to me that seems like an awful lot of connections for my little mail server. The entry in the logs comes up about every 20 seconds. Is there a way to track down this to make sure that it is in fact not a virus trying to send mail or if it is someone spoofing 127?
Any help would be appreciated.
Thanks.
Tom
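The question above asks how to tie a netstat entry back to the program that owns it. On Windows XP and Server 2003, `netstat -ano` adds a PID column to the listing Tom posted, and `tasklist /FI "PID eq <pid>"` turns a PID into an image name. The script below is an added example and not part of the original post: it parses a constructed `netstat -ano` sample (the PIDs, the web-server listener and the ESTABLISHED rows are assumptions modelled on the connections in the question) and groups every client of port 25 by owning PID, so the loopback connections can be attributed to a process rather than guessed at.

```python
"""Attribute local connections to TCP port 25 to their owning PID (added example)."""
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output. PIDs and the ESTABLISHED rows are
# assumptions modelled on the connections in the question; not real capture data.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1688
  TCP    127.0.0.1:25           127.0.0.1:3737         ESTABLISHED     1204
  TCP    127.0.0.1:3713         127.0.0.1:25           TIME_WAIT       0
  TCP    127.0.0.1:3719         127.0.0.1:25           TIME_WAIT       0
  TCP    127.0.0.1:3737         127.0.0.1:25           ESTABLISHED     1688
  TCP    127.0.0.1:3742         127.0.0.1:25           ESTABLISHED     1688
  TCP    127.0.0.1:3745         127.0.0.1:25           ESTABLISHED     1688
  UDP    0.0.0.0:123            *:*                                    972
"""

# One TCP row: local, foreign, state, pid. UDP rows carry no state and are skipped.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$")


def split_hostport(addr):
    """'127.0.0.1:3737' -> ('127.0.0.1', 3737); also copes with '[::1]:25'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Turn netstat -ano text into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if not m:
            continue
        local, foreign, state, pid = m.groups()
        rows.append({"local": split_hostport(local),
                     "foreign": split_hostport(foreign),
                     "state": state, "pid": int(pid)})
    return rows


def listener_of(rows, port):
    """PID of the process listening on `port`, or None if nothing listens there."""
    for r in rows:
        if r["state"] == "LISTENING" and r["local"][1] == port:
            return r["pid"]
    return None


def clients_of(rows, port):
    """Map owning PID -> local ports of sockets that connected *to* `port`.
    Windows reports PID 0 for sockets no process owns any more (TIME_WAIT),
    so only live connections attribute; catch them while still ESTABLISHED."""
    by_pid = defaultdict(list)
    for r in rows:
        if r["state"] != "LISTENING" and r["foreign"][1] == port:
            by_pid[r["pid"]].append(r["local"][1])
    return dict(by_pid)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("port 25 served by PID", listener_of(rows, 25))
    for pid, ports in sorted(clients_of(rows, 25).items()):
        print(f"PID {pid}: {len(ports)} client socket(s) on local ports {ports}")
        # resolve the image name with:  tasklist /FI "PID eq <pid>"
```

Run it against a saved `netstat -ano > ports.txt` instead of the sample and the PID with the most port-25 client sockets is the process to inspect with tasklist; in the constructed sample that is the same PID that owns the port 80 listener, which is the shape of the answer the thread eventually reaches.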
ASKER
I have a virus scanner running, but it has not come up with anything. I also tried an online one to make sure, thinking that I might not have an update or something. Again it came up with nothing.
Is there a process for scanning that you would recommend?
ASKER
Here is the excerpt from the mail log. The only thing I have removed is some IPs specific to the machine; I have edited them for ease of reading. Normally the second line, the one that starts with "Requested", has an IP that belongs to the remote machine.
6/5/2006 11:51:51 PM - { 458} START SMTP
6/5/2006 11:51:51 PM - Requested SMTP connection from 127.0.0.1 [127.0.0.1], ID=458
6/5/2006 11:51:51 PM - ( 458) 220 mail.IPADDRESS.com Mail Server
6/5/2006 11:51:51 PM - ( 458) EHLO IP-ADDRESS
6/5/2006 11:51:51 PM - ( 458) 250-Welcome, 127.0.0.1 [127.0.0.1], pleased to meet you
6/5/2006 11:51:51 PM - ( 458) 250-AUTH=LOGIN
6/5/2006 11:51:51 PM - ( 458) 250-AUTH LOGIN
6/5/2006 11:51:51 PM - ( 458) 250-SIZE 15728640
6/5/2006 11:51:51 PM - ( 458) 250-ETRN
6/5/2006 11:51:51 PM - ( 458) 250 HELP
6/5/2006 11:51:52 PM - ( 458) MAIL FROM:<experts_on_boatpurchasing@yahoo.co.uk>
6/5/2006 11:51:52 PM - ( 458) 250 Sender "experts_on_boatpurchasing@yahoo.co.uk" OK...
6/5/2006 11:51:52 PM - ( 458) RCPT TO:<davesplastering@hotmail>
6/5/2006 11:51:52 PM - ( 458) 551 User not local. Authentication required for relay
6/5/2006 11:51:52 PM - ( 458) RCPT TO:<com>
6/5/2006 11:51:52 PM - ( 458) 550 User unknown <com>
6/5/2006 11:51:52 PM - ( 458) RSET
6/5/2006 11:51:52 PM - ( 458) 250 Reset
Thanks
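The excerpt above has two tells: the client is 127.0.0.1, and the recipient arrives as `<davesplastering@hotmail>` followed by `<com>`, which is what a script that splits an address list at the wrong delimiter produces, rather than what a hand-driven SMTP client does. The script below is an added example, not part of the thread: it parses a constructed log in the same layout (session IDs, times and addresses are made up, using example domains) and reports loopback-origin sessions that were refused a recipient, together with the gap between them, which is the "every 20 seconds" check Tom describes.

```python
"""Triage an SMTP server log for loopback-origin relay attempts (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address

# Constructed log in the same layout as the excerpt above; IDs, times and
# addresses are made up (example domains), not real traffic.
SAMPLE_LOG = """\
6/5/2006 11:51:51 PM - { 458} START SMTP
6/5/2006 11:51:51 PM - Requested SMTP connection from 127.0.0.1 [127.0.0.1], ID=458
6/5/2006 11:51:51 PM - ( 458) 220 mail.example.com Mail Server
6/5/2006 11:51:51 PM - ( 458) EHLO IP-ADDRESS
6/5/2006 11:51:51 PM - ( 458) 250-Welcome, 127.0.0.1 [127.0.0.1], pleased to meet you
6/5/2006 11:51:52 PM - ( 458) MAIL FROM:<sender@example.co.uk>
6/5/2006 11:51:52 PM - ( 458) 250 Sender OK
6/5/2006 11:51:52 PM - ( 458) RCPT TO:<someone@example>
6/5/2006 11:51:52 PM - ( 458) 551 User not local. Authentication required for relay
6/5/2006 11:51:52 PM - ( 458) RCPT TO:<com>
6/5/2006 11:51:52 PM - ( 458) 550 User unknown <com>
6/5/2006 11:51:52 PM - ( 458) RSET
6/5/2006 11:51:52 PM - ( 458) 250 Reset
6/5/2006 11:52:11 PM - { 459} START SMTP
6/5/2006 11:52:11 PM - Requested SMTP connection from 127.0.0.1 [127.0.0.1], ID=459
6/5/2006 11:52:11 PM - ( 459) MAIL FROM:<sender@example.co.uk>
6/5/2006 11:52:11 PM - ( 459) RCPT TO:<other@example.org>
6/5/2006 11:52:11 PM - ( 459) 551 User not local. Authentication required for relay
6/5/2006 11:53:02 PM - { 460} START SMTP
6/5/2006 11:53:02 PM - Requested SMTP connection from 192.0.2.10 [192.0.2.10], ID=460
6/5/2006 11:53:02 PM - ( 460) MAIL FROM:<friend@example.net>
6/5/2006 11:53:02 PM - ( 460) RCPT TO:<tom@mail.example.com>
6/5/2006 11:53:02 PM - ( 460) 250 Recipient OK
"""

TS_FMT = "%m/%d/%Y %I:%M:%S %p"
CONN_RE = re.compile(r"^(?P<ts>.+?) - Requested SMTP connection from (?P<ip>\S+) \[[^\]]*\], ID=(?P<id>\d+)$")
LINE_RE = re.compile(r"^(?P<ts>.+?) - \(\s*(?P<id>\d+)\) (?P<msg>.*)$")
RCPT_RE = re.compile(r"^RCPT TO:<(?P<addr>[^>]*)>", re.IGNORECASE)


@dataclass
class Session:
    sid: int
    started: datetime
    client: str
    recipients: list = field(default_factory=list)
    reply_codes: list = field(default_factory=list)

    @property
    def from_loopback(self):
        return ip_address(self.client).is_loopback

    @property
    def relay_refused(self):
        # 551 = recipient not local, relay denied; 550 = unknown user
        return any(code in ("550", "551") for code in self.reply_codes)


def parse_sessions(text):
    """Group log lines by session ID; record client IP, RCPT targets and reply codes."""
    sessions = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            sid = int(m["id"])
            sessions[sid] = Session(sid, datetime.strptime(m["ts"], TS_FMT), m["ip"])
            continue
        m = LINE_RE.match(line)
        if not m or int(m["id"]) not in sessions:
            continue
        s, msg = sessions[int(m["id"])], m["msg"]
        r = RCPT_RE.match(msg)
        if r:
            s.recipients.append(r["addr"])
        elif msg[:3].isdigit():          # server reply; client commands start with a verb
            s.reply_codes.append(msg[:3])
    return sessions


def loopback_relay_attempts(sessions):
    """Session IDs that came from 127.0.0.1 and were refused a recipient."""
    return sorted(s.sid for s in sessions.values() if s.from_loopback and s.relay_refused)


def loopback_intervals(sessions):
    """Seconds between consecutive loopback sessions (the 'every 20 seconds' check)."""
    starts = sorted(s.started for s in sessions.values() if s.from_loopback)
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for sid in loopback_relay_attempts(sessions):
        print(f"session {sid}: loopback client tried RCPT {sessions[sid].recipients}")
    print("gaps between loopback sessions (s):", loopback_intervals(sessions))
```

A steady interval and recipients that are fragments of one address point at an automated local sender rather than a spoofed remote one; a spoofed 127.0.0.1 over TCP would not complete the handshake, so netstat would not show ESTABLISHED sessions for it.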
Virus scanners will not pick up a lot of spyware; a combination of virus and malware scanners is best. Try that Ewido link for starters.
ASKER
I will try it. Be back in a bit
Hi Tom, I may have the answer for you.
I use this great tool to monitor my ports. Please take a look at it.
Active Ports - easy to use tool that enables you to monitor all open TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to close any port. Active Ports can help you to detect trojans and other malicious programs.
http://www.snapfiles.com/get/activeports.html
Use the Sysinternals tool to monitor the activities of the applications running on your local system.
http://www.sysinternals.com/Utilities/TdiMon.html
TDIMon is an application that lets you monitor TCP and UDP activity on your local system. It is the most powerful tool available for tracking down network-related configuration problems and analyzing application network usage.
It will give you a clue as to where the packet is originating.
srini ms
I usually have Security Task Manager running on my computer to pick up suspicious processes. There is a trial version available for download:
http://www.neuber.com/taskmanager/index.html
Oh man, you got a tough one.
Read this:
http://www.securiteam.com/securitynews/5GP0E1P8AK.html
I'll be back with a possible solution.
In the meantime, please make sure that all your software is up to date; look for updates for your OS and mail server.
I can't find any solutions for your issue right now, but it seems that some sort of worm or virus has infected your machine and is trying to exploit the W3C CSS vulnerability. Currently I don't think there is a solution, but I recommend you do a full scan for spyware and viruses to see if maybe something was dropped on your mail server.
ASKER
Thanks for the updates on this everyone. I am working the issue right now.
Jimmymcp02 - I don't believe that it is the proxy issue, only because if I turn off the web server the exploit is still happening in the mail logs. If the exploit works through the W3C service, turning it off should stop that. Thoughts?
Tom
ASKER CERTIFIED SOLUTION
jimmymcp02 :)
Could you please think about your answer or suggestion before posting? I get hundreds of emails, most of which are unnecessary, when everyone keeps posting one for each idea. I would appreciate it.
Thanks Merete
Merete :-) Same goes to you... You could have posted your message for me underneath your last comment. Also, if I posted my first comment without doing any more research for a solution, it was because I felt that this issue was something that presented a threat to termlimit. I didn't mean to spam anyone with my suggestions, but as you can see the link that I posted shows a W3C CSS proxying vulnerability which I'm not familiar with, but I decided to investigate and warn the user that it could be a possible trojan.
Apologies. Most of the time (90%) it only takes me one answer to solve an issue; it's just that I have not come across something like this.
ASKER
Thanks for all the help, gang. I wish I could have given credit to more than one person, but in the end I gave it to Merete because Active Ports solved the problem. There was a vulnerability in some ColdFusion code that I was using. It was allowing someone to use the mail server through the form. Active Ports pointed to JRun and led to this conclusion. I shut down JRun and the problem stopped. I then went further into all the CF code that I had outsourced and found a flaw in the programming. So much for trusting others with programming work.
Well thanks again guys. Experts-Exchange does the trick again.
T
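Tom's closing post names the cause: a ColdFusion form that let a caller drive the mail server. The thread does not show that code, so the contrast below is an added Python illustration of the general pattern rather than the page's own code: a handler that copies form fields straight into the recipient and sender headers (which is an open relay with an HTTP front end) beside one that fixes the recipient and envelope sender in code, allowlists a single plain reply address, and refuses CR/LF in header fields so a visitor cannot append Bcc: lines. Field names and the example.com addresses are assumptions; the same checks apply in ColdFusion, PHP or any other form-mail handler.

```python
"""Web-form mail handler: relay-prone pattern beside a hardened one (added example)."""
import re

# Deliberately strict single-mailbox allowlist: one local part, one dotted domain.
# Narrower than RFC 5321 on purpose; a contact form does not need the full grammar.
# Used with fullmatch so a trailing newline cannot sneak past an end anchor.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def is_valid_address(addr):
    """True only for a single plain mailbox; lists, display names and CR/LF all fail."""
    return ADDRESS_RE.fullmatch(addr or "") is not None


def has_newline(value):
    """CR or LF inside a header value lets a caller inject extra To:/Bcc: headers."""
    return "\r" in value or "\n" in value


# Vulnerable pattern: the form decides who the mail goes to and who it is from.
# Anyone who can POST to the form can relay through the server behind it, which
# is how a local web process ends up as the 127.0.0.1 client in the mail log.
def build_message_unsafe(form):
    return {"To": form["to"], "From": form["from"],
            "Subject": form["subject"], "Body": form["body"]}


# Hardened pattern: recipient and envelope sender are fixed in code; the visitor's
# address only ever lands in Reply-To, and free-text header fields are checked.
def build_message_safe(form, fixed_recipient, fixed_sender):
    reply_to = form.get("from", "").strip()
    subject = form.get("subject", "")
    if not is_valid_address(reply_to):
        raise ValueError("reply address rejected")
    if has_newline(subject):
        raise ValueError("newline in subject")
    return {"To": fixed_recipient, "From": fixed_sender, "Reply-To": reply_to,
            "Subject": subject[:200], "Body": form.get("body", "")}


def accepts(form, fixed_recipient="owner@example.com", fixed_sender="webform@example.com"):
    """Does the hardened handler accept this form post? (addresses are assumptions)"""
    try:
        build_message_safe(form, fixed_recipient, fixed_sender)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hostile = {"to": "victim@example.org", "from": "x@example.net",
               "subject": "hi\r\nBcc: everyone@example.org", "body": "spam"}
    print("unsafe handler relays to:", build_message_unsafe(hostile)["To"])
    print("hardened handler accepts it:", accepts(hostile))
```

The body is left as free text because a body cannot add recipients; only header fields and the envelope need the strictness, and fixing the recipient server-side removes the relay regardless of what the other checks miss.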
Thank you termlimit, good to see you did try it; I knew it would help you.
And being free what an excellent tool.
Cheers Merete
@jimmymcp02 no worries hey :)
127.0.0.1 is your loopback address - effectively yourself
I would be doing some scans.