Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 410
  • Last Modified:

Help with identifying an intrusion

I am reviewing my mail logs and I have noticed an email originating from 127.0.0.1.  This is not something that is normal for my mail server to do.  I have since stopped my mail server from allowing 127.0.0.1, but the "program" is still attempting to send.  I have done a netstat to see if it is originating from local or from a spoof.  It seems to be originating from a local source (I will past netstat log below), which leads me to believe that it is in fact a virus of some sort.  My virus scanner has not picked up anything of value.

I a trying to find the program or flaw that is responsible.  Is there a way to find what program is responsible for the entry in netstat?  I have edited the following netstat to show all the entries from port 25.
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:3713         127.0.0.1:25           TIME_WAIT
  TCP    127.0.0.1:3719         127.0.0.1:25           TIME_WAIT
  TCP    127.0.0.1:3723         127.0.0.1:25           TIME_WAIT
  TCP    127.0.0.1:3726         127.0.0.1:25           TIME_WAIT
  TCP    127.0.0.1:3727         127.0.0.1:25           TIME_WAIT
  TCP    127.0.0.1:3729         127.0.0.1:25           TIME_WAIT
  TCP    127.0.0.1:3730         127.0.0.1:25           TIME_WAIT
  TCP    127.0.0.1:3734         127.0.0.1:25           TIME_WAIT
  TCP    127.0.0.1:3737         127.0.0.1:25           ESTABLISHED
  TCP    127.0.0.1:3742         127.0.0.1:25           ESTABLISHED
  TCP    127.0.0.1:3745         127.0.0.1:25           ESTABLISHED

Now to me that seems like an awful lot of connections for my little mail server.  The entry in the logs comes up about every 20 seconds.  Is there a way to track down this to make sure that it is in fact not a virus trying to send mail or if it is someone spoofing 127?

Any help would be appreciated.

Thanks.
Tom
0
termlimit
Asked:
termlimit
  • 5
  • 4
  • 4
  • +3
1 Solution
 
Jay_Jay70Commented:
Hi termlimit,

127.0.0.1 is your loopback address - effectively yourself

i would be doing some scans....
0
 
Jay_Jay70Commented:
termlimit,

www.ewido.net
0
 
termlimitAuthor Commented:
I have a virus scanner running, but it has not come up with anything.  I also tried an online one to make sure, thinking that I might not have an update or something.  Again came up with nothing.

Is there a process for scanning that you would recommend?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
termlimitAuthor Commented:
Here is the exerpt from the mail log.  The only thing I have removed is some specific ips to the machine.  But I have edited them for ease of reading.  Normally the second line, the one that starts with Requested has an ip that is from the remote machine.

6/5/2006 11:51:51 PM - {   458} START SMTP
6/5/2006 11:51:51 PM - Requested SMTP connection from 127.0.0.1 [127.0.0.1], ID=458
6/5/2006 11:51:51 PM - (   458) 220 mail.IPADDRESS.com Mail Server
6/5/2006 11:51:51 PM - (   458) EHLO IP-ADDRESS
6/5/2006 11:51:51 PM - (   458) 250-Welcome, 127.0.0.1 [127.0.0.1], pleased to meet you
6/5/2006 11:51:51 PM - (   458) 250-AUTH=LOGIN
6/5/2006 11:51:51 PM - (   458) 250-AUTH LOGIN
6/5/2006 11:51:51 PM - (   458) 250-SIZE 15728640
6/5/2006 11:51:51 PM - (   458) 250-ETRN
6/5/2006 11:51:51 PM - (   458) 250 HELP
6/5/2006 11:51:52 PM - (   458) MAIL FROM:<experts_on_boatpurchasing@yahoo.co.uk>
6/5/2006 11:51:52 PM - (   458) 250 Sender "experts_on_boatpurchasing@yahoo.co.uk" OK...
6/5/2006 11:51:52 PM - (   458) RCPT TO:<davesplastering@hotmail>
6/5/2006 11:51:52 PM - (   458) 551 User not local.  Authentication required for relay
6/5/2006 11:51:52 PM - (   458) RCPT TO:<com>
6/5/2006 11:51:52 PM - (   458) 550 User unknown <com>
6/5/2006 11:51:52 PM - (   458) RSET
6/5/2006 11:51:52 PM - (   458) 250 Reset

Thanks
0
 
Jay_Jay70Commented:
virus scanners will not pick up a lot of spyware, a combination of virus and malware scanners is best, try that ewido link for starters
0
 
termlimitAuthor Commented:
I will try it.  Be back in a bit
0
 
MereteCommented:
Hi Tom I may have the answer for you,
I use this great tool to monitor my ports.. please take a look at it.
Active Ports - easy to use tool that enables you to monitor all open TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to close any port. Active Ports can help you to detect trojans and other malicious programs.
http://www.snapfiles.com/get/activeports.html
0
 
srinimsCommented:
use sys internals tool to monitor the activities of the application which are running in your local system.

http://www.sysinternals.com/Utilities/TdiMon.html

TDIMon is an application that lets you monitor TCP and UDP activity on your local system. It is the most powerful tool available for tracking down network-related configuration problems and analyzing application network usage.

it will let u the clue, where the packet is orginating

srini ms
0
 
DCreatureCommented:
I usually have Security Task Manager running on my computer to picks up suspcious processes. There is trial version available for download:

http://www.neuber.com/taskmanager/index.html
0
 
jimmymcp02Commented:
Oh man you got a tough one

read this
http://www.securiteam.com/securitynews/5GP0E1P8AK.html
ill be back with a possible solution

0
 
jimmymcp02Commented:
In the mean time please make sure that all your software is up to date look for updates for your OS and Mail server
0
 
jimmymcp02Commented:
I cant find any solutions for your issue right now but it seems that some sort of worm or virus has infected your machine and its trying to exploit the w3c css vulneravility currently i dont think that there is a solution but i will recommend you to do a full scan for spyware and viruses to see if maybe something was dropped in your mail server.
0
 
termlimitAuthor Commented:
Thanks for the updates on this everyone.  I am working the issue right now.

Jimmymcp02 - I dont believe that it is the proxy issue only because if I turn off the web server the exploit is still happening in the mail logs.  If the exploit works through the w3c service, turning it off should stop that.  Thoughts?

Tom
0
 
MereteCommented:
termlimit  use the port monitor it shows all the acivity and runs a red bar whenever someone tries to access the server
you then click on the ip addres and quiry it.

 enables you to monitor all > open TCP/IP < and UDP ports on the local computer. Active Ports >>maps ports to >>the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to close any port. Active Ports can help you to detect trojans and other malicious programs.
http://www.snapfiles.com/get/activeports.html
0
 
MereteCommented:
jimmymcp02 :)
 could you please think about your answer or suggestion before posting, I get hundreds of emails most of which is unnecessary when everyone keeps posting one for each idea. I would appreciate it.
Thanks Merete
0
 
jimmymcp02Commented:
Merete :-) Same goes to you...You could have posted your message for me underneath your last comment... Also if posted my first comment without doing anymore research for a solution it was because i felt that this issue was something that presented a threat to termlimit i didnt mean to spam any one with my suggestions but as you can see the link that i posted it shows a w3c ccc proxying vulneravility  which im not familiar with but i decided to investigate and warn the user that it would be a possible trojan.

Apologies. most of the 90% of the time it only takes me one answer to solve an issue its just that i have not come accross something like this.
0
 
termlimitAuthor Commented:
Thanks for all the help gang.  I wish I could have given credit to more than one person.  But in the end I gave it to Meret because Activeports solved the problem.  There was a vulnerability with some Coldfusion code that I was using.  It was allowing someone to use the mail server through the form.  Activeports pointed to Jrun and lead to this conclusion.  I shut down Jrun and the problem stopped.  I then further went into all my CF code that I had outsourced and found a flaw in the programming.  So much for trusting others with programming work.

Well thanks again guys.  Experts-Exchange does the trick again.

T
0
 
MereteCommented:
thank you termlimit good to see you did tried it I knew it would help you.
And being free what an excellent tool.
Cheers Merete

@jimmymcp02 no worries hey :)
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 5
  • 4
  • 4
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now