bassam778
What do they mean with Malicious Activities in that warning?

Hi,
I received a notification for the primary owner of our Unix server (SoftLayer) that we are involved in malicious activities. In fact we are not!
We need to understand the meaning of these codes and what they refer to.
Is there any advice you can offer to sort out this problem?
What do they mean with Malicious Activities in this notification?
Dear Customer,
The following is a list of IP addresses on your network which we have
good reason to believe may be compromised systems engaging in
malicious activity. Please investigate and take appropriate action to
stop any malicious activity you verify.

The following is a list of types of activity that may appear in this
report:
BEAGLE BEAGLE3 BLASTER BOTNETS BOTS BRUTEFORCE
DAMEWARE DEFACEMENT DIPNET DNSBOTS MALWAREURL MYDOOM
NACHI PHATBOT PHISHING ROUTERS SCAN445 SCANNERS
SINIT SLAMMER SPAM SPYBOT TOXBOT

Open proxies and open mail relays may also appear in this report.
Open proxies are designated by a two-character identifier (s4, s5, wg,
hc, ho, hu, or fu) followed by a colon and a TCP port number. Open
mail relays are designated by the word "relay" followed by a colon and
a TCP port number.

A detailed description of each of these may be found at
https://security.gblx.net/reports.html

NOTE: IPs identified as hosting botnet controllers, phishing websites,
or malware distribution sites (marked with BOTNETS, PHISHING, or
MALWAREURL respectively) may be null routed by Global Crossing
following a separately emailed notice. We will make every effort
to avoid taking action which will impact legitimate services on
your network, and we will now send notices of botnet controllers
within one hour of their detection.

This report is sent every day. If you would prefer a weekly report,
sent on Mondays, please contact us by replying to this email to
request it. We would prefer, however, that you receive and act upon
these reports daily.

Unless otherwise indicated, time stamps are in UTC (GMT).


36351 | 67.228.164.208 | 2008-10-08 12:12:37 http://www.arabswata.org/forums/archive/index.php/f-77.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:23:18 http://www.arabswata.org/forums/archive/index.php/t-80.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:25:32 http://www.arabswata.org/forums/archive/index.php/f-30.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:27:05 http://www.arabswata.org/forums/archive/index.php/f-64.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:44:28 http://www.arabswata.org/site/Papers/index.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:51:55 http://www.arabswata.org/forums/archive/index.php/f-16.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 13:08:16 http://www.arabswata.org/forums/archive/index.php/f-97.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 13:08:36 http://www.arabswata.org/forums/archive/index.php/f-67.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 13:12:02 http://www.arabswata.org/forums/archive/index.php/f-63.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 13:16:14 http://www.arabswata.org/forums/archive/index.php/f-80.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 13:21:57 http://www.arabswata.org/forums/archive/index.php/f-62.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 15:59:10 http://www.arabswata.org/forums/archive/index.php/f-77.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 16:08:39 http://www.arabswata.org/forums/archive/index.php/t-80.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 16:10:30 http://www.arabswata.org/forums/archive/index.php/f-3 

End of notification.

Thank you
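The notice above spells out its own line layout: ASN, IP, UTC timestamp, an optional URL, then either an activity tag or an open proxy (`s4:port` etc.) / open relay (`relay:port`) marker, then the AS name. As an added example, not code from the thread or from Global Crossing, the Python below parses such lines into triage records and flags the tags the notice says may lead to null-routing; the sample lines are constructed with documentation IPs and domain.

```python
import re

# Activity tags listed in the notice.
ACTIVITY_TAGS = {
    "BEAGLE", "BEAGLE3", "BLASTER", "BOTNETS", "BOTS", "BRUTEFORCE", "DAMEWARE", "DEFACEMENT",
    "DIPNET", "DNSBOTS", "MALWAREURL", "MYDOOM", "NACHI", "PHATBOT", "PHISHING", "ROUTERS",
    "SCAN445", "SCANNERS", "SINIT", "SLAMMER", "SPAM", "SPYBOT", "TOXBOT",
}
NULL_ROUTE_TAGS = {"BOTNETS", "PHISHING", "MALWAREURL"}  # may be null-routed per the notice
# Open proxy: two-character id, colon, TCP port. Open relay: "relay:<port>".
PROXY_RE = re.compile(r"^(s4|s5|wg|hc|ho|hu|fu):(\d{1,5})$")
RELAY_RE = re.compile(r"^relay:(\d{1,5})$")
# Entry layout: "<ASN> | <IP> | <UTC timestamp> [<url>] <tag> | <AS name>"
ENTRY_RE = re.compile(
    r"^(?P<asn>\d+)\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\|\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<url>https?://\S+)\s+)?(?P<tag>\S+)\s*\|\s*(?P<asname>.+)$"
)


def classify(tag: str) -> dict:
    """Map the tag field to a category the on-call engineer can act on."""
    if tag in ACTIVITY_TAGS:
        return {"category": "activity", "port": None}
    m = PROXY_RE.match(tag)
    if m:
        return {"category": "open_proxy", "port": int(m.group(2))}
    m = RELAY_RE.match(tag)
    if m:
        return {"category": "open_relay", "port": int(m.group(1))}
    return {"category": "unknown", "port": None}


def parse_report(text: str) -> list[dict]:
    """One dict per report entry; prose, blank and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e.update(classify(e["tag"]))
        e["null_route_risk"] = e["tag"] in NULL_ROUTE_TAGS
        entries.append(e)
    return entries


# Constructed sample in the notice's layout (documentation IPs and domain).
SAMPLE = """\
64496 | 192.0.2.10 | 2008-10-08 12:12:37 http://www.example.org/forums/f-77.html MALWAREURL | EXAMPLE - Example Hosting Inc.
64496 | 192.0.2.11 | 2008-10-08 12:40:00 s5:1080 | EXAMPLE - Example Hosting Inc.
64496 | 192.0.2.12 | 2008-10-08 13:05:09 relay:25 | EXAMPLE - Example Hosting Inc.
End of notification.
"""
```

Feeding the real notice to `parse_report` gives one record per line, so the entries for a single IP can be grouped and each URL checked on the host it points at.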
michofreiha

please check if your server is sending continuous requests to their server and abusing their network
check to see: tail -f /var/log/maillog : it will show you in real time when someone is trying to send email via your server

is your server an open relay??
bassam778 (ASKER)

Thank you fosiul01,
Please note that I am a beginner and I may not understand what you mean with an open relay server; should it be open, and how do I secure it?
Here is the result of tail -f /var/log/maillog :
Oct 13 13:54:57 arabs1 pop3d: LOGOUT, ip=[::ffff:127.0.0.1]
Oct 13 13:54:57 arabs1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: connection from localhost [127.0.0.1] at port 33284
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: setuid to root succeeded
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: processing message <GTUBE1.1010101@example.net> for root:99
Oct 13 13:54:57 arabs1 spamd[17006]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.arabs1.arabswata.org.17006 for /.spamassassin/auto-whitelist.lock: No such file or directory
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: identified spam (1000.0/5.0) for root:99 in 0.0 seconds, 834 bytes.
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: result: Y 999 - GTUBE,NO_RECEIVED,NO_RELAYS scantime=0.0,size=834,user=root,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=33284,mid=<GTUBE1.1010101@example.net>,autolearn=no,shortcircuit=no
Oct 13 13:54:57 arabs1 spamd[16992]: prefork: child states: II
 
Is your ISP Global Crossing? If so ring them and seek clarification. Otherwise it is a scam. Main thing is do not click any link in the email, or you will confirm your existence to the scammers.

Chris B
ok http://www.abuse.net/relay.html

type your domain name

it will tell you if your server is an open relay or not

let me know
Does this IP address 67.228.164.208 belong to your network, or was it allocated to you by your service provider? If yes, the message suggests that this IP is hosting some sites which are marked as malware (malicious software, etc.) hosting websites by the internet community.

On doing reverse domain lookup on this IP it seems there are approx. 17 domains hosted on this IP address.
Here are a few of them:

2527057.com
Almarwa.org
Arab-unity.net
& more

Please check if this IP address is used to host websites and if all websites hosted are legitimate. Check that the system is not compromised in any way.

Hope this helps a bit.
Dear smshah78,
Yes, this IP address 67.228.164.208 belongs to my server, and so does the list of 17 websites you got; they are hosted by me on this server. I use only one IP address for them all; I think there is no problem with that.
Is there any problem in the output of tail -f /var/log/maillog ?
 
have you checked your domain with this web site??
http://www.abuse.net/relay.html

and also, did you see any log in your maillog.log something like this

https://www.experts-exchange.com/questions/23725672/detecting-compromized-sendmail-server.html
Dear bassam778,

Sorry can't comment on maillog output.

I suggest speaking with Global Crossing to find out what exact URLs they are classifying as MALWAREURL and why. They might also be using a database as a reference for this classification. Try to find who manages this database; speaking to them might give more clues. At times it is just a case of incorrect classification. It may also be just a scam, as suggested by fellow expert burrcm.
Here is the result of mail relay testing in http://www.abuse.net/relay.html
Relay test result
Hmmn, at first glance, host appeared to accept a message for relay.
THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.
Some systems appear to accept relay mail, but then reject messages internally rather than delivering them, but you cannot tell at this point whether the message will be relayed or not.
If it is really an open relay, the test message will be delivered to you. If you do not receive the test message in your e-mail in the next few hours, it IS NOT an open relay.
ommmmmm

Here is the big big problem!!!

host appeared to accept a message for relay.

ok wait for this to come: "If it is really an open relay, the test message will be delivered to you. If you do not receive the test message in your e-mail in the next few hours, it IS NOT an open relay."
did you give them your email address to send you the report??
test your domain here as well,
http://www.mxtoolbox.com/diagnostic.aspx

and tell me what it's saying
Dear fosiul01,
WARNING! Your server could be an open relay.
!!!!
 
You can also check it from your side and see the result; just enter s1.arabswata.org in the mail server field to test.
Thank you
Dear smshah78,
It seems a good way to be sure if there is a problem, but can you help me please with how to speak with Global Crossing? I spoke with my ISP and asked them if they are Global Crossing; they are not, and they also don't know or understand my issue.
Thank you
yes, I have checked that one before

what mail server are you using??
Exim
ommmmm I could have helped you with sendmail, but I don't work with Exim,

you can open a new post "how to prevent an Exim server from being an open relay" and see what other people say
good luck,

you should fix this problem asap
Once you have your Open Relay issue resolved, you may still have another problem.
Your IP address may be blacklisted on any one of the many blocklists that are used to filter spam.

http://www.dmoz.org/Computers/Internet/E-mail/Spam/Blacklists/
ASKER CERTIFIED SOLUTION: smshah78