Solved

What do they mean with Malicious Activities in that warning?

Posted on 2008-10-13
765 Views
Last Modified: 2013-11-30
Hi,
What do they mean with Malicious Activities in that warning?
I received a notification for the primary owner of our Unix server (SoftLayer) that we are involved in malicious activities. In fact we are not!
We need to understand the meaning of these codes and what they refer to.
Is there any advice you can offer to sort out this problem?
What do they mean with Malicious Activities in this notification?:

Dear Customer,
The following is a list of IP addresses on your network which we have
good reason to believe may be compromised systems engaging in
malicious activity. Please investigate and take appropriate action to
stop any malicious activity you verify.

The following is a list of types of activity that may appear in this
report:
BEAGLE BEAGLE3 BLASTER BOTNETS BOTS BRUTEFORCE
DAMEWARE DEFACEMENT DIPNET DNSBOTS MALWAREURL MYDOOM
NACHI PHATBOT PHISHING ROUTERS SCAN445 SCANNERS
SINIT SLAMMER SPAM SPYBOT TOXBOT

Open proxies and open mail relays may also appear in this report.
Open proxies are designated by a two-character identifier (s4, s5, wg,
hc, ho, hu, or fu) followed by a colon and a TCP port number. Open
mail relays are designated by the word "relay" followed by a colon and
a TCP port number.

A detailed description of each of these may be found at
https://security.gblx.net/reports.html

NOTE: IPs identified as hosting botnet controllers, phishing websites,
or malware distribution sites (marked with BOTNETS, PHISHING, or
MALWAREURL respectively) may be null routed by Global Crossing
following a separately emailed notice. We will make every effort
to avoid taking action which will impact legitimate services on
your network, and we will now send notices of botnet controllers
within one hour of their detection.

This report is sent every day. If you would prefer a weekly report,
sent on Mondays, please contact us by replying to this email to
request it. We would prefer, however, that you receive and act upon
these reports daily.

Unless otherwise indicated, time stamps are in UTC (GMT).


36351 | 67.228.164.208 | 2008-10-08 12:12:37 http://www.arabswata.org/forums/archive/index.php/f-77.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:23:18 http://www.arabswata.org/forums/archive/index.php/t-80.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:25:32 http://www.arabswata.org/forums/archive/index.php/f-30.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:27:05 http://www.arabswata.org/forums/archive/index.php/f-64.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:44:28 http://www.arabswata.org/site/Papers/index.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:51:55 http://www.arabswata.org/forums/archive/index.php/f-16.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 13:08:16 http://www.arabswata.org/forums/archive/index.php/f-97.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 13:08:36 http://www.arabswata.org/forums/archive/index.php/f-67.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 13:12:02 http://www.arabswata.org/forums/archive/index.php/f-63.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 13:16:14 http://www.arabswata.org/forums/archive/index.php/f-80.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 13:21:57 http://www.arabswata.org/forums/archive/index.php/f-62.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 15:59:10 http://www.arabswata.org/forums/archive/index.php/f-77.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 16:08:39 http://www.arabswata.org/forums/archive/index.php/t-80.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 16:10:30 http://www.arabswata.org/forums/archive/index.php/f-3

End of notification.

Thank you
Question by:bassam778
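The record lines at the bottom of the notice share one layout (ASN, IP, timestamp, the offending URL or designator, the activity tag, and the AS name). As an added example, not code from the thread or from Global Crossing, the following Python parser turns those lines into structured records so the owner can see which IPs and tags are involved, which hostnames (virtual hosts) the URLs point at, which IPs fall under the null-route warning, and whether any line was cut off, as the last line of the quoted mail was. The layout is inferred from the lines shown; open-proxy and relay records (for example `s5:1080` or `relay:25`) are assumed to use the same columns with the designator in the tag position, since the notice describes the designator but shows no such line. The 192.0.2.x addresses and ASN 64496 in the sample are constructed documentation values.

```python
"""Triage parser for the record lines in an abuse notice of the kind quoted
above (Global Crossing format):

    ASN | IP | YYYY-MM-DD HH:MM:SS <detail> <TAG> | AS name

Added example; not code from the thread or from Global Crossing."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Tags that the notice says may lead to null routing after a separate email.
NULL_ROUTE_TAGS = {"BOTNETS", "PHISHING", "MALWAREURL"}
# Open-proxy designators listed in the notice, plus "relay" for open mail relays.
PROXY_PREFIXES = ("s4", "s5", "wg", "hc", "ho", "hu", "fu", "relay")

RECORD_RE = re.compile(
    r"^\s*(?P<asn>\d+)\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\|\s*"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?P<rest>[^|]*)\|\s*(?P<as_name>.+?)\s*$"
)


def parse_record(line):
    """Return a dict for one record line, or None if the line is not a complete record
    (e.g. the last line of the quoted mail, which was cut off before the AS name)."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    if not tokens:
        return None
    tag, detail = tokens[-1], " ".join(tokens[:-1]) or None
    rec = {"asn": int(m.group("asn")), "ip": m.group("ip"), "ts": m.group("ts"),
           "tag": tag, "detail": detail, "port": None, "as_name": m.group("as_name")}
    # Assumption: proxy/relay records carry the designator (e.g. "s5:1080", "relay:25")
    # in the tag position; the notice describes the designator but shows no such line.
    prefix, sep, port = tag.partition(":")
    if sep and prefix in PROXY_PREFIXES and port.isdigit():
        rec["tag"] = "RELAY" if prefix == "relay" else "PROXY-" + prefix
        rec["port"] = int(port)
    return rec


def summarize(report_text):
    """Parse every record line of a notice and aggregate what an owner needs to act on."""
    records, skipped = [], 0
    for line in report_text.splitlines():
        if not re.match(r"\s*\d+\s*\|", line):
            continue                      # prose of the notice, not a record
        rec = parse_record(line)
        if rec is None:
            skipped += 1                  # truncated/unparseable record: re-request the report
            continue
        records.append(rec)
    by_ip_tag = defaultdict(int)
    hosts = defaultdict(set)
    for r in records:
        by_ip_tag[(r["ip"], r["tag"])] += 1
        if r["detail"] and r["detail"].startswith(("http://", "https://")):
            hosts[r["ip"]].add(urlsplit(r["detail"]).hostname)   # which vhost to inspect
    return {
        "records": records,
        "skipped": skipped,
        "by_ip_tag": dict(by_ip_tag),
        "hosts": {ip: sorted(h) for ip, h in hosts.items()},
        "null_route_risk": sorted({r["ip"] for r in records if r["tag"] in NULL_ROUTE_TAGS}),
    }


# Sample input: three lines copied from the notice in the question, one truncated line
# as it appears at the end of the quoted mail, and two constructed proxy/relay lines on
# documentation addresses (192.0.2.0/24, AS64496) to exercise the designator handling.
SAMPLE_REPORT = """\
36351 | 67.228.164.208 | 2008-10-08 12:12:37 http://www.arabswata.org/forums/archive/index.php/f-77.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:23:18 http://www.arabswata.org/forums/archive/index.php/t-80.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 12:44:28 http://www.arabswata.org/site/Papers/index.html MALWAREURL | SOFTLAYER - SoftLayer Technologies Inc.
36351 | 67.228.164.208 | 2008-10-08 16:10:30 http://www.arabswata.org/forums/archive/index.php/f-3
64496 | 192.0.2.10 | 2008-10-08 13:00:00 s5:1080 | EXAMPLE-AS (constructed)
64496 | 192.0.2.11 | 2008-10-08 13:05:00 relay:25 | EXAMPLE-AS (constructed)
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for (ip, tag), n in sorted(s["by_ip_tag"].items()):
        print(f"{ip:16} {tag:12} {n} record(s)  hosts={s['hosts'].get(ip, [])}")
    print("skipped (truncated) lines:", s["skipped"])
    print("IPs at risk of null routing:", s["null_route_risk"])
```

The `hosts` map is the useful output for a shared-hosting box like the one in the question: with 17 sites on one address, it narrows the investigation to the virtual host whose pages were flagged rather than the whole server.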
LVL 9

Expert Comment

by:michofreiha
ID: 22701376
Please check if your server is sending continuous requests to their server and abusing their network.
LVL 29

Expert Comment

by:fosiul01
ID: 22701384
Check to see: tail -f /var/log/maillog : it will show you in real time when someone is trying to send email via your server.

Is your server an open relay?
Author Comment

by:bassam778
ID: 22701439
Thank you fosiul01,
Please note that I am a beginner and I may not understand what you mean by an open relay server. Should it be open? And how do I secure it?
Here is the result of tail -f /var/log/maillog:
Oct 13 13:54:57 arabs1 pop3d: LOGOUT, ip=[::ffff:127.0.0.1]
Oct 13 13:54:57 arabs1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: connection from localhost [127.0.0.1] at port 33284
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: setuid to root succeeded
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: processing message <GTUBE1.1010101@example.net> for root:99
Oct 13 13:54:57 arabs1 spamd[17006]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.arabs1.arabswata.org.17006 for /.spamassassin/auto-whitelist.lock: No such file or directory
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: identified spam (1000.0/5.0) for root:99 in 0.0 seconds, 834 bytes.
Oct 13 13:54:57 arabs1 spamd[17006]: spamd: result: Y 999 - GTUBE,NO_RECEIVED,NO_RELAYS scantime=0.0,size=834,user=root,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=33284,mid=<GTUBE1.1010101@example.net>,autolearn=no,shortcircuit=no
Oct 13 13:54:57 arabs1 spamd[16992]: prefork: child states: II
 
LVL 28

Expert Comment

by:burrcm
ID: 22701440
Is your ISP Global Crossing? If so ring them and seek clarification. Otherwise it is a scam. Main thing is do not click any link in the email, or you will confirm your existence to the scammers.

Chris B
LVL 29

Expert Comment

by:fosiul01
ID: 22701475
OK: http://www.abuse.net/relay.html

Type your domain name.

It will tell you if your server is an open relay or not.

Let me know.
LVL 1

Expert Comment

by:smshah78
ID: 22701486
Does this IP address 67.228.164.208 belong to your network, or was it allocated to you by your service provider? If yes, the message suggests that this IP is hosting some sites which are marked as malware (malicious software, etc.) hosting websites by the internet community.

On doing reverse domain lookup on this IP it seems there are approx. 17 domains hosted on this IP address.
Here are a few of them:

2527057.com
Almarwa.org
Arab-unity.net
& more

Please check if this IP address is used to host websites and if all websites hosted are legitimate. Check that the system is not compromised in any way.

Hope this helps a bit.
Author Comment

by:bassam778
ID: 22701586
Dear smshah78,
Yes, this IP address 67.228.164.208 belongs to my server, and so does the list of 17 websites you got; they are hosted by me on this server. I use only one IP address for them all; I think there is no problem with that.
Is there any problem in the output of tail -f /var/log/maillog?
 
LVL 29

Expert Comment

by:fosiul01
ID: 22701717
Have you checked your domain with this web site?
http://www.abuse.net/relay.html

And also, did you see any log in your maillog something like this:

http://www.experts-exchange.com/OS/Linux/Q_23725672.html
LVL 1

Expert Comment

by:smshah78
ID: 22701797
Dear bassam778,

Sorry can't comment on maillog output.

I suggest speaking with Global Crossing to find out what exact URLs they are classifying as MALWAREURL and why. They might also be using a database as a reference for this classification. Try to find who manages this database; speaking to them might give more clues. At times it is just a case of incorrect classification. It may also just be a scam, as suggested by fellow expert burrcm.
Author Comment

by:bassam778
ID: 22701805
Here is the result of the mail relay test at http://www.abuse.net/relay.html:
Relay test result
Hmmn, at first glance, host appeared to accept a message for relay.
THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.
Some systems appear to accept relay mail, but then reject messages internally rather than delivering them, but you cannot tell at this point whether the message will be relayed or not.
If it is really an open relay, the test message will be delivered to you. If you do not receive the test message in your e-mail in the next few hours, it IS NOT an open relay.
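The abuse.net result above describes the first half of a relay test: the checker offers the server an outside sender and an outside recipient and records whether RCPT TO is accepted, then relies on an actual delivery to settle the question. As an added example, not abuse.net's or mxtoolbox's code, the Python below runs the same dialogue against a mail server you operate (in this thread, s1.arabswata.org), stopping before DATA so no message is ever submitted, and classifies the RCPT reply in the same terms the page uses. The `relay_probe` and `classify_rcpt` functions are assumed names, the example.com/example.net addresses are reserved documentation domains that never receive mail, and `_fake_smtp_server` is a constructed stand-in that lets the exchange run offline with both a relaying and a non-relaying server.

```python
"""Open-relay self-check of the kind the abuse.net page quoted above performs.
Added example; not abuse.net's or mxtoolbox's code. It talks SMTP to a mail server
you operate, offers an outside sender and an outside recipient, and stops before
DATA, so no message is ever submitted. A 2xx reply to RCPT TO is only 'appeared
to accept' in the abuse.net sense; whether a test message is actually delivered
is what settles it."""
import smtplib
import socket
import sys
import threading

# Hypothetical addresses on reserved example domains; they never receive mail.
PROBE_SENDER = "relaytest@example.com"
PROBE_RECIPIENT = "relaytest@example.net"


def classify_rcpt(code):
    """Turn the RCPT TO reply code into a verdict in the terms the abuse.net result uses."""
    if 200 <= code < 300:
        return "appeared-to-accept"   # possible open relay: confirm by whether mail is delivered
    if 400 <= code < 500:
        return "inconclusive"         # greylisting or temporary failure: retry later
    if 500 <= code < 600:
        return "rejected"             # relay refused at RCPT time: the answer you want
    return "unexpected"


def relay_probe(host, port=25, sender=PROBE_SENDER, recipient=PROBE_RECIPIENT, timeout=15):
    """EHLO, MAIL FROM <outside>, RCPT TO <outside>, then RSET and QUIT (never DATA)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, reply = smtp.mail(sender)
        if code != 250:
            # Some servers already refuse the foreign sender; that is not an open relay.
            return {"stage": "MAIL FROM", "code": code,
                    "reply": reply.decode(errors="replace"), "verdict": "rejected"}
        code, reply = smtp.rcpt(recipient)
        smtp.rset()                   # abandon the transaction before any DATA
        return {"stage": "RCPT TO", "code": code,
                "reply": reply.decode(errors="replace"), "verdict": classify_rcpt(code)}


def _fake_smtp_server(relays):
    """Constructed stand-in SMTP server for offline testing: answers like a server that
    either relays for anyone or refuses foreign recipients. Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        f = conn.makefile("rb")
        conn.sendall(b"220 fake.invalid ESMTP\r\n")
        for raw in f:
            words = raw.split()
            cmd = words[0].upper() if words else b""
            if cmd == b"RCPT":
                conn.sendall(b"250 OK\r\n" if relays else b"550 relay not permitted\r\n")
            elif cmd == b"QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"250 OK\r\n")   # EHLO, MAIL FROM, RSET
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Usage: python relay_probe.py s1.arabswata.org   (a server you operate)
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    result = relay_probe(target)
    print(f"{result['stage']} -> {result['code']} {result['reply']}: {result['verdict']}")
```

Read "appeared-to-accept" exactly as the abuse.net text does: some servers say 250 at RCPT and drop the message later, so only a delivered test message proves relaying. For Exim, the server named later in the thread, this decision is made in the RCPT-time ACL (acl_smtp_rcpt); a 550 "relay not permitted" from that ACL is the reply you want to see from outside your own networks.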
LVL 29

Expert Comment

by:fosiul01
ID: 22701832
ommmmmm

Here is the big big problem!!!

host appeared to accept a message for relay.

ok wait for this to come " If it is really an open relay, the test message will be delivered to you. If you do not receive the test message in your e-mail in the next few hours, it IS NOT an open relay."
Did you give them your email address to send you the report?
LVL 29

Expert Comment

by:fosiul01
ID: 22701836
Test your domain here as well:
http://www.mxtoolbox.com/diagnostic.aspx

and tell me what it's saying.
Author Comment

by:bassam778
ID: 22701928
Dear fosiul01,
WARNING! Your server could be an open relay.
!!!!
 
You can also check it from your side and see the result; just enter s1.arabswata.org in the mail server field to test.
Thank you
Author Comment

by:bassam778
ID: 22701954
Dear smshah78,
It seems a good way to be sure if there is a problem, but can you help me please with how to speak with Global Crossing? I spoke with my ISP and asked them if they are Global Crossing; they are not, and also they don't know or understand my issue.
Thank you
LVL 29

Expert Comment

by:fosiul01
ID: 22701968
Yes, I have checked that one before.

What mail server are you using?
Author Comment

by:bassam778
ID: 22702032
What mail server are you using?
Exim
LVL 29

Expert Comment

by:fosiul01
ID: 22702079
Ommmmm, I could have helped you with sendmail, but I don't work with Exim.

You can open a new post "How to prevent Exim server from open relay" and see what other people say.
Good luck,

You should fix this problem ASAP.
LVL 17

Expert Comment

by:owensleftfoot
ID: 22702400
LVL 13

Expert Comment

by:kdearing
ID: 22702628
Once you have your Open Relay issue resolved, you may still have another problem.
Your IP address may be blacklisted on any one of the many blocklists that are used to filter spam.

http://www.dmoz.org/Computers/Internet/E-mail/Spam/Blacklists/
LVL 1

Accepted Solution

by:
smshah78 earned 250 total points
ID: 22708756
Hello bassam778,

Global Crossing can be contacted via following email: security@gblx.net

Phone details can be found on page below:
https://security.gblx.net/incident.html

Looking at the email you have received following is my interpretation:

IP 67.228.164.208 has been found to host some website which, as per Global Crossing, is involved in distributing MALWARE (malicious software; see https://security.gblx.net/reports.html), and the potential site (out of the 17 that you are hosting on this IP address) is http://www.arabswata.org/

As per Global Crossing, IPs identified as hosting botnet controllers, phishing websites, or malware distribution sites (marked with BOTNETS, PHISHING, or MALWAREURL respectively) may be null routed by Global Crossing following a separately emailed notice (THIS is the notice that you have received via email). This means that your IP "might" have been null routed by Global Crossing meaning some portion of Internet using GlbX as their ISP might not be able to use your websites. You can contact them and find out why they classified your site as MALWAREURL and if they can remove null routing for your IP Address.