The Community Forums

Email issue .. Did I get rooted?

Discussion in 'E-mail Discussions' started by Gregd, Sep 16, 2004.

  1. Gregd (Registered; joined Oct 18, 2003)
    Here is the email .. I'm getting thousands of them in the queue

    1C7wSw-0002gr-G5-H
    mailnull 47 12
    <>
    1095341906 0
    -ident mailnull
    -received_protocol local
    -body_linecount 49
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1095342577
    -localerror
    XX
    1
    mail_999@hanmail.net

    156P Received: from mailnull by florida.vikingstudios.com with local (Exim 4.42)
    id 1C7wSw-0002gr-G5
    for mail_999@hanmail.net; Thu, 16 Sep 2004 09:38:26 -0400
    044 X-Failed-Recipients: jelove0913@hanmail.net
    031 Auto-Submitted: auto-generated
    069F From: Mail Delivery System <Mailer-Daemon@florida.vikingstudios.com>
    025T To: mail_999@hanmail.net
    059 Subject: Mail delivery failed: returning message to sender
    058I Message-Id: <E1C7wSw-0002gr-G5@florida.vikingstudios.com>
    038 Date: Thu, 16 Sep 2004 09:38:26 -0400


    1C7wSw-0002gr-G5-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    jelove0913@hanmail.net
    SMTP error from remote mailer after MAIL FROM:<mail_999@hanmail.net> SIZE=4040:
    host mx3.hanmail.net [211.43.197.9]: 550 5.7.1 <mail_999@hanmail.net>... Sorry,access denied(66.199.252.42).Your mail server sent too many e-mails to us(1205).Spammer may abuse your mail server for mail relay.If you are not the system administrator,inform this message to your system administrator.

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <mail_999@hanmail.net>
    Received: from [220.121.52.207] (helo=user)
    by florida.vikingstudios.com with esmtp (Exim 4.42)
    id 1C7vDq-0008E6-PM
    for jelove0913@hanmail.net; Thu, 16 Sep 2004 08:18:47 -0400
    From: mail_999@hanmail.net
    Subject: =?EUC-KR?B?tKmxuLOqILTrw+KwobTJISC52bfOIL3Fw7vHz7y8v+Q=?=
    To: jelove0913@hanmail.net
    Content-Type: multipart/alternative;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf";
    charset="DEFAULT"
    MIME-Version: 1.0
    Content-Transfer-Encoding: quoted-printable
    Sender: mail_999@hanmail.net
    Reply-To: mail_999@hanmail.net
    Date: Thu, 16 Sep 2004 21:19:17 +0900
    X-Priority: 3
    X-Library: Indy 9.00.10
    X-Mailer:Dynamailer V 8.0
    X-MimeOLE:Produced By Mircosoft MimeOLE V6.00.2600.0000
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

    This is a multi-part message in MIME format

    --=_NextPart_2rfkindysadvnqw3nerasdf
    Content-Type: text/plain
    Content-Transfer-Encoding: quoted-printable
    charset="DEFAULT"


    --=_NextPart_2rfkindysadvnqw3nerasdf
    Content-Type: text/html
    Content-Transfer-Encoding: 7bit
    charset="DEFAULT"

    <!-- 2004-09-16 PM 9:19:16 -->
    <html>
    <head>
    <title>Salaried worker loan application mail</title>
    <style>
    <!-- A:link { text-decoration: none;} A:visited {text-decoration: none;} a:hover {text-decoration: underline} font { font-size: 10pt; }-->
    </style>
    <style type="text/css">
    <!--
    .font { font-size: 9pt; font-style: normal; line-height: 12pt; color:"#666666"}
    .font2 { font-size: 9pt; font-style: normal; line-height: 12pt; color:#000000; text-decoration: none}
    .font3 { font-size: 9pt; font-style: normal; line-height: 12pt; color:#50C81F; text-decoration: none}
    .tbox { Background-color:white; Border:1x SOLID #B2B2B2;font-size: 9pt;font- face:'arial';color:'#666666'}
    td {font-size:9pt;font-family:Dotum,arial;color:"#666666"}
    Body {font-size:9pt;font-family:Dotum,arial;color:"#666666"}
    .t1{border:1px solid #c0c0c0;}
    .t2{border:1px solid #60B830;}
    -->
    </style>
    </HEAD>
    <body background='http://www.loancs.co.kr/mail/1/img/bg.gif' leftmargin='0' topmargin='0' marginwidth='0' marginheight='0'>
    <centeR>
    <table width="600" border="0" cellspacing="0" cellpadding="0">
    <tr>
    <td bgcolor='#FFFFFF'><a href="http://www.loancs.co.kr/Register/openwin.asp?code=syahoo1" target="_blank"><img src="http://www.loancs.co.kr/mail/1/img/img.gif" width="600" height="650"></td>
    </tr>
    <tr>
    <td bgcolor="#CCCCCC" align="center">
    <br>
    (translated from Korean) Unsubscribe: if you click the <b><a href="javascript:winopen()"><font color="#FFFFFF">[Deny]</font></a></b> button, your unsubscribe request will be processed.<br>
    (translated from Korean) If you send us your e-mail address, no further advertising mail will be sent.<br>
    <br>
    If you don't want to receive this mail anymore, click here <b><a href="javascript:winopen()"><font color="#FFFFFF">[Deny]</font></a></b><br>
    Enter your email address if you do not want to receive this mail <br>
    <br>
    </td>
    </tr>
    </table>
    </centeR>
    </HTML>

    --=_NextPart_2rfkindysadvnqw3nerasdf--
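What the bounce above actually records, as an added example (this is my code, not anything from the post or from cPanel): the copy of the original message carries exactly one Received: hop, and that hop says the spam arrived over plain esmtp from 220.121.52.207 (HELO "user") addressed to an external hanmail.net recipient, which the server then accepted and tried to deliver onward. That is a relay, not mail generated on the box: a local script or cron job would show "with local", and a web script talking SMTP to localhost would show from [127.0.0.1]. Whether the relay was an open relay, a relay-allowed host list such as pop-before-smtp, or an abused account is the next question; Exim tags authenticated sessions as esmtpa/esmtpsa, so the protocol word answers part of it. The remote MX's 550 text also carries its own count of how many messages it had already seen from this server. The script parses the "copy of the message" block from a bounce the way you would over a whole spool directory, classifies the entry hop, and pulls the count out of the rejection. The verdict labels, the set of local domains, and the sample text (copied from the post) are this example's assumptions.

```python
import re
from email import message_from_string

# Constructed sample: the header block of the relayed message, copied from the
# bounce quoted in the post above (body omitted; continuation lines indented).
SAMPLE_BOUNCE_COPY = """\
Return-path: <mail_999@hanmail.net>
Received: from [220.121.52.207] (helo=user)
    by florida.vikingstudios.com with esmtp (Exim 4.42)
    id 1C7vDq-0008E6-PM
    for jelove0913@hanmail.net; Thu, 16 Sep 2004 08:18:47 -0400
From: mail_999@hanmail.net
Subject: =?EUC-KR?B?tKmxuLOqILTrw+KwobTJISC52bfOIL3Fw7vHz7y8v+Q=?=
To: jelove0913@hanmail.net
Sender: mail_999@hanmail.net
X-Mailer: Dynamailer V 8.0

"""

# The remote MX's rejection, as quoted in the bounce (constructed copy).
SAMPLE_REMOTE_ERROR = (
    "host mx3.hanmail.net [211.43.197.9]: 550 5.7.1 <mail_999@hanmail.net>... "
    "Sorry,access denied(66.199.252.42).Your mail server sent too many e-mails to us(1205)."
    "Spammer may abuse your mail server for mail relay."
)

# Exim's Received: clause layout: "from <source> by <host> with <protocol> ... for <rcpt>;"
RECEIVED_RE = re.compile(
    r"from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)"
    r"(?:.*?\s+for\s+(?P<rcpt>[^\s;]+))?",
    re.S,
)
REMOTE_ERR_RE = re.compile(
    r"host\s+(?P<host>\S+)\s+\[(?P<ip>[\d.]+)\]:\s*(?P<code>\d{3})\s+(?P<text>.*)"
)
COUNT_RE = re.compile(r"too many e-mails to us\((\d+)\)")


def parse_received(value):
    """Pull source IP, HELO, protocol and envelope recipient out of one Received: header."""
    flat = " ".join(value.split())          # undo header folding
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    src = m.group("src")
    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", src)
    helo = re.search(r"helo=([^)\s]+)", src)
    proto = m.group("proto").lower()
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "by": m.group("by"),
        "protocol": proto,
        # Exim tags authenticated SMTP sessions as esmtpa / esmtpsa.
        "authenticated": proto.startswith(("smtp", "esmtp")) and proto.endswith("a"),
        "for": m.group("rcpt"),
    }


def classify_hop(hop, local_domains, local_ips=("127.0.0.1", "::1")):
    """Label how the message got into this server (labels are this example's own)."""
    if hop["protocol"] == "local":
        return "local-submission"           # generated on the box: script, cron, compromised account
    if hop["ip"] in local_ips:
        return "loopback-submission"        # e.g. a web script talking SMTP to localhost
    rcpt_domain = (hop["for"] or "").rsplit("@", 1)[-1].lower()
    if rcpt_domain and rcpt_domain not in {d.lower() for d in local_domains}:
        # Outside host handing us mail for an outside domain: we are relaying for it.
        return "authenticated-relay" if hop["authenticated"] else "unauthenticated-relay"
    return "inbound-delivery"


def parse_remote_error(line):
    """Extract remote MX, reply code and (if present) the 'too many e-mails' counter."""
    m = REMOTE_ERR_RE.search(line)
    if not m:
        return None
    count = COUNT_RE.search(m.group("text"))
    return {
        "host": m.group("host"),
        "ip": m.group("ip"),
        "code": int(m.group("code")),
        "count": int(count.group(1)) if count else None,
    }


def triage_bounce(copy_text, local_domains):
    """Given the 'copy of the message' block from an Exim bounce, find the entry hop and classify it."""
    msg = message_from_string(copy_text)
    # Received: headers are prepended as mail moves; the bottom-most one is the entry hop.
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    entry = hops[-1] if hops else None
    return {
        "return_path": (msg.get("Return-path") or "").strip("<> "),
        "hops": hops,
        "entry_hop": entry,
        "verdict": classify_hop(entry, local_domains) if entry else "no-received-header",
    }


if __name__ == "__main__":
    result = triage_bounce(SAMPLE_BOUNCE_COPY, {"vikingstudios.com", "florida.vikingstudios.com"})
    print(result["entry_hop"], result["verdict"])
    print(parse_remote_error(SAMPLE_REMOTE_ERROR))
```

Run it over the -D files of the frozen bounces in the spool and group by entry-hop IP and protocol: one outside IP and "esmtp" everywhere points at relaying from that host, "esmtpa" points at a stolen mailbox password, and "local" or a loopback source points at something running on the server itself, which is the case where the rootkit question becomes urgent.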
     
  2. GOT (Get Proactive!; joined Apr 8, 2003; Norfolk, VA; cPanel Access Level: DataCenter Provider)
    There is something new afoot about this. Got this in one of the security email lists:

    Try lsof to see what processes are tied to what open ports. Do you have any backups,
    or an integrity database (aide/tripwire) of the files from before putting this mail
    server into production?
    If you can not take the system offline, then you should try a live system
    investigation. SecurityFocus has a couple of step by step walkthroughs for working
    with a live unix/linux system.
    Shirkdog
    -----Original Message-----
    From: hiltond@hotpop.com [mailto:hiltond@hotpop.com]
    Sent: Tuesday, September 14, 2004 8:23 PM
    To: incidents@securityfocus.com
    Subject: suspicious activities...
    Importance: Low
    Hi All,

    I had this really strange occurrence the other night...

    Please find the course of events detailed below :

    We had just migrated a client's email (MX) to a new server and as soon as we
    switched the MX over the server received thousands of spam emails from
    a domain called hanmail.net (or something like that). Since I was in the
    process of putting the finishing touches on the server I had not introduced
    any anti-relay measures (not that anti-relay should have been an
    afterthought), so the emails were successfully relayed to other hosts for about
    a minute (just until I could re-configure sophos to block that IP from
    relaying).



    A bit later on I ran chkrootkit and got this message :

    (just for reference zzz.yyy.xxx.www is my ip and www.xxx.yyy.zzz is the mail
    server.)


    xyzhost:~# chkrootkit -q

    You have 2 process hidden for readdir command
    You have 2 process hidden for ps command
    Warning: Possible LKM Trojan installed
    eth0 is not promisc

    so I was like "AAARRRGGGHHH!!!" I then ran :

    xyzhost:~# w
    20:38:51 up 59 min, 3 users, load average: 0.07, 0.02, 0.00
    USER   TTY    FROM             LOGIN@  IDLE    JCPU   PCPU   WHAT
    root   pts/0  zzz.yyy.xxx.www  19:40   1:18    0.13s  0.00s  tail -f /var/log/mail/mail.log
    root   pts/1  zzz.yyy.xxx.www  20:06   46.00s  0.28s  0.18s  watch -n 1 mailq
    root   pts/2  zzz.yyy.xxx.www  20:38   0.00s   0.02s  0.01s  w
    I ran chkrootkit again and got this message...
    xyzhost:~# chkrootkit -q
    warning, got bogus tcp line.
    eth0 is not promisc
    Then I ran it again and got nothing...???:

    xyzhost:~# chkrootkit -q
    eth0 is not promisc

    xyzhost:~# chkrootkit -q
    eth0 is not promisc



    --------------------------------------

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address        State
    tcp        0      0 0.0.0.0:110             0.0.0.0:*              LISTEN
    tcp        0      0 0.0.0.0:143             0.0.0.0:*              LISTEN
    tcp        0      0 0.0.0.0:80              0.0.0.0:*              LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN
    tcp        0      0 www.xxx.yyy.zzz:25      0.0.0.0:*              LISTEN
    tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3616   ESTABLISHED
    tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3489   ESTABLISHED
    tcp        0      0 www.xxx.yyy.zzz:22      zzz.yyy.xxx.www:3735   ESTABLISHED
    tcp        1      0 www.xxx.yyy.zzz:33337   211.43.197.159:25      CLOSE_WAIT
    tcp        0      0 www.xxx.yyy.zzz:33414   203.231.231.41:25      ESTABLISHED
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags   Type    State      I-Node Path
    unix  2      [ ACC ] STREAM  LISTENING  15838  /var/run/mmsmtp.control
    unix  2      [ ACC ] STREAM  LISTENING  221    /var/run/courier/authdaemon/socket.tmp
    unix  7      [ ]     DGRAM              155    /dev/log
    unix  2      [ ]     DGRAM              299
    unix  2      [ ]     DGRAM              253
    unix  2      [ ]     DGRAM              245
    unix  2      [ ]     DGRAM              220
    unix  2      [ ]     DGRAM              198
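The two chkrootkit lines in the quoted list message ("process hidden for readdir command" / "process hidden for ps command") come from its chkproc check, which enumerates PIDs more than one way and compares the answers: readdir() on /proc, probing the whole PID range directly with kill(pid, 0), and the output of ps. A PID that answers kill() but is missing from the /proc listing is hidden from readdir; one that is listed in /proc but absent from ps is hidden from ps. The script below is an added example of that comparison in Python (mine, not chkrootkit's code), with the two usual false-positive sources handled: non-leader threads, which answer kill() and have a /proc/<tid>/status but are never listed by readdir(/proc), and processes that start or exit between the snapshots. Counts that show up once and vanish on the next run, as in the quoted post, are what that race looks like on a busy mail server, which is why you rerun rather than trust a single pass. The caveat the reply already makes applies in full: with an LKM rootkit every one of these checks goes through the same kernel, so a clean result proves little; compare against an offline boot or the package manager's file lists. Assumed: Linux procfs, running as root (a /proc mounted with hidepid= hides other users' PIDs from readdir and would produce false positives), and a ps binary on PATH.

```python
import os
import subprocess

PROC = "/proc"


def has_procfs():
    """Linux procfs present? (Everything below assumes it.)"""
    return os.path.isdir(os.path.join(PROC, "self"))


def current_pid():
    return os.getpid()


def pid_max():
    """Upper bound of the PID space, so the kill() sweep covers every possible PID."""
    try:
        with open(os.path.join(PROC, "sys", "kernel", "pid_max")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768        # assumption: old kernel default when the sysctl cannot be read


def pids_from_readdir():
    """PIDs as listed by readdir() on /proc: what ls, ps and most tools start from."""
    return {int(n) for n in os.listdir(PROC) if n.isdigit()}


def alive(pid):
    """kill(pid, 0) sends nothing but tells us whether the PID exists."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True         # exists, just not ours to signal
    except ProcessLookupError:
        return False


def pids_from_kill(limit=None):
    """PIDs found by probing the whole PID space with kill(pid, 0), bypassing readdir."""
    return {pid for pid in range(1, (limit or pid_max()) + 1) if alive(pid)}


def pids_from_ps():
    """PIDs that the ps binary reports; None when ps is unavailable."""
    try:
        out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=False)
    except OSError:
        return None
    return {int(t) for t in out.stdout.split() if t.isdigit()}


def is_thread(pid):
    """Non-leader threads answer kill() and have /proc/<tid>/status, but are never
    listed by readdir(/proc); their Tgid differs from their own id."""
    try:
        with open(f"{PROC}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except (OSError, ValueError):
        pass
    return False


def audit(limit=None):
    """Cross-check the three PID sources the way chkrootkit's chkproc does."""
    if not has_procfs():
        return {"self": current_pid(), "readdir": set(), "kill": set(), "ps": None,
                "hidden_from_readdir": set(), "hidden_from_ps": set()}
    readdir = pids_from_readdir()
    kill = pids_from_kill(limit)
    ps = pids_from_ps()
    readdir_again = pids_from_readdir()     # second snapshot to settle races

    # Answers kill() but not listed by readdir: hidden, unless it is a thread
    # or a short-lived process that came and went between the snapshots.
    hidden_from_readdir = {
        pid for pid in kill - readdir
        if pid not in readdir_again and alive(pid) and not is_thread(pid)
    }
    # Listed by readdir but absent from ps output: hidden from ps (or ps is trojaned),
    # unless it simply exited before ps ran.
    hidden_from_ps = set()
    if ps is not None:
        hidden_from_ps = {
            pid for pid in readdir - ps
            if pid in readdir_again and alive(pid)
        }
    return {"self": current_pid(), "readdir": readdir, "kill": kill, "ps": ps,
            "hidden_from_readdir": hidden_from_readdir, "hidden_from_ps": hidden_from_ps}


if __name__ == "__main__":
    r = audit()
    print(f"readdir={len(r['readdir'])} kill={len(r['kill'])} "
          f"ps={'n/a' if r['ps'] is None else len(r['ps'])}")
    for pid in sorted(r["hidden_from_readdir"]):
        print(f"You have a process hidden for readdir: {pid}")
    for pid in sorted(r["hidden_from_ps"]):
        print(f"You have a process hidden for ps: {pid}")
```

A PID that is reported here on two consecutive runs is worth reading out by hand (cat /proc/<pid>/cmdline, ls -l /proc/<pid>/exe, /proc/<pid>/fd) before anything on the box is restarted, since a stop will destroy the evidence the reply is asking for.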
     
  3. Gregd (Registered; joined Oct 18, 2003)
    I installed and ran chkrootkit with no errors, but then I ran rkhunter and here is the output:
    * System tools
    Info: prelinked files found
    Performing 'known good' check...
    /usr/sbin/prelink: /sbin/depmod: at least one of file's dependencies has changed since prelinking
    /sbin/depmod [ BAD ]
    /usr/sbin/prelink: /sbin/init: at least one of file's dependencies has changed since prelinking
    /sbin/init [ BAD ]
    /usr/sbin/prelink: /sbin/insmod: at least one of file's dependencies has changed since prelinking
    /sbin/insmod [ BAD ]
    /usr/sbin/prelink: /sbin/ip: at least one of file's dependencies has changed since prelinking
    /sbin/ip [ BAD ]
    /usr/sbin/prelink: /sbin/ksyms: at least one of file's dependencies has changed since prelinking
    /sbin/ksyms [ BAD ]
    /usr/sbin/prelink: /sbin/lsmod: at least one of file's dependencies has changed since prelinking
    /sbin/lsmod [ BAD ]
    /usr/sbin/prelink: /sbin/modinfo: at least one of file's dependencies has changed since prelinking
    /sbin/modinfo [ BAD ]
    /usr/sbin/prelink: /sbin/modprobe: at least one of file's dependencies has changed since prelinking
    /sbin/modprobe [ BAD ]
    /usr/sbin/prelink: /sbin/rmmod: at least one of file's dependencies has changed since prelinking
    /sbin/rmmod [ BAD ]
    /usr/sbin/prelink: /bin/cat: at least one of file's dependencies has changed since prelinking
    /bin/cat [ BAD ]
    /usr/sbin/prelink: /bin/chown: at least one of file's dependencies has changed since prelinking
    /bin/chown [ BAD ]
    /usr/sbin/prelink: /bin/df: at least one of file's dependencies has changed since prelinking
    /bin/df [ BAD ]
    /usr/sbin/prelink: /bin/echo: at least one of file's dependencies has changed since prelinking
    /bin/echo [ BAD ]
    /usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
    /bin/egrep [ BAD ]
    /usr/sbin/prelink: /bin/fgrep: at least one of file's dependencies has changed since prelinking
    /bin/fgrep [ BAD ]
    /usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
    /bin/grep [ BAD ]
    /usr/sbin/prelink: /bin/kill: at least one of file's dependencies has changed since prelinking
    /bin/kill [ BAD ]
    /usr/sbin/prelink: /bin/login: at least one of file's dependencies has changed since prelinking
    /bin/login [ BAD ]
    /usr/sbin/prelink: /bin/ls: at least one of file's dependencies has changed since prelinking
    /bin/ls [ BAD ]
    /usr/sbin/prelink: /bin/more: at least one of file's dependencies has changed since prelinking
    /bin/more [ BAD ]
    /usr/sbin/prelink: /bin/mount: at least one of file's dependencies has changed since prelinking
    /bin/mount [ BAD ]
    /bin/netstat [ OK ]
    /usr/sbin/prelink: /bin/ps: at least one of file's dependencies has changed since prelinking
    /bin/ps [ BAD ]
    /usr/sbin/prelink: /bin/sort: at least one of file's dependencies has changed since prelinking
    /bin/sort [ BAD ]
    /usr/sbin/prelink: /bin/su: at least one of file's dependencies has changed since prelinking
    /bin/su [ BAD ]
    /usr/sbin/prelink: /usr/bin/chattr: at least one of file's dependencies has changed since prelinking
    /usr/bin/chattr [ BAD ]
    /usr/sbin/prelink: /usr/bin/file: at least one of file's dependencies has changed since prelinking
    /usr/bin/file [ BAD ]
    /usr/bin/find [ OK ]
    /usr/sbin/prelink: /usr/bin/kill: at least one of file's dependencies has changed since prelinking
    /usr/bin/kill [ BAD ]
    /usr/sbin/prelink: /usr/bin/last: at least one of file's dependencies has changed since prelinking
    /usr/bin/last [ BAD ]
    /usr/sbin/prelink: /usr/bin/lastlog: at least one of file's dependencies has changed since prelinking
    /usr/bin/lastlog [ BAD ]
    /usr/sbin/prelink: /usr/bin/less: at least one of file's dependencies has changed since prelinking
    /usr/bin/less [ BAD ]
    /usr/sbin/prelink: /usr/bin/logger: at least one of file's dependencies has changed since prelinking
    /usr/bin/logger [ BAD ]
    /usr/sbin/prelink: /usr/bin/lsattr: at least one of file's dependencies has changed since prelinking
    /usr/bin/lsattr [ BAD ]
    /usr/sbin/prelink: /usr/bin/md5sum: at least one of file's dependencies has changed since prelinking
    /usr/bin/md5sum [ BAD ]
    /usr/sbin/prelink: /usr/bin/passwd: at least one of file's dependencies has changed since prelinking
    /usr/bin/passwd [ BAD ]
    /usr/sbin/prelink: /usr/bin/pstree: at least one of file's dependencies has changed since prelinking
    /usr/bin/pstree [ BAD ]
    /usr/sbin/prelink: /usr/bin/sha1sum: at least one of file's dependencies has changed since prelinking
    /usr/bin/sha1sum [ BAD ]
    /usr/sbin/prelink: /usr/bin/size: at least one of file's dependencies has changed since prelinking
    /usr/bin/size [ BAD ]
    /usr/sbin/prelink: /usr/bin/slocate: at least one of file's dependencies has changed since prelinking
    /usr/bin/slocate [ BAD ]
    /usr/sbin/prelink: /usr/bin/strace: at least one of file's dependencies has changed since prelinking
    /usr/bin/strace [ BAD ]
    /usr/sbin/prelink: /usr/bin/strings: at least one of file's dependencies has changed since prelinking
    /usr/bin/strings [ BAD ]
    /usr/sbin/prelink: /usr/bin/test: at least one of file's dependencies has changed since prelinking
    /usr/bin/test [ BAD ]
    /usr/sbin/prelink: /usr/bin/top: at least one of file's dependencies has changed since prelinking
    /usr/bin/top [ BAD ]
    /usr/sbin/prelink: /usr/bin/w: at least one of file's dependencies has changed since
    I'm also getting the hootmail thing just like that.
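Every [ BAD ] in the output above is preceded by the same prelink complaint, "at least one of file's dependencies has changed since prelinking". prelink rewrites binaries in place so that their shared libraries load at fixed addresses, and it prints that complaint when one of those libraries has changed since, which is what a system looks like after a library update and before the prelink job runs again. So the hash mismatch has an innocent explanation, but it also means the 'known good' check proved nothing either way, and note that md5sum and sha1sum are themselves on the BAD list, so nothing on the box can be trusted to do the checking. What settles it is comparing the un-prelinked content (prelink -y writes it to standard output) or the package manager's records (rpm -Vf on an RPM system) against a known-good source, using tools run from trusted media. The script below is an added example (my code, not rkhunter's or cPanel's) that parses this output format, pairs each verdict with the prelink complaint that precedes it, and separates "BAD with a prelink explanation" from "BAD with none", which is the list to look at first. The triage labels, the sample lines (copied from the post, plus one hypothetical /sbin/ifconfig line to show the other branch) and the hashing helper are this example's own.

```python
import hashlib
import re
import shutil
import subprocess
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines copied from the rkhunter output in the post above,
# plus one hypothetical line (/sbin/ifconfig) showing a BAD with no prelink complaint.
SAMPLE_RKHUNTER_OUTPUT = """\
* System tools
Info: prelinked files found
Performing 'known good' check...
/usr/sbin/prelink: /sbin/depmod: at least one of file's dependencies has changed since prelinking /sbin/depmod [ BAD ]
/usr/sbin/prelink: /bin/cat: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /bin/cat: at least one of file's dependencies has changed since prelinking
/bin/cat [ BAD ]
/bin/netstat [ OK ]
/usr/sbin/prelink: /bin/ps: at least one of file's dependencies has changed since prelinking
/bin/ps [ BAD ]
/usr/bin/find [ OK ]
/sbin/ifconfig [ BAD ]
"""

# prelink's complaint (printed when a library the binary was prelinked against has
# changed since) and rkhunter's per-file verdict, matched in document order.
TOKEN_RE = re.compile(
    r"/usr/sbin/prelink: (?P<wpath>\S+): at least one of file's dependencies has changed since prelinking"
    r"|(?P<vpath>/\S+) \[ (?P<status>OK|BAD|Warning) \]"
)


@dataclass
class Finding:
    path: str
    status: str            # rkhunter's own verdict: OK / BAD / Warning
    prelink_warning: bool  # prelink complained about this file before the verdict
    verdict: str           # this example's triage label


def _triage(status, prelink_warning):
    if status == "OK":
        return "ok"
    if status == "BAD" and prelink_warning:
        # Hash differs, but prelink already told us why: the binary was rewritten by
        # prelink and its libraries moved. Not evidence of tampering, not proof of
        # innocence either; verify the un-prelinked content against the package.
        return "prelink-drift"
    if status == "BAD":
        return "hash-mismatch"   # no prelink explanation: treat as suspect
    return "warning"


def triage_rkhunter(text):
    """Parse rkhunter 'known good' output into Findings, pairing prelink complaints
    with the verdict that follows them (the complaint is often printed twice)."""
    warned = set()
    findings = []
    for m in TOKEN_RE.finditer(text):
        if m.group("wpath"):
            warned.add(m.group("wpath"))
            continue
        path, status = m.group("vpath"), m.group("status")
        had_warning = path in warned
        warned.discard(path)
        findings.append(Finding(path, status, had_warning, _triage(status, had_warning)))
    return findings


def summarize(findings):
    return dict(Counter(f.verdict for f in findings))


def unprelinked_sha1(path):
    """SHA-1 of the file with prelinking undone in memory (prelink -y), which is the
    value to compare with the distribution's stored checksum; falls back to hashing
    the raw file when prelink is not installed, and says which one it did."""
    if shutil.which("prelink"):
        out = subprocess.run(["prelink", "-y", path], capture_output=True, check=False)
        if out.returncode == 0:
            return "unprelinked", hashlib.sha1(out.stdout).hexdigest()
    with open(path, "rb") as f:
        return "raw", hashlib.sha1(f.read()).hexdigest()


if __name__ == "__main__":
    findings = triage_rkhunter(SAMPLE_RKHUNTER_OUTPUT)
    for f in findings:
        print(f"{f.path:<20} {f.status:<4} prelink_warning={f.prelink_warning!s:<5} -> {f.verdict}")
    print(summarize(findings))
```

Feed it the full rkhunter log and the "hash-mismatch" group is the short list; the "prelink-drift" group is cleared or condemned only by the un-prelinked hash (or rpm -Vf) checked with a copy of prelink and a hashing tool that did not come from this machine.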
     