Thread: Spambot?

  1. #1
    Join Date
    Jun 2008
    Location
    /earth/europe/uk/england/west-yorkshire/leeds/mystreet/myhouse
    Posts
    248

    Default Spambot?

    Hi all
    Long time no post (all has been well in the land of the badger), but now I notice something rather concerning in my Smoothwall's web proxy logs.

    OK, I have the Axigen mail server installed on a Suse 11.0 machine. I just noticed tonight in my Smoothwall's transparent proxy log the following:

    http://208.50.223.240/SpamResolverNG...l?DoNewRequest

    There are about 3-5 entries in the log file for different IP addresses every minute. I don't know if I have been hacked and my machine is now some kind of mail-spamming zombie, or if this is a valid URL. I looked up the IP address above and it returned:

    Code:
    OrgName:    Global Crossing 
    OrgID:      GBLX
    Address:    14605 South 50th Street
    City:       Phoenix
    StateProv:  AZ
    PostalCode: 85044-6471
    Country:    US
    
    ReferralServer: rwhois://rwhois.gblx.net:4321
    
    NetRange:   208.50.192.0 - 208.51.255.255 
    CIDR:       208.50.192.0/18, 208.51.0.0/16 
    NetName:    GBLX-6D
    NetHandle:  NET-208-50-192-0-1
    Parent:     NET-208-0-0-0-0
    NetType:    Direct Allocation
    NameServer: NAME.ROC.GBLX.NET
    NameServer: NAME.PHX.GBLX.NET
    NameServer: NAME.SNV.GBLX.NET
    NameServer: NAME.JFK1.GBLX.NET
    Comment:    THESE ADDRESSES ARE NON-PORTABLE
    RegDate:    
    Updated:    2002-10-14
    
    RTechHandle: IA12-ORG-ARIN
    RTechName:   GBLX-IPADMIN 
    RTechPhone:  +1-800-404-7714
    RTechEmail:  ipadmin@gblx.net 
    
    OrgAbuseHandle: GBLXA-ARIN
    OrgAbuseName:   GBLX-Abuse 
    OrgAbusePhone:  +1-800-404-7714
    OrgAbuseEmail:  abuse@gblx.net
    
    OrgNOCHandle: GBLXN-ARIN
    OrgNOCName:   GBLX-NOC 
    OrgNOCPhone:  +1-800-404-7714
    OrgNOCEmail:  gc-noc@gblx.net
    
    OrgTechHandle: IA12-ORG-ARIN
    OrgTechName:   GBLX-IPADMIN 
    OrgTechPhone:  +1-800-404-7714
    OrgTechEmail:  ipadmin@gblx.net

    Because each IP address is different, it makes me think that my webserver's been compromised.

    Can someone please offer me some advice on what to check or logs to read?

  2. #2
    Join Date
    Sep 2008
    Location
    Toronto,Canada
    Posts
    549

    Default Re: Spambot?

    Have a look at /var/log/messages and you might identify more attacks. Maybe you'll be able to identify on which port they are spamming you. I had issues on port 22 (ssh) with attacks.

  3. #3
    Join Date
    Jun 2008
    Location
    /earth/europe/uk/england/west-yorkshire/leeds/mystreet/myhouse
    Posts
    248

    Default Re: Spambot?

    I checked the logs and saw multiple (hundreds!) of attempts on ports 22 and 21, so I immediately closed the ports on the firewall to stop these dead.

    However, the proxy log is showing OUTBOUND traffic from my network to the link I provided in my original post.

    I'm concerned that my mail server is hijacked into a spambot. I have since installed DansGuardian onto my firewall but it's still showing outbound traffic to the URL. Any ideas how to stop these dead?

  4. #4
    Join Date
    Sep 2008
    Location
    Toronto,Canada
    Posts
    549

    Default Re: Spambot?

    I wish I knew more to help you. So you are saying that this server still connects, or at least you can see in the log that it connects to that IP address. Can you stop the server completely, unless you need to use it? It might be that someone was able to successfully connect and get something installed on your side, but I cannot be sure. Maybe somebody else who knows more about mail servers could help you out. I wrote a command to pull out from the log all the IP addresses which were attacking you, if you want to use it. Try to find the string which is part of each line logged (in my case it was the server name and sshd, e.g. aruba sshd).
    Note: I used messages* in case you have multiple files and some of them were zipped by the system:
    zgrep 'your string' /var/log/messages* | grep 'user' | awk -f /path/awk_ip
    Here are the lines needed in this small script, awk_ip (you can use any name you want for your awk script and use any editor you like to create the file). Please don't forget to give u+x to the script, and you have to run this as root in order to have access to the messages log files (or copy them to your user):

    #! /usr/bin/gawk -f
    # Count login attempts per source address. Each input line is one
    # /var/log/messages entry; field 10 ($10) is the address on the
    # "Invalid user <name> from <ip>" lines that grep 'user' selects.
    {
        ip_array[$10]++;
    }
    END {
        for (ip_address in ip_array) {
            printf "FROM %s there were %d attempts\n", ip_address, ip_array[ip_address]
        }
    }

    and the result would be something like this:
    FROM 200.46.212.67 there were 737 attempts
    FROM 69.124.40.54 there were 2 attempts
    FROM 222.87.0.97 there were 1366 attempts
    FROM 221.6.179.212 there were 20 attempts
    FROM 77.51.250.130 there were 2710 attempts
    FROM 202.30.130.134 there were 221 attempts
    FROM 210.82.89.139 there were 330 attempts

    Good luck with your search and please let us know if you find anything. I will try to learn how to debug/maintain a mail server.

  5. #5

    Default Re: Spambot?

    I would look at changing your mail server if this is anything to go on.. Get onto some security RSS feeds; use something like Yahoo Pipes to get the relevant ones you want.

    - Google Search

    Think like a hacker, find the exploit..

    Though it looks like there is a fix with the vendor. Not really looked at the exploit; if the server hasn't been compromised the fix might be good still.
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.

  6. #6
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Spambot?

    Could it be you have an infected machine on your LAN and it's trying to call home? Or maybe just some adware?
