[CLUE-Tech] SUSE 9.0 syslog files, hackers, and emails...

Kevin Cullis kevincu at orci.com
Sun Jul 25 09:52:37 MDT 2004


Jeff,

Part of the problem is that I'm not 100% sure whether I am or am not; I
just don't know.  I was getting a lot of emails recently that supposedly
came from my box (or whatever), and now I'm getting emails stating that
the mailing lists are getting bounced emails.

So, how do I know?  I'm not sure, but I want to have a better idea of
how to know.

One of the questions I have is: since in the MS world email is the
preferred way of sending viruses, are those viruses sent via Postfix or
some other way?  From that point, I can search via Postfix to see if I'm
sending out stuff via a hacker/cracker; if not, then I have to find a
different way to see what's happening.

Most of the stuff I've read is either generic enough for those that know
what to do or too simple to take me to the next step.

Thanks for the tips, though.

Kevin

On Sat, 2004-07-24 at 22:39, Jeff Falgout wrote:
> >>> kevincu at orci.com 07/24/04 9:40 PM >>>
> Hi all,
> 
> Am in the process of building a new AMD64 machine and will be upgrading
> my older PIII to SUSE 9.1 (from Novell, thanks Jeff) and was going
> through my syslog files and found this because of some weird email
> traffic:
> 
> Jul 24 20:53:42 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=4.225.214.132 DST=4.228.150.39 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=26413 DF PROTO=TCP SPT=2832 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=22913 OPT (020405B401010402)
> 
> I guess that I've been hacked.  I thought I had done everything, but
> what clued me into this was rather than doing a:
> 
> $tail -100 /var/log/messages | grep "message"
> 
> I did a straight:
> 
> $tail -100 /var/log/messages
> 
> I've been using the first method to find out how many messages are
> downloading and when they are done and when I can get offline (hey, if
> you know a way of automating this, I'd be interested), but got lazy one
> day recently and found the above /var/log/messages entry with the second
> command.
> 
> 1. I would like to copy my /home directory and do a fresh install of
> 9.1.  With that in mind, in the Security HOWTO by Kevin Fenzi he stated
> to make sure you don't copy binaries. What else should I not copy?
> 
> 2.  Is a copied virus from one machine to another active or inert?
> 
> 3.  How can I look at what is being sent (it's a German liberal
> political message to a company in Italy, I think) via Postfix and then
> stop the outgoing hacker's emails?
> 
> I know that I need to "plug the security holes" first, but I want to
> learn about this a little more before I do a "reinstall" to fix it.
> 
> Any suggestions as always are appreciated.
> 
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>
> 
> Why do you think you've been hacked?
> 
> From the log line you posted, the SYN (not an ack or anything else)
> packet was dropped on the ppp interface - a packet to tcp 445
> (microsoft-ds). Based on the ttl (yeah, I know they can be changed) of
> 125 (Windows defaults to 128) it looks like a lousy Windows box doing
> whatever they do on 445. I see this all the time. I wouldn't worry about
> it if this is the only reason you think you've been hacked.
> 
> 
> Jeff
> _______________________________________________
> CLUE-Tech mailing list
> Post messages to: CLUE-Tech at clue.denver.co.us
> Unsubscribe or manage your options: http://clue.denver.co.us/mailman/listinfo/clue-tech
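The log line under discussion can be read mechanically rather than by eye. Below is an added example (not from the thread or from SUSE) that parses SuSEfirewall2 LOG lines of this shape into their fields, works out the direction from the IN=/OUT= pair (IN set and OUT empty means the packet was arriving at the box, not leaving it), guesses the sender's initial TTL the way Jeff does for the 125 above, and tags each line as an inbound probe that was dropped versus a connection this host itself tried to open, which is the kind of line that would actually point at a compromised box. The first sample line is the one quoted above; the other two, the IP addresses in them, and the function names are constructed for illustration.

```python
"""Triage SuSEfirewall2 / iptables LOG lines like the one quoted in the thread.

Added example; not code from the original post. The first sample line is the
posted one, the other two are constructed for illustration.
"""
import re
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Common initial TTLs: Linux/BSD 64, Windows 128, Cisco/Solaris 255.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample log: line 1 is from the post, lines 2 and 3 are made up.
SAMPLE_LOG = """\
Jul 24 20:53:42 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=4.225.214.132 DST=4.228.150.39 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=26413 DF PROTO=TCP SPT=2832 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=22913 OPT (020405B401010402)
Jul 24 21:10:03 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.77 DST=4.228.150.39 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4410 DF PROTO=TCP SPT=1097 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 24 21:12:45 linux kernel: SuSE-FW-DROP-DEFAULT IN= OUT=ppp0 SRC=4.228.150.39 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=33012 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

HEADER_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+kernel:\s+(SuSE-FW-[\w-]+)\s+(.*)$"
)


def parse_fw_line(line):
    """Return a dict of key=value fields, TCP flags and the rule name, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, host, rule, rest = m.groups()
    rec = {"ts": ts, "host": host, "rule": rule, "flags": set(), "DF": False}
    for tok in rest.split():
        if tok in TCP_FLAGS:
            rec["flags"].add(tok)
        elif tok == "DF":
            rec["DF"] = True
        elif "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val  # empty values such as OUT= and MAC= stay ""
        # tokens like "OPT" and the raw option bytes are ignored
    return rec


def direction(rec):
    """IN only: arriving at this host. OUT only: leaving it. Both: forwarded."""
    if rec.get("IN") and not rec.get("OUT"):
        return "inbound"
    if rec.get("OUT") and not rec.get("IN"):
        return "outbound"
    if rec.get("IN") and rec.get("OUT"):
        return "forwarded"
    return "unknown"


def guess_initial_ttl(ttl):
    """Smallest common initial TTL >= observed, and the implied hop count."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def triage(rec):
    """Classify one parsed line; returns (tag, one-line explanation)."""
    d = direction(rec)
    flags = rec["flags"]
    dport = rec.get("DPT")
    initial, hops = guess_initial_ttl(int(rec["TTL"]))
    if d == "inbound" and "DROP" in rec["rule"] and flags == {"SYN"}:
        return "inbound-probe", (
            f"dropped connection attempt from {rec['SRC']} to tcp/{dport}; "
            f"TTL {rec['TTL']} suggests an initial TTL of {initial} about {hops} "
            "hops away; nothing left this host")
    if d == "outbound" and flags == {"SYN"}:
        return "outbound-from-host", (
            f"this host tried to open tcp/{dport} on {rec['DST']}; "
            "if nothing on the box should be doing that, investigate")
    return "other", f"{d} {rec.get('PROTO')} packet, flags {sorted(flags)}"


def summarize(log_text):
    """Count (tag, destination port) pairs over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is None:
            continue
        tag, _ = triage(rec)
        counts[(tag, rec.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for line in text.splitlines():
        rec = parse_fw_line(line)
        if rec:
            tag, why = triage(rec)
            print(f"{rec['ts']} {tag}: {why}")
```

Run it with no input and it triages the three sample lines; pipe the real log through it (`tail -100 /var/log/messages | python3 fwtriage.py`, assuming that file name) and it reads stdin instead. The distinction it draws is the one that answers "how do I know": a DROP line with IN=ppp0 and an empty OUT= is traffic that arrived and was refused, while a line with OUT=ppp0 and an empty IN= records something on the box itself opening a connection, and it is those, to ports such as 25, that are worth chasing when the worry is a compromised machine sending mail.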