  1. #1
    Just Joined!
    Join Date
    Aug 2006
    Posts
    2

    Have I been hacked?


    I am running a standard SuSE v10 installation with all patches current. This is a home machine which is used as an http, ftp, name, and mail server. This machine also served as my main firewall/router box. Recently I began to notice a lot of internet activity with this machine so I checked /var/log/firewall. This showed that I was being flooded with repeated (and denied) requests from 4 different IP addresses. I then purchased a small firewall appliance and moved the server box behind the appliance. The firewall appliance is set to allow http, ftp, mail, and pop3 to the server machine only. At the time I thought this was the end of the story.

    I am now beginning to receive spam emails from my own server address, such as root@homemachine.com, administrator@homemachine.com, or most recently from my mailer daemon - mail@homemachine.com. Was their hack attempt successful, or is this a trick that spammers have? How can I check to see what damage they have done? All of the spam emails are for the same product http://www.emailadvertisingagency.org/.

    I am using apache for the webserver and sendmail for my mail server. I almost always have ftp turned off and use qpopper for pop3. Any suggestions will be appreciated.

    Dave

  2. #2
    Linux Guru fingal's Avatar
    Join Date
    Jul 2003
    Location
    Birmingham - UK
    Posts
    1,539
    Hi - I found an article using Google here. As I'm not an expert on this I'll be interested to see what happens!

    A couple of ideas occur to me:
    • someone has tried a Denial of Service (DOS) attack against you; and/or
    • someone wants to hijack your bandwidth to make it appear that you are sending spam.

    Spamming is illegal, so if your IP address becomes associated with this you might receive unwanted attention from the law.

    My understanding is that ftp is an inherently insecure protocol. Better to use SSH instead. In fact, our workplace IT guru refuses to have either of these connected to our main server, arguing that this kind of access will lead to trouble.

    Does your mailing system have an anti-spam system in place? Have you 'hardened' your system using a range of security measures?
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso

  3. #3
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,934
    If you're always being attacked from the same four IP addresses, use the whois tool (there are web-based ones on the internet if you google for them and don't want to use the command line version) to find out who owns the IP address.

    Then send an email to their abuse@ address, and include snippets from your log if you like. Keep copies of the relevant sections of your log just in case you're asked to back up your claim. Whoever is doing it will get their account binned by their ISP.

    As far as the email goes, take a look at the entire email header. The addresses you quoted are probably just set in the return address field, and have no relevance to the sender. If you learn to read the full email headers, then you can learn quite a lot about who is sending this email to you. You can report spam directly to the sender's ISP abuse address, just like their attempts to compromise you.

    Remember, you can always try SpamCop if you're being sent unsolicited emails from a particular source - that doesn't work for some of the South American and South-East Asian ISPs, but usually gets an account banned within a couple of hours if they're with one of the big US or European ISPs. I've sent emails to SpamCop about legitimate UK companies before - including Sky TV, who thought it was really funny to grab my email address from some other correspondence I'd had with them. It's technically illegal to do in the UK, but they (and many others) don't let the legal framework interfere with their marketing systems.
    Linux user #126863 - see http://linuxcounter.net/

  5. #4
    Just Joined!
    Join Date
    Apr 2005
    Posts
    62
    Receiving spam emails does not mean that you've been hacked. I've been receiving lots of spam every day on my Yahoo, Gmail, and company accounts, and it's not good to block a certain IP or network, since spammers sometimes use public proxy servers. Of course they already anticipated that you will be looking at the headers to track their IP, but they already had that in mind: not to use their own IP address. If you want your box to manage spam, then try to install SpamAssassin; Google shows lots of docs on how to do it.

    And even if you have this SpamAssassin thing, you have to set it to minimal, I mean the sort of level at which SpamAssassin considers a certain email to be spam; you might get lots of false positives.

    About logs: when you receive something stating that certain IPs tried to break in but have been denied, that means that your firewall is doing its job, protecting the system itself from intruders.

    Another thing, about why you started to receive those spam emails as you call them: it is because your mail server has been set to accept email from anyone. It's normal; of course that is the purpose why you built it. Just make sure you're not building an open relay SMTP server. By that, chances are your IP or domain might get banned by ORDB and/or DSBL and their equivalents, and you might not be able to send/receive emails anymore.

  6. #5
    Just Joined!
    Join Date
    Aug 2006
    Posts
    2

    More on the hacking

    I appreciate all of the responses. I do get my fair share of spam email just like everyone else. The ones that are raising my suspicions though are the ones that are made to appear that they are being generated from my own machine. Usually the spam emails will come from anybody@anywhere.com. The suspicious ones are coming from either root@mymailserver.net or mail-daemon@mymailserver.net. I looked at the suspicious emails with an editor and here is the message header information (my domains changed).


    Return-Path: <mail@mymailserver.net>
    Received: from adsl-ull-107-60.46-151.net24.it (adsl-ull-107-60.46-151.net24.it [151.46.60.107])
    by myinternalnetwork.net (8.13.4/8.13.4/SuSE Linux 0.7) with SMTP id k7V2Ams1014042
    for <mail@mydomain.org>; Wed, 30 Aug 2006 22:10:54 -0400
    Date: Wed, 30 Aug 2006 22:10:48 -0400
    From: Mailer daemon <mail@mymailserver.net>
    Message-Id: <200608310210.k7V2Ams1014042@portal.cyberspace.net >
    To: mail@mydomain.org
    X-UIDL: O:b"!T5)"!Bg>"!;Uj"!

    After reading this I am making the assumption the message originated externally at adsl-ull-107-60.46-151.net24.it (adsl-ull-107-60.46-151.net24.it [151.46.60.107]). I am not quite sure how but the from header then changes and appears to originate from my mail server instead of the actual originator. Can anyone confirm and/or explain this to me?

    Thanks again,
    Dave

  7. #6
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,934
    Right, let's go through it, line by line...

    Quote Originally Posted by diacobel
    Return-Path: <mail@mymailserver.net>
    This is set by the sending mail client. It's a text field, and they can type in just about whatever they like.
    Quote Originally Posted by diacobel
    Received: from adsl-ull-107-60.46-151.net24.it (adsl-ull-107-60.46-151.net24.it [151.46.60.107])
    by myinternalnetwork.net (8.13.4/8.13.4/SuSE Linux 0.7) with SMTP id k7V2Ams1014042
    for <mail@mydomain.org>; Wed, 30 Aug 2006 22:10:54 -0400
    These are the real meat of the header. While there are internet proxies (actually called 'relays' for email), these should add an extra 'Received:' line to the mail, to show which server it's passed through. The 'Received: from...' line tells you who the email sender is - most smart anti-spam MTAs will check the IP address quoted here with a reverse DNS lookup to make sure the domain names match - if they don't match, then this is a strong candidate for dropping as spam. The 'by' and 'for' lines detail the receiving machine information and the intended recipient; they don't change much and aren't much use on their own.
    Quote Originally Posted by diacobel
    Date: Wed, 30 Aug 2006 22:10:48 -0400
    Fairly obvious - the date the mail was sent. Sometimes spam is sent with forged times and dates, so it doesn't appear at the top of your inbox where you notice it immediately and delete it...
    Quote Originally Posted by diacobel
    From: Mailer daemon <mail@mymailserver.net>
    The sender's name field. This can easily be changed in the mail client; it's a text field, and is the bit the senders put your details in to make you wonder where it's come from.
    Quote Originally Posted by diacobel
    Message-Id: <200608310210.k7V2Ams1014042@portal.cyberspace.net >
    The message ID is assigned by the sending MTA; its only purpose is to track the message and help with logging.
    Quote Originally Posted by diacobel
    The target/recipient's email address, this is used to route the email to the right person.
    Quote Originally Posted by diacobel
    X-UIDL: O:b"!T5)"!Bg>"!;Uj"!
    Different parts of the message can be introduced using these kinds of tags, a bit like the content tags in HTML. They just determine the mime attachment type that is following. I'm unfamiliar with this one.
    Quote Originally Posted by diacobel
    After reading this I am making the assumption the message originated externally at adsl-ull-107-60.46-151.net24.it (adsl-ull-107-60.46-151.net24.it [151.46.60.107]). I am not quite sure how but the from header then changes and appears to originate from my mail server instead of the actual originator. Can anyone confirm and/or explain this to me?

    Thanks again,
    Dave
    Your assumption is correct, this is probably the originating computer's IP address and DNS assignment. Try doing a look-up on somewhere like dnstools or Demon internet's lookups page. There are many similar sites.
    Linux user #126863 - see http://linuxcounter.net/
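    As an added example that is not part of this thread, here is a small Python script that automates the check Roxoff walks through above: it pulls the first 'Received:' hop out of a header block shaped like Dave's and compares it with the domains that 'From:' and 'Return-Path:' claim. The sample header and the set of "own" domains are constructed to match the anonymised header quoted in the thread; the script does not perform the reverse DNS lookup itself, it only reports the hop so you can look it up.

```python
import re
from email import message_from_string

# Constructed sample modelled on the header quoted in the thread (domains as
# Dave anonymised them); not a real captured message.
SAMPLE = """\
Return-Path: <mail@mymailserver.net>
Received: from adsl-ull-107-60.46-151.net24.it (adsl-ull-107-60.46-151.net24.it [151.46.60.107])
\tby myinternalnetwork.net (8.13.4/8.13.4/SuSE Linux 0.7) with SMTP id k7V2Ams1014042
\tfor <mail@mydomain.org>; Wed, 30 Aug 2006 22:10:54 -0400
Date: Wed, 30 Aug 2006 22:10:48 -0400
From: Mailer daemon <mail@mymailserver.net>
Message-Id: <200608310210.k7V2Ams1014042@portal.cyberspace.net>
To: mail@mydomain.org

body
"""

# "from HELO-name (reverse-dns-name [ip])" as written by sendmail-style MTAs.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)", re.I)
ADDR_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?\s*$")

def header_domain(value):
    """Domain part of an address header such as From: or Return-Path:."""
    m = ADDR_RE.search(value or "")
    return m.group(2).lower() if m else None

def analyze(raw, own_domains):
    """Compare the claimed sender domains with the first Received: hop.

    own_domains: domains this server handles mail for (an assumption here).
    """
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # Each relay prepends its Received: line, so the last one is the first hop.
    hop = RECEIVED_RE.search(received[-1].replace("\n", " ")) if received else None
    helo, rdns, ip = hop.groups() if hop else (None, None, None)
    claimed = {header_domain(msg.get("From")), header_domain(msg.get("Return-Path"))}
    claimed_own = {d for d in claimed if d in own_domains}
    hop_is_own = rdns is not None and any(
        rdns == d or rdns.endswith("." + d) for d in own_domains)
    return {
        "first_hop_ip": ip,
        "first_hop_rdns": rdns,
        "helo_rdns_match": helo == rdns,
        "claimed_domains": sorted(claimed_own),
        # True when the mail claims one of our domains but was handed to us
        # by a host that is not ours: the spoofed-From pattern in the thread.
        "spoofed_local_sender": bool(claimed_own) and not hop_is_own,
    }
```

For Dave's header the result reports 151.46.60.107 as the first hop and flags the message as a spoofed local sender, which is exactly the "your assumption is correct" conclusion above.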
