JP Vossen on 23 Feb 2012 23:05:22 -0800 |
Re: [PLUG] Hacked server - recovery |
> Date: Thu, 23 Feb 2012 18:37:08 -0500
> From: "Eric at Lucii.org" <eric@lucii.org>
> [...]
> Now that I *believe* I've cleaned up the malicious code, I'd like to re-install and turn on postfix again. Before I do, is there a way to either throttle the email output (our expected output is a couple of emails a day from the contact form) OR fire off an alarm if there are more than <arbitrary low number> emails being sent in a single hour? Perhaps there is yet another alternative that I've not thought of?
> [...]
I agree with other folks that the only way to be sure is to nuke it from orbit. Having said that...
Too late now, but check out http://www.jpsdomain.org/public/2010_Cool_Ubuntu_Apps.pdf:
  nullmailer - simple relay-only mail transport agent
  fcheck - IDS filesystem baseline integrity checker
  logcheck - mails anomalies in the system logfiles to the administrator

If you had the second two you'd have caught this much sooner and have a better idea what changed. Both are pretty easy to set up.
As for the first one, it may or may not be able to replace Postfix, it depends on how stuff works. But it might be worth a look.
Next, there are a bunch of log watching apps out there, like:

  logwatch - log analyser with nice output written in Perl
  swatch - Log file viewer with regexp matching, highlighting & hooks

I've never used them since I use either logcheck or my own Perl/shell/grep stuff, but either of them should be able to fire off an alarm like you want.
Even easier, if you still use Postfix, 'pflogsumm' will email you once a day with a whole bunch of summary details about your email traffic, including an hourly table of: received, delivered, deferred, bounced, rejected.

  pflogsumm - Postfix log entry summarizer

So there will be lag time until you notice an uptick, and you will only notice it if it routes via Postfix. But IIRC it's trivial to install and configure. (I've used it for years, but it's Debian, I installed it once years ago and it just works... :)
All of the stuff above is in the repos and most of it is very easy.

Good luck,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
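The per-hour alarm Eric asks for, as an added example that is not part of the original thread and not code from any of the tools JP lists. It does by hand what pflogsumm's hourly table and a logcheck/swatch rule would do: it reads Postfix's mail.log, counts for each hour the messages the queue manager accepted ("queue active" lines) and the recipients they carried, and prints a line for any hour over a threshold. Run from cron, anything it prints is mailed to the admin, which is the alarm. The log lines embedded below are constructed, with assumed hostnames, queue IDs and addresses; the log format is the standard Postfix syslog format, but the default limit of 3 per hour is an assumption sized to "a couple of emails a day".

```python
#!/usr/bin/env python3
"""Hourly outbound-volume alarm over Postfix mail.log (added example).

Usage: postfix_hourly_alarm.py [/var/log/mail.log] [max_per_hour]
With no arguments it runs over the constructed SAMPLE_LOG below.
"""
import re
import sys
from collections import defaultdict

# Constructed sample of Postfix syslog lines (not from the original post).
# The contact form sends one message in the morning and one in the
# afternoon; late at night something injects three 50-recipient messages.
SAMPLE_LOG = """\
Feb 23 09:12:01 www postfix/pickup[1201]: 4A1B2C3D4E: uid=33 from=<www-data>
Feb 23 09:12:01 www postfix/cleanup[1210]: 4A1B2C3D4E: message-id=<20120223141201.1@www>
Feb 23 09:12:01 www postfix/qmgr[1199]: 4A1B2C3D4E: from=<www-data@www.example.org>, size=812, nrcpt=1 (queue active)
Feb 23 09:12:02 www postfix/smtp[1220]: 4A1B2C3D4E: to=<owner@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
Feb 23 09:12:02 www postfix/qmgr[1199]: 4A1B2C3D4E: removed
Feb 23 14:05:33 www postfix/qmgr[1199]: 5B2C3D4E5F: from=<www-data@www.example.org>, size=901, nrcpt=1 (queue active)
Feb 23 23:40:00 www postfix/qmgr[1199]: 6C3D4E5F60: from=<www-data@www.example.org>, size=2210, nrcpt=50 (queue active)
Feb 23 23:40:01 www postfix/qmgr[1199]: 7D4E5F6071: from=<www-data@www.example.org>, size=2210, nrcpt=50 (queue active)
Feb 23 23:40:02 www postfix/qmgr[1199]: 8E5F607182: from=<www-data@www.example.org>, size=2210, nrcpt=50 (queue active)
"""

# One such line is logged per message entering the active queue, whatever
# path it arrived by (sendmail(1) from PHP, SMTP, or pickup). Syslog
# timestamps carry no year, so the hour key is just "Mon DD HH".
QMGR_ACTIVE = re.compile(
    r"^(?P<hour>[A-Z][a-z]{2}\s+\d{1,2} \d{2}):\d{2}:\d{2} \S+ "
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+) \(queue active\)"
)


def hourly_counts(log_text):
    """Return {hour: (messages, recipients)} for every hour with traffic,
    in log order."""
    messages = defaultdict(int)
    recipients = defaultdict(int)
    for line in log_text.splitlines():
        m = QMGR_ACTIVE.match(line)
        if not m:
            continue
        hour = re.sub(r"\s+", " ", m.group("hour"))  # "Feb  3" -> "Feb 3"
        messages[hour] += 1
        recipients[hour] += int(m.group("nrcpt"))
    return {h: (messages[h], recipients[h]) for h in messages}


def alarm_hours(log_text, max_per_hour=3):
    """Hours whose message count OR recipient count exceeds max_per_hour.

    Recipients are checked as well as messages because a hijacked contact
    form often sends few messages, each with a long Bcc list.
    """
    return [
        (hour, msgs, rcpts)
        for hour, (msgs, rcpts) in hourly_counts(log_text).items()
        if msgs > max_per_hour or rcpts > max_per_hour
    ]


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    limit = int(argv[2]) if len(argv) > 2 else 3  # assumed default
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_LOG
    for hour, msgs, rcpts in alarm_hours(text, limit):
        print(f"ALARM {hour}:00  {msgs} messages, {rcpts} recipients "
              f"(limit {limit}/hour)")


if __name__ == "__main__":
    main(sys.argv)
```

Against the constructed log, only the 23:00 hour trips the alarm: three messages is within a limit of 3, but 150 recipients is not, which is exactly the case a per-message count alone would miss. An hourly cron entry pointed at /var/log/mail.log turns this into a standing alarm; like pflogsumm it only sees mail that actually goes through Postfix, so a script that speaks SMTP directly to a remote host would not show up here.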