Doug Stewart on 24 Feb 2012 08:07:31 -0800



Re: [PLUG] Hacked server - recovery


I thought AIDE was the preferred tripwire replacement these days...

--
Doug Stewart

On Feb 24, 2012, at 10:45 AM, Fred Stluka <fred@bristle.com> wrote:

JP (or anyone else who knows),

Is there any advantage of fcheck over tripwire?

Also, logcheck over logwatch?

--Fred
Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.

On 2/24/12 2:05 AM, JP Vossen wrote:
Date: Thu, 23 Feb 2012 18:37:08 -0500
From: "Eric at Lucii.org"<eric@lucii.org>

[...]
Now that I *believe* I've cleaned up the malicious code and I'd
like to re-install and turn on postfix again.  Before I do, is
there a way to either throttle the email output (our expected
output is a couple of emails a day from the contact form) OR fire
off an alarm if there are more than <arbitrary low number> emails
being sent in a single hour?  Perhaps there is yet another
alternative that I've not thought of?  [...]

I agree with other folks that the only way to be sure is to nuke it from orbit.  Having said that...

Too late now, but check out http://www.jpsdomain.org/public/2010_Cool_Ubuntu_Apps.pdf:

nullmailer - simple relay-only mail transport agent
fcheck - IDS filesystem baseline integrity checker
logcheck - mails anomalies in the system logfiles to the administrator

If you had the second two you'd have caught this much sooner and have a better idea what changed.  Both are pretty easy to set up.

As for the first one, it may or may not be able to replace Postfix, it depends on how stuff works.  But it might be worth a look.


Next, there are a bunch of log watching apps out there, like:
logwatch - log analyser with nice output written in Perl
swatch - Log file viewer with regexp matching, highlighting & hooks

I've never used them since I use either logcheck or my own Perl/shell/grep stuff, but either of them should be able to fire off an alarm like you want.

Even easier, if you still use Postfix, 'pflogsumm' will email you once a day with a whole bunch of summary details about your email traffic, including an hourly table of: received  delivered   deferred    bounced     rejected

pflogsumm - Postfix log entry summarizer

So there will be lag time until you notice an uptick, and you will only notice it if it routes via Postfix.  But IIRC it's trivial to install and configure.  (I've used it for years, but it's Debian, I installed it once years ago and it just works... :)

All of the stuff above is in the repos and most of it is very easy.

Good luck,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
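The hourly alarm Eric asks for, done in the grep/awk style JP mentions, as an added example that is not code from anyone in the thread. It reads Postfix syslog lines on stdin, counts remote deliveries (postfix/smtp with status=sent, so local deliveries and bounces are not counted) per hour, and prints the hours whose count exceeds a threshold. The log lines, host name, queue ids and addresses are constructed sample data; the function names and the threshold values are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of Postfix syslog lines (not from a real server):
# two remote deliveries at 09:xx, five remote deliveries plus one bounce
# and one local delivery at 11:xx.
SAMPLE_LOG='Feb 24 09:12:01 web postfix/smtp[1234]: 1A2B3C4D5E: to=<alice@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 24 09:40:17 web postfix/smtp[1235]: 2B3C4D5E6F: to=<bob@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 24 11:00:05 web postfix/smtp[1300]: 3C4D5E6F70: to=<u1@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 24 11:00:09 web postfix/smtp[1301]: 4D5E6F7081: to=<u2@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 24 11:00:14 web postfix/smtp[1302]: 5E6F708192: to=<u3@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 24 11:00:20 web postfix/smtp[1303]: 6F708192A3: to=<u4@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 24 11:00:26 web postfix/smtp[1304]: 708192A3B4: to=<u5@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 24 11:00:31 web postfix/smtp[1305]: 8192A3B4C5: to=<nobody@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=5.1.1, status=bounced (host said: 550 5.1.1 User unknown)
Feb 24 11:02:40 web postfix/local[1310]: 92A3B4C5D6: to=<root@web.localdomain>, relay=local, delay=0.1, delays=0.1/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)'

# count_sent_per_hour (assumed name): reads syslog-format Postfix lines on
# stdin and prints one "<Mon> <day> <hour> <count>" line per hour that had
# at least one successful remote (postfix/smtp) delivery.
count_sent_per_hour() {
  grep 'postfix/smtp\[.*status=sent' |
    awk '{ split($3, t, ":"); key = $1 " " $2 " " t[1]; c[key]++ }
         END { for (k in c) print k, c[k] }' |
    sort
}

# hours_over_threshold (assumed name): prints only the hours whose delivery
# count is strictly greater than the threshold given as the first argument.
# An empty result means nothing to alarm on.
hours_over_threshold() {
  threshold=$1
  count_sent_per_hour | awk -v max="$threshold" '$4 > max'
}

# Stand-alone demo on the constructed sample: with a threshold of 3 the
# 11:00 hour is reported ("Feb 24 11 5"); the bounce and the local delivery
# in that hour are not counted.
printf '%s\n' "$SAMPLE_LOG" | hours_over_threshold 3
```

On a real box the same functions would be fed the live log (for example `hours_over_threshold 20 < /var/log/mail.log` from a cron job, with the non-empty output piped to a mail or paging command); the threshold should sit a little above the expected "couple of emails a day" so a compromised contact form spamming in bulk trips it within the hour rather than a day later.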