bergman on 24 Feb 2012 08:18:36 -0800



Re: [PLUG] Hacked server - recovery


In the message dated: Thu, 23 Feb 2012 18:37:08 EST,
The pithy ruminations from "Eric at Lucii.org" on 
<[PLUG] Hacked server - recovery> were:
=> 
=> I'm trying to recover an Ubuntu-based web server that was hacked.
=> It was/is running a 2.x version of OpenRealty that contains more
=> vulnerabilities than I could imagine.
=> 
=> The hacker used it to send spam (no surprise.)  I was in a hurry
=> so to stop it I just did apt-get remove postfix.  That worked in
=> the same way that decapitation cures a headache.
 
:)

=> 
=> Now that I *believe* I've cleaned up the malicious code, I'd
=> like to re-install and turn on postfix again.  Before I do, is
=> there a way to either throttle the email output (our expected
=> output is a couple of emails a day from the contact form) OR fire
=> off an alarm if there are more than <arbitrary low number> emails
=> being sent in a single hour?  Perhaps there is yet another


Besides agreeing with all the advice about nuking the server (from orbit) as
the only way to be sure there are no alien traces left, I can answer your
first question.

Yes, you can use iptables to do outbound rate-limiting by port & protocol. I
use this technique on the server at $WORK to prevent multiple (50K)
computational jobs (each sending begin/end mail) from swamping the corporate
mail servers.

This happens at the network layer, so the application (smtp server on your
machine) simply sees it as if the remote smtp server didn't respond to the
initial connection. Mail is a very easy app to throttle, as the sending smtp
instance will simply queue the outbound mail and patiently retry.

Here's the iptables rule that I use:

	iptables -A OUTPUT -p tcp --destination-port 25 -m limit --limit 3/sec --limit-burst 3 -j ACCEPT

It's pretty easy to combine this with a periodic check of the number of queued
messages:

	if [ "$(mailq | wc -l)" -gt 100 ] ; then
		# sound an alarm, e.g. log it to syslog (or page someone)
		logger -p mail.alert "mail queue unusually long: $(mailq | wc -l) lines"
	fi

Mark
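As an added example (not code from Mark's message or from the list), the script below puts the two pieces together: it emits the iptables throttle and parses `mailq` for the queue-depth alarm. It assumes Linux iptables and Postfix's `mailq` output format, and the rate, burst and threshold values are placeholders. It also spells out two things the one-liner leaves implicit: `--syn` so only new connections are counted rather than every packet of a delivery, and a trailing REJECT so attempts over the limit are actually refused instead of falling through to the OUTPUT chain's default policy.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Linux iptables and
# Postfix's mailq; the rate, burst and threshold values are illustrative.
set -eu

# Emit the throttle rules. --syn limits connection attempts rather than
# every packet of a delivery; the trailing REJECT makes excess attempts
# fail instead of falling through to the chain's default policy.
smtp_throttle_rules() {
    rate=${1:-3/sec}; burst=${2:-3}
    echo "iptables -A OUTPUT -p tcp --syn --dport 25 -m limit --limit $rate --limit-burst $burst -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp --syn --dport 25 -j REJECT --reject-with tcp-reset"
}

# Count queued messages from mailq output on stdin. 'mailq | wc -l' counts
# lines, and one message occupies several, so read the trailer
# "-- N Kbytes in M Requests." instead; an empty queue prints one line.
queue_depth() {
    awk '/^Mail queue is empty/           { print 0; found=1; exit }
         /^-- .* in [0-9]+ Requests?\.$/  { print $(NF-1); found=1; exit }
         END                              { if (!found) print 0 }'
}

# Succeed (exit 0) when the depth is above the threshold, i.e. raise the alarm.
queue_alarm() {
    [ "$1" -gt "${2:-100}" ]
}

# Constructed mailq output used by the self-test; not a real capture.
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
0A1B2C3D4E*     1234 Fri Feb 24 08:00:00  www-data@example.invalid
                                         someone@example.invalid

-- 1 Kbytes in 1 Request.'

case "${1:-}" in
    --apply) smtp_throttle_rules "${2:-3/sec}" "${3:-3}" | sh ;;   # needs root
    --check)
        depth=$(mailq | queue_depth)
        if queue_alarm "$depth" "${2:-100}"; then
            logger -p mail.alert "postfix queue holds $depth messages"
            exit 2
        fi ;;
esac
```

Run it as `./throttle.sh --apply` once after reinstalling postfix, and `./throttle.sh --check 100` from cron; the check exits 2 and logs to syslog when the queue is deeper than the threshold.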


=> 
=> Eric
=> - -- 
=> #  Eric Lucas
=> #
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug