[opensuse] How to find a mysterious mailer?
Hi,

this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.

19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270

The thing that I find most interesting is that I do not have any entries in /var/log/mail at this time. Some minutes earlier and some minutes later there are, but not at this time. Both hosts use the same time source.

So I guess that there is a script running on the box that reads the postfix config entry for its relayhost (postconf -h relayhost) and sends a mail all by itself. And doing so, it uses a wrong IMAP command, LOGOUT instead of QUIT.

The only LOGOUT I found outside binary files is in </usr/lib64/ruby/2.1.0/net/imap.rb>. As far as I understand the code, near line 1200 the command LOGOUT is sent to the mailhost.

How can I find the script that uses this module? The file belongs to ruby2.1-stdlib, and this is required (rpm) by ruby2.1 only. This itself is required only by ruby, which in turn is required by ruby-devel, yast2-services-manager and yast2-ruby-bindings. Would any of those packages run a script that bypasses my local MTA? None of them has an entry in /etc/cron*. And none of the entries in /etc/cron* is scheduled at this time...

So, how could I find the script that is responsible for the mail log entries that my postmaster showed me?

BTW, just to make sure the ruby library is the right place, I modified the code a bit so that it should send QUIT now. If there are no more log entries from that host on monday, I can be sure to have found the proper place. But I still do not know how to locate the script...

Puzzled,
Werner

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
21.07.2017 20:36, Werner Flamme wrote:
> Hi,
> this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.
> 19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270
> The thing that I find most interesting is that I do not have any entries in /var/log/mail at this time. Some minutes earlier and some minutes later there are, but not at this time. Both hosts use the same time source.
> So I guess that there is a script running on the box that reads the postfix config entry for its relayhost (postconf -h relayhost) and sends a mail all by itself. And doing so, it uses a wrong IMAP command, LOGOUT instead of QUIT.
> The only LOGOUT I found outside binary files is in </usr/lib64/ruby/2.1.0/net/imap.rb>. As far as I understand the code, near line 1200 the command LOGOUT is sent to the mailhost.
> How can I find the script that uses this module? The file belongs to ruby2.1-stdlib, and this is required (rpm) by ruby2.1 only. This itself
This is just a library; it is the same as looking at libc and asking which program is using it.
> is required only by ruby, which in turn is required by ruby-devel, yast2-services-manager and yast2-ruby-bindings.
> Would any of those packages run a script that bypasses my local MTA? None of them has an entry in /etc/cron*. And none of the entries in /etc/cron* is scheduled at this time...
> So, how could I find the script that is responsible for the mail log entries that my postmaster showed me?
> BTW, just to make sure the ruby library is the right place, I modified the code a bit so that it should send QUIT now. If there are no more log entries from that host on monday, I can be sure to have found the proper place. But I still do not know how to locate the script...
You could add a statement that logs the program name at this point. I have zero experience with ruby but I'm sure there is a standard way to obtain it.
On Fri, 21 Jul 2017 21:21:06 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> 21.07.2017 20:36, Werner Flamme wrote:
>> Hi,
>> this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.
>> 19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270
>> The thing that I find most interesting is that I do not have any entries in /var/log/mail at this time. Some minutes earlier and some minutes later there are, but not at this time. Both hosts use the same time source.
>> So I guess that there is a script running on the box that reads the postfix config entry for its relayhost (postconf -h relayhost) and sends a mail all by itself. And doing so, it uses a wrong IMAP command, LOGOUT instead of QUIT.
>> The only LOGOUT I found outside binary files is in </usr/lib64/ruby/2.1.0/net/imap.rb>. As far as I understand the code, near line 1200 the command LOGOUT is sent to the mailhost.
>> How can I find the script that uses this module? The file belongs to ruby2.1-stdlib, and this is required (rpm) by ruby2.1 only. This itself
> This is just a library; it is the same as looking at libc and asking which program is using it.
>> is required only by ruby, which in turn is required by ruby-devel, yast2-services-manager and yast2-ruby-bindings.
>> Would any of those packages run a script that bypasses my local MTA? None of them has an entry in /etc/cron*. And none of the entries in /etc/cron* is scheduled at this time...
>> So, how could I find the script that is responsible for the mail log entries that my postmaster showed me?
>> BTW, just to make sure the ruby library is the right place, I modified the code a bit so that it should send QUIT now. If there are no more log entries from that host on monday, I can be sure to have found the proper place. But I still do not know how to locate the script...
> You could add a statement that logs the program name at this point. I have zero experience with ruby but I'm sure there is a standard way to obtain it.
Me neither, but fortunately some people do: https://stackoverflow.com/questions/4834821/how-can-i-get-the-name-of-the-co...
Dave Howorth [21.07.2017 22:27]:
> On Fri, 21 Jul 2017 21:21:06 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
>> You could add a statement that logs the program name at this point. I have zero experience with ruby but I'm sure there is a standard way to obtain it.
> Me neither, but fortunately some people do: https://stackoverflow.com/questions/4834821/how-can-i-get-the-name-of-the-co...
I did so, and there was no output. Maybe it was a monitoring-plugin. check_tcp checks SMTP, and has "a1 LOGOUT" in its source code, but looking at the code this should show up only when used as check_imap, not as check_smtp (which is a separate plugin, btw, that has no LOGOUT in its source :)).

Well, at least, after stopping stunnel, there are no log entries any more. So there was a piece of software using localhost:11125 as communication point and not remoteMX:465. I'll see more soon, currently I'm happy my Postmaster stops complaining :)

Thanks to everyone for input!

Werner
On 21/07/17 01:36 PM, Werner Flamme wrote:
> Hi,
> this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.
> 19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270
It may be that the Ruby stuff is a sideline, an artefact from interpretation of the logs.

It is unclear from the way you've presented the communication from the Postmaster whether he's telling you that there is an IMAP server running on your machine or if there is an IMAP client. As far as I recall Postfix is only about SMTP.

The 'fuser' program (RTFM) can identify what programs are making use of network sockets. There is also 'socklist'.

An IMAP server will listen on port 143. An IMAP client, such as Thunderbird in my case, accesses port 143 on a remote machine.

# socklist | grep 143
type  port   inode uid    pid   fd name
tcp    143  27363   0   1478  37 dovecot
tcp    143 201937 477  28599   7 imap
tcp  40406 204085 501   3794 143 thunderbird-bin
tcp    143 203248 477  28609   7 imap
tcp    143 201956 477  28602   7 imap

# grep 477 /etc/passwd
dovenull:x:477:475:User for Dovecot login:/var/run/dovecot:/bin/false

# fuser -n tcp -u -v 143
                     USER        PID ACCESS COMMAND
143/tcp:             root       1478 F.... (root)dovecot
                     anton     28602 F.... (anton)imap
                     anton     28609 F.... (anton)imap

I'm also running Postscript which is listening on port 25

# fuser -n tcp -u -v 25
                     USER        PID ACCESS COMMAND
25/tcp:              root       1687 F.... (root)master

Once again, please do clarify what your Postmaster actually means.

Also, please note that Postfix and Dovecot, and I should think any legitimate mail server, have their own log files.

HOWEVER if there is a trojan or a rogue or undocumented or 'custom' service, be it a listener or a client, there is no guarantee that the coder included or activated calls to syslog.

That is why I suggest looking at the actual ports in use and other information under /proc rather than the log files.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
Anton Aylward [22.07.2017 00:14]:
> On 21/07/17 01:36 PM, Werner Flamme wrote:
>> Hi,
>> this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.
>> 19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270
> It may be that the Ruby stuff is a sideline, an artefact from interpretation of the logs.
> It is unclear from the way you've presented the communication from the Postmaster whether he's telling you that there is an IMAP server running on your machine or if there is an IMAP client.
Yes, you nailed it. My postmaster sent log excerpts from his SMTP logs. On my host, something wants to deliver mail to the central (internal) MX. Doing so, it suddenly uses an IMAP command.
> As far as I recall Postfix is only about SMTP.
and LMTP, but "a1 LOGOUT" isn't an LMTP command either :)
> Once again, please do clarify what your Postmaster actually means.
I tried, see above.
> Also, please note that Postfix and Dovecot, and I should think any legitimate mail server, have their own log files.
There is no Dovecot on these hosts. And I already looked into /var/log/mail and found no entries at that time, as I wrote in OP.
> HOWEVER if there is a trojan or a rogue or undocumented or 'custom' service, be it a listener or a client, there is no guarantee that the coder included or activated calls to syslog.
> That is why I suggest looking at the actual ports in use and other information under /proc rather than the log files.
Of course, I can use something like "lsof -i:25" to find out that my postfix master process is listening here, but how would I find a sending script with this method? Which port should I look at? I only know the destination host and port (465). The sending port (in OP "48270") changes in every log entry.

If it was postfix that causes this error, I do not know why not all the world complains about postfix using IMAP commands in an SMTP dialogue. It is about the last piece of software I'd suspect of that. Besides, postfix makes nice log entries, and there are none at this time.

Werner
On 24/07/17 06:03 AM, Werner Flamme wrote:
> There is no Dovecot on these hosts. And I already looked into /var/log/mail and found no entries at that time, as I wrote in OP.
You are making what might be an unwarranted assumption. Quite apart from mail.err, mail.log, mail.warn, there may be something in messages. It may be that journald is doing the relevant logging. It may be that a Thunderbird or Firefox process is responsible.
>> HOWEVER if there is a trojan or a rogue or undocumented or 'custom' service, be it a listener or a client, there is no guarantee that the coder included or activated calls to syslog.
>> That is why I suggest looking at the actual ports in use and other information under /proc rather than the log files.
> Of course, I can use something like "lsof -i:25" to find out that my postfix master process is listening here, but how would I find a sending script with this method? Which port should I look at?
In fact 'lsof' will list everything for you. You'll need a 'smart eyeball' method to scan and discard the known stuff, what Marcus Ranum called 'artificial ignorance', progressive 'grep -v' to cut out things you can be sure aren't the problem.

As you say, Postfix is port 25. Obviously that's not the one. It won't be a UDP or a UNIX Domain socket either :-)

You might also try the 'fuser' command, as in

# fuser tcp/imap

RTFM for details about other parameters.

> I only know the destination host and port (465). The sending port (in OP "48270") changes in every log entry.
> If it was postfix that causes this error, I do not know why not all the world complains about postfix using IMAP commands in an SMTP dialogue. It is about the last piece of software I'd suspect of that. Besides, postfix makes nice log entries, and there are none at this time.
Anton Aylward [24.07.2017 13:13]:
> On 24/07/17 06:03 AM, Werner Flamme wrote:
>> There is no Dovecot on these hosts. And I already looked into /var/log/mail and found no entries at that time, as I wrote in OP.
> You are making what might be an unwarranted assumption. Quite apart from mail.err, mail.log, mail.warn, there may be something in messages. It may be that journald is doing the relevant logging. It may be that a Thunderbird or Firefox process is responsible.
The host in question is a server. There is nothing like a Thunderbird installed on it. Of course, nonsense files like mail.err, mail.log, mail.warn are empty. I only look at /var/log/mail - I need to collect all data to a connection, and the mail.prio files do not have those.
>>> HOWEVER if there is a trojan or a rogue or undocumented or 'custom' service, be it a listener or a client, there is no guarantee that the coder included or activated calls to syslog.
>>> That is why I suggest looking at the actual ports in use and other information under /proc rather than the log files.
>> Of course, I can use something like "lsof -i:25" to find out that my postfix master process is listening here, but how would I find a sending script with this method? Which port should I look at?
> In fact 'lsof' will list everything for you. You'll need a 'smart eyeball' method to scan and discard the known stuff, what Marcus Ranum called 'artificial ignorance', progressive 'grep -v' to cut out things you can be sure aren't the problem.
I think there is no need for a grep. "lsof -i @internalMX:465" should suffice according to the man page. Or "lsof -i @127.0.0.1:11125", since this is an stunnel to the internalMX host. But neither command produces any output, though stunnel is running and connects localhost:11125 with internalMX:465 :-\ And how often should I run lsof to catch the event? Any second, until I accidentally catch the victim? :)
> As you say, Postfix is port 25. Obviously that's not the one. It won't be a UDP or a UNIX Domain socket either :-)
> You might also try the 'fuser' command, as in
> # fuser tcp/imap
> RTFM for details about other parameters.
Well, "man fuser" tells me that "fuser telnet/tcp" "shows all processes at the (local) TELNET port." Very nice feature. Again the question: which port should I look at? Only servers use constant ports, since this is needed for incoming connections. A sending process uses any port it can claim. Postfix does not send via port 25, it listens for incoming connections there.

# LANG=C fuser -v smtp/tcp
                     USER        PID ACCESS COMMAND
smtp/tcp:            root       8185 F.... master

Nice, here I see postfix listening on incoming connections.

Werner
On 24/07/17 07:48 AM, Werner Flamme wrote:
> Of course, nonsense files like mail.err, mail.log, mail.warn are empty. I only look at /var/log/mail - I need to collect all data to a connection, and the mail.prio files do not have those.
Actually /var/log/mail is a mail.prio file as well :-)

But that's beside the point. Clearly this isn't a 'conventional' email service. At the extreme, a rogue, or as Carlos mentions, some malware, a trojan or something, isn't going to write to log files.

Lsof and fuser will tell you about network connections and their associated processes.

If you can't account for them all, be suspicious. There may be some parasite calling home. If you're not running Thunderbird and Firefox, which account for most of the connections my workstation has to all manner of sites, then the deviations from patterns you need to watch out for are going to be more obvious. A full listing of IP connections with lsof might show up something you can't account for.

Please don't expect a single lsof parameter to instantly tell you. You are going to have to do a bit of creative detective work.

Yes, there are 'watcher' programs that will look out for the opening or creation of a file or a network link. The issue is that you need to know what you are looking for in the first place. Assuming that this really is port 134 or port 25 might be like the drunk looking for his keys under the lamp post.
On 07/24/2017 05:33 AM, Anton Aylward wrote:
> On 24/07/17 07:48 AM, Werner Flamme wrote:
>> Of course, nonsense files like mail.err, mail.log, mail.warn are empty. I only look at /var/log/mail - I need to collect all data to a connection, and the mail.prio files do not have those.
> Actually /var/log/mail is a mail.prio file as well :-)
> But that's beside the point. Clearly this isn't a 'conventional' email service. At the extreme, a rogue, or as Carlos mentions, some malware, a trojan or something, isn't going to write to log files.
> Lsof and fuser will tell you about network connections and their associated processes.
> If you can't account for them all, be suspicious. There may be some parasite calling home. If you're not running Thunderbird and Firefox, which account for most of the connections my workstation has to all manner of sites, then the deviations from patterns you need to watch out for are going to be more obvious. A full listing of IP connections with lsof might show up something you can't account for.
> Please don't expect a single lsof parameter to instantly tell you. You are going to have to do a bit of creative detective work.
> Yes, there are 'watcher' programs that will look out for the opening or creation of a file or a network link. The issue is that you need to know what you are looking for in the first place. Assuming that this really is port 134 or port 25 might be like the drunk looking for his keys under the lamp post.
Of course, if malware is suspected you can't trust anything on the system, including programs like ps, ls, lsof, netstat, etc. Rootkits will modify these binaries and libraries so that they will seem to work, but won't show the malware's presence and activities. Statically linked binaries from DVD should be used for diagnosis if possible.

I've been using "aide" to take md5 fingerprints of all important binaries and config files, with the signatures being stored off-machine. I've never caught anything, but it is sound practice and makes me feel a bit better.

Regards,
Lew
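Added example for Lew's integrity check, my code rather than anything from the thread: a triage of `rpm -Va` output that keeps only entries where a non-config file's content, mode or ownership changed and drops the mtime-only noise that makes the raw listing hard to read. The sample output is constructed. Lew's caveat applies unchanged: rpm and its database live on the suspect box, so run the verification with a trusted rpm (rescue media, or rpm --dbpath against a copied database) or against aide's off-box database before believing a clean result.

```ruby
# Added example (not the thread's code): triage of `rpm -Va` output, keeping
# only entries where a non-config file's content, mode or ownership changed.
# Verify flags, in rpm's order: S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities; '.' passed, '?' not testable.
FLAG_NAMES = { 'S' => 'size', 'M' => 'mode', '5' => 'digest', 'D' => 'device',
               'L' => 'symlink', 'U' => 'user', 'G' => 'group', 'T' => 'mtime',
               'P' => 'capabilities' }.freeze
CONTENT_FLAGS = %w[S M 5 L U G P].freeze # mtime alone (T) is noise

# Constructed sample of `rpm -Va` output (not from a real host).
RPM_V_SAMPLE = <<~OUT
  S.5....T.    /usr/bin/lsof
  .......T.    /usr/lib64/libfoo.so.1
  S.5....T.  c /etc/postfix/main.cf
  .M.......    /usr/bin/netstat
  missing     /usr/share/doc/packages/foo/README
OUT

# One line -> { path:, attr:, flags: }, or nil for "missing ..." and other
# non-flag lines. attr is rpm's file class letter (c config, d doc, ...).
def parse_rpm_v(line)
  m = line.match(/\A([SM5DLUGTP.?]{9})\s+(?:([cdglr]+)\s+)?(\S.*)\z/)
  return nil unless m
  { path: m[3], attr: m[2], flags: m[1].chars.grep_v(/[.?]/) }
end

# [[path, "flag,names"], ...] for files worth a second look: a content-level
# change on something that is neither a config nor a documentation file.
def modified_binaries(output)
  output.each_line
        .filter_map { |l| parse_rpm_v(l.chomp) }
        .reject { |r| r[:attr]&.match?(/[cd]/) }
        .select { |r| (r[:flags] & CONTENT_FLAGS).any? }
        .map { |r| [r[:path], r[:flags].map { |f| FLAG_NAMES[f] }.join(',')] }
end

# Live run against the local rpm database (see the caveat in the lead-in).
def verify_installed_packages
  modified_binaries(`rpm -Va 2>/dev/null`)
end

if __FILE__ == $PROGRAM_NAME
  modified_binaries(RPM_V_SAMPLE).each { |path, why| puts "#{path}: #{why}" }
end
```

On the sample this reports /usr/bin/lsof (size and digest changed) and /usr/bin/netstat (mode changed) and stays silent about the edited config file and the library that merely has a new mtime; on a real box the hits are the binaries you then compare against the package on the install media.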
On Fri, 21 Jul 2017 19:36, Werner Flamme wrote:
> Hi,
> this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.
> 19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270
> [snip]
> The only LOGOUT I found outside binary files is in </usr/lib64/ruby/2.1.0/net/imap.rb>. As far as I understand the code, near line 1200 the command LOGOUT is sent to the mailhost.
> [snip]
> BTW, just to make sure the ruby library is the right place, I modified the code a bit so that it should send QUIT now. If there are no more log entries from that host on monday, I can be sure to have found the proper place. But I still do not know how to locate the script...
If you can program ruby, add a syslog call with PID, UID and calling program name as message to the ruby function. Can't help you there, Ruby as a language gives me the cold shakies.

Extra hint: If you 'grep' binaries for the LOGOUT command, verify that other imap commands are also in the same file. A telling hint would be the existence of other valid imap commands, the 'LOGOUT' but missing the 'QUIT' command.

- Yamaban.
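Added example for the suggestion Andrei, Dave and Yamaban make above (log PID, UID and program name from inside the library). This is my code, not the thread's and not from net/imap.rb: it hooks the method with Module#prepend so the library file can stay untouched, which also keeps the next rpm update from silently undoing the change and keeps rpm -V clean for the integrity check discussed later. The FakeClient class and the RECORDS sink are constructed for the demonstration; hook_net_imap is a hypothetical helper showing the one line needed for the real Net::IMAP#logout and is not run here.

```ruby
# Added example (not from the thread, not from net/imap.rb): record who calls
# a library method by prepending a tracing module, instead of editing the
# library file. Nothing here opens a network connection.
module CallerTrace
  # Returns a module to prepend to a class. It intercepts +method_name+,
  # hands one identity line to +sink+ and then runs the original method.
  def self.wrap(method_name, sink:)
    Module.new do
      define_method(method_name) do |*args, **kwargs, &blk|
        origin = caller_locations(1, 1)&.first # the code that called us
        sink.call(CallerTrace.identity(self.class, method_name, origin))
        super(*args, **kwargs, &blk)
      end
    end
  end

  # "Class#method pid=.. uid=.. prog=.. cmd=.. from=file:line".
  # $PROGRAM_NAME is the script ruby was started with; on Linux
  # /proc/self/cmdline adds the full argv even if the script rewrote $0.
  def self.identity(klass, method_name, origin)
    cmdline = begin
      File.read('/proc/self/cmdline').split("\0").join(' ')
    rescue SystemCallError
      $PROGRAM_NAME
    end
    format('%s#%s pid=%d uid=%d prog=%s cmd=%s from=%s:%d',
           klass, method_name, Process.pid, Process.uid, $PROGRAM_NAME, cmdline,
           origin ? origin.path : '?', origin ? origin.lineno : 0)
  end

  # Production sink: the line goes to syslog with the mail facility, so it
  # lands next to postfix's own entries. Falls back to stderr when the
  # syslog gem is not installed (it is no longer a default gem in recent Rubies).
  def self.syslog_sink
    require 'syslog'
    Syslog.open('callertrace', Syslog::LOG_PID, Syslog::LOG_MAIL) unless Syslog.opened?
    ->(msg) { Syslog.warning('%s', msg) }
  rescue LoadError
    ->(msg) { $stderr.puts(msg) }
  end
end

# The one line needed for the real library. Not called here; assumes the
# process already loads net/imap (hypothetical helper name).
def hook_net_imap
  require 'net/imap'
  Net::IMAP.prepend(CallerTrace.wrap(:logout, sink: CallerTrace.syslog_sink))
end

# Constructed stand-in for a client whose session ends with "a1 LOGOUT".
class FakeClient
  attr_reader :sent

  def initialize
    @sent = []
  end

  def logout
    @sent << 'a1 LOGOUT'
    :ok
  end
end

RECORDS = [] # in-memory sink, so the demonstration is inspectable
FakeClient.prepend(CallerTrace.wrap(:logout, sink: ->(m) { RECORDS << m }))

# Runs one session through the hooked stand-in and returns the identity line.
def demo
  client = FakeClient.new
  client.logout
  RECORDS.last
end

puts demo if __FILE__ == $PROGRAM_NAME
```

To apply it to the real thing without touching imap.rb, put the module in a file that calls hook_net_imap and load it through RUBYOPT=-r/path/to/callertrace.rb in the environment of whatever starts the scripts (assumption: they run under the system ruby and honour RUBYOPT); the identity line then shows up under the mail facility in /var/log/mail, time-aligned with the postmaster's entries.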
On 2017-07-21 19:36, Werner Flamme wrote:
> Hi,
> this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.
> 19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270
> The thing that I find most interesting is that I do not have any entries in /var/log/mail at this time. Some minutes earlier and some minutes later there are, but not at this time. Both hosts use the same time source.
> So I guess that there is a script running on the box that reads the postfix config entry for its relayhost (postconf -h relayhost) and sends a mail all by itself. And doing so, it uses a wrong IMAP command, LOGOUT instead of QUIT.
This is not consistent. Postfix talks SMTP, not IMAP. You can not send an email using IMAP. If someone is using IMAP, the server component would be dovecot, cyrus, or something else. Not postfix. You have to first identify which mail server component is really affected. Ie, what is "tcp_local"? Google search indicates Oracle and SMTP, so it is impossible this can be an IMAP command. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
Carlos E. R. [22.07.2017 14:22]:
> On 2017-07-21 19:36, Werner Flamme wrote:
>> Hi,
>> this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.
>> 19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270
>> The thing that I find most interesting is that I do not have any entries in /var/log/mail at this time. Some minutes earlier and some minutes later there are, but not at this time. Both hosts use the same time source.
>> So I guess that there is a script running on the box that reads the postfix config entry for its relayhost (postconf -h relayhost) and sends a mail all by itself. And doing so, it uses a wrong IMAP command, LOGOUT instead of QUIT.
> This is not consistent.
Aye.
> Postfix talks SMTP, not IMAP. You can not send an email using IMAP.
*I* don't. Something not yet identified on my host tries to do so.
> If someone is using IMAP, the server component would be dovecot, cyrus, or something else. Not postfix.
Exactly. Since there are neither dovecot nor cyrus on this host, I'm looking for "something else". This is what I called "mysterious mailer". BTW, I don't believe that dovecot would open an SMTP connection to port 465 and try to end an IMAP conversion here. It was an SMTP dialogue all right up to here, since my Postmaster says due to this false finishing command the sessions keep hanging and the mail is sent later only.
> You have to first identify which mail server component is really affected. Ie, what is "tcp_local"?
> Google search indicates Oracle and SMTP, so it is impossible this can be an IMAP command.
tcp_local is used on that central internal MX. AFAIK it is running Oracle Communications software. The logs are from the SMTP queues. So I'm looking for something that uses an IMAP command in an SMTP dialogue to end it.

Werner
On 2017-07-24 12:09, Werner Flamme wrote:
> Carlos E. R. [22.07.2017 14:22]:
>> This is not consistent.
> Aye.
>> Postfix talks SMTP, not IMAP. You can not send an email using IMAP.
> *I* don't. Something not yet identified on my host tries to do so.
Yes, I see from your other response that this is something very different and strange. ...
> tcp_local is used on that central internal MX. AFAIK it is running Oracle Communications software.
> The logs are from the SMTP queues. So I'm looking for something that uses an IMAP command in an SMTP dialogue to end it.
I would be considering malware at this point.
Carlos E. R. [24.07.2017 13:38]:
> On 2017-07-24 12:09, Werner Flamme wrote:
>> Carlos E. R. [22.07.2017 14:22]:
>>> This is not consistent.
>> Aye.
>>> Postfix talks SMTP, not IMAP. You can not send an email using IMAP.
>> *I* don't. Something not yet identified on my host tries to do so.
> Yes, I see from your other response that this is something very different and strange.
> ...
>> tcp_local is used on that central internal MX. AFAIK it is running Oracle Communications software.
>> The logs are from the SMTP queues. So I'm looking for something that uses an IMAP command in an SMTP dialogue to end it.
> I would be considering malware at this point.
I changed the postfix config on the three hosts in question so that they send their mails to a relay host, where I have full access to the mail log. They send a bazillion mails per day, two of them are running SAP systems that spread notification mails. Sigh. I can't simply stop them and install anew before the existence of malware on those is proven.

Werner
On 2017-07-24 13:53, Werner Flamme wrote:
> Carlos E. R. [24.07.2017 13:38]:
>> I would be considering malware at this point.
> I changed the postfix config on the three hosts in question so that they send their mails to a relay host, where I have full access to the mail log.
So if something goes a different route it is a rogue.
> They send a bazillion mails per day, two of them are running SAP systems that spread notification mails. Sigh. I can't simply stop them and install anew before the existence of malware on those is proven.
Of course. But maybe you can search for it. :-?
On 24/07/17 08:07 AM, Carlos E. R. wrote:
>> They send a bazillion mails per day, two of them are running SAP systems that spread notification mails. Sigh. I can't simply stop them and install anew before the existence of malware on those is proven.
> Of course.
Well, Werner, you can start by running an integrity check on all your executables. But it comes down to what constitutes 'proof', what amounts to sufficient evidence. That it exists as a phenomenon but is absent from the logs might be enough for some of the more paranoid of us.

There is also the matter that binaries here have UNIX semantics not Windows semantics. If a program opens a library file on start up then so long as it holds the file handle open it has the file as it was when the program started. We often see this after running 'zypper up' if we run 'zypper ps'. We can see that running programs are using library files that have been deleted and upgraded to a later version in the zypper process. The program runs, uninterrupted, with the old library. Some processes, IIRC Postfix is one, can be sent a signal telling them to restart. For some, that is just re-read the config files, for others, it is a complete reinitialization. Worst case there is the 'systemctl restart', or one of the combination reload and or restart options. Think of it as a 'Bounce': down then back up again immediately.
> But maybe you can search for it. :-?
A bit of detective work ...
On 2017-07-21 19:36, Werner Flamme wrote:
> Hi,
> this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.
> 19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270
Hi,

I would try (given that there is no evil going on that corrupted your iptables) with iptables and tracking the log and then trigger a script to run lsof when this happens. Something like this if the port is 465:

    # log every new outbound TCP connection to port 465
    iptables -I OUTPUT 1 -m state --state NEW -p tcp --dport 465 -j LOG --log-prefix "New-OUTPUT-465-Connection: "

    # follow the journal and run the script whenever such a line appears
    # (the awk pattern has to match the --log-prefix given above)
    journalctl -f | awk '/New-OUTPUT-465-Connection/ {system("/usr/local/bin/script.sh")}'

Create script.sh and edit it to your liking. Beware that there can be race conditions between the logs and running the script.

regards,
--
/bengan
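Added example, my code rather than Bengt's or Anton's, for what the triggered script should do once the LOG rule fires, and for Anton's "account for every connection" listing from earlier in the thread. Two assumptions beyond the thread: the LOG target's --log-uid option, which puts UID=/GID= of the sending process into the kernel line, and a socket snapshot taken with ss -Htanp at the moment of the hit. The loopback port 11125 is the stunnel listener Werner mentions later; 465 is the relay port from the postmaster's log. The kernel line, the ss rows and the baseline are constructed, and only the parsing runs offline.

```ruby
# Added example (my code, not Bengt's or Anton's). Attributes a connection
# caught by an iptables LOG rule to uid/pid/program, and lists established
# connections that are not on an expected baseline. Assumptions beyond the
# thread: the LOG target's --log-uid option, and a `ss -Htanp` snapshot taken
# at the moment of the hit. Port 11125 is the stunnel loopback listener
# Werner mentions; 465 is the relay port from the postmaster's log.
require 'open3'

# Rules to install as root (shown, not executed). --log-uid adds UID=/GID=
# of the sending process to the kernel line.
IPTABLES_RULES = <<~SH
  iptables -I OUTPUT 1 -m conntrack --ctstate NEW -p tcp -o lo --dport 11125 \\
      -j LOG --log-uid --log-prefix "MAILER-11125: "
  iptables -I OUTPUT 1 -m conntrack --ctstate NEW -p tcp --dport 465 \\
      -j LOG --log-uid --log-prefix "MAILER-465: "
SH

# Constructed kernel line (journal format) and socket snapshot; not real data.
SAMPLE_LOG = 'Jul 24 13:13:01 host kernel: MAILER-11125: IN= OUT=lo ' \
             'SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF ' \
             'PROTO=TCP SPT=48270 DPT=11125 WINDOW=43690 RES=0x00 SYN URGP=0 UID=1001 GID=1001'
SAMPLE_SS = <<~SS
  ESTAB  0 0   127.0.0.1:48270 127.0.0.1:11125 users:(("ruby",pid=4242,fd=7))
  ESTAB  0 0   10.0.0.5:51000  10.0.0.9:465    users:(("stunnel",pid=1200,fd=9))
  LISTEN 0 128 0.0.0.0:25      0.0.0.0:*       users:(("master",pid=8185,fd=13))
SS
# Expected [program, peer port] pairs on this host (Anton's "artificial ignorance").
BASELINE = [['stunnel', 465], ['master', 25]].freeze

# KEY=VALUE pairs of a kernel LOG line carrying our prefix; {} otherwise.
def parse_log_line(line)
  return {} unless line.include?('MAILER-')
  line.scan(/\b([A-Z]+)=(\S*)/).to_h
end

SockRow = Struct.new(:state, :local, :peer, :pid, :prog)

# `ss -Htanp` rows -> SockRow; pid/prog are nil when ss could not see the owner
# (not root, or the socket was gone by the time of the snapshot).
def parse_ss(output)
  output.each_line.filter_map do |l|
    f = l.split
    next if f.size < 5
    m = l.match(/\("([^"]+)",pid=(\d+)/)
    SockRow.new(f[0], f[3], f[4], m && m[2].to_i, m && m[1])
  end
end

def port_of(addr)
  addr.rpartition(':').last.to_i
end

# Who owned the source port named in the log line, according to the snapshot.
def attribute(log_line, ss_output)
  kv = parse_log_line(log_line)
  return nil if kv.empty?
  sport = kv['SPT'].to_i
  row = parse_ss(ss_output).find { |r| port_of(r.local) == sport }
  { uid: kv['UID']&.to_i, sport: sport, dport: kv['DPT'].to_i,
    pid: row&.pid, prog: row&.prog }
end

# Established connections not explained by the baseline.
def unexpected(ss_output, baseline)
  parse_ss(ss_output).select { |r| r.state == 'ESTAB' }
                     .reject { |r| baseline.include?([r.prog, port_of(r.peer)]) }
end

# Live loop (needs root; not run here): follow the kernel log and snapshot
# sockets on every hit. The socket may already be gone (Bengt's race); the
# UID= field in the line survives that.
def watch
  Open3.popen2('journalctl', '-k', '-f', '-n', '0') do |_stdin, stdout, _thr|
    stdout.each_line do |line|
      next unless line.include?('MAILER-')
      snapshot, _status = Open3.capture2('ss', '-Htanp')
      puts attribute(line, snapshot).inspect
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p attribute(SAMPLE_LOG, SAMPLE_SS)
  unexpected(SAMPLE_SS, BASELINE).each { |r| puts "unexplained: #{r.to_a.join(' ')}" }
end
```

Two things a practitioner would add to Bengt's recipe. On this host the 465 rule will always attribute to stunnel, which is exactly why the loopback rule on 11125 is the useful one. And the UID= field in the kernel line is the one datum that survives the race Bengt warns about: even when ss no longer finds the socket, you know which account's crontabs, systemd timers and shell history to read next.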
participants (8)
- Andrei Borzenkov
- Anton Aylward
- Bengt Gördén
- Carlos E. R.
- Dave Howorth
- Lew Wolfgang
- Werner Flamme
- Yamaban