status: rooted

June 14th, 2005

First of all, I've noticed some unforeseen activity on some back entries. Surprised as I may be, fun to see other people actually reading this.

Disclaimer: I'm afraid this is going to get very technical very fast, there's no way around it.

So I've been running a home server for a couple of years now, running www, mail and file services. I've also experimented with others from time to time. I never really paid much attention to security because hell, why bother if you're not forced to, eh? A potentially costly dismissal.

Today I turn on my computer, kontact starts automatically in my kde session and I see I'm getting 4000 identical spam messages from the imap server in the closet downstairs. Feels funny because with spamassassin I've been able to battle spam quite efficiently and I only get a couple of messages weekly that I have to filter by hand. Well, something's not right so I start checking my spam filters. It seems they aren't filtering these messages properly. I also took a closer look at the mail headers only to stumble upon the fact that there is only one mail hop in the trail. That means the messages seem to be sent from my mail server, oddly enough. The reason I'm also getting it is because I've set up postfix to bcc myself all outgoing mail, so that I can keep track of messages I send.

Sure enough, a couple of hours later I get an email from my ISP threatening to shut down my connection unless I can stop the flood of spam emanating from my computer. First things first, shut down postfix to stop all outgoing mail. Then I start looking at the server more closely. No strange processes spotted, nothing suspicious in lsof.. Then I see some changes in /tmp and /var/tmp. A couple of tar archives, some files unzipped, seemingly a binary compiled here and there. And under conspicuous names, like bash. :wth: Ran chkrootkit but it didn't report any changed binaries. This is odd, I can't figure out how those email messages are being sent. The files I spotted are all irc bots it seems, which would be a classic purpose of cracking a box.

But knowing I have no choice, I tar'ed up the whole filesystem and started reinstalling. I wonder if I can find out more about the damage on closer inspection.

:: random entries in this category ::

2 Responses to "status: rooted"

  1. Erik says:

    Can I skip this time? Excellent... :D

  2. numerodix says:

    granted :D