
Email spammer on my server

Joined
Sep 1, 2007
Messages
334 (0.05/day)
Location
UK
System Name Moose 5800X3D
Processor AMD Ryzen 7 5800X3D 3.4Ghz 4.5Ghz Boost 96MB L3 Cache
Motherboard Asus Prime X570-P
Cooling Custom Liquid Cooling covering CPU and GPU including liquid backplate for graphics memory cooling
Memory G.Skill Trident Z RGB 32GB (2 x 16GB) DDR4 DRAM 3600MHz CL18
Video Card(s) PNY GeForce RTX 3090 XLR8 Gaming 24GB
Storage WD Black SN770 2 TB PCIe 4.0 NVMe M.2 + Samsung 970 EVO 1TB PCIe NVMe M.2 + 2x WD Caviar Black 750GB
Display(s) AOC 34" CU34G2/BK Ultra Wide @ 3440x1440
Case Thermaltake Level 20 HT
Audio Device(s) Creative Sound Blaster Z SE
Power Supply Corsair TX850M 850W Semi Modular
Mouse Razer Viper Ultimate
Keyboard Rii K61c
Software Windows 11 Pro
My server (Ubuntu 12.04) has recently been unable to send emails as its IP has been blocked due to it being reported for email spam. I decided to investigate and was not pleased by what I discovered!

A Wireshark capture revealed an email being sent about once every 10 seconds. Further investigation seemed to show that sshd sessions were being initiated which were sending tons of emails; the sshd sessions also appeared to be connected to other IPs who were presumably logged in?

The sshd sessions are called "sshd: root", so they are logged in as root. The first thing I did was change the root password and remove all the keys.

Still sshd connections are being made and are sending emails! What can I do?
 

Athlon2K15

HyperVtX™
Joined
Sep 27, 2006
Messages
7,909 (1.23/day)
Location
O-H-I-O
Processor Intel Core i9 11900K
Motherboard MSI Z590 Carbon EK X
Cooling Custom Water
Memory Team DDR4 4000MHz
Video Card(s) ASUS TUF RTX 3080 OC
Storage WD WN850 1TB
Display(s) 43" LG NanoCell 4K 120Hz
Power Supply Asus Thor 1200w
Mouse Asus Strix Evolve
Keyboard Asus Strix Claymore
hit the power button? :)
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
27,037 (3.71/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
look in the logs, check what's happening, fix it :)
 

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
13,147 (2.94/day)
Location
Concord, NH, USA
System Name Apollo
Processor Intel Core i9 9880H
Motherboard Some proprietary Apple thing.
Memory 64GB DDR4-2667
Video Card(s) AMD Radeon Pro 5600M, 8GB HBM2
Storage 1TB Apple NVMe, 4TB External
Display(s) Laptop @ 3072x1920 + 2x LG 5k Ultrafine TB3 displays
Case MacBook Pro (16", 2019)
Audio Device(s) AirPods Pro, Sennheiser HD 380s w/ FIIO Alpen 2, or Logitech 2.1 Speakers
Power Supply 96w Power Adapter
Mouse Logitech MX Master 3
Keyboard Logitech G915, GL Clicky
Software MacOS 12.1
look in the logs, check what's happening, fix it :)
+1: But I would still kill sshd until he figures it out.

Still sshd connections are being made and are sending emails! What can I do?

A: disable sshd if you can work locally.
(sudo /etc/init.d/ssh stop)

B: Disable password authentication (biggest vulnerability in a *nix system IMHO.)
@ /etc/ssh/sshd_config
You want:
Code:
# No password logins at all: only keys get in.
PasswordAuthentication no
# RSAAuthentication only affects SSH protocol 1; harmless, but PubkeyAuthentication is the one that matters for protocol 2.
RSAAuthentication yes
PubkeyAuthentication yes
# Stock default, left commented out as in the shipped config.
#AuthorizedKeysFile     %h/.ssh/authorized_keys
# No root logins; log in as a normal user and use sudo.
PermitRootLogin no

C: Enable shared key auth (and only shared key auth,) and generate a public/private RSA key pair.
(ssh-keygen -b 4096)

D: Allowing SSH into root is also dangerous. I would disable root login in the sshd config.

E: Copy your public key somewhere and enable sshd and you should be all set. That way the only way a hacker can get in through SSH is if they have your private key.

One of the more common reasons that mail fails (not initially, but over time) is when DNS is not properly set up. Maybe you're missing or have a bad MX or PTR record and the email server keeps retrying. That will make mail servers reject your email very quickly after a little while.
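Added example (editor's note, not code from any post in this thread): a small Python audit of the three sshd_config directives the post above recommends. It is worth having because two sshd parsing rules make a quick eyeball of the file unreliable: a commented-out line is not a setting, and when a directive appears twice sshd keeps the first value it reads, so a "PasswordAuthentication no" appended at the bottom of the file does nothing if a "yes" sits higher up. The built-in defaults assumed here (PasswordAuthentication yes, PubkeyAuthentication yes, PermitRootLogin yes) are those of the OpenSSH 5.x shipped with Ubuntu 12.04; both sample configs are constructed.

```python
"""Audit an sshd_config for the three directives recommended above.

Added example, not from the thread. It models two sshd parsing rules:
  * a commented-out line ("#PermitRootLogin no") is not a setting; the
    built-in default applies;
  * when a directive appears more than once, sshd keeps the FIRST value it
    reads (outside Match blocks), so a "PasswordAuthentication no" added at
    the bottom of the file does not override a "yes" higher up.
"""
import re

# Assumed defaults for the OpenSSH 5.x era (Ubuntu 12.04). Later releases
# changed PermitRootLogin to prohibit-password; on a live host confirm the
# resolved values with `sshd -T`.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
}

# The value each directive must have to pass (matches the post above).
WANTED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no"},
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^([A-Za-z]+)[\s=]+(\S+)")


def effective_settings(config_text):
    """Resolve the audited directives the way sshd would: comments stripped,
    first occurrence wins, and parsing stops at the first Match block because
    settings inside it are conditional."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings


def audit(config_text):
    """Sorted list of (directive, effective_value) pairs that fail the policy;
    an empty list means the config matches the recommendation."""
    eff = effective_settings(config_text)
    return sorted((k, v) for k, v in eff.items() if v not in WANTED[k])


# Constructed sample: a stock-looking config with the two traps above.
WEAK_CONFIG = """\
Port 22
Protocol 2
#PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
# Added "later" by a well-meaning admin; sshd ignores it (first value wins).
PasswordAuthentication no
"""

# Constructed sample: the hardened settings from the post above.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; on the weak sample it reports both password authentication and root login as still enabled, which is exactly the state a second look at the file with `grep` would have missed.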
 

W1zzard

I'm not even sure that SSH is the source of his problems
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,865 (2.99/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) ASUS ROG Strix XG27UQR (4K, 144Hz, G-SYNC compatible) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair AX1600i
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
I'd do a format and reinstall if it looks like the box has been rooted. Otherwise, fix the leak and monitor activity like a hawk.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
27,037 (3.71/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
I'd do a format and reinstall if it looks like the box has been rooted. Otherwise, fix the leak and monitor activity like a hawk.

+1, rooted = reinstall
 

Aquinus

I'm not even sure that SSH is the source of his problems

I know a couple of people who have been compromised because SSH was open and it allowed password authentication. Always use a key-pair whenever possible and, if you can, require it. I agree, though, there could be a problem elsewhere, but that doesn't mean you shouldn't fix a potential problem before it happens, if it wasn't SSH.

I'd do a format and reinstall if it looks like the box has been rooted. Otherwise, fix the leak and monitor activity like a hawk.
+1, rooted = reinstall

This. Fixing the problem is only a stop-gap measure. If they're in root they can make it very easy to get back in, short of you turning the machine off or taking it off the network. Take it off the network, back it up and nuke it. After you re-install, though, make sure not to go too lenient on the security settings for things like SSH. Don't need this happening again. Make sure to change the password that you use on this box as well, for all accounts that had sudo, and the password for root.

Occasionally a connection from China will try to make its way into my network. You may want to consider blocking IP ranges that you know should never contact your server.
 

W1zzard

Always use a key-pair when ever possible and if you can, require it

The fun starts when you lose your private key due to a fuckup, HDD crash or similar. Also, a trojan on your system could steal the private key (just like a keylogger can steal your typed password).

SSH password logins are perfectly safe and probably 90% of unix systems run with it. Weak passwords are not.

We moved SSH to another port on our servers to get rid of random (chinese) people trying to bruteforce it.
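Added example (editor's note, not code from any post in this thread), covering both Aquinus's suggestion to block address ranges that should never talk to the server and W1zzard's point about random hosts brute-forcing SSH: a Python pass over auth.log that counts failed SSH logins per source address, shows which accounts each one is trying (so you learn whether "root" is the target), and emits iptables DROP rules for the worst offenders. On Ubuntu the relevant log is /var/log/auth.log; the log lines below are constructed in the format that sshd writes there, and the threshold and the use of iptables are assumptions.

```python
"""Count SSH brute-force attempts per source IP from auth.log and emit
firewall rules for the worst offenders.

Added example, not from the thread. The log lines are constructed in the
format Ubuntu's sshd writes to /var/log/auth.log; the threshold and the
choice of iptables are assumptions.
"""
import re
from collections import Counter, defaultdict

# "Failed password for root from 203.0.113.7 port 51234 ssh2"
# "Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2"
_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def failed_logins(log_text):
    """Return (Counter of failures per IP, {ip: set of usernames tried})."""
    per_ip = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = _FAILED.search(line)
        if m:
            per_ip[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
    return per_ip, users


def offenders(log_text, threshold=5):
    """IPs with at least `threshold` failures, most active first."""
    per_ip, _ = failed_logins(log_text)
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


def iptables_rules(ips):
    """One DROP rule per offending address, inserted at the top of INPUT.
    To block a whole range, as suggested above, pass a CIDR such as
    203.0.113.0/24 instead of a single address. For doing this automatically
    and with expiry, fail2ban is the usual tool."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


# Constructed sample log: one noisy attacker, one light one, one real login.
AUTH_LOG = """\
Jan 12 03:14:07 srv sshd[4101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:09 srv sshd[4103]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:11 srv sshd[4105]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2
Jan 12 03:14:13 srv sshd[4107]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:15 srv sshd[4109]: Failed password for root from 203.0.113.7 port 51242 ssh2
Jan 12 03:14:17 srv sshd[4111]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 12 03:20:01 srv sshd[4130]: Failed password for root from 198.51.100.9 port 40001 ssh2
Jan 12 03:20:05 srv sshd[4132]: Failed password for root from 198.51.100.9 port 40003 ssh2
Jan 12 03:25:40 srv sshd[4150]: Accepted publickey for bob from 198.51.100.5 port 40200 ssh2
"""

if __name__ == "__main__":
    per_ip, users = failed_logins(AUTH_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} failures, accounts tried: {sorted(users[ip])}")
    for rule in iptables_rules(offenders(AUTH_LOG)):
        print(rule)
```

Moving sshd to another port, as the post above does, cuts the noise in this log but does not change the result for an attacker who scans the host; the count-and-block step is what actually limits guessing, and disabling password authentication makes the guesses pointless.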
 

Aquinus

We moved SSH to another port on our servers to get rid of random (chinese) people trying to bruteforce it.

+1: Always a good choice. My personal favorite is 60031. :p
 
Joined
Sep 1, 2007
Messages
334 (0.05/day)
Location
UK
The fun starts when you lose your private key due to fuckup, HDD crash or similar. Also trojan on your system could steal the private key (just like a keylogger can steal your typed password).

SSH password logins are perfectly safe and probably 90% of unix systems run with it. Weak passwords are not.

We moved SSH to another port on our servers to get rid of random (chinese) people trying to bruteforce it.

I'm trying to work out how anyone could get my ssh password and I don't think they could: it's 10 digits long, random letters and numbers, unknown to anyone but me. More likely is that someone stole the key off my PC with a trojan, but still not very likely.

Is there any way for me to get rid of this thing? What logs would tell me which processes are responsible? Because there must be something running as root that is letting them in now, after I have changed the password and key. BTW, the server is in a datacenter.
 

W1zzard

use the "last" command, "top", "ps", check /var/log/messages

documentation for these commands can be found by running "man last" or "man top" etc
 
Joined
Sep 1, 2007
Messages
334 (0.05/day)
Location
UK
Well, the good thing is the "last" command shows that my IP and :1 are the only ones to log in to the server as any user, including root, for the past month.

Using top and ps x and ps aux, nothing struck me as being an obvious problem except the 2-4 "sshd: root" processes running and the 2-4 "sshd: root@notty" processes running (but apparently neither are being logged into?!)
 

W1zzard

find out what process is sending those emails, find out how it got on your system
 
Joined
Sep 1, 2007
Messages
334 (0.05/day)
Location
UK
Well, the process is "sshd: root"; it's the one connecting to mail servers.

I have stopped it doing it by changing the sshd port, but that isn't a very good fix, as they shouldn't be able to do it on any port!
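Added example (editor's note, not code from any post in this thread) for the "find out what process is sending those emails" step. The security point the thread circles around: a process title such as "sshd: root@notty" in `ps` is only argv[0], which any program can set for itself, so a real identification has to come from the kernel's view, the socket owner in `ss -tnp` (or `netstat -tnp`) and the binary behind `/proc/<pid>/exe`. A genuine sshd accepts connections on its listening port and never opens outbound connections to port 25. The `ss` output and the PID-to-executable map below are constructed stand-ins for those two commands, so the script runs offline; the path under /tmp is invented sample data, not a known indicator.

```python
"""Trace outbound SMTP connections back to the process that owns them.

Added example, not from the thread. On a live host, feed it the output of
`ss -tnp` and, for each PID, the target of `readlink /proc/<pid>/exe`.
Both are constructed here so the script runs offline.
"""
import re

SMTP_PORTS = {25, 465, 587}
REAL_SSHD = "/usr/sbin/sshd"

# One `ss -tnp` row: state, recv-q, send-q, local addr:port, peer addr:port,
# then users:(("name",pid=N,fd=M)). Rows with no owning process are skipped.
_ROW = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+"
    r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)


def parse_ss(ss_text):
    """Yield one dict per parseable row; the header line does not match."""
    for line in ss_text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for k in ("pid", "lport", "rport"):
                row[k] = int(row[k])
            yield row


def find_smtp_senders(ss_text, exe_of):
    """Return [(pid, title, peer, exe, verdict)] for every socket whose peer
    port is an SMTP port. exe_of maps pid -> resolved /proc/<pid>/exe.
    'masquerading-sshd' means the title claims sshd but the binary is not the
    real one (or was deleted after launch, a common trick to hide the file).
    Anything else talking SMTP every few seconds is 'suspect'; if it is the
    real sshd binary, the binary itself was replaced: check it with debsums."""
    hits = []
    for row in parse_ss(ss_text):
        if row["rport"] not in SMTP_PORTS:
            continue
        exe = exe_of.get(row["pid"], "?")
        if row["name"] == "sshd" and (exe != REAL_SSHD or "(deleted)" in exe):
            verdict = "masquerading-sshd"
        else:
            verdict = "suspect"
        peer = f'{row["raddr"]}:{row["rport"]}'
        hits.append((row["pid"], row["name"], peer, exe, verdict))
    return hits


# Constructed `ss -tnp` output: one legitimate inbound SSH session, two fake
# "sshd" processes pushing mail, and one unrelated script using submission.
SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      203.0.113.10:22      198.51.100.7:51234   users:(("sshd",pid=1200,fd=3))
ESTAB      0      0      203.0.113.10:45812   192.0.2.25:25        users:(("sshd",pid=4242,fd=5))
SYN-SENT   0      1      203.0.113.10:45813   192.0.2.26:25        users:(("sshd",pid=4243,fd=5))
ESTAB      0      0      203.0.113.10:38002   192.0.2.80:587       users:(("python",pid=5100,fd=4))
"""

# Constructed stand-in for `readlink /proc/<pid>/exe` on each PID above.
EXE_OF = {
    1200: "/usr/sbin/sshd",
    4242: "/tmp/.x/sshd",
    4243: "/tmp/.x/sshd (deleted)",
    5100: "/usr/bin/python2.7",
}

if __name__ == "__main__":
    for pid, title, peer, exe, verdict in find_smtp_senders(SS_OUTPUT, EXE_OF):
        print(f"pid {pid} '{title}' -> {peer}  exe={exe}  [{verdict}]")
```

The legitimate sshd (pid 1200, inbound on port 22, real binary) never appears in the result; the two processes titled "sshd" that are talking to port 25 are flagged because their executable is not /usr/sbin/sshd. Once you have the PID, `ls -l /proc/<pid>/cwd` and `cat /proc/<pid>/cmdline` show where it was started from, which is the lead for "how did it get on the system" and is worth recording before the reinstall the thread ends up recommending.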
 

qubit

Does it look to you like the server has been rooted ie running malware? If so, format and reinstall, don't waste your time trying to clean it up.
 
Joined
Sep 1, 2007
Messages
334 (0.05/day)
Location
UK
I reinstalled on a new server; the new IP helped and it was cheaper, but it took hours of time.
 

qubit

Yeah, ya just gotta go clean with it sometimes. I know what you mean about spending hours on it, lol.
 