Hallo,
ich habe seid Heute eine Menge "Delivery Status Notification (Failure)" Mails in meinem Catchall Postfach, die in etwa so aussehen:
ZitatAlles anzeigenThis is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
Reporting-MTA: dns;col0-mc2-f8.Col0.hotmail.com
Received-From-MTA: dns;[147.175.81.141]
Arrival-Date: Tue, 28 Jul 2009 06:38:59 -0700
Final-Recipient: rfc822;breakbeats@hotmail.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550 Requested action not taken: mailbox unavailable (64168608:3309:-2147467259)
Betreff: For breakbeats
Von: avatisop2005@meinedomain.de
Datum: 28 Jul 2009 06:39:00 -0700
An: breakbeats@hotmail.com
Your private video here
Wenn ich das richtig sehe, wurde die ursprüngliche Mail (der SPAM) von einem Rechner mit der IP 147.175.81.141 gesendet. Der Server scheint in der Slovakei zu stehen.
Trotzdem hab ich zum einen geschaut, ob meine Logfiles weg oder leer sind, da ich zuerst dachte, dass hier wohl jemand ins System gekommen ist und SPAM verschickt und vermutlich zuerst die Logfiles gelöscht hat. Zum Glück schien da erstmal alles gut zu sein; Alle Logfiles der letzten Woche sind noch da und gefüllt.
Zu obiger Mail passt vermutlich folgender Logeintrag:
ZitatJul 28 15:39:30 vxxxxxxxxx postfix/virtual[14575]: 6FAED4C8B53: to=<admin@meinedomain.de>,orig_to=<avatisop2005@meinedomain.de>, relay=virtual, delay=0.54, delays=0.52/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Jul 28 15:39:30 vxxxxxxxxx postfix/qmgr[16890]: 6FAED4C8B53: removed
Für mich sieht das so aus, als wurde versucht über mein System ne Mail zu verschicken, sehe ich das richtig? Allerdings wurde das nicht erlaubt. Trotzdem hab ich so meine Zweifel ob mein System wirklich sauber ist.
Weitere Einträge, die permanent in der mail.log auftauchen, sehen z.B. wiefolgt aus:
ZitatJul 28 15:38:59 vxxxxxxxx postfix/smtpd[5017]: connect from 195-198-79-131.customer.telia.com[195.198.79.131]
Jul 28 15:39:00 vxxxxxxxxx postfix/smtpd[27844]: warning: 78.34.55.65.multi.uribl.com: RBL lookup error: Host or domain name not found. Name service error for name=78.34.55.65.multi.uribl.com type=A: Host not found, try again
Außerdem hab ich einmal chkrootkit ausgeführt:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
[COLOR=Red]Checking `lkm'... SIGINVISIBLE Adore found
chkproc: Warning: Possible LKM Trojan installed[/COLOR]
Checking `rexedcs'... not found
[COLOR=Lime]Checking `sniffer'... /proc/1/fd/10: Permission denied[/COLOR]
eth0: PACKET SNIFFER((null)[(null)])
eth0:2227008611: PACKET SNIFFER((null)[(null)])
eth0: PACKET SNIFFER((null)[(null)])
eth0:2227008612: PACKET SNIFFER((null)[(null)])
eth0:2227008613: PACKET SNIFFER((null)[(null)])
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deletedDie roten Zeilen machen mir Sorgen 
Könne es tatsächlich sein, dass da so ein Trojaner sich befindet, bzw. wie kann ich dem auf die Spur kommen?
Das grün Markierte, kommt vermutlich durch den vserver oder?
Habt ihr noch Punkte, wo ich unbedingt schauen sollte, bzw. wie ich mich auch gegen diese Flut von "Delivery Status Notification (Failure)" Mails "schützen" kann?
mfg
