From owner-freebsd-questions@FreeBSD.ORG Mon Aug 15 18:04:28 2011
Date: Mon, 15 Aug 2011 14:04:27 -0400
From: alexus
To: Chuck Swiger
Cc: freebsd-questions@freebsd.org
Subject: Re: looking for a spammer/virii/malware .... on my system

I'm personally leaning towards these headers being modified and that there is no spam leaving my box (I may be wrong of course). Here is what I did to come up with that thought....
I sent myself an email:

-bash-3.2# echo $$ | mail alexus@gmail.com
-bash-3.2#

Through Google's headers I see the following:

Delivered-To: alexus@gmail.com
Received: by 10.68.60.97 with SMTP id g1cs121928pbr; Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: from mr.google.com ([10.52.21.70]) by 10.52.21.70 with SMTP id t6mr5504300vde.56.1313430746298 (num_hops = 1); Mon, 15 Aug 2011 10:52:26 -0700 (PDT)
Received: by 10.52.21.70 with SMTP id t6mr3999448vde.56.1313430745493; Mon, 15 Aug 2011 10:52:25 -0700 (PDT)
Return-Path:
Received: from alexus.biz ([64.237.55.83]) by mx.google.com with ESMTPS id co6si13861841vdc.76.2011.08.15.10.52.23 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 15 Aug 2011 10:52:24 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning root@alexus.org does not designate 64.237.55.83 as permitted sender) client-ip=64.237.55.83;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning root@alexus.org does not designate 64.237.55.83 as permitted sender) smtp.mail=root@alexus.org
Received: from alexus.org (lama [64.237.55.83]) by alexus.biz (8.14.4/8.14.3) with ESMTP id p7FHqNvO049613 for ; Mon, 15 Aug 2011 13:52:23 -0400 (EDT) (envelope-from root@alexus.org)
Received: (from root@localhost) by alexus.org (8.14.4/8.14.3/Submit) id p7FHqIl1049612 for alexus@gmail.com; Mon, 15 Aug 2011 13:52:18 -0400 (EDT) (envelope-from root)
Date: Mon, 15 Aug 2011 13:52:18 -0400 (EDT)
From: Charlie Root
Message-Id: <201108151752.p7FHqIl1049612@alexus.org>
To: alexus@gmail.com

49609

I see that whenever mail leaves my box (assuming it left my box in a standard way) sendmail is involved in the process, and I see the remote server tried to resolve my IP, while the "original" email that was provided to me by my ISP doesn't have any of that...
So that makes me think that nothing ever happened on my box and that my IP in that original email was just manually added there (without any emails ever leaving my box). But then again, here is scenario #2: a user connects to a remote server not using standard ways but making a connection to remote webmail.west.cox.net directly (bypassing my sendmail); in that case my firewall rule should prevent this user from doing so ever again. Then again, doing so is not really resolving it (I still don't know where it originates from, and that's what I want/need to find out). I'm running apache httpd, so as far as I see it could be pretty much any site that I host generating that kind of issue, so I'm back to square 1: how do I find it? If it's in php it could be the famous base64_decode();/base64_encode(); and then good luck locating one of those... any other ideas?

On Mon, Aug 15, 2011 at 1:39 PM, Chuck Swiger wrote:
> On Aug 15, 2011, at 10:05 AM, alexus wrote:
>> what else can I do to find it on my system who's trying to connect to
>> remote webmail.west.cox.net ?
>
> Monitor your network for SMTP traffic:
>
>   tcpdump -nA -s 0 port 25
>
> If malware is sending out spam, you'll see it and can then use lsof or whatever to identify the specific user/process.
>
> Regards,
> --
> -Chuck
>

-- 
http://alexus.org/
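The check alexus is doing by eye above (does the Received: chain show the local sendmail submission and relay hops, is each hop's "from" the previous hop's "by", and did the receiving MX flag SPF?) as an added example, not code from the thread. The first sample is the Received: chain of the test message quoted above with folding removed; the second is a constructed chain for a message that reached a remote MX directly, bypassing the local sendmail, and `mx.example.net` is a placeholder.

```python
import re

# Constructed sample: the Received: chain of the test message quoted in the
# thread above, one header per line, newest hop first as it appears in the mail.
LEGIT = """\
Received: from alexus.biz ([64.237.55.83]) by mx.google.com with ESMTPS id co6si13861841vdc.76
Received-SPF: softfail (google.com: domain of transitioning root@alexus.org does not designate 64.237.55.83 as permitted sender) client-ip=64.237.55.83;
Received: from alexus.org (lama [64.237.55.83]) by alexus.biz (8.14.4/8.14.3) with ESMTP id p7FHqNvO049613
Received: (from root@localhost) by alexus.org (8.14.4/8.14.3/Submit) id p7FHqIl1049612
"""
# Constructed sample of a message that went from the box straight to a remote
# MX (scenario #2 above): no local submission or relay hop at all.
DIRECT = """\
Received: from alexus.org ([64.237.55.83]) by mx.example.net (Postfix) with ESMTP id ABC123
"""

# Optional "from HOST (helo [IP])" clause, then the mandatory "by HOST".
HOP_RE = re.compile(
    r"^Received:\s*(?:\(?from\s+(?P<frm>[^\s)]+)(?:[^)\[]*\[(?P<ip>[^\]]+)\])?[^)]*\)?\s*)?"
    r"by\s+(?P<by>\S+)", re.M)
SPF_RE = re.compile(r"^Received-SPF:\s*(\w+)", re.M)

def parse_hops(headers):
    """Return the Received: hops oldest-first, i.e. in the order the mail travelled."""
    hops = [m.groupdict() for m in HOP_RE.finditer(headers)]
    return list(reversed(hops))

def check_chain(headers, local_hosts):
    """Report where the message entered the mail system, whether the chain is
    continuous, and whether our own MTAs (local_hosts) ever handled it."""
    hops = parse_hops(headers)
    if not hops:
        return ["no Received: headers at all"]
    o = hops[0]
    findings = [f"origin: from {o['frm'] or '?'} by {o['by']}"]
    for prev, nxt in zip(hops, hops[1:]):
        # A genuine relay names the previous MTA (hostname or IP) as its "from".
        if prev["by"] not in (nxt["frm"], nxt["ip"]):
            findings.append(f"chain break: {prev['by']} -> {nxt['frm']}")
    if not any(h["by"] in local_hosts for h in hops):
        findings.append("no hop handled by a local MTA: submission bypassed it or headers are forged")
    for m in SPF_RE.finditer(headers):
        if m.group(1).lower() != "pass":
            findings.append(f"spf {m.group(1)}: receiver does not list this host as a permitted sender")
    return findings
```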