87.194.122.32 problem

[pedrodelafiesta]

Hi,

First time on here with little knowlege appart from what i've been learning in the last couple of weeks.

Our mail server is 87.194.122.32 and is registered on spam cop.

As far as I can tell, none of the known or likely problems exist on my network.

So i'm stumped. If anyone can help I would appreciate it greatly.

Thanks.

[Telarin]

Well, for starters, your IP address is listed at http://virbl.bit.nl/list.php for having sent Trojan infected emails out within the last few days. I would start out with a complete sweep of your network with a top tier anti-virus program. I would also suggest configuring your firewall to block all outgoing traffic to port 25 from any computer on your network except your mail server.

[DavidT]

Our mail server is 87.194.122.32 and is registered on spam cop. As far as I can tell, none of the known or likely problems exist on my network.

Perhaps a compromised Micro$loth Exchange server? It's apparently sending spew to the secret SpamCop spamtrap addresses...that's the reason given for it being currently listed. Looks like a chronic problem, in that the "listing history" on the SCBL states:

In the past 20.1 days, it has been listed 7 times for a total of 8.3 days

I also took a look at the Multi-RBL check:

http://www.robtex.com/rbl/87.194.122.32.html

and in addition to SpamCop it's currently listed in the cbl.abuseat.org and in several of the SpamHaus lists (actually due to the CBL listing):

http://cbl.abuseat.org/lookup.cgi?ip=87.19...;.submit=Lookup

There was only one SpamCop user report in the database:

Submitted: Friday, October 05, 2007 8:34:52 AM -0700:

Something hot

* 2541050181 ( 87.194.122.32 ) To: abuse[at]beunlimited.co.uk

So you should be in close contact with whomever receives the messages at abuse[at]beunlimited.co.uk, both now and in the future, to monitor any further reports. As for patching up your (most likely) compromised server, there's lots of info here in the FAQ resources. Happy reading. ;-)

DT

[GraemeL]

Hi,

First time on here with little knowlege appart from what i've been learning in the last couple of weeks.

Our mail server is 87.194.122.32 and is registered on spam cop.

As far as I can tell, none of the known or likely problems exist on my network.

Firstly, but not the cause of your listing is that your IP address reverses to 87-194-122-32.bethere.co.uk. This is a generic pointer record and likely to result in increased scores from any anti-spam software that scans mail sent from your machine.

Secondly, you are also listed in the cbl.abuseat.org blocklist. This indicates that either the machine itself, or a machine behind it on your network is probably trojaned and being used to send spam. Install up to date anti-virus software on all of the machines on your network.

Thirdly, you have SMTP AUTH enabled and an administrator account with a weak password. This enables anybody on the internet that can guess that password to use your machine as an open relay. Let me know if you want me to PM you the user and password concerned.

Fourthly, you have MS Terminal Services installed on the machine. As the machine has an easily guessable administrator password, you have no way of knowing if somebody has connected to the machine and installed a root kit. Remove the machine from the internet immediately, format all of its hard drives and rebuild it from scratch.

Fifthly, you should probably hire somebody with security experience to do a full audit of your network as it doesn't appear that your current administrators are competent to manage machines connected to the internet.

Edit to clarify point four.

[DavidT]

Wow...I think we were all helping "Pedro" almost simultaneously....and all with information that he can use to solve his problem. Yes, unplugging that machine from the Internet *immediately* would be a good start. I just found another hit when googling the IP...it was seen spewing out the "Trojan.Downloader-14101" back on the 28th of September. I just removed that from one of the machines on my network (it wasn't sending it out, but had received it from a machine like Pedro's recently).

DT

[Farelf]

I note another server in the same network - with IP address 87.194.122.69 - has been listed on SCbl and remains on several other blocklists (dnsbl.sorbs.net and consequently cbl.abuseat.org). And yes David, thanks to you and all others for stepping up so promptly on this. Special mention of GraemeL who has definitely gone the extra mile or two.

[GraemeL]

Special mention of GraemeL who has definitely gone the extra mile or two.

Thanks, but it was all pretty simple really. Three terminal windows and four commands.

• dig -x 87.194.122.69
  
• rblcheck 87.194.122.69
  
• salt 87.194.122.69
  
• nmap -O -P0 -sS -v -v 87.194.122.69
  

Sit back and wait for the results. The machine was pretty slow, so the password scan took quite a while to finish.

Not very subtle, but there's no reason to be when you're trying to help somebody else out. Any IDS on the network would be lighting up like mad. Though from the way things looked, I think it unlikely that they have one. Anybody with enough knowledge to be running an IDS wouldn't be making as many mistakes in basic security.

[pedrodelafiesta]

Thanks for your prompt responses. They are much appreciated. I am acting upon all f your recommendations.

pedro

[Merlyn]

mail.nukleuz.com points to 87.194.122.32 but 87.194.122.32 point to 87-194-122-32.bethere.co.uk

That is not a good but thing you can fix that

Also your server is infected and under spammer control.

You are alsso listed in

CBL The CBL - Composite Blocking List: cbl.abuseat.org -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=87.194.122.32

--------------------------------------------------------------------------------

SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2

Blocked - see http://www.spamcop.net/bl.shtml?87.194.122.32

--------------------------------------------------------------------------------

UBL LashBack’s Unsubscribe Blacklist: ubl.unsubscore.com -> 127.0.0.2

Sender has sent to LashBack Unsubscribe Probe accounts

--------------------------------------------------------------------------------

APEWS Anonymous Postmasters Early Warning System: l2.apews.dnsbl.uceprotect.net -> 127.0.0.2

UCEPROTECT and SORBS have dropped the APEWS Mirrors. See http://www.uceprotect.net/en/apews.html

--------------------------------------------------------------------------------

TQM3 TQMcube real time blacklists: dnsbl.tqmcube.com -> 127.0.0.2

87.194.122.32 Dynamic IP or generic rDNS. Please create a unique pointer or use your ISP's mail service. Removal Requests: http://tqmcube.com/dnsbl/dnsbl_remove.php

--------------------------------------------------------------------------------

DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=87.194.122.32

--------------------------------------------------------------------------------

[pedrodelafiesta]

Hi. Ive had my tech people deal with this. Can you advise if im ok to ask for removal from spam cop or if the problems still exist.

Thanks in advance

pedro

[DavidT]

Ive had my tech people deal with this. Can you advise if im ok to ask for removal from spam cop or if the problems still exist.

I don't think your tech people have done a very good job....it's still listed on the SpamCop BL because spam is still actively being transmitted/relayed by 87.194.122.32. The other BLs still have the IP listed also...take another look here:

http://www.robtex.com/rbl/87.194.122.32.html

and here:

http://cbl.abuseat.org/lookup.cgi?ip=87.19...;.submit=Lookup

So, no, I don't think you're "ok" yet. I just looked at some of the other IPs in the "neghborhood" controlled by "bethere.co.uk" on Senderbase.org and I think you're in a bad neighborhood...I'd suggest moving to a different host.

DT

[GraemeL]

Hi. Ive had my tech people deal with this. Can you advise if im ok to ask for removal from spam cop or if the problems still exist.

Had a quick look at everything that I listed previously. The only thing that seems to have been done is that remote access has been removed from the machine. The box still has AUTH LOGIN enabled and still has an administrator equivalent account with a comically easy password. This would suggest that the box has not been formatted and rebuilt from scratch. You have no way of knowing if the box has been rooted with multiple back doors installed on it.

The box continues to hit Spamcop spamtraps (they're only known to Spamcop staff, I have no idea what they are) as well as being reported by Spamcop users.

At this point, all I can do is reiterate my point five above in a more forceful manner: I believe that your current "tech people" are not competent to maintain corporate servers on the internet. I strongly suggest that you replace them with people who have an understanding of running servers in a secure manner.

[agsteele]

Firstly, but not the cause of your listing is that your IP address reverses to 87-194-122-32.bethere.co.uk. This is a generic pointer record and likely to result in increased scores from any anti-spam software that scans mail sent from your machine.

So to clarify... It sounds like a dynamic IP on a dsl line. All the more reason for rbl listings to continue I fear.

Andrew

[pedrodelafiesta]

So to clarify... It sounds like a dynamic IP on a dsl line. All the more reason for rbl listings to continue I fear.

Andrew

More info.

I have an internet service provider called BeThere. This would explain the BeThere bit but unfortunately I dont understand. They supplied me with one static ip address, the one thats compromised. They also supplied the router. I would think from the eveidence that quite a few ip addresses supplied by BeThere are compromised but they could be anywhere in the uk and not related at all appart from by the internet service provider.

Behind the router I have a windows 2003 server.

We found 2 trojans on one PC on the small network of PCs I have on the network. They were cleaned. Everything else appeared completely clean.

We dont have a hardware firewall but it is ordered.

Again, I have to thank you all for your assistance and in the meantime I'm searching for the best advisers to rectify the situation.

[DavidT]

Pedro,

There haven't been any further reports to SpamCop in the last 24 hours, and your IP has fallen off the CBL, but it's still listed on some others, such as SORBS (you can go to SORBS and request to be de-listed). It seems that the removal of the trojans (which other sites were complaining about from your IP back in September) has helped your situation.

However, I don't see that you've responded to this serious issue, raised by Graeme:

The box still has AUTH LOGIN enabled and still has an administrator equivalent account with a comically easy password. This would suggest that the box has not been formatted and rebuilt from scratch. You have no way of knowing if the box has been rooted with multiple back doors installed on it.

You need to disable the AUTH LOGIN and/or fix the password problem, and Graeme also points out that you should really should format the server and rebuild it from scratch, due to other possible "nasties" that might have snuck onto it when it was vulnerable....right, Graeme?

DT

[GraemeL]

You need to disable the AUTH LOGIN and/or fix the password problem, and Graeme also points out that you should really should format the server and rebuild it from scratch, due to other possible "nasties" that might have snuck onto it when it was vulnerable....right, Graeme?

Correct. I've exchanged a couple of PMs with him in the last 24 hours going into more detail, which is why I didn't reply to the thread here again.

[pedrodelafiesta]

Pedro,

There haven't been any further reports to SpamCop in the last 24 hours, and your IP has fallen off the CBL, but it's still listed on some others, such as SORBS (you can go to SORBS and request to be de-listed). It seems that the removal of the trojans (which other sites were complaining about from your IP back in September) has helped your situation.

However, I don't see that you've responded to this serious issue, raised by Graeme:

You need to disable the AUTH LOGIN and/or fix the password problem, and Graeme also points out that you should really should format the server and rebuild it from scratch, due to other possible "nasties" that might have snuck onto it when it was vulnerable....right, Graeme?

DT

I delisted from CBL yesterday but its been relisted today.

I do not believe my windows server is compromised but we are looking at every bit of it to be sure.

The login you are talking about may have been a NAS on the network. Out of interest, if accessed can a NAS be used to send spam?

[GraemeL]

I delisted from CBL yesterday but its been relisted today.

I do not believe my windows server is compromised but we are looking at every bit of it to be sure.

The login you are talking about may have been a NAS on the network. Out of interest, if accessed can a NAS be used to send spam?

Every bit of it needs to include alternate data streams on every file on the box. You should also do a full scan with Rootkit Revealer. Even if those checks were run, my level of confidence in the integrity of the box would still be low. Once there is a chance that the box has been compromised, you can never be sure that it can be trusted.

I replied to your other point in a PM as it included sensitive information.

[Merlyn]

I delisted from CBL yesterday but its been relisted today.

I do not believe my windows server is compromised but we are looking at every bit of it to be sure.

The login you are talking about may have been a NAS on the network. Out of interest, if accessed can a NAS be used to send spam?

Your server is compromised and exploitable. You are in many blocklists. You should disconnect this machine until you can scrub and reload it.

[Telarin]

On the off chance that the source of the spam is not the server, but one of the other boxes on the network, I strongly suggest configuring your firewall to ONLY allow outbound SMTP traffic from the mail server. The resulting reject logs would also help you pinpoint the culprit that is trying to send direct to MX.

[GraemeL]

On the off chance that the source of the spam is not the server, but one of the other boxes on the network, I strongly suggest configuring your firewall to ONLY allow outbound SMTP traffic from the mail server. The resulting reject logs would also help you pinpoint the culprit that is trying to send direct to MX.

He doesn't have a firewall...

He now knows that that was a bad decision and (I think) has people working to rectify it.

[Merlyn]

It was still detected sending spam approximately 1 days, 4 hours, 30 minutes ago from the time of this post

SMTP - 25 220 mail.nukleuz.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Tue, 30 Oct 2007 20:57:42 +0000

HTTP - 80 HTTP/1.1 200 OK

Content-Length: 6264

Content-Type: text/html

Content-Location: http://87-194-122-32.bethere.co.uk/Default.htm

Last-Modified: Wed, 23 Feb 2005 19:33:57 GMT

Accept-Ranges: bytes

ETag: "8080c09dde19c51:49b"

Server: Microsoft-IIS/6.0

MicrosoftOfficeWebServer: 5.0_Pub

X-Powered-By: ASP.NET

Date: Tue, 30 Oct 2007 20:57:42 GMT

Connection: close

[pedrodelafiesta]

It was still detected sending spam approximately 1 days, 4 hours, 30 minutes ago from the time of this post

SMTP - 25 220 mail.nukleuz.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Tue, 30 Oct 2007 20:57:42 +0000

HTTP - 80 HTTP/1.1 200 OK

Content-Length: 6264

Content-Type: text/html

Content-Location: http://87-194-122-32.bethere.co.uk/Default.htm

Last-Modified: Wed, 23 Feb 2005 19:33:57 GMT

Accept-Ranges: bytes

ETag: "8080c09dde19c51:49b"

Server: Microsoft-IIS/6.0

MicrosoftOfficeWebServer: 5.0_Pub

X-Powered-By: ASP.NET

Date: Tue, 30 Oct 2007 20:57:42 GMT

Connection: close

Firewall installed. I would appreciate any evidence of further problems. I am now hoping we are getting on top of this but if there is some kind of very deep rooted cause of the spam on the server then its possible that its not been resolved. But we will now be sure it is the server if there is still spam coming from my ip.

[turetzsr]

...Reports from SpamCop users would go to:

SpamCop v 640 Copyright © 1998-2006, IronPort Systems, Inc. All rights reserved.

Parsing input: 87.194.122.32

Reporting addresses:

abuse[at]beunlimited.co.uk

...You could also check SenderBase statistics.

[GraemeL]

This has been a tough learning experience for Pedro, but I think he's about to come to the end of it now.

He now has:

Updated anti-virus software on his machines.

A firewall installed.

Removed all obviously weak user/password combinations.

The Senderbase statistics for today show a 0.0 magnitude for his IP address.

I have made a few more recommendations to him in PMs, but everything that I would consider critical has now been taken care of.

Although it took longer than would have been optimal, I think we're close to closing this one off now. Thanks to Pedro for working through getting his systems cleaned up.