Jump to content
When you buy through links on our site, we may earn an affiliate commission.
  • Current Donation Goals

Hacking?


freddy333

Recommended Posts

For the past several days, I have been seeing a significant rise in activity on our FreeBSD mail server. So, today, I began running netstat -an | more to see who is doing what. I found 2 IPs (64.12.88.131 & 64.12.88.163 - both AOL IPs... though I suspect it is the same person) logging in every few minutes. When I see them on, I disconnect them with tcpdrop. I have also added 64.12.88 to the .htaccess in the root... but they continue to reappear.

 

Just a few minutes ago, I noticed that when I tcpdrop'd them, the following message would appear (I'm logged in as root at the console & the root account is disabled on the network side) & it looks like this person was attempting to either send or generate email through our server (even though I am the only user logged on).

 

Can anyone recommend a more permanent way to block these IPs or how to prohibit them from generating AOL email through our server?

64.12.88.163.jpg

Link to comment
Share on other sites

This has nothing to do with RWG... This is a mail server unrelated to RWG.

If you know what a DOS attack is, then you can see that this is not that. Based on the screenshot, I think they are using our server to send email to or through AOL. But, more than that, I do not know. Finding out what that error in the screenshot means is why I posted here. Anyone with Unix admin experience see this error before & know how to permanently block these 2 IPs (the .htaccess in / is not affecting them).

Link to comment
Share on other sites

I do not know if this will be relevant for your experience, but the server's firewall is /etc/ipf.rules.

The guy who setup the server configured the ipf.rules to block all logins except my local IP. So whenever I change my IP (roughly monthy), I have to edit ipf.rules to reflect this, so I can login for maintenance. Up until a few days ago, for the 20 years the server has been online, I have never seen anyone able to do what these guys are doing.

 

Anyway, is there anything similar to your iptables command that will work for ipf.rules?

5 minutes ago, docthor said:

Just was searching for it...
Maybe this helps...
http://www.webhostingtalk.com/showthread.php?t=530618
 

I think you are on to something.... I did find a pf.conf, but the commands listed on that web page are a bit too advanced for me since it has been so long since I dabbled.

Question -

In post 14 on that page, I am confused when the author says ' Paste this into a new copy of your '/etc/pf.conf''.

Do you think he means to replace the original pf.conf or just copy/paste his code into the existing pf.conf?

Link to comment
Share on other sites

I followed the instructions in post 14 from that 'how to block ip in freebsd' (creating a new pf.conf) & got it running, but it has no affect on these IPs. They continue processing some type of mail program.

Any other suggestions? Or, do you know any BSD admins who would be willing to take a look? At this point, whatever it is that these miscreants are running on our server, it is slowing the server to a crawl.

Link to comment
Share on other sites

Well...knowing nothing about ipf I'd start with the basics...

Is ipf runing?

"service ipfilter status"

If it's not running

"service ipfilter start"

Check the ruleset

"ipfstat -ion"

There's a good explanation of ipf and how it works on FreeBSD.org

https://www.freebsd.org/doc/handbook/firewalls-ipf.html

Hope that helps :)



Gesendet von meinem SM-A310F mit Tapatalk

Link to comment
Share on other sites

Unfortunately, service does not appear to be installed on our server either.

I may be grabbing at straws, but I wonder if the bolded line from post 14 in your original web link refers to a port number?

 

# External
ext_if = "em1"
set loginterface $ext_if
set block-policy drop

 

The reason I ask is because pf.conf seems to be running, but it has no affect on these IPs. & I am not sure what "em1" is? If it is a port, how do I know it is the correct port for our server?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...
Please Sign In or Sign Up