How to stop the nasty process EXE creating endless number of conn....
10/10/2018 15:30
Something nasty has probably been done with one of our email servers.

There is a process called <<exe>> popping up which creates an endless number of connections in a few seconds, causing our firewall to be full (Conntrack table full). Killing the process solves the problem temporarily but it does start again by itself, sometimes in one minute and sometimes after two days.

The machine is a Debian server with kernel 2.6. It is running the Apache web server with PHP, and the Postfix mail server together with SpamAssassin and amavis.

Searching old posts gives us some suggestions but nothing which solves the problem.

Any ideas? We do appreciate your help with this.

Best regards.

// Martin Rådbo
Teknologia

Source is Usenet: comp.os.linux.security

Answer score: 5
10/10/2018 15:30 - Hi.

If we had known exactly what to do then I wouldn't have asked you guys for advice...

We are not 100 % sure this is malware but it seems to be. That's why we ask you. Of course we have changed the root password and similar stuff but that did not help either.

I know I have seen this problem before but cannot remember where I read about it. Please help us if you have the information.

Thanks in advance, yours sincerely
// Martin Rådbo
Teknologia

Colin McKinnon <colin.thisisnotmysurname@ntlworld.deletemeunlessURaBot.com> wrote in message news:iVjsf.24293$Dg6.5192@newsfe3-gui.ntli.net...

: > Something nasty has probably been done with one of our email servers.
: >
: > There is a process called <<exe>> popping up which creates an endless
: > number of connections in a few seconds causing our firewall to be full
: > (Conntrack table full)
: >
: > Killing the process solves the problem temporarily but it does start again
: > by itself, sometimes in one minute and sometimes after two days.
:
: If you know that this is malware then you also know that your box has been
: compromised. You *should* know what to do with a compromised machine (hint:
: you don't wait for responses to an NNTP post).
:
: Since this is 'one' of your email servers you have the tools to identify
: whether 'exe' is malware - it certainly seems to be.
:
: C.


Answer score: 5
10/10/2018 15:30 - The *first* thing to do if you think a machine is compromised is to take it off the network. It could well be spreading infection or spewing out spam or being used to attack someone else.

Of course it won't if it has been compromised.

If you suspect a compromise, take the machine off the network. If you know it is compromised, reformat and install from clean sources.

As Colin implied, but did not explicitly state, if you have multiple mail servers you can compare the behaviour of the different mail servers.

Also, you should know what processes are meant to be running on your servers. If you don't, then you are in a very poor position to maintain them or detect any problems.


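As an added example (not from the thread), a small Python script that does what the last paragraph of that answer asks for: it compares the processes currently holding sockets against a baseline of what is expected on a host like the one described (Apache/PHP, Postfix, SpamAssassin, amavis) and flags anything outside the baseline or holding an unusual number of sockets, which is how a process like the `exe` in the question would stand out. The baseline names and the 200-socket threshold are assumptions for illustration, and the sample snapshot is constructed.

```python
import os

# Assumed baseline for a host like the one in the post; adjust it per server.
EXPECTED = {"apache2", "master", "smtpd", "qmgr", "pickup", "cleanup",
            "spamd", "amavisd", "sshd", "cron", "rsyslogd", "init"}

def socket_counts_from_proc(proc="/proc"):
    """Snapshot (pid, comm, open socket fds) per process; run as root so every
    fd directory is readable, unreadable or vanished processes are skipped."""
    if not os.path.isdir(proc):  # non-Linux host: nothing to inspect
        return []
    snapshot = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/comm") as f:
                comm = f.read().strip()
            n = 0
            for fd in os.listdir(f"{proc}/{entry}/fd"):
                try:  # fd links look like "socket:[12345]"
                    if os.readlink(f"{proc}/{entry}/fd/{fd}").startswith("socket:"):
                        n += 1
                except OSError:  # fd closed between listdir and readlink
                    pass
        except OSError:  # process exited or its fd dir is not readable
            continue
        snapshot.append((int(entry), comm, n))
    return snapshot

def triage(snapshot, expected=EXPECTED, max_sockets=200):
    """Flag processes outside the baseline or holding more than max_sockets."""
    findings = []
    for pid, comm, sockets in snapshot:
        reasons = []
        if comm not in expected:
            reasons.append("not in baseline")
        if sockets > max_sockets:
            reasons.append(f"{sockets} sockets > {max_sockets}")
        if reasons:
            findings.append((pid, comm, "; ".join(reasons)))
    return findings

# Constructed snapshot mirroring the symptom in the post: an unknown 'exe'
# holding thousands of sockets beside the expected postfix/apache daemons.
SAMPLE = [(1, "init", 0), (812, "master", 3), (901, "apache2", 41),
          (1337, "exe", 4096), (2201, "spamd", 2)]
if __name__ == "__main__":  # live /proc if available, else the constructed sample
    print(triage(socket_counts_from_proc() or SAMPLE))
```

Run it periodically from cron and alert on any non-empty result; a process that is both unknown and far above the threshold is the one to investigate first.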

Answer score: 5
10/10/2018 15:30 - If you know that this is malware then you also know that your box has been compromised. You *should* know what to do with a compromised machine (hint: you don't wait for responses to an NNTP post).

Since this is 'one' of your email servers you have the tools to identify whether 'exe' is malware - it certainly seems to be.

C.

