Help: Server security compromised?




Hi,

Need some help with this as it's gotten me really concerned.

I'm probably reading too much into this but for about two weeks now my daily log has increased by almost 10 times.

After running through a couple of days of logs with a script, it seems that I'm getting flooded on SMTP from this IP,
219.64.114.52, which belongs to VSNL and appears to be a statically assigned IP (219.64.114.52.chn.bb-static.vsnl.net). This IP address is apparently listed in the spamhaus.org Policy Block List, eXploit Block List and Composite Block List, which basically indicates it's either an open proxy or a hijacked system.

I'm not sure what it's trying to do, but for exactly 10 hours a day, which corresponds to India 9:30am or so until 7pm or so, I will get massive amounts of SMTP connections from this host. It will attempt to masquerade as domains on my server while trying to send to non-existent accounts on these domains.

2008-08-06 13:32:58 H=(****.com) [219.64.114.52] F=<lnyz@xxxxxxxx> rejected RCPT <484f6f23.8020304@****.com>:
2008-08-06 13:32:58 H=(****.com) [219.64.114.52] incomplete transaction (connection lost) from <djclg@xxxxxxxxxxx>
2008-08-06 13:32:58 unexpected disconnection while reading SMTP command from (****.com) [219.64.114.52]
2008-08-06 13:32:58 H=(****.com) [219.64.114.52] F=<48720243.8060909@****.com> rejected RCPT <285.8030501@****.com>:
2008-08-06 13:32:58 H=(****.com) [219.64.114.52] incomplete transaction (connection lost) from <lnyz@xxxxxxxx>
2008-08-06 13:32:58 unexpected disconnection while reading SMTP command from (****.com) [219.64.114.52]


At this point, I thought it was just a case of dedicated spamming, until I decided I had had enough of multi-megabyte daily logs flooding my mailbox, plus the fact it was probably contributing to an increased server load in the past weeks as the mail daemon had to handle the connections.

So I thought I could just block the IP using iptables.

I had a bad experience locking myself out by accident after editing the iptables file, so this time I decided to test from the command line first, using instructions from the Internet like this

/sbin/iptables -A RH-Firewall-1-INPUT -s 219.64.114.52 -j DROP

and I got an error that chain/command

/sbin/iptables -L produces "blank" output
[root@myserver confused]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


which was of course a shock to me, since that seems to say that my server firewall is basically non-existent.

I did a /sbin/service iptables restart and iptables -L produced the expected output showing all the rules on file. I could then add the new rule from command line without any messages.

Minutes later, my tail -f on the exim log started spewing the smtp messages AGAIN.

iptables -L again shows NO RULES

Every time I restart iptables, for a short while the rules are there. But minutes later, it's wiped. So I'm very concerned that the server has been compromised and something is wiping my iptables.

Or am I just badly mistaken about the way iptables -L is supposed to work?

If not, what should I do next to find and eliminate this problem? Thanks in advance for any advice!


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
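Added example (my own code, not from the original post or the CentOS list): a small Python script that does the kind of log triage the poster describes, run over constructed Exim main-log lines in the shape quoted above. It groups events by source IP, records which HELO names each IP presents, builds an hour-of-day histogram (the "10 hours a day" pattern), and flags IPs that both generate many rejections and present a HELO name matching one of the server's own domains. The domains, the second IP (a documentation address), the event threshold and the "Unrouteable address" suffix are all assumptions I constructed; the first IP and the line format are those shown in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Exim main-log shape the post quotes. The masked
# domains are replaced with example.* names; 198.51.100.7 is a documentation
# address added so there is a benign sender to contrast against.
SAMPLE_LOG = """\
2008-08-06 13:32:58 H=(example.com) [219.64.114.52] F=<lnyz@example.org> rejected RCPT <484f6f23.8020304@example.com>: Unrouteable address
2008-08-06 13:32:58 H=(example.com) [219.64.114.52] incomplete transaction (connection lost) from <djclg@example.org>
2008-08-06 13:32:58 unexpected disconnection while reading SMTP command from (example.com) [219.64.114.52]
2008-08-06 13:33:01 H=(example.com) [219.64.114.52] F=<48720243.8060909@example.com> rejected RCPT <285.8030501@example.com>: Unrouteable address
2008-08-06 14:10:12 H=(mail.partner.test) [198.51.100.7] F=<alice@partner.test> rejected RCPT <nobody@example.com>: Unrouteable address
2008-08-06 19:05:40 H=(example.com) [219.64.114.52] incomplete transaction (connection lost) from <lnyz@example.org>
"""

# Timestamp, then anything, then the last [a.b.c.d] on the line (the peer IP).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}):\d{2}:\d{2} "
    r"(?P<rest>.*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*)$"
)
# HELO name appears as H=(name) on most lines and as "from (name)" on
# the disconnection lines.
HELO_RE = re.compile(r"(?:H=|from )\(([^)]*)\)")


def classify(rest: str) -> str:
    """Map an Exim log message to a coarse event type."""
    if "rejected RCPT" in rest:
        return "rejected_rcpt"
    if "incomplete transaction" in rest:
        return "incomplete"
    if "unexpected disconnection" in rest:
        return "disconnect"
    return "other"


def summarize(log_text: str) -> dict:
    """Per-IP event counts, HELO names seen, and hour-of-day histogram."""
    per_ip = defaultdict(lambda: {"events": Counter(), "helos": set(), "hours": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a peer IP (queue runs, etc.) are ignored
        entry = per_ip[m.group("ip")]
        entry["events"][classify(m.group("rest"))] += 1
        entry["hours"][int(m.group("time"))] += 1
        helo = HELO_RE.search(m.group("rest"))
        if helo:
            entry["helos"].add(helo.group(1).lower())
    return dict(per_ip)


def suspicious(summary: dict, local_domains, min_events: int = 3) -> list:
    """IPs with at least min_events failures that also claim a HELO name
    equal to one of our own domains (a remote host has no business doing so)."""
    local = {d.lower() for d in local_domains}
    flagged = []
    for ip, entry in summary.items():
        total = sum(entry["events"].values())
        if total >= min_events and entry["helos"] & local:
            flagged.append(ip)
    return sorted(flagged)


def report(log_text: str, local_domains) -> str:
    """Human-readable triage report, one block per flagged IP."""
    summary = summarize(log_text)
    lines = []
    for ip in suspicious(summary, local_domains):
        e = summary[ip]
        hours = ", ".join(f"{h:02d}h:{n}" for h, n in sorted(e["hours"].items()))
        lines.append(f"{ip}: {dict(e['events'])} helos={sorted(e['helos'])} hours={hours}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, local_domains=("example.com",)))
```

Run against the real file with `report(open("/var/log/exim/main.log").read(), local_domains=(...))`, listing the domains the server actually hosts; the hour histogram is what makes the daily on/off window visible at a glance, and the HELO check separates a forged-local-name flood from an ordinary remote sender that merely hit a bad recipient.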
