Recently added to an RBL list

MS32 series - mail server, mail recorder: usage experience, problems and discussion

Moderator: petertke200

jarvis
Posts: 1
Joined: Mon Dec 05, 2016 9:36 am

Recently added to an RBL list

Post by jarvis » Mon Dec 05, 2016 9:40 am

Recently two of our company's mail servers were both added to a blacklist; in both cases the stated reason for the listing was that the host had been compromised.

Model: MS-1225
Firmware: 3.0.8.1

Model: MS-6420
Firmware: 3.0.8.1

The block listing information is as follows:

IP Address 59.120.61.3 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2016-12-01 01:00 GMT (+/- 30 minutes), approximately 4 days, 29 minutes ago.

The host at this IP address is infected with the Ebury Rootkit/Backdoor trojan.

Ebury is an SSH rootkit/backdoor trojan for Linux and Unix-style operating systems. It is installed by attackers on root-level compromised hosts by either replacing SSH related binaries (such as ssh or sshd) or a shared library (such as libkeyutils.so) used by SSH.

Ebury infected hosts are used for criminal activities, such as sending out spam emails or hosting exploit kits.

How are these detected? Login credentials harvested by Ebury from SSH connections from/to your system were seen being sent to a dropzone server for the malware.

Further information can be found in CERT-Bund: Ebury SSH Rootkit. We recommend that you follow all of their instructions very carefully.

One of our correspondents noted that (on CentOS) an infected libkeyutils.so was around 35K bytes in size, whereas the correct one is around 1K. So, one quick check is to find the file (under /lib) and examine the size. If it's much over 1-2K, reinstall it (e.g. "yum reinstall keyutils-libs" on CentOS) and see if it changes.

This has far more detail. Note that it demonstrates that the rootkit even changes RPM checksums, so an RPM verify will not work.

EVEN IF you cannot find libkeyutils.so, or it is the right size, Ebury is probably still present in a substituted ssh, sshd or some other related file.
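A small triage script for the size check that the CBL listing above describes, added here as an example; it is not from the thread, from ShareTech or from CBL. It assumes the 2048-byte threshold taken from the listing's "much over 1-2K" remark and takes the directory to scan as a parameter. The threshold is a parameter rather than a constant because the legitimate library size varies by distribution and version, so a hit should be confirmed against the package's pristine copy (the listing's own "yum reinstall" step), and, as the listing itself says, a normal-sized file does not rule out a substituted ssh or sshd.

```sh
#!/bin/sh
# Added triage helper based on the CBL hint quoted above (not from the thread,
# ShareTech or CBL). Assumptions: the 2048-byte threshold comes from the listing's
# "much over 1-2K" remark; the search directory is a parameter so the scan can be
# pointed at /lib, /lib64 or a constructed test tree.

# Size of a file in bytes. wc -c is used instead of stat because stat's flags
# differ between GNU and BSD; tr strips the padding BSD wc prints.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Report one file: returns 0 when it is within the threshold, 1 when it is
# larger than expected. $1 = path, $2 = threshold in bytes (default 2048).
check_keyutils_size() {
    threshold="${2:-2048}"
    size=$(file_size "$1")
    if [ "$size" -gt "$threshold" ]; then
        echo "SUSPECT $1 ($size bytes, threshold $threshold)"
        return 1
    fi
    echo "ok      $1 ($size bytes)"
    return 0
}

# Scan a directory tree for regular files named libkeyutils.so* and report each.
# Returns 0 when nothing exceeded the threshold, 1 otherwise. Symlinks are skipped:
# their own size is tiny and the target file is reported in its own right.
scan_keyutils() {
    dir="${1:-/lib}"
    threshold="${2:-2048}"
    suspects=0
    oldifs=$IFS
    IFS='
'
    for f in $(find "$dir" -name 'libkeyutils.so*' -type f 2>/dev/null); do
        check_keyutils_size "$f" "$threshold" || suspects=$((suspects + 1))
    done
    IFS=$oldifs
    echo "suspects: $suspects"
    [ "$suspects" -eq 0 ]
}

# Usage on a live host (run as root so /lib is fully readable):
#   . ./keyutils_check.sh && scan_keyutils /lib 2048 && scan_keyutils /lib64 2048
```

The scan exits non-zero when any candidate exceeds the threshold, so it can be dropped into a cron job or a monitoring check; the per-file lines are what you would keep as evidence before reinstalling the package.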

peter
Posts: 160
Joined: Tue Feb 06, 2007 5:55 pm
Location: ShareTech Information, Taichung

Re: Recently added to an RBL list

Post by peter » Mon Dec 05, 2016 1:18 pm

Dear SIR

If convenient, please send your device's connection details by private message,
and we will follow up with a check to confirm the likely cause.
Thank you.
翁維聰 Peter
ShareTech Information Co., Ltd
Tel: 04-27050888 Fax: 04-27020684
3F-1, No. 6, Lane 256, Sec. 2, Xitun Rd., Taichung City 407
e-mail: peter@sharetech.com.tw
SKYPE: tsungwei888


Re: Recently added to an RBL list

Post by peter » Mon Dec 05, 2016 1:58 pm

Dear SIR

I received your private message with the IP,
but it cannot be opened.
Has the corresponding mapping been opened correctly?
Could you provide phone contact details by private message?
