
I'm trying to figure out why our server has been blocked at Spamhaus. It comes up with:

139.162.208.xxx is listed in the XBL, because it appears in:

CBL Lookup

Following the link, it says:

This IP address is infected with, or is NATting for a machine infected with the "nymaim" malicious botnet.

"nymaim" is also known as "Gamarue".

More information about Gamarue can be obtained from Proofpoint, and Microsoft.

Gamarue is involved with a variety of malicious things, including backdoor downloads, Banking Trojans and Ransomware.

This was detected by a TCP connection from "139.162.208.xxx" on port "36752" going to IP address "216.218.185.xxx" (the sinkhole) on port "80".

The botnet command and control domain for this connection was "www.ltaet.com".

This detection corresponds to a connection at Mon Sep 9 09:48:26 2019 UTC (this timestamp is believed accurate to within one second).

How would you go about cleaning this up? I've tried a few malware detection tools, but none of them ever come up with anything.

The OS is Ubuntu 16.04

Thanks

Andrew Newby
  • It doesn't _have_ to be your server, could always be some user behind it (NAT) or a false-positive. – Lenniey Sep 10 '19 at 10:12
  • @Lenniey ah ok - so maybe it's them detecting so-called "spam" from one of our newsletters, and being marked as this? – Andrew Newby Sep 10 '19 at 10:16
  • No it's not detecting spam, it's detecting mails linked to the listed malware/botnet "nymaim/Gamarue", either by heuristics or by specific links/attachments/whatever. Check your mailserver logs against the given information (IP + port), etc. etc. – Lenniey Sep 10 '19 at 10:41
  • Ah ok. So looking at the auth.log file from yesterday I can see stuff like: `Sep 4 20:39:40 admin sshd[16909]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=79.137.35.70` / `Sep 4 20:39:42 admin sshd[16909]: Failed password for invalid user user from 79.137.35.70 port 36752 ssh2` / `Sep 4 20:39:42 admin sshd[16909]: Received disconnect from 79.137.35.70 port 36752:11: Bye Bye [preauth]` Does this mean they are logging in as "admin" on ssh? – Andrew Newby Sep 10 '19 at 12:06
  • That's just regular SSH scanning. What's your sysctl value for IP forwarding and what's your iptables policy for the forward table? – Ginnungagap Sep 10 '19 at 12:12
  • Also, is this mail server purely for newsletter or does it have actual users? If no actual users, irregularities in your mail log should stand out quite easily. – Ginnungagap Sep 10 '19 at 12:14
  • Also, do your SSH logs show any irregular successful logins? Especially on users you don't expect (please tell me you don't login as root with a password)? – Ginnungagap Sep 10 '19 at 12:16
  • @Ginnungagap - how would I find the sysctl for the IP forwarding? As to what the server is - it's a normal web server, but we sometimes send out newsletters to our customers (and also welcome emails, lost password, etc etc) – Andrew Newby Sep 10 '19 at 12:16
  • `sysctl net.ipv4.ip_forward` – Ginnungagap Sep 10 '19 at 12:17
  • @Ginnungagap which log file would be the ssh logs? It's merged into auth.log, isn't it? And regarding the password for root - yes we do use a password (but we have iptables blocking multiple failures for password scanning, and it's also a super long + secure password). What's the better way? Oh, and we have SSH disabled for all other users (only root has access to ssh) – Andrew Newby Sep 10 '19 at 12:18
  • Thanks. `sysctl net.ipv4.ip_forward` returns: `net.ipv4.ip_forward = 0` – Andrew Newby Sep 10 '19 at 12:18
  • If you haven't configured your syslog daemon to log to a separate file, yes it's `auth.log` and all its rotated log files (`/var/log/auth.log.*`). SSH best practice would be to disable logging in as root, mandate SSH keys and allow individual users to `sudo` if they need to run administrative commands. – Ginnungagap Sep 10 '19 at 12:20
  • @Ginnungagap yeah I just had all of it put into the main auth.log files (rotated daily). For the SSH keys - I'll take a look into that. I know I tried to get it working when originally setting up the server, but I couldn't get it right (and didn't want to lock myself out of my own server ;)) – Andrew Newby Sep 10 '19 at 12:21
  • In any case, if you're not being used to NAT someone else's (nymaim's) mails, the only valid answer is the first comment. – Ginnungagap Sep 10 '19 at 12:22
  • @Ginnungagap thanks for that. Which first comment? :) (I'm also looking at setting up the SSH keys for my root logins, by testing it on the dev server first) – Andrew Newby Sep 10 '19 at 12:24
  • The question referenced by @Lenniey – Ginnungagap Sep 10 '19 at 12:24
  • Ah ok - I'll do some more digging. Thanks for your help – Andrew Newby Sep 10 '19 at 12:25
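An added example (my own code, not from the question or any commenter) of the check Ginnungagap suggests: parse `auth.log`, count failed passwords per source IP, and list the successful logins that deserve a closer look. The first three sample lines are the ones quoted in the comments; the remaining lines and the list of expected users are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log. The first three lines are the ones
# quoted in the comments; the rest are made up to show what "Accepted" lines
# look like. The field after the timestamp ("admin") is the host name that
# syslog records, not the user someone logged in as.
SAMPLE_AUTH_LOG = """\
Sep 4 20:39:40 admin sshd[16909]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=79.137.35.70
Sep 4 20:39:42 admin sshd[16909]: Failed password for invalid user user from 79.137.35.70 port 36752 ssh2
Sep 4 20:39:42 admin sshd[16909]: Received disconnect from 79.137.35.70 port 36752:11: Bye Bye [preauth]
Sep 5 08:01:10 admin sshd[17020]: Accepted password for root from 203.0.113.10 port 51234 ssh2
Sep 6 02:13:55 admin sshd[17555]: Accepted password for backup from 198.51.100.77 port 40001 ssh2
Sep 6 02:14:30 admin sshd[17560]: Failed password for root from 198.51.100.77 port 40002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")

def summarize_ssh_auth(log_text, expected_users=("root",)):
    """Return failed-login counts per source IP, every successful login, and the
    successful logins worth reviewing: an unexpected user, or a source IP that
    also produced failed attempts (a scanner that eventually got in)."""
    failed_by_ip = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append({"method": method, "user": user, "ip": ip, "line": line})
    suspicious = [a for a in accepted
                  if a["user"] not in expected_users or failed_by_ip[a["ip"]] > 0]
    return {"failed_by_ip": failed_by_ip, "accepted": accepted, "suspicious": suspicious}

if __name__ == "__main__":
    report = summarize_ssh_auth(SAMPLE_AUTH_LOG)
    for ip, n in report["failed_by_ip"].most_common():
        print(f"{n:4d} failed login(s) from {ip}")
    for a in report["suspicious"]:
        print("REVIEW:", a["line"])
```

Run it against the real file with `summarize_ssh_auth(open("/var/log/auth.log").read())`, and repeat for the rotated `/var/log/auth.log.*` files, since a login that happened before the CBL timestamp may only be in those.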

0 Answers