SMTP Attack on server - security

I have an IIS7 web server at Rackspace that is being utilized/attacked in some manner to send SPAM. I have run several variations of anti-virus and malware software on the server and cleaned anything found, but it is still happening.
I'm leaning towards some kind of web form attack, but there are several sites on this server and I didn't create all of them, so figuring out what form(s) is being used (or even where they all are) is proving challenging.
Does anyone know of any solution to pinpoint what script(s) might be firing off these emails? Is there any way to monitor the SMTP service with more information? I've looked at SMTP logs, but all I see are things like:
2014-02-14 06:00:52 127.0.0.1 [---server info, etc---] SMTPSVC1 [-compname-] 127.0.0.1 0 MAIL - +FROM:<--------#-------------------> 250 0 56 43 0 SMTP - - - -
In fact, there are 19,608 in about a 16 hour period in this one log file I'm looking at. But unfortunately, this doesn't seem helpful.
If anyone could offer any insight, that'd be great!

If I had to guess, you have a webpage that has been compromised (which is what I think you suspect), and is being used to generate all the messages. The webpage probably accepts a FROM and a TO, without any validation.
If you start seeing these come in, as a test, start shutting off websites, until you see the attack stop.
Then, start the website back up, see if it continues. Then, I would start grepping that website location for files relating to email.

Most likely your server is configured to act as an email relay server, which allows anyone to send email that is in transit to your server for your server to send on (relay). Spammers do this to cover up the original origination point of the email.
The fix is to configure your server not to be a relay server. More background info here:
http://en.wikipedia.org/wiki/Open_mail_relay
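As an added example (not code from the question or either answer), here is how IIS SMTP log lines in the format quoted in the question can be summarised to tell the two explanations apart: a burst of MAIL commands submitted from 127.0.0.1 points at a script on the server itself, while outside client IPs point at relaying. The sample lines are constructed to match the quoted line; the "[server]" and "[host]" fields are placeholders.

```javascript
// Added example (not code from the question or either answer): summarise IIS
// SMTP service W3C log lines like the one quoted above, so a spam burst can be
// tied to a time window, a client IP and a MAIL FROM address.
const LOG_LINE = /^(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d (\S+) .*? (\w+) - (\S+) (\d{3}) /;

function parseSmtpLog(text) {
  const rows = [];
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;   // skip W3C header lines
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, minute, clientIp, method, query, status] = m;
    rows.push({ minute, clientIp, method, query: query.replace(/^\+/, ''), status });
  }
  return rows;
}

function summariseMail(rows, burstPerMinute = 50) {
  const byMinute = new Map(), byClient = new Map(), bySender = new Map();
  const bump = (map, key) => map.set(key, (map.get(key) || 0) + 1);
  for (const r of rows) {
    if (r.method !== 'MAIL') continue;
    bump(byMinute, r.minute);
    bump(byClient, r.clientIp);
    const from = /^FROM:<([^>]*)>/i.exec(r.query);
    bump(bySender, from ? (from[1] || '<>') : r.query);
  }
  const bursts = [...byMinute].filter(([, n]) => n >= burstPerMinute).map(([m]) => m);
  // MAIL only ever from the loopback address means a process on the box itself
  // (web form, script, malware) is submitting; outside IPs mean relay abuse.
  const ips = [...byClient.keys()];
  const localOnly = ips.length > 0 && ips.every(ip => ip === '127.0.0.1' || ip === '::1');
  return { byMinute, byClient, bySender, bursts, localOnly };
}

// Constructed sample in the quoted format; server and computer names are placeholders.
const mailLine = (t, from) =>
  `2014-02-14 ${t} 127.0.0.1 [server] SMTPSVC1 [host] 127.0.0.1 0 MAIL - +FROM:<${from}> 250 0 56 43 0 SMTP - - - -`;
const SAMPLE = [
  '#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status',
  mailLine('06:00:52', 'x@example.test'), mailLine('06:00:53', 'x@example.test'),
  mailLine('06:00:55', 'y@example.test'),
  '2014-02-14 06:00:56 127.0.0.1 [server] SMTPSVC1 [host] 127.0.0.1 0 RCPT - +TO:<v@example.test> 250 0 0 0 0 SMTP - - - -',
  mailLine('06:01:10', 'x@example.test'),
].join('\n');

const report = summariseMail(parseSmtpLog(SAMPLE), 3);
console.log('bursts:', report.bursts, 'local only:', report.localOnly);
```

Run it against a real log with the default threshold; the minutes in `bursts` tell you where in the IIS site logs to look for the request that triggered each burst.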


How to set up SMTP server in NATIVE nodeJS -- no dependencies whatsoever

I've seen many blogs and stack overflow questions about setting up nodejs to use a pre-existing smtp server, especially through modules like nodemailer etc. Some of what I've already seen:
https://www.zeolearn.com/magazine/sending-and-receiving-emails-using-nodejs
Use smtp client to send email without providing password
How can I create a custom smtp server to send out notification emails in Nodejs?
Sending emails in Node.js? (DON'T KNOW WHY IT IS CLOSED)
Use smtp client to send email without providing password
Nodemailer with Gmail and NodeJS
Nodemailer send email without smtp transport -- this is a tiny bit closer to what I want
How can I create a custom smtp server to send out notification emails in Nodejs? -- this one is so close yet no answers
Sending email via Node.js using nodemailer is not working
SmtpJs API not working! is there any way to send emails using SMTP server with JavaScript or JQuery
Email NodeJS cannot send
Any suggestion for smtp mail server in nodejs? -- this one may be the only one that even attempts to answer it, although from the docs for the service mentioned there (smtp-server), I don't see where the actual makings of the SMTP server from scratch are, i.e. I don't see the part that shows how to make your own myemail@mydomain.com using nodeJS (assuming the NodeJS server is configured on some kind of linux VM like Google Compute Engine).
All of these answers and blogs only addressed sending emails via some other email client.
I am not interested in any other email servers.
I don't believe in gmail -- or any other 3rd party email providers.
I want to host my own.
From my own computer.
Don't question my intentions.
It's a perfectly valid programming question:
How do I create, from absolute scratch (i.e., only using the "net" built-in library in nodeJS, no external dependencies at all), an SMTP mail server (assuming I have my own domain registered at an HTTPS virtual machine somewhere) that has the ability to receive mails at myemail@mydomain.com, and send emails from myemail@mydomain.com, without any 3rd party servers at all.
How can I at least start to do this? Any possible reference or tutorial that deals with the SMTP socket protocols would be a great start.
Some friendly advice -- you probably want to use an off-the-shelf MTA like postfix, exim4, or sendmail if you just want to receive mail on your local machine.
I say this because I have literally spent a good hunk of my career implementing MTAs and feel I should warn you that this is a solved problem that allows you to have complete control over your mail traffic, and there are some very tricky issues to solve to write an MTA that works at scale with large mail volumes.
That said, SMTP (note spelling) is a very simple protocol, and a great "first protocol" to implement if you're interested in that stuff. It would be very easy to write one in NodeJS.
The first edition you'd be interested in was released some time around 1982, as RFC-821, aka IETF STD-10. It was then updated over the years to RFC-2821 and a bunch of related specs, but basic RFC-821 support will get you what you need to talk to 99% of hosts on the Internet today. (That number will go down as you need ESMTP support for TLS - but this is not much harder nor much different).
Your daemon will need to listen on port 25, and need to process commands like this:
YOU: 220 my.computer.com SMTP Service Ready
THEM: EHLO blah blah
YOU: 500 Syntax Error. Try again using SMTP.
THEM: HELO blah blah
YOU: 250 G'day mate
THEM: MAIL FROM: <billg@microsoft.com>
YOU: 250 Sender Okay
THEM: RCPT TO: <steve@apple.com>
YOU: 250 OK
THEM: DATA
YOU: 354 Enter mail, end with "." on a line by itself...
THEM: <BUNCH OF STUFF>
.
YOU: 250 Mail accepted
THEM: QUIT
YOU: 221 Goodbye
Obviously there is more here wrt error handling etc -- read the spec -- but this is the gist of it. The numbers are response codes and have specific meanings. The lines are separated by \r\n and are supposed to be less than 1024 bytes wide.
<BUNCH OF STUFF> is an email message, and will not have a line which is just a dot in it. If the email had a dot like that, the other end will send an extra dot. This is in the spec.
Finally, write <XXXX><BUNCH OF STUFF> into your $MAIL file (probably /var/mail/username or /var/spool/mail/username) and point your MUA at it. Pine, Alpine, Elm, or mutt would make a good MUA for sorting this stuff out.
<XXXX> needs to start with From (NO colon) and end with \n. This is the Berkeley mbox file format. It should reflect the MAIL FROM header in the SMTP transaction.
This file format is very common and supported by most POP3 and IMAP4 servers. You can probably also read it with Mozilla Thunderbird. I know Netscape Mail supported it back in the day.
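As an added example, not the answerer's code: the receive side of the exchange above as a Node state machine. It assumes the local domain mydomain.com and refuses RCPT TO for any other domain, so the daemon cannot be used as an open relay; the dot-unstuffing and the mbox "From " line follow the answer.

```javascript
// Added example, not the answerer's code: the receive side of the exchange above as a
// line-driven state machine. It accepts RCPT TO only for LOCAL_DOMAIN (an assumption),
// so it is never an open relay; dot-unstuffing and the mbox "From " line follow the answer.
const LOCAL_DOMAIN = 'mydomain.com';

class SmtpSession {
  constructor(hostname, onMessage) {
    this.hostname = hostname; this.onMessage = onMessage; this.reset();  // onMessage gets one mbox record per message
  }
  reset() { this.from = null; this.rcpts = []; this.lines = []; this.inData = false; }
  greeting() { return `220 ${this.hostname} SMTP Service Ready`; }
  // Handle one line (CRLF already stripped); returns the reply, or null inside DATA.
  handleLine(line) {
    if (this.inData) {
      if (line === '.') {                        // a lone dot ends the message
        this.onMessage(this.toMbox()); this.reset();
        return '250 Mail accepted';
      }
      // dot-stuffing: a body line that began with "." arrives as ".." and is restored here
      this.lines.push(line.startsWith('..') ? line.slice(1) : line);
      return null;
    }
    if (line.length > 512) return '500 Line too long';
    const [verb, ...rest] = line.split(' ');
    const arg = rest.join(' ');
    switch (verb.toUpperCase()) {
      case 'HELO': return `250 ${this.hostname}`;
      case 'EHLO': return '500 Syntax Error. Try again using SMTP.';
      case 'MAIL': {
        const m = /^FROM:\s*<([^>]*)>$/i.exec(arg);
        if (!m) return '501 Syntax error in parameters';
        this.from = m[1]; return '250 Sender Okay';
      }
      case 'RCPT': {
        const m = /^TO:\s*<([^>]+)@([^>]+)>$/i.exec(arg);
        if (!m || this.from === null) return '503 Bad sequence of commands';
        if (m[2].toLowerCase() !== LOCAL_DOMAIN) return '550 Relaying denied';  // not an open relay
        this.rcpts.push(`${m[1]}@${m[2]}`); return '250 OK';
      }
      case 'DATA':
        if (!this.rcpts.length) return '503 Bad sequence of commands';
        this.inData = true; return '354 Enter mail, end with "." on a line by itself';
      case 'QUIT': return '221 Goodbye';
      default: return '500 Syntax Error';
    }
  }
  // Berkeley mbox record: "From <envelope sender> <date>" line (no colon), then the body.
  toMbox() { return `From ${this.from} ${new Date().toUTCString()}\n${this.lines.join('\n')}\n\n`; }
}
```

To serve it, wrap a session in net.createServer: write greeting() plus \r\n on connect, split the incoming stream on \r\n, write each non-null reply back, and have onMessage append the record to the mbox file.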

Web attacks from a herokuapp.com address -- how to stop

I am not a Heroku customer, just a plain old user out there.
But, I am getting a steady stream of web attacks from a herokuapp.com address. They are being blocked by my security software (Norton), but (a) they are affecting performance on my system; (b) if my security is off even for a moment, I am afraid I will get infected.
What can I do to stop the attacks. Can I get Heroku to stop them? Is there a number to call to report this? Here's the data...
IPS Alert Name -- Web Attack: JSCoinminer Website
Attacking computer -- thrillngos.herokuapp.com (54.243.125.28.443)
Source address -- thrillingos.herokuapp.com (54.243.125.28)
I signed up with Heroku and submitted a support ticket. That seems to be the way to get their attention, as the abuse team responded and reported shutting this app down within a couple of hours.
Unfortunately, the attacks continue from a variety of herokuapp addresses. I have informed them and am awaiting further responses

Zimbra server - Ubuntu - Configuration

I'm trying to set up Zimbra so that it has an automatic failover. The idea is that two Zimbra servers will be running and if one fails there will be little to 0 downtime as the other will either be already routing emails to the client or start routing when the first fails.
I would have to assure that email is being sent to both servers so that there is no loss of data. Because of this I can't have both servers added to the client because everyone would end up having two copies of every email.
Is there an easy way to do this or has anyone done this before?
Warm standby is not currently possible; this would have to be done at the VMware/OS layer.

Is it possible to register a public server, and protect the origin of the actual processing server?

Tough question. It has to do mainly with security, but also computers. Probably not been done yet.
I was wondering, is it possible to host for example a web application, yet be able to hide *where* the actual server is, and, or who is the originator, making it very very hard ( practically impossible ) for some one to track the origin of the server, and who is behind it?
I was thinking that this might be possible through a third party server, preferably with an owner unrelated to the proxy sites. But the question then also becomes an issue of reliability *of* the third party.
Does the TOR network have support for registering for receiving incoming requests rather than outgoing ones? How secure would that be? Might it be possible that the TOR network has been infiltrated by for example a big government ( read USA ) ( don't get angry, please enlighten me as I do not know much of how the TOR network is hosted ).
How can one possibly create such a secure third party server, that preferably does not even know who the final recipient of the request is? Third party companies might be subjected *to* pressure from governments, either directly from powerful *nations* such as USA, or by the USA applying pressure on the governments of the country where the server is, applying pressure on the company behind it, and force you to enable a backdoor. ( Just my wild fantasy, think worst case scenario is my motto :) ).
I just came up with the idea that, given that this is probably *impossible*, the best way would be to have a bunch of distributed servers, across several nations, to make it as hard as possible to go through each and every one of them to find the next bouncing server. This would have to be in a linked list, with one public server being registered on a DNS. If compromised, the public server needs to be replaced with another one.
request from user0 -> server1 -> server2 -> server3 -> final processing server -> response to user0 or through the incoming server chain.
When sending a response to someone, could it be done using UDP rather than TCP and hide who the sender was ( also in a web application ) ? So that a middle man listening on user0 computer incoming responses ( and outgoing requests ) do not figure *out who the final* processing server is, if we decide to respond directly to user0 from the final processing server?
The IP of server1 will be public and known to anyone; server1 will send the message to server2 and it is possible to figure that out by listening directly behind server1's traffic node, but perhaps it could hide its own origin if not being listened to directly, so that if big governments have filters on big traffic nodes or routers, they wouldn't be able to track who it came from, and therefore what the message to server2 is intended for. It would blend in with all other requests.
Anyhow, if you have followed my thoughts this far I think you should know by now what I am thinking about.
Could this be possible through a P2P network, with a central server behind it, and have the P2P network deliver it to the final server and respond in some pattern? The idea is to have one processing server, and then have "minor", "cheaper" servers that act as proxies?
Why I keep saying central server, is that I am thinking web. But any thoughts on the matter is interesting.
For those who wonder why... I am looking into creating something as secure as possible, that could withstand government pressure ( read BlackBerry, Skype and others ).
This is also a theoretical question.
PS.
I would also be interested in knowing how one has a distributed SECURE database ( for keeping usernames, friend lists and passwords for example ), but this time it is not necessary for it to be on the web. A P2P software with a distributed secure database.
Thanks!
Yes, you're reinventing Tor. You should research Tor more fully before going further. In particular, see Hidden Service Protocol. Tor is not perfect, but you should understand it before you try to reinvent it.
If you want to find an ant's nest, follow the ants. If you want to find the original server, follow the IP packets. If you meet a proxy server not willing to provide their path, call the server administrator and have your men in black put a gun to his head. If he does not comply, eliminate the administrator and the server. Carry on following the ants in their new path. Repeat the operation until the server is reached or the server can't communicate anymore.
So no, you can't protect the origin and keep your server up and running when your men in black can reach any physical entity.

Is pinging to a site a good way of checking whether it's down or not?

I'm trying to write a small website monitoring program, that can check my web hosts to see whether they are down or not, and to calculate the uptime or warn me if it's down. It's going to be a standalone app.
I wanted to know whether pinging is a good way of finding out whether a site is down or not?
Thanks in advance.
That's one thing that you can do but it's by no means a certainty either way.
Some sites will ignore ICMP packets so that no ping response is given. Some sites will respond to pings even when the web server (or whatever service you're after) is down.
The only way you can be certain that a given site will provide a service is to, well, use that service. Nothing else will be as accurate.
A better method would be to provide a series of steps which would detect where a fault lay, at least in the infrastructure that you can control. For example:
allow pings to be received and acted upon.
have a static web page in the web server.
have a dynamic page in the application server which delivers static content.
have a dynamic page in the application server which uses the database.
Then your tester client would simply attempt to "contact" those four points and report on the success. Since you would expect your site to be up most of the time, I'd just check the fourth option to see if everything was okay, and do the other checks only if a problem were found.
It depends on how you define ping. If you're talking about the "low level" ICMP echo, then no it isn't likely to be a good indicator of whether or not your site is down. You would be better off to actually have an application pull a page down from your site to ensure that the HTTP server is running. There are plenty of services for this and likely some code you could download from google as well. http://www.dailyblogtips.com/test-if-a-website-is-down-for-everyone-or-just-for-your/
ICMP can prove the server is alive.
TCP checking can show the web server is working, but not the site.
To perform site checking, you should do an HTTP GET request (even HEAD doesn't work sometimes) to make sure the page was fine (return status 200).
You can write your own checking system or use some third party site like http://allping.net/
ping gives you insight into latency from a specific location and also points to possible network issues (packet loss). As said in a previous answer, some servers don't respond to ping requests, in which case ping is useless.
To check a server with ping from over 50 locations worldwide have a look at this free tool: http://just-ping.com/
