ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by aslus maximus »

Hi peeps. I keep getting this crap in my access logs with clamscan, so I banned the IP address of the blekko.com server and now I get this as well: ASL.SpamDomain.erolove.in.UNOFFICIAL FOUND and ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND. I tried to ban the IPs of the servers but it had no effect. The originating IP is not from those servers it seems, but from an infected machine or botnet. Is this some sort of reflected attack?

How do I ban them, or is this anything to be concerned about at all, as it's only in the http access logs but it shows up every 24 hours?
Last edited by aslus maximus on Tue Sep 24, 2013 4:33 pm, edited 1 time in total.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by mikeshinn »

What vector is this coming in from? SMTP?
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by aslus maximus »

No, http. It requests random pages from my domains. Like someone is searching from those 2 servers or something. Banning the server IPs does nothing. Still says it's coming from the same place.

I did have someone or something trying to brute force my email server the other day for about 2 hours so I installed fail2ban and it seems to have stopped them. Not sure if it has anything to do with this though.
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by aslus maximus »

Nothing shows up in the ASL GUI about it, only in the http access logs.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by mikeshinn »

I'm not sure I follow, are you saying when you run clamscan against your access logs you get signatures like this being triggered:

ASL.SpamDomain.erolove.in.UNOFFICIAL FOUND

If so, see this FAQ:

https://www.atomicorp.com/wiki/index.ph ... malware.3F
Important Note: There are some directories you should not scan. For example, directories that contain signatures, and raw logs should not be scanned. They contain actual attack patterns that will trigger signatures, this is expected behavior. Other tools will process your logs looking for attacks and malicious code, and clamscan should not be used to scan log files.
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by aslus maximus »

I think that was it. I ran that command and it found about 10 false alarms:

/var/clamav/ASL-securiteinfohtml.hdb: Atomicorp.Linux.Suspicious.Code.2011121313401.UNOFFICIAL FOUND
/var/clamav/ASL-securiteinfoelf.hdb: Atomicorp.Linux.Suspicious.Code.2011121313401.UNOFFICIAL FOUND
/var/clamav/ASL-securiteinfooffice.hdb: Atomicorp.Linux.Suspicious.Code.2011121313401.UNOFFICIAL FOUND
/var/clamav/ASL.hdb: Atomicorp.Linux.Suspicious.Code.2011121313401.UNOFFICIAL FOUND
/var/clamav/ASL-h.ndb: Atomicorp.Linux.Suspicious.Code.2011121313401.UNOFFICIAL

Isn't /var/clamav meant to be excluded too? What does the accent ^ do in that clamscan command? All the other web searches for clamscan I did don't seem to use it. Also, that FAQ excluded /var/www/vhosts but I want to scan there to check uploaded images.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by mikeshinn »

^ is a regular expression used to denote the start of a string; in layman's terms it means "start of line". Don't remove that. The value is a regular expression.
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by aslus maximus »

OK, thanks. So I'm going to do this with --exclude-dir=^/var/clamav/ included to stop the false positives. I guess --exclude-dir=^/var/www/vhosts/.*/statistics/logs/ means scan everything under that dir except /statistics/logs/?


nice -n 20 ionice -c 3 clamscan --exclude-dir=^/var/clamav/ --exclude-dir=^/var/ossec/ --exclude-dir=^/usr/share/doc/clamav --exclude-dir=^/var/www/vhosts/.*/statistics/logs/ --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc --exclude-dir=^/var/lib/spamassassin --exclude-dir=^/var/asl --exclude-dir=^/usr/share/w3af --exclude-dir=^/var/lib/openvas/plugins --exclude-dir=^/home/.*/mail/ --exclude-dir=^/home/.*/tmp/awstats --exclude-dir=^/home/.*/tmp/webalizer -i -r /

Is there any way to stop this with ASL?

courier-pop3d: LOGIN FAILED, user=mailscanner, ip=[::ffff:130.185.157.96

I have about 10 pages full of them. My fail2ban doesn't seem to stop the login attempts. I must have set it up wrong or maybe it doesn't work with asl?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by mikeshinn »

What's the full log line look like from courier? In other words, is your system really not logging a timestamp? Either way, can you post the full log line for that event with timestamp and any trailing information?

Also, fail2ban is likely interfering with ASL. If it's adding firewall rules it may be preventing ASL's active response rules from working correctly. You do not need fail2ban if you are using ASL, so at the very least it's redundant.
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by aslus maximus »

Sorry, yes it has a timestamp and all the rest of it.

-pop3d: Disconnected, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=admin, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: authentication error: Input/output error
Oct 12 03:45:50 server courier-pop3d: Connection, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server last message repeated 2 times
Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=webmaster, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=oracle8, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=admin, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: authentication error: Input/output error
Oct 12 03:45:50 server courier-pop3d: Connection, ip=[::ffff:87.103.211.11]
Oct 12 03:45:51 server courier-pop3d: LOGOUT, ip=[::ffff:87.103.211.11]
Oct 12 03:45:51 server courier-pop3d: Disconnected, ip=[::ffff:87.103.211.11]

And at 4:00 AM every morning I get this, but I think it's some mail log rotation or maintenance task started by Plesk?

Time Agent Level ID Event
12 October
04:05:43 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:05:08 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:05:08 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:05:08 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:05:08 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:05:03 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:05:03 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:05:03 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:05:02 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:04:57 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:04:57 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:04:52 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:04:52 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:04:52 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:04:52 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by mikeshinn »

I see what's happening: the courier log format is different from what other versions of courier use. Short term, use the attached decoder and we'll update the one in ASL shortly.

Ungzip the attached file, which will give you decoder.xml, and copy it over this file:

/var/ossec/etc/decoder.xml

And restart ossec:

service ossec-hids restart
Attachments
decoder.xml.gz
(25.53 KiB) Downloaded 493 times
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by aslus maximus »

Done. Do I need to set any options in that file or in the gui? Will it stop the login attempts for mail or ftp?
aslus maximus
Forum User
Posts: 59
Joined: Tue Mar 05, 2013 1:10 pm
Location: here

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by aslus maximus »

Do I need to set the right permissions on that file, because it would be owned by root now?

Integrity checksum changed for: '/var/ossec/etc/decoder.xml'
Size changed from '97114' to '97144'
Ownership was '0', now it is '10001'
Group ownership was '0', now it is '505'
What changed:
708c708
< <program_name>^pop3d|^courierpop3login|^imaplogin</program_name>
---
> <program_name>^pop3d|^courierpop3login|^imaplogin|^courier-pop3d|^courier-imapd</program_name>
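As an added illustration (not code from the thread or from Atomicorp's decoder), the Python below mimics what the program_name change in that diff does: OSSEC only hands a syslog line to a decoder when the program name matches the decoder's regex, so with the shipped regex the `courier-pop3d:` lines posted earlier are never decoded and never contribute to a failed-login count that active response could act on. The sample log is constructed from the lines quoted in the thread; the parsing regexes and the counting function are this example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the courier lines quoted in the thread
# (syslog prefix, then "courier-pop3d:" as the program name).
SAMPLE_LOG = """\
Oct 12 03:45:50 server courier-pop3d: Connection, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=admin, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=webmaster, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=oracle8, ip=[::ffff:87.103.211.11]
Oct 12 03:45:51 server courier-pop3d: LOGOUT, ip=[::ffff:87.103.211.11]
Oct 12 03:46:02 server pop3d: LOGIN FAILED, user=admin, ip=[::ffff:130.185.157.96]
"""

# program_name regexes taken from the decoder diff: the shipped one and the
# patched one that adds the courier-pop3d / courier-imapd program names.
OLD_PROGRAM_NAME = r"^pop3d|^courierpop3login|^imaplogin"
NEW_PROGRAM_NAME = r"^pop3d|^courierpop3login|^imaplogin|^courier-pop3d|^courier-imapd"

# Syslog prefix "Mon DD HH:MM:SS host program: message" (example's own regex).
SYSLOG_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ([^:\s]+): (.*)$")
# Courier failed-login message; strips the IPv4-mapped "::ffff:" prefix.
LOGIN_FAILED_RE = re.compile(r"^LOGIN FAILED, user=(\S+), ip=\[(?:::ffff:)?([^\]]+)\]")


def decode(line, program_name_re):
    """Return (user, ip) for a failed login the decoder would accept, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    program, message = m.groups()
    # OSSEC only passes the message to the decoder when program_name matches;
    # "^pop3d" is anchored, so it does not match "courier-pop3d".
    if not re.match(program_name_re, program):
        return None
    f = LOGIN_FAILED_RE.match(message)
    return f.groups() if f else None


def failed_logins_per_ip(log, program_name_re):
    """Count LOGIN FAILED events per source IP, the signal active response keys on."""
    counts = Counter()
    for line in log.splitlines():
        hit = decode(line, program_name_re)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)
```

With the shipped regex only the plain `pop3d:` line is counted; with the patched regex the three `courier-pop3d` failures from 87.103.211.11 are counted as well.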
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND

Unread post by mikeshinn »

Yes, the file permissions should always be set to the originals, which are:

-rw-r--r-- 1 root root 97114 Oct 7 15:24 /var/ossec/etc/decoder.xml