ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
- aslus maximus
- Forum User
- Posts: 59
- Joined: Tue Mar 05, 2013 1:10 pm
- Location: here
ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
Hi peeps. I keep getting this crap in my access logs with clamscan so I banned the IP address of the blekko.com server and now I get this as well, ASL.SpamDomain.erolove.in.UNOFFICIAL FOUND and ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND. I tried to ban the IPs of the servers but it had no effect. The originating IP is not from those servers it seems, but from an infected machine or bot net. Is this some sort of reflected attack?
How do I ban them, or is this anything to be concerned about at all, as it's only in the http access logs but it shows up every 24 hours?
Last edited by aslus maximus on Tue Sep 24, 2013 4:33 pm, edited 1 time in total.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
What vector is this coming in from? SMTP?
Michael Shinn
Atomicorp - Security For Everyone
- aslus maximus
- Forum User
- Posts: 59
- Joined: Tue Mar 05, 2013 1:10 pm
- Location: here
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
No, http. It requests random pages from my domains. Like someone is searching from those 2 servers or something. Banning the server IPs does nothing. Still says it's coming from the same place.
I did have someone or something trying to brute force my email server the other day for about 2 hours so I installed fail2ban and it seems to have stopped them. Not sure if it has anything to do with this though.
- aslus maximus
- Forum User
- Posts: 59
- Joined: Tue Mar 05, 2013 1:10 pm
- Location: here
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
Nothing shows up in the asl gui about it, only in the http access logs.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
I'm not sure I follow; are you saying that when you run clamscan against your access logs you get signatures like this being triggered:
ASL.SpamDomain.erolove.in.UNOFFICIAL FOUND
If so, see this FAQ:
https://www.atomicorp.com/wiki/index.ph ... malware.3F
Important Note: There are some directories you should not scan. For example, directories that contain signatures, and raw logs should not be scanned. They contain actual attack patterns that will trigger signatures, this is expected behavior. Other tools will process your logs looking for attacks and malicious code, and clamscan should not be used to scan log files.
Michael Shinn
Atomicorp - Security For Everyone
- aslus maximus
- Forum User
- Posts: 59
- Joined: Tue Mar 05, 2013 1:10 pm
- Location: here
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
I think that was it. I ran that command and it found about 10 false alarms:
/var/clamav/ASL-securiteinfohtml.hdb: Atomicorp.Linux.Suspicious.Code.2011121313401.UNOFFICIAL FOUND
/var/clamav/ASL-securiteinfoelf.hdb: Atomicorp.Linux.Suspicious.Code.2011121313401.UNOFFICIAL FOUND
/var/clamav/ASL-securiteinfooffice.hdb: Atomicorp.Linux.Suspicious.Code.2011121313401.UNOFFICIAL FOUND
/var/clamav/ASL.hdb: Atomicorp.Linux.Suspicious.Code.2011121313401.UNOFFICIAL FOUND
/var/clamav/ASL-h.ndb: Atomicorp.Linux.Suspicious.Code.2011121313401.UNOFFICIAL
Isn't /var/clamav meant to be excluded too? What does the accent ^ do in that clamscan command? All the other web searches for clamscan I did don't seem to use it. Also that FAQ excluded /var/www/vhosts but I want to scan there to check uploaded images.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
^ is a regular expression used to denote the start of a string; in layman's terms it means "start of line". Don't remove that. The value is a regular expression.
Michael Shinn
Atomicorp - Security For Everyone
- aslus maximus
- Forum User
- Posts: 59
- Joined: Tue Mar 05, 2013 1:10 pm
- Location: here
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
Ok thanks, so I'm going to do this with --exclude-dir=^/var/clamav/ included to stop the false positives. I guess the --exclude-dir=^/var/www/vhosts/.*/statistics/logs/ means scan everything under that dir except /statistics/logs/ ?
nice -n 20 ionice -c 3 clamscan --exclude-dir=^/var/clamav/ --exclude-dir=^/var/ossec/ --exclude-dir=^/usr/share/doc/clamav --exclude-dir=^/var/www/vhosts/.*/statistics/logs/ --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc --exclude-dir=^/var/lib/spamassassin --exclude-dir=^/var/asl --exclude-dir=^/usr/share/w3af --exclude-dir=^/var/lib/openvas/plugins --exclude-dir=^/home/.*/mail/ --exclude-dir=^/home/.*/tmp/awstats --exclude-dir=^/home/.*/tmp/webalizer -i -r /
Is there any way to stop this with asl?
courier-pop3d: LOGIN FAILED, user=mailscanner, ip=[::ffff:130.185.157.96
I have about 10 pages full of them. My fail2ban doesn't seem to stop the login attempts. I must have set it up wrong or maybe it doesn't work with asl?
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
What's the full log line look like from courier? In other words, is your system really not logging a time stamp? Either way, can you post the full log line for that event with timestamp and any trailing information?
Also, fail2ban is likely interfering with ASL. If it's adding in firewall rules it may be preventing ASL's active response rules from working correctly. You do not need fail2ban if you are using ASL, so at the very least it's redundant.
Michael Shinn
Atomicorp - Security For Everyone
- aslus maximus
- Forum User
- Posts: 59
- Joined: Tue Mar 05, 2013 1:10 pm
- Location: here
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
Sorry, yes it has a time stamp and all the rest of it.
-pop3d: Disconnected, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=admin, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: authentication error: Input/output error
Oct 12 03:45:50 server courier-pop3d: Connection, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server last message repeated 2 times
Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=webmaster, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=oracle8, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=admin, ip=[::ffff:87.103.211.11]
Oct 12 03:45:50 server courier-pop3d: authentication error: Input/output error
Oct 12 03:45:50 server courier-pop3d: Connection, ip=[::ffff:87.103.211.11]
Oct 12 03:45:51 server courier-pop3d: LOGOUT, ip=[::ffff:87.103.211.11]
Oct 12 03:45:51 server courier-pop3d: Disconnected, ip=[::ffff:87.103.211.11]
And at 4:00AM every morning I get this but I think it's some mail log rotation or maintenance task started by plesk?
Time Agent Level ID Event
12 October
04:05:43 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:05:08 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:05:08 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:05:08 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:05:08 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:05:03 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:05:03 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:05:03 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:05:02 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:04:57 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:04:57 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:04:52 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:04:52 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
04:04:52 server 7 5502 server su: pam_unix(su-l:session): session closed for user popuse
04:04:52 server 3 5501 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
I see what's happening: the courier log format is different from what other versions of courier use. Short term, use the attached decoder and we'll update the one in ASL shortly.
ungzip the attached file, which will give you decoder.xml, and copy it over this file:
/var/ossec/etc/decoder.xml
And restart ossec:
service ossec-hids restart
Attachments: decoder.xml.gz (25.53 KiB)
Michael Shinn
Atomicorp - Security For Everyone
- aslus maximus
- Forum User
- Posts: 59
- Joined: Tue Mar 05, 2013 1:10 pm
- Location: here
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
Done. Do I need to set any options in that file or in the gui? Will it stop the login attempts for mail or ftp?
- aslus maximus
- Forum User
- Posts: 59
- Joined: Tue Mar 05, 2013 1:10 pm
- Location: here
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
Do I need to set the right permission on that file, because it would be owned by root now?
Integrity checksum changed for: '/var/ossec/etc/decoder.xml'
Size changed from '97114' to '97144'
Ownership was '0', now it is '10001'
Group ownership was '0', now it is '505'
What changed:
708c70
< <program_name>^pop3d|^courierpop3login|^imaplogin</program_name>
---
> <program_name>^pop3d|^courierpop3login|^imaplogin|^courier-pop3d|^courier-imapd</program_name>
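The syscheck diff above shows exactly why the old decoder missed these events: every branch of the old program_name pattern is anchored with ^, and "courier-pop3d" starts with neither "pop3d" nor "courierpop3login". The script below is an added example, not OSSEC's decoder code or anything from Atomicorp: it re-implements only the program-name test and the failed-login field extraction in Python and runs both patterns over the courier lines posted earlier in the thread, assuming that OSSEC's ^ and | in program_name behave like Python re.search alternations for these simple patterns.

```python
import re

# Program-name patterns before and after the decoder change shown in the
# syscheck diff (OSSEC's own matcher differs from Python re, but for these
# start-anchored alternations the result is the same).
OLD_PROGRAM_NAME = r"^pop3d|^courierpop3login|^imaplogin"
NEW_PROGRAM_NAME = r"^pop3d|^courierpop3login|^imaplogin|^courier-pop3d|^courier-imapd"

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")
# Courier failed-login message; the source is an IPv4-mapped IPv6 address,
# so strip the ::ffff: prefix to get the address a firewall rule would need.
LOGIN_FAILED_RE = re.compile(
    r"^LOGIN FAILED, user=(\S+), ip=\[(?:::ffff:)?([0-9a-fA-F.:]+)\]$")

# Lines copied from the log excerpt posted in this thread (not constructed).
SAMPLE_LINES = [
    "-pop3d: Disconnected, ip=[::ffff:87.103.211.11]",
    "Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=admin, ip=[::ffff:87.103.211.11]",
    "Oct 12 03:45:50 server courier-pop3d: authentication error: Input/output error",
    "Oct 12 03:45:50 server last message repeated 2 times",
    "Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=webmaster, ip=[::ffff:87.103.211.11]",
    "Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=oracle8, ip=[::ffff:87.103.211.11]",
    "Oct 12 03:45:50 server courier-pop3d: LOGIN FAILED, user=admin, ip=[::ffff:87.103.211.11]",
    "Oct 12 03:45:51 server courier-pop3d: LOGOUT, ip=[::ffff:87.103.211.11]",
]


def program_name_matches(pattern, program):
    """True if the syslog program field is accepted by the decoder pattern."""
    return re.search(pattern, program) is not None


def parse_failed_login(line, pattern):
    """Return (user, ip) for a courier failed login the decoder would accept, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # no syslog prefix (e.g. the truncated first line)
    _host, program, msg = m.groups()
    if not program_name_matches(pattern, program):
        return None  # decoder never sees this event: no rule, no active response
    f = LOGIN_FAILED_RE.match(msg)
    return (f.group(1), f.group(2)) if f else None


def count_failed_logins(lines, pattern):
    """Map source IP -> number of failed logins, the count a brute-force rule keys on."""
    counts = {}
    for line in lines:
        hit = parse_failed_login(line, pattern)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts
```

With the old pattern the brute-force attempts are invisible to the decoder; with the new one all four failed logins from 87.103.211.11 are counted, which is what the active-response threshold needs.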
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL.MalwareBlacklist.blekkoz.com.UNOFFICIAL FOUND
Yes, the file permissions should always be set to the originals which are:
-rw-r--r-- 1 root root 97114 Oct 7 15:24 /var/ossec/etc/decoder.xml
Michael Shinn
Atomicorp - Security For Everyone