[CentOS] Help: Server security compromised?

Wed Aug 6 05:48:00 UTC 2008
Noob Centos Admin <centos.admin at gmail.com>

Hi,

Need some help about this as it's gotten me really concerned.

I'm probably reading too much into this but for about two weeks now my daily
log has increased by almost 10 times.

After running through a couple of days of logs with a script, it seems that
I'm getting flooded on SMTP from this IP,
219.64.114.52, which belongs to VSNL and appears to be a statically assigned IP
(219.64.114.52.chn.bb-static.vsnl.net). This IP address is apparently listed
in the spamhaus.org Policy Block List, eXploit Block List and Composite
Block List, which basically indicates it's either an open proxy or a
hijacked system.

I'm not sure what it's trying to do, but for exactly 10 hours a day, which
corresponds to India 9:30am or so until 7pm or so, I will get massive amounts
of SMTP connections from this host. It will attempt to masquerade as domains
on my server while trying to send to non-existent accounts on these domains.

2008-08-06 13:32:58 H=(****.com) [219.64.114.52] F=<lnyz at hush.com>
rejected RCPT <484f6f23.8020304@****.com>:
2008-08-06 13:32:58 H=(****.com) [219.64.114.52] incomplete
transaction (connection lost) from <djclg at hotmail.com>
2008-08-06 13:32:58 unexpected disconnection while reading SMTP
command from (****.com) [219.64.114.52]
2008-08-06 13:32:58 H=(****.com) [219.64.114.52]
F=<48720243.8060909@****.com> rejected RCPT <285.8030501@****.com>:
2008-08-06 13:32:58 H=(****.com) [219.64.114.52] incomplete
transaction (connection lost) from <lnyz at hush.com>
2008-08-06 13:32:58 unexpected disconnection while reading SMTP
command from (****.com) [219.64.114.52]
At this point, I thought it was just a case of dedicated spamming, until I
decided I had had enough of multi-megabyte daily logs flooding my mailbox, plus
the fact it was probably contributing to an increased server load in the past
weeks as the mail daemon had to handle the connections.

So I thought I could just block the IP using iptables.

I had a bad experience locking myself out by accident after editing the
iptables file, so this time I decided to test from the command line first
using instructions from the Internet like this:

/sbin/iptables -A RH-Firewall-1-INPUT -s 219.64.114.52 -j DROP

and I got an error that chain/command

/sbin/iptables -L produces "blank" output

[root at myserver confused]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
which was of course a shock to me, since that seems to say that my server
firewall is basically non-existent.

I did a /sbin/service iptables restart and iptables -L produced the expected
output showing all the rules on file. I could then add the new rule from the
command line without any messages.

Minutes later, my tail -f on the exim log started spewing the smtp messages
AGAIN.

iptables -L again shows NO RULES

Every time I restart iptables, for a short while the rules are there. But
minutes later, it's wiped. So I'm very concerned that the server has been
compromised and something is wiping my iptables.

Or am I just badly mistaken about the way iptables -L is supposed to work?

If not, what should I do next to find and eliminate this problem? Thanks in
advance for any advice!
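The per-source tally the poster describes running over the exim log, as an added example that is not part of the original post: it parses exim main-log "rejected RCPT" lines of the shape quoted above, counts rejections per connecting IP, flags HELO names that claim one of the server's own domains (the masquerading the post mentions), and lists sources over a threshold. The sample log, the LOCAL_DOMAINS set and the second IP are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the exim main-log lines quoted in the post
# (hostnames, local-parts and the second source IP are placeholders, not real data).
SAMPLE_LOG = """\
2008-08-06 13:32:58 H=(example.com) [219.64.114.52] F=<lnyz@hush.com> rejected RCPT <484f6f23.8020304@example.com>:
2008-08-06 13:32:58 H=(example.com) [219.64.114.52] incomplete transaction (connection lost) from <djclg@hotmail.com>
2008-08-06 13:32:58 unexpected disconnection while reading SMTP command from (example.com) [219.64.114.52]
2008-08-06 13:32:58 H=(example.com) [219.64.114.52] F=<48720243.8060909@example.com> rejected RCPT <285.8030501@example.com>:
2008-08-06 13:32:59 H=(mail.partner.test) [203.0.113.9] F=<bob@partner.test> rejected RCPT <nobody@example.com>:
2008-08-06 13:33:00 H=(example.com) [219.64.114.52] F=<x@y.test> rejected RCPT <zzz@example.com>:
"""

# Assumption: the domains this server hosts; an outside host announcing one
# of these in HELO is forging its identity.
LOCAL_DOMAINS = {"example.com"}

# Matches only the "rejected RCPT" lines; the "incomplete transaction" and
# "unexpected disconnection" lines are deliberately ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=\((?P<helo>[^)]*)\) \[(?P<ip>[0-9.]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>"
)


def summarize(log_text, local_domains=LOCAL_DOMAINS, threshold=3):
    """Per-IP rejected-RCPT counts, forged-HELO counts, targeted domains,
    and the sorted list of IPs at or above the rejection threshold."""
    rejects = Counter()
    helo_spoof = Counter()
    targeted = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        rejects[ip] += 1
        if m["helo"].lower() in local_domains:
            helo_spoof[ip] += 1
        targeted[ip].add(m["rcpt"].split("@")[-1].lower())
    offenders = sorted(ip for ip, n in rejects.items() if n >= threshold)
    return {"rejects": dict(rejects), "helo_spoof": dict(helo_spoof),
            "targeted": {ip: sorted(d) for ip, d in targeted.items()},
            "offenders": offenders}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real system the same function can be fed the contents of exim's main log instead of SAMPLE_LOG; the "offenders" list is what you would check against the blocklists before deciding on a firewall rule.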