One for the technorati:

For the past few months I've been seeing the following message appear in my logs fairly frequently:

    Jul 29 08:45:54 SamsungBlue postfix/smtpd[28632]: warning: Illegal address syntax from localhost[::1] in MAIL command: <SRS0=KqpXd=PB=ninus.ocn.ne.jp="toki214."@hpcoders.com.au>
    Jul 29 08:45:54 SamsungBlue postfix/smtpd[28632]: warning: Illegal address syntax from localhost[::1] in MAIL command: <SRS0=kc6Up=RN=globe.ocn.ne.jp="bello."@hpcoders.com.au>

What it is saying is that something on my localhost (a laptop) is attempting to send email to an invalid email address, the rather bizarre globe.ocn.ne.jp="bello."@hpcoders.com.au

I'm guessing this is some sort of attempted mail relay, but I can't see a rogue process on the system, and the SMTP port is blocked externally, so it's not coming from outside AFAICT. Also, I cannot see any suspicious files hanging around in the postfix staging directory /var/spool/postfix.

The problem persists through booting.

Has anyone seen anything like this before? Nothing turns up on Google.

Cheers

-- 
----------------------------------------------------------------------------
Dr Russell Standish                    Phone 0425 253119 (mobile)
Principal, High Performance Coders
Visiting Senior Research Fellow        [hidden email]
Economics, Kingston University         http://www.hpcoders.com.au
----------------------------------------------------------------------------

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
If you search on ninus.ocn.ne.jp, you get lots of spam warnings. If coerced, I'd guess that you have a program on your machine or in your network that's trying to send out those spam emails. Perhaps you're part of a botnet?

On 07/28/2016 03:54 PM, Russell Standish wrote:
> I'm guessing this is some sort of attempted mail relay, but I can't
> see a rogue process on the system, and the SMTP port is blocked
> externally, so it's not coming from outside AFAICT.

-- 
☣ glen
Frankly I can't wait until our systems all are as fluxed with symbiotic-ware (what is the benign form of malware) as our own personal biomes... maybe we are already on our way down that road?

Does anyone track Stephanie Forrest's computer immune systems?

I'm betting we have some evolutionary biologists here as well?

On 7/28/16 5:15 PM, glen ☣ wrote:
> If you search on ninus.ocn.ne.jp, you get lots of spam warnings. If
> coerced, I'd guess that you have a program on your machine or in your
> network that's trying to send out those spam emails. Perhaps you're
> part of a botnet?
For the analogy to work, we'd have to use corewars or tierra or somesuch. The ben-ware, in competing for the available resources, prevent the mal-ware population from exploding. And we'd have some who had to take regular ben-ware supplements in order to mitigate irritable-output-syndrome and cpu-overgrowth-syndrome.

Personally, I use the analog of frequent, broad-spectrum, antibiotic treatments ... on my phone, at least. Nothing beats a ROM wipe every week or two to keep your system clean!

On 07/28/2016 04:45 PM, Steven A Smith wrote:
> Frankly I can't wait until our systems all are as fluxed with symbiotic-ware (what is the benign form of malware) as our own personal biomes... maybe we are already on our way down that road?
On Thu, Jul 28, 2016 at 04:15:21PM -0700, glen ☣ wrote:
> If you search on ninus.ocn.ne.jp, you get lots of spam warnings. If coerced, I'd guess that you have a program on your machine or in your network that's trying to send out those spam emails. Perhaps you're part of a botnet?

That's what bothers me. But I can't seem to find anything about it.

BTW - this is an openSUSE linux system.

Cheers
Russ, if it's a browser thing, Chrome has a known issue where even on linux extensions (try to) hijack, put in malware, etc. Quite a few threads about this issue. I don't know what kind of malware and adware gets to linux. Did you check forums to see if it's (relatively) normal, or how your log files get formatted, etc.?

On Thu, Jul 28, 2016 at 7:05 PM, Russell Standish <[hidden email]> wrote:
> That's what bothers me. But I can't seem to find anything about it.
>
> BTW - this is an openSUSE linux system.
This may help:
http://security.stackexchange.com/questions/11558/how-can-i-find-the-process-that-is-trying-to-use-smtp-to-send-email

The postfix option debug_peer_level may help, though the man page says it's for remote clients.

On July 28, 2016 6:05:35 PM PDT, Russell Standish <[hidden email]> wrote:
> That's what bothers me. But I can't seem to find anything about it.
>
> BTW - this is an openSUSE linux system.
Thanks - I'll try that suggestion...
On Thu, Jul 28, 2016 at 07:23:37PM -0700, glen wrote:
> This may help:
> http://security.stackexchange.com/questions/11558/how-can-i-find-the-process-that-is-trying-to-use-smtp-to-send-email
>
> The postfix option debug_peer_level may help, though the man page says it's for remote clients.
Mystery solved!
It was all a bit more innocuous than it first appeared. There were two messages stuck in the inbox of my POP server, which because they had malformed return addresses could not be downloaded nor deleted from the pop server, so there they stayed, unread by anyone. Postfix was writing a message to the log complaining about the malformed address.

I was able to web mail into the pop server directly, and after a bit of fiddling with the unfamiliar interface, managed to delete them. They were just the usual run-of-the-mill Nigerian-style scam letters, nothing to be too worried about.

Cheers

On Fri, Jul 29, 2016 at 03:06:20PM +1000, Russell Standish wrote:
> Thanks - I'll try that suggestion...
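A note on reading the warning, with an added example that is not code from the thread or from any poster. The warning names the SMTP client that issued the bad MAIL FROM, and localhost[::1] means that client was a process on the laptop itself; the thread does not say which one, and the reading that a local mail fetcher was handing POP-retrieved messages to smtpd (which fits the resolution above) is an assumption here, used only as a label. The address is illegal because RFC 5321 allows a quoted string only as the entire local part, whereas the SRS0 tag a forwarder prepended to the original sender left "toki214." embedded inside an otherwise unquoted local part. The script below parses such warnings, reports which grammar rule the local part breaks, unpacks the SRS0 tag to recover the sender the forwarder rewrote, and decodes the two-character SRS timestamp (days since the epoch mod 1024, base32, most significant character first, as libsrs2 writes it). The sample log lines are constructed: the first two follow the lines quoted in the thread, the third is invented to show a different failure from a remote client. THREAD_DATE is assumed from the posting date, because syslog lines carry no year and the timestamp only fixes a day within a 1024-day window.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed sample log lines: the first two follow the lines quoted in the
# thread, the third is invented to show a different failure from a remote client.
SAMPLE_LOG = """\
Jul 29 08:45:54 SamsungBlue postfix/smtpd[28632]: warning: Illegal address syntax from localhost[::1] in MAIL command: <SRS0=KqpXd=PB=ninus.ocn.ne.jp="toki214."@hpcoders.com.au>
Jul 29 08:45:54 SamsungBlue postfix/smtpd[28632]: warning: Illegal address syntax from localhost[::1] in MAIL command: <SRS0=kc6Up=RN=globe.ocn.ne.jp="bello."@hpcoders.com.au>
Jul 29 09:02:11 SamsungBlue postfix/smtpd[28640]: warning: Illegal address syntax from mail.example.net[203.0.113.7] in MAIL command: <"unterminated@example.org>
"""

# Assumed reference date: syslog lines carry no year, so the thread's posting
# date is used to place the SRS timestamps, which only fix a day mod 1024.
THREAD_DATE = date(2016, 7, 29)

WARN_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: Illegal address syntax from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\] in (?P<cmd>MAIL|RCPT) command: <(?P<addr>.*)>\s*$"
)

# RFC 5321 section 4.1.2: Local-part = Dot-string / Quoted-string
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_STRING_RE = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")
QUOTED_STRING_RE = re.compile(r'^"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"$')

# SRS0=<hash>=<timestamp>=<original domain>=<original local part>
SRS0_RE = re.compile(r"^SRS0[=+-](?P<hash>[^=]+)=(?P<ts>[^=]+)=(?P<domain>[^=]+)=(?P<local>.*)$")
SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
LOOPBACK = {"127.0.0.1", "::1"}


def local_part_problem(local: str) -> Optional[str]:
    """Return None if local is a valid RFC 5321 Local-part, otherwise why not."""
    if DOT_STRING_RE.match(local) or QUOTED_STRING_RE.match(local):
        return None
    if not local:
        return "empty local part"
    if local.startswith('"'):
        return "unterminated or malformed Quoted-string"
    if '"' in local:
        return "quote inside a Dot-string (a quote may only enclose the whole local part)"
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return "leading, trailing or doubled dot in Dot-string"
    return "character outside the Dot-string alphabet"


def srs_timestamp_to_date(ts: str, ref: date = THREAD_DATE) -> Optional[date]:
    """Decode an SRS timestamp: days since 1970-01-01 mod 1024, two base32
    characters, most significant first. Returns the latest such day on or
    before ref, since the encoding wraps every 1024 days."""
    if len(ts) != 2 or any(c.upper() not in SRS_BASE32 for c in ts):
        return None
    value = SRS_BASE32.index(ts[0].upper()) * 32 + SRS_BASE32.index(ts[1].upper())
    ref_days = (ref - date(1970, 1, 1)).days
    return date(1970, 1, 1) + timedelta(days=ref_days - (ref_days - value) % 1024)


@dataclass
class Finding:
    pid: int
    client_ip: str
    origin: str                    # "loopback": a process on this host; else "remote"
    address: str
    problem: str                   # which part of the grammar the address breaks
    srs_original: Optional[str]    # sender the forwarder rewrote, if SRS0-tagged
    srs_day: Optional[date]        # day of the rewrite, if the timestamp decodes


def triage_line(line: str, ref: date = THREAD_DATE) -> Optional[Finding]:
    m = WARN_RE.search(line)
    if m is None:
        return None                # not an illegal-address warning
    addr = m["addr"]
    local, sep, _domain = addr.rpartition("@")
    problem = "no @ separator" if not sep else (local_part_problem(local) or "domain part")
    srs_original = srs_day = None
    s = SRS0_RE.match(local)
    if s:
        srs_original = f'{s["local"]}@{s["domain"]}'
        srs_day = srs_timestamp_to_date(s["ts"], ref)
    return Finding(int(m["pid"]), m["ip"], "loopback" if m["ip"] in LOOPBACK else "remote",
                   addr, problem, srs_original, srs_day)


def triage(log_text: str, ref: date = THREAD_DATE) -> List[Finding]:
    found = (triage_line(line, ref) for line in log_text.splitlines())
    return [f for f in found if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"smtpd[{f.pid}] {f.origin} client {f.client_ip}: {f.problem}")
        if f.srs_original:
            print(f"    SRS0 rewrite of {f.srs_original} on about {f.srs_day}")
```

Run as is, it prints one line per warning. For the two lines quoted in the thread it reports a loopback client, the quote-inside-Dot-string problem, the rewritten senders "toki214."@ninus.ocn.ne.jp and "bello."@globe.ocn.ne.jp, and rewrite days in March and May 2016, which agrees with "the past few months". Point it at a real mail log (mail.log or journalctl -u postfix output) and any finding whose origin is "remote" is a different situation from this thread: a remote client, not something on the host, was speaking SMTP to smtpd.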