Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 25

Thread: help with email spamming.

  1. #11
    Join Date
    Aug 2010
    Beans
    40

    Re: help with email spamming.

    ahh, yes much better. so I have a lot of activity to look at here but not a clue what it means.

    This one bothers me a bit.
    2021-11-25 18:52:23.195285 IP 68.94.156.1.53 > 192.168.0.25.56740: 62415 3/0/0 CNAME www.glb.paypal.com., CNAME www-fastly.glb.paypal.com., A 151.101.193.21 (95)

    but I may have made a paypal purchase at that time.

    I do see a lot of large ports but figure maybe I should look for mail stuff

    Code:
    2021-11-25 19:36:25.420502 IP 142.250.9.109.465 > 192.168.0.111.42034: Flags [.], ack 261, win 261, options [nop,nop,TS val 2323951554 ecr 3637127513], length 0
    2021-11-25 19:36:25.420549 IP 142.250.9.109.465 > 192.168.0.111.42034: Flags [.], seq 1:1419, ack 261, win 261, options [nop,nop,TS val 2323951554 ecr 3637127513], length 1418
    2021-11-25 19:36:25.420600 IP 142.250.9.109.465 > 192.168.0.111.42034: Flags [.], seq 1419:2837, ack 261, win 261, options [nop,nop,TS val 2323951554 ecr 3637127513], length 1418
    2021-11-25 19:36:25.420723 IP 142.250.9.109.465 > 192.168.0.111.42034: Flags [.], seq 2837:4255, ack 261, win 261, options [nop,nop,TS val 2323951554 ecr 3637127513], length 1418
    2021-11-25 19:36:25.420730 IP 142.250.9.109.465 > 192.168.0.111.42034: Flags [P.], seq 4255:4277, ack 261, win 261, options [nop,nop,TS val 2323951554 ecr 3637127513], length 22
    
    2021-11-25 19:44:40.246956 IP 87.248.97.12.995 > 192.168.0.31.49653: Flags [.], ack 204, win 15, length 0
    2021-11-25 19:44:40.250097 IP 87.248.97.12.995 > 192.168.0.31.49653: Flags [.], seq 1:1461, ack 204, win 15, length 1460
    2021-11-25 19:44:40.250361 IP 87.248.97.12.995 > 192.168.0.31.49653: Flags [.], seq 1461:2921, ack 204, win 15, length 1460
    2021-11-25 19:44:40.250527 IP 87.248.97.12.995 > 192.168.0.31.49653: Flags [P.], seq 2921:4341, ack 204, win 15, length 1420
    2021-11-25 19:44:41.459477 IP 87.248.97.12.995 > 192.168.0.31.49653: Flags [P.], seq 4461:4570, ack 332, win 15, length 109
    
    2021-11-25 20:00:41.290829 IP 80.12.24.12.993 > 192.168.0.31.51664: Flags [.], ack 515, win 4893, length 0
    2021-11-25 20:00:50.617010 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], ack 208, win 60, length 0
    2021-11-25 20:00:50.621489 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 1:1461, ack 208, win 60, length 1460
    2021-11-25 20:00:50.621759 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 1461:2921, ack 208, win 60, length 1460
    2021-11-25 20:00:50.621998 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 2921:4381, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622223 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 4381:5841, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622523 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 5841:7301, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622745 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 7301:8761, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622778 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 8761:10221, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622804 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 10221:11681, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622853 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 11681:13141, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622904 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 13141:14601, ack 208, win 60, length 1460
    
    2021-11-25 20:00:55.595947 IP 1.1.1.1.53 > 192.168.0.31.53561: 27833 1/0/0 A 104.100.154.143 (54)
    2021-11-25 20:01:18.501763 IP 1.1.1.1.53 > 192.168.0.31.55394: 56497 1/0/0 A 104.100.154.143 (52)
    Strange ports range all over the place
    65215
    2021-11-25 20:02:10.442216 IP 192.168.0.104.64248 > 151.106.6.79.65215: UDP, length 105

    53120
    2021-11-25 20:02:12.105529 IP 192.168.0.27.53120 > 104.244.42.194.443: Flags [.], ack 2372, win 16494, length 0

    61995
    2021-11-25 20:02:10.445756 IP 192.168.0.104.61995 > 18.67.0.77.443: Flags [P.], seq 1310:1334, ack 21516, win 4320, length 24

    saw this - Is this a vnc probe?
    2021-11-25 20:02:10.446044 IP 95.143.179.195.27677 > 192.168.0.25.5900: Flags [P.], seq 1:13, ack 13, win 64228, length 12

    The files is large (1 meg) but this form will not let me attach it compressed 100k. So much in here to look at.

  2. #12
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,101
    Distro
    Ubuntu Development Release

    Re: help with email spamming.

    Quote Originally Posted by ulao3 View Post
    This one bothers me a bit.
    2021-11-25 18:52:23.195285 IP 68.94.156.1.53 > 192.168.0.25.56740: 62415 3/0/0 CNAME www.glb.paypal.com., CNAME www-fastly.glb.paypal.com., A 151.101.193.21 (95)

    but I may have made a paypal purchase at that time.
    That is a DNS lookup response. You can tell by the use of port 53 on the DNS server end.

    Quote Originally Posted by ulao3 View Post
    I do see a lot of large ports but figure maybe I should look for mail stuff

    Code:
    2021-11-25 19:36:25.420502 IP 142.250.9.109.465 > 192.168.0.111.42034: Flags [.], ack 261, win 261, options [nop,nop,TS val 2323951554 ecr 3637127513], length 0
    2021-11-25 19:36:25.420549 IP 142.250.9.109.465 > 192.168.0.111.42034: Flags [.], seq 1:1419, ack 261, win 261, options [nop,nop,TS val 2323951554 ecr 3637127513], length 1418
    2021-11-25 19:36:25.420600 IP 142.250.9.109.465 > 192.168.0.111.42034: Flags [.], seq 1419:2837, ack 261, win 261, options [nop,nop,TS val 2323951554 ecr 3637127513], length 1418
    2021-11-25 19:36:25.420723 IP 142.250.9.109.465 > 192.168.0.111.42034: Flags [.], seq 2837:4255, ack 261, win 261, options [nop,nop,TS val 2323951554 ecr 3637127513], length 1418
    2021-11-25 19:36:25.420730 IP 142.250.9.109.465 > 192.168.0.111.42034: Flags [P.], seq 4255:4277, ack 261, win 261, options [nop,nop,TS val 2323951554 ecr 3637127513], length 22
    
    2021-11-25 19:44:40.246956 IP 87.248.97.12.995 > 192.168.0.31.49653: Flags [.], ack 204, win 15, length 0
    2021-11-25 19:44:40.250097 IP 87.248.97.12.995 > 192.168.0.31.49653: Flags [.], seq 1:1461, ack 204, win 15, length 1460
    2021-11-25 19:44:40.250361 IP 87.248.97.12.995 > 192.168.0.31.49653: Flags [.], seq 1461:2921, ack 204, win 15, length 1460
    2021-11-25 19:44:40.250527 IP 87.248.97.12.995 > 192.168.0.31.49653: Flags [P.], seq 2921:4341, ack 204, win 15, length 1420
    2021-11-25 19:44:41.459477 IP 87.248.97.12.995 > 192.168.0.31.49653: Flags [P.], seq 4461:4570, ack 332, win 15, length 109
    
    2021-11-25 20:00:41.290829 IP 80.12.24.12.993 > 192.168.0.31.51664: Flags [.], ack 515, win 4893, length 0
    2021-11-25 20:00:50.617010 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], ack 208, win 60, length 0
    2021-11-25 20:00:50.621489 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 1:1461, ack 208, win 60, length 1460
    2021-11-25 20:00:50.621759 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 1461:2921, ack 208, win 60, length 1460
    2021-11-25 20:00:50.621998 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 2921:4381, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622223 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 4381:5841, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622523 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 5841:7301, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622745 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 7301:8761, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622778 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 8761:10221, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622804 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 10221:11681, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622853 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 11681:13141, ack 208, win 60, length 1460
    2021-11-25 20:00:50.622904 IP 77.238.185.51.993 > 192.168.0.31.51804: Flags [.], seq 13141:14601, ack 208, win 60, length 1460
    
    2021-11-25 20:00:55.595947 IP 1.1.1.1.53 > 192.168.0.31.53561: 27833 1/0/0 A 104.100.154.143 (54)
    2021-11-25 20:01:18.501763 IP 1.1.1.1.53 > 192.168.0.31.55394: 56497 1/0/0 A 104.100.154.143 (52)
    O.K. so you have identified 192.168.0.111 as the source in the first example; 192.168.0.31 in the second and third examples. The 4th example are more DNS packets. Which sessions might be bad and which legitimate, I don't know, but assume you can correlate with expected email activity to deduce.

    Quote Originally Posted by ulao3 View Post
    Strange ports range all over the place
    65215
    2021-11-25 20:02:10.442216 IP 192.168.0.104.64248 > 151.106.6.79.65215: UDP, length 105

    53120
    2021-11-25 20:02:12.105529 IP 192.168.0.27.53120 > 104.244.42.194.443: Flags [.], ack 2372, win 16494, length 0

    61995
    2021-11-25 20:02:10.445756 IP 192.168.0.104.61995 > 18.67.0.77.443: Flags [P.], seq 1310:1334, ack 21516, win 4320, length 24

    saw this - Is this a vnc probe?
    2021-11-25 20:02:10.446044 IP 95.143.179.195.27677 > 192.168.0.25.5900: Flags [P.], seq 1:13, ack 13, win 64228, length 12

    The files is large (1 meg) but this form will not let me attach it compressed 100k. So much in here to look at.
    I do not know why 192.168.0.104 might be communicating with 151.106.79 on high port numbers.
    192.168.0.27 has a HTTPS session going with 18.67.0.77. The source port number is meaningless, and is used just for traffic control for the session.
    Yes, 192.168.0.25 might have a VNC session going. Port 5900 is typically a default 1st VNC session port. You would have to extract more packets to know more, but it isn't a SYN packet, so has the appearance of an in progress tcp session. If it was the session initiator, I do not know how 95.143.179.195 might have become FORWARDed to 192.168.0.25 in the first place.
    Last edited by Doug S; November 27th, 2021 at 07:58 PM.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  3. #13
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    15,652
    Distro
    Kubuntu Development Release

    Re: help with email spamming.

    Quote Originally Posted by ulao3 View Post
    I thought maybe I could use iptables like
    Code:
    iptables -A INPUT -p tcp -s 192.168.0.0/25 --dport 25 -j LOG --log-level debug
    and tail -f /var/log/kern.log and there I see a few messages once a second but it looks like my FW is blocking it.[/code]
    No, it's not blocking anything of the sort. Look at the destination ports "DPT" in the log file. None of them are 25, or 465, or 587.

    Code:
    Nov 24 14:38:48 ubuntuspawn kernel: [6630908.886197] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=185.219.52.172 DST=[myIP] LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=38447 DF PROTO=TCP SPT=41304 DPT=5927 WINDOW=0 RES=0x00 RST URGP=0
    Nov 24 14:38:54 ubuntuspawn kernel: [6630915.201554] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=46.232.211.193 DST=[myIP] LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=24534 DF PROTO=TCP SPT=37905 DPT=40945 WINDOW=64240 RES=0x00 SYN URGP=0
    You had the glimmerings of a good idea by trying to block outbound traffic to port 25. The problem is where is the rule placed. Do you have a Linux box running as your router where you can add iptables rules that apply to the entire network? If all the clients talk to an ordinary router, then you'd need to be able to add the rule there. Depends on the brand and model.

    BTW, the "--log-prefix" parameter to iptables lets you label specific rules in the log.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  4. #14
    Join Date
    Aug 2010
    Beans
    40

    Re: help with email spamming.

    yeah my linux server is my router with two nics...

    I use iptable and have routs for my vnc like so.
    Code:
    iptables -t nat -A PREROUTING -i enp0s2 -p tcp --dport 5925 -j DNAT --to-destination 192.168.0.25:5900
    and I used to do my blocking in there but moved to ufw, I have a few choice blocking going on.

    Code:
    To                         Action      From
    --                         ------      ----
    443/tcp                    ALLOW       Anywhere
    22/tcp                     ALLOW       Anywhere
    80/tcp                     ALLOW       Anywhere
    21/tcp                     ALLOW       Anywhere
    Samba                      ALLOW       Anywhere
    Apache                     ALLOW       Anywhere
    Apache Full                ALLOW       Anywhere
    5919                       ALLOW       Anywhere
    5901                       DENY        Anywhere
    5904                       DENY        Anywhere
    5902                       DENY        Anywhere
    5903                       DENY        Anywhere
    5905                       DENY        Anywhere
    5906                       DENY        Anywhere
    5907                       DENY        Anywhere
    5910:5931/tcp              ALLOW       Anywhere
    443/tcp (v6)               ALLOW       Anywhere (v6)
    22/tcp (v6)                ALLOW       Anywhere (v6)
    80/tcp (v6)                ALLOW       Anywhere (v6)
    21/tcp (v6)                ALLOW       Anywhere (v6)
    Apache (v6)                ALLOW       Anywhere (v6)
    Apache Full (v6)           ALLOW       Anywhere (v6)
    Samba (v6)                 ALLOW       Anywhere (v6)
    5919 (v6)                  ALLOW       Anywhere (v6)
    5901 (v6)                  DENY        Anywhere (v6)
    5904 (v6)                  DENY        Anywhere (v6)
    5902 (v6)                  DENY        Anywhere (v6)
    5903 (v6)                  DENY        Anywhere (v6)
    5905 (v6)                  DENY        Anywhere (v6)
    5906 (v6)                  DENY        Anywhere (v6)
    5907 (v6)                  DENY        Anywhere (v6)
    5910:5931/tcp (v6)         ALLOW       Anywhere (v6)
    
    53,113,123/udp             ALLOW OUT   Anywhere
    53,113,123/udp (v6)        ALLOW OUT   Anywhere (v6)

    O.K. so you have identified 192.168.0.111 as the source in the first example
    You mean the source of the mail issue?

  5. #15
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,101
    Distro
    Ubuntu Development Release

    Re: help with email spamming.

    Quote Originally Posted by ulao3 View Post
    You mean the source of the mail issue?
    I have no way of knowing. I'll rephrase: It is email traffic involving 192.168.0.111. You will have to determine is it legitimate email or bad guy
    stuff.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  6. #16
    Join Date
    Aug 2010
    Beans
    40

    Re: help with email spamming.

    ahh, then maybe I need to close email clients, and or do not do email activity for x hours, and run this again.

    is there a way to use the commands above filter 192.168.0.31 and port 993 ?
    and woudl there be a way to echo these details to the screen so I can see it live?

    UPDATE using this tcpdump -n -tttt -i enp3s5 port 993


    seem to do what I need to investigate with this pc
    Last edited by ulao3; November 28th, 2021 at 05:08 PM.

  7. #17
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,101
    Distro
    Ubuntu Development Release

    Re: help with email spamming.

    Quote Originally Posted by ulao3 View Post
    is there a way to use the commands above filter 192.168.0.31 and port 993 ?
    and woudl there be a way to echo these details to the screen so I can see it live?

    UPDATE using this tcpdump -n -tttt -i enp3s5 port 993
    Yes, exactly. Once things get narrowed down and we have some idea what we are looking for, then yes the next step is exactly what you have done.

    EDIT: You could also run multiple tcpdump sessions, one per terminal, watching other ports at the same time:
    Code:
     tcpdump -n -tttt  -i enp3s5 port 465
    you could also re-process the previously captured data with increased focus:
    Code:
    $ for f in int*.bin; do tcpdump -n -tttt -r $f port 993 >>port993.txt; done
    Last edited by Doug S; November 28th, 2021 at 06:42 PM.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  8. #18
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    15,652
    Distro
    Kubuntu Development Release

    Re: help with email spamming.

    Quote Originally Posted by ulao3 View Post
    and I used to do my blocking in there but moved to ufw, I have a few choice blocking going on.
    There are no rules in the list you presented that block outbound traffic to TCP ports 25, 465, and 587.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  9. #19
    Join Date
    Aug 2010
    Beans
    40

    Re: help with email spamming.

    Doug, thx for all the help, its
    https://en.wikipedia.org/wiki/Trojan:Win32/Agent
    and its all over the place... A rely nasty one to remove. KS is able to find it but it likes to come back. I think I got it from here, this all really helped allot thx!

  10. #20
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,101
    Distro
    Ubuntu Development Release

    Re: help with email spamming.

    Quote Originally Posted by ulao3 View Post
    Doug, thx for all the help, its
    https://en.wikipedia.org/wiki/Trojan:Win32/Agent
    and its all over the place... A rely nasty one to remove. KS is able to find it but it likes to come back. I think I got it from here, this all really helped allot thx!
    Thanks for reporting back.

    When you say you "got it from here" what do you mean? Do you mean from these forums? If yes, I don't think so.
    Also, what is "KS"?
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

Page 2 of 3 FirstFirst 123 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •