How to hunt down a botnet?

Cerulean ([H]F Junkie, joined Jul 27, 2006)
So my supervisor sent me an e-mail with a link to a spamcop.net page that contained the following:

255.255.255.255 = external internet IP address of our firewall at Rackspace; I made it up so as to hide our actual external IP and not publish it here on the forums in public
SpamCop v 4.7.0.111 © 1992-2013 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Return-Path: [email protected]
Received: from [255.255.255.255] ([255.255.255.255])
by mail.kabis.net
; Fri, 15 Mar 2013 08:48:25 -0700
Received: from apache by cabrioletrepuestos.com.ar with local (Exim 4.67)
(envelope-from <[email protected]>)
id 58XHC1-6S0Q7J-W2
for <x>
Cc: <x>; Fri, 15 Mar 2013 09:48:25 -0600
To: <x>
Cc: <x>
Subject: Direct Deposit payment ID 437915564773 rejected
X-PHP-Script: cabrioletrepuestos.com.ar/sendmail.php for 255.255.255.255
From: =?koi8-r?B?IufFzs7BxMnKLvHLz9fMxddAZGlyZWN0Lm5hY2hhLm9yZyI=?=
<[email protected]>
X-Sender: =?koi8-r?B?IufFzs7BxMnKLvHLz9fMxddAZGlyZWN0Lm5hY2hhLm9yZyI=?=
<[email protected]>
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------09050200507010303040808"
Message-Id: <[email protected]>
Date: Fri, 15 Mar 2013 09:48:25 -0600

Parsing header:
0: Received: from [255.255.255.255] ([255.255.255.255]) by mail.kabis.net ; Fri, 15 Mar 2013 08:48:25 -0700
No unique hostname found for source: 255.255.255.255
kabis.org received mail from sending system 255.255.255.255

Tracking message source: 255.255.255.255:
Routing details for 255.255.255.255
Cached whois for 255.255.255.255 : [email protected]
Using abuse net on [email protected]
abuse net rackspace.com = [email protected]
Using best contacts [email protected]
Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Fri, 15 Mar 2013 08:48:25 -0700
Message is 4.0 days old
255.255.255.255 not listed in dnsbl.njabl.org ( 127.0.0.8 )
255.255.255.255 not listed in dnsbl.njabl.org ( 127.0.0.9 )
255.255.255.255 listed in cbl.abuseat.org ( 1 )
255.255.255.255 is an open proxy
255.255.255.255 not listed in accredit.habeas.com
255.255.255.255 not listed in plus.bondedsender.org
255.255.255.255 not listed in iadb.isipp.com
Finding links in message body
Recurse multipart:
Parsing text part
Parsing HTML part
Resolving link obfuscation
http://twowaysociety.nl/wp-content/plugins/wp_mod/wps.php?nacha
Tracking link: http://twowaysociety.nl/wp-content/plugins/wp_mod/wps.php?nacha
No recent reports, no history available
Host twowaysociety.nl (checking ip) = 85.158.203.17
Resolves to 85.158.203.17
Routing details for 85.158.203.17
Cached whois for 85.158.203.17 : [email protected]
Using abuse net on [email protected]
No abuse net record for cyso.net
Using best contacts [email protected]
Finding IP block owner:
Routing details for 255.255.255.255
Cached whois for 255.255.255.255 : [email protected]
Using abuse net on [email protected]
abuse net rackspace.com = [email protected]
Using best contacts [email protected]
Reports regarding this spam have already been sent:
Re: 255.255.255.255 (Administrator of network where email originates)
Reportid: 5924088135 To: [email protected]
If reported today, reports would be sent to:

Re: 255.255.255.255 (Administrator of IP block - statistics only)

[email protected]

Re: http://twowaysociety.nl/wp-content/plugins/wp_m... (Administrator of network hosting website referenced in spam)

[email protected]

Here is the full message:
################################################################################
Return-Path: [email protected]
Received: from [255.255.255.255] ([255.255.255.255])
by mail.kabis.net
; Fri, 15 Mar 2013 08:48:25 -0700
Received: from apache by cabrioletrepuestos.com.ar with local (Exim 4.67)
(envelope-from <[email protected]>)
id 58XHC1-6S0Q7J-W2
for <x>
Cc: <x>; Fri, 15 Mar 2013 09:48:25 -0600
To: <x>
Cc: <x>
Subject: Direct Deposit payment ID 437915564773 rejected
X-PHP-Script: cabrioletrepuestos.com.ar/sendmail.php for 255.255.255.255
From: =?koi8-r?B?IufFzs7BxMnKLvHLz9fMxddAZGlyZWN0Lm5hY2hhLm9yZyI=?=
<[email protected]>
X-Sender: =?koi8-r?B?IufFzs7BxMnKLvHLz9fMxddAZGlyZWN0Lm5hY2hhLm9yZyI=?=
<[email protected]>
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------09050200507010303040808"
Message-Id: <[email protected]>
Date: Fri, 15 Mar 2013 09:48:25 -0600

This is a multi-part message in MIME format.
--------------09050200507010303040808
Content-Type: text/plain; charset="us-ascii"; format=flowed

Attn: Chief Accountant

We regret to inform you, that your most recent Direct Deposit via ACH transaction (Int. No.563699049977) was rejected,because your business software package was out of date. The details regarding this matter are available in our secure section::

Click here for more information

Please refer to your financial institution to acquire your updated version of the software needed.

Sincerely yours

ACH Network Rules Department
NACHA - The Electronic Payments Association

19777 Sunrise Valley Drive, Suite 336
Herndon, VA 20170
Phone: 703-561-6679 Fax: 703-787-3660

--------------09050200507010303040808
Content-Type: text/html; charset="windows-1250"

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#ffffff" text="#000000">
Attn: Chief Accountant<BR><BR>

We regret to inform you, that your most recent Direct Deposit via ACH transaction (Int. No.563699049977) was rejected,because your business software package was out of date. The details regarding this matter are available in our secure section::<BR><BR>

<a href="http://twowaysociety.nl/wp-content/plugins/wp_mod/wps.php?nacha" title="Details">Click here for more information</a>
<BR><BR>
Please refer to your financial institution to acquire your updated version of the software needed.
<BR><BR>
Sincerely yours
<BR><BR>

ACH Network Rules Department<BR>
NACHA - The Electronic Payments Association<BR>
<BR><BR>
19777 Sunrise Valley Drive, Suite 336<BR>
Herndon, VA 20170<BR>
Phone: 703-561-6679 Fax: 703-787-3660<BR>

</body>
</html>

--------------09050200507010303040808--

According to my supervisor, our IP address is not shared with anyone else and belongs to our own private pool at Rackspace. Behind this IP there is only our equipment. We have a big vSphere-based setup in this private pool.

This is my question: how should I trace this down, since all I have is that 4 days ago some spam left 255.255.255.255? While spamcop.net says 255.255.255.255 is an open relay, my supervisor says this is not true, as he checked the firewall device (255.255.255.255) to make sure ports were locked down and that there wasn't anything strange.

I did an Intense Scan plus a TCP and UDP port scan on 255.255.255.255 from my laptop at my apartment, and it found literally nothing (0/zero/nada/zilch). I can't do it from my work laptop because ICMP seems to be blocked when I try to scan 255.255.255.255 from inside the network (I might get different results if I do it from one of the VMs, which I will proceed to do soon).

EDIT: I can tell you that we do have an Exchange server, but we are not using it for real e-mail yet because we have yet to migrate from our very old IceWarp server (which runs off a totally different external IP and subnet, and is physically located at a local DC in town). In addition, every week we reset all our VDIs.

EDIT2: My supervisor has observed this to happen unpredictably. It might send out a handful of messages one day, and then go dark for 5-7 or so days before doing it again. Every time it is a different message, and to a different recipient.
 
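A worked pass over the headers quoted in that post, added here by the editor and not part of the original thread: it walks the Received chain from the earliest hop upward, pulls the bracketed IP out of each hop, decodes the RFC 2047 koi8-r/base64 From header, and splits the X-PHP-Script header into script and client. The sample headers are the ones quoted above, re-folded with leading whitespace because the paste had flattened the continuation lines (the stray `Cc: <x>; Fri, ...` fragment is folded back into the second Received header). Redactions from the thread (`[email protected]`, `<x>`, the masked IP) are left exactly as they appear.

```python
import base64
import quopri
import re
from email import message_from_string

# Constructed sample: the headers quoted in the post, re-folded so the
# stdlib parser accepts the continuation lines. Redactions are kept as-is.
SAMPLE = """\
Return-Path: [email protected]
Received: from [255.255.255.255] ([255.255.255.255])
    by mail.kabis.net
    ; Fri, 15 Mar 2013 08:48:25 -0700
Received: from apache by cabrioletrepuestos.com.ar with local (Exim 4.67)
    (envelope-from <[email protected]>)
    id 58XHC1-6S0Q7J-W2
    for <x>; Fri, 15 Mar 2013 09:48:25 -0600
To: <x>
Subject: Direct Deposit payment ID 437915564773 rejected
X-PHP-Script: cabrioletrepuestos.com.ar/sendmail.php for 255.255.255.255
From: =?koi8-r?B?IufFzs7BxMnKLvHLz9fMxddAZGlyZWN0Lm5hY2hhLm9yZyI=?= <[email protected]>
X-Mailer: PHP
Date: Fri, 15 Mar 2013 09:48:25 -0600

(body omitted)
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<src>\S+)(?:\s+\([^)]*\))?\s+by\s+(?P<dst>\S+)")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENCODED_WORD_RE = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")


def received_hops(raw):
    """Return the Received chain oldest-first.

    Each MTA prepends its own Received header, so the last header in the
    message is the first hop. Only the hop written by a server you trust
    (here mail.kabis.net, on the recipient's side) is reliable; every hop
    below it was supplied by the sender and may be forged.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        m = HOP_RE.search(flat)
        ip = IPV4_RE.search(flat)
        hops.append({
            "from": m["src"] if m else None,
            "by": m["dst"] if m else None,
            "ip": ip.group(1) if ip else None,
            "raw": flat,
        })
    return hops


def decode_rfc2047(value):
    """Decode =?charset?B|Q?payload?= encoded words in a header value."""
    def repl(m):
        charset, enc, payload = m.group(1), m.group(2).upper(), m.group(3)
        if enc == "B":
            data = base64.b64decode(payload)
        else:
            data = quopri.decodestring(payload.encode("ascii"), header=True)
        try:
            return data.decode(charset, errors="replace")
        except LookupError:  # unknown charset label: show the bytes anyway
            return data.decode("latin-1")
    return ENCODED_WORD_RE.sub(repl, value)


def php_script_origin(raw):
    """Split 'X-PHP-Script: host/script for client' into its parts.

    Hosts that add this header put the invoked script first; the address
    after 'for' is usually the HTTP client that triggered the script.
    That reading is an assumption here, so confirm it on the sending host.
    """
    msg = message_from_string(raw)
    value = msg.get("X-PHP-Script")
    if not value:
        return None
    m = re.match(r"(\S+)\s+for\s+(\S+)", value.strip())
    if not m:
        return {"script": value.strip(), "client": None}
    return {"script": m.group(1), "client": m.group(2)}


def summarize(raw):
    msg = message_from_string(raw)
    return {
        "hops": received_hops(raw),
        "from": decode_rfc2047(msg.get("From", "")),
        "php": php_script_origin(raw),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: {hop['from']} -> {hop['by']} (ip={hop['ip']})")
    print("From:", report["from"])
    print("X-PHP-Script:", report["php"])
```

Two things fall out of running it that the SpamCop report does not spell out: the display name in From decodes to a Cyrillic personal name followed by `@direct.nacha.org`, which is not how NACHA addresses mail, and the only hop that can be trusted is the one stamped by mail.kabis.net, so the masked IP is what that receiving server actually saw connect to it, while the `from apache` hop and the X-PHP-Script line are sender-supplied and could have been written by anything.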
That's interesting; last week we got infected with a spambot and I still have not been able to find the source. What I find interesting is that we were picked up by CBL first and nobody else, and I see that you were as well. I don't think 255.255.255.255 is representative of an actual address since it is a broadcast address. I assumed it was spoofed, but I was having the same sort of issue. So far, after blocking all SMTP traffic on the firewall with the exception of our email server, our domain has not been flagged on CBL. It has been only 3 days though....
 
255.255.255.255 is something I made up so as to not reveal our external IP address here on the forums in public.
 
Did you test port 25 on that IP address by telnetting to it and seeing what you can do? Can you send e-mail through it?

test commands said:
telnet 192.168.0.xxx 25
ehlo mail.otherserver.com
mail from:<[email protected]>
rcpt to:<[email protected]>
data
Subject: subject goes here

this is my test message
sincerely,
user
.
quit

Change out the e-mail addresses with both internal and external addresses to see what it does.

Did you try seeing if you have an Open Relay on that IP address? Here is one SMTP tester that I know of that will let you test for various issues.
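The same relay test as a script, added by the editor and not part of that reply: it drives MAIL FROM / RCPT TO for the sender/recipient pairings the reply describes (outside to you, you to outside, outside to outside, and the null sender to outside) and reads the RCPT TO reply code, which is where an MTA makes its relay decision, then RSETs without ever sending DATA so the probe delivers nothing. Host names and domains are placeholders; the check at the bottom feeds it canned reply codes instead of a live server.

```python
import smtplib
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    mail_from: str           # "" means the null sender, sent as MAIL FROM:<>
    rcpt_to: str
    relay_if_accepted: bool  # True: a 2xx to RCPT TO means the host relays for strangers
    note: str


def relay_probes(our_domain, outside_domain="relaytest.invalid"):
    """Sender/recipient pairings to try. Domains are placeholders (assumption)."""
    return [
        Probe(f"probe@{outside_domain}", f"postmaster@{our_domain}", False,
              "inbound to our own domain: an MX must accept this"),
        Probe(f"postmaster@{our_domain}", f"probe@{outside_domain}", True,
              "our domain to outside from an untrusted client: should be refused"),
        Probe(f"probe@{outside_domain}", f"someone@{outside_domain}", True,
              "outside to outside: the classic open-relay test"),
        Probe("", f"someone@{outside_domain}", True,
              "null sender to outside: bounce-style relay test"),
    ]


def smtp_rcpt_code(host, port=25, helo="probe.relaytest.invalid", timeout=15):
    """Return a function that runs one MAIL FROM / RCPT TO exchange against a
    live server and yields the RCPT TO reply code. A fresh session per probe
    keeps one rejection from tainting the next."""
    def rcpt_code(mail_from, rcpt_to):
        with smtplib.SMTP(host, port, timeout=timeout) as s:  # QUIT on exit
            s.ehlo(helo)
            code, _ = s.mail(mail_from)  # "" becomes MAIL FROM:<>
            if code != 250:
                return code
            code, _ = s.rcpt(rcpt_to)
            s.rset()  # never DATA: a probe must not deliver anything
            return code
    return rcpt_code


def run_relay_check(rcpt_code, probes):
    """rcpt_code(mail_from, rcpt_to) -> int SMTP reply code for RCPT TO."""
    results = []
    for p in probes:
        code = rcpt_code(p.mail_from, p.rcpt_to)
        accepted = 200 <= code < 300
        results.append({
            "probe": p,
            "code": code,
            "accepted": accepted,
            "relay": accepted and p.relay_if_accepted,
        })
    return results


def is_open_relay(results):
    # Caveat: some MTAs accept every RCPT and only reject after DATA. A 2xx
    # here is strong evidence, not proof; a DATA-stage test means actually
    # sending a message, which this script deliberately never does.
    return any(r["relay"] for r in results)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: relaycheck.py <mx-host> <our-domain>")
    host, domain = sys.argv[1], sys.argv[2]
    res = run_relay_check(smtp_rcpt_code(host), relay_probes(domain))
    for r in res:
        sender = r["probe"].mail_from or "<>"
        print(f"{r['code']}  {sender} -> {r['probe'].rcpt_to}  ({r['probe'].note})")
    print("OPEN RELAY" if is_open_relay(res) else "no relay observed at RCPT stage")
```

Run it from outside the network (as the poster did with the home laptop); from inside, the MTA may legitimately trust your source subnet and the outbound probes will succeed without meaning anything. The first probe should come back 250 on any working MX, so if it fails, you reached the wrong host, not a hardened one.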
 

Oh right, I thought it was weird since some were legit IPs and others weren't. Anyhow, if you are using a web tester that checks for open relay, and it finds that your public IP is an open relay... it's probably an open relay. Another thing you can test is to just telnet to your MX record on port 25; if you get connected, you are probably an open relay.

My suggestion after going through this: double-check your firewall rules to make sure only your Exchange server IP can send SMTP traffic outbound (unless of course you are using other email relays, spam appliances, etc.). This rules out the possibility of any device on your network compromising your reputation, or at least limits the problem to your Exchange server.

Are you seeing Exchange tracking logs of these same messages? If so, modify your Exchange receive connector(s): they should be receiving only from the subnets or IPs that you want them to, and allow anonymous access only from known reliable sources (servers, admin computers).

Next step would be to start looking at the traffic either on your firewall or using a packet capture somewhere inline with the internet traffic to sniff port 25 traffic.
 
Another thing you can test is to just telnet to your MX record on port 25; if you get connected, you are probably an open relay.

All the rest of your message was good troubleshooting ideas, but the above that I quoted is bad information.

If there is a valid mail server somewhere in the network, port 25 has to be open to it. Otherwise how does it receive e-mail? My e-mail servers have port 25 open to the outside world on all of them, but we are not an open relay. If they didn't have port 25 open I would get no e-mail.

Checking to make sure other devices are not able to send out on Port 25 is a great idea though.
 
Oh, do you not have a spam appliance or similar in front of your Exchange server? I guess that is what makes ours unable to connect from the outside world. But yes, I do understand that effectively you need to actually check if you can send the email using telnet commands in order to determine if it is truly an open relay. That said, mxtoolbox is just so dang easy, why even bother? I was more questioning the integrity of the OP's boss if the OP already tested for an open relay and the result was positive.....
 
Just in my opinion, some housekeeping might be in order if you haven't already. If you have a firewall in the colo, I might take a long hard look at what is able to send mail back out to the internet. In the past we sent all mail in and out through a spam filter of some sort, and that spam filter was the only SMTP traffic allowed back out of the firewall. The last place I was at caught a virus and it saved us loads of trouble. Also, from the sounds of it, despite the fact your boss says it's not an open relay, it would seem that it is. Got a syslog server set up? That could be loads of help as well in trying to stop whoever is trying to take advantage of your mail server. It sucks to sift through all of that, but it will pay in the end.

Again just my two cents
 
We have Barracuda appliances for e-mail archiving, anti-spam, etc. (we have the full-blown suite of Barracuda servers for this). However, our new e-mail system is not live-live yet. Right now the official MX records for the mail.company.com domain point to our old IceWarp server. (But I know that technically this doesn't mean a mail server can't still be taken advantage of -- correct me if I am mistaken.)

To my last impression, the Barracudas are configured and live with Exchange; it is just a matter of private testing before going live-live and decommissioning the old IceWarp server.

Got a syslog server set up? That could be loads of help as well in trying to stop whoever is trying to take advantage of your mail server.
We set up a Splunk server just today. Tomorrow I will be attending a webinar to learn more about Splunk and how to use it. My supervisor called the DC to have them enable syslog pointing to our Splunk server. For possibly 6 or so months my supervisor has been seriously considering Splunk as our syslog solution; we will be using it extensively in the future, but for the time being hopefully this will give us some leverage as to where the traffic is coming from.
 
Splunk is an awesome tool. Just be careful about how much you log, it'll complain really fast once you go over the license limit.
 
1. Set your firewall to not allow outbound SMTP/POP except from the email server.
2. Make sure your mail server does not allow outbound relay.

Then, you need to find the problem machine(s). Look at the firewall logs to see which machine(s) are actually trying to do outbound mail and getting blocked. Those machines are infected.
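A worked version of the second half of that advice, added by the editor and not part of the post: once outbound 25/465/587 is denied for everything except the mail server, the deny log becomes the detector, provided the deny rule logs before it drops. The lines below are constructed in the Linux iptables LOG format with an assumed `SMTP-EGRESS-DROP` rule prefix; a managed edge firewall will log differently, so adapt the field extraction rather than the aggregation. The mail server address and the allowed set are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in iptables LOG syntax with an assumed rule prefix.
# Addresses are placeholders, not from the thread.
SAMPLE_LOG = """\
Mar 19 03:12:07 fw1 kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.0.57 DST=198.51.100.23 LEN=60 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=29200 SYN URGP=0
Mar 19 03:12:07 fw1 kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.0.57 DST=198.51.100.77 LEN=60 TTL=63 ID=2 DF PROTO=TCP SPT=51235 DPT=25 WINDOW=29200 SYN URGP=0
Mar 19 03:12:08 fw1 kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.0.57 DST=203.0.113.9 LEN=60 TTL=63 ID=3 DF PROTO=TCP SPT=51236 DPT=25 WINDOW=29200 SYN URGP=0
Mar 19 03:15:40 fw1 kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.0.12 DST=203.0.113.9 LEN=60 TTL=63 ID=4 DF PROTO=TCP SPT=40001 DPT=587 WINDOW=29200 SYN URGP=0
Mar 19 03:16:02 fw1 kernel: SMTP-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.0.10 DST=203.0.113.9 LEN=60 TTL=63 ID=5 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=29200 SYN URGP=0
Mar 19 03:16:05 fw1 kernel: WEB-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.0.88 DST=203.0.113.9 LEN=60 TTL=63 ID=6 DF PROTO=TCP SPT=40003 DPT=443 WINDOW=29200 SYN URGP=0
"""

SMTP_PORTS = {25, 465, 587}
KV_RE = re.compile(r"(\w+)=(\S*)")
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")


def parse_line(line):
    """Return (timestamp, {field: value}) for an iptables LOG line, else None."""
    if "kernel:" not in line:
        return None
    ts = TS_RE.match(line)
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return (ts.group(1) if ts else None, fields)


def smtp_egress_suspects(lines, allowed_senders):
    """Rank internal hosts that tried to open outbound SMTP connections.

    Only the mail server or spam appliance is allowed to speak SMTP to the
    internet, so any other source hitting the deny rule is a candidate for
    the spambot. Returns dicts sorted by attempt count, then address.
    """
    stats = defaultdict(lambda: {"attempts": 0, "dsts": set(), "first": None, "last": None})
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, f = parsed
        if f.get("PROTO") != "TCP" or int(f["DPT"]) not in SMTP_PORTS:
            continue
        src = f["SRC"]
        if src in allowed_senders:
            continue  # the legitimate sender; it should not be hitting this rule
        s = stats[src]
        s["attempts"] += 1
        s["dsts"].add(f["DST"])
        s["first"] = s["first"] or ts
        s["last"] = ts
    return sorted(
        ({"src": src, "attempts": v["attempts"], "distinct_dsts": len(v["dsts"]),
          "first": v["first"], "last": v["last"]} for src, v in stats.items()),
        key=lambda r: (-r["attempts"], r["src"]),
    )


if __name__ == "__main__":
    for r in smtp_egress_suspects(SAMPLE_LOG.splitlines(), allowed_senders={"10.20.0.10"}):
        print(r)
```

A bot fanning out to many distinct MX hosts in a few seconds looks nothing like a user mail client, which is why distinct destinations are counted alongside raw attempts. Given the poster's note that the sending goes quiet for days at a time, keep the logging in place across at least one full cycle rather than judging from a single afternoon.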
 
Did you try seeing if you have an Open Relay on that IP address? Here is one SMTP tester that I know of that will let you test for various issues.
When I use that tool, I get "Unable to connect after 15 seconds" and "SMTP Connect" with result "Failed To Connect".

3/20/2013 10:48:34 AM Connection attempt #1 - Unable to connect after 15 seconds. [15.01 sec]
 
Received: from [255.255.255.255] ([255.255.255.255])
by mail.kabis.net
; Fri, 15 Mar 2013 08:48:25 -0700
Received: from apache by cabrioletrepuestos.com.ar with local (Exim 4.67)

The last line indicates that either a web server, or a box named Apache, sent e-mail to cabrioletrepuestos.com.ar, but then there doesn't seem to be a connection from there to your IP address.

The next line indicates that an e-mail went from your IP address to mail.kabis.net.

So either we do not have the full headers, or some of the headers were spoofed, or we are chasing down a phantom.

So do you have a web page that can send e-mail? If not, have you checked your web server logs to make sure one didn't get compromised and something put on it that is sending out e-mails?
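One way to act on that last question, added by the editor rather than written by the poster: scan the web server's access log for POST requests to PHP files and rank the scripts by how many distinct clients drive them and whether they sit in directories that should never contain executable code (uploads, cache, tmp). A mailer dropped into a CMS usually shows up as a single unfamiliar .php taking POSTs from a few addresses, answering 200 with a tiny body. The log lines are constructed in Apache's combined format; the paths, client addresses, no-code directories and the list of known POST endpoints are placeholders for a stock WordPress layout.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format sample; addresses and paths are
# placeholders, not taken from the thread.
SAMPLE_ACCESS_LOG = """\
198.51.100.5 - - [15/Mar/2013:15:47:58 -0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [15/Mar/2013:15:48:01 -0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.44 - - [15/Mar/2013:15:48:20 -0000] "POST /wp-content/uploads/2013/03/sm.php HTTP/1.1" 200 17 "-" "-"
203.0.113.44 - - [15/Mar/2013:15:48:21 -0000] "POST /wp-content/uploads/2013/03/sm.php HTTP/1.1" 200 17 "-" "-"
203.0.113.91 - - [15/Mar/2013:15:48:25 -0000] "POST /wp-content/uploads/2013/03/sm.php HTTP/1.1" 200 17 "-" "-"
198.51.100.9 - - [15/Mar/2013:15:49:02 -0000] "GET /wp-content/uploads/2013/03/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.5 - - [15/Mar/2013:15:50:10 -0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories the application writes to and that should never serve PHP.
# Assumed for a WordPress layout; extend for your own CMS.
NO_CODE_DIRS = ("/wp-content/uploads/", "/wp-content/cache/", "/tmp/")

# Scripts that legitimately take POSTs in a stock WordPress install (assumed list).
KNOWN_POST_SCRIPTS = {"/wp-login.php", "/wp-admin/admin-ajax.php",
                      "/wp-comments-post.php", "/xmlrpc.php"}


def parse_access_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = d["target"].split("?", 1)[0]  # drop the query string
    d["status"] = int(d["status"])
    return d


def suspicious_php_posts(lines, known=KNOWN_POST_SCRIPTS, no_code_dirs=NO_CODE_DIRS):
    """Rank PHP scripts receiving POSTs; report those that are unknown or
    that live under a directory which should hold no code at all."""
    per_script = defaultdict(lambda: {"posts": 0, "clients": set(), "ok": 0,
                                      "first": None, "last": None})
    for line in lines:
        r = parse_access_line(line)
        if not r or r["method"] != "POST" or not r["path"].endswith(".php"):
            continue
        s = per_script[r["path"]]
        s["posts"] += 1
        s["clients"].add(r["ip"])
        if r["status"] == 200:
            s["ok"] += 1
        s["first"] = s["first"] or r["ts"]
        s["last"] = r["ts"]
    out = []
    for path, s in per_script.items():
        reasons = []
        if path.startswith(no_code_dirs):
            reasons.append("php under a no-code directory")
        if path not in known:
            reasons.append("not a known POST endpoint")
        if reasons:
            out.append({"path": path, "posts": s["posts"], "clients": len(s["clients"]),
                        "ok": s["ok"], "first": s["first"], "last": s["last"],
                        "reasons": reasons})
    return sorted(out, key=lambda r: (-len(r["reasons"]), -r["posts"], r["path"]))


if __name__ == "__main__":
    for r in suspicious_php_posts(SAMPLE_ACCESS_LOG.splitlines()):
        print(r)
```

Line the hits up against the spam's own Date header (09:48:25 -0600 is 15:48:25 UTC) and the MTA's log for the same minute; a POST to an unfamiliar script a second or two before each outbound message is the signature of a web mailer. The same first/last timestamps also tell you which day's log rotation and which backup still hold the dropped file.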
 