Found on the Mac OS X system admin list:
Just wanted to say thanks to Michael Wise for taking time out today
and providing me with a great set of forensic tools and techniques
for locating message queue IDs, and using postcat on the queue to
view actual messages/headers. Now I can start the real investigation.
Haven’t found the offending script yet, but am getting closer.
Notes from my conversation with Michael, for the archives:
* First, find suspicious-looking lines in /var/log/mail.log
* Look for the smtp ID, such as: postfix/smtp[25897]
* Grep for other instances of that ID in the log: grep 25897 mail.log
* From there, you'll be able to see postfix queue IDs, such as 159A347C89C
* You can use this queue ID to find deferred messages in the postfix queue
* cd /var/spool/postfix/
* Find where in the queue directory hierarchy this message lives: find . -name 159A347C89C
* The messages are stored in a format that is not easily readable. To make them readable, use the postcat command, e.g. postcat deferred/E/E9B8F4F0E7C
* Now you can see the real message, with all of its headers, which should give you a lot more info about its origins. You can see whether it came from outside; if it came from a local process, there should be some indication. If the user is www, you know it's coming from a web script.
* To delete a message from the queue, use e.g.: postsuper -d E9B8F4F0E7C. Do not use the path with this command, just the queue ID.
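The queue walk above, written out as a small POSIX shell script. This is an added example, not code from the original post or from Postfix; it runs the log-parsing steps against a few constructed mail.log lines (the PID and queue IDs reused from the notes) and only touches the spool if you point it at a real log. MAILLOG and SPOOL are assumed default paths; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): follow a suspicious Postfix
# smtp process ID in mail.log to its queue IDs, then to the spool files.
# MAILLOG and SPOOL are assumed Postfix default locations.

MAILLOG=${MAILLOG:-/var/log/mail.log}
SPOOL=${SPOOL:-/var/spool/postfix}

# Constructed sample log lines for the offline demo (PID 25897 and the two
# queue IDs come from the notes above; hosts and addresses are made up).
SAMPLE_LOG='Mar  3 10:01:12 host postfix/pickup[20011]: 159A347C89C: uid=70 from=<www>
Mar  3 10:01:12 host postfix/cleanup[20015]: 159A347C89C: message-id=<20130303100112.159A347C89C@host.example>
Mar  3 10:01:13 host postfix/qmgr[20009]: 159A347C89C: from=<www@host.example>, size=812, nrcpt=1 (queue active)
Mar  3 10:01:14 host postfix/smtp[25897]: 159A347C89C: to=<victim@example.net>, relay=none, delay=2.1, status=deferred (connect to mx.example.net[192.0.2.10]:25: Connection timed out)
Mar  3 10:01:15 host postfix/smtp[25897]: E9B8F4F0E7C: to=<other@example.org>, relay=none, delay=3.0, status=deferred (connect to mx.example.org[192.0.2.20]:25: Connection timed out)
Mar  3 10:02:00 host postfix/smtp[30100]: 7AB12C0FF00: to=<legit@example.com>, relay=mail.example.com[198.51.100.5]:25, delay=0.4, status=sent (250 OK)'

# Steps 2-4: given a Postfix process ID (e.g. 25897), print the unique queue
# IDs it logged. Reads log text on stdin; the queue ID is the uppercase hex
# token right after "[pid]: ".
queue_ids_for_pid() {
    _pid=$1
    grep "postfix/[a-z]*\[$_pid\]: " \
      | sed -n 's/^.*\[[0-9]*\]: \([0-9A-F]\{6,\}\): .*$/\1/p' \
      | sort -u
}

# Step 9: report which local user handed a queue ID to the pickup daemon
# (the from=<...> on the pickup line). "www" means a web script submitted it;
# no pickup line at all means the message did not arrive via local submission.
pickup_sender_for_qid() {
    _qid=$1
    grep "postfix/pickup\[[0-9]*\]: $_qid: " \
      | sed -n 's/.*from=<\([^>]*\)>.*/\1/p' \
      | head -n 1
}

# Steps 6-8: locate the queue file for an ID under the spool and dump it with
# postcat. postcat takes the file path; postsuper -d takes the bare queue ID.
inspect_queue_id() {
    _qid=$1
    _file=$(find "$SPOOL" -name "$_qid" 2>/dev/null | head -n 1)
    if [ -z "$_file" ]; then
        echo "queue ID $_qid not found under $SPOOL" >&2
        return 1
    fi
    echo "== $_file =="
    postcat "$_file"
}

# Demo: parse the constructed log (no spool access needed). Run the script
# with a real PID as $1 to read $MAILLOG instead.
if [ -n "${1:-}" ] && [ -r "$MAILLOG" ]; then
    LOG_INPUT=$(cat "$MAILLOG"); PID=$1
else
    LOG_INPUT=$SAMPLE_LOG; PID=25897
fi
for qid in $(printf '%s\n' "$LOG_INPUT" | queue_ids_for_pid "$PID"); do
    sender=$(printf '%s\n' "$LOG_INPUT" | pickup_sender_for_qid "$qid")
    [ -n "$sender" ] || sender="(no local pickup line)"
    echo "queue ID $qid  submitted by: $sender"
done
```

On the sample, PID 25897 yields 159A347C89C (pickup user www, so a web script) and E9B8F4F0E7C (no pickup line, so not local submission); the legitimate delivery by PID 30100 is left out. The regex anchors on "[pid]: " so the bracketed relay addresses later on a line are not mistaken for process IDs.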
Other tools:
Monitor incoming network connections, filtering out legit traffic on
port 80:
netstat -na | grep EST
netstat -na | grep EST | grep -v '.80 '
netstat -na | grep EST | grep '.25 '
To find files or dirs owned by www (that might be illegitimate):
find / -user www -ls
In case attacker named directories with spaces or other weird chars
in them:
find / -user www -ls | cat -vet -
(take your cat to the vet, it's sick)
Thanks also to others who responded on this.
Best,
Scot
--
Scot Hacker, Webmaster
Graduate School of Journalism
UC Berkeley