Botnet / DDos on Linux server..


Postby daniell » Sat Jul 17, 2010 6:27 am

I've been informed several times now by my ISP provider that my computer is a member of a botnet, and
that the computer is sending out spam and other uncontrollable stuff/communication outside my LAN.

The situation is that I'm running CentOS 5.5 x64, with Subsonic 4.0.1, jetty-6.1.x, java 1.6.0_0.
I have no other HTTP server (Apache) or FTP server running. All other ports (except Subsonic's) are closed.

So my question is! Is it possible that I can have an infected system running the Jetty / Java server for Subsonic??
I have been running different antispy/antivirus programs, but I still get these alerts from my ISP provider.

Anybody who has this experience with a Linux server..??

Appreciate all help..

Thanks.
Supermicro Intel(R) Core(TM) i7-3555LE CPU @ 2.50GHz, 4 cores 8gb ram
CentOS Linux 6.6 Server, jetty-6.1.x, java 1.7.0_71, Linux (143,2 MB / 437,5 MB) Subsonic 5.1
Supermicro Intel® Atom™ D510 4gb ram
Sophos Security Gateway UTM /v9
daniell
 
Posts: 90
Joined: Fri Nov 13, 2009 6:44 am
Location: Stavanger, Norway

Postby burjast » Sat Jul 17, 2010 7:10 am

It is possible but I just don't believe it. Linux is a security risk if you don't know it and are running services opened to the world. If you spam "around the world" the problem could be a misconfigured sendmail server, allowing others to relay mail through your server...
burjast
 
Posts: 71
Joined: Mon Jul 20, 2009 9:00 am
Location: Slovenia

Postby daniell » Sat Jul 17, 2010 4:37 pm

Well, botnet/DDoS attacks mainly hit webservers and/or IRC clients, whether on a Windows, Linux, Unix or Mac OS system. Try Google, and you will find thousands of hits regarding this subject for Linux boxes. So yes, Linux is indeed a target. My server does not run any kind of mailserver, HTTP server (except Subsonic 4.0.1, jetty-6.1.x, java 1.6.0_0) or IRC client; none of the mentioned services is running.

So the question again.. Is it possible that I can have an infected system running the Jetty / Java server for Subsonic??
daniell
 
Posts: 90
Joined: Fri Nov 13, 2009 6:44 am
Location: Stavanger, Norway

Postby burjast » Sat Jul 17, 2010 8:40 pm

I already answered in the first 3 words of my reply. Please read it again.

You cannot send spam without sendmail or a similar service in Linux.

Conclusion: you may be hacked through any service on Linux. If you don't know Linux you'd better stick with Windows.
burjast
 
Posts: 71
Joined: Mon Jul 20, 2009 9:00 am
Location: Slovenia

Postby daniell » Sun Jul 18, 2010 6:36 am

Ok..
Anybody else who has experienced a botnet/DDoS attack in relation to Jetty webserver 6 and java 1.6.0_0.. ??

Thanks
daniell
 
Posts: 90
Joined: Fri Nov 13, 2009 6:44 am
Location: Stavanger, Norway

Postby baaldemon » Sun Jul 18, 2010 4:44 pm

Ask them for the specifics about what triggered them to send you this warning. They should be able to give you examples of the traffic so you can track down whether you actually have an infection and what it might be.

Have you looked through your running processes for anything out of the ordinary? Check your system logs as well for any entries that seem out of the norm. Yes, good botnets won't be that obvious, but fortunately most of them aren't that good. Do you have firewalls set up, locally on the machine or on your router? I would suggest setting up iptables rules that block everything outbound except for the services you are actually running.

But really you need more information from the ISP about the details of the traffic before you can really speculate on what's going on.
baaldemon
 
Posts: 99
Joined: Fri May 07, 2010 11:54 am

Postby daniell » Sun Jul 18, 2010 5:50 pm

Here is one of the attachments I received from my ISP (lyse.net).

bot 10.07.2010 03:37 my.ip.adress.29695 0 42.79-160-130.customer.lyse.net 194.109.20.90 3265 6667 Diemen.NL.EU.Undernet.Org
bot 11.07.2010 13:46 my.ip.adress. 29695 0 42.79-160-130.customer.lyse.net 208.83.20.130 30217 6667 Tampa.FL.US.Undernet.org

I do have a firewall set up in CentOS; all ports are closed, except for the running Subsonic on port 4040 + the Samba ports.
Same goes for the router, a D-Link 650.
I can't find any running service that looks suspicious to me..

Thanks..
daniell
 
Posts: 90
Joined: Fri Nov 13, 2009 6:44 am
Location: Stavanger, Norway

Postby Sporkman » Sun Jul 18, 2010 9:10 pm

You may already have done this, but here are a few things you can do. These work in Ubuntu, but should also have equivalents in CentOS:

Run these as root:

To list listening services:

netstat -tlp

To list active connections:

lsof -i -n -P

To log outgoing connections, add this to your iptables rules:

iptables -A OUTPUT ! -o lo -m state --state NEW -j LOG

This adds entries to your /var/log/messages (or CentOS equivalent) logfile for each new outbound connection.

To do a general analysis of your system logs, which may reveal illicit activity, install logwatch & do (to analyze over the last day):

logwatch --detail high --range '-1 days'
Sporkman
 
Posts: 18
Joined: Wed Mar 17, 2010 1:33 am
Location: The Internet

Postby Pathduck » Mon Jul 19, 2010 8:43 am

daniell wrote:bot 10.07.2010 03:37 my.ip.adress.29695 0 42.79-160-130.customer.lyse.net 194.109.20.90 3265 6667 Diemen.NL.EU.Undernet.Org
bot 11.07.2010 13:46 my.ip.adress. 29695 0 42.79-160-130.customer.lyse.net 208.83.20.130 30217 6667 Tampa.FL.US.Undernet.org


Those do indeed look like bots, running on port 29695 on your machine and connecting to IRC servers in the Netherlands and the US (Florida) on port 6667. Botnets are known to use IRC for comms. Unless you are yourself using IRC?

I doubt it's related to Subsonic, but they might have exploited a vulnerability in it or in your webserver to get it running.

Like Sporkman says, to find which process is using the port on your machine:
netstat -tlp | grep 29695
Pathduck
 
Posts: 27
Joined: Wed Mar 18, 2009 10:14 pm

Postby daniell » Mon Jul 19, 2010 10:00 am

Thanks.
No, I don't use any kind of IRC on the server. I will try these suggestions later and see what happens.
How is this possible when all my ports are closed by the firewall on the server and the router..?

Thank all of you for the help and suggestions.
daniell
 
Posts: 90
Joined: Fri Nov 13, 2009 6:44 am
Location: Stavanger, Norway

Postby Sporkman » Mon Jul 19, 2010 12:20 pm

daniell wrote:Thanks.
No, I don't use any kind of IRC on the server. I will try these suggestions later and see what happens.
How is this possible when all my ports are closed by the firewall on the server and the router..?


Are you sure the firewall is operating properly? You can do a scan for open ports using nmap to make sure.

Also: have you installed anything from untrusted sources (i.e. not from the CentOS repositories using yum) other than Subsonic?

Finally: I once installed CentOS in a virtual machine to try it out, and I noticed that when you select the "server" installation option, it installs a bunch of stuff you didn't explicitly ask for, such as Apache. Maybe a service you didn't account for got installed & created a vulnerability..?
Sporkman
 
Posts: 18
Joined: Wed Mar 17, 2010 1:33 am
Location: The Internet

Postby daniell » Mon Jul 19, 2010 12:35 pm

Thanks.
I will do a scan with nmap and check it out.
Really.. !! YES, I did the server installation with the selected option..
I'd better check this out too, then..

Thank you..
daniell
 
Posts: 90
Joined: Fri Nov 13, 2009 6:44 am
Location: Stavanger, Norway

Postby daniell » Mon Jul 19, 2010 1:57 pm

I just ran these tests, but I can't find any suspicious open port like the one I got from my ISP..

lsof -i -n -P
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2358 root 3u IPv6 7696 TCP *:xxxx (LISTEN)
java 2376 root 64u IPv6 8518 TCP *:4040 (LISTEN)
java 2376 root 65u IPv6 8528 TCP *:9412 (LISTEN)
java 2376 root 66u IPv6 8529 TCP *:37848 (LISTEN)
smbd 2438 root 20u IPv4 7974 TCP *:445 (LISTEN)
smbd 2438 root 21u IPv4 7975 TCP *:139 (LISTEN)
nmbd 2441 root 6u IPv4 7888 UDP *:137
nmbd 2441 root 7u IPv4 7889 UDP *:138
nmbd 2441 root 8u IPv4 7891 UDP 192.168.0.10:137
nmbd 2441 root 9u IPv4 7892 UDP 192.168.0.10:138
avahi-dae 2491 avahi 13u IPv4 8028 UDP *:5353
avahi-dae 2491 avahi 14u IPv6 8029 UDP *:5353
avahi-dae 2491 avahi 15u IPv4 8030 UDP *:33664
avahi-dae 2491 avahi 16u IPv6 8031 UDP *:48093
sshd 8829 root 3u IPv6 29461 TCP 192.168.0.10:xxxx->79.160.195.222:2245 (ESTABLISHED)
sshd 8845 root 3u IPv6 29524 TCP 192.168.0.10:xxxx->79.160.195.222:1576 (ESTABLISHED)


# netstat -tlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:netbios-ssn *:* LISTEN 2438/smbd
tcp 0 0 *:microsoft-ds *:* LISTEN 2438/smbd
tcp 0 0 *:9412 *:* LISTEN 2376/java
tcp 0 0 *:vrtl-vmf-ds *:* LISTEN 2358/sshd
tcp 0 0 *:yo-main *:* LISTEN 2376/java
tcp 0 0 *:37848 *:* LISTEN 2376/java


IPv6, I thought, was disabled..

Anybody see something suspicious here??
daniell
 
Posts: 90
Joined: Fri Nov 13, 2009 6:44 am
Location: Stavanger, Norway
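As an added example (not written by any poster in this thread), here is a small Python triage script that cross-references an ISP abuse report in the layout daniell pasted with `lsof -i -n -P` output, flagging established connections the way Pathduck read the report: a local port named in the report, or a remote IRC port. All addresses, hostnames and the flagged process are constructed; the second report line deliberately keeps the stray space from the poster's paste so the parser handles it.

```python
import re
# Constructed sample in the layout of the ISP abuse report quoted in the thread
# (type date time src_ip.port flag src_host dst_ip ? dst_port dst_host), using
# documentation-range addresses; line 2 keeps the stray space from the poster's paste.
ISP_REPORT = """\
bot 10.07.2010 03:37 192.0.2.10.29695 0 host.example.net 198.51.100.20 3265 6667 irc1.example.org
bot 11.07.2010 13:46 192.0.2.10. 29695 0 host.example.net 203.0.113.130 30217 6667 irc2.example.org
"""

# Constructed sample in the `lsof -i -n -P` layout the poster pasted, plus one
# ESTABLISHED line from a hypothetical process so the matcher has something to find.
LSOF_OUTPUT = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
java 2376 root 64u IPv6 8518 TCP *:4040 (LISTEN)
sshd 8829 root 3u IPv6 29461 TCP 192.168.0.10:2222->192.0.2.77:2245 (ESTABLISHED)
perl 9911 nobody 3u IPv4 31000 TCP 192.168.0.10:29695->198.51.100.20:6667 (ESTABLISHED)
"""

IRC_PORTS = {6667}  # the C2 port seen in the report; extend with your own list
# src_ip.port may arrive split as "a.b.c.d. 29695" (as in the poster's paste), hence \.\s*
REPORT_RE = re.compile(r"^bot\s+\S+\s+\S+\s+\S+?\.\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\S+\s+(\d+)\s+\S+")

def parse_report(text):
    """Return the set of (local_port, remote_ip, remote_port) tuples the ISP reported."""
    return {(int(m.group(1)), m.group(2), int(m.group(3)))
            for m in map(REPORT_RE.match, text.splitlines()) if m}

# COMMAND PID USER ... TCP local:port->remote:port (ESTABLISHED); the greedy \S+
# still splits a bracketed IPv6 address on the last colon before the port.
CONN_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s.*\bTCP\s+(\S+):(\d+)->(\S+):(\d+)\s+\(ESTABLISHED\)")

def suspicious_connections(lsof_text, reported):
    """Flag established connections that match the ISP report or use an IRC port."""
    reported_local = {lp for lp, _, _ in reported}
    findings = []
    for line in lsof_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # header, LISTEN sockets, UDP, or a wrapped line
        cmd, pid, user, _lip, lport, rip, rport = m.groups()
        lport, rport = int(lport), int(rport)
        reasons = [why for hit, why in (
            ((lport, rip, rport) in reported, "exact match with ISP report"),
            (lport in reported_local, "local port named in ISP report"),
            (rport in IRC_PORTS, "remote port is IRC")) if hit]
        if reasons:
            findings.append({"command": cmd, "pid": int(pid), "user": user,
                             "remote": f"{rip}:{rport}", "reasons": reasons})
    return findings
```

Run it against real `lsof -i -n -P` output captured while the reported traffic is happening; a bot that only connects intermittently will not show up in a single snapshot, which is why Sporkman's iptables LOG rule complements this.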

got hacked as well

Postby roozbeh » Mon Dec 20, 2010 6:36 pm

I got hacked two times since I installed subsonic and I am guessing (not 100% sure of course) that this is due to subsonic.

After the first time, I re-installed the OS, and only opened port 4040 and one for ssh (not 22). I got hacked in less than two weeks. Someone installed an iroffer server on my machine.
roozbeh
 
Posts: 3
Joined: Sun Nov 14, 2010 9:09 pm

Postby ccandreva » Mon Dec 20, 2010 7:03 pm

One of the best things you can do is have Subsonic run as its own user. I don't know how the Ubuntu install works, but the default Fedora RPM setup runs it as root.

I posted how to have Subsonic run as its own user on Fedora here:
http://forum.subsonic.org/forum/viewtopic.php?t=3438
Last edited by ccandreva on Mon Dec 27, 2010 10:31 pm, edited 2 times in total.
ccandreva
 
Posts: 104
Joined: Fri May 28, 2010 8:22 pm
