Hi,
After installing mailman and using it for a few days, I got several complaints from my hosting company for abuse.
After checking the server, it seems that there is a rootkit (Blitz) running with the mailman process.
Has anyone come across this issue? Are there any specific steps to secure the mailman user?
Thank you
Kyriakos Terzopoulos, Web developer / e-learning expert
Tel: +30 211 213 9858
Mobile: +30 694 526 4512
E-mail: kyriakos.terzopoulos@gmail.com
Skype: kyriakos.terzopoulos
Find me on Facebook <http://www.facebook.com/cirrus3d>, follow me on Twitter <http://twitter.com/#%21/cirrus3d>
Some more info on the issue after running RKhunter:
[09:47:54] Warning: Network TCP port 47018 is being used by /tmp/.X291-unix/.rsync/c/blitz64. Possible rootkit: Possible Universal Rootkit (URK) component
[09:47:58] Warning: Suspicious file types found in /dev: /dev/shm/PostgreSQL.2417704720: data 10
Rootkit process:
mailman 1593549 0.0 0.0 5776 1032 ? S 08:59 0:00 timeout 24h ./blitz -t 515 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
mailman 1593550 0.0 0.0 7368 3376 ? S 08:59 0:00 /bin/bash ./blitz -t 515 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
mailman 1593554 24.1 0.4 111404 34932 ? Sl 08:59 12:59 /usr/sbin/httpd .rsync/c/blitz64 -t 515 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
Hi Kyriakos,
This is very unlikely to be Mailman-related. Most likely you have a weak or default password that was brute-forced, perhaps for your "mailman" account.
I'm not sure there's much direct help we can offer, but you've left out all the important details to give suggestions:
- What OS?
- Versions of OS, Mailman, etc?
- How did you install Mailman?
- Other pertinent details about the environment?
Regards, --Jered
Hi,
- Ubuntu 22.04
- Mailman 3 latest version (vemv setup)
- Server has HestiaCP installed
After installing all recent upgrades I will try and completely reinstall mailman and see if this happens again.
One thing that bothers me is that in the documentation I have not seen anywhere setting a password for the mailman user. Is there a default somewhere?
I will also disallow bash login for the mailman user since it seems that one could login via SSH.
Thanks for your feedback.
On 10/17/23 08:55, Kyriakos Terzopoulos wrote:
One thing that bothers me is that in the documentation I have not seen anywhere setting a password for the mailman user. Is there a default somewhere?
Ideally, the Mailman user will not have a password so password login is not possible. The instructions at https://docs.mailman3.org/en/latest/install/virtualenv.html#setup-mailman-us... will create the mailman user without a password.
-- Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
Some more info on the issue after running RKhunter: [09:47:54] Warning: Network TCP port 47018 is being used by /tmp/.X291-unix/.rsync/c/blitz64. Possible rootkit: Possible Universal Rootkit (URK) component
You need to remove the rootkit. Someone has hacked into your system. This has nothing to do with Mailman3 as such.
If you do a ps axfu | grep blitz64 you should be able to find which uid is being used (first column of output). You'll then be able to find the bits of the rootkit by looking at that user's processes and open files, and delete them.
And then you can fix that user's permissions/password so it's less likely to be compromised again, or delete the user entirely if the user isn't being used for anything else.
-- Peter C
Hi Peter,
The rootkit had already been removed up to that point. The user of the Blitz process was the mailman user.
Taking steps to secure the server more now.
If you followed the instructions at https://docs.mailman3.org/en/latest/install/virtualenv.html then the "useradd" invocation should create a mailman user that cannot log in with a password, so this should be fine. If you created the mailman user by some other means, this could be an issue.
I don't have experience with the venv install, but surely others on the list will have familiarity.
--Jered
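An added example, not from the thread or the Mailman documentation, that checks what Mark and Jered describe: whether an account such as mailman can be logged into with a password, and whether its shell permits interactive login at all (the change Kyriakos planned). The account_risk helper and the passwd/shadow lines it is fed are assumptions; audit_account reads the live entries and needs root.

```shell
#!/bin/sh
# Added example (not from the thread): audit a service account's password
# state and login shell. Assumed field layouts: /etc/passwd
# "name:x:uid:gid:gecos:home:shell" and /etc/shadow "name:hash:...".

# account_password_state PASSWD_LINE SHADOW_LINE -> "<state> <shell>"
account_password_state() {
    pw_line=$1
    sh_line=$2
    shell=$(printf '%s\n' "$pw_line" | cut -d: -f7)
    hash=$(printf '%s\n' "$sh_line" | cut -d: -f2)
    case "$hash" in
        '')       state=none ;;    # empty field: no password needed if PAM allows it
        '!'*|'*') state=locked ;;  # "!" / "!!" / "*": password login impossible
        *)        state=set ;;     # real hash: password auth works if guessable
    esac
    printf '%s %s\n' "$state" "$shell"
}

# account_risk PASSWD_LINE SHADOW_LINE -> "ok" or the reason it is risky
account_risk() {
    set -- $(account_password_state "$1" "$2")
    state=$1; shell=$2
    case "$shell" in
        */nologin|*/false) printf 'ok\n'; return 0 ;;  # no interactive login at all
    esac
    case "$state" in
        none)   printf 'passwordless-login\n' ;;
        set)    printf 'password-login-enabled\n' ;;
        locked) printf 'ok\n' ;;   # as created by useradd without -p
    esac
}

# Live check of a real account (reading the shadow entry requires root).
audit_account() {
    user=$1
    pw=$(getent passwd "$user") || { echo "no such user: $user"; return 1; }
    sh=$(getent shadow "$user" 2>/dev/null) || { echo "cannot read shadow entry for $user (run as root)"; return 1; }
    account_risk "$pw" "$sh"
    home=$(printf '%s\n' "$pw" | cut -d: -f6)
    # A locked password still leaves SSH key login open if keys were planted.
    if [ -s "$home/.ssh/authorized_keys" ]; then
        echo "note: $user has SSH authorized_keys"
    fi
}
```

Run `audit_account mailman` as root; a locked account with /bin/bash reports ok, so the authorized_keys note is the remaining thing to read.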
On Tue, Oct 17, 2023 at 7:31 PM Jered Floyd <jered@convivian.com> wrote:
If you followed the instructions at https://docs.mailman3.org/en/latest/install/virtualenv.html then the "useradd" invocation should create a mailman user that cannot log in with a password, so this should be fine. If you created the mailman user by some other means, this could be an issue.
I don't have experience with the venv install, but surely others on the list will have familiarity.
It's the one you referred to :-)
It's the de facto install method and very secure.
However, the security of the DB backend and everything else should really be upon the sysadmin.
-- Best regards, Odhiambo WASHINGTON, Nairobi, KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
Odhiambo Washington writes:
It's the de facto install method and very secure.
I don't consider anything related to email secure. :-)
How did Mailman get involved? My guess is that the rootkit did a ps, discovered that the 'mailman' user runs a lot of long-lived daemon processes, and sudo'd its own daemon with that user to hide among them.
The rootkit author is probably smarter than this, but if you're lucky they did suid in process and "ps -o euser,ruser" will give you the effective user (mailman) and the real user (a compromised account).
Don't assume only one account was compromised. If they had root (implied), they probably have /etc/passwd and /etc/shadow, and have run a password cracker on them.
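An added example, not part of the thread, combining Peter's ps-based triage with Stephen's effective-versus-real-user check: a filter over `ps -eo user,euser,ruser,pid,args` output that flags binaries run from /tmp, /var/tmp, /dev/shm or hidden dot-directories, and processes whose effective user differs from the real user. The sample listing is constructed from the ps lines posted earlier; the extra columns, PID 4242 and the www-data real user are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag suspicious processes in a saved
# "ps -eo user,euser,ruser,pid,args" listing read from stdin, so a capture
# from the compromised host can be triaged offline. Assumed column order:
# user euser ruser pid args.

# suspicious_procs: prints "<pid> <euser> <reason> <command>" per hit
suspicious_procs() {
    awk '
    BEGIN {
        vol = "^(/tmp|/var/tmp|/dev/shm)/"   # binaries in volatile, world-writable dirs
        hid = "(^|/)\\.[^/.][^/]*/"          # a hidden ".dir/" path component (not "./")
    }
    NR == 1 { next }                         # skip the ps header line
    {
        euser = $2; ruser = $3; pid = $4; reason = ""
        for (i = 5; i <= NF; i++) {
            if ($i ~ vol) reason = "volatile-dir"
            else if ($i ~ hid) reason = "hidden-dir"
        }
        # effective user != real user: a process that changed identity to
        # hide among a daemon account, the case Stephen describes
        if (euser != ruser) reason = reason (reason == "" ? "" : ",") "euser!=ruser"
        if (reason != "") {
            cmd = $5; for (i = 6; i <= NF; i++) cmd = cmd " " $i
            print pid, euser, reason, cmd
        }
    }'
}

# Constructed sample modelled on the thread: note the process named
# /usr/sbin/httpd whose argument points into a hidden .rsync directory.
SAMPLE_PS='USER     EUSER    RUSER    PID     COMMAND
root     root     root     1       /sbin/init
mailman  mailman  mailman  2001    /opt/mailman/venv/bin/python3 /opt/mailman/venv/bin/runner -C /etc/mailman3/mailman.cfg --runner=in:1:1
mailman  mailman  mailman  1593549 timeout 24h ./blitz -t 515 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
mailman  mailman  mailman  1593554 /usr/sbin/httpd .rsync/c/blitz64 -t 515 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
mailman  mailman  www-data 4242    /tmp/.X291-unix/.rsync/c/blitz64 -t 515 -f 1'

demo_hits() { printf '%s\n' "$SAMPLE_PS" | suspicious_procs; }
live_hits() { ps -eo user,euser,ruser,pid,args | suspicious_procs; }
```

The relative "./blitz" invocations are deliberately not flagged, which is why Peter's advice to list all of the suspect user's processes and open files still matters.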