Eric,

Thanks for the response. The Anti-Virus I am using is removing the files as they are detected, so it's a bit hard to tell. They are actioned late at night, so we are not looking then; however, something must be setting them there.

There is one text file still in the "/tmp/" directory that is infected, and this is owned by apache. So is this a Webmail item?

-rw-r--r-- 1 apache apache 28026 Apr 9 22:18 dude.txt

Trying to "cat" the file brought back information from our AV:

cat: dude.txt: Operation not permitted
[root@msrverpd tmp]#
********************** Sophos Anti-Virus Alert ***********************
Virus "Mal/PerlBot-A" detected in file "/tmp/dude.txt".
Access to the file has been denied
Please contact your IT department.
**********************************************************************

At least we know we are protected.

As for the AV on the mailboxes, are you talking about the server side or the client side? We run Sophos AV on all clients.

Cheers

-----Original Message-----
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Tuesday, 12 April 2011 12:46 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: Perl Bot

I don't know the answer to your question off hand. The owner of the file would probably give a clue. Given that it's in the /tmp directory, I think that webmail would be a good guess.

Are you running your anti-virus program on mailboxes? Looking inside of archive file type attachments (.zip, etc)?

--
-Eric 'shubes'

On 04/10/2011 06:00 PM, Mike Canty wrote:
> To All,
> This is more of a general question in regards to attack against one
> of our servers.
>
> We have found that one server is continually being hit by Perl Bots.
> Initially this machine was compromised, so we rebuilt from scratch and
> altered any access via SSH, made sure the firewall was appropriate, etc.,
> but we are still seeing instances of attack. To combat these attacks we
> have an Anti-Virus program running and it returns errors like the following.
>
> A virus classified as 'Mal/PerlBot-A' was detected in the file '/tmp/dude'
> when closing it at Sun Apr 10 03:08:29 2011 EST +2100 (2011-04-09 17:08:29
> UTC).
>
> What I want to know is where these Bots come from. Are they launched from
> an Email when it is accessed via Webmail? Or can they get to the server
> through an IMAP account?
>
> This machine is not running a web proxy, and the only web requirement is
> Webmail (and Qmail Toaster management), so where are these coming from?
>
> Any information would be appreciated.
>
> Cheers
> Mike Canty
>
>
> ---------------------------------------------------------------------------------
> Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
> Vickers Consulting Group offers Qmailtoaster support and installations.
> If you need professional help with your setup, contact them today!

---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
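One way a defender can follow up on Eric's hint about the file owner, as an added example that is not part of the thread: a file in /tmp owned by apache was most likely written by a web request, so the access-log entries around the file's mtime are the place to look. The script assumes Apache combined-format logs; the log lines, addresses and paths in it are constructed for the example.

```shell
#!/bin/sh
# Added triage helper (not from the list thread): given the modification time
# of a suspicious /tmp file owned by the web server user, print the web
# access-log requests that arrived within a window around that time. The
# request that dropped the file is usually among them. Only same-day matching
# is implemented, which is enough for nightly triage of a fresh detection.

# Constructed access-log excerpt in Apache "combined" format. Addresses,
# paths and user agents are invented for this example.
SAMPLE_LOG='203.0.113.10 - - [09/Apr/2011:22:05:41 +1000] "GET /webmail/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2011:22:18:02 +1000] "POST /webmail/index.php HTTP/1.1" 200 211 "-" "libwww-perl/5.805"
203.0.113.10 - - [09/Apr/2011:22:41:09 +1000] "GET /webmail/ HTTP/1.1" 200 8811 "-" "Mozilla/5.0"'

# requests_near DD/Mon/YYYY:HH:MM WINDOW_MINUTES
# Reads access-log lines on stdin and prints those whose timestamp is on the
# same day and within WINDOW_MINUTES of the given time (take the time from
# "ls -l --full-time" or "stat" on the detected file).
requests_near() {
    awk -v target="$1" -v window="$2" '
    BEGIN {
        split(target, t, ":")          # t[1]=DD/Mon/YYYY t[2]=HH t[3]=MM
        tday = t[1]; tmin = t[2] * 60 + t[3]
    }
    {
        # $4 looks like [09/Apr/2011:22:18:02 ; drop the bracket
        ts = substr($4, 2)
        split(ts, f, ":")              # f[1]=date f[2]=HH f[3]=MM f[4]=SS
        if (f[1] != tday) next
        m = f[2] * 60 + f[3]
        d = m - tmin; if (d < 0) d = -d
        if (d <= window) print
    }'
}

# count_hits TIME WINDOW: number of sample-log requests inside the window,
# the figure a nightly cron job would report alongside the AV alert.
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | requests_near "$1" "$2" | wc -l | tr -d ' '
}
```

Run `printf '%s\n' "$SAMPLE_LOG" | requests_near 09/Apr/2011:22:18 5` to see the single POST that lines up with the dude.txt mtime from the listing above; against a real server, feed the actual access_log on stdin instead.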