# Possible trojan (torpig) attack with mail server (Postfix)



## jailed (Sep 6, 2011)

Hello,

We have a web service. For the last month, some web spammers have been registering fake accounts on our system. They programmed a robot that automatically creates accounts on our website. Registration needs mail validation. (I think) they also programmed a robot for Hotmail and Gmail. They automatically create Hotmail accounts and register accounts with us, then they receive the validation information from the mails we send to their Hotmail address. Because of this robot attack, we started to send about 10.000 mails a day to Hotmail. After I realized the attack, I wrote some code for our website and disabled this attack. They can't open accounts now.

However, (I think because of the bulk validation mails) Hotmail and Yahoo added our IP address to a blacklist.

Spamhaus says that we're in the CBL. I queried our IP and this message is shown:



> This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.
> 
> This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at 91.20.214.119, with contents unique to Torpig C&C command protocols.



Only ports 25, 53, 80 and 443 are open on our servers.

We have Postfix, Courier and Cyrus installed.

I searched for Torpig but I couldn't find detailed information. But I think that it's a Windows trojan. I can't find any information about Torpig & FreeBSD.

Wikipedia says Torpig is installed in the MBR.

Our mail server is in a FreeBSD jail and doesn't have an MBR.

All of our ports are up to date.

I'm not sure whether our mail server is really infected with the Torpig trojan, or whether the blacklists think it's a trojan because of the rise in the mails we sent.

I'm waiting for your help.

If it's not about a trojan, but about the bulk mails caused by the validation mails, I will be happy.

Thank you for your time.


----------



## SirDice (Sep 6, 2011)

jailed said:

> I'm not sure whether our mail server is really infected with the Torpig trojan, or whether the blacklists think it's a trojan because of the rise in the mails we sent.


It's the latter, they're just guessing what the cause might be.


----------



## bes (Sep 6, 2011)

> But I think that it's a Windows trojan.


Exactly.


----------



## Anonymous (Sep 6, 2011)

jailed said:

> Spamhaus says that we're in the CBL. I queried our IP and this message is shown:
> 
> 
> > This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.
> ...



Is your mail server really the only machine at your IP?

If YES, then simply go to the CBL Lookup AND Removal page.
If NO, then read the above quote from Spamhaus carefully again. They're saying that your IP is affected, and this is different from claiming that your Postfix mail server is infected, isn't it? In this case, check the Windows machines behind the NAT, and on the firewall close port 25 for the whole internal network, except for your Postfix server, of course.
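One way to implement the egress filter suggested above on a FreeBSD pf firewall/router, as an added example that is not from this thread: a pf.conf fragment that lets only the Postfix host open outbound SMTP connections and logs every other internal host that tries. The interface names and the mail server's address are assumed placeholders.

```pf
# Added example (not from the thread): pf egress filter allowing outbound SMTP
# only from the Postfix host. Interface names and addresses are assumed
# placeholders; adjust them to the real firewall.
ext_if     = "em0"          # assumed: interface towards the internet
int_if     = "em1"          # assumed: interface towards the LAN
mailserver = "192.0.2.10"   # assumed: internal address of the Postfix host

# Internal clients may still hand mail to the local Postfix on port 25.
pass in quick on $int_if proto tcp from $int_if:network to $mailserver port smtp

# The Postfix host itself may deliver to remote MTAs on port 25.
pass in quick on $int_if proto tcp from $mailserver to any port smtp

# Every other internal host attempting outbound SMTP is rejected and logged.
# A logged hit here names the machine worth inspecting, whatever its OS.
block return in log quick on $int_if proto tcp from any to any port smtp
```

Place these rules before the general pass rules so the `quick` matches win, and reload with `pfctl -f /etc/pf.conf`. The filter sits on the internal interface rather than on outbound traffic of `$ext_if` because pf applies NAT before filtering, so on the external side every internal host already carries the shared public address and could not be told apart. Blocked attempts are visible with `tcpdump -n -e -ttt -i pflog0 port 25`, which shows the internal source address of each rejected connection.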


----------



## jailed (Sep 6, 2011)

Hello,

Thank you all for your messages.

@SirDice,
I thought so, because I always update the ports on the server. They're always up to date. I searched for possible attacks on the server but couldn't find anything. However, I wanted to be sure about that. I wanted to know if anyone had experienced a Torpig attack on their mail server, because it's the first time I've heard of Torpig.

@bes,
Thanks 

@rolfheinrich,
My mail server isn't the only machine. WWW, DNS, MAIL and personal computers share the same IP behind a FreeBSD firewall & router.
I've already removed the IP record from the CBL. I opened this thread to be sure about the reason for this block.
I have no Windows machine. Even my desktop is FreeBSD. Only the mail server has access to port 25.


So, adding up your opinions, we're sure that it's not about a trojan. The CBL thinks that it may be about Torpig because of the rise in the mail volume.

This made me relax.

Thank you for your thoughts.

Sincerely.


----------



## Anonymous (Sep 6, 2011)

jailed said:

> So, adding up your opinions, we're sure that it's not about a trojan. The CBL thinks that it may be about Torpig because of the rise in the mail volume.
> 
> This made me relax.



Sorry, but I am not that sure about your conclusion.

First of all, the CBL does not think; it is an automated system, making block decisions based on real incidents. The claim is that your IP somehow touched their Torpig honeypot server. I cannot see how this can by any means be related to a rise in the mail volume.

Three months ago we also had a CBL case, and we carefully analyzed the CBL record, which even gave us the internal IP address that made the contact. We found out that this IP belonged to the Win XP laptop of an external chartered accountant who was auditing the yearly financial statements of our company. This laptop had certain access to our internal network in the respective period.

Note that machines connected via VPN also appear to the internet as having your public IP.


----------



## SirDice (Sep 6, 2011)

rolfheinrich said:

> The claim is that your IP somehow touched their Torpig honeypot server. I cannot see how this can by any means be related to a rise in the mail volume.


They don't have a 'torpig honeypot'. Torpig is a trojan, it does NOT propagate by itself. The ONLY thing it does is send massive amounts of email. It's also a popular infection and since 90% of internet users use Windows it's more likely to be an 'educated guess' than anything else.


----------



## jailed (Sep 6, 2011)

@rolfheinrich

Hello,

If a Postfix & Courier-IMAP server on FreeBSD can be infected by Torpig, I will format and reinstall the mail server to be sure that this trojan is removed from the mail server.

If Torpig can't infect a BSD mail server, I can only think of the mail volume. Rising from 1K a day to 10K a day may be a reason.

There is no VPN server in my network.

There is no Windows user.

There is no wireless connection (only cable is allowed; there isn't even any wireless hardware).

I don't allow any visitor/guest to use the internet. Nobody can physically reach this, because internet access is given to computers by the main server.

Please let me know if there is a BSD version of this virus. If so, I will format the mail server.

Thanks


----------



## SirDice (Sep 6, 2011)

jailed said:

> Please let me know if there is a BSD version of this virus.


There isn't, it's Windows only.

NB It's not a virus, it's a trojan. Trojans don't propagate themselves, viruses and worms do.


----------



## jailed (Sep 6, 2011)

Thanks SirDice.

So it's not Torpig related. It may be about mass mail volume.


----------



## Anonymous (Sep 6, 2011)

SirDice said:

> They don't have a 'torpig honeypot'. Torpig is a trojan, it does NOT propagate by itself. The ONLY thing it does is send massive amounts of email. It's also a popular infection and since 90% of internet users use Windows it's more likely to be an 'educated guess' than anything else.



And from where does the trojan receive its commands and the e-mails to send? It receives them from a C&C, doesn't it? Couldn't the honeypot C&C at 91.20.214.119 be one operated by the CBL?


----------



## SirDice (Sep 6, 2011)

Since torpig uses 'domain flux' you'd be very, very lucky to hit that single IP address. Registering _all_ domains that could be generated would require a couple of million dollars. It's also quite easy for torpig to update/change its domain generator.

It would also be quite easy to inject fake data into that 'honeypot'.


----------

