# How to remove nymaim virus/bot



## captcurrent (Sep 11, 2015)

Spamhaus CBL has my server listed and says I am infected with the s_nymaim bot.

I am running FreeBSD 9.2 on an i386 machine. Can anyone point me in a direction to deal with this?


----------



## SirDice (Sep 11, 2015)

Look at the output of ps(1) and look for any weird processes. Not guaranteed to work because some malware tries to hide as a 'regular' process (like httpd). Also look in /tmp for any weird scripts, but again, not guaranteed to help as malware tends to remove all traces of itself. Verify the output of `sockstat -46`, look for any process that's listening and shouldn't be there. 

You should also update to 9.3 because 9.2 has been end-of-life since December 2014 and is not supported any more (no security patches!). It probably won't remove the malware but it may help prevent getting infected again. Same goes for all your installed ports/packages, make sure everything is up to date.

Looking into this particular malware, I very much doubt it has infected your machine; this malware is specific to Windows and simply cannot run on FreeBSD. It's very likely something else. I assume the server is a mailserver? In that case verify if _all_ the clients that use it are virus free. It may be a Windows machine that's infected which uses your mailserver to spread to the rest of the world.


----------



## captcurrent (Sep 15, 2015)

I did finish the belated update and I am now running 9.3.

I tried your three suggestions but did not really find anything glaring.

It is a mailserver but clients are remote so I really can't scan, but all have up-to-date Norton.

The cbl.org explanation says this is why the server was blacklisted.

"This was detected by a TCP/IP connection from 209.160.65.133 on port 34178 going to IP address 192.42.116.41 (the sinkhole) on port 80."

So it doesn't seem to be mail related. In my limited view.

I guess I could firewall port 34178 which may self contain the alleged bot.


----------



## SirDice (Sep 16, 2015)

It's an outgoing connection so blocking port 34178 won't help much, it's just a random source port for the connection. But if this is only a mailserver it should not make HTTP connections to port 80. So there's definitely something fishy going on. Has the machine been rebooted in the meantime? That may just have removed any trace of the malware. Is there anything else, besides mail, running on that machine?


----------



## captcurrent (Sep 16, 2015)

I host web pages and email on this server for several businesses. I have rebooted numerous times. Can I try to find the activity in a log?


----------



## SirDice (Sep 16, 2015)

My guess is that they came in through one of your websites. I doubt you'll find anything in the logs but it doesn't hurt to look of course. I can't really tell you what to look for, just look for anything that looks out-of-place compared to the regular requests and/or errors. 

Is the website running Apache? If so, what version? PHP version? Wordpress perhaps?


----------



## captcurrent (Sep 16, 2015)

php5-5.4.38, Apache 2.2.31 and at least one Wordpress. Have to see what is on the other virtual hosts.


----------



## SirDice (Sep 16, 2015)

In that case the most likely way they got in is through Wordpress. More specifically Wordpress plugins, their security is rather abysmal and if you don't keep things up to date it's just a matter of time before the site is infected.


----------



## captcurrent (Sep 16, 2015)

Yeah  I understood that.  It's not on a site I manage.  Any ideas on how to fix?   The issue is their content.  I am sure that is where it is hiding.


----------



## SirDice (Sep 16, 2015)

Fixing it means going through all the HTML and PHP files and looking for things that are out of place. This stuff usually sticks out like a sore thumb. Specifically look for weird JavaScript inclusions, sometimes loaded from an external site. But it's hard to say, they obviously try their best to hide the crap. Infections rarely look exactly alike, even if it's the same malware. So anything that looks funny/odd/out-of-place should be investigated. But it helps if you've seen it a few times before, you get to see the patterns and similarities.


----------



## captcurrent (Sep 16, 2015)

Arggggggh. It's time to upgrade my server. The machine is dated, but even if I start fresh, when I bring content across it would bring the nasty with it. CBL blacklisted me for the first time in September, so it would seem files last changed in this month would be a place to start.

When you say look for JavaScript inclusions, excuse my ignorance, but I am not sure what you mean by that.  I know I link such script in html and php pages.  Am I looking for stuff like that?
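Putting SirDice's "odd JavaScript inclusions" and the "files changed this month" idea into a script, as an added example that is not from the thread: it lists HTML/PHP/JS files under a web root modified in the last N days and flags script tags that load from an external host plus the common PHP decode/eval wrappers. The web root path, the 30-day window and the fixture contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list HTML/PHP/JS files under a web root
# that changed in the last N days and flag the inclusions SirDice describes:
# <script src=...> pulling from an external host, and PHP wrapped in
# eval()/base64_decode()/gzinflate() decode chains. Hits are leads to read by
# hand, not proof: WordPress core itself uses base64_decode() in places.
# Usage on a live server (path is an assumption): scan_webroot /usr/local/www/example.org 30

SUSPECT_RE='<script[^>]*src=[^>]*https?://|eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|document\.write[[:space:]]*\([[:space:]]*unescape'

# Print file:line:indicator for every hit in web files modified in the last
# $2 days (default 30) under $1. Protocol-relative "//host/x.js" sources are
# not caught by the first alternative; add them if your sites never use them.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.js' \) \
        -mtime -"${2:-30}" -exec grep -HnoE "$SUSPECT_RE" {} +
}

# Number of indicator hits, as a single integer.
count_hits() {
    scan_webroot "$1" "$2" | wc -l | tr -d ' '
}

# Constructed fixture: a clean theme file with a local script, and a file
# carrying a remote script tag plus an eval(base64_decode(...)) wrapper around
# a placeholder string. Prints the temporary directory it created.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo"
    cat >"$d/index.php" <<'EOF'
<?php get_header(); ?>
<script src="/wp-includes/js/jquery.js"></script>
EOF
    cat >"$d/wp-content/themes/demo/ctioVp.php" <<'EOF'
<?php eval(base64_decode('PLACEHOLDER')); ?>
<script type="text/javascript" src="http://cdn.example.invalid/x.js"></script>
EOF
    echo "$d"
}

d=$(make_fixture)
scan_webroot "$d" 30
rm -rf "$d"
```

On the fixture this reports three hits, all in ctioVp.php (eval, base64_decode and the remote script source) and none in the clean index.php.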


----------



## junovitch@ (Sep 16, 2015)

The Wordpress plugins are likely the lowest common denominator. Watching security mailing lists, there is a non-stop stream of issues reported in Wordpress plugins. They are all outside of ports so there's no way to warn the end user on what they install.

For PHP however, there are just a few issues impacting PHP 5.4.38.
http://www.vuxml.org/freebsd/742563d4-d776-11e4-b595-4061861086c1.html
http://www.vuxml.org/freebsd/1e232a0c-eb57-11e4-b595-4061861086c1.html
http://www.vuxml.org/freebsd/31de2e13-00d2-11e5-a072-d050996490d0.html
http://www.vuxml.org/freebsd/cdff0af2-1492-11e5-a1cf-002590263bf5.html
http://www.vuxml.org/freebsd/af7fbd91-29a1-11e5-86ff-14dae9d210b8.html
http://www.vuxml.org/freebsd/5a1d5d74-29a0-11e5-86ff-14dae9d210b8.html
http://www.vuxml.org/freebsd/3d39e927-29a2-11e5-86ff-14dae9d210b8.html
http://www.vuxml.org/freebsd/8b1f53f3-2da5-11e5-86ff-14dae9d210b8.html
http://www.vuxml.org/freebsd/36bd352d-299b-11e5-86ff-14dae9d210b8.html
http://www.vuxml.org/freebsd/787ef75e-44da-11e5-93ad-002590263bf5.html
http://www.vuxml.org/freebsd/3d675519-5654-11e5-9ad8-14dae9d210b8.html


----------



## captcurrent (Sep 18, 2015)

I appreciate the input as to how it got in. Just was hoping for an easier way to find it.


----------



## captcurrent (Sep 19, 2015)

My latest idea is to access my backup files from a Windows machine and run the Norton Power Eraser suggested in the CBL notice. Does anyone have any thoughts on that?


----------



## captcurrent (Sep 21, 2015)

I think I got it fixed with the help of tech support from my host.

Using `sockstat` we found the referenced suspicious activity:


```
? ? ? ? tcp4 209.160.65.133:14146 192.229.233.43:80
? ? ? ? tcp4 209.160.65.133:14148 52.20.101.41:80
? ? ? ? tcp4 209.160.65.133:14149 65.39.202.100:80
? ? ? ? tcp4 209.160.65.133:14151 52.5.115.50:80
? ? ? ? tcp4 209.160.65.133:14152 188.226.247.5:80
? ? ? ? tcp4 209.160.65.133:14153 23.21.148.189:80
? ? ? ? tcp4 209.160.65.133:14156 52.7.65.202:80
? ? ? ? tcp4 209.160.65.133:14157 185.29.133.223:80
? ? ? ? tcp4 209.160.65.133:14158 54.236.123.111:80
? ? ? ? tcp4 209.160.65.133:14159 205.185.216.10:80
? ? ? ? tcp4 209.160.65.133:14160 205.185.216.10:80
? ? ? ? tcp4 209.160.65.133:14161 205.185.216.10:80
? ? ? ? tcp4 209.160.65.133:14165 74.209.129.202:80
? ? ? ? tcp4 209.160.65.133:35000 52.21.162.193:80
? ? ? ? tcp4 209.160.65.133:14116 52.21.162.193:80
? ? ? ? tcp4 209.160.65.133:14162 205.185.216.10:80
? ? ? ? stream -> ??
? ? ? ? tcp4 209.160.65.133:19542 198.41.207.129:80
? ? ? ? tcp4 209.160.65.133:14130 52.3.189.203:80
? ? ? ? tcp4 209.160.65.133:35972 198.41.206.129:80
? ? ? ? tcp4 209.160.65.133:31920 95.211.185.149:80
? ? ? ? stream -> ??
? ? ? ? tcp4 209.160.65.133:14111 199.38.164.47:80
? ? ? ? tcp4 209.160.65.133:47873 198.41.207.129:80
? ? ? ? tcp4 209.160.65.133:35857 52.21.159.95:80
? ? ? ? tcp4 209.160.65.133:55202 173.194.63.17:443
? ? ? ? tcp4 209.160.65.133:53538 185.31.128.208:80
? ? ? ? tcp4 209.160.65.133:59470 185.31.19.249:80
? ? ? ? tcp4 209.160.65.133:14164 185.31.128.208:443
? ? ? ? tcp4 209.160.65.133:18332 54.172.102.30:80
```


Further refinement found the existence of a program called dropbear, which turns out to be an SSH server. Also found rogue PHP code, as you all predicted, ctioVp.php. Peeling back the onion found one of my FTP accounts had been compromised. Removing those I was able to get the system back to normal operations.
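SirDice's point that a mail server has no business opening HTTP connections, applied to output like the above, as an added example that is not from the thread: a small filter over `sockstat -46` that lists TCP connections to a remote port 80 or 443 and calls out the ones sockstat cannot tie to a process (the `?` columns). The sample lines use documentation-range addresses and are constructed, not the thread's real data.

```shell
#!/bin/sh
# Added example (not from the thread): triage `sockstat -46` output by listing
# established connections to a remote web port (80/443), which a pure mail
# server normally has no reason to open. sockstat(1) columns are
# USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS; a "?" in the first
# four means sockstat could not tie the socket to a process descriptor, which
# is exactly what the thread's output showed. Live use: sockstat -46 | flag_outbound_web

# Constructed sample in sockstat -46 format (documentation-range addresses).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   192.0.2.10:22         203.0.113.7:51022
www      httpd      1023  4  tcp4   *:80                  *:*
www      httpd      1023  5  tcp6   *:80                  *:*
root     sendmail   690   6  tcp4   *:25                  *:*
root     sendmail   690   9  tcp4   192.0.2.10:25         198.51.100.9:40122
?        ?          ?     ?  tcp4   192.0.2.10:14146      198.51.100.20:80
?        ?          ?     ?  tcp4   192.0.2.10:14149      198.51.100.21:80
root     fetch      2210  3  tcp4   192.0.2.10:55202      198.51.100.30:443
?        ?          ?     ?  stream -> ??
EOF
}

# Print each TCP connection whose remote port is 80 or 443, prefixed with the
# owner (user/command[pid]) or NO-OWNER when sockstat shows "?". Listening
# sockets (foreign address *:*) and unix-domain "stream" lines are skipped.
# Expect legitimate hits from things like pkg, freebsd-update or freshclam.
flag_outbound_web() {
    awk '$5 ~ /^tcp/ && $7 != "*:*" {
        n = split($7, a, ":"); port = a[n]
        if (port == "80" || port == "443") {
            owner = ($1 == "?") ? "NO-OWNER" : ($1 "/" $2 "[" $3 "]")
            printf "%s  %s -> %s\n", owner, $6, $7
        }
    }'
}

# Summarise the flagged connections as "<identified> <unidentified>".
count_outbound_web() {
    flag_outbound_web | awk '
        /^NO-OWNER/ { unknown++ } !/^NO-OWNER/ { known++ }
        END { printf "%d %d\n", known + 0, unknown + 0 }'
}

sample_sockstat | flag_outbound_web
```

On the sample this flags three connections: the fetch process on port 443 and two ownerless connections to port 80, the pattern worth chasing on a box that should only be doing mail.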


----------



## SirDice (Sep 21, 2015)

You may want to install security/sshguard or security/py-fail2ban. Both are able to monitor logins and block an IP address for a period of time if there are too many failed attempts. It's not a fail-safe option but it will limit the number of tries those brute-force attacks can do, giving you more time to detect them. Periodically review those logs and the SSH/FTP logins because users tend to pick rather simple passwords. And they only need to find one to get in.


----------

