The forgotten part – Mailgate as your mail server firewall.

Email file transfer is a natural part of modern communication, and we can no longer imagine everyday life without it. However, emails frequently also transport viruses or unwanted programs. Many of these viruses and unwanted programs were written specifically to attack Windows operating systems. But open source systems are in danger as well, because UNIX mail servers also transport malware. This gives cyber-attackers an easy opportunity to penetrate your network: Windows clients can be infected, and the computers of their messaging partners can be affected in turn. Business users increasingly rely on UNIX.

However, as free software enters companies and institutes, the alternative operating systems are increasingly targeted by virus writers. Virus protection on UNIX will therefore still be needed in the future.

Mailgate scans all incoming and outgoing emails (including attachments) on your mail server. Mailgate can operate with a variety of MTAs (Mail Transport Agents), such as sendmail, Postfix, Exim, Qmail and other programs. More info at: Avira MailGate (www.avira.com)

The life cycle of firewall rules

In enterprise firewall management and operation, many changes are requested by users, application providers and management itself for one purpose or another. Every change must go through a few procedures before it can be applied to the network.

However, when there are so many firewall rules serving the enterprise, some of them turn into unused rules. A rule becomes an unused policy when an application changes, the network changes or a user leaves.

These unused or “stale” rules are a hidden menace to your firewall policy rulebase. First of all, they slow down performance – since the firewall has to scan all of the rules from the top for every traffic request. Second, they are a threat to security – they may leave access open to an unwanted visitor. – Reuven Harrison, CTO

More info: www.tufin.com
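The two problems described above (rules that no longer match anything, and rules that still grant access nobody uses) can be spotted from the hit counters most firewalls keep. The following is an added example, not code from the original post or from any vendor: it runs a first-match, top-down rulebase (a constructed sample, not a real policy) through a stale-rule check and a shadowed-rule check. Field names, the 90-day threshold and the date are assumptions.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample rulebase (not taken from any real firewall). Rules are
# evaluated top-down, first match wins. last_hit is the most recent match date
# from the hit counters; None means the rule has never matched.
RULES = [
    {"id": 10, "src": "10.0.0.0/8",    "dst": "192.168.5.10/32", "port": 443, "action": "allow", "last_hit": date(2011, 6, 1)},
    {"id": 20, "src": "10.20.0.0/16",  "dst": "192.168.5.10/32", "port": 443, "action": "allow", "last_hit": None},
    {"id": 30, "src": "172.16.4.0/24", "dst": "192.168.5.20/32", "port": 22,  "action": "allow", "last_hit": date(2010, 11, 3)},
    {"id": 40, "src": "0.0.0.0/0",     "dst": "192.168.5.30/32", "port": 25,  "action": "allow", "last_hit": date(2011, 6, 2)},
    {"id": 50, "src": "0.0.0.0/0",     "dst": "0.0.0.0/0",       "port": None, "action": "deny", "last_hit": date(2011, 6, 2)},
]
TODAY = date(2011, 6, 3)  # assumed review date for the sample


def find_stale(rules, today, max_age_days=90):
    """IDs of rules with no hit within max_age_days (or never): removal candidates."""
    cutoff = today - timedelta(days=max_age_days)
    return [r["id"] for r in rules if r["last_hit"] is None or r["last_hit"] < cutoff]


def _covers(upper, lower):
    """True if `upper` matches every packet that `lower` would match."""
    if upper["port"] not in (None, lower["port"]):   # None = any port
        return False
    return all(ipaddress.ip_network(lower[k]).subnet_of(ipaddress.ip_network(upper[k]))
               for k in ("src", "dst"))


def find_shadowed(rules):
    """IDs of rules that can never match because an earlier rule already covers them."""
    return [lower["id"] for i, lower in enumerate(rules)
            if any(_covers(upper, lower) for upper in rules[:i])]


def review(rules, today):
    """Classify every rule as shadowed (dead), stale (unused too long) or active."""
    shadowed, stale = set(find_shadowed(rules)), set(find_stale(rules, today))
    return {r["id"]: "shadowed" if r["id"] in shadowed
            else "stale" if r["id"] in stale else "active" for r in rules}


if __name__ == "__main__":
    for rule_id, verdict in review(RULES, TODAY).items():
        print(rule_id, verdict)
```

Rule 20 is dead weight only (rule 10 already allows everything it would), while rule 30 is the security problem the quote warns about: an SSH allow that nothing has used for months but that still opens the port.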

Kippo: Intruder caught in action

From the video, I can see the attacker’s goal was to implement the downloaded tools. A package called flood.tgz was downloaded and decompressed to the local drive.

The attacker tried to execute one of the tools, called “httpd”. However, it failed. After realizing the hacked server did not have enough capability to run the tool, the attacker executed rm -rf on the folder.

To get further in my analysis, I ran Zerowine (http://zerowine.sourceforge.net/) to analyze the program called “httpd” from the attacker. I only used the strings feature in Zerowine to see what is inside “httpd”.

In the video you can see the strings that came from “httpd”. It is obvious the attacker wants to run some sort of bot. The bot will connect to the selected server and will be controlled by the master once the bot has successfully propagated.