Date:      Sat, 24 Nov 2012 10:08:16 -0800
From:      trafdev <trafdev@mail.ru>
To:        freebsd-hackers@freebsd.org
Subject:   postfix mail server infected ?
Message-ID:  <50B10D10.80209@mail.ru>

Hi. I've a dedicated stand-alone FreeBSD server:
 > uname -a
FreeBSD trafd-website-freebsd 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: 
Tue Jun 12 02:52:29 UTC 2012 
root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

The server has one external interface (re0) with IP 206.239.112.241 and 
a postfix service installed on port 25.

Yesterday I noticed a huge amount of email being sent out:

Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37230]: connect from 
f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73F7D1365D: 
from=<wkktxh@f116.sd.com>, size=1211, nrcpt=10 (queue active)
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37366]: 75ECA134F2: 
to=<reco.motos@yahoo.com.br>, relay=none, delay=25715, 
delays=25715/0.02/0/0.12, dsn=4.7.0, status=deferred (delivery 
temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused 
to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241 
temporarily deferred due to user complaints - 4.16.55.1; see 
http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37368]: 794A911711: 
to=<tayd@yahoo.com.br>, relay=none, delay=29716, 
delays=29716/0.05/0/0.05, dsn=4.7.0, status=deferred (delivery 
temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused 
to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241 
temporarily deferred due to user complaints - 4.16.55.1; see 
http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36699]: E559512F49: 
to=<luziarodrigues757@terra.com.br>, 
relay=vip-us-br-mx.terra.com[208.84.244.133]:25, delay=26077, 
delays=26075/1/0.59/0.31, dsn=4.7.1, status=deferred (host 
vip-us-br-mx.terra.com[208.84.244.133] said: 450 4.7.1 You've exceeded 
your sending limit to this domain. (in reply to end of DATA command))
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37370]: 7C45D18E5D: 
to=<a925er@yahoo.com.br>, relay=none, delay=6984, 
delays=6984/0.02/0/0.04, dsn=4.7.0, status=deferred (delivery 
temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused 
to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241 
temporarily deferred due to user complaints - 4.16.55.1; see 
http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73E8118E53: 
from=<t9zir@f116.sd.com>, size=1143, nrcpt=10 (queue active)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413: 
client=f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37367]: 74A511A5BF: 
to=<duscherer1@yahoo.com.br>, relay=none, delay=5587, 
delays=5587/0/0/0.18, dsn=4.7.0, status=deferred (delivery temporarily 
suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to 
me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred 
due to user complaints - 4.16.55.1; see 
http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36698]: E7898134D0: 
to=<gvfg@terra.com.br>, relay=vip-us-br-mx.terra.com[208.84.244.133]:25, 
conn_use=4, delay=25728, delays=25726/1.1/0.06/0.4, dsn=4.7.1, 
status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] said: 450 
4.7.1 You've exceeded your sending limit to this domain. (in reply to 
end of DATA command))
Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36226]: 7BE421F989: 
to=<elc.moura@bol.com.br>, relay=mx3.bol.com.br[200.147.36.13]:25, 
delay=339, delays=339/0/0.49/0.24, dsn=4.7.1, status=deferred (host 
mx3.bol.com.br[200.147.36.13] said: 450 4.7.1 <elc.moura@bol.com.br>: 
Recipient address rejected: MX-BOL-04 - Too many messages, try again 
later. (in reply to RCPT TO command))

where f116.sd.com[206.239.112.241] are the hostname and IP assigned to the 
external interface (re0).

Because the "permit_mynetworks" policy is enabled in the postfix config, mail 
was being sent out without authentication. However, all externally 
connecting clients were rejected, which is the proper and expected behavior:

Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from 
a2-starfury4.uol.com.br[200.147.33.227]
Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: NOQUEUE: 
reject: RCPT from a2-starfury4.uol.com.br[200.147.33.227]: 550 5.1.1 
<pehw@f116.sd.com>: Recipient address rejected: User unknown in virtual 
mailbox table; from=<> to=<pehw@f116.sd.com> proto=ESMTP 
helo=<mx.uol.com.br>
Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: disconnect 
from a2-starfury4.uol.com.br[200.147.33.227]

Then I tried:

$cmd 001 deny all from any to me dst-port 25 in via re0
$cmd 002 deny all from any to me dst-port 25 out via re0

and cleaned the local mail queue with
postsuper -d ALL

This didn't change anything; the server continued to send a huge amount of 
email.

However, restrictions on lo0:
$cmd 001 deny all from any to me dst-port 25 in via lo0
$cmd 002 deny all from any to me dst-port 25 out via lo0

did the trick: the emailing stopped. So in fact the problem is solved, but 
the real reason wasn't found.

I launched clamav and f-prot scans; nothing suspicious was found.

The main question I have: how is this possible on a stand-alone dedicated 
server? Who is connecting on behalf of its own external IP, and how, and 
using the local interface to send emails? Is this possible to do from 
outside, or was the server infected from inside?
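As an added example (not part of the original post, and not code from the Postfix or FreeBSD projects), here is a small log-triage script that applies the check a defender would run on the log excerpts above: split smtpd client connections into those that arrive from the server's own addresses versus genuinely remote ones, and summarize the deferred deliveries by DSN code and recipient domain. The point it illustrates: on FreeBSD a local process that connects to the host's own external address is routed over lo0, and with Postfix's default mynetworks_style = subnet that address falls inside mynetworks, so permit_mynetworks accepts the mail without authentication. Both properties are consistent with the observation that blocking port 25 on lo0 stopped the sending while the re0 rule did not. The sample log lines are constructed from the post's own excerpts (wrapped lines rejoined); the function names and the threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, rejoined from the log lines quoted in the original post.
SAMPLE_LOG = """\
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37230]: connect from f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73F7D1365D: from=<wkktxh@f116.sd.com>, size=1211, nrcpt=10 (queue active)
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37366]: 75ECA134F2: to=<reco.motos@yahoo.com.br>, relay=none, delay=25715, delays=25715/0.02/0/0.12, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413: client=f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36698]: E7898134D0: to=<gvfg@terra.com.br>, relay=vip-us-br-mx.terra.com[208.84.244.133]:25, conn_use=4, delay=25728, delays=25726/1.1/0.06/0.4, dsn=4.7.1, status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] said: 450 4.7.1 You've exceeded your sending limit to this domain. (in reply to end of DATA command))
Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from a2-starfury4.uol.com.br[200.147.33.227]
Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: NOQUEUE: reject: RCPT from a2-starfury4.uol.com.br[200.147.33.227]: 550 5.1.1 <pehw@f116.sd.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<pehw@f116.sd.com> proto=ESMTP helo=<mx.uol.com.br>
"""

# syslog prefix written by Postfix: timestamp, host, "postfix/<program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# smtpd records the client as "connect from name[ip]" or "<queueid>: client=name[ip]"
CLIENT_RE = re.compile(r"(?:connect from |client=)(?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
# delivery-status records from smtp/error carry recipient, DSN and status
DEFER_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")


def parse_line(line):
    """Parse one Postfix syslog line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    cm = CLIENT_RE.search(rec["msg"])
    if cm:
        rec["client_name"], rec["client_ip"] = cm.group("name"), cm.group("ip")
    dm = DEFER_RE.search(rec["msg"])
    if dm:
        rec.update(dm.groupdict())
    return rec


def client_origin_report(log_text, own_addresses):
    """Count smtpd client connections, split by whether the client IP is one of
    the server's own interface addresses (trusted by permit_mynetworks)."""
    local, remote = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["prog"] != "smtpd" or "client_ip" not in rec:
            continue
        bucket = local if rec["client_ip"] in own_addresses else remote
        bucket[rec["client_ip"]] += 1
    return local, remote


def deferral_summary(log_text):
    """Group deferred deliveries by DSN code and by recipient domain; a burst of
    4.7.x deferrals to a few consumer domains is the signature seen in the post."""
    by_dsn, by_domain = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("status") == "deferred":
            by_dsn[rec["dsn"]] += 1
            by_domain[rec["rcpt"].rsplit("@", 1)[-1]] += 1
    return by_dsn, by_domain


def flag_self_submission(local_counts, threshold=1):
    """Return the own-address clients whose connection count meets the threshold
    (assumed threshold; a real deployment would tune it to its legitimate local mail)."""
    return {ip: n for ip, n in local_counts.items() if n >= threshold}


if __name__ == "__main__":
    # 206.239.112.241 is the external address named in the post.
    local, remote = client_origin_report(SAMPLE_LOG, {"206.239.112.241"})
    print("connections from own addresses:", dict(local))
    print("connections from remote hosts:", dict(remote))
    print("flagged self-submission:", flag_self_submission(local))
    by_dsn, by_domain = deferral_summary(SAMPLE_LOG)
    print("deferred by DSN:", dict(by_dsn), "by domain:", dict(by_domain))
```

Run against a real /var/log/maillog, a non-zero count from the server's own address with no local mail clients expected is the thing to chase: on FreeBSD, `sockstat -4 -c` lists the connected sockets with their owning process, so filtering for a foreign port of 25 while the sending is active names the local process opening those connections. On the Postfix side, `postconf mynetworks` shows whether the external address is in the trusted set; limiting it to the loopback networks (for example `mynetworks = 127.0.0.0/8 [::1]/128`) removes that trust so the same local process would be refused relaying instead of accepted.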