From owner-freebsd-hackers@FreeBSD.ORG Sat Nov 24 18:08:27 2012
Message-ID: <50B10D10.80209@mail.ru>
Date: Sat, 24 Nov 2012 10:08:16 -0800
From: trafdev (envelope-from trafdev@mail.ru)
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:16.0) Gecko/20121110 Thunderbird/16.0.2
To: freebsd-hackers@freebsd.org
Subject: postfix mail server infected ?
List-Id: Technical Discussions relating to FreeBSD

Hi.
I've a dedicated stand-alone FreeBSD server:

> uname -a
FreeBSD trafd-website-freebsd 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 02:52:29 UTC 2012 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

The server has one external interface (re0) with IP 206.239.112.241 and the postfix service installed on port 25.

Yesterday I noticed a huge amount of emails being sent out:

Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37230]: connect from f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73F7D1365D: from=, size=1211, nrcpt=10 (queue active)
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37366]: 75ECA134F2: to=, relay=none, delay=25715, delays=25715/0.02/0/0.12, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37368]: 794A911711: to=, relay=none, delay=29716, delays=29716/0.05/0/0.05, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36699]: E559512F49: to=, relay=vip-us-br-mx.terra.com[208.84.244.133]:25, delay=26077, delays=26075/1/0.59/0.31, dsn=4.7.1, status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] said: 450 4.7.1 You've exceeded your sending limit to this domain. (in reply to end of DATA command))
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37370]: 7C45D18E5D: to=, relay=none, delay=6984, delays=6984/0.02/0/0.04, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73E8118E53: from=, size=1143, nrcpt=10 (queue active)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413: client=f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37367]: 74A511A5BF: to=, relay=none, delay=5587, delays=5587/0/0/0.18, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36698]: E7898134D0: to=, relay=vip-us-br-mx.terra.com[208.84.244.133]:25, conn_use=4, delay=25728, delays=25726/1.1/0.06/0.4, dsn=4.7.1, status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] said: 450 4.7.1 You've exceeded your sending limit to this domain. (in reply to end of DATA command))
Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36226]: 7BE421F989: to=, relay=mx3.bol.com.br[200.147.36.13]:25, delay=339, delays=339/0/0.49/0.24, dsn=4.7.1, status=deferred (host mx3.bol.com.br[200.147.36.13] said: 450 4.7.1 : Recipient address rejected: MX-BOL-04 - Too many messages, try again later. (in reply to RCPT TO command))

Where f116.sd.com[206.239.112.241] is the IP and host assigned to the external interface (re0). Due to the "permit_mynetworks" policy enabled in the postfix conf, mail was being sent out without authentication.

However, all externally connected clients were rejected, which is the proper and expected behavior:

Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from a2-starfury4.uol.com.br[200.147.33.227]
Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: NOQUEUE: reject: RCPT from a2-starfury4.uol.com.br[200.147.33.227]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=
Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: disconnect from a2-starfury4.uol.com.br[200.147.33.227]

Then I tried:

$cmd 001 deny all from any to me dst-port 25 in via re0
$cmd 002 deny all from any to me dst-port 25 out via re0

and cleaned the local mail queue with

postsuper -d ALL

This didn't change anything - the server continued to send a huge amount of emails. However, restrictions on lo0:

$cmd 001 deny all from any to me dst-port 25 in via lo0
$cmd 002 deny all from any to me dst-port 25 out via lo0

did the trick - the emailing stopped. So in fact the problem is solved, but the real reason wasn't found. I've launched clamav and f-prot scans - nothing suspicious found.

The main question I have: how is this possible on a stand-alone dedicated server - who and how is connecting on behalf of its own ext IP and using the local interface to send emails? Is this possible to do from outside, or was the server infected from inside?
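A defender's first step with a question like the one above is to confirm from the logs exactly what permit_mynetworks let through. The following is an added example, not code from the post or from Postfix: it parses the smtpd and qmgr lines quoted in the post (sender and recipient addresses were already blank there) and flags every message smtpd accepted from one of the host's own addresses while that address also fell inside $mynetworks. That combination means a process running on the machine itself connected to the local listener and was relayed without authentication, which is what the post's lo0 firewall rule stopping the flood indicates. The mynetworks list (127.0.0.0/8 plus the interface's /24, which is what Postfix 2.x's default mynetworks_style = subnet produces) and the own-IP list are assumptions for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Sample log lines copied from the post above; the sender/recipient addresses
# were already blank in the post (from=, to=), so they stay blank here.
SAMPLE_LOG = """\
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37230]: connect from f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73F7D1365D: from=, size=1211, nrcpt=10 (queue active)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413: client=f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73E8118E53: from=, size=1143, nrcpt=10 (queue active)
Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from a2-starfury4.uol.com.br[200.147.33.227]
Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: NOQUEUE: reject: RCPT from a2-starfury4.uol.com.br[200.147.33.227]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=
"""

HOST_IP = r"(?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\]"
# smtpd logs "connect from" per TCP session and "client=" once per message it accepts.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from " + HOST_IP)
ACCEPTED_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=" + HOST_IP)
REJECT_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from " + HOST_IP)
# qmgr logs the recipient count when a message enters the active queue.
QUEUE_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=(?P<sender>[^,]*), "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+) \(queue active\)")


def analyze(log_text, mynetworks, own_ips):
    """Summarise smtpd activity and flag messages accepted from the host's own address.

    mynetworks: the CIDR list Postfix trusts via permit_mynetworks (assumed here).
    own_ips:    the addresses configured on this host's interfaces (assumed here).
    """
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    own = {ipaddress.ip_address(a) for a in own_ips}
    report = {
        "connections_per_client": Counter(),
        "accepted_per_client": Counter(),
        "rejected_per_client": Counter(),
        "self_origin_queue_ids": [],
        "recipients_queued": 0,
    }
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            report["connections_per_client"][m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            report["accepted_per_client"][m["ip"]] += 1
            # A client presenting one of our own addresses is a local process
            # talking to our own listener; if that address is also trusted by
            # permit_mynetworks it relays without authenticating.
            if ip in own and any(ip in n for n in nets):
                report["self_origin_queue_ids"].append(m["qid"])
            continue
        m = REJECT_RE.search(line)
        if m:
            report["rejected_per_client"][m["ip"]] += 1
            continue
        m = QUEUE_RE.search(line)
        if m:
            report["recipients_queued"] += int(m["nrcpt"])
    return report


def verdict(report):
    """One-line reading of the report for an operator."""
    flagged = report["self_origin_queue_ids"]
    if flagged:
        return (f"local process relaying via permit_mynetworks: "
                f"{len(flagged)} message(s) accepted from the host's own IP")
    return "no self-origin submissions seen"


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG, ["127.0.0.0/8", "206.239.112.0/24"], ["206.239.112.241"])
    print(verdict(r))
    print("connections:", dict(r["connections_per_client"]))
    print("accepted:", dict(r["accepted_per_client"]))
    print("rejected:", dict(r["rejected_per_client"]))
    print("recipients queued:", r["recipients_queued"])
```

Run against the full mail log, the flagged queue IDs tell you how much of the flood came through the loopback path rather than from outside. Catching the process behind it is then a live check: on FreeBSD, sockstat -4 -c -p 25 lists the local process and user owning each established connection to port 25, which a scanner like clamav will never show you. The durable fix is to shrink mynetworks to exactly the addresses that should relay (or require SASL authentication), so that a compromised local script or web application cannot use the host's own address as a free relay.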