From owner-freebsd-hackers@FreeBSD.ORG  Sat Nov 24 18:25:31 2012
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id C0653F9A
 for <freebsd-hackers@freebsd.org>; Sat, 24 Nov 2012 18:25:31 +0000 (UTC)
 (envelope-from yerenkow@gmail.com)
Received: from mail-oa0-f54.google.com (mail-oa0-f54.google.com
 [209.85.219.54])
 by mx1.freebsd.org (Postfix) with ESMTP id 76C5A8FC17
 for <freebsd-hackers@freebsd.org>; Sat, 24 Nov 2012 18:25:31 +0000 (UTC)
Received: by mail-oa0-f54.google.com with SMTP id n9so12513661oag.13
 for <freebsd-hackers@freebsd.org>; Sat, 24 Nov 2012 10:25:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=8xyC1jtmLxa7ha1/jzkn7oDe1nIeKH+X2fA+FzIH3vs=;
 b=RVoLL+GNdG45zfqXU4QTOdnix45qUHGVE8dxcyDBHAyyvVDw0w2KZJSHVGI3K7OsLi
 qs5+VvjXWFIn1y/qp877ezBP95SryPtQGjv7tM9t1VkMHOuze86RfmKsZUQgJED5b+6I
 ObwwoYmKZuRMYA476wH85wAmaIwZtp1F5+xVJgpzEKTe6vTW0cBPXrN2VUUzJ5Zca7wK
 MLPnHO6OSvJ7/oJVuejQgkVs/g8LUh+Lc+KBu6swGOIFk2NyF59VOIKFN1IoRlMLzJ5o
 BMppkSQyU1OocpCl8FE9eAqzqBjz2ktQdc2YEsQdOR6h1kgfvCSp3Gtgp+fQgZZ7Dhq7
 whdA==
MIME-Version: 1.0
Received: by 10.60.172.229 with SMTP id bf5mr5532034oec.81.1353781530406; Sat,
 24 Nov 2012 10:25:30 -0800 (PST)
Received: by 10.60.132.50 with HTTP; Sat, 24 Nov 2012 10:25:30 -0800 (PST)
Received: by 10.60.132.50 with HTTP; Sat, 24 Nov 2012 10:25:30 -0800 (PST)
In-Reply-To: <50B10D10.80209@mail.ru>
References: <50B10D10.80209@mail.ru>
Date: Sat, 24 Nov 2012 20:25:30 +0200
Message-ID: <CAPJF9wm-88LkPLx4GkJGnxdNoMHG6G6v15cO=CqUPTm-joKYSg@mail.gmail.com>
Subject: Re: postfix mail server infected ?
From: Alexander Yerenkow <yerenkow@gmail.com>
To: trafdev <trafdev@mail.ru>
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.14
Cc: freebsd-hackers@freebsd.org
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Nov 2012 18:25:31 -0000

Would be better if you include pkg info / pkg_info output, as well `who`,
and try to monitor and record via netstat all programs trying to connect to
25 port.
Also, what portaudit telling you?

Regards, Alexander Yerenkow
24.11.2012 20:08 =D0=CF=CC=D8=DA=CF=D7=C1=D4=C5=CC=D8 "trafdev" <trafdev@ma=
il.ru> =CE=C1=D0=C9=D3=C1=CC:

> Hi. I've a dedicated stand-alone FreeBSD server:
> > uname -a
> FreeBSD trafd-website-freebsd 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0:
> Tue Jun 12 02:52:29 UTC 2012 root@amd64-builder.**daemonology.net:
> /usr/obj/usr/**src/sys/GENERIC  amd64
>
> Server has one external interface (re0) with IP 206.239.112.241 and
> postfix service installed on 25 port.
>
> Yesterday I've noticed huge amount of emails sending out:
>
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37230]: connect from
> f116.sd.com[206.239.112.241]
> Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73F7D1365D:
> from=3D<wkktxh@f116.sd.com>, size=3D1211, nrcpt=3D10 (queue active)
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37366]: 75ECA134F2:
> to=3D<reco.motos@yahoo.com.br>, relay=3Dnone, delay=3D25715,
> delays=3D25715/0.02/0/0.12, dsn=3D4.7.0, status=3Ddeferred (delivery temp=
orarily
> suspended: host mta7.am0.yahoodns.net[66.94.**236.34] refused to talk to
> me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred d=
ue
> to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/**
> 421-ts01.html <http://postmaster.yahoo.com/421-ts01.html>)
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37368]: 794A911711:
> to=3D<tayd@yahoo.com.br>, relay=3Dnone, delay=3D29716,
> delays=3D29716/0.05/0/0.05, dsn=3D4.7.0, status=3Ddeferred (delivery temp=
orarily
> suspended: host mta7.am0.yahoodns.net[66.94.**236.34] refused to talk to
> me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred d=
ue
> to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/**
> 421-ts01.html <http://postmaster.yahoo.com/421-ts01.html>)
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36699]: E559512F49: to=
=3D<
> luziarodrigues757@terra.**com.br <luziarodrigues757@terra.com.br>>, relay=
=3D
> vip-us-br-mx.terra.com[**208.84.244.133]:25, delay=3D26077,
> delays=3D26075/1/0.59/0.31, dsn=3D4.7.1, status=3Ddeferred (host
> vip-us-br-mx.terra.com[208.84.**244.133] said: 450 4.7.1 You've exceeded
> your sending limit to this domain. (in reply to end of DATA command))
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37370]: 7C45D18E5D:
> to=3D<a925er@yahoo.com.br>, relay=3Dnone, delay=3D6984,
> delays=3D6984/0.02/0/0.04, dsn=3D4.7.0, status=3Ddeferred (delivery tempo=
rarily
> suspended: host mta7.am0.yahoodns.net[66.94.**236.34] refused to talk to
> me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred d=
ue
> to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/**
> 421-ts01.html <http://postmaster.yahoo.com/421-ts01.html>)
> Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73E8118E53:
> from=3D<t9zir@f116.sd.com>, size=3D1143, nrcpt=3D10 (queue active)
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413:
> client=3Df116.sd.com[206.239.**112.241]
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37367]: 74A511A5BF:
> to=3D<duscherer1@yahoo.com.br>, relay=3Dnone, delay=3D5587,
> delays=3D5587/0/0/0.18, dsn=3D4.7.0, status=3Ddeferred (delivery temporar=
ily
> suspended: host mta7.am0.yahoodns.net[66.94.**236.34] refused to talk to
> me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred d=
ue
> to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/**
> 421-ts01.html <http://postmaster.yahoo.com/421-ts01.html>)
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36698]: E7898134D0: to=
=3D<
> gvfg@terra.com.br>, relay=3Dvip-us-br-mx.terra.com[**208.84.244.133]:25,
> conn_use=3D4, delay=3D25728, delays=3D25726/1.1/0.06/0.4, dsn=3D4.7.1,
> status=3Ddeferred (host vip-us-br-mx.terra.com[208.84.**244.133] said: 45=
0
> 4.7.1 You've exceeded your sending limit to this domain. (in reply to end
> of DATA command))
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36226]: 7BE421F989: to=
=3D<
> elc.moura@bol.com.br>, relay=3Dmx3.bol.com.br[200.147.**36.13]:25,
> delay=3D339, delays=3D339/0/0.49/0.24, dsn=3D4.7.1, status=3Ddeferred (ho=
st
> mx3.bol.com.br[200.147.36.13] said: 450 4.7.1 <elc.moura@bol.com.br>:
> Recipient address rejected: MX-BOL-04 - Too many messages, try again late=
r.
> (in reply to RCPT TO command))
>
> Where f116.sd.com[206.239.112.241] is an IP and host assigned for
> external interface (re0).
>
> Due to "permit_mynetworks" policy enabled in postfix conf mail was sendin=
g
> out without authentication. However all externally connected clients were
> rejected which is proper and expected behavior:
>
> Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from
> a2-starfury4.uol.com.br[200.**147.33.227]
> Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: NOQUEUE:
> reject: RCPT from a2-starfury4.uol.com.br[200.**147.33.227]: 550 5.1.1 <
> pehw@f116.sd.com>: Recipient address rejected: User unknown in virtual
> mailbox table; from=3D<> to=3D<pehw@f116.sd.com> proto=3DESMTP helo=3D<
> mx.uol.com.br>
> Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: disconnect
> from a2-starfury4.uol.com.br[200.**147.33.227]
>
> Then, I've tried:
>
> $cmd 001 deny all from any to me dst-port 25 in via re0
> $cmd 002 deny all from any to me dst-port 25 out via re0
>
> and cleaned local mail queue with
> postsuper -d ALL
>
> This didn't changed anything - server continued to send huge amount of
> emails.
>
> However restrictions on lo0:
> $cmd 001 deny all from any to me dst-port 25 in via lo0
> $cmd 002 deny all from any to me dst-port 25 out via lo0
>
> did the trick - emailing had stopped. So by fact - problem solved, but th=
e
> real reason wasn't not found.
>
> I've launched clamav and f-prot scans - nothing suspicious found.
>
> The main question I have - how it's possible on stand-alone dedicated
> server - who and how is connecting on behalf of it's own ext ip and uses
> local interface to send emails? Is this possible to do from outside, or
> server was infected from inside?
>
> ______________________________**_________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/**mailman/listinfo/freebsd-**hackers<http://list=
s.freebsd.org/mailman/listinfo/freebsd-hackers>
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@**
> freebsd.org <freebsd-hackers-unsubscribe@freebsd.org>"
>