Date:      Sat, 24 Nov 2012 20:25:30 +0200
From:      Alexander Yerenkow <yerenkow@gmail.com>
To:        trafdev <trafdev@mail.ru>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: postfix mail server infected ?
Message-ID:  <CAPJF9wm-88LkPLx4GkJGnxdNoMHG6G6v15cO=CqUPTm-joKYSg@mail.gmail.com>
In-Reply-To: <50B10D10.80209@mail.ru>
References:  <50B10D10.80209@mail.ru>

It would be better if you included pkg info / pkg_info output, as well as `who`,
and tried to monitor and record via netstat all programs trying to connect to
port 25.
Also, what is portaudit telling you?

Regards, Alexander Yerenkow
On 24.11.2012 20:08, user "trafdev" <trafdev@mail.ru> wrote:

> Hi. I've a dedicated stand-alone FreeBSD server:
> > uname -a
> FreeBSD trafd-website-freebsd 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0:
> Tue Jun 12 02:52:29 UTC 2012 root@amd64-builder.daemonology.net:
> /usr/obj/usr/src/sys/GENERIC  amd64
>
> Server has one external interface (re0) with IP 206.239.112.241 and
> postfix service installed on 25 port.
>
> Yesterday I've noticed huge amount of emails sending out:
>
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37230]: connect from
> f116.sd.com[206.239.112.241]
> Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73F7D1365D:
> from=<wkktxh@f116.sd.com>, size=1211, nrcpt=10 (queue active)
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37366]: 75ECA134F2:
> to=<reco.motos@yahoo.com.br>, relay=none, delay=25715,
> delays=25715/0.02/0/0.12, dsn=4.7.0, status=deferred (delivery temporarily
> suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to
> me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred due
> to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37368]: 794A911711:
> to=<tayd@yahoo.com.br>, relay=none, delay=29716,
> delays=29716/0.05/0/0.05, dsn=4.7.0, status=deferred (delivery temporarily
> suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to
> me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred due
> to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36699]: E559512F49:
> to=<luziarodrigues757@terra.com.br>, relay=vip-us-br-mx.terra.com[208.84.244.133]:25,
> delay=26077, delays=26075/1/0.59/0.31, dsn=4.7.1, status=deferred (host
> vip-us-br-mx.terra.com[208.84.244.133] said: 450 4.7.1 You've exceeded
> your sending limit to this domain. (in reply to end of DATA command))
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37370]: 7C45D18E5D:
> to=<a925er@yahoo.com.br>, relay=none, delay=6984,
> delays=6984/0.02/0/0.04, dsn=4.7.0, status=deferred (delivery temporarily
> suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to
> me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred due
> to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
> Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73E8118E53:
> from=<t9zir@f116.sd.com>, size=1143, nrcpt=10 (queue active)
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413:
> client=f116.sd.com[206.239.112.241]
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37367]: 74A511A5BF:
> to=<duscherer1@yahoo.com.br>, relay=none, delay=5587,
> delays=5587/0/0/0.18, dsn=4.7.0, status=deferred (delivery temporarily
> suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to
> me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred due
> to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36698]: E7898134D0:
> to=<gvfg@terra.com.br>, relay=vip-us-br-mx.terra.com[208.84.244.133]:25,
> conn_use=4, delay=25728, delays=25726/1.1/0.06/0.4, dsn=4.7.1,
> status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] said: 450
> 4.7.1 You've exceeded your sending limit to this domain. (in reply to end
> of DATA command))
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36226]: 7BE421F989:
> to=<elc.moura@bol.com.br>, relay=mx3.bol.com.br[200.147.36.13]:25,
> delay=339, delays=339/0/0.49/0.24, dsn=4.7.1, status=deferred (host
> mx3.bol.com.br[200.147.36.13] said: 450 4.7.1 <elc.moura@bol.com.br>:
> Recipient address rejected: MX-BOL-04 - Too many messages, try again later.
> (in reply to RCPT TO command))
>
> Where f116.sd.com[206.239.112.241] is the IP and hostname assigned to the
> external interface (re0).
>
> Due to the "permit_mynetworks" policy enabled in the postfix conf, mail was
> being sent out without authentication. However, all externally connected
> clients were rejected, which is the proper and expected behavior:
>
> Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from
> a2-starfury4.uol.com.br[200.147.33.227]
> Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: NOQUEUE:
> reject: RCPT from a2-starfury4.uol.com.br[200.147.33.227]: 550 5.1.1
> <pehw@f116.sd.com>: Recipient address rejected: User unknown in virtual
> mailbox table; from=<> to=<pehw@f116.sd.com> proto=ESMTP helo=<mx.uol.com.br>
> Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: disconnect
> from a2-starfury4.uol.com.br[200.147.33.227]
>
> Then I tried:
>
> $cmd 001 deny all from any to me dst-port 25 in via re0
> $cmd 002 deny all from any to me dst-port 25 out via re0
>
> and cleaned the local mail queue with
> postsuper -d ALL
>
> This didn't change anything - the server continued to send a huge amount of
> emails.
>
> However, restrictions on lo0:
> $cmd 001 deny all from any to me dst-port 25 in via lo0
> $cmd 002 deny all from any to me dst-port 25 out via lo0
>
> did the trick - emailing stopped. So in fact the problem is solved, but the
> real reason wasn't found.
>
> I've launched clamav and f-prot scans - nothing suspicious found.
>
> The main question I have - how is it possible on a stand-alone dedicated
> server - who and how is connecting on behalf of its own ext IP and uses the
> local interface to send emails? Is this possible to do from outside, or
> was the server infected from inside?
>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>
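The useful step in the reply above is to find out which local program is connecting to port 25. On FreeBSD, netstat(1) does not name the process that owns a socket, but sockstat(1) does, so the script below reads `sockstat -4 -c` output. It is an added example for this thread, not code posted by either participant: it reports every process holding a TCP connection whose far end is port 25 on one of the host's own addresses (127.0.0.1 or the external IP, which is the traffic the lo0 rules stopped), and in live mode polls once a second and records the owning PID, its command line and its binary. The sockstat sample embedded in it is constructed for the demo using the addresses from the thread; the "www perl" line is invented to stand in for whatever local program was submitting the mail. The live mode assumes it is run as root on the affected host.

```shell
#!/bin/sh
# Added example for this thread (not code posted by either participant).
# Which local process is talking to our own port 25?  FreeBSD's netstat(1)
# does not name the owning process; sockstat(1) does, so live mode polls
# `sockstat -4 -c` and the parser below reads that column layout:
#   USER  COMMAND  PID  FD  PROTO  LOCAL ADDRESS  FOREIGN ADDRESS

# smtp_clients ME
#   stdin: sockstat -4 -c output
#   ME:    space-separated list of this host's own IPv4 addresses
#   Prints "user command pid foreign-address" for every TCP socket whose far
#   end is port 25 on one of our own addresses, i.e. a local program
#   submitting mail to our own Postfix (the traffic the lo0 rules blocked).
#   Postfix's outbound smtp(8) sessions go to remote MXes and do not match;
#   inbound smtpd(8) sockets have port 25 on the local side, not the far side.
smtp_clients() {
    awk -v me="$1" '
        BEGIN { n = split(me, a); for (i = 1; i <= n; i++) if (a[i] != "") mine[a[i]] = 1 }
        NR == 1 { next }                        # column header
        $5 == "tcp4" {
            split($7, far, ":")                 # FOREIGN ADDRESS is host:port
            if (far[2] == "25" && (far[1] in mine)) print $1, $2, $3, $7
        }'
}

# Constructed sample of sockstat -4 -c output using the thread's addresses.
# The "www perl" line is invented for the demo: a web-owned script holding a
# connection to the host's external address on port 25.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS          FOREIGN ADDRESS
postfix  smtpd      37230 6  tcp4   206.239.112.241:25     206.239.112.241:51612
www      perl       4321  3  tcp4   206.239.112.241:51612  206.239.112.241:25
postfix  smtp       36699 11 tcp4   206.239.112.241:13577  66.94.236.34:25
root     sshd       1122  4  tcp4   206.239.112.241:22     198.51.100.7:40022'

# Runs the parser over the constructed sample; expected to report only the
# "www perl 4321" socket.
demo() {
    printf '%s\n' "$SAMPLE" | smtp_clients '206.239.112.241 127.0.0.1'
}

# Live mode: poll every second and record who connects, with the command line
# and the binary behind the PID, so a short-lived spam script is captured even
# if it has exited by the time you look at the queue.
monitor() {
    me=$(ifconfig | awk '$1 == "inet" { print $2 }' | tr '\n' ' ')   # all local IPv4 addresses, lo0 included
    while :; do
        sockstat -4 -c | smtp_clients "$me" | while read -r user cmd pid far; do
            printf '%s %s %s pid=%s -> %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$user" "$cmd" "$pid" "$far"
            ps -o command= -p "$pid"        # full argument list of the connecting process
            procstat -b "$pid"              # path of the executable behind the PID
        done
        sleep 1
    done
}

case "${1-}" in
    --live) monitor ;;   # on the affected host: sh smtp-watch.sh --live | tee smtp-watch.log
    *) demo ;;
esac
```

Run it without arguments to see the parser pick the one suspicious socket out of the sample; run it with `--live` on the host while the mail flood is in progress (before re-enabling the lo0 rules) to log the actual culprit. The rules on re0 could not have caught this traffic, since a connection from a local process to the host's own external address is delivered over lo0, which is why only the lo0 rules had any effect.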



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPJF9wm-88LkPLx4GkJGnxdNoMHG6G6v15cO=CqUPTm-joKYSg>