Compromised email server


Compromised email server

Henry
I am not 100% sure however I suspect my email server has been compromised.

I am using Kolab.

I previously only logged inbound connections to my fw however I have
just tested logging outbound connections and I see multiple repeated
connections to a few IPs on port 25.

The prime contender is 69.172.201.153 which a google search reveals is
associated with ransomware.
https://ransomwaretracker.abuse.ch/ip/69.172.201.153/

I have checked the /var/log/mail.log file and can see the items being
sent. An example from the log is:

Oct 22 08:41:36 mail imaps[18070]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES256-SHA384 (256/256 bits reused) no authentication
Oct 22 08:41:36 mail imaps[18070]: client id: "name" "Roundcube/Kolab"
"version" "1.2.3"
Oct 22 08:41:36 mail imaps[18070]: login: localhost [127.0.0.1]
[hidden email] PLAIN+TLS User logged in
SESSIONID=<mail-18070-1508622096-1-863093564849054597>
Oct 22 08:41:36 mail imaps[18070]: USAGE
[hidden email] user: 0.012000 sys: 0.004000
Oct 22 08:41:37 mail postfix/smtp[18131]: 3E56FAD620:
to=<[hidden email]>, relay=arebetter.com[68.178.213.61]:25,
delay=3342, delays=3297/0.07/45/0, dsn=4.4.2, status=deferred (lost
connection with arebetter.com[68.178.213.61] while receiving the
initial server greeting)

Open Relay? I have tested and my server is not an open relay. I have
turned off all inbound connections for the time being however the
emails are still being sent.

My questions are:
a) Does this indicate my server is compromised?
b) How can this happen?
c) What is initiating the sending of these emails?
d) How do I stop it sending?

Thanks

Re: Compromised email server

Wietse Venema
Henry:
> Oct 22 08:41:37 mail postfix/smtp[18131]: 3E56FAD620:
> to=<[hidden email]>, relay=arebetter.com[68.178.213.61]:25,
> delay=3342, delays=3297/0.07/45/0, dsn=4.4.2, status=deferred (lost
> connection with arebetter.com[68.178.213.61] while receiving the
> initial server greeting)

Show output from:

$ grep 3E56FAD620 /the/maillog/file

        Wietse

Re: Compromised email server

lists@lazygranch.com
In reply to this post by Henry
FWIW, the IP address looks like a legitimate reverse proxy vendor located in Canada. You might want to contact dosarrest security and inform them regarding the behavior of their less-than-stellar client.



Re: Compromised email server

Henry
In reply to this post by Wietse Venema
On Sun, Oct 22, 2017 at 10:22 AM, Wietse Venema <[hidden email]> wrote:

> Henry:
>> Oct 22 08:41:37 mail postfix/smtp[18131]: 3E56FAD620:
>> to=<[hidden email]>, relay=arebetter.com[68.178.213.61]:25,
>> delay=3342, delays=3297/0.07/45/0, dsn=4.4.2, status=deferred (lost
>> connection with arebetter.com[68.178.213.61] while receiving the
>> initial server greeting)
>
> Show output from:
>
> $ grep 3E56FAD620 /the/maillog/file
>
>         Wietse


A complete example:

root@mail:/var/log# grep 69.172.201.153 mail.log
Oct 22 12:11:17 mail imaps[20929]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES256-SHA384 (256/256 bits reused) no authentication
Oct 22 12:11:17 mail imaps[20929]: client id: "name" "Roundcube/Kolab"
"version" "1.2.3"
Oct 22 12:11:17 mail imaps[20929]: login: localhost [127.0.0.1]
[hidden email] plaintext+TLS User logged in
SESSIONID=<mail-20929-1508634677-1-10700452927489881596>
Oct 22 12:11:17 mail imaps[20929]: USAGE
[hidden email] user: 0.016000 sys: 0.000000
Oct 22 12:11:19 mail imaps[21024]: inittls: Loading hard-coded DH parameters
Oct 22 12:11:19 mail imaps[21024]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES256-SHA384 (256/256 bits reused) no authentication
Oct 22 12:11:19 mail imaps[21024]: client id: "name" "Roundcube/Kolab"
"version" "1.2.3"
Oct 22 12:11:19 mail imaps[21024]: login: localhost [127.0.0.1]
[hidden email] plaintext+TLS User logged in
SESSIONID=<mail-21024-1508634679-1-10353724356212792360>
Oct 22 12:11:19 mail imaps[21024]: USAGE
[hidden email] user: 0.028000 sys: 0.004000
Oct 22 12:11:21 mail postfix/smtp[21038]: connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out
Oct 22 12:11:21 mail postfix/smtp[21038]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=199749,
delays=199719/0.05/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)

root@mail:/var/log# grep 1613DAE169 mail.log
Oct 20 04:42:12 mail postfix/cleanup[23726]: 1613DAE169:
message-id=<[hidden email]>
Oct 20 04:42:12 mail postfix/bounce[23745]: EEA9AA65A2: sender
non-delivery notification: 1613DAE169
Oct 20 04:42:12 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 04:42:45 mail postfix/smtp[23915]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=33,
delays=0.02/0.17/33/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 04:52:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 04:52:34 mail postfix/smtp[24122]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=623,
delays=592/0.19/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 05:07:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 05:07:34 mail postfix/smtp[24412]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=1523,
delays=1493/0.22/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 05:37:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 05:37:34 mail postfix/smtp[25154]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=3322,
delays=3292/0.09/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 06:37:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 06:37:34 mail postfix/smtp[27393]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=6923,
delays=6893/0.27/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 07:47:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 07:47:34 mail postfix/smtp[30047]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=11123,
delays=11093/0.16/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 08:57:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 08:57:34 mail postfix/smtp[32484]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=15323,
delays=15292/0.26/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 10:07:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 10:07:34 mail postfix/smtp[2368]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=19523,
delays=19493/0.29/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 11:17:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 11:17:34 mail postfix/smtp[4660]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=23722,
delays=23692/0.39/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 12:27:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 12:27:34 mail postfix/smtp[6447]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=27922,
delays=27892/0.31/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 13:37:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 13:37:34 mail postfix/smtp[8228]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=32123,
delays=32092/0.41/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 14:47:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 14:47:34 mail postfix/smtp[10187]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=36322,
delays=36292/0.38/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 15:57:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 15:57:34 mail postfix/smtp[12050]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=40523,
delays=40492/0.31/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 17:07:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 17:07:35 mail postfix/smtp[14026]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=44723,
delays=44692/0.45/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 18:17:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 18:17:35 mail postfix/smtp[15837]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=48923,
delays=48893/0.27/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 19:27:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 19:27:34 mail postfix/smtp[17435]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=53122,
delays=53092/0.45/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 20:37:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 20:37:35 mail postfix/smtp[19040]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=57323,
delays=57293/0.4/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 21:47:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 21:47:34 mail postfix/smtp[21125]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=61522,
delays=61492/0.21/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 20 22:57:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 20 22:57:34 mail postfix/smtp[23022]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=65723,
delays=65692/0.31/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 00:07:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 00:07:34 mail postfix/smtp[24927]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=69923,
delays=69892/0.35/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 01:17:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 01:17:34 mail postfix/smtp[26937]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=74123,
delays=74092/0.34/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 02:27:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 02:27:34 mail postfix/smtp[28860]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=78323,
delays=78292/0.32/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 03:37:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 03:37:34 mail postfix/smtp[30789]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=82523,
delays=82492/0.25/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 04:47:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 04:47:34 mail postfix/smtp[343]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=86723,
delays=86692/0.32/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 05:57:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 05:57:35 mail postfix/smtp[2369]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=90923,
delays=90893/0.45/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 07:07:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 07:07:35 mail postfix/smtp[4675]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=95123,
delays=95093/0.23/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 08:17:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 08:17:34 mail postfix/smtp[6888]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=99323,
delays=99293/0.11/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 09:27:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 09:27:34 mail postfix/smtp[8759]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=103523,
delays=103492/0.22/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 10:37:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 10:37:34 mail postfix/smtp[10445]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=107722,
delays=107692/0.28/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 11:47:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 11:47:34 mail postfix/smtp[12046]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=111923,
delays=111892/0.16/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 12:57:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 12:57:34 mail postfix/smtp[13634]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=116123,
delays=116092/0.33/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 14:07:04 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 14:07:34 mail postfix/smtp[15152]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=120323,
delays=120292/0.42/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 15:57:41 mail postfix/qmgr[1265]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 15:58:01 mail postfix/error[1335]: 1613DAE169: to=<NEXTRCPT NOT
UPDATED>, orig_to=<[hidden email]>, relay=none,
delay=126949, delays=126929/20/0/0, dsn=4.3.0, status=deferred
(address resolver failure)
Oct 21 17:29:32 mail postfix/qmgr[1245]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 17:29:52 mail postfix/error[1579]: 1613DAE169: to=<NEXTRCPT NOT
UPDATED>, orig_to=<[hidden email]>, relay=none,
delay=132461, delays=132441/20/0/0, dsn=4.3.0, status=deferred
(address resolver failure)
Oct 21 18:41:33 mail postfix/qmgr[1279]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 18:41:53 mail postfix/error[1519]: 1613DAE169: to=<NEXTRCPT NOT
UPDATED>, orig_to=<[hidden email]>, relay=none,
delay=136782, delays=136762/20/0/0.02, dsn=4.3.0, status=deferred
(address resolver failure)
Oct 21 19:50:50 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 19:51:23 mail postfix/smtp[2913]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=140951,
delays=140918/0.07/33/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 21:00:49 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 21:01:19 mail postfix/smtp[5028]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=145147,
delays=145117/0.03/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 22:10:49 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 22:11:19 mail postfix/smtp[7067]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=149347,
delays=149317/0.05/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 21 23:20:49 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 21 23:21:20 mail postfix/smtp[9154]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=153548,
delays=153517/1/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 22 00:30:49 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 22 00:31:19 mail postfix/smtp[10398]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=157748,
delays=157718/0.04/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 22 01:40:49 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 22 01:41:19 mail postfix/smtp[11493]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=161947,
delays=161917/0.05/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 22 02:50:49 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 22 02:51:19 mail postfix/smtp[12493]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=166148,
delays=166118/0.07/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 22 04:00:50 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 22 04:01:20 mail postfix/smtp[13541]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=170348,
delays=170318/0.05/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 22 05:10:51 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 22 05:11:21 mail postfix/smtp[14546]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=174549,
delays=174519/0.1/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 22 06:20:50 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 22 06:21:20 mail postfix/smtp[15489]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=178748,
delays=178718/0.07/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 22 07:30:51 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 22 07:31:21 mail postfix/smtp[16727]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=182949,
delays=182919/0.06/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 22 08:40:51 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 22 08:41:21 mail postfix/smtp[18127]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=187150,
delays=187120/0.04/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 22 09:50:51 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 22 09:51:21 mail postfix/smtp[19448]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=191350,
delays=191320/0.05/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 22 11:00:51 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 22 11:01:21 mail postfix/smtp[20197]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=195549,
delays=195519/0.04/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
Oct 22 12:10:51 mail postfix/qmgr[1280]: 1613DAE169: from=<>,
size=12123, nrcpt=1 (queue active)
Oct 22 12:11:21 mail postfix/smtp[21038]: 1613DAE169:
to=<[hidden email]>, relay=none, delay=199749,
delays=199719/0.05/30/0, dsn=4.4.1, status=deferred (connect to
brev.krcnet.com[69.172.201.153]:25: Connection timed out)
root@mail:/var/log#

Re: Compromised email server

Henry
In reply to this post by Henry
On Sun, Oct 22, 2017 at 9:03 AM, Henry <[hidden email]> wrote:

> I am not 100% sure however I suspect my email server has been compromised.
>
> I am using Kolab.
>
> I previously only logged inbound connections to my fw however I have
> just tested logging outbound connections and I see multiple repeated
> connections to a few IPs on port 25.
>
> The prime contender is 69.172.201.153 which a google search reveals is
> associated with ransomware.
> https://ransomwaretracker.abuse.ch/ip/69.172.201.153/
>
> I have checked the /var/log/mail.log file and can see the items being
> sent. An example from the log is:
>
> Oct 22 08:41:36 mail imaps[18070]: starttls: TLSv1.2 with cipher
> ECDHE-RSA-AES256-SHA384 (256/256 bits reused) no authentication
> Oct 22 08:41:36 mail imaps[18070]: client id: "name" "Roundcube/Kolab"
> "version" "1.2.3"
> Oct 22 08:41:36 mail imaps[18070]: login: localhost [127.0.0.1]
> [hidden email] PLAIN+TLS User logged in
> SESSIONID=<mail-18070-1508622096-1-863093564849054597>
> Oct 22 08:41:36 mail imaps[18070]: USAGE
> [hidden email] user: 0.012000 sys: 0.004000
> Oct 22 08:41:37 mail postfix/smtp[18131]: 3E56FAD620:
> to=<[hidden email]>, relay=arebetter.com[68.178.213.61]:25,
> delay=3342, delays=3297/0.07/45/0, dsn=4.4.2, status=deferred (lost
> connection with arebetter.com[68.178.213.61] while receiving the
> initial server greeting)
>
> Open Relay? I have tested and my server is not an open relay. I have
> turned off all inbound connections for the time being however the
> emails are still being sent.
>
> My questions are:
> a) Does this indicate my server is compromised?
> b) How can this happen?
> c) What is initiating the sending of these emails?
> d) How do I stop it sending?
>
> Thanks

Is it possible to determine if this spam is being sent from a client
or from the mail server itself?

Re: Compromised email server

Viktor Dukhovni
In reply to this post by Henry


> On Oct 21, 2017, at 9:23 PM, Henry <[hidden email]> wrote:
>
> # grep 1613DAE169 mail.log
> Oct 20 04:42:12 mail postfix/cleanup[23726]: 1613DAE169:
> message-id=<[hidden email]>
> Oct 20 04:42:12 mail postfix/bounce[23745]: EEA9AA65A2: sender
> non-delivery notification: 1613DAE169

This is a bounce (non-delivery report) for an earlier message
with a queue-id of EEA9AA65A2.  To determine why you're sending
a bounce, search the logs for "EEA9AA65A2".

> Oct 20 04:42:12 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
> size=12123, nrcpt=1 (queue active)
> Oct 20 04:42:45 mail postfix/smtp[23915]: 1613DAE169:
> to=<[hidden email]>, relay=none, delay=33,
> delays=0.02/0.17/33/0, dsn=4.4.1, status=deferred (connect to
> brev.krcnet.com[69.172.201.153]:25: Connection timed out)

The purported sending system is down at present.

--
        Viktor.
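
Henry's question above, whether the outbound mail is coming from a client or from the server itself, is answered by exactly the queue-id chasing Wietse and Viktor describe: a bounce is logged by the bounce daemon as `PARENT: sender non-delivery notification: CHILD`, the child has `from=<>`, and the parent's own lines say where it came in from. The following script is an added example, not code from the thread; it automates that chase over a constructed mail.log modelled on the posted excerpts. The smtpd `client=` arrival line, the 192.0.2.77 address and the mailbox names are assumptions, since the thread hides the addresses and never shows the arrival line.

```python
"""Trace a Postfix queue-id back through bounce records to the message that
caused an outbound delivery attempt, and say whether it is backscatter."""
import re
from typing import Dict, List, Optional

# Constructed sample log, modelled on the thread's excerpts. The smtpd client
# line, 192.0.2.77 and the addresses are placeholders, not from the thread.
SAMPLE_LOG = """\
Oct 15 03:57:53 mail postfix/smtpd[28102]: EEA9AA65A2: client=unknown[192.0.2.77]
Oct 15 03:57:53 mail postfix/cleanup[28105]: EEA9AA65A2: message-id=<placeholder-1@example.invalid>
Oct 15 06:32:00 mail postfix/qmgr[1275]: EEA9AA65A2: from=<sender@example.net>, size=9979, nrcpt=3 (queue active)
Oct 15 06:32:03 mail postfix/lmtp[28970]: EEA9AA65A2: to=<user@mydomain.com>, relay=mail.mydomain.com[/var/lib/imap/socket/lmtp], delay=9250, delays=9248/2/0.05/0.02, dsn=4.2.2, status=deferred (host mail.mydomain.com[/var/lib/imap/socket/lmtp] said: 452 4.2.2 Over quota (in reply to RCPT TO command))
Oct 20 04:42:12 mail postfix/cleanup[23726]: 1613DAE169: message-id=<placeholder-2@mydomain.com>
Oct 20 04:42:12 mail postfix/bounce[23745]: EEA9AA65A2: sender non-delivery notification: 1613DAE169
Oct 20 04:42:12 mail postfix/qmgr[1275]: 1613DAE169: from=<>, size=12123, nrcpt=1 (queue active)
Oct 20 04:42:45 mail postfix/smtp[23915]: 1613DAE169: to=<sender@example.net>, relay=none, delay=33, delays=0.02/0.17/33/0, dsn=4.4.1, status=deferred (connect to brev.krcnet.com[69.172.201.153]:25: Connection timed out)
"""

# syslog prefix, then "postfix/<daemon>[pid]: <QUEUEID>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
BOUNCE_RE = re.compile(r"sender non-delivery notification: (?P<child>[0-9A-F]+)")
CLIENT_RE = re.compile(r"client=(?P<client>\S+)")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
STATUS_RE = re.compile(r"status=(?P<status>\w+) \((?P<reason>.*)\)$")


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def index_log(log_text: str) -> Dict[str, List[dict]]:
    """Group every Postfix log record by queue-id (non-Postfix lines are skipped)."""
    by_qid: Dict[str, List[dict]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_qid.setdefault(rec["qid"], []).append(rec)
    return by_qid


def bounce_parent(by_qid: Dict[str, List[dict]], qid: str) -> Optional[str]:
    """Return the queue-id whose non-delivery notification is QID, if any."""
    for parent, recs in by_qid.items():
        for rec in recs:
            if rec["prog"] == "bounce":
                m = BOUNCE_RE.search(rec["rest"])
                if m and m.group("child") == qid:
                    return parent
    return None


def verdict(chain: List[str], null_sender: bool, origin: Optional[str]) -> str:
    if len(chain) > 1 and null_sender:
        return ("bounce of inbound mail (backscatter)" if origin
                else "bounce of locally generated mail")
    if origin:
        return "inbound via smtpd"
    return "unknown (no smtpd client line in this excerpt)"


def trace(by_qid: Dict[str, List[dict]], qid: str) -> dict:
    """Follow bounce links from QID back to the root message and classify it."""
    chain = [qid]
    while True:
        parent = bounce_parent(by_qid, chain[-1])
        if parent is None or parent in chain:  # root reached, or a loop
            break
        chain.append(parent)
    root_recs = by_qid.get(chain[-1], [])
    origin = None          # where the root message came in from
    root_failure = None    # why the root message could not be delivered
    for rec in root_recs:
        if rec["prog"] == "smtpd":
            m = CLIENT_RE.search(rec["rest"])
            origin = m.group("client") if m else origin
        m = STATUS_RE.search(rec["rest"])
        if m and m.group("status") in ("deferred", "bounced"):
            root_failure = m.group("reason")
    null_sender = False    # from=<> marks a bounce / notification
    for rec in by_qid.get(qid, []):
        m = FROM_RE.search(rec["rest"])
        if m and m.group("sender") == "":
            null_sender = True
    return {"chain": chain, "origin": origin, "null_sender": null_sender,
            "root_failure": root_failure,
            "verdict": verdict(chain, null_sender, origin)}


if __name__ == "__main__":
    result = trace(index_log(SAMPLE_LOG), "1613DAE169")
    for key, value in result.items():
        print("%-13s %s" % (key + ":", value))
```

On the constructed log the trace walks 1613DAE169 back to EEA9AA65A2, finds that the root arrived through smtpd from an external client and was deferred with a 452 over-quota reply, and labels the outbound message as backscatter. Run against a real mail.log the `origin` field is what separates a client submission (a `client=` line, usually with `sasl_method=` on it) from mail the server generated itself.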


Re: Compromised email server

Henry
On Sun, Oct 22, 2017 at 1:27 PM, Viktor Dukhovni
<[hidden email]> wrote:

>
>
>> On Oct 21, 2017, at 9:23 PM, Henry <[hidden email]> wrote:
>>
>> # grep 1613DAE169 mail.log
>> Oct 20 04:42:12 mail postfix/cleanup[23726]: 1613DAE169:
>> message-id=<[hidden email]>
>> Oct 20 04:42:12 mail postfix/bounce[23745]: EEA9AA65A2: sender
>> non-delivery notification: 1613DAE169
>
> This is a bounce (non-delivery report) for an earlier message
> with a queue-id of EEA9AA65A2.  To determine why you're sending
> a bounce, search the logs for "EEA9AA65A2".
>
>> Oct 20 04:42:12 mail postfix/qmgr[1275]: 1613DAE169: from=<>,
>> size=12123, nrcpt=1 (queue active)
>> Oct 20 04:42:45 mail postfix/smtp[23915]: 1613DAE169:
>> to=<[hidden email]>, relay=none, delay=33,
>> delays=0.02/0.17/33/0, dsn=4.4.1, status=deferred (connect to
>> brev.krcnet.com[69.172.201.153]:25: Connection timed out)
>
> The purported sending system is down at present.
>
> --
>         Viktor.
>

Thanks Viktor,

root@mail:/var/log# grep EEA9AA65A2 mail.log
Oct 15 06:32:00 mail postfix/qmgr[1275]: EEA9AA65A2:
from=<[hidden email]>, size=9979, nrcpt=3 (queue active)
Oct 15 06:32:03 mail postfix/lmtp[28970]: EEA9AA65A2:
to=<[hidden email]>,
relay=mail.mydomain.com[/var/lib/imap/socket/lmtp], delay=9250,
delays=9248/2/0.05/0.02, dsn=4.2.2, status=deferred (host
mail.mydomain.com[/var/lib/imap/socket/lmtp] said: 452 4.2.2 Over
quota SESSIONID=<mail-28976-1508009523-1-8051276567117181905> (in
reply to RCPT TO command))

The above repeats 50+ times...

My mail server is making hundreds of outbound connections to
"69.172.201.153" on port 25 even though there are no users on the
system.

Re: Compromised email server

Peter Ajamian
On 22/10/17 17:11, Henry wrote:

> root@mail:/var/log# grep EEA9AA65A2 mail.log
> Oct 15 06:32:00 mail postfix/qmgr[1275]: EEA9AA65A2:
> from=<[hidden email]>, size=9979, nrcpt=3 (queue active)
> Oct 15 06:32:03 mail postfix/lmtp[28970]: EEA9AA65A2:
> to=<[hidden email]>,
> relay=mail.mydomain.com[/var/lib/imap/socket/lmtp], delay=9250,
> delays=9248/2/0.05/0.02, dsn=4.2.2, status=deferred (host
> mail.mydomain.com[/var/lib/imap/socket/lmtp] said: 452 4.2.2 Over
> quota SESSIONID=<mail-28976-1508009523-1-8051276567117181905> (in
> reply to RCPT TO command))

You have a quota system that does not properly reject messages for
over-quota users.  If you're using dovecot for quotas then you should
use their supplied policy daemon which will allow postfix to reject mail
when it hits an over-quota account rather than accept it and then have
to send out a bounce message to that effect.  See
https://wiki2.dovecot.org/Quota for instructions of how to properly
implement it in Postfix.

> My mail server is making hundreds of outbound connections to
> "69.172.201.153" on port 25 even though there are no users on the
> system.

These are bounce messages, so they originate from postfix, not from
individual users on your system.  In order to get rid of them you need
to find out the cause of the bounce and then configure postfix to reject
the message that is causing the bounce instead of accepting it and later
bouncing.  In the specific case of the message you have shown us the
cause is an over-quota mailbox as shown above, and the solution I have
given is dovecot-specific.  If you use another quota system then you'll
need to come up with a similar solution to reject instead of accept then
bounce.

Please note that when you accept mail then bounce your server becomes a
source of backscatter which is almost as bad as being an open relay as
spammers will take advantage of it.


Peter

Re: Compromised email server

Viktor Dukhovni
In reply to this post by Henry


> On Oct 22, 2017, at 12:11 AM, Henry <[hidden email]> wrote:
>
> root@mail:/var/log# grep EEA9AA65A2 mail.log
> Oct 15 06:32:00 mail postfix/qmgr[1275]: EEA9AA65A2:
> from=<[hidden email]>, size=9979, nrcpt=3 (queue active)

You're not looking far enough back in the logs.  This is a retry,
the message did not just materialize on your system, it came in
from somewhere ~9248 seconds prior to 6:32:03AM on Oct 15th.

> Oct 15 06:32:03 mail postfix/lmtp[28970]: EEA9AA65A2:
> to=<[hidden email]>,
> relay=mail.mydomain.com[/var/lib/imap/socket/lmtp], delay=9250,
> delays=9248/2/0.05/0.02, dsn=4.2.2, status=deferred (host
> mail.mydomain.com[/var/lib/imap/socket/lmtp] said: 452 4.2.2 Over
> quota SESSIONID=<mail-28976-1508009523-1-8051276567117181905> (in
> reply to RCPT TO command))
>
> Above repeats 50+  times...

That's because the LMTP server responds with a tempfail 452 code, rather
than a hardfail 552 code.  Configure it to definitively reject over-quota
mail.

And as mentioned by another poster, do try to avoid accepting mail
you're going to bounce.  If you have a quota system, propagate
over-quota status into Postfix access tables in a timely manner,
and of course clear it when the user is again sufficiently under
quota.

--
        Viktor.
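
Peter's and Viktor's advice comes down to one rule: refuse an over-quota recipient at RCPT TO time with a permanent 5xx, instead of accepting the message and bouncing it later. The following is an added example, not code from the thread, from Postfix or from any quota system: a minimal Postfix SMTPD policy service (the `check_policy_service` protocol, one `name=value` attribute per line, terminated by an empty line, answered with `action=...`) that returns `552 5.2.2 Mailbox full` for recipients listed in an over-quota file. The file path `/var/lib/quota-policy/over_quota.txt` is a placeholder; whatever tracks quota on the Kolab side is assumed to rewrite it promptly and to remove users once they are under quota again, as Viktor says.

```python
"""Postfix SMTPD policy service: reject over-quota recipients at RCPT TO time
so the message is never accepted and never bounced (no backscatter)."""
import sys
from typing import Dict, Iterable, Set, TextIO

# Placeholder path (assumption): one address per line, '#' starts a comment.
# Whatever monitors mailbox quota must refresh this file in a timely manner.
OVER_QUOTA_FILE = "/var/lib/quota-policy/over_quota.txt"
# Permanent failure, RFC 3463 enhanced code 5.2.2 (mailbox full); the
# sending MTA gives up instead of retrying as it would on a 452.
REJECT_ACTION = "552 5.2.2 Mailbox full"


def load_over_quota(lines: Iterable[str]) -> Set[str]:
    """Normalise the over-quota list to lower-case addresses."""
    return {line.strip().lower() for line in lines
            if line.strip() and not line.lstrip().startswith("#")}


def parse_policy_request(infile: TextIO) -> Dict[str, str]:
    """Read one policy request (name=value lines up to an empty line).
    Returns {} at end of input."""
    attrs: Dict[str, str] = {}
    while True:
        line = infile.readline()
        if line == "":                 # EOF: Postfix closed the stream
            return attrs
        line = line.rstrip("\n")
        if line == "":                 # empty line ends the request
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value


def decide(attrs: Dict[str, str], over_quota: Set[str]) -> str:
    """Policy decision for one request: DUNNO defers to the next restriction."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"                 # only decide once the recipient is known
    recipient = attrs.get("recipient", "").strip().lower()
    if recipient and recipient in over_quota:
        return REJECT_ACTION
    return "DUNNO"


def handle_stream(infile: TextIO, outfile: TextIO, over_quota: Set[str]) -> int:
    """Answer requests until EOF; returns the number of requests handled."""
    handled = 0
    while True:
        attrs = parse_policy_request(infile)
        if not attrs:
            return handled
        outfile.write("action=%s\n\n" % decide(attrs, over_quota))
        outfile.flush()
        handled += 1


if __name__ == "__main__":
    # Run by Postfix as a spawn(8) service, reading requests on stdin.
    with open(OVER_QUOTA_FILE) as fh:
        handle_stream(sys.stdin, sys.stdout, load_over_quota(fh))
```

To wire it in (placeholder paths, as above), master.cf gets a spawn service such as `quota-policy unix - n n - 0 spawn user=nobody argv=/usr/local/bin/quota_policy.py`, and main.cf lists `check_policy_service unix:private/quota-policy` in `smtpd_recipient_restrictions` after `reject_unauth_destination`. This is the policy-service route Peter mentions for Dovecot, done generically; Viktor's alternative of feeding the same list into a `check_recipient_access` table reaches the same outcome. Either way the LMTP server's 452 no longer matters for mail you never accepted, but mail already in the queue still follows the old path until the quota state is propagated.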


Re: Compromised email server

Peter Ajamian
In reply to this post by Peter Ajamian
On 22/10/17 18:25, Henry wrote:
> Does this mean, in the scenario above, that I am receiving a spam
> message

It may or may not be SPAM, I don't have enough evidence to confirm one
way or the other.

> i.e. "[hidden email]" and the mail server is
> bouncing it because it is over quota,

Yes.

> so effectively I am sending a
> reply to the spammer confirming my email address is valid?

No, you are sending a reply to the original envelope sender.  This might
be the actual sender, but if it's SPAM then more than likely it is
spoofed to some innocent person's email address.  So the bounce from
your server is going to someone else entirely.  This is backscatter and
is a very bad thing to be doing as you're basically forwarding the SPAM
or at least sending a message about the SPAM to some innocent 3rd party.

> Ok, found a mailbox at 100% in its spam folder. Emptied the spam
> folder and now monitoring the outbound. I expect to see a reduction in
> bounced mail now. I was not hacked YEAH :)

That is a good start.

> Next is to fix my quota system and how it bounces messages incorrectly.

You need to fix it so it rejects instead of bounces.  That is how you
avoid becoming a source of backscatter.


Peter