Mail Server Compromised?


Mail Server Compromised?

asai
Greetings,

In the logs I have been seeing many attempts made to send messages to
gmail which seem like there's spam being sent from my server.  In the
logs I see this:

Dec 24 00:05:11 triata amavis[29729]: (29729-06) Passed CLEAN,
<[hidden email]> -> <[hidden email]>,
Message-ID:
<[hidden email]>, mail_id:
s69xqJA1Kuer, Hits: -2.6, size: 669, queued_as: 9F457FD80A9, 898 ms
Dec 24 00:05:11 triata postfix/smtp[1065]: BF7ACFD8063:
to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1,
delays=0.09/0.01/0/0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
9F457FD80A9)

What is a problem is that there is no user named apache@triata... and
this user is sending hundreds of emails out to Gmail.  So it looks like
there's been a compromise.  My question is, how do I begin to plug this
hole?



Re: Mail Server Compromised?

Ralf Hildebrandt
* ASAI <[hidden email]>:

> Greetings,
>
> In the logs I have been seeing many attempts made to send messages to
> gmail which seem like there's spam being sent from my server.  In the
> logs I see this:
>
> Dec 24 00:05:11 triata amavis[29729]: (29729-06) Passed CLEAN,
> <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <[hidden email]>,
> mail_id: s69xqJA1Kuer, Hits: -2.6, size: 669, queued_as: 9F457FD80A9,
> 898 ms
> Dec 24 00:05:11 triata postfix/smtp[1065]: BF7ACFD8063:
> to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024,
> delay=1, delays=0.09/0.01/0/0.9, dsn=2.0.0, status=sent (250 2.0.0
> Ok: queued as 9F457FD80A9)
>
> What is a problem is that there is no user named apache@triata... and
> this user is sending hundreds of emails out to Gmail.  So it looks
> like there's been a compromise.  My question is, how do I begin to
> plug this hole?

stop apache
look further

--
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de

Re: Mail Server Compromised?

Noel Jones-2
In reply to this post by asai
Your web server has a compromised script.  Turn off Apache until you fix the problem.



  -- Noel Jones

"ASAI" <[hidden email]> wrote:

>Greetings,
>
>In the logs I have been seeing many attempts made to send messages to
>gmail which seem like there's spam being sent from my server.  In the
>logs I see this:
>
>Dec 24 00:05:11 triata amavis[29729]: (29729-06) Passed CLEAN,
><[hidden email]> ->
><[hidden email]>,
>Message-ID:
><[hidden email]>,
>mail_id:
>s69xqJA1Kuer, Hits: -2.6, size: 669, queued_as: 9F457FD80A9, 898 ms
>Dec 24 00:05:11 triata postfix/smtp[1065]: BF7ACFD8063:
>to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024,
>delay=1,
>delays=0.09/0.01/0/0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
>
>9F457FD80A9)
>
>What is a problem is that there is no user named apache@triata... and
>this user is sending hundreds of emails out to Gmail.  So it looks like
>
>there's been a compromise.  My question is, how do I begin to plug this
>
>hole?


Re: Mail Server Compromised?

Martin Kellermann
In reply to this post by asai
On 25.12.2010 19:55, ASAI wrote:

> Greetings,
>
> In the logs I have been seeing many attempts made to send messages to
> gmail which seem like there's spam being sent from my server.  In the
> logs I see this:
>
> Dec 24 00:05:11 triata amavis[29729]: (29729-06) Passed CLEAN,
> <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <[hidden email]>,
> mail_id: s69xqJA1Kuer, Hits: -2.6, size: 669, queued_as: 9F457FD80A9,
> 898 ms
> Dec 24 00:05:11 triata postfix/smtp[1065]: BF7ACFD8063:
> to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024,
> delay=1, delays=0.09/0.01/0/0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok:
> queued as 9F457FD80A9)
>
> What is a problem is that there is no user named apache@triata... and
> this user is sending hundreds of emails out to Gmail.  So it looks
> like there's been a compromise.  My question is, how do I begin to
> plug this hole?
>
as already told, find the malicious script/form in apache.
maybe start with comparing the apache log timestamps with postfix logs.
you should see a POST at the time when postfix gets the mail from localhost.

Re: Mail Server Compromised?

/dev/rob0
On Sun, Dec 26, 2010 at 07:28:11PM +0100, Martin Kellermann wrote:

> Am 25.12.2010 19:55, schrieb ASAI:
>> In the logs I have been seeing many attempts made to send messages
>> to gmail which seem like there's spam being sent from my server.  
>> In the logs I see this:
>>
>> Dec 24 00:05:11 triata amavis[29729]: (29729-06) Passed CLEAN,
>> <[hidden email]> ->
>> <[hidden email]>, Message-ID:
>> <[hidden email]>,
>> mail_id: s69xqJA1Kuer, Hits: -2.6, size: 669, queued_as:
>> 9F457FD80A9, 898 ms
>> Dec 24 00:05:11 triata postfix/smtp[1065]: BF7ACFD8063:  
>> to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024,  
>> delay=1, delays=0.09/0.01/0/0.9, dsn=2.0.0, status=sent (250 2.0.0
>> Ok: queued as 9F457FD80A9)
>>
>> What is a problem is that there is no user named apache@triata...
>> and this user is sending hundreds of emails out to Gmail.  So it
>> looks like there's been a compromise.  My question is, how do I
>> begin to plug this hole?
>>
> as already told, find the malicious script/form in apache.

Another step not yet mentioned was "postfix stop". Don't continue
sending these.

> maybe start with comparing the apache log timestamps with postfix
> logs. you should see a POST at the time when postfix gets the mail
> from localost.

Or, more likely, pickup(8). And it's also worth mentioning that the
most significant log entries were omitted from this post. Of highest
interest are the logging which shows the mail originally coming into
Postfix. We'd want to see all logging pertaining to BF7ACFD8063, as
well as the initial connection, if it arrived via smtpd(8).
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
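Martin's timestamp-correlation idea and rob0's request for the pickup(8)/smtpd(8) lines, combined into one small script. This is an added example, not code from anyone in the thread: it traces one queue ID through constructed Postfix and Apache log lines (the hostnames, IPs, the uid 48 and the paths are made up; only the queue ID BF7ACFD8063 comes from the post), reports whether the message entered via pickup(8) or smtpd(8), and lists the POST requests logged within a few seconds of a local submission.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (made-up hosts, IPs, uid, paths); only queue ID BF7ACFD8063 is from the thread.
POSTFIX_LOG = """\
Dec 24 00:05:10 triata postfix/pickup[900]: BF7ACFD8063: uid=48 from=<apache@triata.example>
Dec 24 00:05:10 triata postfix/qmgr[902]: BF7ACFD8063: from=<apache@triata.example>, size=669, nrcpt=1 (queue active)
Dec 24 00:05:11 triata postfix/smtp[1065]: BF7ACFD8063: to=<user@gmail.example>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok: queued as 9F457FD80A9)
Dec 24 00:05:12 triata postfix/smtpd[1100]: 1A2B3C4D5E6: client=mail.example.org[198.51.100.9]
""".splitlines()
APACHE_LOG = """\
198.51.100.9 - - [24/Dec/2010:00:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [24/Dec/2010:00:05:09 +0000] "POST /contact/send.php HTTP/1.1" 200 312
203.0.113.7 - - [24/Dec/2010:00:05:10 +0000] "POST /contact/send.php HTTP/1.1" 200 312
""".splitlines()
SYSLOG_YEAR = 2010  # syslog timestamps carry no year; assume the thread's year
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]+\] "(\w+) (\S+) ')

def syslog_time(line):
    return datetime.strptime(f"{SYSLOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")

def queue_trace(lines, queue_id):
    """Every Postfix line for one queue ID (all logging pertaining to it)."""
    return [l for l in lines if f": {queue_id}: " in l]

def entry_point(trace):
    """(service, who, time): pickup(8) with the submitting uid, or smtpd(8) with the client."""
    for l in trace:
        m = re.search(r"postfix/(pickup|smtpd)\[\d+\]: \w+: (?:uid|client)=(\S+)", l)
        if m:
            return m.group(1), m.group(2), syslog_time(l)
    return None  # no entry line in the trace (e.g. it was rotated away)

def posts_near(apache_lines, when, window=timedelta(seconds=5)):
    """(client ip, path) of POST requests logged within `window` of `when`; both logs are assumed to be in the same local time."""
    hits = []
    for m in filter(None, map(APACHE_RE.match, apache_lines)):
        t = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        if m.group(3) == "POST" and abs(t - when) <= window:
            hits.append((m.group(1), m.group(4)))
    return hits

def investigate(postfix_lines, apache_lines, queue_id):
    origin = entry_point(queue_trace(postfix_lines, queue_id))
    if origin is None:
        return None
    service, who, when = origin
    # Only a local (pickup) submission can have come from a web script on this host
    return {"origin": service, "who": who,
            "posts": posts_near(apache_lines, when) if service == "pickup" else []}
```

On a real host, feed it `grep` output from the mail log and the Apache access log for the same day; a pickup entry with the web server's uid followed by a burst of POSTs to one script is the pattern Martin describes.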

Re: Mail Server Compromised?

Benny Pedersen
In reply to this post by asai
On Sat 25 Dec 2010 19:55:10 CET, ASAI wrote

> What is a problem is that there is no user named apache@triata...  
> and this user is sending hundreds of emails out to Gmail.  So it  
> looks like there's been a compromise.  My question is, how do I  
> begin to plug this hole?

remove apache unix user from alias, and make sure any webapp uses fqdn sender

reject non fqdn sender before accept anything rule before permit mynetworks

--
xpoint


Re: Web script compromised? (Was: Mail Server Compromised?)

mouss-4
In reply to this post by asai
On 25/12/2010 19:55, ASAI wrote:

> Greetings,
>
> In the logs I have been seeing many attempts made to send messages to
> gmail which seem like there's spam being sent from my server.  In the
> logs I see this:
>
> Dec 24 00:05:11 triata amavis[29729]: (29729-06) Passed CLEAN,
> <[hidden email]> -> <[hidden email]>,
> Message-ID:
> <[hidden email]>, mail_id:
> s69xqJA1Kuer, Hits: -2.6, size: 669, queued_as: 9F457FD80A9, 898 ms
> Dec 24 00:05:11 triata postfix/smtp[1065]: BF7ACFD8063:
> to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1,
> delays=0.09/0.01/0/0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
> 9F457FD80A9)
>

next time, show logs of postfix/smtpd (with a trailing 'd') and/or
postfix/pickup. This will tell if the message was received via smtp or
with the sendmail command.

> What is a problem is that there is no user named apache@triata... and
> this user is sending hundreds of emails out to Gmail.  So it looks like
> there's been a compromise.  My question is, how do I begin to plug this
> hole?
>
>


1) create /etc/postfix/hold_sender.pcre and edit it to add:

[hidden email] HOLD


2) edit main.cf and add
postfilter_sender_restrictions =
        check_sender_access pcre:/etc/postfix/hold_sender.pcre


3) edit master.cf, find the line that defines the 10024 smtpd listener,
and there set
        -o smtpd_sender_restrictions=${postfilter_sender_restrictions}

4) run 'postfix reload'

now, mail from apache@*.globalchangemultimedia.net will be held in the
postfix queue. you can then use postcat to look inside. This should help
in getting more info. things to look for are

- if the message is a mailing list confirmation/notification, with no
"spam text", then either the list is very successful or it is abused.
if it is abused from a single IP or an IP range, you can block that
range in your Apache configuration. or you may use something like
mod_evasive...

- if the message contains spam text, then you will need to find which
script was used to send it. the script may be vulnerable to one of the
so many web application attacks. most probably an injection attack.

- check all your web scripts that send mail. writing scripts that send
mail from a web page is not simple. do not invent yours unless you are
well versed in web application security (and as a corollary: do not hire
a newbie to write one).



Re: Web script compromised? (Was: Mail Server Compromised?)

asai
Thanks to everyone for the priceless advice.