pickup/maildrop being used to spam through my machine.


pickup/maildrop being used to spam through my machine.

Homer Wilson Smith-3

     Running postfix 2.3.3 CentOS 5.x

     This is a simple apache 2 web server running postfix for
incoming mail for shell users on the same server.  Very low key,
almost no traffic, outside is not allowed to connect to the
postfix on this machine.

      This machine only handles shell users on its own domain,
adore.lightlink.com, and mail addressed or forwarded to it from our other
real mail servers that talk to the outside world.

      Suddenly I am finding adore's mailq queue filled with spam, each having
a pickup line in the logs, but no indication where it comes from, probably
the web server as the from username is apache, but so far no correlation
between web logs and time stamp on pickup line.

      This machine is also running an innd news server if it makes
any difference, innd 2.x

     Can someone tell me about possible injection routes into the
maildrop directory and how to stop it if I can't
find the web page doing it.

     Thanks  Homer

Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 099E82B0028: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2169C2B0038: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 260E32B0065: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2AB902B007D: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 325422B0080: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3AC572B0095: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3D0A32B00B8: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 417DD2B00BD: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4728B2B00CA: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4FE062B00D2: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 89BB02B00DD: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: A53092B00E3: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: BEAB72B00E7: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: CA9F42B00EC: uid=48 from=<apache>
... on and on and on thousands etc.
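The missing correlation the post describes can be done mechanically: parse the pickup(8) lines, parse the Apache access log, and count which web requests land in the few seconds before each uid=48 pickup. This is an added example, not code from the thread; it assumes syslog-style Postfix lines as shown above and Apache common/combined access-log lines from the same host, and the access-log hits (addresses, script path) are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Syslog-style pickup(8) line as in the post: no year, local clock time.
PICKUP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
# Apache common/combined format; the UTC offset is parsed then dropped so
# both logs compare as naive local time (assumption: same host, same zone).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def parse_pickup(lines, year):
    """(timestamp, queue id, uid, sender) per pickup line; other lines skipped."""
    return [(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
             m["qid"], int(m["uid"]), m["sender"])
            for m in map(PICKUP_RE.match, lines) if m]

def parse_access(lines):
    """(timestamp, client ip, method, path) per access-log hit."""
    return [(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None),
             m["ip"], m["method"], m["path"])
            for m in map(ACCESS_RE.match, lines) if m]

def suspicious_requests(pickups, hits, uid=48, window=timedelta(seconds=5)):
    """Count web requests that landed within `window` before a pickup by `uid`
    (48 is apache on CentOS 5); the request that keeps scoring is the likely
    injection point."""
    counts = Counter()
    for ts, _qid, p_uid, _sender in pickups:
        if p_uid != uid:
            continue
        for h_ts, ip, method, path in hits:
            if ts - window <= h_ts <= ts:
                counts[(method, path, ip)] += 1
    return counts

# Constructed sample: three pickup lines from the post plus invented hits
# (RFC 5737 documentation addresses, made-up script path).
PICKUP_SAMPLE = [
    "Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48 from=<apache>",
    "Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48 from=<apache>",
    "Jun 12 05:26:17 adore2 postfix/pickup[14251]: 099E82B0028: uid=48 from=<apache>",
]
ACCESS_SAMPLE = [
    '198.51.100.3 - - [12/Jun/2017:05:25:40 -0400] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Jun/2017:05:26:15 -0400] "POST /contact/form.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2017:05:26:16 -0400] "POST /contact/form.php HTTP/1.1" 200 512',
]
```

Run `suspicious_requests(parse_pickup(open("/var/log/maillog"), 2017), parse_access(open("/var/log/httpd/access_log"))).most_common(10)` on the real logs; if nothing scores even with a wider window, the submissions are not coming through the web server at all, which points at a cron job or a stray process running as apache instead.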

Re: pickup/maildrop being used to spam through my machine.

Christian Kivalo


On 13 June 2017 at 10:28:39 CEST, Homer Wilson Smith <[hidden email]> wrote:

>
>     Running postfix 2.3.3 CentOS 5.x
>
>     This is a simple apache 2 web server running postfix for
>incoming mail for shell users on the same server.  Very low key,
>almost no traffic, outside is not allowed to connect to the
>postfix on this machine.
>
>      This machine only handles shell users on its own domain,
>adore.lightlink.com, and mail addressed or forwarded to it from our other
>real mail servers that talk to the outside world.
>
>  Suddenly I am finding adore's mailq queue filled with spam, each having
>a pickup line in the logs, but no indication where it comes from,
>probably
>the web server as the from username is apache, but so far no
>correlation
>between web logs and time stamp on pickup line.
>
>      This machine is also running an innd news server if it makes
>any difference, innd 2.x
>
>     Can someone tell me about possible injection routes into the
>maildrop directory and how to stop it if I can't
>find the web page doing it.

Start with restricting which users are allowed to locally submit mail: authorized_submit_users, http://www.postfix.org/postconf.5.html#authorized_submit_users


--
Christian Kivalo

Re: pickup/maildrop being used to spam through my machine.

Philip Paeps
In reply to this post by Homer Wilson Smith-3
On 2017-06-13 04:28:39 (-0400), Homer Wilson Smith <[hidden email]> wrote:
>Suddenly I am finding adore's mailq queue filled with spam, each having a
>pickup line in the logs, but no indication where it comes from,
>probably the web server as the from username is apache, but so far no
>correlation between web logs and time stamp on pickup line.

Check for other processes running as the apache user.  Check the crontab
of that user too.

Also firewall off any ports.

I would definitely advise taking a disk image of the machine for
forensic analysis and then doing a clean reinstall.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information