How to figure how my server is able to be used to send malicious emails?

How to figure how my server is able to be used to send malicious emails?

gregfreemyer
All,

I have a VM on the internet that for the last day or so has been sending out
tens of thousands of malicious emails.

openSUSE 42.2

Fully updated with security patches.  I know I need to update to 42.3,
but at least for now it is still getting security patches.

I assume the bad guys are somehow using it as a relay site, but I'm
not sure.  The server has a GUI on it I think, but I rarely, if ever
use it.  Almost all admin is via ssh.

Troubleshooting advice appreciated.

First, all the malicious emails have "Banco" in the content of the
email, so I'm cleaning up all the deferred emails that are now
accumulating via:

   cd /var/spool/postfix/deferred
   grep -l Banco */* | sed -r 's/^.{2}//' | postsuper -d -

I've deleted about 100,000 emails total by running the above a few
times over the last day.

But additional emails show up within several hours.  (I'm not checking
every hour or more.)


The contents of /etc/postfix/relay are:
# for relaying domain
# domain.de OK
IAC-Forensics.com OK

So, I think I only relay emails for that domain, but the malicious
emails are not to or from that domain.

FYI: The server has been RBL Blacklisted.  It's a minor issue that I
assume will clear up in a day or two.  In the meantime, I can ignore
the problem.  This server originates very little email.

Thanks
Greg
--
Greg Freemyer
Advances are made by answering questions. Discoveries are made by
questioning answers.
— Bernard Haisch

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: How to figure how my server is able to be used to send malicious emails?

John Andersen-2
On 01/07/2018 03:48 PM, Greg Freemyer wrote:
>  In the meantime, I can ignore
> the problem.  This server originates very little email.


You need to google up how not to be an open relay.
There are a few simple but critical steps you can take that will
prevent relaying mail.

Your ISP may well be contacting you, so I would not ignore this problem.

--
After all is said and done, more is said than done.


Re: How to figure how my server is able to be used to send malicious emails?

Carlos E. R.-2
In reply to this post by gregfreemyer
On 2018-01-08 00:48, Greg Freemyer wrote:
> All,
>
> I have VM on the internet that for the last day or so is sending out
> 10's of thousands of malicious emails.

Oh my :-(


> openSUSE 42.2
>
> Fully updated with security patches.  I know I need to update to 42.3,
> but at least for now it is still getting security patches.
>
> I assume the bad guys are somehow using it as a relay site, but I'm
> not sure.  The server has a GUI on it I think, but I rarely, if ever
> use it.  Almost all admin is via ssh.
>
> Troubleshooting advice appreciated.
>
> First all the malicious emails have "Banco" in the content of the
> email, so I'm cleaning up all the deferred emails that are now
> accumulating via:
>
>    cd /var/spool/postfix/deferred
>    grep -l Banco */* | sed -r 's/^.{2}//' | postsuper -d -
>
> I've deleted about 100,000 emails total by running the above a few
> times over the last day.
Goodness!  :-/

>
> But additional emails show up within several hours.  (I'm not checking
> every hour or more.)
>
>
> The contents of /etc/postfix/relay are:
> # for relaying domain
> # domain.de OK
> IAC-Forensics.com OK

That means, I think, that you accept email from them, to relay them to
the outside. Could they fake it? Maybe you need smtp auth.

http://www.postfix.org/SMTPD_ACCESS_README.html

I do not find an authoritative doc for that file. I'm googling for:

"postfix/relay" site:www.postfix.org

but I think you need to set up the "relay_ccerts" file. It says:

# See /usr/share/doc/packages/postfix/samples/sample-tls.cf
# for more details

But I can't find that file either. I have a copy of it dated 2006!


You could look at greylisting.


> So, I think I only relay emails for that domain, but the malicious
> emails are not to or from that domain.

Hum.

>
> FYI: The server has been RBL Blacklisted.  It's a minor issue that I
> assume will clear up in a day or two.  In the meantime, I can ignore
> the problem.  This server originates very little email.

Well, I would start by looking at some of the mail headers for clues,
and at the mail log, to try to find out how they are entering, and where
from, and perhaps guess what loophole they use.

Then I would look in detail at the entire /etc/postfix/ config files.

Feel free to email that info to me off list if you wish. I cannot
guarantee success, but I can try.



--
Cheers / Saludos,

                Carlos E. R.
                (from 42.2 x86_64 "Malachite" at Telcontar)



Re: How to figure how my server is able to be used to send malicious emails?

Per Jessen
In reply to this post by gregfreemyer
Greg Freemyer wrote:

> All,
>
> I have VM on the internet that for the last day or so is sending out
> 10's of thousands of malicious emails.
>
> openSUSE 42.2
>
> Fully updated with security patches.  I know I need to update to 42.3,
> but at least for now it is still getting security patches.
>
> I assume the bad guys are somehow using it as a relay site, but I'm
> not sure.  The server has a GUI on it I think, but I rarely, if ever
> use it.  Almost all admin is via ssh.

Check the mail logs, Greg. /var/log/mail will tell you everything.

> The contents of /etc/postfix/relay are:
> # for relaying domain
> # domain.de OK
> IAC-Forensics.com OK

And contents of /etc/postfix/main.cf ?  Is that file used?  What are
your smtp recipient restrictions?  

> FYI: The server has been RBL Blacklisted.  It's a minor issue that I
> assume will clear up in a day or two.  In the meantime, I can ignore
> the problem.  This server originates very little email.

As long as your server continues to send spam, it will likely remain on
various blacklists.



--
Per Jessen, Zürich (2.2°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.



Re: How to figure how my server is able to be used to send malicious emails?

gregfreemyer
In reply to this post by John Andersen-2
On Sun, Jan 7, 2018 at 9:16 PM, John Andersen <[hidden email]> wrote:
> On 01/07/2018 03:48 PM, Greg Freemyer wrote:
>>  In the meantime, I can ignore
>> the problem.  This server originates very little email.
>
>
> You need to google up how not to be an open relay.
> There are a few simple but critical steps you can take that will
> prevent relaying mail.

As far as I know, I'm not an open relay.  This server has been in
place for 5 years.  This is the first occurrence I'm aware of with it
being used to send out large amounts of malicious email.

> Your ISP may well be contacting you, so I would not ignore this problem.

I'm only ignoring me being blacklisted.  I want to figure out the
malicious email issue.

Greg


Re: How to figure how my server is able to be used to send malicious emails?

gregfreemyer
In reply to this post by Carlos E. R.-2
On Sun, Jan 7, 2018 at 9:33 PM, Carlos E. R.
<[hidden email]> wrote:

> On 2018-01-08 00:48, Greg Freemyer wrote:
>> All,
>>
>> I have VM on the internet that for the last day or so is sending out
>> 10's of thousands of malicious emails.
>
> Oh my :-(
>
>
>> openSUSE 42.2
>>
>> Fully updated with security patches.  I know I need to update to 42.3,
>> but at least for now it is still getting security patches.
>>
>> I assume the bad guys are somehow using it as a relay site, but I'm
>> not sure.  The server has a GUI on it I think, but I rarely, if ever
>> use it.  Almost all admin is via ssh.
>>
>> Troubleshooting advice appreciated.
>>
>> First all the malicious emails have "Banco" in the content of the
>> email, so I'm cleaning up all the deferred emails that are now
>> accumulating via:
>>
>>    cd /var/spool/postfix/deferred
>>    grep -l Banco */* | sed -r 's/^.{2}//' | postsuper -d -
>>
>> I've deleted about 100,000 emails total by running the above a few
>> times over the last day.
>
> Goodness!  :-/

No massive emails sent in the last 12 hours.

>> But additional emails show up within several hours.  (I'm not checking
>> every hour or more.)
>>
>>
>> The contents of /etc/postfix/relay are:
>> # for relaying domain
>> # domain.de OK
>> IAC-Forensics.com OK
>
> That means, I think, that you accept email from them, to relay them to
> the outside. Could they fake it? Maybe you need smtp auth.

It should show up in the headers, right?  I didn't see that.

I've deleted all the malicious emails, so I don't have any to look at
until more appear.

> http://www.postfix.org/SMTPD_ACCESS_README.html
>
> I do not find an authoritative doc for that file. I'm googling for:
>
> "postfix/relay" site:www.postfix.org
>
> but I think you need setting up the "relay_ccerts" file. It says:
>
> # See /usr/share/doc/packages/postfix/samples/sample-tls.cf
> # for more details
>
> But I can't find that file either. I have a copy of it dated 2006!
>
>
> You could look at greylisting.
>
>
>> So, I think I only relay emails for that domain, but the malicious
>> emails are not to or from that domain.
>
> Hum.

Exactly

>> FYI: The server has been RBL Blacklisted.  It's a minor issue that I
>> assume will clear up in a day or two.  In the meantime, I can ignore
>> the problem.  This server originates very little email.
>
> Well, I would start by looking at some of the mail headers for clues,
> and at the mail log, to try find out how they are entering, and where
> from, and perhaps guess what loophole they use.
>
> Then I would look in detail at the entire /etc/postfix/ config files.
>
> Feel free to email that info to me off list if you wish. I can not
> guarantee success, but I can try.

I sent you a copy of the /etc/postfix directory.

More in my reply to Per. (soon to be written).

Greg


Re: How to figure how my server is able to be used to send malicious emails?

gregfreemyer
In reply to this post by Per Jessen
On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <[hidden email]> wrote:

> Greg Freemyer wrote:
>
>> All,
>>
>> I have VM on the internet that for the last day or so is sending out
>> 10's of thousands of malicious emails.
>>
>> openSUSE 42.2
>>
>> Fully updated with security patches.  I know I need to update to 42.3,
>> but at least for now it is still getting security patches.
>>
>> I assume the bad guys are somehow using it as a relay site, but I'm
>> not sure.  The server has a GUI on it I think, but I rarely, if ever
>> use it.  Almost all admin is via ssh.
>
> Check the mail logs, Greg. /var/log/mail will tell you everything.

Agreed, but they are huge as of the last couple days.  I need some
hints of what to look for.

The first "large" log file is Jan 5. I'll start with that one and
maybe I can see the emails coming into the system.

I note in the last 12 hours my server has sent several emails from
"wwwrun" to [hidden email].

Maybe I have a penetration of my webserver?  My webserver should be
very vanilla and I can turn off PHP support, etc. if it is currently
active.

>> The contents of /etc/postfix/relay are:
>> # for relaying domain
>> # domain.de OK
>> IAC-Forensics.com OK
>
> And contents of /etc/postfix/main.cf ?  Is that file used?  What are
> your smtp recipient restrictions?

I don't think I have any smtp recipient restrictions?

I think my main.cf is very vanilla:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
mail_owner = postfix

mydomain = intelligentavatar.net
myorigin = $mydomain
unknown_local_recipient_reject_code = 550

mynetworks = <redacted>/32

home_mailbox = Maildir/
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks

debug_peer_level = 1
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = /usr/share/doc/packages/postfix-doc/html

manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix-doc/samples
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
biff = no
content_filter =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
inet_interfaces = all
inet_protocols = ipv4
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
mydestination = $myhostname, localhost.$mydomain
myhostname = <redacted>
mynetworks_style = subnet

alias_maps = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
relocated_maps = hash:/etc/postfix/relocated
sender_canonical_maps = hash:/etc/postfix/sender_canonical
transport_maps = hash:/etc/postfix/transport
mail_spool_directory = /var/mail
message_strip_characters = \0
defer_transports =
mailbox_command =
mailbox_transport =
mailbox_size_limit = 0
message_size_limit = 0
strict_8bitmime = no
strict_rfc821_envelopes = no
smtpd_helo_required = no

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtp_sasl_auth_enable = no
smtp_sasl_security_options =
smtp_sasl_password_maps =
smtpd_sasl_auth_enable = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhontname
relay_clientcerts =

smtp_use_tls = no
smtp_enforce_tls = no
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_session_cache_database =

smtpd_use_tls = no
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_cert_file =
smtpd_tls_key_file =
smtpd_tls_ask_ccert = no
smtpd_tls_received_header = no
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

virtual_mailbox_domains = intelligentavatar.net iac-forensics.com
virtual_mailbox_base = /srv/maildirs
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_limit = 0
virtual_mailbox_limit_inbox = no

disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_banner = $myhostname ESMTP

>> FYI: The server has been RBL Blacklisted.  It's a minor issue that I
>> assume will clear up in a day or two.  In the meantime, I can ignore
>> the problem.  This server originates very little email.
>
> As long as your server continues to send spam, it will likely remain on
> various blacklists.

Agreed.  I definitely want to kill the spam activity.

Greg


Re: How to figure how my server is able to be used to send malicious emails?

gregfreemyer
> I note in the last 12 hours my server has sent several emails from
> "wwwrun" to [hidden email].
>
> Maybe I have a penetration of my webserver?  My webserver should be
> very vanilla and I can turn off PHP support, etc. if it is currently
> active.

For all: the server in question is NOT a repository of confidential
data.  I encrypt confidential data before uploading files to it.

== back to investigating

Whatever zobugtel is, it seems related, but not the source of 10's of
thousands of emails:

 # xzgrep -c zobugtel mail-* mail
mail-20170117.xz:0
mail-20170201.xz:0
mail-20170215.xz:0
mail-20170227.xz:0
mail-20170310.xz:0
mail-20170320.xz:0
mail-20170329.xz:0
mail-20170410.xz:0
mail-20170420.xz:0
mail-20170429.xz:0
mail-20170516.xz:0
mail-20170529.xz:0
mail-20170609.xz:0
mail-20170619.xz:0
mail-20170624.xz:0
mail-20170703.xz:0
mail-20170715.xz:0
mail-20170803.xz:0
mail-20170817.xz:0
mail-20170821.xz:0
mail-20170822.xz:0
mail-20170831.xz:0
mail-20170911.xz:0
mail-20170922.xz:0
mail-20171002.xz:0
mail-20171018.xz:0
mail-20171102.xz:0
mail-20171120.xz:0
mail-20171204.xz:0
mail-20171215.xz:0
mail-20171230.xz:226
mail-20180105.xz:37
mail-20180106.xz:0
mail-20180107.xz:3
mail:7

Greg


Re: How to figure how my server is able to be used to send malicious emails?

jdd@dodin.org
In reply to this post by gregfreemyer
On 08/01/2018 at 17:38, Greg Freemyer wrote:

> I'm only ignoring me being blacklisted.  I want to figure out the
> malicious email issue.
>

Nobody local could touch it? Or could an internal computer be compromised?

jdd


--
http://dodin.org


Re: How to figure how my server is able to be used to send malicious emails?

gregfreemyer
In reply to this post by gregfreemyer
>> And contents of /etc/postfix/main.cf ?  Is that file used?  What are
>> your smtp recipient restrictions?
>
> I don't think I have any smtp recipient restrictions?

I found copies of some of the original emails, and I was wrong.

They have my domain in the header, so I need a way to block smtp
connections except from authorized servers / senders.

A month ago relays were being blocked:

/var/log/mail-20171204.xz:2017-11-24T05:42:32.548951-05:00 cloud1
postfix/smtpd[1427]: NOQUEUE: reject: RCPT from
hwsrv-201020.hostwindsdns.com[23.254.203.84]: 454 4.7.1
<[hidden email]>: Relay access denied;
from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<hwsrv-201020.hostwindsdns.com>


[hidden email] is a legit alias on my server.  I don't
know what rule blocked the relay, but something did a month ago.

This weekend I apparently had 100,000+ emails relayed for that same alias.

I would like to continue to accept email with a to: address of
"admin....", but I can safely refuse to relay email for that address.

Blocking that relay will be my immediate fix.  I've added:

[hidden email]     DISCARD

to my /etc/postfix/access file and run postmap access.

Should that do the job?

Thanks
Greg





Re: How to figure how my server is able to be used to send malicious emails?

Andrei Borzenkov
In reply to this post by gregfreemyer
On 08.01.2018 at 20:06, Greg Freemyer wrote:
...

>
> smtpd_client_restrictions =
> smtpd_helo_restrictions =
> smtpd_sender_restrictions = hash:/etc/postfix/access
> smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination

Normally this should prevent delivery to destinations for which this
postfix instance is not final.

> smtp_sasl_auth_enable = no
> smtp_sasl_security_options =
> smtp_sasl_password_maps =
> smtpd_sasl_auth_enable = no
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $myhontname
> relay_clientcerts =
>
> smtp_use_tls = no
> smtp_enforce_tls = no
> smtp_tls_CAfile =
> smtp_tls_CApath =
> smtp_tls_cert_file =
> smtp_tls_key_file =
> smtp_tls_session_cache_database =
>
> smtpd_use_tls = no
> smtpd_tls_CAfile =
> smtpd_tls_CApath =
> smtpd_tls_cert_file =
> smtpd_tls_key_file =
> smtpd_tls_ask_ccert = no
> smtpd_tls_received_header = no
> virtual_alias_domains = hash:/etc/postfix/virtual
> virtual_alias_maps = hash:/etc/postfix/virtual
>

Are you sure these have not been tampered with?

> virtual_mailbox_domains = intelligentavatar.net iac-forensics.com
> virtual_mailbox_base = /srv/maildirs
> virtual_mailbox_maps = hash:/etc/postfix/vmailbox

Or this?


Re: How to figure how my server is able to be used to send malicious emails?

gregfreemyer
On Mon, Jan 8, 2018 at 1:21 PM, Andrei Borzenkov <[hidden email]> wrote:

> On 08.01.2018 at 20:06, Greg Freemyer wrote:
> ...
>
>>
>> smtpd_client_restrictions =
>> smtpd_helo_restrictions =
>> smtpd_sender_restrictions = hash:/etc/postfix/access
>> smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
>
> Normally this should prevent delivery to destinations for which this
> postfix instance is not final.
>

My "access" file was effectively empty (comments only).

I have just added:

[hidden email]    DISCARD

which I hope will silently discard email relay attempts for that from address.

Maybe I should use REJECT instead?

>>
>
> Are you sure these have not been tampered with?
>
>> virtual_mailbox_domains = intelligentavatar.net iac-forensics.com
>> virtual_mailbox_base = /srv/maildirs
>> virtual_mailbox_maps = hash:/etc/postfix/vmailbox
>
> Or this?

I don't know if something was tampered with, but a month ago email
relaying for [hidden email] was rejected and this weekend
it was allowed.

That is a legit alias on my server so I don't know why it was rejected
in the past, and I don't know why relay started working at some point
in the last month.

Greg


Re: How to figure how my server is able to be used to send malicious emails?

Per Jessen
In reply to this post by gregfreemyer
Greg Freemyer wrote:

> On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <[hidden email]> wrote:
>> Greg Freemyer wrote:
>>
>>> All,
>>>
>>> I have VM on the internet that for the last day or so is sending out
>>> 10's of thousands of malicious emails.
>>>
>>> openSUSE 42.2
>>>
>>> Fully updated with security patches.  I know I need to update to
>>> 42.3, but at least for now it is still getting security patches.
>>>
>>> I assume the bad guys are somehow using it as a relay site, but I'm
>>> not sure.  The server has a GUI on it I think, but I rarely, if ever
>>> use it.  Almost all admin is via ssh.
>>
>> Check the mail logs, Greg. /var/log/mail will tell you everything.
>
> Agreed, but they are huge as of the last couple days.  I need some
> hints of what to look for.

Look for e.g. "smtpd.*connect" to see servers connecting to deliver
mails.  If you see lots of unknown ones, you have identified the
source.

> I note in the last 12 hours my server has sent several emails from
> "wwwrun" to [hidden email].

wwwrun is almost certainly your apache server; any chance some
application has been compromised?

> Maybe I have a penetration of my webserver?  My webserver should be
> very vanilla and I can turn off PHP support, etc. if it is currently
> active.

If you're not using it, I would suggest just stopping it.
 
>>> The contents of /etc/postfix/relay are:
>>> # for relaying domain
>>> # domain.de OK
>>> IAC-Forensics.com OK
>>
>> And contents of /etc/postfix/main.cf ?  Is that file used?  What are
>> your smtp recipient restrictions?
>
> I don't think I have any smtp recipient restrictions?

You ought to have at least 'reject_unauth_destination'.

>
> I think my main.cf is very vanilla:

Depending on what you need it for, I would suggest getting rid of a lot
of the vanilla stuff.  It often just gets in the way and only obscures
the picture.

> smtpd_recipient_restrictions =
> permit_mynetworks,reject_unauth_destination

That looks good - assuming you also have

relay_domains = hash:/etc/postfix/relay,

and you've postmap'ed /etc/postfix/relay, I don't think your postfix is
open. (I'll be happy to test that for you, if you want).


Hope this helps,
Per


--
Per Jessen, Zürich (4.5°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
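Per's advice above is to grep the mail log for smtpd connections and see which clients are unfamiliar. The script below is an added example, not part of this thread and not Postfix code, that does that triage over a constructed sample log written in the same syslog shape as the lines Greg quoted (client IPs come from documentation ranges; the names triage and relay_suspects are mine). It separates connections that were merely attempted, messages actually accepted into the queue, and RCPT-time rejections such as "Relay access denied", and links each accepted message back to its client and envelope sender, which is what tells a relay abuser apart from a host that is only being rejected.

```python
"""
Triage of a Postfix mail log for relay abuse (added example; not from the thread).

Assumes syslog lines in the shape shown in the thread:
    <timestamp> <host> postfix/<daemon>[<pid>]: <queue id or NOQUEUE>: ...
On a real host feed it open("/var/log/mail") (or the xz-decompressed rotated
files); here a constructed sample is embedded so it runs offline.
"""
import re
from collections import Counter

# Constructed sample log. Client IPs are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
2018-01-06T03:12:44.100000-05:00 cloud1 postfix/smtpd[1427]: connect from unknown[198.51.100.23]
2018-01-06T03:12:44.200000-05:00 cloud1 postfix/smtpd[1427]: 4F3A21C0B2: client=unknown[198.51.100.23]
2018-01-06T03:12:44.300000-05:00 cloud1 postfix/qmgr[1401]: 4F3A21C0B2: from=<admin@example.com>, size=2310, nrcpt=1 (queue active)
2018-01-06T03:12:45.000000-05:00 cloud1 postfix/smtpd[1427]: disconnect from unknown[198.51.100.23]
2018-01-06T03:12:46.100000-05:00 cloud1 postfix/smtpd[1427]: connect from unknown[198.51.100.23]
2018-01-06T03:12:46.200000-05:00 cloud1 postfix/smtpd[1427]: 51B7C1C0B4: client=unknown[198.51.100.23]
2018-01-06T03:12:46.300000-05:00 cloud1 postfix/qmgr[1401]: 51B7C1C0B4: from=<admin@example.com>, size=2290, nrcpt=1 (queue active)
2018-01-06T03:12:47.000000-05:00 cloud1 postfix/smtpd[1427]: disconnect from unknown[198.51.100.23]
2018-01-06T03:12:48.100000-05:00 cloud1 postfix/smtpd[1429]: connect from unknown[198.51.100.23]
2018-01-06T03:12:48.200000-05:00 cloud1 postfix/smtpd[1429]: 5C0D41C0B7: client=unknown[198.51.100.23]
2018-01-06T03:12:48.300000-05:00 cloud1 postfix/qmgr[1401]: 5C0D41C0B7: from=<admin@example.com>, size=2301, nrcpt=1 (queue active)
2018-01-06T03:12:49.000000-05:00 cloud1 postfix/smtpd[1429]: disconnect from unknown[198.51.100.23]
2018-01-06T03:13:01.000000-05:00 cloud1 postfix/smtpd[1428]: connect from mail.example.net[203.0.113.9]
2018-01-06T03:13:01.100000-05:00 cloud1 postfix/smtpd[1428]: 6D2E81C0B9: client=mail.example.net[203.0.113.9]
2018-01-06T03:13:01.200000-05:00 cloud1 postfix/qmgr[1401]: 6D2E81C0B9: from=<alice@example.net>, size=812, nrcpt=1 (queue active)
2018-01-06T03:13:02.000000-05:00 cloud1 postfix/smtpd[1428]: disconnect from mail.example.net[203.0.113.9]
2018-01-06T03:13:10.000000-05:00 cloud1 postfix/smtpd[1430]: connect from unknown[192.0.2.77]
2018-01-06T03:13:10.100000-05:00 cloud1 postfix/smtpd[1430]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<admin@example.com> to=<victim@example.org> proto=ESMTP helo=<unknown>
2018-01-06T03:13:10.200000-05:00 cloud1 postfix/smtpd[1430]: disconnect from unknown[192.0.2.77]
"""

# Postfix logs "unknown" as the client name when reverse DNS fails or does not match.
RE_CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from (\S+)\[([0-9a-fA-F.:]+)\]")
RE_QUEUED = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=(\S+)\[([0-9a-fA-F.:]+)\]")
RE_REJECT = re.compile(r"NOQUEUE: reject: RCPT from (\S+)\[([0-9a-fA-F.:]+)\]: (\d{3}) \S+ <[^>]*>: ([^;]+);")
RE_FROM = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")


def triage(lines):
    """Walk the log once; return per-client connection, acceptance and rejection counts."""
    connects = Counter()   # client ip -> inbound SMTP connections
    queued = Counter()     # client ip -> messages accepted into the queue
    rejected = Counter()   # (client ip, reject reason) -> RCPT-time rejections
    senders = Counter()    # (client ip, envelope sender) -> accepted messages
    unresolved = set()     # client ips that showed up as "unknown"
    queue_client = {}      # queue id -> client ip (links the qmgr from= line to its client)
    for line in lines:
        m = RE_CONNECT.search(line)
        if m:
            host, ip = m.groups()
            connects[ip] += 1
            if host == "unknown":
                unresolved.add(ip)
            continue
        m = RE_QUEUED.search(line)
        if m:
            qid, _host, ip = m.groups()
            queued[ip] += 1
            queue_client[qid] = ip
            continue
        m = RE_REJECT.search(line)
        if m:
            _host, ip, _code, reason = m.groups()
            rejected[(ip, reason.strip())] += 1
            continue
        m = RE_FROM.search(line)
        if m:
            qid, sender = m.groups()
            senders[(queue_client.get(qid, "?"), sender)] += 1
    return {"connects": connects, "queued": queued, "rejected": rejected,
            "senders": senders, "unresolved": unresolved}


def relay_suspects(report, min_queued=2):
    """Clients with at least min_queued accepted messages, most active first.
    Each entry is (ip, accepted count, reverse-DNS failed?)."""
    return [(ip, n, ip in report["unresolved"])
            for ip, n in report["queued"].most_common() if n >= min_queued]


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG.splitlines())
    for ip, n, no_rdns in relay_suspects(rep):
        print(f"{ip}: {n} accepted, rDNS failed={no_rdns}, senders="
              f"{[s for (c, s) in rep['senders'] if c == ip]}")
    for (ip, reason), n in rep["rejected"].items():
        print(f"{ip}: {n} x {reason}")
```

On a host in the state the thread describes, the interesting output is a client with many accepted messages and a constant forged sender; a client that only shows up under rejected is being stopped by reject_unauth_destination and is noise. The same split (accepted versus rejected per client) is what Per's "smtpd.*connect" grep cannot give on its own, since connect lines are logged for both kinds of client.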



Re: How to figure how my server is able to be used to send malicious emails?

gregfreemyer
On Mon, Jan 8, 2018 at 2:01 PM, Per Jessen <[hidden email]> wrote:

> Greg Freemyer wrote:
>
>> On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <[hidden email]> wrote:
>>> Greg Freemyer wrote:
>>>
>>>> All,
>>>>
>>>> I have VM on the internet that for the last day or so is sending out
>>>> 10's of thousands of malicious emails.
>>>>
>>>> openSUSE 42.2
>>>>
>>>> Fully updated with security patches.  I know I need to update to
>>>> 42.3, but at least for now it is still getting security patches.
>>>>
>>>> I assume the bad guys are somehow using it as a relay site, but I'm
>>>> not sure.  The server has a GUI on it I think, but I rarely, if ever
>>>> use it.  Almost all admin is via ssh.
>>>
>>> Check the mail logs, Greg. /var/log/mail will tell you everything.
>>
>> Agreed, but they are huge as of the last couple days.  I need some
>> hints of what to look for.
>
> Look for e.g. "smtpd.*connect" to see servers connecting to deliver
> mails.  If you see lots of unknown ones, you have identified the
> source.

As noted in other emails, I think I found the method of relay used.
Anyway, I made an effort to block it.

>> I note in the last 12 hours my server has sent several emails from
>> "wwwrun" to [hidden email].
>
> wwwrun is almost certainly your apache server, any chance some
> application has been compromised?

Whatever it is, it seems unrelated, so I will attack that problem
separately.  I mostly have just a few static pages on this server.

>> Maybe I have a penetration of my webserver?  My webserver should be
>> very vanilla and I can turn off PHP support, etc. if it is currently
>> active.
>
> If you're not using it, I would suggest just stopping it.

Agreed

>>>> The contents of /etc/postfix/relay are:
>>>> # for relaying domain
>>>> # domain.de OK
>>>> IAC-Forensics.com OK
>>>
>>> And contents of /etc/postfix/main.cf ?  Is that file used?  What are
>>> your smtp recipient restrictions?
>>
>> I don't think I have any smtp recipient restrictions?
>
> You ought to have at least 'reject_unauth_destination'.

I do

>> I think my main.cf is very vanilla:
>
> Depending on what you need it for, I would suggest getting rid of a lot
> of the vanilla stuff.  It often just gets in the way and only obscures
> the picture.
>
>> smtpd_recipient_restrictions =
>> permit_mynetworks,reject_unauth_destination
>
> That looks good - assuming you also have
>
> relay_domains = hash:/etc/postfix/relay,

Hmm.. I have:
#relay_domains = $mydestination, hash:/etc/postfix/relay

Note it is commented out!

Is it the default?

>
> and you've postmap'ed /etc/postfix/relay, I don't think your postfix is
> open. (I'll be happy to test that for you, if you want).

I had an online website test it.  It's not fully open, but the bad
guys still found a way.

Looks like 500,000+ emails went through the server in the last 72 hours.

>
>
> Hope this helps,
> Per

Thanks Much
Greg


Re: How to figure how my server is able to be used to send malicious emails?

Per Jessen
Greg Freemyer wrote:

>>> I think my main.cf is very vanilla:
>>
>> Depending on what you need it for, I would suggest getting rid of a
>> lot
>> of the vanilla stuff.  It often just gets in the way and only
>> obscures the picture.
>>
>>> smtpd_recipient_restrictions =
>>> permit_mynetworks,reject_unauth_destination
>>
>> That looks good - assuming you also have
>>
>> relay_domains = hash:/etc/postfix/relay,
>
> Hmm.. I have:
> #relay_domains = $mydestination, hash:/etc/postfix/relay
>
> Note it is commented out!
>
> Is it the default?

Nope.  I suggest you comment it back in.  Then maybe check for ssh
logins not originating from your IP.  Someone commented that line out.

 


--
Per Jessen, Zürich (4.9°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.



Re: How to figure how my server is able to be used to send malicious emails?

Andrei Borzenkov
In reply to this post by gregfreemyer
On 08.01.2018 at 22:01, Greg Freemyer wrote:

> On Mon, Jan 8, 2018 at 1:21 PM, Andrei Borzenkov <[hidden email]> wrote:
>> On 08.01.2018 at 20:06, Greg Freemyer wrote:
>> ...
>>
>>>
>>> smtpd_client_restrictions =
>>> smtpd_helo_restrictions =
>>> smtpd_sender_restrictions = hash:/etc/postfix/access
>>> smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
>>
>> Normally this should prevent delivery to destinations for which this
>> postfix instance is not final.
>>
>
> My "access" file was effectively empty (comments only).
>

I referred to smtpd_recipient_restrictions

> I have just added:
>
> [hidden email]    DISCARD
>
> which I hope will silently discard email relay attempts for that from address.
>
> Maybe I should use REJECT instead?
>
>>>
>>
>> Are you sure these have not been tampered with?
>>
>>> virtual_mailbox_domains = intelligentavatar.net iac-forensics.com
>>> virtual_mailbox_base = /srv/maildirs
>>> virtual_mailbox_maps = hash:/etc/postfix/vmailbox
>>
>> Or this?
>
> I don't know if something was tampered with, but a month ago email
> relaying for [hidden email] was rejected and this weekend
> it was allowed.
>

Postfix's primary check is on the network range, not MAIL FROM (which can
obviously be forged quite easily). What IP does this client connect from? Is
it a local subnet? Maybe something in your hosting provider's network
topology changed?

> That is a legit alias on my server so I don't know why it was rejected
> in the past, and I don't know why relay started working at some point
> in the last month.
>
> Greg
>
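Andrei's point above (the relay decision is made on the client's network range and the recipient's domain, not on MAIL FROM) and Greg's earlier question about a DISCARD entry in /etc/postfix/access are both easier to see in a model. The Python below is an added example, not Postfix's own code: it mimics how the two restriction lists in Greg's main.cf (smtpd_sender_restrictions = hash:/etc/postfix/access and smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination) are evaluated for one RCPT TO. The class and function names are mine, the domains, addresses and network ranges are constructed stand-ins for the thread's values, and reject_unauth_destination is simplified to mydestination, the virtual domains and relay_domains.

```python
"""
Model of the relay decision made by the main.cf shown in the thread
(added example, not Postfix code; values are constructed stand-ins):
    smtpd_sender_restrictions    = hash:/etc/postfix/access
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class RelayPolicy:
    mynetworks: list                      # CIDR strings, like main.cf "mynetworks"
    mydestination: set                    # $mydestination
    virtual_domains: set                  # $virtual_alias_domains + $virtual_mailbox_domains
    relay_domains: set = field(default_factory=set)    # $relay_domains (default is empty in
                                                       # Postfix 3.x, $mydestination in 2.x)
    sender_access: dict = field(default_factory=dict)  # /etc/postfix/access: key -> action,
                                                       # keys lowercase as postmap stores them

    def lookup_sender(self, sender):
        """check_sender_access: try the full address, then the domain, then localpart@."""
        if "@" not in sender:
            return "DUNNO"
        local, domain = sender.lower().rsplit("@", 1)
        for key in (local + "@" + domain, domain, local + "@"):
            if key in self.sender_access:
                return self.sender_access[key]
        return "DUNNO"

    def is_final_destination(self, domain):
        return domain in self.mydestination or domain in self.virtual_domains

    def is_relay_domain(self, domain):
        # relay_domains matches the domain itself or any subdomain of it
        return any(domain == d or domain.endswith("." + d) for d in self.relay_domains)

    def decide(self, client_ip, sender, recipient):
        """Outcome of one RCPT TO: 'OK' (accepted), 'REJECT' (relay access denied or an
        access-table reject) or 'DISCARD' (accepted, then silently dropped)."""
        # With smtpd_delay_reject = yes every list is evaluated at RCPT TO time, in the
        # order client, helo, sender, recipient; REJECT or DISCARD in the sender list ends it.
        action = self.lookup_sender(sender)
        if action in ("REJECT", "DISCARD"):
            return action
        # permit_mynetworks: trusted client ranges may relay anywhere
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(net, strict=False) for net in self.mynetworks):
            return "OK"
        # reject_unauth_destination: everyone else only reaches domains this host is
        # final destination for, or explicitly forwards for. MAIL FROM plays no part.
        rdomain = recipient.lower().rsplit("@", 1)[-1]
        if self.is_final_destination(rdomain) or self.is_relay_domain(rdomain):
            return "OK"
        return "REJECT"   # logged as "Relay access denied", as in the thread's log excerpt


# Constructed policy with the same shape as the thread's main.cf.
POLICY = RelayPolicy(
    mynetworks=["203.0.113.5/32", "127.0.0.0/8"],
    mydestination={"cloud1.example.com", "localhost.example.com"},
    virtual_domains={"example.com", "example-forensics.com"},
    relay_domains=set(),                        # the thread's relay_domains line is commented out
    sender_access={"spoofed@example.com": "DISCARD"},
)


def demo():
    """Five RCPT TO attempts; returns their outcomes in order."""
    cases = [
        # 1. unknown client, forged sender in our own domain, external recipient
        ("198.51.100.23", "admin@example.com", "victim@example.org"),
        # 2. same client and sender, recipient in one of our virtual domains
        ("198.51.100.23", "admin@example.com", "alias@example.com"),
        # 3. client inside mynetworks may relay anywhere
        ("203.0.113.5", "anyone@example.org", "victim@example.org"),
        # 4. sender listed in the access table is discarded before the recipient list runs
        ("198.51.100.23", "spoofed@example.com", "alias@example.com"),
        # 5. a one-character change to the forged sender walks past that table entry
        ("198.51.100.23", "spoofed2@example.com", "alias@example.com"),
    ]
    return [POLICY.decide(*c) for c in cases]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Cases 1 and 2 are Andrei's point: the same client with the same forged sender is refused for an external recipient and accepted for a recipient in one of the server's own domains, and nothing about the sender address enters that decision. Cases 4 and 5 bear on Greg's DISCARD entry: a sender-keyed access table only fires on the exact key (full address, its domain, or localpart@), so a sender that is changed by one character is back to the recipient checks. The difference between REJECT and DISCARD is only what the connecting client is told: REJECT answers with a 5xx at RCPT TO, DISCARD accepts the message and drops it, so the client sees success and the only trace is the discard entry in the mail log.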



Re: How to figure how my server is able to be used to send malicious emails?

Knurpht-openSUSE
In reply to this post by gregfreemyer
On Monday 8 January 2018 20:09:34 CET, Greg Freemyer wrote:

> On Mon, Jan 8, 2018 at 2:01 PM, Per Jessen <[hidden email]> wrote:
> > Greg Freemyer wrote:
> >> On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <[hidden email]> wrote:
> >>> Greg Freemyer wrote:
> >>>> All,
> >>>>
> >>>> I have VM on the internet that for the last day or so is sending out
> >>>> 10's of thousands of malicious emails.
> >>>>
> >>>> openSUSE 42.2
> >>>>
> >>>> Fully updated with security patches.  I know I need to update to
> >>>> 42.3, but at least for now it is still getting security patches.
> >>>>
> >>>> I assume the bad guys are somehow using it as a relay site, but I'm
> >>>> not sure.  The server has a GUI on it I think, but I rarely, if ever
> >>>> use it.  Almost all admin is via ssh.
> >>>
> >>> Check the mail logs, Greg. /var/log/mail will tell you everything.
> >>
> >> Agreed, but they are huge as of the last couple days.  I need some
> >> hints of what to look for.
> >
> > Look for e.g. "smtpd.*connect" to see servers connecting to deliver
> > mails.  If you see lots of unknown ones, you have identified the
> > source.
>
> As noted in other emails, I think I found the method of relay used.
> Any I made an effort to block it.
>
> >> I note in the last 12 hours my server has sent several emails from
> >> "wwwrun" to [hidden email].
> >
> > wwwrun is almost certainly your apache server, any chance some
> > application has been compromised?
>
> Whatever it is, it seems unrelated, so I will attack that problem
> separately.  I mostly have just a few static pages on this server.
Where do you get that it's unrelated? I've seen dozens of occasions where outdated
Joomla/Wordpress/Drupal etc. sites got hacked, a simple PHP mailer got
installed and off the spammers went, leaving traces in the CMS's logs, not in
the OS's mail logs.
IMNSHO it's the first place to look when suddenly receiving emails from
wwwrun.

Do you have a webserver running? If so, does it serve some kind of CMS?

>
> >> Maybe I have a penetration of my webserver?  My webserver should be
> >> very vanilla and I can turn off PHP support, etc. if it is currently
> >> active.
> >
> > If you're not using it, I would suggest just stopping it.
>
> Agreed
>
> >>>> The contents of /etc/postfix/relay are:
> >>>> # for relaying domain
> >>>> # domain.de OK
> >>>> IAC-Forensics.com OK
> >>>
> >>> And contents of /etc/postfix/main.cf ?  Is that file used?  What are
> >>> your smtp recipient restrictions?
> >>
> >> I don't think I have any smtp recipient restrictions?
> >
> > You ought to have at least 'reject_unauth_destination'.
>
> I do
>
> >> I think my main.cf is very vanilla:
> > Depending on what you need it for, I would suggest getting rid of a lot
> > of the vanilla stuff.  It often just gets in the way and only obscures
> > the picture.
> >
> >> smtpd_recipient_restrictions =
> >> permit_mynetworks,reject_unauth_destination
> >
> > That looks good - assuming you also have
> >
> > relay_domains = hash:/etc/postfix/relay,
>
> Hmm.. I have:
> #relay_domains = $mydestination, hash:/etc/postfix/relay
>
> Note it is commented out!
>
> Is it the default?
>
> > and you've postmap'ed /etc/postfix/relay, I don't think your postfix is
> > open. (I'll be happy to test that for you, if you want).
>
> I had an online website test it.  It's not fully open, but the bad
> guys still found a way.
>
> Looks like 500,000+ emails went through the server in the last 72 hours.
>
> > Hope this helps,
> > Per
>
> Thanks Much
> Greg


--
Gertjan Lettink, a.k.a. Knurpht

openSUSE Board Member
openSUSE Forums Team



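As an added example (not code from any poster in this thread), a small Python script that applies both hints from this exchange to a Postfix log: Per's "smtpd.*connect" search, with the connecting clients tallied and compared against mynetworks as Andrei describes, plus a count of locally injected mail per sender so that a burst from wwwrun (a PHP mailer calling sendmail) stands out. The sample log lines, the 127.0.0.0/8 and ::1/128 mynetworks default and uid 30 are constructed assumptions; on the real host, point it at /var/log/mail.

```python
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample in the shape of Postfix syslog lines; not taken from the thread.
SAMPLE_LOG = """\
Jan  8 10:01:02 mx postfix/smtpd[1201]: connect from mail.example.net[198.51.100.7]
Jan  8 10:01:03 mx postfix/smtpd[1201]: disconnect from mail.example.net[198.51.100.7]
Jan  8 10:02:10 mx postfix/smtpd[1202]: connect from unknown[203.0.113.55]
Jan  8 10:02:11 mx postfix/smtpd[1202]: A1B2C3D4E5: client=unknown[203.0.113.55]
Jan  8 10:02:12 mx postfix/smtpd[1203]: connect from unknown[203.0.113.55]
Jan  8 10:05:00 mx postfix/pickup[900]: F6A7B8C9D0: uid=30 from=<wwwrun>
Jan  8 10:05:01 mx postfix/pickup[900]: F6A7B8C9D1: uid=30 from=<wwwrun>
Jan  8 10:06:00 mx postfix/smtpd[1204]: connect from localhost[127.0.0.1]
"""

# "connect from host[ip]" is logged by smtpd for every inbound SMTP session.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (\S+)\[([0-9a-fA-F.:]+)\]")
# pickup logs mail injected locally through sendmail(1) (PHP mail(), cron, scripts).
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: \w+: uid=(\d+) from=<([^>]*)>")

def summarize(log_text, mynetworks=("127.0.0.0/8", "::1/128")):
    """Return (outside, local): smtpd clients outside mynetworks and local pickup senders."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    outside, local = Counter(), Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            host, ip = m.groups()
            # Relay permission (permit_mynetworks) hinges on the client IP, not MAIL FROM.
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                outside[f"{host}[{ip}]"] += 1
            continue
        m = PICKUP_RE.search(line)
        if m:
            uid, sender = m.groups()
            local[sender or f"uid={uid}"] += 1
    return outside, local

if __name__ == "__main__":
    # Usage: python3 mailsrc.py /var/log/mail   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    outside, local = summarize(text)
    print("SMTP clients outside mynetworks:")
    for client, n in outside.most_common():
        print(f"  {n:6d}  {client}")
    print("Local submissions (pickup) by sender:")
    for sender, n in local.most_common():
        print(f"  {n:6d}  {sender}")
```

A client that appears thousands of times from outside mynetworks, or a local sender such as wwwrun with a count far above the handful of messages a static site should produce, is where to dig next.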


Re: How to figure how my server is able to be used to send malicious emails?

Andrei Borzenkov
In reply to this post by Per Jessen
08.01.2018 22:20, Per Jessen wrote:

> Greg Freemyer wrote:
>
>>>> I think my main.cf is very vanilla:
>>>
>>> Depending on what you need it for, I would suggest getting rid of a
>>> lot
>>> of the vanilla stuff.  It often just gets in the way and only
>>> obscures the picture.
>>>
>>>> smtpd_recipient_restrictions =
>>>> permit_mynetworks,reject_unauth_destination
>>>
>>> That looks good - assuming you also have
>>>
>>> relay_domains = hash:/etc/postfix/relay,
>>
>> Hmm.. I have:
>> #relay_domains = $mydestination, hash:/etc/postfix/relay
>>
>> Note it is commented out!
>>
>> Is it the default?
>
> Nope.  I suggest you comment it back in.

Well, having no explicit relay_domains should not be worse, if it is relevant
to this problem at all. For older Postfix it defaults to
$mydestination, so it just restricts it even more.


> Then maybe check for ssh
> logins not originating from your IP.  Someone commented that line out.
>
>  

Which is why I suggested checking whether the virtual domains got
some unexpected content.



Re: How to figure how my server is able to be used to send malicious emails?

Wol's lists
In reply to this post by Knurpht-openSUSE
On 08/01/18 19:22, Knurpht - Gertjan Lettink wrote:
> Where do you get that it's unrelated? I've seen dozens of occasions where outdated
> Joomla/Wordpress/Drupal etc. sites got hacked, a simple PHP mailer got
> installed and off the spammers went, leaving traces in the CMS's logs, not in
> the OS's mail logs.
> IMNSHO it's the first place to look when suddenly receiving emails from
> wwwrun.

When I got hacked years ago, my (then clueful) ISP sent me a helpful
"how to secure your mail-server". Only snag is, it was for Linux, and I
wasn't running any server software on my Windows PC.

It's so easy for an intruder to install a little trojan that grabs your
mail credentials and runs in the background spewing emails. So they all
come from your system, and it might throttle itself so you don't notice
any performance impact ... (my trojan swamped my dial-up, iirc, so I was
trying to track down what was wrong for a while, and I ended up doing a
full "format c:, re-install").

Cheers,
Wol



Re: How to figure how my server is able to be used to send malicious emails?

Per Jessen
In reply to this post by Andrei Borzenkov
Andrei Borzenkov wrote:

> 08.01.2018 22:20, Per Jessen wrote:
>> Greg Freemyer wrote:
>>
>>>>> I think my main.cf is very vanilla:
>>>>
>>>> Depending on what you need it for, I would suggest getting rid of a
>>>> lot
>>>> of the vanilla stuff.  It often just gets in the way and only
>>>> obscures the picture.
>>>>
>>>>> smtpd_recipient_restrictions =
>>>>> permit_mynetworks,reject_unauth_destination
>>>>
>>>> That looks good - assuming you also have
>>>>
>>>> relay_domains = hash:/etc/postfix/relay,
>>>
>>> Hmm.. I have:
>>> #relay_domains = $mydestination, hash:/etc/postfix/relay
>>>
>>> Note it is commented out!
>>>
>>> Is it the default?
>>
>> Nope.  I suggest you comment it back in.
>
> Well, having no explicit relay_domains should not be worse, if it is relevant
> to this problem at all. For older Postfix it defaults to
> $mydestination, so it just restricts it even more.

True, I forgot about that.

 

--
Per Jessen, Zürich (5.1°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.


