Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-18-2012, 04:59 AM   #1
bzzika
LQ Newbie
 
Registered: Feb 2012
Posts: 5

Hacked postfix..


It's my first time dealing with mail servers and I really can't figure out what is happening.

Code:
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 10240000000000
mydestination =
myhostname = server.domain.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = hash:/etc/postfix/access,       check_client_access hash:/etc/postfix/rbl-whitelist,       permit_mynetworks,       reject_unauth_pipelining,       reject_rbl_client zen.spamhaus.org,       permit
smtpd_delay_reject = yes
smtpd_recipient_restrictions = reject_unauth_pipelining,       permit_mynetworks,       permit_sasl_authenticated,       reject_non_fqdn_recipient,       reject_unauth_destination,       reject_invalid_hostname,       reject_non_fqdn_hostname,       reject_non_fqdn_sender,       reject_unknown_recipient_domain,       reject_unauth_pipelining,       reject_rbl_client zen.spamhaus.org,        reject_rbl_client bl.spamcop.net,       permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated,       permit_mynetworks,       reject_non_fqdn_sender,       reject_unknown_sender_domain,       hash:/etc/postfix/access-sender,       reject_unauth_pipelining,       permit
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 10240000000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = virtual
virtual_uid_maps = static:5000
Part of the logs:

Code:
Feb 18 07:09:34 server postfix/qmgr[4795]: C996CBBE335: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: C609DBBE3E1: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: CFAFDBBE52B: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: C8A93BBE56C: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 3A449BBE334: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 33DB4BBE5D4: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 579BBBBE3A8: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 552B3BBE5BB: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 5A08EBBE30D: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 57B33BBE5FD: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: AFDECBBE57E: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: A0C9FBBE3A6: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: A722FBBE39F: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: ABA88BBE2E9: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: A764ABBE3EF: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 66C35BBE323: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 89D90BBE42F: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: DBB7FBBE3A2: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/error[1768]: 26CD6BBE3D4: to=<chi.chang@longandfoster.com>, relay=none, delay=102333, delays=102333/0.01/0/0.08, dsn=4.0.0, s$
Feb 18 07:09:34 server postfix/smtp[1789]: connect to monarda.com[208.87.35.103]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1789]: 75598BBE5FB: to=<info@monarda.com>, relay=none, delay=96862, delays=96862/0.06/0.24/0, dsn=4.4.1, status=deferred$
Feb 18 07:09:34 server postfix/smtp[1853]: connect to schwartzcooper.com[69.73.172.201]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1854]: connect to mail.triton.net[209.172.0.15]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1821]: 90699BBE5E6: host mx.fakemx.net[176.9.24.81] said: 451 Try again later (in reply to RCPT TO command)
Feb 18 07:09:34 server postfix/smtp[1812]: connect to ggpelawfirm.inbound10.symantecmail.com[208.65.144.22]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1853]: 4A1AEBBE420: to=<dainger@schwartzcooper.com>, relay=none, delay=101131, delays=101131/0.16/0.15/0, dsn=4.4.1, sta$
Feb 18 07:09:34 server postfix/smtp[1775]: 74D1FBBE433: host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 550-ip-addr blocked by ldap:$
Feb 18 07:09:34 server postfix/smtp[1794]: ECE56BBE571: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-ip-addr blocked by ldap$
Feb 18 07:09:34 server postfix/smtp[1796]: connect to lvestates.com[208.87.35.103]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1849]: 4A1AEBBE420: host mailin-03.mx.aol.com[64.12.90.33] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster$
Feb 18 07:09:34 server postfix/smtp[1803]: connect to lamiera.com[174.137.125.49]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1825]: 92B09BBE398: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-ip-addr blocked by ldap$
Feb 18 07:09:34 server postfix/smtp[1779]: 74D1FBBE433: host mx1.comcast.net[76.96.62.116] refused to talk to me: 554 imta18.westchester.pa.mail.comcast.net$
Feb 18 07:09:34 server postfix/smtp[1864]: connect to jamesmhellerdmd.com[74.54.88.180]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1796]: ECE56BBE571: to=<dusty@lvestates.com>, relay=none, delay=99089, delays=99088/0.07/0.41/0, dsn=4.4.1, status=defer$
Feb 18 07:09:34 server postfix/smtp[1836]: F257BBBE336: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-ip-addr blocked by ldap$
Feb 18 07:09:34 server postfix/smtp[1837]: 4EAC3BBE45E: host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 550-ip-addr blocked by ldap:$
Feb 18 07:09:34 server postfix/smtp[1843]: connect to aceofhearts.com[208.87.35.103]:25: Connection refused
And the message being sent:

Code:
CO 80163 5100 50 0 80163T^Q1329440425
169399A^Vcreate_time=1329440425A^Urewrite_context=localS^Lucyu@plm.comA
encoding=7bitA^Ylog_client_name=localhostA^\log_client_address=127.0.0.1A^$
from localhost (localhost [127.0.0.1])N= by server.domain.com
(Postfix) with ESMTP id 296DCBBE419;N& Fri, 17 Feb 2012 03:00:25
+0200 (EET)N1Received: from server.domain.com ([127.0.0.1])NJ by
localhost (server.domain.com [127.0.0.1]) (amavisd-new, port
10024)NB with ESMTP id WEH+49fXMD9K; Fri, 17 Feb 2012 03:00:25
+0200 (EET)N;Received: from User (mail.guildschool.org
[64.122.205.227])N+ (Authenticated sender: mail@domain.com)N> by
server.domain.com (Postfix) with ESMTPA id 326FEBBE41E;N& Fri,
17 Feb 2012 03:00:09 +0200 (EET)N^[From:
"kjojo"<ucyu@plm.com>N%Subject: Dear valued PayPal Customer,N%Date:
Thu, 16 Feb 2012 17:13:34 -0800N^QMIME-Version: 1.0N^^Content-Type:
multipart/mixed;N5
boundary="----=_NextPart_000_009F_01C2A9A6.47E75E62"N X-Priority:
3N^YX-MSMail-Priority: NormalN2X-Mailer: Microsoft Outlook Express
6.00.2600.0000N8X-MimeOLE: Produced By Microsoft MimeOLE
V6.00.2600.0000N=Message-Id:
<20120217010010.326FEBBE41E@server.domain.com>N^\To:
undisclosed-recipients:;N^@N,This is a multi-part message in MIME
format.N^@N+------=_NextPart_000_009F_01C2A9A6.47E75E62N^YContent-Type:
text/plain;N^P charset="utf-8"N^_Content-Transfer-Encoding:
7bitN^@N^\
MAIL TEXT REMOVED
quickN^@N^@N+------=_NextPart_000_009F_01C2A9A6.47E75E62N'Content-Type:
application/octet-stream;N* name="Personal Profile Form -
PayPal.htm"N!Content-Transfer-Encoding: base64N
Content-Disposition: attachment;N. filename="Personal Profile Form
-
PayPal.htm"N^@N<PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMD$
The only thing I figured out is that the mailbox mail@domain.com got hacked at the time the spam started. Now it's removed, but in the mails there's still:
Code:
(Authenticated sender: mail@domain.com)

In mail.log there are no logs about mail@domain.com logging in anymore.
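The header the poster points at, "(Authenticated sender: mail@domain.com)", is only in the message because the posted main.cf sets smtpd_sasl_authenticated_header = yes; that is what lets you tie each queued spam back to the SASL login that injected it rather than to the forged From: address. As an added example (not part of the thread), the Python below picks burst senders out of qmgr log lines like the ones shown and attributes a message to its SASL login from a constructed header set modelled on the posted queue file; the message/recipient thresholds and the "127." check for mynetworks are assumptions.

```python
import re
# Constructed sample modelled on the thread's mail.log excerpt, plus one
# ordinary message so the filter has something to leave alone.
LOG_LINES = [
    "Feb 18 07:09:34 server postfix/qmgr[4795]: C996CBBE335: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)",
    "Feb 18 07:09:34 server postfix/qmgr[4795]: C609DBBE3E1: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)",
    "Feb 18 07:09:34 server postfix/qmgr[4795]: CFAFDBBE52B: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)",
    "Feb 18 07:10:02 server postfix/qmgr[4795]: 0F1E2D3C4B5: from=<alice@domain.com>, size=2140, nrcpt=1 (queue active)",
]
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)

def burst_senders(lines, min_msgs=3, min_rcpt=20):
    """Map sender -> queue IDs for senders with at least min_msgs active
    messages that each carry at least min_rcpt recipients (thresholds assumed)."""
    by_sender = {}
    for line in lines:
        m = QMGR_RE.search(line)
        if m and int(m["nrcpt"]) >= min_rcpt:
            by_sender.setdefault(m["sender"], []).append(m["qid"])
    return {s: q for s, q in by_sender.items() if len(q) >= min_msgs}

# Headers as in the queued message in the thread. Postfix adds the
# "(Authenticated sender: ...)" comment because smtpd_sasl_authenticated_header = yes.
SAMPLE_HEADERS = (
    "Received: from User (mail.guildschool.org [64.122.205.227])\n"
    " (Authenticated sender: mail@domain.com)\n"
    " by server.domain.com (Postfix) with ESMTPA id 326FEBBE41E;\n"
    'From: "kjojo"<ucyu@plm.com>\n'
)
RECEIVED_RE = re.compile(
    r"Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)\s+"
    r"\(Authenticated sender: (?P<user>[^)]+)\)"
)
FROM_RE = re.compile(r"^From:.*<(?P<addr>[^>]+)>", re.M)

def authenticated_submission(headers, my_networks=("127.",)):
    """Attribute a message to its SASL login; flag it when the login came from
    outside mynetworks (127.0.0.0/8 in the posted main.cf) with a foreign From:."""
    r = RECEIVED_RE.search(headers)
    if not r:
        return None          # not an authenticated (SASL) submission
    f = FROM_RE.search(headers)
    from_addr = f["addr"] if f else ""
    external = not r["ip"].startswith(my_networks)
    suspicious = external and from_addr.lower() != r["user"].lower()
    return {"user": r["user"], "ip": r["ip"], "from": from_addr, "suspicious": suspicious}
```

Run over a full mail.log, the first function gives you the queue IDs per abused sender; the second, run over the headers of one queued file, names the account whose password needs changing.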
 
Old 02-19-2012, 04:42 AM   #2
bzzika
LQ Newbie
 
Registered: Feb 2012
Posts: 5

Original Poster
The problem was that before I removed the mailbox there were a lot of queued mails. After clearing the queue, everything is fine.
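Post #2 fixed it by clearing the backlog. As an added example (not the poster's own procedure), the script below selects only the queued messages whose envelope sender is the abused address, so they can be handed to postsuper -d - while legitimate mail stays queued. The listing is constructed in the layout postqueue -p prints, reusing the thread's sender, queue IDs and recipients; the 0F1E2D3C4B5 record and alice@domain.com are made up.

```python
import sys

# Constructed postqueue -p / mailq output: a header line, one record per
# message separated by blank lines, a "(reason)" line for deferred messages,
# and the "-- N Kbytes" summary trailer.
SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
C996CBBE335*   80163 Fri Feb 17 03:00:25  ucyu@plm.com
                                         info@monarda.com
                                         dusty@lvestates.com

C609DBBE3E1    80163 Fri Feb 17 03:00:25  ucyu@plm.com
(connect to monarda.com[208.87.35.103]:25: Connection refused)
                                         info@monarda.com

0F1E2D3C4B5     2140 Sat Feb 18 07:10:02  alice@domain.com
                                         bob@example.org

-- 160 Kbytes in 3 Requests.
"""

def queue_ids_from_sender(queue_listing, sender):
    """Return queue IDs of every message whose envelope sender matches, with the
    active '*' / hold '!' marks stripped so postsuper -d - accepts them."""
    ids, at_record_start = [], True
    for line in queue_listing.splitlines():
        if not line.strip():
            at_record_start = True       # blank line ends a record
            continue
        if line.startswith("-"):
            continue                     # header line or "-- N Kbytes" trailer
        if at_record_start:
            fields = line.split()        # qid size day mon date time sender
            if fields[-1].lower() == sender.lower():
                ids.append(fields[0].rstrip("*!"))
            at_record_start = False      # recipient / reason lines follow
    return ids

if __name__ == "__main__":
    # usage: postqueue -p | python3 queue_ids.py ucyu@plm.com | postsuper -d -
    print("\n".join(queue_ids_from_sender(sys.stdin.read(), sys.argv[1])))
```

Check the output with postcat -q on a couple of IDs before deleting; the same selection with postsuper -h instead of -d holds the messages for inspection rather than discarding them.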
 
Old 02-19-2012, 05:21 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Thanks for posting your update of the situation.
 
  

