My webserver is running Debian Etch and up until last February, I've always done every single security update available (and applicable) for my server. But Etch is no longer maintained and I haven't upgraded to Lenny yet because I was afraid to do so.
But today I received a strange email (all admin mails from the webserver are redirected to my mailbox on the webserver). Actually, I had received a few weird emails earlier, but more on that later.
Anyway, today I received this mail (I replaced the true domain name for obvious reasons; everything I changed is in grey):
Code:
From - Sun Oct 17 15:35:47 2010
X-Account-Key: account1
X-UIDL: UID56456-1181516889
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:
Return-Path: <www-data@hostname.mydomain.com>
X-Original-To: webmaster@localhost
Delivered-To: webmaster@localhost.mydomain.com
Received: by hostname.mydomain.com (Postfix, from userid 33)
id 78F6F228E2; Sun, 17 Oct 2010 12:53:16 +0200 (CEST)
To: webmaster@localhost.mydomain.com
Subject: does it work
From: webmaster@localhost.domain.com
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx"
Message-Id: <20101017105316.78F6F228E2@hostname.mydomain.com>
Date: Sun, 17 Oct 2010 12:53:16 +0200 (CEST)
This is a multi-part message in MIME format.
--==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx
Content-Type:text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
yes
--==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx
Content-Type: application/octet-stream;
name="example.php"
Content-Transfer-Encoding: base64
PD8KaW5jbHVkZSgibWFpbGVyLmNsYXNzLnBocCIpOwokbWFpbGVyPW5ldyBtYWlsZXIoIndlYm1h
c3RlckBsb2NhbGhvc3QiLCJkb2VzIGl0IHdvcmsiLCJ5ZXMiLCJGcm9tOiB3ZWJtYXN0ZXJAbG9j
YWxob3N0Iik7CiRtYWlsZXItPmZpbGUoImV4YW1wbGUucGhwIik7CiRtYWlsZXItPmF0dGFjaCgi
dGV4dC9wbGFpbiIsInNlZS50eHQiLCJ0YWRhIDIgYXR0YWNobWVudHMiKTsKJHRlc3Q9JG1haWxl
ci0+c2VuZCgpOwplY2hvICR0ZXN0PyJzZW50IjoiZXJyb3IiOwo/Pg==
--==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx
--==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx
Content-Type: text/plain;
name="see.txt"
Content-Transfer-Encoding: base64
dGFkYSAyIGF0dGFjaG1lbnRz
--==Multipart_Boundary_xaf23c604bd337ad9848be828c3ca04ffx
It looks like it's mail sent from my own webserver (I have postfix running on it). It has two attachments, one attachment is "example.php", the other "see.txt". My mail client displays the first as the text "Yes", and the second as "tada 2 attachments".
If I look in my mail log, I find this:
Code:
Oct 17 12:53:16 hostname postfix/cleanup[24036]: 78F6F228E2: message-id=<20101017105316.78F6F228E2@hostname.mydomain.com>
Oct 17 12:53:16 hostname postfix/qmgr[23530]: 78F6F228E2: from=<www-data@hostname.mydomain.com>, size=1469, nrcpt=1 (queue active)
Oct 17 12:53:16 hostname postfix/local[24038]: 78F6F228E2: to=<myname@hostname.mydomain.com>, orig_to=<webmaster@localhost>, relay=local, delay=0.13, delays=0.04/0/0/0.09, dsn=2.0.0, status=sent (delivered to maildir)
Oct 17 12:53:16 hostname postfix/qmgr[23530]: 78F6F228E2: removed
So what's up? My mailserver isn't an open relay but apparently someone has found a way in. What can I do to find out what's going on?
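As an added, runnable triage example (not code from the original post), here are the two checks a responder would run on a mail and log like the ones above: the Received header shows Postfix accepted the message locally from userid 33 (www-data on Debian) rather than over SMTP, and the base64 attachment transfer-decodes to PHP source. The hostnames, the sample mail and the log line are constructed to mirror the post.

```python
import base64
import re
from email import message_from_string

# Constructed sample, modelled on the mail in the post (not the original message).
PHP_BODY = b'<?\ninclude("mailer.class.php");\n$test=$mailer->send();\n?>\n'
RAW_MAIL = (
    "Return-Path: <www-data@hostname.example.com>\n"
    "Received: by hostname.example.com (Postfix, from userid 33)\n"
    "\tid 78F6F228E2; Sun, 17 Oct 2010 12:53:16 +0200 (CEST)\n"
    "To: webmaster@localhost.example.com\n"
    "Subject: does it work\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/html; charset="iso-8859-1"\n\nyes\n'
    '--b1\nContent-Type: application/octet-stream; name="example.php"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(PHP_BODY).decode() + "\n--b1--\n"
)
# Constructed log line in the same shape as the postfix/qmgr entry in the post.
LOG_LINE = ("Oct 17 12:53:16 hostname postfix/qmgr[23530]: 78F6F228E2: "
            "from=<www-data@hostname.example.com>, size=1469, nrcpt=1 (queue active)")

RECEIVED_RE = re.compile(r"\(Postfix, from userid (\d+)\)\s+id ([0-9A-Fa-f]+);")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Fa-f]+): from=<([^>]*)>")

def triage_mail(raw):
    """Return the submitting uid, the queue id, and attachments that look like PHP source."""
    msg = message_from_string(raw)
    m = RECEIVED_RE.search(msg.get("Received", ""))
    uid = int(m.group(1)) if m else None
    queue_id = m.group(2) if m else None
    php_parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""   # transfer-decoded bytes
        name = part.get_filename() or ""
        # Inspect decoded bytes, so base64 wrapping does not hide the source.
        if name.lower().endswith(".php") or b"<?" in data:
            php_parts.append(name)
    # uid 33 is www-data on Debian: the mail was handed to Postfix locally by the
    # web server user, which points at a script on the web server, not an open relay.
    return {"uid": uid, "queue_id": queue_id, "local_web_origin": uid == 33,
            "php_attachments": php_parts}

def queue_ids_from_webserver(log_lines):
    """Queue ids of messages the queue manager accepted from www-data."""
    ids = []
    for line in log_lines:
        m = QMGR_RE.search(line)
        if m and m.group(2).startswith("www-data@"):
            ids.append(m.group(1))
    return ids
```

Running the returned queue ids against the full mail.log shows how many such messages the web server user has submitted and where they went.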