Old 09-01-2014, 02:23 AM   #1
plejboj
LQ Newbie
 
Registered: Aug 2014
Posts: 6

Rep: Reputation: Disabled
Postfix problems on redhat - cbl spamhouse listed every day


Hey.

I have a problem with CBL spamhaus list. They are listing me for:
Quote:
IP Address 91.198.74.9 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
Problem is that I can't see anything bad in maillog. I did what they said on the webpage:
some iptables rules,
Quote:
Match Group psacln
AllowAgentForwarding no
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
I also changed the port and configuration of SSH, but I'm still getting listed. I find that it's always at night (10PM-3AM). Can you help me with this problem?

P.S. I changed the main.cf file of postfix (added a new e-mail alias) and I think the problem can be there.

P.P.S. Sorry for my English, I know it's not the best.

Best Regards,
Wojciech
 
Old 09-01-2014, 07:18 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 10,655

Rep: Reputation: 1182
First of all, I would run rkhunter on it.

Spamhaus are considered by some to be trigger happy. I would up your logging level and look at what goes in and out, inserting another box to simply pass through traffic if necessary.

Postfix can be a problem in the domain. There is a reverse dns lookup done in receiving mail. 91.198.74.9 is eurodental.pl. If your postfix does not announce as eurodental.pl, it may appear as an open relay or hacked, because you are sending mail for name.com through eurodental.pl.
 
Old 09-01-2014, 08:55 AM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Shared server?
 
Old 09-01-2014, 09:03 AM   #4
plejboj
LQ Newbie
 
Registered: Aug 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks for the reply.

I did an rkhunter check. I think everything is fine, and the problem is in the postfix main.cf file but, to be honest, I don't know where. The only change I made in the last 2 years was adding one e-mail alias to the existing (hmm, about 15) aliases. We use this server only for e-mail and apache services; it's shared between some of our domains (only I can manage it). I added the rkhunter log and my main.cf file (name changed to main.txt).

main.txt

rkhunter.log

Thanks for help guys.

Last edited by plejboj; 09-01-2014 at 09:05 AM. Reason: new post
 
Old 09-01-2014, 10:34 AM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
http://www.spamhaus.org/query/ip/91.198.74.9
says your IP is clean.
Do you have more than one IP assigned to the w3.eurodental.pl?
and that is the correct rDNS for the 91.198.74.9 IP?
 
Old 09-02-2014, 02:26 AM   #6
plejboj
LQ Newbie
 
Registered: Aug 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks for reply.

It wasn't listed because I'm delisting it every morning (about 6 AM GMT) - users need to use their mail. I'm getting listed again and again, mostly at night: 20 PM - 03 AM GMT. w3.eurodental.pl is the correct DNS record for 91.198.74.9, and 91.198.74.9 is the only IP address assigned.

Today I had to delist my IP address again, here is a screenshot:

[Attachment: 111.png]

Last edited by plejboj; 09-02-2014 at 04:05 AM. Reason: grammar
 
Old 09-02-2014, 04:30 AM   #7
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 10,655

Rep: Reputation: 1182
Looking at the main.cf, you don't seem to be announcing your domain. You have it tacked onto your hostname, but I don't know if that's ok. A number of things you should have set are commented out.

Are you running sshd?
 
Old 09-02-2014, 05:54 AM   #8
plejboj
LQ Newbie
 
Registered: Aug 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Hey, thanks for the reply.

Ok, I did some changes to my main.cf file. I found this:

Quote:
NEVER list a virtual alias domain name as a mydestination domain!
I also changed mydomain. Yes, I'm running sshd. Since I have the spamhaus problem I changed the ssh port and added these lines to the sshd_config file (as the spamhaus site said):

AllowAgentForwarding no
AllowTCPForwarding no

main.txt
 
Old 09-02-2014, 12:22 PM   #9
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 10,655

Rep: Reputation: 1182
OK, let's wait & see. I would also delist unnecessary users. I had sshd open through a router here once on a box, and I found long lists of standard and windows type username guesses had been made by hackers - John, Bill, admin, Fred, user, root, etc. My ssh user was simple, but not obvious. Boy did I change that!
 
Old 09-03-2014, 02:52 AM   #10
plejboj
LQ Newbie
 
Registered: Aug 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Hey, thanks for the reply.

Quote:
I found long lists of standard and windows type username guesses had been made by hackers - John, Bill, admin, Fred, user, root, etc.
Yes, I know that, I saw this about 2-3 years ago. Truth is that there are many connections like that in the ssh log but not even a single one is accepted. My changes didn't help, I had to delist my IP again today. I'll check the ssh log and maillog again, but I think I won't find anything strange. Here is the spamhaus screenshot:

[Attachment: 222.png]

Edit.

I have 3 iptables rules for ssh:
one accepting ssh connections from local company subnet (x.x.x.x/24)
one accepting ssh connections from VPN subnet
last one rejecting all other ssh connections

Edit2. OK guys, now I know that I'm sending spam. I'll delete unused accounts and force a password change on the others. One of the company members got a strange e-mail. Have you met something like that before?


-----Original Message-----
From: postoffice@w3.eurodental.pl [mailto:postoffice@w3.eurodental.pl]
Sent: Wednesday, September 03, 2014 3:00 AM
To: Marilu
Subject: Returned mail: User unknown

The original message was received at 2014-09-03 11:07:28 +1000 from
postoffice.(null) [10.0.0.1]

----- The following addresses had permanent fatal errors -----
<trace@tjdesigns.net.au>

-----Transcript of session follows ----- ... while talking to
postoffice.(null).:
>>> RCPT To:<trace@tjdesigns.net.au>
<<< 550 5.1.1 unknown or illegal alias: trace@tjdesigns.net.au
550 <trace@tjdesigns.net.au>... User unknown

details.txt

Reporting-MTA: dns; postoffice.(null)
Received-From-MTA: DNS; postoffice.(null)
Arrival-Date: 2014-09-03 11:07:28 +1000

Final-Recipient: RFC822; trace@tjdesigns.net.au
Action: failed
Status: 5.1.1
Remote-MTA: DNS; postoffice.(null)
Diagnostic-Code: SMTP;550 5.1.1 unknown or illegal alias: trace@tjdesigns.net.au
Last-Attempt-Date: 2014-09-03 11:07:28 +1000


Hello, my dear!.eml <------ email sent from my server

Subject:
Hello, my dear!
From:
"Marilu" <m.sicinski@eurodental.pl>
Date:
02-09-2014 20:16
To:
"Leo" <trace@tjdesigns.net.au>

Good day my friend
I am merry, responsible and friendly person with positive like outlook.
I like outdoor activities and long walk along beachside http://bit.yt/587227
I am looking for tender and brave man who likes children and knows how
to enjoy life to the fullest.
I would love to hear from you
Marilu

Last edited by plejboj; 09-03-2014 at 06:30 AM. Reason: in post
 
Old 09-03-2014, 08:22 AM   #11
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 10,655

Rep: Reputation: 1182
You have an exact time there on the spamhaus page. Check every log about then, as somebody/something is obviously doing automatic reporting.
And before you go home, close off sshd. Will you be fired if it's off for one night? In short-medium term, I would look at sandboxing or virtualboxing the hacker target programs.
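One way to do the log check business_kid describes, as an added example that is not part of the thread: a shell filter that keeps only the maillog lines inside the listing window, plus a count of which local uid handed mail to Postfix in that window (postfix/pickup logs the uid of whoever called sendmail). The sample log lines are constructed; the mapping of uid 48 to the apache account is Red Hat's default and an assumption about this server.

```shell
#!/bin/sh
# Added example, not from the thread: narrow /var/log/maillog (or
# /var/log/secure) to the window Spamhaus reported and see which local
# account handed mail to Postfix in that window. Assumes the classic
# "Mon DD HH:MM:SS host ..." syslog line format of Red Hat's maillog.

# Constructed sample lines standing in for /var/log/maillog (not real logs).
SAMPLE_MAILLOG='Sep  3 01:15:02 w3 postfix/smtpd[1201]: connect from unknown[10.0.0.1]
Sep  3 02:03:17 w3 postfix/pickup[1180]: 7A1B2C3D4E: uid=48 from=<user@example.invalid>
Sep  3 02:03:17 w3 postfix/qmgr[1181]: 7A1B2C3D4E: from=<user@example.invalid>, size=812, nrcpt=1 (queue active)
Sep  3 02:03:18 w3 postfix/smtp[1210]: 7A1B2C3D4E: to=<leo@example.invalid>, relay=mx.example.invalid[192.0.2.10]:25, delay=0.9, status=sent (250 OK)
Sep  3 02:41:55 w3 postfix/pickup[1180]: 9F8E7D6C5B: uid=48 from=<user@example.invalid>
Sep  3 03:30:00 w3 postfix/anvil[1230]: statistics: max connection rate 1/60s for (smtp:10.0.0.1)'

# log_window MON DAY START END -- print the lines of the log read on stdin
# whose timestamp is on MON DAY and whose HH:MM:SS lies in [START, END].
# Syslog times are zero-padded and fixed width, so string comparison is exact.
log_window() {
    awk -v mon="$1" -v dom="$2" -v start="$3" -v end="$4" \
        '$1 == mon && $2 == dom && $3 >= start && $3 <= end'
}

# submitters MON DAY START END -- count, per submitting uid, the messages
# that postfix/pickup accepted from local processes in that window. Postfix
# logs the uid of whoever ran sendmail(1); on Red Hat uid 48 is apache
# (assumed here), so a high count there points at a web script rather than
# at a mail user's account.
submitters() {
    log_window "$@" |
    awk '/postfix\/pickup/ { for (i = 1; i <= NF; i++) if ($i ~ /^uid=/) n[$i]++ }
         END { for (u in n) print u, n[u] }' | sort
}

# Demo on the constructed sample. On the server, feed the real log instead:
#   log_window Sep 3 01:30:00 02:30:00 < /var/log/maillog
#   submitters Sep 3 01:30:00 02:30:00 < /var/log/maillog
printf '%s\n' "$SAMPLE_MAILLOG" | submitters Sep 3 01:30:00 03:00:00
```

Run the same window over /var/log/secure to see whether any SSH login coincides with the submissions; a pickup uid that belongs to a mail user rather than to apache would point at a compromised password instead of a web script.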
 
Old 09-05-2014, 07:11 AM   #12
plejboj
LQ Newbie
 
Registered: Aug 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Hey, thanks for the reply.

I checked maillog and the secure log, but it looks ok to me (I checked the spamhaus time and that spam-mail time). The problem is that the server isn't at our company premises (but only we can access it) and I'm connecting to it remotely by SSH. If I turn it off, I could have problems connecting to the server the next day. I ran this command:

find / -type f -name ".php" | xargs grep -l 'mail' | xargs grep -in 'mail' > ~/mail.scripts.log

but the file was empty. Spamhaus said that we got listed at 2:00AM our time (+-30 minutes). I'm adding the secure log and maillog from 1:00AM to 3:00AM, and I'll try to stop SSH today. I think it's a spambot (because I can't find anything bad in the logs), but I have no idea how to find it. Cron checked.

maillog.txt

securelog1.txt

securelog2.txt
 
Old 09-05-2014, 08:32 AM   #13
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
try this from the root of the virtualhosts directory, be it /var/www/html/ or someplace else:
Code:
find "$(pwd)" -type f -iname "*.php" -exec grep -iH mail {} \; > ~/mail.scripts.log
then examine ~/mail.scripts.log and report back. These will be the names of the .php files that have the word "mail" in them. Some will be of no value (legitimate), and the rest will be (or should be) suspect.

Look in /tmp also, you can also try running it in /tmp, but use it with append to ~/mail.scripts.log with
Code:
find "$(pwd)" -type f -iname "*.php" -exec grep -iH mail {} \; >> ~/mail.scripts.log
Run it in /home/ (with append).

If it's empty, say so; if it is not, post the file as an attachment; if the file is too big to post (I don't recall the limit), use pastebin or something similar.

If this has been posted elsewhere in the topic, I do apologize, but the use of
Code:
xargs grep -l 'mail' | xargs grep -in 'mail'
just seemed 'off'

Blocking robots is a topic for another post.
Robots aren't mailing stuff from your server.

Thank you.

Edit: It should also be said that .cgi scripts have been notorious for mailing from webserving hosts
Search engine "darkmailer" if you're curious.
Also check the apache logs for the time frame involved.

Last edited by Habitual; 09-05-2014 at 08:46 AM.
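A fuller version of the scan Habitual outlines, added here as an example and not Habitual's or the original poster's code: it lists the .php files under a web root that call a mail function and flags the ones that also use eval/base64 decoding chains, which a legitimate contact form rarely needs. The sample tree it builds is constructed for the demo; /var/www/html, /tmp and /home are the directories suggested above.

```shell
#!/bin/sh
# Added example, not from the thread: walk a web root and list the .php files
# that can send mail, flagging the ones that also use the obfuscation tricks
# typical of dropped mailer scripts. make_sample_tree builds a constructed
# directory for the demo; nothing here touches the real web root.

# scan_php_mail DIR -- print "path mail_lines obfuscated" for every *.php
# (any case) under DIR that calls mail(), mb_send_mail() or imap_mail().
scan_php_mail() {
    find "$1" -type f -iname '*.php' | while IFS= read -r f; do
        # lines calling a mail function; the leading character class keeps
        # unrelated names such as "sendmail(" from matching
        calls=$(grep -Eci '(^|[^a-zA-Z0-9_])(mail|mb_send_mail|imap_mail)[[:space:]]*\(' "$f" || :)
        [ "$calls" -gt 0 ] || continue
        # decode-and-eval chains are how mailer scripts hide their payload
        obf=$(grep -Eci 'base64_decode|gzinflate|str_rot13|eval[[:space:]]*\(' "$f" || :)
        if [ "$obf" -gt 0 ]; then flag=yes; else flag=no; fi
        printf '%s %s %s\n' "$f" "$calls" "$flag"
    done | sort
}

# make_sample_tree -- build a throwaway web root with one legitimate contact
# form, one harmless page and one obfuscated mailer dropped into uploads/.
# Prints the directory path. All three files are constructed fixtures.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/uploads"
    printf '%s\n' '<?php' '// site contact form' 'mail($to, $subject, $body, $headers);' > "$d/contact.php"
    printf '%s\n' '<?php echo "hello";' > "$d/index.php"
    # stand-in for a dropped mailer: decode-and-eval, then mail() on POST data
    printf '%s\n' '<?php eval(base64_decode("ZmFrZQ=="));' '@mail($_POST["t"], $_POST["s"], $_POST["b"]);' > "$d/uploads/img.PHP"
    printf '%s\n' "$d"
}

# Demo on the constructed tree. On the server run it against the real
# locations suggested in the thread, e.g.
#   scan_php_mail /var/www/html; scan_php_mail /tmp; scan_php_mail /home
demo=$(make_sample_tree)
scan_php_mail "$demo"
rm -rf "$demo"
```

Lines flagged yes deserve a look first, but the no rows are not cleared: a plain contact form that passes unvalidated POST fields into the headers argument is the classic way a legitimate script gets turned into an open mailer, so check each hit's input handling, not just its name.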
 
Old 09-05-2014, 09:28 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Quote:
Originally Posted by plejboj View Post
I did command:
Code:
find / -type f -name ".php" | xargs grep -l 'mail' | xargs grep -in 'mail' > ~/mail.scripts.log
but file was empty.
That command shows you are aware that there may be a problem in your web stack. The first thing would be to block outbound TCP/25 until you fix this. (That's not "nice" to authorized mail users but de-listing every day without solving the problem is worse.) Next check what your web server offers and if any software (CMS, forum, shopping cart, photo gallery, themes, plugins, etc, etc) runs the current version. Fix (or have your client(s) fix) those problems (if any) and you have a less untrustworthy base to work on. FWIW, the only relatively up to date application I'm aware of you should use for finding such PHP-based malware is LMD, short for Linux Malware Detect, which basically is an (inotify-based) "wrapper" for a couple of ClamAV databases holding hashes and signatures.

Note trying to "fix" things by deleting foreign objects may be tempting but that's addressing symptoms, not combating the cause.
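The outbound TCP/25 block unSpawn recommends, written out as an added example (not unSpawn's or the project's code) and narrowed with iptables' owner match so that only the postfix user may open SMTP connections: any other process on the box that tries to talk to a remote mail exchanger directly is logged and rejected, while Postfix keeps delivering. The function only prints the commands so they can be reviewed before being applied as root; the user name postfix is the default account the Postfix smtp client runs as and is an assumption about this server.

```shell
#!/bin/sh
# Added example, not from the thread: outbound SMTP allowed only for the
# mail system's own user. Emits iptables commands for review; to apply,
# run as root:   outbound_smtp_rules | sh
# Caveat: mail injected through sendmail(1), as PHP mail() does, still
# leaves via Postfix and is NOT stopped by these rules; they catch bots and
# scripts that open port 25 themselves, and they log every such attempt.

# outbound_smtp_rules [USER] -- print the rules; USER defaults to postfix,
# the unprivileged account Postfix's smtp client runs as (assumed).
outbound_smtp_rules() {
    mailuser="${1:-postfix}"
    # 1. let the mail system's own new connections through
    printf 'iptables -A OUTPUT -p tcp --syn --dport 25 -m owner --uid-owner %s -j ACCEPT\n' "$mailuser"
    # 2. log everything else, rate-limited so a mailer loop cannot flood syslog
    printf 'iptables -A OUTPUT -p tcp --syn --dport 25 -m limit --limit 10/min -j LOG --log-prefix "SMTP-OUT-DENIED: "\n'
    # 3. reject with a TCP reset so the caller fails fast instead of hanging
    printf 'iptables -A OUTPUT -p tcp --syn --dport 25 -j REJECT --reject-with tcp-reset\n'
}

# rule_count [USER] -- number of rules emitted, for checking generated output
rule_count() { outbound_smtp_rules "$@" | wc -l | tr -d ' '; }

outbound_smtp_rules
```

After applying, the SMTP-OUT-DENIED lines in the kernel log give the timestamp and, with the owner match in place, the uid of whatever tried to connect; that is the same evidence the listing time alone could not provide. Keep the rules on the day after delisting: if the listing recurs anyway, the spam is going through Postfix itself and the pickup uid in maillog is the next place to look.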
 
  


All times are GMT -5. The time now is 05:03 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration