09-01-2014, 01:23 AM | #1 | LQ Newbie | Registered: Aug 2014 | Posts: 6
Postfix problems on Red Hat - CBL Spamhaus listed every day
Hey.
I have a problem with the CBL Spamhaus list. They are listing me for:
Quote:
IP Address 91.198.74.9 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
The problem is that I can't see anything bad in maillog. I did what they said on the webpage:
some iptables rules,
Quote:
Match Group psacln
AllowAgentForwarding no
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
I also changed the port and configuration of SSH, but I'm still getting listed. I find that it's always at night (10PM-3AM). Can you help me with this problem?
P.S. I changed the main.cf file of postfix (added a new e-mail alias) and I think the problem can be there.
P.P.S. Sorry for my English, I know it's not the best.
Best Regards,
Wojciech
09-01-2014, 06:18 AM | #2 | LQ Guru | Registered: Jan 2006 | Location: Ireland | Distribution: Slackware, Slarm64 & Android | Posts: 17,542
First of all, I would run rkhunter on it.
Spamhaus are considered by some to be trigger happy. I would up your logging level and look at what goes in and out, inserting another box to simply pass through traffic if necessary.
Postfix can be a problem in the domain. There is a reverse DNS lookup done in receiving mail. 91.198.74.9 is eurodental.pl. If your postfix does not announce as eurodental.pl, it may appear as an open relay or hacked, because you are sending mail for name.com through eurodental.pl.
1 members found this post helpful.
09-01-2014, 07:55 AM | #3 | LQ Veteran | Registered: Jan 2011 | Location: Abingdon, VA | Distribution: Catalina | Posts: 9,374
Shared server?
09-01-2014, 08:03 AM | #4 | LQ Newbie | Registered: Aug 2014 | Posts: 6 | Original Poster
Thanks for the reply.
I did an rkhunter check. I think everything is fine and the problem is in the postfix main.cf file, but to be honest I don't know where. The only change I made in the last 2 years was adding one e-mail alias to the existing (hmm, about 15) aliases. We use this server only for e-mail and apache services; it's shared between some of our domains (only I can manage it). I attached the rkhunter log and my main.cf file (name changed to main.txt).
main.txt
rkhunter.log
Thanks for the help, guys.
Last edited by plejboj; 09-01-2014 at 08:05 AM.
Reason: new post
09-01-2014, 09:34 AM | #5 | LQ Veteran | Registered: Jan 2011 | Location: Abingdon, VA | Distribution: Catalina | Posts: 9,374
http://www.spamhaus.org/query/ip/91.198.74.9
says your IP is clean.
Do you have more than one IP assigned to w3.eurodental.pl?
And is that the correct rDNS for the 91.198.74.9 IP?
1 members found this post helpful.
09-02-2014, 01:26 AM | #6 | LQ Newbie | Registered: Aug 2014 | Posts: 6 | Original Poster
Thanks for the reply.
It wasn't listed because I'm delisting it every morning (about 6 AM GMT) - users need to use their mail. I'm getting listed again and again, mostly at night: 8 PM - 3 AM GMT. w3.eurodental.pl is the correct DNS record for 91.198.74.9, and 91.198.74.9 is the only IP address assigned.
Today I had to delist my IP address again; here is a screen:
[screenshot not available]
Last edited by plejboj; 09-02-2014 at 03:05 AM.
Reason: grammar
09-02-2014, 03:30 AM | #7 | LQ Guru | Registered: Jan 2006 | Location: Ireland | Distribution: Slackware, Slarm64 & Android | Posts: 17,542
Looking at the main.cf, you don't seem to be announcing your domain. You have it tacked onto your hostname, but I don't know if that's ok. A number of things you should have set are commented out.
Are you running sshd?
09-02-2014, 04:54 AM | #8 | LQ Newbie | Registered: Aug 2014 | Posts: 6 | Original Poster
Hey, thanks for the reply.
OK, I made some changes to my main.cf file. I found this:
Quote:
NEVER list a virtual alias domain name as a mydestination domain!
I also changed mydomain. Yes, I'm running sshd. Since I have had the Spamhaus problem I changed the ssh port and added these lines to the sshd_config file (as the Spamhaus site said):
AllowAgentForwarding no
AllowTCPForwarding no
main.txt
09-02-2014, 11:22 AM | #9 | LQ Guru | Registered: Jan 2006 | Location: Ireland | Distribution: Slackware, Slarm64 & Android | Posts: 17,542
OK, let's wait & see. I would also delist unnecessary users. I had sshd open through a router here once on a box, and I found long lists of standard and Windows-type username guesses had been made by hackers - John, Bill, admin, Fred, user, root, etc. My ssh user was simple, but not obvious. Boy did I change that!
09-03-2014, 01:52 AM | #10 | LQ Newbie | Registered: Aug 2014 | Posts: 6 | Original Poster
Hey, thanks for the reply.
Quote:
I found long lists of standard and windows type username guesses had been made by hackers - John, Bill, admin, Fred, user, root, etc.
Yes, I know that; I saw this about 2-3 years ago. The truth is that there are many connections like that in the ssh log, but not a single one is accepted. My changes didn't help; I had to delist my IP again today. I'll check the ssh log and maillog again, but I think I won't find anything strange. Here is the spamhaus screen:
[screenshot not available]
Edit.
I have 3 iptables rules for ssh:
one accepting ssh connections from the local company subnet (x.x.x.x/24)
one accepting ssh connections from the VPN subnet
the last one rejecting all other ssh connections
Edit2. OK guys, now I know that I'm sending spam. I'll delete unused accounts and force a password change on the others. One of the company members got a strange e-mail. Have you met something like that before?
-----Original Message-----
From: postoffice@w3.eurodental.pl [mailto:postoffice@w3.eurodental.pl]
Sent: Wednesday, September 03, 2014 3:00 AM
To: Marilu
Subject: Returned mail: User unknown
The original message was received at 2014-09-03 11:07:28 +1000 from
postoffice.(null) [10.0.0.1]
----- The following addresses had permanent fatal errors -----
<trace@tjdesigns.net.au>
-----Transcript of session follows ----- ... while talking to
postoffice.(null).:
>>> RCPT To:<trace@tjdesigns.net.au>
<<< 550 5.1.1 unknown or illegal alias: trace@tjdesigns.net.au
550 <trace@tjdesigns.net.au>... User unknown
details.txt
Reporting-MTA: dns; postoffice.(null)
Received-From-MTA: DNS; postoffice.(null)
Arrival-Date: 2014-09-03 11:07:28 +1000
Final-Recipient: RFC822; trace@tjdesigns.net.au
Action: failed
Status: 5.1.1
Remote-MTA: DNS; postoffice.(null)
Diagnostic-Code: SMTP;550 5.1.1 unknown or illegal alias: trace@tjdesigns.net.au
Last-Attempt-Date: 2014-09-03 11:07:28 +1000
Hello, my dear!.eml <------ e-mail sent from my server
Subject:
Hello, my dear!
From:
"Marilu" <m.sicinski@eurodental.pl>
Date:
02-09-2014 20:16
To:
"Leo" <trace@tjdesigns.net.au>
Good day my friend
I am merry, responsible and friendly person with positive like outlook.
I like outdoor activities and long walk along beachside http://bit.yt/587227
I am looking for tender and brave man who likes children and knows how
to enjoy life to the fullest.
I would love to hear from you
Marilu
Last edited by plejboj; 09-03-2014 at 05:30 AM.
Reason: in post
09-03-2014, 07:22 AM | #11 | LQ Guru | Registered: Jan 2006 | Location: Ireland | Distribution: Slackware, Slarm64 & Android | Posts: 17,542
You have an exact time there on the spamhaus page. Check every log about then, as somebody/something is obviously doing automatic reporting.
And before you go home, close off sshd. Will you be fired if it's off for one night? In short-medium term, I would look at sandboxing or virtualboxing the hacker target programs.
09-05-2014, 06:11 AM | #12 | LQ Newbie | Registered: Aug 2014 | Posts: 6 | Original Poster
Hey, thanks for the reply.
I checked the maillog and secure log, but it looks ok to me (I checked the Spamhaus time and that spam-mail's time). The problem is that the server isn't at our company's premises (but only we can access it) and I'm connecting to it remotely by SSH. If I turn it off, I could have problems connecting to the server the next day. I ran this command:
Code:
find / -type f -name "*.php" | xargs grep -l 'mail' | xargs grep -in 'mail' > ~/mail.scripts.log
but the file was empty. Spamhaus said that we got listed at 2:00 AM our time (+-30 minutes). I'm adding the secure log and maillog from 1:00 AM to 3:00 AM, and I'll try to stop SSH today. I think it's a spambot (because I can't find anything bad in the logs), but I have no idea how to find it. Cron checked.
maillog.txt
securelog1.txt
securelog2.txt
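One way to triage a maillog for the listing window, as an added example that is not part of the thread: Postfix's pickup daemon logs the local uid and sender of every message injected through sendmail(1), so counting pickup lines per uid inside the window shows whether the web server account (uid 48, apache, on Red Hat) or an interactive user is the source. The log lines below are constructed, not the poster's attachments.

```shell
#!/bin/sh
# Added example, not from the thread: count locally submitted messages per uid
# inside a time window, using the postfix/pickup lines that record who called
# sendmail(1). Sample log lines are constructed for this demonstration.
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Sep  5 01:40:02 mail postfix/pickup[2211]: 1A2B3C4D5E: uid=0 from=<root>
Sep  5 01:58:17 mail postfix/pickup[2211]: 2B3C4D5E6F: uid=48 from=<apache>
Sep  5 02:01:44 mail postfix/pickup[2211]: 3C4D5E6F70: uid=48 from=<apache>
Sep  5 02:01:45 mail postfix/qmgr[2210]: 3C4D5E6F70: from=<marilu@example.net>, size=812, nrcpt=1 (queue active)
Sep  5 02:03:09 mail postfix/pickup[2211]: 4D5E6F7081: uid=48 from=<apache>
Sep  5 02:45:30 mail postfix/smtpd[2300]: 5E6F708192: client=desk.example.net[10.0.0.12], sasl_method=PLAIN, sasl_username=jan
Sep  5 03:20:00 mail postfix/pickup[2211]: 6F70819203: uid=500 from=<wojciech>
EOF

# pickups_by_uid LOGFILE HH:MM HH:MM
# Prints "count uid sender" for pickup lines with a timestamp in [START,END),
# busiest uid first. Authenticated SMTP submissions (smtpd lines) are not
# counted here; they carry sasl_username instead of uid.
pickups_by_uid() {
    awk -v start="$2" -v end="$3" '
        $5 ~ /postfix\/pickup/ {
            hhmm = substr($3, 1, 5)
            if (hhmm >= start && hhmm < end) {
                uid = $7;  sub(/^uid=/, "", uid)
                from = $8; sub(/^from=/, "", from)
                n[uid " " from]++
            }
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# top_local_sender LOGFILE HH:MM HH:MM -> the uid that injected the most mail
top_local_sender() {
    pickups_by_uid "$1" "$2" "$3" | head -n 1 | awk '{print $2}'
}

# Spamhaus reported 02:00 +-30 minutes, so look at 01:30-02:30.
pickups_by_uid "$SAMPLE_LOG" 01:30 02:30
```

A uid of 48 with from=<apache> dominating the window points at a script under the web server, not at a compromised shell account.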
09-05-2014, 07:32 AM | #13 | LQ Veteran | Registered: Jan 2011 | Location: Abingdon, VA | Distribution: Catalina | Posts: 9,374
Try this from the root of the virtualhosts directory, be it /var/www/html/ or someplace else:
Code:
find "$PWD" -type f -iname "*.php" -exec grep -il mail {} + > ~/mail.scripts.log
then examine ~/mail.scripts.log and report back. These will be the names of the .php files that have the word "mail" in them. Some will be of no value (legitimate), and the rest will be (or should be) suspect.
Look in /tmp also; you can also try running it in /tmp, but use it with append to ~/mail.scripts.log with
Code:
find "$PWD" -type f -iname "*.php" -exec grep -il mail {} + >> ~/mail.scripts.log
Run it in /home/ (with append).
If it's empty, say so; if it's not, post the file as an attachment; if the file is too big to post (I don't recall the limit), use pastebin or something similar.
If this has been posted elsewhere in the topic, I do apologize, but the use of
Code:
xargs grep -l 'mail' | xargs grep -in 'mail'
just seemed 'off'.
Blocking robots is a topic for another post.
Robots aren't mailing stuff from your server.
Thank you.
Edit: It should also be said that .cgi scripts have been notorious for mailing from web-serving hosts.
Search for "darkmailer" in a search engine if you're curious.
Also check the apache logs for the time frame involved.
Last edited by Habitual; 09-05-2014 at 07:46 AM.
09-05-2014, 08:28 AM | #14 | Moderator | Registered: May 2001 | Posts: 29,415
Quote:
Originally Posted by plejboj
I did command:
Code:
find / -type f -name "*.php" | xargs grep -l 'mail' | xargs grep -in 'mail' > ~/mail.scripts.log
but file was empty.
That command shows you are aware that there may be a problem in your web stack. The first thing would be to block outbound TCP/25 until you fix this. (That's not "nice" to authorized mail users but de-listing every day without solving the problem is worse.) Next check what your web server offers and if any software (CMS, forum, shopping cart, photo gallery, themes, plugins, etc, etc) runs the current version. Fix (or have your client(s) fix) those problems (if any) and you have a less untrustworthy base to work on. FWIW, the only relatively up to date application I'm aware of you should use for finding such PHP-based malware is LMD, short for Linux Malware Detect, which basically is a (inotify-based) "wrapper" for a couple of ClamAV databases holding hashes and signatures.
Note trying to "fix" things by deleting foreign objects may be tempting but that's addressing symptoms, not combating the cause.