On Tue, 16 Jun 2015 19:26:48 -0700, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

On Tue, Jun 16, 2015 at 07:21:39PM -0700, Jithesh AP wrote:

>This was created locally via the "sendmail" command.  What user
>account has "uid" 5005?  If this is www-data or similar, you likely
>have an insecure PHP script that is being exploited to send spam.
>
>Just look for any other log-entries with the same message-id:
>
>    kflvqedfdosxjjhkebewy...@sfilc.com
>
>but also do quickly run "getent passwd 5005" and report the results.

spamfilter:x:5005:5005::/usr/local/spamassassin:/bin/false

So you're injecting mail for filtering via this filter, now we need
to know where those are coming from.  Which is why the message-id search
is critical.

Also post your master.cf file.


Grepping for the message-id in the maillog just gives this; should I search in some other location?
grep kflvqedfdosxjjhkebewy...@sfilc.com /var/maillog-2015 | head
Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627: message-id=<kflvqedfdosxjjhkebewy...@sfilc.com>
Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A: message-id=<kflvqedfdosxjjhkebewy...@sfilc.com>



---------Master.cf---------
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes


spamassassin unix -     n       n       -       -       pipe
  user=spamfilter argv=/usr/bin/spamc -f -e /usr/sbin/sendmail.postfix -oi -f ${sender} ${recipient}
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=virmail:virmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

------------------------------------------

--
Using Opera's mail client: http://www.opera.com/mail/
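The message-id search Viktor asks for is really a two-step correlation: the `postfix/cleanup` lines map the Message-ID to one or more queue IDs, and every other line tagged with those queue IDs says where each copy entered (`smtpd ... client=` for SMTP, `pickup ... uid=` for local `sendmail` submission) and where it was relayed. With a `content_filter` like the one in this master.cf, a filtered message always shows up twice: the original queue ID relays to `spamassassin`, and `spamc -e sendmail.postfix` re-injects it as a second queue ID under the filter's uid, which is why uid 5005 appears in the log. The following script is an added example, not code from the thread or from Postfix; the log lines in it are constructed to mimic the format shown above (the Message-ID, client address and relay host are invented placeholders).

```python
"""Trace every Postfix queue ID that carried a given Message-ID.

Added example; not part of the original thread.  It implements the
message-id search described there: cleanup lines give the queue IDs,
and all other lines tagged with those queue IDs tell you where each
copy entered (smtpd client=, pickup uid=) and where it went (relay=).
"""
import re
from collections import defaultdict

# Constructed sample log (not copied from the thread).  It mimics the
# syslog format shown there: a message arrives over SMTP as 6CB5841627,
# is piped to the spamassassin service, and spamc re-injects it through
# sendmail as 0C9B14166A under uid 5005 (the spamfilter account).  The
# last line is an unrelated queue entry that must not be picked up.
SAMPLE_LOG = """\
Jun 16 13:21:48 ml postfix/smtpd[22900]: 6CB5841627: client=unknown[203.0.113.5]
Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627: message-id=<example-0001@example.invalid>
Jun 16 13:21:48 ml postfix/qmgr[1200]: 6CB5841627: from=<sender@example.invalid>, size=1830, nrcpt=1 (queue active)
Jun 16 13:21:49 ml postfix/pipe[22910]: 6CB5841627: to=<user@example.org>, relay=spamassassin, delay=0.6, delays=0.1/0/0/0.5, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jun 16 13:21:49 ml postfix/pickup[1201]: 0C9B14166A: uid=5005 from=<sender@example.invalid>
Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A: message-id=<example-0001@example.invalid>
Jun 16 13:21:49 ml postfix/qmgr[1200]: 0C9B14166A: from=<sender@example.invalid>, size=2011, nrcpt=1 (queue active)
Jun 16 13:21:50 ml postfix/smtp[22920]: 0C9B14166A: to=<user@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=1.1, delays=0.2/0/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
Jun 16 13:21:50 ml postfix/qmgr[1200]: 0C9B14166A: removed
Jun 16 13:21:51 ml postfix/smtpd[22900]: 7A1B2C3D4E: client=mail.example.com[198.51.100.7]
"""

# Matches the queue-tagged lines only (NOQUEUE and daemon chatter are skipped).
# The program name may contain a slash, e.g. postfix/submission/smtpd when
# syslog_name is set as in the master.cf above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)


def parse_line(line):
    """Return the fields of one queue-tagged Postfix log line, or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def queue_ids_for(lines, message_id):
    """Queue IDs whose cleanup line carries the given Message-ID."""
    needle = "message-id=<%s>" % message_id
    return {
        rec["qid"]
        for rec in map(parse_line, lines)
        if rec and rec["prog"].endswith("cleanup") and rec["rest"] == needle
    }


def records_by_queue_id(lines, qids):
    """Group every line for the wanted queue IDs, preserving log order."""
    grouped = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec and rec["qid"] in qids:
            grouped[rec["qid"]].append(rec)
    return grouped


def entry_point(records):
    """How this queue entry was created: an SMTP client or a local pickup."""
    for rec in records:
        if rec["prog"].endswith("smtpd") and rec["rest"].startswith("client="):
            return "smtpd " + rec["rest"]
        if rec["prog"].endswith("pickup"):
            # pickup logs "uid=NNN from=<...>"; keep only the uid part
            return "pickup " + rec["rest"].split(" from=")[0]
    return "unknown"


def trace_message_id(lines, message_id):
    """Summarise every copy of the message: where it came in, where it went."""
    grouped = records_by_queue_id(lines, queue_ids_for(lines, message_id))
    summary = {}
    for qid, recs in grouped.items():
        relays = [
            re.search(r"relay=([^,]+)", r["rest"]).group(1)
            for r in recs
            if "relay=" in r["rest"]
        ]
        summary[qid] = {"entry": entry_point(recs), "relays": relays}
    return summary


if __name__ == "__main__":
    result = trace_message_id(SAMPLE_LOG.splitlines(), "example-0001@example.invalid")
    for qid, info in result.items():
        print(qid, "entered via", info["entry"], "-> relay", ", ".join(info["relays"]))
```

Run against the real file instead of the sample (`trace_message_id(open("/var/maillog-2015").readlines(), "<the message-id>")`), the copy reported as `pickup uid=5005` is the filter's re-injection and tells you nothing about the origin; the copy whose relay is `spamassassin` is the one whose entry line (an `smtpd client=` with an address, or a `pickup uid=` with some other uid) shows where the spam actually came in.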
