I'm guessing then that they all came from a single submission?
What are the rest of the messages in the smtp log right after that one?
# qmlog -lc anonym...@metalservice smtp
will take you right to it in the smtp log.

Also, they came from 127.0.0.2. That looks suspicious. Perhaps your apache server has been cracked.

I would get rid of the 127.: line in /etc/tcprules.d/tcp.smtp, then
# qmailctl cdb

Then, in order for squirrelmail to be able to submit, change SM configuration to use authentication by adding this to your /etc/squirrelmail/config_local.php file:
$smtpServerAddress  = 'localhost';
$smtpPort           = 587;
$smtp_auth_mech     = 'login';

then restart apache:
# service httpd restart

--
-Eric 'shubes'


Rafael Andrade wrote:
[r...@net ~]# qmlog -nl -g anonym...@metalservice smtp | grep "CHKUSER accepted sender"
06-22 14:57:16 CHKUSER accepted sender: from <anonym...@metalservice.ind.br::> remote <mail.metalservice.ind.br:unknown:127.0.0.2> rcpt <> : sender accepted

It only shows one entry. :(


Eric Shubert wrote:
Rafael Andrade wrote:
[r...@net metalservice.ind.br]# qmailctl queue | wc -l
86325 :(

[r...@net metalservice.ind.br]# qmailctl queue | head -n 50
messages in queue: 40591
messages in queue but not yet preprocessed: 15
22 Jun 2010 15:46:19 GMT #2467164 1456 <anonym...@metalservice.ind.br>
       remote  mat...@mikrus.com.br
22 Jun 2010 15:09:18 GMT #3087267 1459 <anonym...@metalservice.ind.br>
       remote  robertajard...@yahoo.com.br
22 Jun 2010 15:37:38 GMT #2461644 1463 <anonym...@metalservice.ind.br>
       remote  mate...@cetesbnet.sp.gov.br
22 Jun 2010 15:45:28 GMT #2447016 1457 <anonym...@metalservice.ind.br>
       remote  mati...@joinet.com.br
22 Jun 2010 15:49:08 GMT #3069258 1461 <anonym...@metalservice.ind.br>
       remote  mattaro...@psibo.unibo.it
22 Jun 2010 15:38:28 GMT  #2462288  2835  <#...@[]>
       remote  postmas...@net
22 Jun 2010 15:44:16 GMT #2465807 1455 <anonym...@metalservice.ind.br>
       remote  mati...@is-koeln.de
22 Jun 2010 15:28:35 GMT #2455112 1451 <anonym...@metalservice.ind.br>
       remote  rodolfo...@uol.com.br
22 Jun 2010 15:46:45 GMT #2467555 1454 <anonym...@metalservice.ind.br>
       remote  matildene...@msn.com
22 Jun 2010 15:02:44 GMT #3069603 1454 <anonym...@metalservice.ind.br>
       remote  roberto.come...@bol.com.br
22 Jun 2010 15:42:13 GMT #2464565 1460 <anonym...@metalservice.ind.br>
       remote  matoso.sona...@gmail.com
22 Jun 2010 15:34:11 GMT  #2443198  2872  <#...@[]>
       remote  postmas...@net
22 Jun 2010 15:50:15 GMT #2470591 1459 <anonym...@metalservice.ind.br>
       remote  mat...@sum.desktop.com.br
22 Jun 2010 15:53:22 GMT #2450535 1465 <anonym...@metalservice.ind.br>
       local   metalservice.ind.br-audito...@metalservice.ind.br
       remote  matilhaproduc...@terra.com.br
22 Jun 2010 15:56:32 GMT #2506264 1452 <anonym...@metalservice.ind.br>
       local   metalservice.ind.br-audito...@metalservice.ind.br
       remote  matr...@uol.com.br
22 Jun 2010 15:53:25 GMT #2448971 1457 <anonym...@metalservice.ind.br>
       local   metalservice.ind.br-audito...@metalservice.ind.br
       remote  matle...@terra.com.br
22 Jun 2010 15:43:26 GMT #2465278 1458 <anonym...@metalservice.ind.br>
       remote  mat...@infraero.gov.br
22 Jun 2010 15:38:51 GMT #2462702 1459 <anonym...@metalservice.ind.br>
       remote  mat...@dequi.eel.usp.br

How can I delete all msgs to anonym...@metalservice.ind.br using qmail-remove (syntax?)

Thanks so much again



I think that
# qmHandle -tf "anonym...@metalservice.ind.br"
will clean them out. I think you should do
# qmailctl stop
first, then start qmail back up when qmHandle completes.

Then you need to find out which account is being used to authenticate.

# qmlog -nl -g anonym...@metalservice smtp \
> | grep "CHKUSER accepted sender" | head -n10

This will show you the first 10 occurrences of messages that were submitted with that user id. You should see something like:
06-07 02:58:23 CHKUSER accepted sender: from <anonym...@metalservice.ind.br:??...@???????:> ...

The ??...@??????? part is the account name that was used to authenticate. Change that password, and you should no longer get more spam messages from this spammer.

Then re-do the qmHandle command again to clean out any messages that came in since the first time you ran it.

I'm presuming here that you have only one account/pw that's been compromised. You might want to do something like
# qmlog -nl -g anonym...@metalservice smtp \
> | grep "CHKUSER accepted sender" | grep -v "??...@???????"
That will spit out any other account names that might have been used. If there was only one compromised account, this command will return nothing.


--------------------------------------------------------------------------------- Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
     If you need professional help with your setup, contact them today!
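
The account check described in the thread can be done in one pass instead of repeated grep runs. The following is an added example, not code from the thread or from the Qmailtoaster project: it tallies "CHKUSER accepted sender" lines by authenticating account and client IP and marks submissions accepted with an empty account field, as in the 127.0.0.2 line quoted above. The field layout is assumed from the log lines shown in the thread, and the sample log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Field layout assumed from the quoted log line:
#   CHKUSER accepted sender: from <sender:auth-account:> remote <helo:rdns:ip> ...

# Constructed sample log lines (example.com and documentation addresses).
sample_log() {
cat <<'EOF'
06-22 14:57:16 CHKUSER accepted sender: from <news@example.com::> remote <mail.example.com:unknown:127.0.0.2> rcpt <> : sender accepted
06-22 14:57:19 CHKUSER accepted sender: from <news@example.com::> remote <mail.example.com:unknown:127.0.0.2> rcpt <> : sender accepted
06-22 15:01:02 CHKUSER accepted sender: from <news@example.com:alice@example.com:> remote <pc1:unknown:203.0.113.9> rcpt <> : sender accepted
06-22 15:02:40 CHKUSER accepted rcpt: from <news@example.com::> remote <mail.example.com:unknown:127.0.0.2> rcpt <bob@example.net> : found existing recipient
EOF
}

# Reads smtp log lines on stdin; prints "count account ip verdict" per source,
# busiest first. An empty account field is reported as "-".
chkuser_summary() {
    awk '
    /CHKUSER accepted sender:/ {
        # Isolate the text inside "from <...>" and "remote <...>".
        if (!match($0, /from <[^>]*>/)) next
        from = substr($0, RSTART + 6, RLENGTH - 7)
        if (!match($0, /remote <[^>]*>/)) next
        ip = substr($0, RSTART + 8, RLENGTH - 9)

        n = split(from, f, ":")                 # sender : account : (unused)
        auth = (n >= 2 && f[2] != "") ? f[2] : "-"
        sub(/^[^:]*:[^:]*:/, "", ip)            # drop "helo:rdns:", keep the IP
        count[auth " " ip]++
    }
    END {
        for (k in count) {
            split(k, p, " ")
            verdict = (p[1] == "-") ? "UNAUTHENTICATED" : "authenticated"
            # No account and a loopback client: accepted without SMTP AUTH
            # from the local host, the pattern seen with 127.0.0.2 above.
            if (p[1] == "-" && p[2] ~ /^127\./) verdict = "UNAUTHENTICATED-LOOPBACK"
            printf "%d %s %s %s\n", count[k], p[1], p[2], verdict
        }
    }' | sort -k1,1nr -k2,2 -k3,3
}

sample_log | chkuser_summary
```

To use it on a live system, pipe the output of the qmlog command from the thread into `chkuser_summary` in place of the grep stages.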

