possible compromised system

2011-07-27 Thread Julian Opificius
When I connect to my Postfix server using ssh from a remote location,
postings show up as something like (suitably modified for security):

Jul 27 15:50:35 winston postfix/smtpd[28303]: connect from
localhost[127.0.0.1]
Jul 27 15:50:36 winston postfix/smtpd[28303]: 57A5A220BA:
client=localhost[127.0.0.1]
Jul 27 15:50:36 winston postfix/cleanup[28315]: 57A5A220BA:
message-id=<1311799778.2531.33.camel@progbox>
Jul 27 15:50:36 winston postfix/qmgr[3964]: 57A5A220BA:
from=, size=517, nrcpt=1 (queue active)
Jul 27 15:50:37 winston postfix/smtpd[28303]: disconnect from
localhost[127.0.0.1]
Jul 27 15:50:37 winston postfix/smtp[28319]: 57A5A220BA:
to=,
relay=mail.example2.org[aaa.bb.cc.ddd]:25, delay=1.7,
delays=0.53/0.04/0.67/0.45, dsn=2.0.0, status=sent (250 2.0.0 Ok: qu
eued as D5F07162B43)
Jul 27 15:50:37 winston postfix/qmgr[3964]: 57A5A220BA: removed

All that is good, works fine.

The point to note is the:

"connect from localhost[127.0.0.1]" part.

Is there any other legitimate situation in which "connect from
localhost[127.0.0.1]" is legitimate? I suspect my system is compromised
(as opposed to my simply not having appropriate spam protections, etc in
place).

Here's an example of a "connect from localhost..." that I cannot justify
or explain:

Jul 27 15:46:54 winston postfix/smtpd[28230]: connect from
localhost[127.0.0.1]
Jul 27 15:46:54 winston postfix/smtpd[28230]: warning: Illegal address
syntax from localhost[127.0.0.1] in MAIL command:
https://app.cheetahmail.com/m/mailers/mailinail.anntaylorloft.com>
Jul 27 15:46:55 winston postfix/smtpd[28230]: disconnect from
localhost[127.0.0.1]

I confess I'm running Suse 9.1 and Postfix 2.5.5, so I'm looking for a
justification to tear the system down and rebuild from scratch (as if I
needed it), but a compromised system is much more serious.

Thanks,

Julian.
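An added detection example (not code from anyone in this thread): it reads constructed Postfix smtpd log lines shaped like Julian's two excerpts, groups them by smtpd process id into connect..disconnect sessions, and labels each loopback session by whether it triggered a warning (his second excerpt), handed in a message that got a queue id (his first), or did neither. The hostnames, IPs and the URL in the sample are placeholders.

```python
import re

# Constructed sample lines modelled on the thread's excerpts (not real logs).
SAMPLE_LOG = """\
Jul 27 15:46:54 winston postfix/smtpd[28230]: connect from localhost[127.0.0.1]
Jul 27 15:46:54 winston postfix/smtpd[28230]: warning: Illegal address syntax from localhost[127.0.0.1] in MAIL command: https://example.invalid/x>
Jul 27 15:46:55 winston postfix/smtpd[28230]: disconnect from localhost[127.0.0.1]
Jul 27 15:50:35 winston postfix/smtpd[28303]: connect from localhost[127.0.0.1]
Jul 27 15:50:36 winston postfix/smtpd[28303]: 57A5A220BA: client=localhost[127.0.0.1]
Jul 27 15:50:36 winston postfix/cleanup[28315]: 57A5A220BA: message-id=<x@progbox>
Jul 27 15:50:37 winston postfix/smtpd[28303]: disconnect from localhost[127.0.0.1]
Jul 27 15:52:01 winston postfix/smtpd[28400]: connect from mail.example2.org[192.0.2.10]
Jul 27 15:52:03 winston postfix/smtpd[28400]: disconnect from mail.example2.org[192.0.2.10]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): client=")
LOOPBACK = {"127.0.0.1", "::1"}

def classify(s):
    if s["ip"] not in LOOPBACK:
        return "remote"
    if s["warnings"]:
        return "localhost-warning"    # malformed MAIL/RCPT: typical of injected scripts
    if s["queue_ids"]:
        return "localhost-submitted"  # mail accepted from a local process: identify it
    return "localhost-empty"          # connected and left: probe or broken client

def triage(log_text):
    """Group smtpd events by process id; one record per connect..disconnect."""
    live, done = {}, []               # live: pid -> session still connected
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                     # cleanup/qmgr/smtp lines belong to no session
            continue
        pid, msg = m["pid"], m["msg"]
        if c := CONNECT_RE.match(msg):
            live[pid] = {"pid": pid, "ts": m["ts"], "host": c["host"], "ip": c["ip"],
                         "queue_ids": [], "warnings": []}
        elif (s := live.get(pid)) is None:
            continue                  # no 'connect' seen for this pid (log rotated)
        elif q := QUEUE_RE.match(msg):
            s["queue_ids"].append(q["qid"])
        elif msg.startswith("warning: "):
            s["warnings"].append(msg[len("warning: "):])
        elif msg.startswith("disconnect from "):
            s["verdict"] = classify(s)
            done.append(live.pop(pid))
    return done
```

Run it over a real mail log and the "localhost-submitted" sessions are the ones to match against process or web-server logs by timestamp, since smtpd itself cannot tell you which local process connected.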





Re: possible compromised system

2011-07-27 Thread Jeroen Geilman

On 2011-07-27 23:10, Julian Opificius wrote:

When I connect to my Postfix server using ssh from a remote location,
postings show up as something like (suitably modified for security):

Jul 27 15:50:35 winston postfix/smtpd[28303]: connect from
localhost[127.0.0.1]
Jul 27 15:50:36 winston postfix/smtpd[28303]: 57A5A220BA:
client=localhost[127.0.0.1]
Jul 27 15:50:36 winston postfix/cleanup[28315]: 57A5A220BA:
message-id=<1311799778.2531.33.camel@progbox>
Jul 27 15:50:36 winston postfix/qmgr[3964]: 57A5A220BA:
from=, size=517, nrcpt=1 (queue active)
Jul 27 15:50:37 winston postfix/smtpd[28303]: disconnect from
localhost[127.0.0.1]
Jul 27 15:50:37 winston postfix/smtp[28319]: 57A5A220BA:
to=,
relay=mail.example2.org[aaa.bb.cc.ddd]:25, delay=1.7,
delays=0.53/0.04/0.67/0.45, dsn=2.0.0, status=sent (250 2.0.0 Ok: qu
eued as D5F07162B43)
Jul 27 15:50:37 winston postfix/qmgr[3964]: 57A5A220BA: removed

All that is good, works fine.

The point to note is the:

"connect from localhost[127.0.0.1]" part.

Is there any other legitimate situation in which "connect from
localhost[127.0.0.1]" is legitimate? I suspect my system is compromised
(as opposed to my simply not having appropriate spam protections, etc in
place).

Here's an example of a "connect from localhost..." that I cannot justify
or explain:

Jul 27 15:46:54 winston postfix/smtpd[28230]: connect from
localhost[127.0.0.1]
Jul 27 15:46:54 winston postfix/smtpd[28230]: warning: Illegal address
syntax from localhost[127.0.0.1] in MAIL command:
https://app.cheetahmail.com/m/mailers/mailinail.anntaylorloft.com>
Jul 27 15:46:55 winston postfix/smtpd[28230]: disconnect from
localhost[127.0.0.1]


SENDING SMTP mail to port 25 is not a privileged operation, so it could 
be any user on the system running any kind of malware.


That said, it is most often HTTP+PHP and/or FTP accounts that are 
exploited to upload malicious code and run it locally; check your system 
and daemon logs carefully!


For example, exploited apache/PHP apps often leave tracks of executed 
code in the apache error log (because they just don't care, and that's 
where stdout goes) - that might give you a hint.


On the other hand, if somebody compromised the system via SSH you should 
audit the auth log for break-in attempts.


I would strongly advise you to disconnect this system from the internet 
until you can verify that you're not sending out spam - or worse.




I confess I'm running Suse 9.1 and Postfix 2.5.5, so I'm looking for a
justification to tear the system down and rebuild from scratch (as if I
needed it), but a compromised system is much more serious.

Thanks,

Julian.






--
J.



Re: possible compromised system

2011-07-27 Thread Wietse Venema

Is this machine running a webserver? Look in the access logs.

Wietse


Re: possible compromised system

2011-07-27 Thread Reindl Harald


On 27.07.2011 23:22, Wietse Venema wrote:
> 
> Is this machine running a webserver? Look in the access logs

if this is the reason, consider disabling smtp on 127.0.0.1,
because most of the dumb injected scripts try this instead of
the network address!

disabling php's mail() function and every function
which can execute shell commands is mandatory
(shell_exec, exec, popen...)

a server secured this way will not blindly send any
mail attempt, and in combination with sasl-auth there
is no way for the attacker, and even if an allowed script
is vulnerable you would see the username in the logs
and know who is responsible







Re: possible compromised system

2011-07-27 Thread Julian Opificius
On Wed, 2011-07-27 at 23:21 +0200, Jeroen Geilman wrote:
> On 2011-07-27 23:10, Julian Opificius wrote:
> > When I connect to my Postfix server using ssh from a remote location,
> > postings show up as something like (suitably modified for security):
> >
> > Jul 27 15:50:35 winston postfix/smtpd[28303]: connect from
> > localhost[127.0.0.1]
> > Jul 27 15:50:36 winston postfix/smtpd[28303]: 57A5A220BA:
> > client=localhost[127.0.0.1]
> > Jul 27 15:50:36 winston postfix/cleanup[28315]: 57A5A220BA:
> > message-id=<1311799778.2531.33.camel@progbox>
> > Jul 27 15:50:36 winston postfix/qmgr[3964]: 57A5A220BA:
> > from=, size=517, nrcpt=1 (queue active)
> > Jul 27 15:50:37 winston postfix/smtpd[28303]: disconnect from
> > localhost[127.0.0.1]
> > Jul 27 15:50:37 winston postfix/smtp[28319]: 57A5A220BA:
> > to=,
> > relay=mail.example2.org[aaa.bb.cc.ddd]:25, delay=1.7,
> > delays=0.53/0.04/0.67/0.45, dsn=2.0.0, status=sent (250 2.0.0 Ok: qu
> > eued as D5F07162B43)
> > Jul 27 15:50:37 winston postfix/qmgr[3964]: 57A5A220BA: removed
> >
> > All that is good, works fine.
> >
> > The point to note is the:
> >
> > "connect from localhost[127.0.0.1]" part.
> >
> > Is there any other legitimate situation in which "connect from
> > localhost[127.0.0.1]" is legitimate? I suspect my system is compromised
> > (as opposed to my simply not having appropriate spam protections, etc in
> > place).
> >
> > Here's an example of a "connect from localhost..." that I cannot justify
> > or explain:
> >
> > Jul 27 15:46:54 winston postfix/smtpd[28230]: connect from
> > localhost[127.0.0.1]
> > Jul 27 15:46:54 winston postfix/smtpd[28230]: warning: Illegal address
> > syntax from localhost[127.0.0.1] in MAIL command:
> > https://app.cheetahmail.com/m/mailers/mailinail.anntaylorloft.com>
> > Jul 27 15:46:55 winston postfix/smtpd[28230]: disconnect from
> > localhost[127.0.0.1]
> 
> SENDING SMTP mail to port 25 is not a privileged operation, so it could 
> be any user on the system running any kind of malware.
> 
> That said, it is most often HTTP+PHP and/or FTP accounts that are 
> exploited to upload malicious code and run it locally; check your system 
> and daemon logs carefully!
> 
> For example, exploited apache/PHP apps often leave tracks of executed 
> code in the apache error log (because they just don't care, and that's 
> where stdout goes) - that might give you a hint.
> 
> On the other hand, if somebody compromised the system via SSH you should 
> audit the auth log for break-in attempts.
> 
> I would strongly advise you to disconnect this system from the internet 
> until you can verify that you're not sending out spam - or worse.
> 
> 
> > I confess I'm running Suse 9.1 and Postfix 2.5.5, so I'm looking for a
> > justification to tear the system down and rebuild from scratch (as if I
> > needed it), but a compromised system is much more serious.
> >


Thanks, that's just the guidance I needed. I'm shutting the system down
now until I can get to the bottom of this.

Thanks also to Wietse - per your recommendation I'll look into web logs
too.

Going down for repairs :-(

J.




Re: possible compromised system

2011-07-28 Thread Michael Orlitzky
On 07/27/11 17:41, Reindl Harald wrote:
> 
> 
> On 27.07.2011 23:22, Wietse Venema wrote:
>>
>> Is this machine running a webserver? Look in the access logs
> 
> if this is the reason, consider disabling smtp on 127.0.0.1,
> because most of the dumb injected scripts try this instead of
> the network address!
> 
> disabling php's mail() function and every function
> which can execute shell commands is mandatory
> (shell_exec, exec, popen...)

You can't really disable mail() on a web host, but PHP recently made it
not-impossible to monitor its use:

  http://www.php.net/manual/en/mail.configuration.php#ini.mail.log


Re: possible compromised system

2011-07-28 Thread Reindl Harald


On 28.07.2011 15:49, Michael Orlitzky wrote:
> On 07/27/11 17:41, Reindl Harald wrote:
>>
>>
>> On 27.07.2011 23:22, Wietse Venema wrote:
>>>
>>> Is this machine running a webserver? Look in the access logs
>>
>> if this is the reason, consider disabling smtp on 127.0.0.1,
>> because most of the dumb injected scripts try this instead of
>> the network address!
>>
>> disabling php's mail() function and every function
>> which can execute shell commands is mandatory
>> (shell_exec, exec, popen...)
> 
> You can't really disable mail() on a web host, but PHP recently made it
> not-impossible to monitor its use:

i can and i do, on a bundle of hosts for > 500 domains, and have for
nearly ten years - if you can't, don't speak for me!


