On Mon, Jan 8, 2018 at 2:01 PM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
All,
I have a VM on the internet that for the last day or so has been sending out tens of thousands of malicious emails.
openSUSE 42.2
Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever use it. Almost all admin is via ssh.
Check the mail logs, Greg. /var/log/mail will tell you everything.
Agreed, but they are huge as of the last couple days. I need some hints of what to look for.
Look for e.g. "smtpd.*connect" to see servers connecting to deliver mails. If you see lots of unknown ones, you have identified the source.
As noted in other emails, I think I found the method of relay used. Anyway, I made an effort to block it.
I note in the last 12 hours my server has sent several emails from "wwwrun" to zobugtel@gmail.com.
wwwrun is almost certainly your apache server, any chance some application has been compromised?
Whatever it is, it seems unrelated, so I will attack that problem separately. I mostly have just a few static pages on this server.
On Monday 8 January 2018 20:09:34 CET, Greg Freemyer wrote:
Where do you get that it's unrelated? I've seen dozens of occasions where outdated Joomla/Wordpress/Drupal etc. sites got hacked, a simple PHP mailer got installed and off the spammers went. Leaving traces in the CMS's logs, not in the OS's mail logs. IMNSHO it's the first place to look when suddenly receiving emails from wwwrun. Do you have a webserver running? If so, does it serve some kind of CMS?
Maybe I have a penetration of my webserver? My webserver should be very vanilla and I can turn off PHP support, etc. if it is currently active.
If you're not using it, I would suggest just stopping it.
Agreed
The contents of /etc/postfix/relay are:
# for relaying domain
# domain.de OK
IAC-Forensics.com OK
And contents of /etc/postfix/main.cf ? Is that file used? What are your smtp recipient restrictions?
I don't think I have any smtp recipient restrictions?
You ought to have at least 'reject_unauth_destination'.
I do
I think my main.cf is very vanilla:
Depending on what you need it for, I would suggest getting rid of a lot of the vanilla stuff. It often just gets in the way and only obscures the picture.
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
That looks good - assuming you also have
relay_domains = hash:/etc/postfix/relay,
Hmm... I have:
#relay_domains = $mydestination, hash:/etc/postfix/relay
Note it is commented out!
Is it the default?
and you've postmap'ed /etc/postfix/relay, I don't think your postfix is open. (I'll be happy to test that for you, if you want).
I had an online website test it. It's not fully open, but the bad guys still found a way.
Looks like 500,000+ emails went through the server in the last 72 hours.
Hope this helps, Per
Thanks Much Greg
--
Gertjan Lettink, a.k.a. Knurpht
openSUSE Board Member
openSUSE Forums Team
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org