Re: [CentOS-es] Ayuda con Servidor Comprometido

[Jorge Sanchez]

No pude ver el principio de la conversacion, por alguna razon me llego empezada.

Capas que repito.

Personalmente cuando configuro, uso todos los checker que pueda.

http://mxtoolbox.com/diagnostic.aspx

Capas que eso, realmente quita la duda de la mala configuracion o no.

Saludos.

El día 4 de mayo de 2015, 15:15, Salvador - Salman PSL
<listascor...@salman.net> escribió:
>
>    *::Para mi que tienes el servidor de correo muy mal configurado.
>
>    Tienes un exceso de informacion en el log, que no te deja ver claro.
>
>    Si tuvieses bien configurado todo, sabrias cual es el origen del correo.
>
>    Una cosa que no entiendo es que envies un correo de rechazo por un
>    HELO rechazado, estas comprobandolo despues de haber recibido el
>    correo, y eso tienes que comprobarlo antes de recibir todo el correo.
>
>    Lo dicho, para mi que ese Postfix, no esta bien configurado.
>
>    *
>
>>>>>>>>>>>>>>> ******* Fin del mensaje ******* <<<<<<<<<<<<<<
> ------------------------------------------------------------------------
> Saludos
> Salvador Guzman
> Salman PSL
> Vigo, Galicia, España
>    +34 986.21.30.27
>    +34 679-725-626
> Salman.EU <http://salman.es/>
> El 04/05/2015 a las 15:59, David González Romero escribió:
>>
>> Hola Lista!!
>>
>> Una vez mas el tema del SPAM me tienen en jaque mate...
>>
>> Esta vez la verdad es que no tiene ni pies, ni cabezas. Es posible que
>> tenga pueda ser una PC de mi red o que sea mi servidor, yo mi inclino
>> por la segunda opción.
>>
>> La configuración de Postfix está lo más restricta posible para
>> enviar-recibir. Pero lo cierto es que estoy teniendo cada fin de
>> semana un problema serio con los SPAM ya que llego y tengo miles de
>> mail en cola que no se despachan porque los servidores receptores no
>> permiten y me bloquean como SPAM.
>>
>> Tengo también las herramientas para buscar rootkit en el server, lo
>> mismo el Clamav que no encuentra virus. También configuré Fail2ban,
>> para la mayoría de los servicios que tengo. Sin embargo viendo los log
>> de correo hay algunas cosas raras.
>>
>> Les transfiero un parte del log que considero extraño:
>>
>> ----------------------------------------------------------------------------------------
>> Amavis-new
>>
>>   **Unmatched Entries**
>>      INFO: truncating long header field (len=1318): X-Envelope-To:
>> <c...@163.com>, <c043...@amco.co.kr>, <c...@bpr.gov.my>,
>> <c02_...@ccc.ae>, <c02_r05@ccc(28594-06) Passed SPAM, [196.46.245.153]
>> [196.46.245.153] <authenticat...@stellawalker.co.uk> ->
>>
>> <c...@163.com>,<c043...@amco.co.kr>,<c...@bpr.gov.my>,<c02_...@ccc.ae>,<c02_...@ccc.ae>,<c02_...@ccc.ae>,<c02_...@ccc.ae>,<c02_...@ccc.ae>,<c02_...@ccc.ae>,<c05_...@ccc.com.om>,<c05_...@ccc.com.om>,<c05_...@ccc.com.om>,<c04_...@ccc.com.qa>,<c04_...@ccc.com.qa>,<c03_...@ccc.com.sa>,<c03_...@ccc.com.sa>,<c03_...@ccc.com.sa>,<c03_...@ccc.com.sa>,<c...@chsteel.com.tw>,<c0...@dmu.ac.uk>,<c0218...@dongbuchem.com>,<c12...@email.mot.com>,<c13...@email.mot.com>,<c14...@email.mot.com>,<c14...@email.mot.com>,<c14...@email.mot.com>,<c00lw...@gmail.com>,<c15...@gscaltex.co.kr>,<c00l...@hotmail.com>,<c0...@manhorope.com>,<"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232olivia.chen"@molcn.com.cn>,<"\347\256\261\357\274\232celian.huang"@m
>>
>> olcn.com.cn>,<"\347\256\261\357\274\232hr"@molcn.com.cn>,<c06_...@morganti.com.jo>,<c14...@motorola.com>,<c14...@motorola.com>,<c15...@motorola.com>,<c17...@motorola.com>,<c058...@narwhal.cc.metu.edu.tr>,<c107...@narwhal.cc.metu.edu.tr>,<c12hockg...@nexgen.com.my>,<c015...@pc.jaring.my>,<c10...@qq.com>,<c...@tm.net.my>,<c...@tm.net.my>,<c...@tm.net.my>,<c00lw...@yahoo.com>,<c0untry...@yahoo.com>,<c16...@yahoo.com.hk>,
>> Message-ID: <20150502214852.043e95768...@mail.timbo.com.py>, mail_id:
>> dN-ces7fv0ZT, Hits: 40.253, queued_as: E0AE257688D7, 224 ms: 1 Time(s)
>>      WARN: address modified (recip):
>>
>> <\344\274\232\350\256\241\346\226\207\345\221\230\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232ivy....@molcn.com.cn>
>> ->
>> <"\344\274\232\350\256\241\346\226\207\345\221\230\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232ivy.guo"@molcn.com.cn>:
>> 1 Time(s)
>>      WARN: address modified (recip):
>>
>> <\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232celian.hu...@molcn.com.cn>
>> ->
>> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232celian.huang"@molcn.com.cn>:
>> 1 Time(s)
>>      WARN: address modified (recip):
>> <\347\256\261\357\274\23...@molcn.com.cn> ->
>> <"\347\256\261\357\274\232hr"@molcn.com.cn>: 1 Time(s)
>>      INFO: truncating long header field (len=2242): X-Envelope-To:
>> =?iso-8859-1?Q?=3C=22=E7=94=B5=E5=AD=90=E9=82=AE=E7=AE=B1=EF=BC=9Ahr=22?=
>> =?iso-8859-(28518-11) Passed SPAM, [196.46.245.152] [196.46.245.152]
>> <authenticat...@stellawalker.co.uk> ->
>>
>> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232hr"@51job.com>,<c_paul_dehusijar...@bankmandiri.co.id>,<c_paul_pehusijar...@bankmandiri.co.id>,<c_paul_tehusijar...@bankmandiri.co.id>,<c_sakam...@botlfp.com>,<c_w...@buckman.com>,<c_taspasc...@bworldonline.com>,<c_s_...@colpal.com>,<c_sanit...@cvdgroup.com>,<c_pei...@hotmail.com>,<c_prajakw...@hotmail.com>,<c_pras...@hotmail.com>,<c_ram...@hotmail.com>,<c_sarun...@hotmail.com>,<c_senthilvelmuru...@hotmail.com>,<c_sim...@hotmail.com>,<c_sp...@hotmail.com>,<c_ta...@hotmail.com>,<c_te...@hotmail.com>,<c_var...@hotmail.com>,<c_w_sutherl...@hotmail.com>,<c_went...@hotmail.com>,<c_...@hotmail.com>,<c_yl2...@hotmail.com>,<c_yuan_m...@hotmail.com>,<c_y...@hotmail.com>,<"\347\224
>>
>> \265\345\255\220\351\202\256\347\256\261\357\274\232lee.liang"@molasia.com>,<"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232celian.huang"@molcn.com.cn>,<"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232catherine.huang"@molocb.com>,<c_somc...@nawarat.co.th>,<c_ram...@qp.com.qa>,<c_pa...@rediffmail.com>,<c_rom...@statefarm.com>,<c_vi...@streamyx.com>,<c_s...@tm.net.my>,<c...@tm.net.my>,<c_pigz...@yahoo.com>,<c_pod...@yahoo.com>,<c_q...@yahoo.com>,<c_raffyx_ventur...@yahoo.com>,<c_ram...@yahoo.com>,<c_ro...@yahoo.com>,<c_sah...@yahoo.com>,<c...@yahoo.com>,<c_t_c...@yahoo.com>,<c_t...@yahoo.com>,<c_wa...@yahoo.com>,<c_yoke...@yahoo.com>,<c_y...@yahoo.com>,
>> Message-ID: <20150502214849.4ad1b5768...@mail.timbo.com.py>, mail_id:
>> XBbs+KM6FQwt, Hits: 40.253, queued_as: 0FD6857688D6, 218 ms: 1 Time(s)
>>      WARN: address modified (recip):
>>
>> <\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232olivia.c...@molcn.com.cn>
>> ->
>> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232olivia.chen"@molcn.com.cn>:
>> 1 Time(s)
>>      WARN: address modified (recip):
>> <\347\224\265\345\255\220\351\202\256\347\256\261\357\274\23...@51job.com>
>> ->
>> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232hr"@51job.com>:
>> 1 Time(s)
>>      WARN: address modified (recip):
>>
>> <\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232catherine.hu...@molocb.com>
>> ->
>> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232catherine.huang"@molocb.com>:
>> 1 Time(s)
>>      WARN: address modified (recip):
>> <\347\256\261\357\274\232celian.hu...@molcn.com.cn> ->
>> <"\347\256\261\357\274\232celian.huang"@molcn.com.cn>: 1 Time(s)
>>      INFO: truncating long header field (len=1254): X-Envelope-To:
>> <a...@bpr.gov.my>, <a058...@cht.com.tw>, <a...@cht.com.tw>,
>> <a...@cych.org.tw>, <a17830(11858-17) Passed SPAM, [196.46.246.183]
>> [196.46.246.183] <we...@mail.ymps.ntpc.edu.tw> ->
>>
>> <a...@bpr.gov.my>,<a058...@cht.com.tw>,<a...@cht.com.tw>,<a...@cych.org.tw>,<a1783...@dgb.co.kr>,<a10...@email.mot.com>,<a10...@email.mot.com>,<a11...@email.mot.com>,<a11...@email.mot.com>,<a13...@email.mot.com>,<a16...@email.mot.com>,<a17...@email.mot.com>,<a18...@email.mot.com>,<a19...@email.mot.com>,<a19...@email.mot.com>,<a21...@email.mot.com>,<a19...@freescale.com>,<a09...@gmail.com>,<a1an...@gmail.com>,<a20...@gmail.com>,<a...@hotmail.com>,<a...@hotmail.com>,<"\344\274\232\350\256\241\346\226\207\345\221\230\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232ivy.guo"@molcn.com.cn>,<a12...@motorola.com>,<a16...@motorola.com>,<a17...@motorola.com>,<a17...@motorola.com>,<a17...@motorola.com>,<a19...@motorola.com>,<a20581@motorola
>>
>> .com>,<a22...@motorola.com>,<a22...@motorola.com>,<a20...@motorolla.com>,<a1780...@ms24.hinet.net>,<a1790...@ms24.hinet.net>,<a15....@msa.hinet.net>,<a1943.a1...@msa.hinet.net>,<a2...@n-koei.co.jp>,<a12...@tm.com.my>,<a12...@tm.com.my>,<a13...@tm.com.my>,<a15...@tm.com.my>,<a1582...@tm.com.my>,<a16...@tm.com.my>,<a12s...@um.edu.my>,<a1-m2...@yahoo.com>,<a1alaqu...@yahoo.com>,<a178...@yahoo.com.tw>,
>> Message-ID: <20150502134124.2c1681ce0...@mail.timbo.com.py>, mail_id:
>> yQPSPzzglZ-5, Hits: 35.918, queued_as: 895771CE0358, 213 ms: 1 Time(s)
>>      WARN: address modified (recip):
>>
>> <\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232lee.li...@molasia.com>
>> ->
>> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232lee.liang"@molasia.com>:
>> 1 Time(s)
>>
>> ----------------------------------------------------------------------------------------
>> Postfix
>> (De estas lineas hay cientos iguales)
>>   Unrecognized warning:
>>       TLS library problem: 13238:error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>> failure:s23_clnt.c:586: : 1 Time(s)
>>       TLS library problem: 13256:error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>> failure:s23_clnt.c:586: : 1 Time(s)
>>       TLS library problem: 13334:error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>> failure:s23_clnt.c:586: : 1 Time(s)
>> .......
>> host 0.0.0.0[0.0.0.0]:25 replied to HELO/EHLO with my own hostname
>> mail.timbo.com.py : 9 Time(s)
>>       host akerkvaener.com[127.0.0.4]:25 replied to HELO/EHLO with my
>> own hostname mail.timbo.com.py : 1 Time(s)
>>       host blackhole.superlink.net[127.0.0.3]:25 replied to HELO/EHLO
>> with my own hostname mail.timbo.com.py : 1 Time(s)
>>       host blackhole.theglobe.com[127.0.0.2]:25 replied to HELO/EHLO
>> with my own hostname mail.timbo.com.py : 2 Time(s)
>>       host fch.in[0.0.0.0]:25 replied to HELO/EHLO with my own hostname
>> mail.timbo.com.py : 1 Time(s)
>>       host mail.airport.com[127.0.0.6]:25 replied to HELO/EHLO with my
>> own hostname mail.timbo.com.py : 1 Time(s)
>>       host your-dns-needs-immediate-attention.sony[127.0.53.53]:25
>> replied to HELO/EHLO with my own hostname mail.timbo.com.py : 1
>> Time(s)
>>       network_biopair_interop: error reading 5 bytes from the network:
>> Connection reset by peer : 36 Time(s)
>>       network_biopair_interop: error reading 7 bytes from the network:
>> Connection reset by peer : 6 Time(s)
>>       network_biopair_interop: error writing 37 bytes to the network:
>> Broken pipe : 4 Time(s)
>>       network_biopair_interop: error writing 37 bytes to the network:
>> Connection reset by peer : 5 Time(s)
>>       no MX host for 265.com has a valid address record : 1 Time(s)
>>       no MX host for 3com.com has a valid address record : 8 Time(s)
>>       no MX host for aboutvoyeur.com has a valid address record : 1
>> Time(s)
>>       no MX host for accu-find.com has a valid address record : 1 Time(s)
>>       no MX host for amd.com.sg has a valid address record : 1 Time(s)
>>       no MX host for ap.altria.com has a valid address record : 1 Time(s)
>>       no MX host for apm-automotive.com.my has a valid address record : 1
>> Time(s)
>>       no MX host for arabianbemco.com has a valid address record : 1
>> Time(s)
>>       no MX host for arcsight.com has a valid address record : 2 Time(s)
>>       no MX host for arrow-dynamic.com has a valid address record : 1
>> Time(s)
>>       no MX host for asiabrandscorp.com has a valid address record : 4
>> Time(s)
>>       no MX host for asiapulppaper.com has a valid address record : 1
>> Time(s)
>>       no MX host for astral.ro has a valid address record : 4 Time(s)
>>       no MX host for banco.com.sv has a valid address record : 1 Time(s)
>>       no MX host for baoshan.sh.cn has a valid address record : 1 Time(s)
>> .............
>> Aqui empieza la parte del SPAM:
>>
>> NOQUEUE: reject: RCPT from
>> 118-161-241-219.dynamic.hinet.net[118.161.241.219]: 554 5.7.1
>> <201.217.51.105>: Helo command rejected: Access denied;
>> from=<z200...@yahoo.com.tw> to=<vkihw...@yahoo.com.tw> proto=SMTP
>> helo=<201.217.51.105>
>>   A5E641CE0188: to=<braimahs...@gmail.com>,
>> relay=gmail-smtp-in.l.google.com[74.125.21.26]:25, delay=8.1,
>> delays=0.05/0.01/1.4/6.6, dsn=5.7.1, status=bounced (host
>> gmail-smtp-in.l.google.com[74.125.21.26] said: 550-5.7.1
>> [201.217.51.105      12] Our system has detected that this message is
>> 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent
>> to Gmail, 550-5.7.1 this message has been blocked. Please visit
>> 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131
>> for 550 5.7.1 more information. f67si4365709yho.125 - gsmtp (in reply
>> to end of DATA command))
>>   A5E641CE0188: sender non-delivery notification: BBD821CE018E
>>   09F8F1CE0171: reject: RCPT from unknown[41.138.175.226]: 554 5.1.2
>> <da...@damex.com.br>: Recipient address rejected: Domain not found;
>> from=<frederickfer...@yahoo.co.uk> to=<da...@damex.com.br> proto=ESMTP
>> helo=<User>
>>   0DD601CE0171: host gateway-f2.isp.att.net[207.115.11.16] refused to
>> talk to me: 550-201.217.51.105 blocked by ldap:ou=rblmx,dc=att,dc=net
>> 550 Error - Blocked for abuse. See http://att.net/blocks
>>   E9A9A1CE0188: to=<dame...@itelefonica.com.br>,
>> relay=vip-us-br-mx.terra.com[208.84.244.133]:25, delay=1.3,
>> delays=0.06/0.03/1/0.16, dsn=5.2.1, status=bounced (host
>> vip-us-br-mx.terra.com[208.84.244.133] said: 550 5.2.1 Mailbox
>> disabled for this recipient (in reply to RCPT TO command))
>>   0DD601CE0171: host mx1.comcast.net[96.114.157.80] refused to talk to
>> me: 554 resimta-po-04v.sys.comcast.net comcast 201.217.51.105 Comcast
>> block for spam.  Please see
>> http://postmaster.comcast.net/smtp-error-codes.php#BL000000
>>
>>
>> ----------------------------------------------------------------------------------------
>> Y así como ese miles de líneas iguales.
>> Pero hice una búsqueda más exaustiva en el log y veo esto en
>> diferentes momentos del log que tuve que seguir por le ID del correo
>>
>> Apr 18 01:08:10 mail postfix/qmgr[23567]: CC59E1CE0171:
>> from=<i...@treasury.gov>, size=3120, nrcpt=1 (queue acti
>> ve)
>> Apr 18 01:08:15 mail postfix/qmgr[23567]: 75DCF1CE0188:
>> from=<i...@treasury.gov>, size=3589, nrcpt=1 (queue active)
>> Apr 18 01:08:15 mail postfix/smtpd[31026]: disconnect from
>> mail.timbo.com.py[127.0.0.1]
>> Apr 18 01:08:15 mail amavis[27844]: (27844-05) Passed SPAM,
>> [68.15.32.120] [68.15.32.120] <i...@treasury.gov> ->
>> <harrisonworld2l...@yahoo.co.uk>, Message-ID:
>> <20150418050809.cc59e1ce0...@mail.timbo.com.py>, mail_id:
>> 9bkgsnbCoNNP, Hits: 28.805, queued_as: 75DCF1CE0188, 5061 ms
>> Apr 18 01:08:15 mail postfix/lmtp[31023]: CC59E1CE0171:
>> to=<harrisonworld2l...@yahoo.co.uk>, relay=127.0.0.1[127.0.0.1]:10024,
>> delay=5.9, delays=0.85/0.01/0/5.1, dsn=2.6.0, status=sent (250 2.6.0
>> Ok, id=27844-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
>> 75DCF1CE0188)
>> Apr 18 01:08:15 mail postfix/qmgr[23567]: CC59E1CE0171: removed
>> Apr 18 01:08:16 mail postfix/smtp[31027]: certificate verification
>> failed for mx-eu.mail.am0.yahoodns.net: num=20:unable to get local
>> issuer certificate
>> Apr 18 01:08:16 mail postfix/smtp[31027]: certificate verification
>> failed for mx-eu.mail.am0.yahoodns.net: num=27:certificate not trusted
>> Apr 18 01:08:19 mail postfix/smtp[31027]: 75DCF1CE0188:
>> to=<harrisonworld2l...@yahoo.co.uk>,
>> relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=3.9,
>> delays=0.04/0.01/1.9/1.9, dsn=2.0.0, status=sent (250 ok dirdel)
>> Apr 18 01:08:19 mail postfix/qmgr[23567]: 75DCF1CE0188: removed
>>
>> Como ven aquí es donde mi problema entra.
>> El From: es claro que no es mio y el To: tampoco; sin embargo pasa por
>> mi servidor como perro por su casa. Lo que me deja que pensar en dos
>> posibles opciones:
>> 1- Una cuenta real del sistema está comprometida
>> 2- En el server hay un bot.
>>
>> La primera voy a resolver de a poco; quizá tengo una pequeña sospecha.
>> Pero necesitaría ayuda para verificar la dos. Ya he corrido rkhunter
>> varias veces y no me da problemas salvo que uso el puerto 465 para
>> SASL y tengo activo un rsync para sincronizar archivos compartidos con
>> el NAS, pero es todo local. Entonces precisaría alguna idea de como
>> buscar este posible bots o algun otro soft que esté haciendo de las
>> suyas.
>>
>> Existe algun metodo de búsqueda más intensivo que no sea solo con
>> rkhunter?
>>
>> Saludos,
>> David
>> _______________________________________________
>> CentOS-es mailing list
>> CentOS-es@centos.org
>> http://lists.centos.org/mailman/listinfo/centos-es
>>
>
>
> _______________________________________________
> CentOS-es mailing list
> CentOS-es@centos.org
> http://lists.centos.org/mailman/listinfo/centos-es
_______________________________________________
CentOS-es mailing list
CentOS-es@centos.org
http://lists.centos.org/mailman/listinfo/centos-es