On 2018-Jun-03 17:06, Bill Cole wrote:
> Your system has been compromised. The most common vectors are vulnerable web
> applications (e.g. carelessly-written PHP or CGI scripts) but there are many
> other possible modes of attack.

It's most likely our own script, the one that has these credentials in it. How it is exploited I still don't know, but it's not likely that it's possible to send after I have disabled this account.

> Obfuscating IP addresses and hostnames in email log snippets here is
> pointless and removes any value these log lines might have had in analyzing
> your problem.

Not sure why. Care to elaborate? According to http://www.postfix.org/DEBUG_README.html#mail it's the way to go. You just need to use the same substitutions. So DD.DDD.DD.DDD is always one and the same real-world IP. A different IP would get a different value.

> Also, those log lines are NOT from a session similar to the purported SMTP
> chat you included above. If Postfix logs that it sent a 550 5.1.1 reply, it
> did NOT send a 451 4.3.0 reply as in the SMTP chat.

Probably not. The handshake is sent to postmaster@me from MAILER-DAEMON. That's how I noticed the problem. I'm just not sure what the value is for the spammer in sending to user@mydomain. It would make more sense to send to some outside victims.

> > My postconf -n (Postfix 2.6.6) is in the attachment.
>
> Why are you using obsolete software? 2.6.6 was released over 8 years ago.
> The last 2.6.x support release was 2.6.19, over 5 years ago.
>
> If this is generally how software on your system is maintained, it is
> unsurprising that it has been taken over by a spammer.

I assume you are using some bleeding-edge distro, but for us using production servers, it makes more sense to use a long-supported distro with regular security patches. Like CentOS 6. I'm confident that the CentOS security team does a good job providing the latest security patches RedHat releases, including those related to Postfix.

> > How can I find out from where these emails are coming?
>
> You've already said it: they are coming from your own broken system.
>
> > If they are really from
> > localhost, what program/script?
>
> That's not a question that can be answered from the outside.
>
> > If from outside how to prevent IP spoofing?
>
> Even a system so old that it is running Postfix 2.6.6 is extremely unlikely
> to be vulnerable to an external attacker spoofing a local IP address for a
> TCP-based protocol like SMTP. Functional IP spoofing generally is a UDP or
> ICMP trick, not TCP (at least not in THIS millennium...)
>
> > Seeing that it tries several passwords and succeeds makes me worried even
> > more.
>
> That's common for spammers.

Hm, now that I took a closer look, it actually doesn't try several passwords. It's just base64 for username, password, actual username and actual password.

> Again: A spammer has taken over your server, either in a limited way through
> a vulnerable web interface of some sort or possibly in an unlimited way,
> restricted only by the risk of discovery.
>
> Unmunged log entries and output from postconf -n and postconf -M might help
> us to help you make this easier to analyze but there is a very strong
> possibility that the first step towards an actual fix is to wipe the system
> clean and reinstall everything from the ground up (hopefully in non-obsolete
> versions.)

You probably know that there is no postconf -M on my ancient Postfix, so you're just pulling my leg, right?
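The base64 observation above is the SMTP AUTH LOGIN exchange: the server's two 334 challenges are themselves base64 (for "Username:" and "Password:") and the two client lines carry one account's credentials, so a transcript can look like several password attempts. The following is an added example, not code from this thread or from Postfix, that decodes such an exchange (AUTH LOGIN and AUTH PLAIN) from a constructed transcript for a hypothetical account user@example.test, so an investigator can see which single account was used:

```python
import base64
import re

# Constructed transcript (not from the thread): an AUTH LOGIN and an AUTH PLAIN
# session for a hypothetical account.  The 334 challenges are base64 prompts.
PLAIN_BLOB = base64.b64encode(b"\0user@example.test\0hunter2").decode()
SAMPLE_CHAT = f"""\
EHLO client.example.test
250-mail.example.test
250 AUTH PLAIN LOGIN
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlckBleGFtcGxlLnRlc3Q=
334 UGFzc3dvcmQ6
aHVudGVyMg==
235 2.7.0 Authentication successful
AUTH PLAIN {PLAIN_BLOB}
235 2.7.0 Authentication successful
"""
SERVER_REPLY = re.compile(r"^\d{3}[ -]")          # 3-digit code = server line
AUTH_CMD = re.compile(r"^AUTH\s+(LOGIN|PLAIN)(?:\s+(\S+))?$", re.I)

def _b64(text):
    """Decode one base64 token, or return None if it is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def decode_auth(chat):
    """Return [(mechanism, username, password), ...] for each AUTH exchange.
    Server replies are skipped, so 334 prompts never count as extra attempts."""
    lines = [ln.strip() for ln in chat.splitlines() if ln.strip()]
    found = []
    for i, line in enumerate(lines):
        m = AUTH_CMD.match(line)
        if not m:
            continue
        mech = m.group(1).upper()
        # Client data lines that follow the AUTH command (at most two are used).
        client = [ln for ln in lines[i + 1:i + 6] if not SERVER_REPLY.match(ln)][:2]
        if mech == "LOGIN" and len(client) == 2:
            found.append((mech, _b64(client[0]), _b64(client[1])))
        elif mech == "PLAIN":
            blob = m.group(2) or (client[0] if client else "")
            parts = (_b64(blob) or "").split("\0")   # authzid \0 authcid \0 password
            if len(parts) == 3:
                found.append((mech, parts[1], parts[2]))
    return found
```

Run it over the captured chat (munged consistently, as the DEBUG_README suggests); the decoded account name is the credential to disable and rotate, and the script that holds it is where to look next.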