Yes, but how is this USER attaching to your server in order to send these
emails? They must have obtained access in order to use the sendmail
application.


You need to see how they are getting onto your server; there is no magic in
sending out the emails. The magic is gaining access to your server.
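Every spam envelope in the maillog quoted further down in this thread carries relay=localhost.localdomain [127.0.0.1], so sendmail accepted it from something on the box itself, which is why the iptables rules and the localhost-only access map quoted below do not constrain it. As an added example (not code from the thread, from sipXecs or from any poster), here is a small Python triage script that parses lines in the format shown and separates injected spam from the PBX's own notifications using the traits visible in the quoted entries: envelope-sender and Message-ID domains that are not local, plain SMTP instead of the ESMTP the normal javamail entry shows, and recipient counts. The log lines inside the script are constructed in that format; the example.com/example.net hosts, the LOCAL_DOMAINS set and the two-indicator threshold are assumptions.

```python
"""Triage of sendmail maillog entries, separating locally injected spam
from the PBX's own mail. Added example for this thread; it is not code
from sipXecs or from any poster. The log lines below are constructed in
the format the thread shows, with placeholder hosts and addresses."""
import re
from collections import defaultdict

# Assumption: the domains this PBX legitimately sends as. Adjust per host.
LOCAL_DOMAINS = {"localhost", "sipx1.sip.example.net"}

# Constructed sample: three spam envelopes, then one voicemail notification.
SAMPLE_LOG = """\
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<bounce@spammer.example.com>, size=349, class=0, nrcpts=1, msgid=<20121114203828.1234@spammer.example.com>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: to=<alice@example.net>, delay=00:00:00, mailer=relay, pri=30349, dsn=4.4.3, stat=queued
Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880: to=<alice@example.net>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120349, relay=smarthost.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (Ok: queued as 0F7351C0B53)
Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545: from=<bounce@spammer.example.com>, size=361, class=0, nrcpts=2, msgid=<20121114210802.5678@spammer.example.com>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545: to=<alice@example.net>,<bob@example.net>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=150361, relay=smarthost.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)
Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210: from=<bounce@spammer.example.com>, size=5925, class=0, nrcpts=50, msgid=<20121115032633.9012@spammer.example.com>, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: from=<postmaster@localhost>, size=335352, class=0, nrcpts=1, msgid=<1578812003.338.1352991743551.javamail.sipxpbx@sipx1.sip.example.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170: to=<user@example.net>, delay=00:00:00, mailer=relay, pri=365352, dsn=4.4.3, stat=queued
"""

# "Mon DD hh:mm:ss host sendmail[pid]: queueid: key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<rest>.*)$"
)
# Values are either one or more <angle-bracketed> addresses or free text up
# to the next comma (relay=host [ip] and stat=Sent (...) both fit this).
KV_RE = re.compile(r"(\w+)=(<[^>]*>(?:,<[^>]*>)*|[^,]+)")


def parse_maillog(text):
    """Group sendmail log lines by queue ID, keeping the fields the triage
    needs. The from= line is the envelope-acceptance record; to= lines add
    recipients and the latest delivery status."""
    msgs = defaultdict(lambda: {"to": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = msgs[m.group("qid")]
        fields = dict(KV_RE.findall(m.group("rest")))
        if "from" in fields:
            # This pid is sendmail's child that accepted the connection,
            # not the process that opened it.
            rec["sendmail_pid"] = int(m.group("pid"))
            rec["from"] = fields["from"].strip("<>")
            rec["size"] = int(fields.get("size", 0))
            rec["nrcpts"] = int(fields.get("nrcpts", 0))
            rec["msgid"] = fields.get("msgid", "").strip("<>")
            rec["proto"] = fields.get("proto", "")
            ip = re.search(r"\[([\d.]+)\]", fields.get("relay", ""))
            rec["relay_ip"] = ip.group(1) if ip else ""
        elif "to" in fields:
            for addr in fields["to"].split(","):
                addr = addr.strip("<>")
                if addr not in rec["to"]:
                    rec["to"].append(addr)
            rec["stat"] = fields.get("stat", rec.get("stat", ""))
    return dict(msgs)


def domain_of(addr):
    """Domain part of an address or Message-ID, lower-cased."""
    return addr.rpartition("@")[2].lower()


def triage(messages, local_domains=LOCAL_DOMAINS, max_rcpts=10):
    """One finding per envelope. 'origin' says where sendmail got the message
    (loopback means a process on this box, whatever the firewall allows);
    'indicators' are the traits that separate the spam in the thread from
    the PBX's own javamail notifications. Threshold of two is an assumption."""
    findings = []
    for qid, rec in sorted(messages.items()):
        if "from" not in rec:
            continue  # delivery lines for a message whose acceptance we lack
        indicators = []
        if domain_of(rec["from"]) not in local_domains:
            indicators.append("sender domain %s is not local" % domain_of(rec["from"]))
        if rec["msgid"] and domain_of(rec["msgid"]) not in local_domains:
            indicators.append("Message-ID domain %s is not local" % domain_of(rec["msgid"]))
        if rec["proto"] == "SMTP":
            indicators.append("plain SMTP (no EHLO), unlike the PBX's ESMTP submissions")
        if rec["nrcpts"] > max_rcpts:
            indicators.append("%d recipients in one envelope" % rec["nrcpts"])
        origin = "loopback" if rec["relay_ip"] == "127.0.0.1" else rec["relay_ip"] or "unknown"
        findings.append({
            "qid": qid, "sendmail_pid": rec["sendmail_pid"], "origin": origin,
            "from": rec["from"], "nrcpts": rec["nrcpts"], "indicators": indicators,
            "verdict": "suspicious" if len(indicators) >= 2 else "ok",
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_maillog(SAMPLE_LOG)):
        print("%s %-10s origin=%s from=%s nrcpts=%d"
              % (f["qid"], f["verdict"], f["origin"], f["from"], f["nrcpts"]))
        for why in f["indicators"]:
            print("    -", why)
```

Run it against a real /var/log/maillog by passing the file's contents to parse_maillog. The pid in sendmail[...] belongs to the sendmail child that accepted the connection, not to the injecting process; to find the injector, watch what connects to 127.0.0.1:25 while a spam run is in progress (for example with lsof -i TCP:25 or netstat -tnp) and then look at what else runs as that user.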


From: [email protected]
[mailto:[email protected]] On Behalf Of Noah Mehl
Sent: Thursday, November 15, 2012 9:57 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4


I'm using "hacked" because as far as I can tell, this is not an SMTP relay
issue. Therefore something on the system is open, and it has therefore been
"hacked".


Here are some spam log entries from the maillog:


Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880: from=<[email protected]>,
size=349, class=0, nrcpts=1,
msgid=<[email protected]>, proto=SMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Nov 14 20:38:28 sipx1 sendmail[31880]: qAF1cSLn031880:
to=<[email protected]>, delay=00:00:00, mailer=relay, pri=30349,
dsn=4.4.3, stat=queued

Nov 14 20:38:34 sipx1 sendmail[32547]: qAF1cSLn031880:
to=<[email protected]>, delay=00:00:06, xdelay=00:00:01, mailer=relay,
pri=120349, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
stat=Sent (Ok: queued as 0F7351C0B53)

Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945:
from=<[email protected]>, size=358, class=0, nrcpts=1,
msgid=<[email protected]>, proto=SMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Nov 14 20:39:57 sipx1 sendmail[31945]: qAF1dufN031945:
to=<[email protected]>, delay=00:00:00, mailer=relay, pri=30358,
dsn=4.4.3, stat=queued

Nov 14 20:39:59 sipx1 sendmail[32547]: qAF1dufN031945:
to=<[email protected]>, delay=00:00:02, xdelay=00:00:00, mailer=relay,
pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
stat=Sent (Ok: queued as 644861C0B57)

Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953:
from=<[email protected]>, size=358, class=0, nrcpts=1,
msgid=<[email protected]>, proto=SMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Nov 14 20:40:04 sipx1 sendmail[31953]: qAF1e3Ao031953:
to=<[email protected]>, delay=00:00:00, mailer=relay, pri=30358,
dsn=4.4.3, stat=queued

Nov 14 20:40:15 sipx1 sendmail[32547]: qAF1e3Ao031953:
to=<[email protected]>, delay=00:00:11, xdelay=00:00:01, mailer=relay,
pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
stat=Sent (Ok: queued as ABC431C0B5B)

Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050:
from=<[email protected]>, size=358, class=0, nrcpts=1,
msgid=<[email protected]>, proto=SMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Nov 14 20:42:23 sipx1 sendmail[32050]: qAF1gMNl032050:
to=<[email protected]>, delay=00:00:00, mailer=relay, pri=30358,
dsn=4.4.3, stat=queued

Nov 14 20:42:26 sipx1 sendmail[32547]: qAF1gMNl032050:
to=<[email protected]>, delay=00:00:03, xdelay=00:00:01, mailer=relay,
pri=120358, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
stat=Sent (Ok: queued as 488DE1C0B67)

Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545:
from=<[email protected]>, size=361, class=0, nrcpts=2,
msgid=<[email protected]>, proto=SMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545:
to=<[email protected]>, delay=00:00:00, mailer=relay, pri=60361,
dsn=4.4.3, stat=queued

Nov 14 21:08:02 sipx1 sendmail[32545]: qAF280Fd032545:
to=<[email protected]>, delay=00:00:00, mailer=relay, pri=60361,
dsn=4.4.3, stat=queued

Nov 14 21:08:08 sipx1 sendmail[32547]: qAF280Fd032545:
to=<[email protected]>,<[email protected]>, delay=00:00:06,
xdelay=00:00:01, mailer=relay, pri=150361, relay=sentinel1.tranet.net.
[74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 1FAFD1BFD89)

Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549:
from=<[email protected]>, size=361, class=0, nrcpts=2,
msgid=<[email protected]>, proto=SMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549:
to=<[email protected]>, delay=00:00:01, mailer=relay, pri=60361,
dsn=4.4.3, stat=queued

Nov 14 21:08:12 sipx1 sendmail[32549]: qAF28A1h032549:
to=<[email protected]>, delay=00:00:01, mailer=relay, pri=60361,
dsn=4.4.3, stat=queued

Nov 14 21:08:23 sipx1 sendmail[32547]: qAF28A1h032549:
to=<[email protected]>,<[email protected]>, delay=00:00:12,
xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net.
[74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 4A9911BFD9F)

Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559:
from=<[email protected]>, size=361, class=0, nrcpts=2,
msgid=<[email protected]>, proto=SMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559:
to=<[email protected]>, delay=00:00:01, mailer=relay, pri=60361,
dsn=4.4.3, stat=queued

Nov 14 21:08:37 sipx1 sendmail[32559]: qAF28Z2x032559:
to=<[email protected]>, delay=00:00:01, mailer=relay, pri=60361,
dsn=4.4.3, stat=queued

Nov 14 21:08:39 sipx1 sendmail[32547]: qAF28Z2x032559:
to=<[email protected]>,<[email protected]>, delay=00:00:03,
xdelay=00:00:00, mailer=relay, pri=150361, relay=sentinel1.tranet.net.
[74.203.219.99], dsn=2.0.0, stat=Sent (Ok: queued as 62A2D1BFDAB)

Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047:
from=<[email protected]>, size=5874, class=0, nrcpts=1,
msgid=<[email protected]>, proto=SMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Nov 14 22:34:23 sipx1 sendmail[1047]: qAF3YKuO001047:
to=<[email protected]>, delay=00:00:01, mailer=relay, pri=35874,
dsn=4.4.3, stat=queued

Nov 14 22:34:25 sipx1 sendmail[32547]: qAF3YKuO001047:
to=<[email protected]>, delay=00:00:03, xdelay=00:00:02, mailer=relay,
pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
stat=Sent (Ok: queued as 479D81C0BDE)

Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176:
from=<[email protected]>, size=5874, class=0, nrcpts=1,
msgid=<[email protected]>, proto=SMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Nov 15 01:50:09 sipx1 sendmail[3176]: qAF6o7o5003176:
to=<[email protected]>, delay=00:00:01, mailer=relay, pri=35874,
dsn=4.4.3, stat=queued

Nov 15 01:50:14 sipx1 sendmail[32547]: qAF6o7o5003176:
to=<[email protected]>, delay=00:00:06, xdelay=00:00:03, mailer=relay,
pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
stat=Sent (Ok: queued as 309221C0F12)

Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123:
from=<[email protected]>, size=5874, class=0, nrcpts=1,
msgid=<[email protected]>, proto=SMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Nov 15 03:19:19 sipx1 sendmail[4123]: qAF8JHpS004123:
to=<[email protected]>, delay=00:00:00, mailer=relay, pri=35874,
dsn=4.4.3, stat=queued

Nov 15 03:19:23 sipx1 sendmail[32547]: qAF8JHpS004123:
to=<[email protected]>, delay=00:00:04, xdelay=00:00:01, mailer=relay,
pri=125874, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
stat=Sent (Ok: queued as 6B4E11C0F51)

Nov 15 03:26:33 sipx1 sendmail[4210]: qAF8Q78r004210:
from=<[email protected]>, size=5925, class=0, nrcpts=50,
msgid=<[email protected]>, proto=SMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]


As opposed to a normal entry:


Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170:
from=<postmaster@localhost>, size=335352, class=0, nrcpts=1,
msgid=<1578812003.338.1352991743551.javamail.sipxcha...@sipx1.sip.tranet.net>,
proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Nov 15 10:02:23 sipx1 sendmail[11170]: qAFF2NI4011170:
to=<[email protected]>, delay=00:00:00, mailer=relay, pri=365352,
dsn=4.4.3, stat=queued

Nov 15 10:02:40 sipx1 sendmail[10780]: qAFF2NI4011170:
to=<[email protected]>, delay=00:00:17, xdelay=00:00:14, mailer=relay,
pri=455352, relay=sentinel1.tranet.net. [74.203.219.99], dsn=2.0.0,
stat=Sent (Ok: queued as 501B41C1CBE)


So, they are being generated locally, as far as I can tell.


~Noah


On Nov 15, 2012, at 12:42 PM, Todd Hodgen <[email protected]> wrote:

+1


From: [email protected]
[mailto:[email protected]] On Behalf Of Michael Picher
Sent: Thursday, November 15, 2012 7:49 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Hacked SipXecs 4.4


yes, and using the word hacked as your subject is not particularly...
helpful...


On Thu, Nov 15, 2012 at 3:32 PM, Tony Graziano <[email protected]> wrote:

You really need to look at the mail log to see where the mail is coming from,
regardless of your firewall settings. It can actually come from inside, you
see.


On Thu, Nov 15, 2012 at 9:29 AM, Noah Mehl <[email protected]> wrote:

I am seeing more spam in my mail queue.  I have iptables installed, and here
are my rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world.
Also, sendmail is only configured to allow relay from localhost:

[root@sipx1 ~]# cat /etc/mail/access

# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY

Can someone please help me figure out where this spam is coming from?
Thanks.

~Noah


On Oct 13, 2012, at 10:17 AM, Noah Mehl <[email protected]> wrote:

> I did not change the configuration of anything related to the PlcmSpIp
user.  It does however make me feel better that it is related to the vsftpd
service and the polycom phones.
>
>> From /etc/passwd:
>
>
PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>
> So, that user cannot ssh to a shell. So I don't think it was that.
>
> ~Noah
>
> On Oct 12, 2012, at 9:05 AM, Tony Graziano <[email protected]> wrote:
>
>> ... more -- it's a user that does not have login to the OS itself, just
>> vsftpd, which is restricted to certain commands and must present a
>> request for its mac address in order to get a configuration file. It
>> is not logging into linux unless someone changed the rights of the
>> user.
>>
>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <[email protected]> wrote:
>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano <[email protected]> wrote:
>>>> this is not a valid system user unless you have manually added it to the
>>>> system. I do think the logs would show more if access was granted. Why are
>>>> you exposing sshd to the outside world with an acl or by protecting it at
>>>> your firewall?
>>>>
>>>
>>> PlcmSpIp is the user used by polycom phones for fetching config from server
>>>
>>> George
>>> _______________________________________________
>>> sipx-users mailing list
>>> [email protected]
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>>
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Tony Graziano, Manager
>> Telephone: 434.984.8430
>> sip: [email protected]
>> Fax: 434.465.6833
>> ~~~~~~~~~~~~~~~~~~
>> Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>> Ask about our Internet Fax services!
>> ~~~~~~~~~~~~~~~~~~
>>
>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
>>
>> --
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: [email protected]
>>
>> Helpdesk Customers: http://myhelp.myitdepartment.net
>> Blog: http://blog.myitdepartment.net
>
>
> Scanned for viruses and content by the Tranet Spam Sentinel service.







-- 
Michael Picher, Director of Technical Services
eZuce, Inc.

300 Brickstone Square

Suite 201

Andover, MA. 01810

O.978-296-1005 X2015 
M.207-956-0262
@mpicher http://twitter.com/mpicher

linkedin: http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro
www.ezuce.com


------------------------------------------------------------------------------------------------------------

There are 10 kinds of people in the world, those who understand binary and
those who don't.


