qmail, hacked

Anonymous

qmail, hacked

Post by Anonymous »

Yes, I'm currently getting nicely flooded with spam mails here on root. That is: somewhere there's a password leak or similar, and now of course a bot is sending spam mails through my server.

smtp is already shut down and I'm currently trying to analyze the logs. However, the logs in /var/log/mail spit out nothing but useless stuff, such as:
Jul 31 11:54:30 h693607 qmail: 1185875670.790529 delivery 43: success: did_0+0+1/
Jul 31 11:54:30 h693607 qmail: 1185875670.790840 status: local 0/10 remote 0/20
Jul 31 11:54:30 h693607 qmail: 1185875670.790877 end msg 8800126
Jul 31 11:54:39 h693607 qmail: 1185875679.813376 starting delivery 44: msg 8799675 to remote ijen@symmakia.com
Jul 31 11:54:39 h693607 qmail: 1185875679.813647 status: local 0/10 remote 1/20
Jul 31 11:54:42 h693607 qmail: 1185875682.865509 delivery 44: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
Jul 31 11:54:42 h693607 qmail: 1185875682.865698 status: local 0/10 remote 0/20
Jul 31 11:55:01 h693607 qmail: 1185875701.867576 new msg 8798344
Jul 31 11:55:01 h693607 qmail: 1185875701.867855 info msg 8798344: bytes 514 from <anonymous@h693607.serverkompetenz.net> qp 8650 uid 0
Jul 31 11:55:02 h693607 qmail: 1185875702.068158 starting delivery 45: msg 8798344 to local h693607.serverkompetenz.net-root@h693607.serverkompetenz.net
Jul 31 11:55:02 h693607 qmail: 1185875702.068490 status: local 1/10 remote 0/20
Jul 31 11:55:02 h693607 qmail: 1185875702.138843 new msg 8799700
Jul 31 11:55:02 h693607 qmail: 1185875702.139164 info msg 8799700: bytes 728 from <anonymous@h693607.serverkompetenz.net> qp 8664 uid 0
Jul 31 11:55:02 h693607 qmail: 1185875702.270590 starting delivery 46: msg 8799700 to local h693607.serverkompetenz.net-root@h693607.serverkompetenz.net
Jul 31 11:55:02 h693607 qmail: 1185875702.270861 status: local 2/10 remote 0/20
Jul 31 11:55:02 h693607 qmail: 1185875702.274967 delivery 45: success: did_0+0+1/
Jul 31 11:55:02 h693607 qmail: 1185875702.275429 status: local 1/10 remote 0/20
Jul 31 11:55:02 h693607 qmail: 1185875702.275617 end msg 8798344
Jul 31 11:55:02 h693607 qmail: 1185875702.341598 delivery 46: success: did_0+0+1/
Jul 31 11:55:02 h693607 qmail: 1185875702.341677 status: local 0/10 remote 0/20
Jul 31 11:55:02 h693607 qmail: 1185875702.341699 end msg 8799700
Jul 31 11:56:01 h693607 qmail: 1185875761.346055 new msg 8799699
Jul 31 11:56:01 h693607 qmail: 1185875761.346458 info msg 8799699: bytes 514 from <anonymous@h693607.serverkompetenz.net> qp 8702 uid 0
Jul 31 11:56:01 h693607 qmail: 1185875761.523980 starting delivery 47: msg 8799699 to local h693607.serverkompetenz.net-root@h693607.serverkompetenz.net
Jul 31 11:56:01 h693607 qmail: 1185875761.524300 status: local 1/10 remote 0/20
Jul 31 11:56:01 h693607 qmail: 1185875761.598123 new msg 8799800
Jul 31 11:56:01 h693607 qmail: 1185875761.598498 info msg 8799800: bytes 728 from <anonymous@h693607.serverkompetenz.net> qp 8716 uid 0
Jul 31 11:56:01 h693607 qmail: 1185875761.734091 starting delivery 48: msg 8799800 to local h693607.serverkompetenz.net-root@h693607.serverkompetenz.net
Jul 31 11:56:01 h693607 qmail: 1185875761.734349 status: local 2/10 remote 0/20
Jul 31 11:56:01 h693607 qmail: 1185875761.738381 delivery 47: success: did_0+0+1/
Jul 31 11:56:01 h693607 qmail: 1185875761.738855 status: local 1/10 remote 0/20
Jul 31 11:56:01 h693607 qmail: 1185875761.739043 end msg 8799699
Jul 31 11:56:01 h693607 qmail: 1185875761.809399 delivery 48: success: did_0+0+1/
Jul 31 11:56:01 h693607 qmail: 1185875761.809494 status: local 0/10 remote 0/20
Jul 31 11:56:01 h693607 qmail: 1185875761.809517 end msg 8799800
Jul 31 11:57:01 h693607 qmail: 1185875821.856431 new msg 8799699
Jul 31 11:57:01 h693607 qmail: 1185875821.856709 info msg 8799699: bytes 514 from <anonymous@h693607.serverkompetenz.net> qp 8748 uid 0
Jul 31 11:57:02 h693607 qmail: 1185875822.046903 starting delivery 49: msg 8799699 to local h693607.serverkompetenz.net-root@h693607.serverkompetenz.net
Jul 31 11:57:02 h693607 qmail: 1185875822.047186 status: local 1/10 remote 0/20
Jul 31 11:57:02 h693607 qmail: 1185875822.115017 new msg 8799800
Jul 31 11:57:02 h693607 qmail: 1185875822.115368 info msg 8799800: bytes 728 from <anonymous@h693607.serverkompetenz.net> qp 8766 uid 0
Jul 31 11:57:02 h693607 qmail: 1185875822.249275 starting delivery 50: msg 8799800 to local h693607.serverkompetenz.net-root@h693607.serverkompetenz.net
Jul 31 11:57:02 h693607 qmail: 1185875822.249569 status: local 2/10 remote 0/20
Jul 31 11:57:02 h693607 qmail: 1185875822.253677 delivery 49: success: did_0+0+1/
Jul 31 11:57:02 h693607 qmail: 1185875822.254102 status: local 1/10 remote 0/20
Jul 31 11:57:02 h693607 qmail: 1185875822.254284 end msg 8799699
Jul 31 11:57:02 h693607 qmail: 1185875822.319964 delivery 50: success: did_0+0+1/
Jul 31 11:57:02 h693607 qmail: 1185875822.320042 status: local 0/10 remote 0/20
Jul 31 11:57:02 h693607 qmail: 1185875822.320064 end msg 8799800
Jul 31 11:57:12 h693607 qmail: 1185875832.891161 status: exiting
so... how/where can one read out the accounts that were used to send the mails?

been stuck on this for a good hour already and searching myself to death...

kenzo
RSAC
Posts: 530
Joined: 2003-07-15 20:30

Re: qmail, hacked

Post by kenzo »


Jul 31 11:57:02 h693607 qmail: 1185875822.115368 info msg 8799800: bytes 728 from <anonymous@h693607.serverkompetenz.net> qp 8766 uid 0
It's all right there - your root account is sending the stuff. So either it is compromised or one of your services runs as root - both are unpleasant.
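As an added example (not from the thread), a small Python script that does what the first poster asked for: it reads the qmail-send "info msg ... uid N" and "starting delivery" records from the syslog lines and groups injected messages and their deliveries by the injecting uid, so a uid 0 with remote deliveries stands out the way kenzo describes. The sample log is partly taken from the thread and partly constructed (the "info msg 8799675" line and the uid 1001 message are made up for contrast).

```python
import re
from collections import Counter, defaultdict

# The two qmail-send record types that carry attribution:
# "info msg" says who injected a message (envelope sender, queue pid, uid),
# "starting delivery" says where it went (local mailbox or remote host).
INFO_RE = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
DELIVERY_RE = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) (\S+)")


def summarize_qmail(lines):
    """Group injected messages and their deliveries by the injecting uid."""
    # qmail message ids are queue inode numbers and get reused, so keep only
    # the most recent injection seen for each id.
    origin = {}
    stats = defaultdict(lambda: {"injected": 0, "local": 0, "remote": 0,
                                 "senders": Counter(), "remote_rcpts": Counter()})
    for line in lines:
        m = INFO_RE.search(line)
        if m:
            msgid, sender, uid = m.group(1), m.group(2), int(m.group(3))
            origin[msgid] = uid
            stats[uid]["injected"] += 1
            stats[uid]["senders"][sender] += 1
            continue
        d = DELIVERY_RE.search(line)
        if d and d.group(1) in origin:
            uid = origin[d.group(1)]
            stats[uid][d.group(2)] += 1
            if d.group(2) == "remote":
                stats[uid]["remote_rcpts"][d.group(3)] += 1
    return dict(stats)


def uids_sending_remote(stats):
    """Uids whose messages left the box; uid 0 means root itself injected them."""
    return sorted(uid for uid, s in stats.items() if s["remote"] > 0)


# Constructed sample: lines 2-4 are from the thread, the first and the last two are made up.
SAMPLE_LOG = """\
Jul 31 11:54:30 h693607 qmail: 1185875670.100000 info msg 8799675: bytes 2048 from <anonymous@h693607.serverkompetenz.net> qp 8600 uid 0
Jul 31 11:54:39 h693607 qmail: 1185875679.813376 starting delivery 44: msg 8799675 to remote ijen@symmakia.com
Jul 31 11:55:01 h693607 qmail: 1185875701.867855 info msg 8798344: bytes 514 from <anonymous@h693607.serverkompetenz.net> qp 8650 uid 0
Jul 31 11:55:02 h693607 qmail: 1185875702.068158 starting delivery 45: msg 8798344 to local h693607.serverkompetenz.net-root@h693607.serverkompetenz.net
Jul 31 11:58:10 h693607 qmail: 1185875890.000000 info msg 8799901: bytes 900 from <www-data@h693607.serverkompetenz.net> qp 8801 uid 1001
Jul 31 11:58:11 h693607 qmail: 1185875891.000000 starting delivery 51: msg 8799901 to remote someone@example.org
"""

if __name__ == "__main__":
    report = summarize_qmail(SAMPLE_LOG.splitlines())
    for uid, s in sorted(report.items()):
        print(uid, s["injected"], "injected,", s["remote"], "remote,", dict(s["senders"]))
    print("uids with outbound mail:", uids_sending_remote(report))
```

Run it against the real /var/log/mail instead of SAMPLE_LOG to see which uid and envelope sender account for the outbound queue.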

Anonymous

Re: qmail, hacked

Post by Anonymous »

Jul 31 06:26:37 h693607 sshd[6066]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:26:38 h693607 sshd[6068]: Invalid user dave from ::ffff:190.24.131.42
Jul 31 06:26:38 h693607 sshd[6068]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:26:40 h693607 sshd[6070]: Invalid user dave from ::ffff:190.24.131.42
Jul 31 06:26:40 h693607 sshd[6070]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:26:42 h693607 sshd[6072]: Invalid user dave from ::ffff:190.24.131.42
Jul 31 06:26:42 h693607 sshd[6072]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:26:44 h693607 sshd[6074]: Invalid user dave from ::ffff:190.24.131.42
Jul 31 06:26:44 h693607 sshd[6074]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:26:46 h693607 sshd[6076]: Invalid user dave from ::ffff:190.24.131.42
Jul 31 06:26:46 h693607 sshd[6076]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:26:48 h693607 sshd[6078]: Invalid user dave from ::ffff:190.24.131.42
Jul 31 06:26:48 h693607 sshd[6078]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:26:50 h693607 sshd[6080]: Invalid user dave from ::ffff:190.24.131.42
Jul 31 06:26:50 h693607 sshd[6080]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:26:52 h693607 sshd[6092]: Invalid user david from ::ffff:190.24.131.42
Jul 31 06:26:52 h693607 sshd[6092]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:26:54 h693607 sshd[6094]: Invalid user david from ::ffff:190.24.131.42
Jul 31 06:26:54 h693607 sshd[6094]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:26:56 h693607 sshd[6096]: Invalid user david from ::ffff:190.24.131.42
Jul 31 06:26:56 h693607 sshd[6096]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:26:58 h693607 sshd[6098]: Invalid user david from ::ffff:190.24.131.42
Jul 31 06:26:58 h693607 sshd[6098]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:00 h693607 sshd[6100]: Invalid user david from ::ffff:190.24.131.42
Jul 31 06:27:00 h693607 sshd[6100]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:01 h693607 /usr/sbin/cron[6105]: (root) CMD (php5 /home/c/clansuite.com/public_html/serverstats/update.php)
Jul 31 06:27:01 h693607 /usr/sbin/cron[6107]: (root) CMD (/srv/makestats > /dev/null)
Jul 31 06:27:01 h693607 /usr/sbin/cron[6109]: (root) CMD (/usr/local/visas/server/visas-event.sh)
Jul 31 06:27:02 h693607 sshd[6102]: Invalid user david from ::ffff:190.24.131.42
Jul 31 06:27:02 h693607 sshd[6102]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:04 h693607 sshd[6152]: Invalid user kevin from ::ffff:190.24.131.42
Jul 31 06:27:04 h693607 sshd[6152]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:06 h693607 sshd[6154]: Invalid user kevin from ::ffff:190.24.131.42
Jul 31 06:27:06 h693607 sshd[6154]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:08 h693607 sshd[6156]: Invalid user kevin from ::ffff:190.24.131.42
Jul 31 06:27:08 h693607 sshd[6156]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:10 h693607 sshd[6158]: Invalid user kevin from ::ffff:190.24.131.42
Jul 31 06:27:10 h693607 sshd[6158]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:11 h693607 sshd[6160]: Invalid user kevin from ::ffff:190.24.131.42
Jul 31 06:27:11 h693607 sshd[6160]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:16 h693607 sshd[6162]: Invalid user kevin from ::ffff:190.24.131.42
Jul 31 06:27:16 h693607 sshd[6162]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:18 h693607 sshd[6165]: Invalid user susan from ::ffff:190.24.131.42
Jul 31 06:27:18 h693607 sshd[6165]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:20 h693607 sshd[6167]: Invalid user susan from ::ffff:190.24.131.42
Jul 31 06:27:20 h693607 sshd[6167]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:22 h693607 sshd[6169]: Invalid user susan from ::ffff:190.24.131.42
Jul 31 06:27:22 h693607 sshd[6169]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:24 h693607 sshd[6171]: Invalid user susan from ::ffff:190.24.131.42
Jul 31 06:27:24 h693607 sshd[6171]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:26 h693607 sshd[6173]: Invalid user susan from ::ffff:190.24.131.42
Jul 31 06:27:26 h693607 sshd[6173]: reverse mapping checking getaddrinfo for corporativos24131-42.static.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jul 31 06:27:28 h693607 sshd[6175]: Invalid user susan from ::ffff:190.24.131.42
alright - compromised

I'll go put the logs together for the police then and file a criminal complaint tomorrow.
thanks for the reply.