[plug] Possible Crack
Ben Jensz
plug at jensz.id.au
Tue Mar 6 13:47:22 WST 2007
Grab one of the messages and postcat it to view the headers:
e.g. postcat -q C3B4C42607 | less (as root, or an equivalent user with sudo access)
It'll show you where the message originated from (only trust the set of
headers added by Postfix though, as others are often very convincingly
forged). If you're running a web server with any form2mail type
scripts, it could be possible that this is being used to inject email
into your local Postfix queues.
Mail me the headers off-list if you need a hand.
/ Ben
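As an added illustration of the advice above (this is not code from the thread, from Ben, or from Postfix itself), here is a small Python script that reads the output of postcat -q for a queued message, unfolds the headers, and looks only at the topmost Received: header, the one the local Postfix wrote. Postfix writes that header in two shapes: "Received: by HOST (Postfix, from userid N)" when a local process handed the message to sendmail(1), and "Received: from HELO (rDNS [IP]) by HOST (Postfix)" when it arrived over SMTP. The first shape with a userid of the web server (33 is www-data on Debian) is exactly the form2mail case; the second gives the connecting IP. Everything below that header is counted but not believed. The script assumes a local hostname of caliban.example.net (only "caliban" comes from the logs) and embeds two constructed postcat samples; the queue ids are from the thread, all addresses, hosts and IPs are made up.

```python
import re
import sys

# Assumption: the FQDN the local Postfix writes into the Received headers
# it adds ($myhostname). "caliban" is the host in the logs; the domain is made up.
LOCAL_HOST = "caliban.example.net"

# Constructed sample of `postcat -q C3B4C42607` for a message submitted by a
# local script through sendmail(1). Only the queue id comes from the thread.
SAMPLE_LOCAL = """\
*** ENVELOPE RECORDS deferred/C/C3B4C42607 ***
message_arrival_time: Tue Mar  6 07:56:38 2007
sender_fullname: www-data
sender: www-data@caliban.example.net
*** MESSAGE CONTENTS deferred/C/C3B4C42607 ***
Received: by caliban.example.net (Postfix, from userid 33)
\tid C3B4C42607; Tue,  6 Mar 2007 07:56:38 +0800 (WST)
Received: from mail.bigbank.example (mail.bigbank.example [192.0.2.10])
\tby relay.example.org (Postfix) with ESMTP id ABCDEF0123
To: anatoliy@zlat.dp.ua
From: "Support" <support@bigbank.example>
Subject: Account notice
Message-ID: <20070306075638.C3B4C42607@caliban.example.net>

Body text.
*** HEADER EXTRACTED deferred/C/C3B4C42607 ***
*** MESSAGE FILE END deferred/C/C3B4C42607 ***
"""

# Constructed sample for a message that came in over SMTP from an outside
# host and carries two further Received headers that it brought with it.
SAMPLE_SMTP = """\
*** ENVELOPE RECORDS deferred/7/7362B42DCC ***
sender: sb@example.com
*** MESSAGE CONTENTS deferred/7/7362B42DCC ***
Received: from localhost (unknown [203.0.113.77])
\tby caliban.example.net (Postfix) with ESMTP id 7362B42DCC
\tfor <bvsuxar@example.net>; Tue,  6 Mar 2007 11:41:47 +0800 (WST)
Received: from mx.forged.example (mx.forged.example [198.51.100.5])
\tby localhost (Postfix) with ESMTP id 00000001
Received: from [10.0.0.5] by mx.forged.example with SMTP; Tue, 6 Mar 2007 03:40:00 +0000
To: bvsuxar@example.net
Subject: hello

Body text.
*** MESSAGE FILE END deferred/7/7362B42DCC ***
"""


def extract_headers(postcat_output):
    """Return the queued message's header block as a list of unfolded lines."""
    lines = postcat_output.splitlines()
    start = None
    for i, line in enumerate(lines):
        if line.startswith("*** MESSAGE CONTENTS"):
            start = i + 1
            break
    if start is None:
        raise ValueError("no '*** MESSAGE CONTENTS' section in postcat output")
    headers = []
    for line in lines[start:]:
        if line == "":                      # blank line ends the header block
            break
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()   # unfold a continuation line
        else:
            headers.append(line)
    return headers


# The two Received: shapes Postfix itself writes.
# Local submission via sendmail(1)/pickup (e.g. a PHP form script):
LOCAL_RE = re.compile(r"^Received: by (\S+) \(Postfix, from userid (\d+)\)")
# Delivery over SMTP: "from HELO (rDNS [IP]) ... by HOST (Postfix) ..."
SMTP_RE = re.compile(
    r"^Received: from (\S+) \((\S+) \[([0-9A-Fa-f.:]+)\]\).*?\bby (\S+) \(Postfix\)"
)


def classify_origin(postcat_output, local_host=LOCAL_HOST):
    """Report how the message entered the local Postfix, judged only from the
    topmost Received header (the one our own Postfix added). The Received
    headers below it arrived inside the message and may be forged."""
    received = [h for h in extract_headers(postcat_output) if h.startswith("Received:")]
    if not received:
        return {"kind": "unknown", "reason": "no Received headers"}
    top, untrusted = received[0], len(received) - 1
    m = LOCAL_RE.match(top)
    if m and m.group(1) == local_host:
        # userid 33 is www-data on Debian: a web script handed this to sendmail(1)
        return {"kind": "local-submission", "userid": int(m.group(2)),
                "untrusted_received": untrusted}
    m = SMTP_RE.match(top)
    if m and m.group(4) == local_host:
        return {"kind": "smtp", "helo": m.group(1), "rdns": m.group(2),
                "ip": m.group(3), "untrusted_received": untrusted}
    return {"kind": "unknown", "untrusted_received": untrusted + 1,
            "reason": "topmost Received header was not written by " + local_host}


if __name__ == "__main__":
    # Usage: postcat -q C3B4C42607 | python3 origin.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOCAL
    print(classify_origin(data))
```

Run it as "postcat -q QUEUEID | python3 origin.py" with LOCAL_HOST set to your own $myhostname; a result of "local-submission" with the web server's uid points at a script on the box, while "smtp" gives the client IP to look up in the Postfix log.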
skribe productions wrote:
> Hey folks:
>
> I think my mailserver has been cracked. It's on a fully updated
> Debian Sarge running Postfix.
>
> I woke up this morning to find this:
>
> Mar 6 07:56:47 caliban postfix/smtp[7632]: C3B4C42607: to=<anatoliy at zlat.dp.ua>, relay=webhoster.dp.ua[195.24.144.32], delay=9, status=deferred (host webhoster.dp.ua[195.24.144.32] refused to talk to me: 421 4.4.5 Directory harvest attack detected)
>
> Now my mail queue is full of:
>
> Mar 6 12:10:12 caliban postfix/smtp[12294]: 7362B42DCC: to=<bvsuxar at of.racial.attack.com>, relay=of.racial.attack.com[67.107.40.9], delay=1705, status=deferred (host of.racial.attack.com[67.107.40.9] refused to talk to me: 554 5.7.1 chifw001.inforte.com Connection not authorized)
> Mar 6 12:13:53 caliban postfix/smtp[12239]: 8AACB43170: to=<job at novattack.com.ua>, relay=omega.uar.net[194.44.214.39], delay=145, status=bounced (host omega.uar.net[194.44.214.39] said: 554 5.7.1 Dynamic address dsl-58-6-5-170.wa.westnet.com.au [58.6.5.170] , use your provider's SMTP-server (in reply to RCPT TO command))
> Mar 6 12:16:50 caliban postfix/qmgr[11082]: 64ED34316E: from=<sb at art.attack.com>, size=5678, nrcpt=4 (queue active)
>
>
> Suggestions?
>
> skribe
> --
> One dog said to the other -
>
> http://onedogsaid.blogspot.com