[plug] Possible Crack

[Nikhil Jogia]

skribe productions wrote:
> Hey folks:
>
> I think my mailserver has been cracked.  It's on a fully updated 
> Debian Sarge running Postfix.
>
> I woke up this morning to find this:
>
> Mar  6 07:56:47 caliban postfix/smtp[7632]: C3B4C42607: to=
> <anatoliy at zlat.dp.ua>, relay=webhoster.dp.ua[195.24.144.32 <http://195.24.144.32>], delay=9, status=deferred (host webhoster.dp.ua[
> 195.24.144.32 <http://195.24.144.32>] refused to talk to me: 421 4.4.5 Directory harvest attack detected)
>
> Now my mail queue is full of:
>
> Mar  6 12:10:12 caliban postfix/smtp[12294]: 7362B42DCC: to=
> <bvsuxar at of.racial.attack.com>, relay=of.racial.attack.com[67.107.40.9 <http://67.107.40.9>], delay=1705, status=deferred (host of.racial.attack.com[67.107.40.9 <http://67.107.40.9>] refused to talk to me: 554 
> 5.7.1 chifw001.inforte.com <http://chifw001.inforte.com> Connection not authorized)
> Mar  6 12:13:53 caliban postfix/smtp[12239]: 8AACB43170: to=
> <job at novattack.com.ua>, relay=omega.uar.net[194.44.214.39 <http://194.44.214.39>], delay=145, status=bounced (host omega.uar.net[194.44.214.39 <http://194.44.214.39>] said: 554 5.7.1 Dynamic address 
> dsl-58-6-5-170.wa.westnet.com.au <http://dsl-58-6-5-170.wa.westnet.com.au> [58.6.5.170 <http://58.6.5.170>] , use your provider's SMTP-server (in reply to RCPT TO command))
> Mar  6 12:16:50 caliban postfix/qmgr[11082]: 64ED34316E: from=
> <sb at art.attack.com>, size=5678, nrcpt=4 (queue active)
>   
>
> Suggestions?
>
> skribe
> -- 
> One dog said to the other -
>
> http://onedogsaid.blogspot.com
> ------------------------------------------------------------------------
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
>   
My money's on an mail header injection attack. Are you running a web 
server on the same machine?