Spammails - Server kompromittiert

Moonraker136 · May 23rd 2018

Hallo ihr Lieben, könnt ihr mir wohl helfen? Ich denke mein Server wurde gehackt, aber ich weiß nicht so ganz wie und was ich jetzt machen kann.

Debian 8

mail.log:

Code

May 20 17:36:07 server1 postfix/smtpd[13786]: connect from ds7478.dedicated.turbodns.co.uk[94.136.53.87]
May 20 17:36:09 server1 postfix/smtpd[13786]: warning: ds7478.dedicated.turbodns.co.uk[94.136.53.87]: SASL LOGIN authentication failed: UGFzc3
May 20 17:36:09 server1 postfix/smtpd[13786]: lost connection after AUTH from ds7478.dedicated.turbodns.co.uk[94.136.53.87]
May 20 17:36:09 server1 postfix/smtpd[13786]: disconnect from ds7478.dedicated.turbodns.co.uk[94.136.53.87]
May 20 17:36:49 server1 postfix/smtpd[13786]: connect from unknown[195.22.125.28]
May 20 17:36:52 server1 postfix/smtpd[13786]: warning: unknown[195.22.125.28]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 20 17:36:52 server1 postfix/smtpd[13786]: disconnect from unknown[195.22.125.28]
May 20 17:40:12 server1 postfix/anvil[13787]: statistics: max connection rate 1/60s for (smtp:94.136.53.87) at May 20 17:36:07
May 20 17:40:12 server1 postfix/anvil[13787]: statistics: max connection count 1 for (smtp:94.136.53.87) at May 20 17:36:07
May 20 17:40:12 server1 postfix/anvil[13787]: statistics: max cache size 2 at May 20 17:36:49
May 20 17:51:56 server1 dovecot: imap-login: Login: user=<info@axxxx.de>, method=PLAIN, rip=80.187.102.170, lip=46.38.235.184, mpid=1384
May 20 17:57:23 server1 postfix/smtpd[13845]: connect from ds7478.dedicated.turbodns.co.uk[94.136.53.87]
May 20 17:57:26 server1 postfix/smtpd[13845]: warning: ds7478.dedicated.turbodns.co.uk[94.136.53.87]: SASL LOGIN authentication failed: UGFzc3
May 20 17:57:26 server1 postfix/smtpd[13845]: lost connection after AUTH from ds7478.dedicated.turbodns.co.uk[94.136.53.87]
May 20 17:57:26 server1 postfix/smtpd[13845]: disconnect from ds7478.dedicated.turbodns.co.uk[94.136.53.87]
May 20 18:00:34 server1 postfix/smtpd[13921]: warning: hostname server2.axxxx.de does not resolve to address 173.212.226.117
May 20 18:00:34 server1 postfix/smtpd[13921]: connect from unknown[173.212.226.117]
May 20 18:00:34 server1 postfix/smtpd[13921]: CD72D60C41: client=unknown[173.212.226.117]
May 20 18:00:34 server1 postfix/cleanup[13925]: CD72D60C41: message-id=<20180520160034.8F8861140B5D@server2.axxx.de>
May 20 18:00:34 server1 postfix/qmgr[21149]: CD72D60C41: from=<fail2ban@server2.axxxx.de>, size=12103, nrcpt=1 (queue active)
May 20 18:00:34 server1 postfix/smtpd[13921]: disconnect from unknown[173.212.226.117]
May 20 18:00:34 server1 dovecot: lda(fail@axxxxx.de): msgid=<20180520160034.8F8861140B5D@server2.axxxx.de>: saved mail to INBOX
May 20 18:00:34 server1 postfix/pipe[13926]: CD72D60C41: to=<fail@axxxxx.de>, relay=dovecot, delay=0.12, delays=0.03/0.01/0/0.07, dsn=2.0
May 20 18:00:34 server1 postfix/qmgr[21149]: CD72D60C41: removed
May 20 18:01:22 server1 postfix/smtpd[13921]: warning: hostname server2.axxxxx.de does not resolve to address 173.212.226.117
May 20 18:01:22 server1 postfix/smtpd[13921]: connect from unknown[173.212.226.117]
May 20 18:01:22 server1 postfix/smtpd[13921]: C84F460C41: client=unknown[173.212.226.117]
May 20 18:01:22 server1 postfix/cleanup[13925]: C84F460C41: message-id=<20180520160122.B74E71140B5D@server2.axxxxx.de>
May 20 18:01:22 server1 postfix/qmgr[21149]: C84F460C41: from=<fail2ban@server2.axxxx.de>, size=14437, nrcpt=1 (queue active)
May 20 18:01:22 server1 postfix/smtpd[13921]: disconnect from unknown[173.212.226.117]
May 20 18:01:22 server1 dovecot: lda(fail@axxxx.de): msgid=<20180520160122.B74E71140B5D@server2.axxxx.de>: saved mail to INBOX
May 20 18:01:22 server1 postfix/pipe[13926]: C84F460C41: to=<fail@axxx.de>, relay=dovecot, delay=0.14, delays=0.03/0/0/0.11, dsn=2.0.0,
May 20 18:01:22 server1 postfix/qmgr[21149]: C84F460C41: removed
May 20 18:04:43 server1 postfix/anvil[13846]: statistics: max connection rate 2/60s for (smtp:173.212.226.117) at May 20 18:01:22
May 20 18:04:43 server1 postfix/anvil[13846]: statistics: max connection count 1 for (smtp:94.136.53.87) at May 20 17:57:23
May 20 18:04:43 server1 postfix/anvil[13846]: statistics: max cache size 1 at May 20 17:57:23
May 20 18:17:38 server1 postfix/sendmail[13987]: fatal: usage: sendmail [options]
May 20 18:18:47 server1 postfix/smtpd[13988]: connect from ds7478.dedicated.turbodns.co.uk[94.136.53.87]
May 20 18:18:49 server1 postfix/smtpd[13988]: warning: ds7478.dedicated.turbodns.co.uk[94.136.53.87]: SASL LOGIN authentication failed: UGFzc3
May 20 18:18:49 server1 postfix/smtpd[13988]: disconnect from ds7478.dedicated.turbodns.co.uk[94.136.53.87]
May 20 18:20:23 server1 dovecot: imap(info@xxx): Disconnected: Logged out in=3071 out=5687
May 20 18:20:23 server1 dovecot: imap(info@xxx.de): Disconnected: Logged out in=9841 out=28250
May 20 18:20:23 server1 dovecot: imap(info@xxx.de): Disconnected: Logged out in=150 out=836
May 20 18:20:40 server1 dovecot: imap-login: Login: user=<info@axxx.de>, method=PLAIN, rip=80.187.102.170, lip=46.38.235.184, mpid=1399
May 20 18:22:09 server1 postfix/anvil[13989]: statistics: max connection rate 1/60s for (smtp:94.136.53.87) at May 20 18:18:47
May 20 18:22:09 server1 postfix/anvil[13989]: statistics: max connection count 1 for (smtp:94.136.53.87) at May 20 18:18:47
May 20 18:22:09 server1 postfix/anvil[13989]: statistics: max cache size 1 at May 20 18:18:47
May 20 18:22:10 server1 dovecot: imap-login: Login: user=<info@axxxs.de>, method=PLAIN, rip=80.187.102.170, lip=46.38.235.184, mpid=1400
May 20 18:23:33 server1 dovecot: imap(info@axxxx.de): Disconnected: Logged out in=1524 out=4982
May 20 18:23:33 server1 dovecot: imap(info@axxxx.de): Disconnected: Logged out in=382 out=1490

Display More

**Nuxwin** · May 23rd 2018

What makes you think that you have been hacked?

**TheCry** · May 23rd 2018

Hast Du irgendetwas auf Deinem Server eingerichtet um solche Meldungen zu prüfen

Code

warning: ds7478.dedicated.turbodns.co.uk[94.136.53.87]: SASL LOGIN authentication failed: UGFzc3

Dafür gibt es Fail2Ban..

**Nuxwin** · May 23rd 2018

Quote from TheCry

warning: ds7478.dedicated.turbodns.co.uk[94.136.53.87]: SASL LOGIN authentication failed: UGFzc3

But that doesn't mean that it server has been hacked... That's why I asked him... The problem with people that don't known much about how the services are working is that they are getting stressed each time they see a simple warning. Fail2ban will help mitigate dictionary attacks but this will not help him to understand how the thing is working

Moonraker136 · May 23rd 2018

I do get a lot of "undelivered mail returned to sender"

First I thought it might be a compromised php website and I catched all the phpmails, but they havent been the issue.

Code

20.5. 18:02 was the outgouing mail
Final-Recipient: rfc822; dr.malinka@azet.sk
Original-Recipient: rfc822;dr.malinka@azet.sk
Action: failed
Status: 5.1.1
Remote-MTA: dns; 127.0.0.1
Diagnostic-Code: smtp; 550 5.1.1 <dr.malinka@azet.sk>: Recipient address
rejected: User unknown

it might also be possible that I only get rebounds of the mailservers who doesnt check rdns and think that for example server2.axxx.de is one of my servers

**TheCry** · May 23rd 2018

This is no indiez for hacking your server. Possibly a customer has sent a newsletter and there are so many returns

Moonraker136 · May 23rd 2018

This is the mail content, and there are a few similar mails every day

Code

Witaj! Jak ci mija dzień? Nazywam się Ainagul.
Mam 30 lat. Jestem wolną kobietą. Nie mam dzieci. Mam wyższe wykształcenie.
Chcę znaleźć kogoś, z kim się zrozumiemy i podzielimy się z nami swoimi opiniami.
Chcę poznać wiernego, niezawodnego, kochającego człowieka, który będzie dla zdrowego związku.
Ważne jest, aby człowiek docenił związek i zrozumienie. Był gotowy dla rodziny.
Nie będę grać w gry. Chcę znaleźć poważnego człowieka, który nie będzie się ze mną bawić.
Możesz napisać na mój adres e-mail: paradies.sun02@gmail.com
poczekam na Twoją odpowiedź
Z poważaniem, Ainagul.

Display More

**FISA4** · Jun 1st 2018

Hi @Moonraker136,

ein ähnliches Problem hatte ich im Januar und April.
Da wurde nicht mein Server gehackt, sondern es wurde von vServern eines Mitbewerbers in meinem Namen SPAM verschickt.

Schau Dir den kompletten Quelltext der Mail an und such dort nach dem letzten Received from

BEISPIEL:

Code

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of
its recipients. This is a permanent error. The following address(es)
failed:
xxxxxx@t-online.de:
SMTP error from remote server for RCPT TO command, host: mx01.t-online.de (1.2.3.7) reason: 550-5.1.1 user unknown
550 5.1.1 Unknown recipient.
--- The header of the original message is following. ---
Received: from [2.2.1.1] ([2.2.1.1]) by mx-ha.web.de (mxweb012
[2.2.1.1]) with ESMTP (Nemesis) id 1MuTjC-1eycFf3lPG-00rYqx for
<xxxxx@t-online.de>; Tue, 30 Jan 2018 15:41:37 +0100
Received: from a.u.de ([1.2.2.1]) by mx-ha.web.de (mxweb012
[2.2.1.1]) with ESMTP (Nemesis) id 1M1XYt-1ejZNK3lIB-0031dS for
<xxxxxx@web.de>; Tue, 30 Jan 2018 15:41:37 +0100
Received: from vps-xxxxxx.xxxxxxx-xxxx.com (vps-xxxxxxxx-xxxxx.xxxxx-xxxxx.com [999.999.999.999])
(Authenticated sender: info@meinedomain.de)
by a.u.de (Postfix) with ESMTPA id 5AEB6C2363
for <xxxxxx@web.de>; Tue, 30 Jan 2018 15:41:37 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.9.2 a.u.de 5AEB6C2363

Display More

Der Bereich:
Received: from vps-xxxxxx.xxxxxxx-xxxx.com (vps-xxxxxxxx-xxxxx.xxxxx-xxxxx.com [999.999.999.999]) <-- NICHT MEIN SERVER
Meiner ist der 1.2.2.1

Nachdem ich mit dem Anbieter gesprochen habe und die den vServer vom Netz genommen haben, war Ruhe.

Schau mal ob das bei Dir auch so ist. Wenn ja, dann such den Anbieter und klopf ihm auf die Finger.

Spammails - Server kompromittiert

Nuxwin Oct 24th 2019

Share

Daily visitors