[BlueOnyx:04708] Re: send mail Relay exploit

Chuck Tetlow chuck at tetlow.net
Mon Jun 7 18:49:11 -05 2010


And while you're at it - block their further attempts to find/exploit another username/password.

The easiest way to do it - block it with IP Tables.  Use this to block that one IP:
/sbin/iptables -I acctin 1 -s 41.210.18.88/32 -j DROP

But since changing their IP is easy, I'd recommend blocking at least the whole /24 network they are on.  Use
/sbin/iptables -I acctin 1 -s 41.210.18.0/24 -j DROP

In my own case, I couldn't care less about e-mails from Ghana.  I'd lock out the entire block of IPs assigned to that country with
/sbin/iptables -I acctin 1 -s 41.210.0.0/16 -j DROP

Any of these rules will block further traffic from that IP or their networks.  But remember - this is temporary.  The next time you boot the server, or create a website - IP Tables are reloaded and your temp rule is gone.  Then they're back at your server.  Making the rule permanent is a bit more involved.

Chuck

---------- Original Message -----------
From: Michael Stauber <mstauber at blueonyx.it> 
To: BlueOnyx General Mailing List <blueonyx at blueonyx.it> 
Sent: Tue, 8 Jun 2010 01:25:00 +0200 
Subject: [BlueOnyx:04707] Re: send mail Relay exploit

> Hi Hugo, 
> 
> > since friday our server has been exploited as a relay for several domains 
> > who are spammers 
> 
> Do you have SMTP-Auth enabled? If not, enable it. But from what I see it in 
> your logs it should be on already.  With SMTP-Auth enabled only users 
> authenticated with their username and password can send emails through your 
> server. 
> 
> > Here is some logs 
> 
> From those log lines only one entry indicates the actual relaying of emails 
> through your server: 
> 
> Jun  7 16:23:14 ns1 sendmail[23694]: o57LMj4U023694: 
> from=<tbent at wanadoo.co.uk>, size=1509, class=0, nrcpts=50, 
> msgid=<201006072122.o57LMj4U023694 at ns1.abaco.net.mx>, proto=ESMTP, daemon=MTA, 
> relay=adsl1888.4u.com.gh [41.210.18.88] 
> 
> Someone from the IP [41.210.18.88] sent a 1509 byte large mail to 50 
> recipients in one go. The line "proto=ESMTP" indicates that he used SMTP-Auth 
> to authenticate against Sendmail and that was apparently done with a valid 
> username and password. 
> 
> Then the next snippet shows how four of the 50 generated emails were sent out: 
> 
> Jun  7 16:23:16 ns1 sendmail[23755]: o57LMj4U023694: 
> to=<fultonmr at aol.com>,<fultimeslackervb at aol.com>,<fulmoon19 at aol.com>,<fulltipz at aol.com>, 
> delay=00:00:27, xdelay=00:00:02, mailer=esmtp, pri=1591509, 
> relay=mailin-02.mx.aol.com. [205.188.155.110], dsn=2.0.0, stat=Sent (2.0.0 Ok: 
> queued as 3EC3F38000CAD) 
> 
> This went to some AOL users in one go. 
> 
> So it appears someone has guessed, sniffed or brute forced the login details 
> of one of your email users. 
> 
> How to find out which account that's from? 
> 
> Check /var/log/maillog and find the entries immediately above this one: 
> 
> Jun  7 16:23:14 ns1 sendmail[23694]: o57LMj4U023694: 
> from=<tbent at wanadoo.co.uk> [...] 
> 
> There should be a line like this: 
> 
> Jun  7 16:23:14 ns1 sendmail[XXX]:  AUTH=server, relay=adsl1888.4u.com.gh 
> [41.210.18.88], authid=USERNAME, mech=PLAIN, bits=0 
> 
> That shows "authid=" and the username they used to send the email. 
> 
> Or you can use cat and grep to search for it like this: 
> 
> cat /var/log/maillog | grep AUTH=server | grep 41.210.18.88 
> 
> That searches for "AUTH=server" (which identifies the SMTP-Auth logins) and 
> for the IP address of the sender of the email. That will return all matching 
> log entries and the "authid=" part will reveal the compromised username. 
> 
> -- 
> With best regards 
> 
> Michael Stauber 
> 
> _______________________________________________ 
> Blueonyx mailing list 
> Blueonyx at blueonyx.it 
> http://www.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message -------
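The log correlation Michael describes (find the AUTH=server line logged by the same sendmail process just before the from= line, read its authid, or grep for AUTH=server and the relay IP) can be done in a few lines of Python. The example below is added here and is not code from the thread or from BlueOnyx; the maillog lines in it are constructed to match the sendmail format quoted above, with made-up usernames, addresses, queue ids and the documentation address 192.0.2.10 (only 41.210.18.88 comes from the thread). It goes a step beyond the grep: besides answering "which authid logged in from this IP", it joins every submission to its login and summarises per account, so an account that is suddenly sending to 50 recipients per message, from a new IP, with an envelope sender that does not match the login, stands out even before you know the attacker's IP.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/maillog lines, modelled on the sendmail format
# quoted in the thread. Usernames, addresses, queue ids and 192.0.2.10 are
# made-up placeholders; 41.210.18.88 is the relay IP discussed in the thread.
SAMPLE_MAILLOG = """\
Jun  7 09:02:11 ns1 sendmail[20101]: AUTH=server, relay=host.example.net [192.0.2.10], authid=alice, mech=PLAIN, bits=0
Jun  7 09:02:11 ns1 sendmail[20101]: o57E2Bxx020101: from=<alice@example.com>, size=812, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
Jun  7 16:23:14 ns1 sendmail[23694]: AUTH=server, relay=adsl1888.4u.com.gh [41.210.18.88], authid=bob, mech=PLAIN, bits=0
Jun  7 16:23:14 ns1 sendmail[23694]: o57LMj4U023694: from=<tbent@example.org>, size=1509, class=0, nrcpts=50, msgid=<2@ns1.example.com>, proto=ESMTP, daemon=MTA, relay=adsl1888.4u.com.gh [41.210.18.88]
Jun  7 16:23:16 ns1 sendmail[23755]: o57LMj4U023694: to=<a@example.net>,<b@example.net>, delay=00:00:27, xdelay=00:00:02, mailer=esmtp, pri=1591509, relay=mx.example.net. [198.51.100.7], dsn=2.0.0, stat=Sent (2.0.0 Ok: queued as 3EC3F38000CAD)
Jun  7 16:31:40 ns1 sendmail[23801]: AUTH=server, relay=adsl1888.4u.com.gh [41.210.18.88], authid=bob, mech=PLAIN, bits=0
Jun  7 16:31:40 ns1 sendmail[23801]: o57LVexx023801: from=<tbent@example.org>, size=1490, class=0, nrcpts=45, msgid=<3@ns1.example.com>, proto=ESMTP, daemon=MTA, relay=adsl1888.4u.com.gh [41.210.18.88]
"""

# The SMTP-Auth login line: "AUTH=server, relay=HOST [IP], authid=USER, mech=..."
AUTH_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: AUTH=server, relay=(?P<relay>\S+) \[(?P<ip>[0-9.]+)\], "
    r"authid=(?P<authid>[^,\s]+), mech=(?P<mech>[^,\s]+)"
)
# The envelope line for a submission: "QID: from=<...>, ..., nrcpts=N, ..., relay=HOST [IP]"
FROM_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, .*?"
    r"nrcpts=(?P<nrcpts>\d+),.*?relay=(?P<relay>\S+) \[(?P<ip>[0-9.]+)\]"
)


def auth_logins(log_text):
    """Every SMTP-Auth login in the log as dicts: pid, relay, ip, authid, mech."""
    return [m.groupdict() for m in map(AUTH_RE.search, log_text.splitlines()) if m]


def authids_from_ip(log_text, ip):
    """Same question as the grep pipeline in the thread: which usernames
    authenticated from this IP? Returns the distinct authids, sorted."""
    return sorted({a["authid"] for a in auth_logins(log_text) if a["ip"] == ip})


def correlate_submissions(log_text):
    """Join each from= line with the AUTH=server line logged earlier by the
    same sendmail child (same pid) from the same IP, i.e. the 'entry
    immediately above' that the thread tells you to look for."""
    latest_auth = {}  # pid -> most recent AUTH record for that process
    submissions = []
    for line in log_text.splitlines():
        a = AUTH_RE.search(line)
        if a:
            latest_auth[a["pid"]] = a.groupdict()
            continue
        f = FROM_RE.search(line)
        if not f:
            continue
        auth = latest_auth.get(f["pid"])
        if auth is None or auth["ip"] != f["ip"]:
            continue  # unauthenticated submission, or a reused pid: do not guess
        submissions.append({
            "qid": f["qid"], "authid": auth["authid"], "sender": f["sender"],
            "ip": f["ip"], "nrcpts": int(f["nrcpts"]),
        })
    return submissions


def suspicious_accounts(log_text, max_rcpts_per_msg=20):
    """Per-authid summary of authenticated submissions, keeping only accounts
    that sent one message to more than max_rcpts_per_msg recipients or whose
    envelope sender's local part differs from the login name (rough heuristic;
    adjust it if your authids are full addresses)."""
    stats = defaultdict(lambda: {"ips": set(), "messages": 0, "total_rcpts": 0,
                                 "max_rcpts": 0, "sender_mismatch": False})
    for s in correlate_submissions(log_text):
        st = stats[s["authid"]]
        st["ips"].add(s["ip"])
        st["messages"] += 1
        st["total_rcpts"] += s["nrcpts"]
        st["max_rcpts"] = max(st["max_rcpts"], s["nrcpts"])
        if s["sender"].split("@")[0] != s["authid"]:
            st["sender_mismatch"] = True
    return {a: st for a, st in stats.items()
            if st["max_rcpts"] > max_rcpts_per_msg or st["sender_mismatch"]}


if __name__ == "__main__":
    print("authids seen from 41.210.18.88:", authids_from_ip(SAMPLE_MAILLOG, "41.210.18.88"))
    for authid, st in suspicious_accounts(SAMPLE_MAILLOG).items():
        print(f"{authid}: {st['messages']} msgs, {st['total_rcpts']} rcpts "
              f"(max {st['max_rcpts']}), from {sorted(st['ips'])}, "
              f"sender mismatch={st['sender_mismatch']}")
```

To run it against a real server, read /var/log/maillog into `log_text` instead of the constructed sample. The pid-plus-IP join is deliberately conservative: sendmail child pids are reused over time, so a from= line whose pid has no matching login from the same IP is left unattributed rather than blamed on the wrong account. Once the compromised authid is known, changing that password is what actually stops the relaying; the firewall rules in Chuck's reply only slow down the one source.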
 