[BlueOnyx:04709] Re: send mail Relay exploit

Hugo Sesma hsesma at gmail.com
Mon Jun 7 19:06:22 -05 2010


Michael,

I ran your instructions and found that one of our clients has a user "info"
that is the one to blame. Sadly, there was a similar post previous to mine.

We should get this in a forum.


Thanks for your support.

Regards


H.

On Mon, Jun 7, 2010 at 6:25 PM, Michael Stauber <mstauber at blueonyx.it>wrote:

> Hi Hugo,
>
> > since friday our server has been exploited as a relay for several domains
> > who are spammers
>
> Do you have SMTP-Auth enabled? If not, enable it. But from what I see in
> your logs it should be on already. With SMTP-Auth enabled only users
> authenticated with their username and password can send emails through your
> server.
>
> > Here is some logs
>
> From those log lines only one entry indicates the actual relaying of emails
> through your server:
>
> Jun  7 16:23:14 ns1 sendmail[23694]: o57LMj4U023694:
> from=<tbent at wanadoo.co.uk>, size=1509, class=0, nrcpts=50,
> msgid=<201006072122.o57LMj4U023694 at ns1.abaco.net.mx>, proto=ESMTP,
> daemon=MTA,
> relay=adsl1888.4u.com.gh [41.210.18.88]
>
> Someone from the IP [41.210.18.88] sent a 1509 byte large mail to 50
> recipients in one go. The line "proto=ESMTP" indicates that he used SMTP-Auth
> to authenticate against Sendmail and that was apparently done with a valid
> username and password.
>
> Then the next snippet shows how four of the 50 generated emails were sent
> out:
>
> Jun  7 16:23:16 ns1 sendmail[23755]: o57LMj4U023694:
> to=<fultonmr at aol.com>,<fultimeslackervb at aol.com>,<fulmoon19 at aol.com>,<
> fulltipz at aol.com>,
> delay=00:00:27, xdelay=00:00:02, mailer=esmtp, pri=1591509,
> relay=mailin-02.mx.aol.com. [205.188.155.110], dsn=2.0.0, stat=Sent (2.0.0
> Ok:
> queued as 3EC3F38000CAD)
>
> This went to some AOL users in one go.
>
> So it appears someone has guessed, sniffed or brute forced the login details
> of one of your email users.
>
> How to find out which account that's from?
>
> Check /var/log/maillog and find the entries immediately above this one:
>
> Jun  7 16:23:14 ns1 sendmail[23694]: o57LMj4U023694:
> from=<tbent at wanadoo.co.uk> [...]
>
> There should be a line like this:
>
> Jun  7 16:23:14 ns1 sendmail[XXX]:  AUTH=server, relay=adsl1888.4u.com.gh
> [41.210.18.88], authid=USERNAME, mech=PLAIN, bits=0
>
> That shows "authid=" and the username they used to send the email.
>
> Or you can use cat and grep to search for it like this:
>
> cat /var/log/maillog | grep AUTH=server | grep 41.210.18.88
>
> That searches for "AUTH=server" (which identifies the SMTP-Auth logins) and
> for the IP address of the sender of the email. That will return all matching
> log entries and the "authid=" part will reveal the compromised username.
>
> --
> With best regards
>
> Michael Stauber
>
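The correlation Michael describes (pair the "AUTH=server ... authid=" login line with the "from=<...> nrcpts=N" submission line from the same client IP) can be done over the whole maillog rather than one IP at a time. The script below is an added example, not code from the thread or from BlueOnyx: it parses constructed sample lines modelled on the sendmail format quoted above (hostnames, addresses, queue ids and documentation-range IPs are made up), attributes every submission to the most recent authenticated login from that IP, and then summarises per account. It goes a little beyond the grep by also flagging accounts that submit to many recipients per message or log in from several different IPs, which is what a stolen password typically looks like in the log. The regexes are assumptions about the line layout; adjust them if your sendmail logs different fields.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt, modelled on the sendmail lines quoted
# in the thread. Names, addresses and queue ids are invented; the IPs are
# from the documentation ranges, not real hosts.
SAMPLE_MAILLOG = """\
Jun  7 16:23:14 ns1 sendmail[23694]: AUTH=server, relay=dsl-1.example.net [203.0.113.10], authid=info, mech=PLAIN, bits=0
Jun  7 16:23:14 ns1 sendmail[23694]: o57LMj4U023694: from=<bulk@example.org>, size=1509, class=0, nrcpts=50, msgid=<1@ns1.example>, proto=ESMTP, daemon=MTA, relay=dsl-1.example.net [203.0.113.10]
Jun  7 16:25:01 ns1 sendmail[23801]: AUTH=server, relay=laptop.example.com [198.51.100.7], authid=alice, mech=LOGIN, bits=0
Jun  7 16:25:02 ns1 sendmail[23801]: o57LP1AB023801: from=<alice@example.com>, size=812, class=0, nrcpts=1, msgid=<2@ns1.example>, proto=ESMTP, daemon=MTA, relay=laptop.example.com [198.51.100.7]
Jun  7 16:30:14 ns1 sendmail[23900]: AUTH=server, relay=dsl-2.example.net [203.0.113.11], authid=info, mech=PLAIN, bits=0
Jun  7 16:30:15 ns1 sendmail[23900]: o57LUEzz023900: from=<bulk2@example.org>, size=1433, class=0, nrcpts=48, msgid=<3@ns1.example>, proto=ESMTP, daemon=MTA, relay=dsl-2.example.net [203.0.113.11]
Jun  7 16:31:00 ns1 sendmail[23950]: o57LV0CD023950: from=<bob@example.com>, size=500, class=0, nrcpts=2, msgid=<4@ns1.example>, proto=SMTP, daemon=MTA, relay=mx.partner.example [192.0.2.25]
"""

# Assumed line layouts, taken from the lines quoted in the thread.
AUTH_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: AUTH=server, relay=\S+ \[(?P<ip>[\d.]+)\], "
    r"authid=(?P<authid>[^,]+), mech=(?P<mech>[^,]+)")
FROM_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, "
    r".*?nrcpts=(?P<nrcpts>\d+), .*?relay=(?:\S+ )?\[(?P<ip>[\d.]+)\]")


def attribute_submissions(log_text):
    """Pair each from= (message submission) line with the most recent
    AUTH=server login seen from the same client IP. Returns one dict per
    submission; authid is None when no authenticated login preceded it
    (an ordinary inbound delivery, for example)."""
    last_auth = {}  # client IP -> (authid, mech)
    submissions = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            last_auth[m["ip"]] = (m["authid"], m["mech"])
            continue
        m = FROM_RE.search(line)
        if m:
            authid, mech = last_auth.get(m["ip"], (None, None))
            submissions.append({
                "qid": m["qid"], "sender": m["sender"], "ip": m["ip"],
                "nrcpts": int(m["nrcpts"]), "authid": authid, "mech": mech})
    return submissions


def suspicious_accounts(log_text, min_rcpts=20):
    """Summarise authenticated accounts that look like relay abuse:
    at least one message to min_rcpts or more recipients, or logins
    from more than one client IP. Returns {authid: stats}."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                 "ips": set(), "flagged": 0})
    for s in attribute_submissions(log_text):
        if s["authid"] is None:
            continue  # not an SMTP-Auth submission
        st = stats[s["authid"]]
        st["messages"] += 1
        st["recipients"] += s["nrcpts"]
        st["ips"].add(s["ip"])
        if s["nrcpts"] >= min_rcpts:
            st["flagged"] += 1
    return {k: v for k, v in stats.items()
            if v["flagged"] or len(v["ips"]) > 1}


if __name__ == "__main__":
    # Run against a real log with: open("/var/log/maillog").read()
    for authid, st in suspicious_accounts(SAMPLE_MAILLOG).items():
        print(f"{authid}: {st['messages']} msgs, {st['recipients']} rcpts, "
              f"{st['flagged']} bulk, from {sorted(st['ips'])}")
```

On the sample data only the "info" account is reported: two bulk submissions (98 recipients in total) from two different IPs, while "alice" sends one message to one recipient and the unauthenticated inbound delivery is ignored. Once the account is identified, the fix is the one implied in the thread: change that user's password and check the queue for remaining spam.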
