Chuk,<br><br>thanks for your info I'm checking to use it with webmin and see if they are permanet<br><br>Regards<br><br><div class="gmail_quote">On Mon, Jun 7, 2010 at 6:49 PM, Chuck Tetlow <span dir="ltr"><<a href="mailto:chuck@tetlow.net">chuck@tetlow.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff">
<font size="2">And while you're at it - block their further attempts to find/exploit another username/password.
<br>
<br>The easiest way to do it - block it with IP Tables. Use this to block that oneI IP:
<br>/sbin/iptables -I acctin 1 -d <a href="http://41.210.18.88/32" target="_blank">41.210.18.88/32</a> -j DROP
<br>
<br>But since changing their IP is easy, I'd recommend blocking at least the whole /24 network they are on. Use
<br>/sbin/iptables -I acctin 1 -d <a href="http://41.210.18.0/24" target="_blank">41.210.18.0/24</a> -j DROP
<br>
<br>In my own case, I couldn't care less about e-mails from Ghana. I'd lock out the entire block of IPs assigned to that country with
<br>/sbin/iptables -I acctin 1 -d <a href="http://41.210.0.0/16" target="_blank">41.210.0.0/16</a> -j DROP
<br>
<br>Any of these rules will block further traffic from that IP or their networks. But remember - this is temporary. The next time you boot the server, or create a website - IP Tables are reloaded and your temp rule is gone. Then they're back at your server. Making the rule permanent is a bit more involved.
<br>
<br>
<br>
<br>Chuck
<br>
<br>
<br>
<br></font><font size="2"><div><div></div><div class="h5">
<br><b>---------- Original Message
-----------</b>
<br>
From: Michael Stauber <<a href="mailto:mstauber@blueonyx.it" target="_blank">mstauber@blueonyx.it</a>>
<br>
To: BlueOnyx General Mailing List <<a href="mailto:blueonyx@blueonyx.it" target="_blank">blueonyx@blueonyx.it</a>>
<br>
Sent: Tue, 8 Jun 2010 01:25:00 +0200
<br>
Subject: [BlueOnyx:04707] Re: send mail Relay exploit
<br>
<br>> Hi Hugo,
<br>>
<br>>
> since friday our server has been exploited as a relay for several domains
<br>>
> who are spammers
<br>>
<br>>
Do you have SMTP-Auth enabled? If not, enable it. But from what I see it in
<br>>
your logs it should be on already. With SMTP-Auth enabled only users
<br>>
authenticated with their username and password can send emails through your
<br>>
server.
<br>>
<br>>
> Here is some logs
<br>>
<br>>
>From those log lines only one entry indicates the actual relaying of emails
<br>>
through your server:
<br>>
<br>>
Jun 7 16:23:14 ns1 sendmail[23694]: o57LMj4U023694:
<br>>
from=<<a href="mailto:tbent@wanadoo.co.uk" target="_blank">tbent@wanadoo.co.uk</a>>, size=1509, class=0, nrcpts=50,
<br>>
msgid=<<a href="mailto:201006072122.o57LMj4U023694@ns1.abaco.net.mx" target="_blank">201006072122.o57LMj4U023694@ns1.abaco.net.mx</a>>, proto=ESMTP,
daemon=MTA,
<br>>
relay=<a href="http://adsl1888.4u.com.gh" target="_blank">adsl1888.4u.com.gh</a> [41.210.18.88]
<br>>
<br>>
Someone from the IP [41.210.18.88] sent a 1509 byte large mail to 50
<br>>
recipients in one go. The line "proto=ESMTP" indicates that he used
SMTP-Auth
<br>>
to authenticate against Sendmail and that was apparently done with a valid
<br>>
username and password.
<br>>
<br>>
Then the next snippet shows how four of the 50 generated emails were sent out:
<br>>
<br>>
Jun 7 16:23:16 ns1 sendmail[23755]: o57LMj4U023694:
<br>>
to=<<a href="mailto:fultonmr@aol.com" target="_blank">fultonmr@aol.com</a>>,<<a href="mailto:fultimeslackervb@aol.com" target="_blank">fultimeslackervb@aol.com</a>>,<<a href="mailto:fulmoon19@aol.com" target="_blank">fulmoon19@aol.com</a>>,<<a href="mailto:fulltipz@aol.com" target="_blank">fulltipz@aol.com</a>>,
<br>>
delay=00:00:27, xdelay=00:00:02, mailer=esmtp, pri=1591509,
<br>>
relay=<a href="http://mailin-02.mx.aol.com" target="_blank">mailin-02.mx.aol.com</a>. [205.188.155.110], dsn=2.0.0, stat=Sent (2.0.0 Ok:
<br>>
queued as 3EC3F38000CAD)
<br>>
<br>>
This went to some AOL users in one go.
<br>>
<br>>
So it appears someone has guessed, sniffed or brute forced the login details
<br>>
of one of your email users.
<br>>
<br>>
How to find out which account that's from?
<br>>
<br>>
Check /var/log/maillog and find the entries immediately above this one:
<br>>
<br>>
Jun 7 16:23:14 ns1 sendmail[23694]: o57LMj4U023694:
<br>>
from=<<a href="mailto:tbent@wanadoo.co.uk" target="_blank">tbent@wanadoo.co.uk</a>> [...]
<br>>
<br>>
There should be a line like this:
<br>>
<br>>
Jun 7 16:23:14 ns1 sendmail[XXX]: AUTH=server,
relay=<a href="http://adsl1888.4u.com.gh" target="_blank">adsl1888.4u.com.gh</a>
<br>>
[41.210.18.88], authid=USERNAME, mech=PLAIN, bits=0
<br>>
<br>>
That shows "authid=" and the username they used to send the email.
<br>>
<br>>
Or you can use cat and grep to search for it like this:
<br>>
<br>>
cat /var/log/maillog | grep AUTH=server | grep 41.210.18.88
<br>>
<br>>
That searches for "AUTH=server" (which identifies the SMTP-Auth
logins) and
<br>>
for the IP address of the sender of the email. That will return all matching
<br>>
log entries and the "authid=" part will reveal the compromised
username.
<br>>
<br>>
--
<br>>
With best regards
<br>>
<br>>
Michael Stauber
<br>>
<br>>
_______________________________________________
<br>>
Blueonyx mailing list
<br>>
<a href="mailto:Blueonyx@blueonyx.it" target="_blank">Blueonyx@blueonyx.it</a>
<br>>
<a href="http://www.blueonyx.it/mailman/listinfo/blueonyx" target="_blank">http://www.blueonyx.it/mailman/listinfo/blueonyx</a>
<br></div></div><b>------- End of Original Message
-------</b>
<br>
</font>
</div>
<br>_______________________________________________<br>
Blueonyx mailing list<br>
<a href="mailto:Blueonyx@blueonyx.it">Blueonyx@blueonyx.it</a><br>
<a href="http://www.blueonyx.it/mailman/listinfo/blueonyx" target="_blank">http://www.blueonyx.it/mailman/listinfo/blueonyx</a><br>
<br></blockquote></div><br>