L.P.H. van Belle
2017-Jun-13 08:40 UTC
[Samba] pickup/maildrop being used to spam through my machine.
Looks to me like your server is hacked through the webserver of the website. Stop apache, flush the postfix queue, are there new mails entering your postfix queue? If not, hunt down the leak; if it does, it's not apache2 ;-/

Greetz,

Louis

> -----Original message-----
> From: HomerWSmith at lightlink.com [mailto:owner-postfix-users at postfix.org] On behalf of Homer Wilson Smith
> Sent: Tuesday 13 June 2017 10:29
> To: postfix-users at postfix.org
> Subject: pickup/maildrop being used to spam through my machine.
>
> Running postfix 2.3.3 CentOS 5.x
>
> This is a simple apache 2 web server running postfix for incoming mail for shell users on the same server. Very low key, almost no traffic, outside is not allowed to connect to the postfix on this machine.
>
> This machine only handles shell users on its own domain, adore.lightlink.com, and mail addressed or forwarded to it from our other real mail servers that talk to the outside world.
>
> Suddenly I am finding adore's mailq queue filled with spam, each having a pickup line in the logs, but no indication where it comes from, probably the web server as the from username is apache, but so far no correlation between web logs and time stamp on pickup line.
>
> This machine is also running an innd news server if it makes any difference, innd 2.x
>
> Can someone tell me about possible injection routes into the maildrop directory and how to stop it if I can't find the web page doing it.
> Thanks Homer
>
> Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 099E82B0028: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2169C2B0038: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 260E32B0065: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2AB902B007D: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 325422B0080: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3AC572B0095: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3D0A32B00B8: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 417DD2B00BD: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4728B2B00CA: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4FE062B00D2: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 89BB02B00DD: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: A53092B00E3: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: BEAB72B00E7: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: CA9F42B00EC: uid=48 from=<apache>
> ... on and on and on thousands etc.
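As an added example (not code from the thread or from either poster), a small Python checker that does what the OP was attempting by hand: it reads the submitting uid out of each postfix/pickup line and lists the web requests logged in the seconds just before each injection. The 2017 log year, the 5-second window, the Apache access-log lines and the uid=500 pickup line are constructed assumptions; the first two pickup lines are the ones quoted above.

```python
"""Correlate Postfix pickup events with web requests (added example, not from the thread).
Assumes both logs use the machine's local time and that the caller supplies the
syslog year (syslog lines omit it); the access-log lines and the uid=500 line are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta

# postfix/pickup logs the real uid of the local process that handed the message to the
# maildrop queue via sendmail(1)/postdrop; uid=48 is the "apache" account on CentOS 5.
PICKUP_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] "(?P<req>[^"]*)"')

MAILLOG = """\
Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48 from=<apache>
Jun 12 05:30:02 adore2 postfix/pickup[14251]: 0A1B22B0101: uid=500 from=<shelluser>
""".splitlines()  # first two lines quoted from the thread, third one constructed

ACCESS = """\
198.51.100.9 - - [12/Jun/2017:05:20:00 -0400] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [12/Jun/2017:05:26:15 -0400] "POST /contact.php HTTP/1.1" 200 512
203.0.113.7 - - [12/Jun/2017:05:26:16 -0400] "POST /contact.php HTTP/1.1" 200 512
""".splitlines()  # constructed Apache combined-log sample

def parse_pickup(lines, year):
    """Return (timestamp, queue_id, uid, sender) tuples for postfix/pickup lines."""
    out = []
    for m in filter(None, map(PICKUP_RE.match, lines)):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["qid"], int(m["uid"]), m["from"]))
    return out

def parse_access(lines):
    """Return (timestamp, client_ip, request_line) tuples from Apache access-log lines."""
    return [(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"), m["ip"], m["req"])
            for m in filter(None, map(ACCESS_RE.match, lines))]

def submitters(events):
    """Count queued messages per submitting uid; a web-server uid dominating is the red flag."""
    return Counter(uid for _, _, uid, _ in events)

def correlate(events, requests, window=timedelta(seconds=5)):
    """Map each pickup queue id to the web requests served within `window` before it."""
    return {qid: [(ip, req) for rts, ip, req in requests if ts - window <= rts <= ts]
            for ts, qid, _, _ in events}
```

Run against the real /var/log/maillog and access_log, a queue id with an empty list means the injection did not come through a logged HTTP request, which is the case the OP describes.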
Rowland Penny
2017-Jun-13 09:41 UTC
[Samba] pickup/maildrop being used to spam through my machine.
On Tue, 13 Jun 2017 10:40:55 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Looks to me like your server is hacked through the webserver of the website. Stop apache, flush the postfix queue, are there new mails entering your postfix queue? If not, hunt down the leak; if it does, it's not apache2 ;-/
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: HomerWSmith at lightlink.com [mailto:owner-postfix-users at postfix.org] On behalf of Homer Wilson Smith
> > Sent: Tuesday 13 June 2017 10:29
> > To: postfix-users at postfix.org
> > Subject: pickup/maildrop being used to spam through my machine.

Hi Louis, your holiday doesn't seem to have done you any good whatsoever, you have done it again LOL

This is not the Postfix mailing list and you might want to point out to the OP that CentOS 5 is EOL.

Rowland
L.P.H. van Belle
2017-Jun-13 09:44 UTC
[Samba] pickup/maildrop being used to spam through my machine.
Oops.. Yeah, I need a new holiday.. 1 week is just too short. :-/

Greetz,

Louis

> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Tuesday 13 June 2017 11:41
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] pickup/maildrop being used to spam through my machine.
>
> On Tue, 13 Jun 2017 10:40:55 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Looks to me like your server is hacked through the webserver of the website. Stop apache, flush the postfix queue, are there new mails entering your postfix queue? If not, hunt down the leak; if it does, it's not apache2 ;-/
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > From: HomerWSmith at lightlink.com [mailto:owner-postfix-users at postfix.org] On behalf of Homer Wilson Smith
> > > Sent: Tuesday 13 June 2017 10:29
> > > To: postfix-users at postfix.org
> > > Subject: pickup/maildrop being used to spam through my machine.
>
> Hi Louis, your holiday doesn't seem to have done you any good whatsoever, you have done it again LOL
>
> This is not the Postfix mailing list and you might want to point out to the OP that CentOS 5 is EOL.
>
> Rowland