Koozali.org: home of the SME Server

Rogers High Speed is now blocking port 25

cyberlair

Rogers High Speed is now blocking port 25
« on: February 10, 2006, 04:22:21 PM »
Hello

Having a strange problem with Qmail and it may be as a result of a system compromise? SME 6. I checked the logs and there is a long list of login attempts with a word list. I checked my rootkit detector and it appears as though everything is OK?

I cannot send or receive email through the server. When I try and send email it sits in the queue. If I delete the message from the webpage queue manager it says : Qmail isn't running... no need to stop it.
Qmail wasn't running when qmHandle was started, so it won't be restarted.
If I type service qmail status it says (pid 4525) 1048 seconds, normally down. I can start the service and it says OK? I've tried rebooting no difference.

I am unsure of where to go from here? Help!!!

byte

Rogers High Speed is now blocking port 25
« Reply #1 on: February 10, 2006, 05:25:40 PM »
Hi,

First off, I would change the title of this post... all system compromises should go to

security AT lists.contribs.org

What does your /var/log/smtpfront-XXX say? Look in the file current...

Have you changed anything? i.e. added any contribs?
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

CharlieBrady

Re: Problems with QMAIL! Possible system compromize
« Reply #2 on: February 10, 2006, 05:36:24 PM »
Quote from: "cyberlair"

Having a strange problem with Qmail and it may be as a result of a system compromise? SME 6. I checked the logs and there is a long list of login attempts with a word list.


Every Internet connected system running ssh has the same logs. Connection attempts which are rejected are not evidence of compromise.

As 'byte' says, if you seriously suspect a system compromise, the security alert email address is the place to report it.

cyberlair

Rogers High Speed is now blocking port 25
« Reply #3 on: February 10, 2006, 06:47:34 PM »
Thanks for the replies.

This is what made me think the system may have been compromised because a word list has been used here to try and login with a username and password. There are several long logs like this over several weeks.

Feb  8 06:41:41 mailgate sshd[18221]: Did not receive identification string from 62.15.230.129
Feb  8 06:45:12 mailgate sshd[18328]: Invalid user anonymous from 62.15.230.129
Feb  8 06:45:12 mailgate sshd[18328]: error: Could not get shadow information for NOUSER
Feb  8 06:45:12 mailgate sshd[18328]: Failed password for invalid user anonymous from 62.15.230.129 port 43707 ssh2
Feb  8 06:45:14 mailgate sshd[18331]: Invalid user passwd from 62.15.230.129
Feb  8 06:45:14 mailgate sshd[18331]: error: Could not get shadow information for NOUSER
Feb  8 06:45:14 mailgate sshd[18331]: Failed password for invalid user passwd from 62.15.230.129 port 43736 ssh2
Feb  8 06:45:16 mailgate sshd[18333]: Invalid user chuck from 62.15.230.129
Feb  8 06:45:16 mailgate sshd[18333]: error: Could not get shadow information for NOUSER
Feb  8 06:45:16 mailgate sshd[18333]: Failed password for invalid user chuck from 62.15.230.129 port 43756 ssh2
Feb  8 06:45:18 mailgate sshd[18335]: Invalid user darkman from 62.15.230.129
Feb  8 06:45:18 mailgate sshd[18335]: error: Could not get shadow information for NOUSER
Feb  8 06:45:18 mailgate sshd[18335]: Failed password for invalid user darkman from 62.15.230.129 port 43798 ssh2
Feb  8 06:45:19 mailgate sshd[18337]: Invalid user hostmaster from 62.15.230.129
Feb  8 06:45:19 mailgate sshd[18337]: error: Could not get shadow information for NOUSER
Feb  8 06:45:19 mailgate sshd[18337]: Failed password for invalid user hostmaster from 62.15.230.129 port 43826 ssh2
Feb  8 06:45:21 mailgate sshd[18339]: Invalid user jeffrey from 62.15.230.129
Feb  8 06:45:21 mailgate sshd[18339]: error: Could not get shadow information for NOUSER
Feb  8 06:45:21 mailgate sshd[18339]: Failed password for invalid user jeffrey from 62.15.230.129 port 43861 ssh2
Feb  8 06:45:23 mailgate sshd[18341]: Invalid user loverd from 62.15.230.129
Feb  8 06:45:23 mailgate sshd[18341]: error: Could not get shadow information for NOUSER
Feb  8 06:45:23 mailgate sshd[18341]: Failed password for invalid user loverd from 62.15.230.129 port 43900 ssh2
Feb  8 06:45:25 mailgate sshd[18343]: Invalid user eric from 62.15.230.129
Feb  8 06:45:25 mailgate sshd[18343]: error: Could not get shadow information for NOUSER
Feb  8 06:45:25 mailgate sshd[18343]: Failed password for invalid user eric from 62.15.230.129 port 43934 ssh2
Feb  8 06:45:27 mailgate sshd[18345]: Invalid user lauren from 62.15.230.129
Feb  8 06:45:27 mailgate sshd[18345]: error: Could not get shadow information for NOUSER
Feb  8 06:45:27 mailgate sshd[18345]: Failed password for invalid user lauren from 62.15.230.129 port 43976 ssh2
Feb  8 06:45:29 mailgate sshd[18347]: Invalid user mark from 62.15.230.129
Feb  8 06:45:29 mailgate sshd[18347]: error: Could not get shadow information for NOUSER
Feb  8 06:45:29 mailgate sshd[18347]: Failed password for invalid user mark from 62.15.230.129 port 44012 ssh2
Feb  8 06:45:31 mailgate sshd[18349]: Invalid user sin from 62.15.230.129
Feb  8 06:45:31 mailgate sshd[18349]: error: Could not get shadow information for NOUSER
Feb  8 06:45:31 mailgate sshd[18349]: Failed password for invalid user sin from 62.15.230.129 port 44054 ssh2
Feb  8 06:45:33 mailgate sshd[18351]: Invalid user richer from 62.15.230.129
Feb  8 06:45:33 mailgate sshd[18351]: error: Could not get shadow information for NOUSER
Feb  8 06:45:33 mailgate sshd[18351]: Failed password for invalid user richer from 62.15.230.129 port 44087 ssh2
Feb  8 06:45:34 mailgate sshd[18353]: Invalid user fluffy from 62.15.230.129
Feb  8 06:45:34 mailgate sshd[18353]: error: Could not get shadow information for NOUSER
Feb  8 06:45:34 mailgate sshd[18353]: Failed password for invalid user fluffy from 62.15.230.129 port 44125 ssh2
Feb  8 06:45:36 mailgate sshd[18355]: Invalid user gold from 62.15.230.129
Feb  8 06:45:36 mailgate sshd[18355]: error: Could not get shadow information for NOUSER
Feb  8 06:45:36 mailgate sshd[18355]: Failed password for invalid user gold from 62.15.230.129 port 44159 ssh2
Feb  8 06:45:38 mailgate sshd[18357]: Invalid user tomcat from 62.15.230.129
Feb  8 06:45:38 mailgate sshd[18357]: error: Could not get shadow information for NOUSER
Feb  8 06:45:38 mailgate sshd[18357]: Failed password for invalid user tomcat from 62.15.230.129 port 44195 ssh2
Feb  8 06:45:40 mailgate sshd[18359]: Invalid user cosinus from 62.15.230.129
Feb  8 06:45:40 mailgate sshd[18359]: error: Could not get shadow information for NOUSER
Feb  8 06:45:40 mailgate sshd[18359]: Failed password for invalid user cosinus from 62.15.230.129 port 44235 ssh2
Feb  8 06:45:42 mailgate sshd[18361]: Invalid user httpd from 62.15.230.129
Feb  8 06:45:42 mailgate sshd[18361]: error: Could not get shadow information for NOUSER
Feb  8 06:45:42 mailgate sshd[18361]: Failed password for invalid user httpd from 62.15.230.129 port 44265 ssh2
Feb  8 06:45:44 mailgate sshd[18363]: Invalid user squirrelmail from 62.15.230.129
Feb  8 06:45:44 mailgate sshd[18363]: error: Could not get shadow information for NOUSER
Feb  8 06:45:44 mailgate sshd[18363]: Failed password for invalid user squirrelmail from 62.15.230.129 port 44304 ssh2
Feb  8 06:45:45 mailgate sshd[18365]: Invalid user trash from 62.15.230.129
Feb  8 06:45:45 mailgate sshd[18365]: error: Could not get shadow information for NOUSER
Feb  8 06:45:45 mailgate sshd[18365]: Failed password for invalid user trash from 62.15.230.129 port 44343 ssh2
Feb  8 06:45:47 mailgate sshd[18367]: Invalid user kent from 62.15.230.129
Feb  8 06:45:47 mailgate sshd[18367]: error: Could not get shadow information for NOUSER
Feb  8 06:45:47 mailgate sshd[18367]: Failed password for invalid user kent from 62.15.230.129 port 44381 ssh2
Feb  8 06:45:49 mailgate sshd[18369]: Invalid user ace from 62.15.230.129
Feb  8 06:45:49 mailgate sshd[18369]: error: Could not get shadow information for NOUSER
Feb  8 06:45:49 mailgate sshd[18369]: Failed password for invalid user ace from 62.15.230.129 port 44417 ssh2
Feb  8 06:45:50 mailgate sshd[18371]: Invalid user backup from 62.15.230.129
Feb  8 06:45:50 mailgate sshd[18371]: error: Could not get shadow information for NOUSER
Feb  8 06:45:50 mailgate sshd[18371]: Failed password for invalid user backup from 62.15.230.129 port 44451 ssh2
Feb  8 06:45:52 mailgate sshd[18373]: Invalid user fish from 62.15.230.129
Feb  8 06:45:52 mailgate sshd[18373]: error: Could not get shadow information for NOUSER
Feb  8 06:45:52 mailgate sshd[18373]: Failed password for invalid user fish from 62.15.230.129 port 44490 ssh2
Feb  8 06:45:54 mailgate sshd[18375]: Invalid user java from 62.15.230.129
Feb  8 06:45:54 mailgate sshd[18375]: error: Could not get shadow information for NOUSER
Feb  8 06:45:54 mailgate sshd[18375]: Failed password for invalid user java from 62.15.230.129 port 44529 ssh2
Feb  8 06:45:55 mailgate sshd[18377]: Invalid user master from 62.15.230.129
Feb  8 06:45:55 mailgate sshd[18377]: error: Could not get shadow information for NOUSER
Feb  8 06:45:55 mailgate sshd[18377]: Failed password for invalid user master from 62.15.230.129 port 44564 ssh2
Feb  8 06:45:57 mailgate sshd[18379]: Failed password for mysql from 62.15.230.129 port 44603 ssh2
Feb  8 06:45:59 mailgate sshd[18381]: Invalid user oracle from 62.15.230.129
Feb  8 06:45:59 mailgate sshd[18381]: error: Could not get shadow information for NOUSER
Feb  8 06:45:59 mailgate sshd[18381]: Failed password for invalid user oracle from 62.15.230.129 port 44642 ssh2
Feb  8 06:46:01 mailgate sshd[18383]: Invalid user seongjin from 62.15.230.129
Feb  8 06:46:01 mailgate sshd[18383]: error: Could not get shadow information for NOUSER
Feb  8 06:46:01 mailgate sshd[18383]: Failed password for invalid user seongjin from 62.15.230.129 port 44678 ssh2
Feb  8 06:46:02 mailgate sshd[18403]: Invalid user sun from 62.15.230.129
Feb  8 06:46:02 mailgate sshd[18403]: error: Could not get shadow information for NOUSER
Feb  8 06:46:02 mailgate sshd[18403]: Failed password for invalid user sun from 62.15.230.129 port 44716 ssh2
Feb  8 06:46:04 mailgate sshd[18405]: Invalid user susan from 62.15.230.129
Feb  8 06:46:04 mailgate sshd[18405]: error: Could not get shadow information for NOUSER
Feb  8 06:46:04 mailgate sshd[18405]: Failed password for invalid user susan from 62.15.230.129 port 44760 ssh2
Feb  8 06:46:06 mailgate sshd[18407]: Invalid user temp from 62.15.230.129
Feb  8 06:46:06 mailgate sshd[18407]: error: Could not get shadow information for NOUSER
Feb  8 06:46:06 mailgate sshd[18407]: Failed password for invalid user temp from 62.15.230.129 port 44791 ssh2
Feb  8 06:46:07 mailgate sshd[18409]: Invalid user town from 62.15.230.129
Feb  8 06:46:07 mailgate sshd[18409]: error: Could not get shadow information for NOUSER
Feb  8 06:46:07 mailgate sshd[18409]: Failed password for invalid user town from 62.15.230.129 port 44826 ssh2
Feb  8 06:46:09 mailgate sshd[18411]: Invalid user lady from 62.15.230.129
Feb  8 06:46:09 mailgate sshd[18411]: error: Could not get shadow information for NOUSER
Feb  8 06:46:09 mailgate sshd[18411]: Failed password for invalid user lady from 62.15.230.129 port 44866 ssh2
Feb  8 06:46:11 mailgate sshd[18413]: Invalid user water from 62.15.230.129
Feb  8 06:46:11 mailgate sshd[18413]: error: Could not get shadow information for NOUSER
Feb  8 06:46:11 mailgate sshd[18413]: Failed password for invalid user water from 62.15.230.129 port 44901 ssh2
Feb  8 06:46:12 mailgate sshd[18415]: Invalid user webrun from 62.15.230.129
Feb  8 06:46:12 mailgate sshd[18415]: error: Could not get shadow information for NOUSER
Feb  8 06:46:12 mailgate sshd[18415]: Failed password for invalid user webrun from 62.15.230.129 port 44938 ssh2
Feb  8 06:46:14 mailgate sshd[18417]: Invalid user callhome from 62.15.230.129
Feb  8 06:46:14 mailgate sshd[18417]: error: Could not get shadow information for NOUSER
Feb  8 06:46:14 mailgate sshd[18417]: Failed password for invalid user callhome from 62.15.230.129 port 44975 ssh2
Feb  8 06:46:16 mailgate sshd[18419]: Invalid user foobar from 62.15.230.129
Feb  8 06:46:16 mailgate sshd[18419]: error: Could not get shadow information for NOUSER
Feb  8 06:46:16 mailgate sshd[18419]: Failed password for invalid user foobar from 62.15.230.129 port 45014 ssh2
Feb  8 06:46:18 mailgate sshd[18421]: Invalid user ircd from 62.15.230.129
Feb  8 06:46:18 mailgate sshd[18421]: error: Could not get shadow information for NOUSER
Feb  8 06:46:18 mailgate sshd[18421]: Failed password for invalid user ircd from 62.15.230.129 port 45053 ssh2
Feb  8 06:46:19 mailgate sshd[18423]: Invalid user jeni from 62.15.230.129
Feb  8 06:46:19 mailgate sshd[18423]: error: Could not get shadow information for NOUSER
Feb  8 06:46:19 mailgate sshd[18423]: Failed password for invalid user jeni from 62.15.230.129 port 45092 ssh2
Feb  8 06:46:21 mailgate sshd[18425]: Invalid user nick from 62.15.230.129
Feb  8 06:46:21 mailgate sshd[18425]: error: Could not get shadow information for NOUSER
Feb  8 06:46:21 mailgate sshd[18425]: Failed password for invalid user nick from 62.15.230.129 port 45131 ssh2
Feb  8 06:46:23 mailgate sshd[18427]: Invalid user webster from 62.15.230.129
Feb  8 06:46:23 mailgate sshd[18427]: error: Could not get shadow information for NOUSER
Feb  8 06:46:23 mailgate sshd[18427]: Failed password for invalid user webster from 62.15.230.129 port 45164 ssh2
Feb  8 06:46:24 mailgate sshd[18429]: Invalid user staff from 62.15.230.129
Feb  8 06:46:24 mailgate sshd[18429]: error: Could not get shadow information for NOUSER
Feb  8 06:46:24 mailgate sshd[18429]: Failed password for invalid user staff from 62.15.230.129 port 45198 ssh2
Feb  8 06:46:26 mailgate sshd[18431]: Invalid user saito from 62.15.230.129
Feb  8 06:46:26 mailgate sshd[18431]: error: Could not get shadow information for NOUSER
Feb  8 06:46:26 mailgate sshd[18431]: Failed password for invalid user saito from 62.15.230.129 port 45241 ssh2
Feb  8 06:46:28 mailgate sshd[18433]: Failed password for support from 62.15.230.129 port 45275 ssh2
Feb  8 06:46:29 mailgate sshd[18435]: Invalid user x from 62.15.230.129
Feb  8 06:46:29 mailgate sshd[18435]: error: Could not get shadow information for NOUSER
Feb  8 06:46:29 mailgate sshd[18435]: Failed password for invalid user x from 62.15.230.129 port 45315 ssh2
Feb  8 06:46:31 mailgate sshd[18437]: Invalid user bula from 62.15.230.129
Feb  8 06:46:31 mailgate sshd[18437]: error: Could not get shadow information for NOUSER
Feb  8 06:46:31 mailgate sshd[18437]: Failed password for invalid user bula from 62.15.230.129 port 45352 ssh2
Feb  8 06:46:33 mailgate sshd[18439]: Invalid user felix from 62.15.230.129
Feb  8 06:46:33 mailgate sshd[18439]: error: Could not get shadow information for NOUSER
Feb  8 06:46:33 mailgate sshd[18439]: Failed password for invalid user felix from 62.15.230.129 port 45390 ssh2
Feb  8 06:46:34 mailgate sshd[18441]: Invalid user lead from 62.15.230.129
Feb  8 06:46:34 mailgate sshd[18441]: error: Could not get shadow information for NOUSER
Feb  8 06:46:34 mailgate sshd[18441]: Failed password for invalid user lead from 62.15.230.129 port 45431 ssh2
Feb  8 06:46:36 mailgate sshd[18443]: Invalid user romeo from 62.15.230.129

Now, I don't have a /var/smtp log directory; I only have a /var/qmail.

Any help would be great.
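
An added example, not part of any post in this thread: a triage pass over sshd lines in the format posted above, separating rejected guesses from the events that would deserve a closer look. The 192.0.2.10 lines, the function names and the verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict

# First four lines are copied from the log posted in this thread; the two
# 192.0.2.10 lines are constructed to show what a real finding looks like.
SAMPLE = """\
Feb  8 06:45:12 mailgate sshd[18328]: Invalid user anonymous from 62.15.230.129
Feb  8 06:45:12 mailgate sshd[18328]: Failed password for invalid user anonymous from 62.15.230.129 port 43707 ssh2
Feb  8 06:45:57 mailgate sshd[18379]: Failed password for mysql from 62.15.230.129 port 44603 ssh2
Feb  8 06:46:28 mailgate sshd[18433]: Failed password for support from 62.15.230.129 port 45275 ssh2
Feb  8 07:10:02 mailgate sshd[19001]: Failed password for admin from 192.0.2.10 port 50111 ssh2
Feb  8 07:10:09 mailgate sshd[19004]: Accepted password for admin from 192.0.2.10 port 50112 ssh2
"""

# "invalid user" marks a name that does not exist on the box; its absence
# means the guessed account is real.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")


def triage(log_text):
    """Summarise sshd password events per source address."""
    hosts = defaultdict(lambda: {"invalid": 0, "existing": set(), "accepted_after_fail": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            invalid, user, ip = m.groups()
            if invalid:
                hosts[ip]["invalid"] += 1
            else:
                hosts[ip]["existing"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m and m.group(2) in hosts:
            # A success from an address that was already failing logins.
            hosts[m.group(2)]["accepted_after_fail"].add(m.group(1))
    return dict(hosts)


def verdict(host):
    """Rank one address: rejected guesses alone are background noise."""
    if host["accepted_after_fail"]:
        return "investigate"        # could also be an admin's typo; check the source
    if host["existing"]:
        return "review-passwords"   # real accounts are being guessed at
    return "noise"


if __name__ == "__main__":
    for ip, host in triage(SAMPLE).items():
        print(ip, verdict(host), host)
```

In the posted log, only the mysql and support lines lack "invalid user", so those are the two guessed names that exist as accounts on the server.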

cyberlair

Rogers High Speed is now blocking port 25
« Reply #4 on: February 10, 2006, 06:53:50 PM »
Further, it appears that my log files have been deleted since I only have logs for: messages, msql, nmbd, popd and pppoe.

Should this be reported?

Thanks

cyberlair

Rogers High Speed is now blocking port 25
« Reply #5 on: February 15, 2006, 03:09:14 PM »
OK, well, I discovered why the email is not working. Rogers Yahoo high speed has decided to block port 25 so I am switching ISPs.

cyberlair

Rogers High Speed is now blocking port 25
« Reply #6 on: February 17, 2006, 06:46:18 PM »
I discovered that the port was blocked since I could ssh into port 25 from inside my network but could not from outside my network. So I checked my firewall rules and rebooted it to make sure. I also called Rogers to confirm my findings and they said they had in fact closed port 25 globally to prevent spam.

I think they should have notified people before doing this.  I have been with Rogers since high speed was introduced and now I am cancelling them for a local "server friendly" DSL service MAGMA HIGHSPEED.

I am sure they will lose other customers because of this move. :-x
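
An added example, not part of any post in this thread: the inside-versus-outside port 25 check described above, written as a probe that is run once from the LAN and once from an outside host, with the two results combined. The host name, function names and result labels are assumptions made for illustration, and reading a timeout as upstream filtering is a common heuristic, not a certainty.

```python
import socket


def probe_smtp(host, port=25, timeout=5.0):
    """Try a TCP connect and read the SMTP greeting.

    Returns (state, banner) with state 'open', 'refused', 'timeout' or 'error'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                banner = conn.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""          # connected, but the server stayed silent
            return ("open", banner)
    except ConnectionRefusedError:
        return ("refused", "")       # a reset came back: nothing listening, or a rejecting filter
    except socket.timeout:
        return ("timeout", "")       # no answer at all: packets are being dropped
    except OSError as exc:
        return ("error", str(exc))   # DNS failure, no route, and similar


def diagnose(inside_state, outside_state):
    """Combine a probe from the LAN with one from an outside host."""
    if inside_state != "open":
        return "local-fault"         # fix the mail service before blaming the network
    if outside_state == "open":
        return "reachable"
    if outside_state == "timeout":
        return "filtered"            # typical of a firewall or ISP drop (assumption)
    if outside_state == "refused":
        return "rejected"
    return "inconclusive"


if __name__ == "__main__":
    # mail.example.org is a placeholder; run once inside the LAN and once outside.
    print(probe_smtp("mail.example.org"))
```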

christian

Rogers High Speed is now blocking port 25
« Reply #7 on: February 18, 2006, 06:51:17 PM »
hmmm. Are you sure? I'm with Rogers and it is working. I have inbound email. However what I did notice is on the outbound side things tightened up and I had to use their email relay. I noted this around Feb 4/06.

It confused me for a bit because two things happened at the same time. I had switched from Outlook2002 to Thunderbird. Rogers was also blocking secondary email accounts which were not properly registered through Yahoo. Remember when you did your primary account ages ago? Well it didn't automatically do the secondaries...

All of this happened within hours of each other so I wasn't sure what it was at first.

Anyway you may wish to set your smtp-auth-proxy and see if your outbound works...

Here is mine with mods to protect my account:

# /sbin/e-smith/db configuration show smtp-auth-proxy
smtp-auth-proxy=service
    Passwd=mypassword
    Userid=myoutboundaccount@rogers.com
    status=enabled

Note, I created a special secondary email account just for outbound email from SME as Rogers seems to get confused if two clients login to the same account.

-Christian
SME since 2003

cyberlair

Rogers High Speed is now blocking port 25
« Reply #8 on: February 19, 2006, 11:08:54 PM »
Thanks for the reply. Yes, I'm sure Rogers is blocking the port. They may not have blocked it everywhere yet but it's coming. I realize a proxy can be used to send email out through a different port and if that's what you have to do then you're probably blocked as well. You cannot receive email on your server if port 25 is blocked. Rogers is also blocking torrents as well, so what use is it when you can't do what you want with your own internet?

christian

Rogers High Speed is now blocking port 25
« Reply #9 on: February 19, 2006, 11:51:01 PM »
OK. I'll keep an eye out for it. So far I'm still receiving fine on port 25.
SME since 2003