Koozali.org: home of the SME Server

SMTP for internal purposes (Server was used for sending spam? Need help)

tias_
Hi, for about 12 hours my server was hit by a mail intruder. It seems like my server has been used to send spam to other places. I'm sure that this mail didn't come from my own network.

The first question is how I erase all messages that have been placed in the SMTP queue. There are over a thousand mails pending delivery.
It seems like mail is being sent as the user anonymous@mydomain.com, but on my system there isn't any anonymous account.

In my db configuration:

smtp-auth-proxy=service
    Debug=0
    Passwd=
    Userid=
    status=disabled
smtpd=service
    Authentication=disabled
    Instances=40
    InstancesPerIP=5
    MaximumDateOffset=0
    PatternsScan=enabled
    Proxy=enabled
    TCPPort=25
    TCPProxyPort=25
    VirusScan=enabled
    access=public
    status=enabled
    tnef2mime=enabled

ssmtpd=service
    Authentication=enabled
    Instances=10
    TCPPort=465
    access=public
    status=enabled

Is there anything here that makes it possible to connect to my SMTP without authorization? All configuration of the email has been done with the server-manager.

My own personal account is full of bounce messages and my email client (Thunderbird) refuses to download them, so I wonder how I can erase all messages matching a fixed subject?

Hoping for some answers; my server is currently down, and I hope someone can give me some answers as to why my server could be used from outside my network without my permission.

Best regards,
Tias

chebe
« Reply #1 on: September 03, 2007, 09:51:34 AM »
For managing your qmail queue you could use qmHandle; the latest version is available here:
http://sourceforge.net/project/showfiles.php?group_id=74976

As for the rest, one of my customers was having the same problem as the one you described. It was using ssmtp + auth!! I haven't finished investigating the matter yet.
I turned off the ssmtp auth, thus turning off SMTP from outside the LAN.
Unix is user friendly - it's just selective about who its friends are !

chris burnat
« Reply #2 on: September 03, 2007, 10:51:11 AM »
 
Quote
Hi, for about 12 hours my server was hit with a mail intruder. It seems like my server has been used to send spam to other places. I'm sure that this mail didn't come from my own network.
Karma,
Given the possible security implications associated with this topic, it would be best to open a bug report at Bugzilla for consideration by the developers; they will know how to handle this matter. Please do so at the earliest possible time. May I also suggest that you (and others) do not provide additional information about this issue in the forum at this point in time, for everyone to read...
- chris
If it does not work out of the box, please fill in a bug report @ Bugzilla (http://bugs.contribs.org) - check: http://wiki.contribs.org/Bugzilla_Help. Thanks.

tias_
« Reply #3 on: September 03, 2007, 01:46:23 PM »
Could someone tell me where to change things so that connections to SMTP and SSMTP are only allowed from my own network?

//Tias


Never mind, I managed to flush my queue. Don't know how it worked, but glad it did.

---

Could be a good point.

But I downloaded qmHandle and copied it to the server. I executed it with './qmhandle -D', which is supposed to flush the whole queue. But the problem I now have is that qmail refuses to shut down. I've tried to do it with 'service qmail stop' but it returns FAIL. A restart works but will not solve it for qmHandle.

Any suggestions why qmail doesn't shut down?
« Last Edit: September 03, 2007, 02:16:47 PM by tias_ »

jonic
« Reply #4 on: September 03, 2007, 04:29:25 PM »
It seems to me that you have the SMTP proxy enabled and one of the local machines got infected with a virus. Check one of the bounce messages, and you should find the IP of the local machine.

As stated above qmHandle will allow you to delete the queued messages.
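An added example of the check jonic describes, not code from the thread or from SME Server: take the bottom-most Received: header of the original message (the hop closest to the sender) and classify it. It relies on qmail's own header formats: a message injected locally carries `Received: (qmail N invoked by uid U)`, a message accepted by qmail-smtpd carries `Received: from unknown (HELO name) (a.b.c.d)` with the peer's IP, and a qmail-send bounce includes the original after the line `--- Below this line is a copy of the message.` A LAN IP points at a relaying client (jonic's infected PC); a local injection by the web server's uid points at a script on the server itself, which is what the later posts in this thread found. The uid-to-name mapping (48 is apache on CentOS-derived systems such as SME 7) is an assumption to verify with `getent passwd`; the private-range list and the output wording are choices made here.

```shell
#!/bin/sh
# Added example, not from the thread: find where a queued or bounced message
# was injected from by reading the bottom-most Received: header of the original.
# Assumed qmail formats:
#   Received: (qmail 123 invoked by uid 48); ...       local injection (e.g. PHP mail())
#   Received: (qmail 123 invoked from network); ...    via qmail-smtpd, followed by
#   Received: from unknown (HELO pc1) (192.168.1.5)    the line that carries the peer IP
# A qmail-send bounce carries the original message after the marker line
#   --- Below this line is a copy of the message.

# bottom_received FILE: print the lowest Received: header of the message in FILE.
# If FILE is a qmail bounce, the copied original message is used instead.
bottom_received() {
    awk '
        /^--- Below this line is a copy of the message\./ { hdr = 1; started = 0; r = ""; next }
        NR == 1      { hdr = 1 }                       # a plain message starts with headers
        !hdr         { next }                          # body lines are ignored
        /^$/         { if (started) hdr = 0; next }    # first blank line ends the header block
        /^Received:/ { r = $0 }                        # keep the last (lowest) one seen
                     { started = 1 }
        END          { print r }
    ' "$1"
}

# classify_origin FILE -> "local uid=N", "lan ip=A", "external ip=A" or "unknown ..."
classify_origin() {
    last=$(bottom_received "$1")
    case "$last" in
        "")
            printf 'unknown (no Received header)\n' ;;
        *"invoked by uid "*)
            # local injection: the uid says which process put the mail in the queue
            uid=$(printf '%s\n' "$last" | sed 's/.*invoked by uid \([0-9][0-9]*\).*/\1/')
            printf 'local uid=%s\n' "$uid" ;;
        *"invoked from network"*)
            printf 'network (qmail-smtpd line missing)\n' ;;
        *"("*"."*"."*"."*")"*)
            ip=$(printf '%s\n' "$last" | sed 's/.*(\([0-9][0-9.]*\)).*/\1/')
            case "$ip" in
                127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
                    printf 'lan ip=%s\n' "$ip" ;;      # a LAN host relayed through the proxy
                *)
                    printf 'external ip=%s\n' "$ip" ;; # outside host got in: check smtpd/ssmtpd auth
            esac ;;
        *)
            printf 'unknown (%s)\n' "$last" ;;
    esac
}
```

Usage: save one of the bounces from the mailbox to a file and run `classify_origin bounce.eml`; for a queued message, point it at the file under /var/qmail/queue/mess. Map a reported uid to a name with `getent passwd 48` rather than assuming.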

tias_
« Reply #5 on: September 03, 2007, 05:34:05 PM »
I have narrowed it down a little and am trying to understand how this happened. But for the good of all SME users, this discussion shouldn't be held in a public thread. The main reason I asked was to learn how to stop the queue.

raem
« Reply #6 on: September 03, 2007, 09:58:51 PM »
tias_
Quote
Executed (qmHandle) with './qmhandle -D', which is supposed to flush the whole queue. But the problem I now have is that qmail refuses to shut down. I've tried to do it with 'service qmail stop' but it returns FAIL.

I'm sure you need to stop qmail BEFORE you flush the queue!

It has been said so many times in these forums, for the last three years or so, NOT to use the service command, as it does not always do everything that is required in SME Server. SME is a bit different from other Linux distros.
SME 7.x uses supervised services, which will automatically restart if they stop, and uses the sv command, i.e.
to bring down:
sv d /service/qmail
to bring up:
sv u /service/qmail
to terminate (which forces a restart, due to being a supervised service):
sv t /service/qmail

For any non-supervised service use
/etc/init.d/servicename restart (or stop or start or status)

See the developer manual for more details
...
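The sequence raem gives, scripted as an added example (not from the thread or from SME Server) so the queue is never touched while qmail-send is still running: bring the supervised service down with `sv d`, poll `sv status` until it reports the service down, run qmHandle, then bring the service back up with `sv u`. It assumes runit-style `sv`, the service directory /service/qmail, and qmHandle copied into the current directory as tias_ did; `-D` (delete everything) and `-Stext` (delete by subject) are qmHandle's own options. The `QMAIL_SVC`, `QMHANDLE` and `WAIT_SECS` variables and the function names are choices made here.

```shell
#!/bin/sh
# Added example, not from the thread: safe purge of the qmail queue on an
# SME 7 style system with supervised services. Assumes runit's sv, the
# service directory /service/qmail and qmHandle in the current directory.
QMAIL_SVC=${QMAIL_SVC:-/service/qmail}
QMHANDLE=${QMHANDLE:-./qmHandle}
WAIT_SECS=${WAIT_SECS:-30}    # how long to wait for qmail-send to exit

# Poll sv status until the service is reported down; fail after WAIT_SECS.
wait_for_down() {
    i=0
    while [ "$i" -lt "$WAIT_SECS" ]; do
        # runit's status line begins with "down:" once the process is gone
        if sv status "$QMAIL_SVC" | grep -q '^down:'; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# flush_qmail_queue [subject]: stop qmail, delete everything in the queue
# (or only messages with the given subject), then bring qmail back up.
flush_qmail_queue() {
    sv d "$QMAIL_SVC" || return 1           # 'sv d', not 'service qmail stop'
    if ! wait_for_down; then
        echo "qmail still running after ${WAIT_SECS}s; queue left untouched" >&2
        sv u "$QMAIL_SVC"                   # undo the down request
        return 1
    fi
    if [ -n "$1" ]; then
        "$QMHANDLE" -S"$1"                  # delete messages with exactly this subject
    else
        "$QMHANDLE" -D                      # delete every queued message
    fi
    rc=$?
    sv u "$QMAIL_SVC"                       # supervised: bring it back up
    return "$rc"
}
```

Run `flush_qmail_queue` to empty the queue, or `flush_qmail_queue "cheap stuff"` to remove only the spam run by subject; `sv status /service/qmail` afterwards should show it back in the `run:` state.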

raem
« Reply #7 on: September 03, 2007, 10:00:35 PM »
tias_
Quote
But for the good of all SME users, this discussion shouldn't be held in a public thread.

Did you open a bug as requested ?
...

tias_
« Reply #8 on: September 03, 2007, 11:02:28 PM »
I haven't opened any bug because it has come to my attention that SME has nothing to do with this problem. A badly written script is why the server has been affected. A good tip to everyone else: stay away from poorly written PHP code.

CharlieBrady
« Reply #9 on: September 04, 2007, 01:15:02 AM »
A badly written script is why the server has been affected. A good tip to everyone else: stay away from poorly written PHP code.

My personal opinion is to stay away from php code entirely. PHP is a difficult language to write secure programs in, and few php programmers have the knowledge to do it well.

judgej
« Reply #10 on: September 04, 2007, 01:25:57 AM »
My personal opinion is to stay away from php code entirely. PHP is a difficult language to write secure programs in, and few php programmers have the knowledge to do it well.

It is more the case that PHP is easy to learn, so there are many more people using it, and many really badly written scripts produced by people who would not otherwise have the necessary skills to write a secure application. In the right hands, a decent and secure application can be written.

-- JJ
-- Jason

tias_
« Reply #11 on: September 04, 2007, 03:53:37 PM »
Must say that I sure like PHP a lot more than ASP. But for now I've got terrible work to do because someone built a script with poor skills.

Could someone please give me a list of which accounts in /etc/shadow are normal in an SME installation? I have to go through the machine to make sure that no entrance is left. Sadly I was attacked with a script that seems to give the intruder very much power over the machine (N3tSHELL). If someone has any suggestions where to look for security flaws I would appreciate it. My Primary ibay has been cleaned of suspected .php files, and it was also through this ibay that the intruder came in, not because of SME and its security. Will it be possible for a script to reach another ibay or maybe even the system itself?
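An added example for the "where to look" part of the question, not from the thread or from SME Server: a triage pass over an ibay's web root that lists PHP files containing the calls a dropped web shell almost always needs (eval/base64_decode, passthru, shell_exec, proc_open, popen, system, exec) and PHP files modified in the last N days. The path /home/e-smith/files/ibays/Primary/html is the SME 7 ibay layout; the indicator list is a generic set chosen here, not a signature of N3tSHELL or any particular shell, so legitimate apps can hit it and every hit needs a look by hand. The function and variable names are choices made here.

```shell
#!/bin/sh
# Added example, not from the thread: triage an ibay web root for PHP files that
# look like web shells or were changed recently. SME 7 ibay path assumed below.
IBAY_HTML=${IBAY_HTML:-/home/e-smith/files/ibays/Primary/html}

# Calls a dropped shell almost always makes; clean apps rarely need all of them.
# Generic indicators chosen here, not a signature of any specific shell.
SHELL_INDICATORS='eval *\(|base64_decode *\(|passthru *\(|shell_exec *\(|proc_open *\(|popen *\(|system *\(|exec *\('

# suspect_php DIR [DAYS]: print "<file>  [indicator]" for PHP-ish files under DIR
# that contain one of the indicator calls, and "<file>  [recent]" for .php files
# modified within the last DAYS days (default 14).
suspect_php() {
    dir=$1
    days=${2:-14}
    # -exec ... {} + runs grep over batches; -l prints each matching file once
    find "$dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -lE "$SHELL_INDICATORS" {} + 2>/dev/null | sed 's/$/  [indicator]/'
    # anything touched recently, whatever it contains: compare with your deploy dates
    find "$dir" -type f -name '*.php' -mtime "-$days" 2>/dev/null | sed 's/$/  [recent]/'
}
```

Run it as `suspect_php "$IBAY_HTML" 30` for each ibay, and compare the [recent] list against the dates you last changed the site; a PHP file under a directory meant for uploads or images is worth a look regardless of what it contains.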

raem
« Reply #12 on: September 04, 2007, 05:01:29 PM »
tias_

Quote
Will it be possible for a script to reach another ibay or maybe even the system itself?

Anything is possible.

You would be best to totally rebuild the server (i.e. fresh install from CD without a restore from backups), manually reconfigure it and reinstall addons etc., and ONLY restore data that has been checked to ensure that no code was left behind by the intruder.
If you must use backup data, then you should go back in time to a known good backup (done well before the intrusion) and restore from that. It's possible that the hacker got access earlier but only activated it recently, so check your backups to make sure they do not show signs of prior intrusion.
You are very unwise to continue using that server; there are so many places that some code could be hiding.
« Last Edit: September 04, 2007, 05:47:49 PM by RayMitchell »
...

CharlieBrady
« Reply #13 on: September 04, 2007, 05:10:48 PM »
It is more the case that PHP is easy to learn ...

No, that is often said, but it's simply not the case. Yes, it's true that many inexperienced programmers use PHP, but there are important language features either missing (taint checking) or wrong (register_globals) which contribute to PHP's abysmal security record.

tias_
« Reply #14 on: September 04, 2007, 11:17:10 PM »
You are very unwise to continue using that server, there are so many places that some code could be hiding.

I was afraid of that answer. Deep inside I know that I have to take it down hard and start all over, but it's going to take a lot of time. But I guess it's the safest way to handle it. No strange behavior has been noticed since I cleaned my Primary ibay. But when I searched for info on the scripts I understood that my system can be more "infected" elsewhere. I kind of hoped that SME had some magic defenses to stop an ibay touching the system itself, or the other ibays.
« Last Edit: September 05, 2007, 01:30:02 AM by tias_ »