Topic: Removed from Lashback

[mike_mattos]

An SME server hosted domain was recently REMOVED from Lashback unsubscribe list.  I looked at the Lashback site and it showed more unsubscribe events than the server logs for total mail, about ten times as much.  Also showed about five times the 'bad' stuff monday to friday than on weekends.  I wondered if my legitimate sender was being blacklisted somewhere.

The server had email hijack problems in May, but I'm at a loss where to look for the mail that isn't in the log statistics!  How can Lashback say 99 problems yesterday when qmail and mail log analysis show only 10 emails?

[mmccarn]

A compromised PHP web app can send email from your server directly; such email might be logged in /var/log/messages, it might be in an application-specific log of some sort, or it might not be logged anywhere.  It wouldn't appear in the qmail or qpsmtpd log, however.

Also, there was a vulnerability discovered a few months ago with php5 running using cgi-bin (php5 on SME 7.x) (in case you have php5-cgi installed).

[mike_mattos]

php -v shows 4.3.9,  /var/log/messages has 180.213.13.251 ( bad guy in China ) trying to log in as root but failing, and ADDPRINTEREX failures, not much else

dates of php scripts look normal too