
I just got the following "undelivered message" to my postmaster@mydomain.com

Does this mean someone might have tried to (or succeeded in) hacking me?

(I replaced certain parts in the text below for privacy purposes; it's not exactly 100% the original I received.)

This is the mail system at host mydomain.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<ubahreasons@yahoo.com>: host mta7.am0.yahoodns.net[98.138.112.35] said: 554
    delivery error: dd Sorry your message to ubahreasons@yahoo.com cannot be
    delivered. This account has been disabled or discontinued [#102]. -
    mta1303.mail.ne1.yahoo.com (in reply to end of DATA command)



Reporting-MTA: dns; mydomain.com
X-Postfix-Queue-ID: 684A933780CC
X-Postfix-Sender: rfc822; root@mydomain.com
Arrival-Date: Tue, 14 Oct 2014 21:16:56 +0200 (CEST)

Final-Recipient: rfc822; ubahreasons@yahoo.com
Original-Recipient: rfc822;ubahreasons@yahoo.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; mta7.am0.yahoodns.net
Diagnostic-Code: smtp; 554 delivery error: dd Sorry your message to
    ubahreasons@yahoo.com cannot be delivered. This account has been disabled
    or discontinued [#102]. - mta1303.mail.ne1.yahoo.com


ForwardedMessage.eml
Subject: TESTING - 2012
From: root@mydomain.com (root)
Date: 10/14/2014 9:16 PM
To: ubahreasons@yahoo.com

#############################iNFOS#############################
#############################FOR YOU#############################
Linux servername 2.6.18-164.el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root) context=system_u:system_r:initrc_t

#############################SSH iNFOS#############################
#############################FOR YOU#############################
#UsePAM no
UsePAM yes
PermitRootLogin 
#GatewayPorts no
#ListenAddress 0.0.0.0
#ListenAddress ::
#############################SHADOWFILE#############################
#############################SHADOWFILE#############################
root:$1$H4zwKrgL$NA37jPGoTCiPA0mrq/OKq/:15231:0:99999:7:::
bin:*:15431:0:99999:7:::
daemon:*:15431:0:99999:7:::
info:$1$dO1pvRG.$DZUXjGeS4NgDpGNCwX.0b0:14241:0:99999:7::::::
postmaster:$1$gW7jPsgB$dh09VlQ/W0FALpPlR1fPt/:16127:0:99999:7:::
... more stuff like that

#############################iPS#############################
#############################iPS#############################
          inet addr:111.11.111.11  Bcast:111.11.111.11  Mask:255.255.255.0
          inet6 addr: ff11::11ff:11ff:ffff:1111/64 Scope:Link
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
#############################USERS WITH SHELL#############################
#############################USERS WITH SHELL#############################
root:x:0:0:root:/root:/bin/bash
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
... some more stuff like the first three lines

I am not the most experienced, so if anyone can give me suggestions on what this means and what to do next... thanks!

Update:

From the time of the breach, I have the following in my httpd log file:

80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "POST http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "CONNECT 80.65.51.219:6667 HTTP/1.0" 302 225 "-" "-"
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "PUT http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"

Otherwise I couldn't find anything suspicious.

If anyone has further suggestions, or has seen something like this before, please leave a comment or an answer. Thanks!

Kolja
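As an added example (not from the question or the answer), a small Python scanner for the kind of httpd entries shown in the update: CONNECT host:port and absolute-URI request targets are the forms a client sends when it believes it is talking to an open forward proxy rather than an origin server (6667 is the conventional IRC port). The first three sample lines are the question's own; the fourth is a constructed benign request.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Apache common/combined log format; the whole request line is captured.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

# Three entries quoted from the question plus one constructed, benign request.
SAMPLE_LOG = [
    '80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "POST http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"',
    '80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "CONNECT 80.65.51.219:6667 HTTP/1.0" 302 225 "-" "-"',
    '80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "PUT http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"',
    '192.0.2.10 - - [14/Oct/2014:21:57:01 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

@dataclass
class Finding:
    client: str
    timestamp: str
    method: str
    destination: str  # host:port the client asked the server to reach on its behalf

def proxy_destination(method: str, target: str) -> Optional[str]:
    """Return the remote host:port if the request is in forward-proxy form, else None.
    An origin-server request carries an absolute path such as '/index.html'; a client
    that believes it is talking to a proxy sends CONNECT host:port or an absolute URI."""
    if method == "CONNECT":
        return target
    if re.match(r"^https?://", target, re.IGNORECASE):
        return urlparse(target).netloc
    return None

def scan_access_log(lines: List[str]) -> List[Finding]:
    """Flag every well-formed log entry whose request line is in proxy form."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("request").split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue  # malformed request line; skip rather than guess
        dest = proxy_destination(parts[0], parts[1])
        if dest:
            findings.append(Finding(m.group("client"), m.group("ts"),
                                    parts[0], dest))
    return findings
```

Run over a real access log, the client/destination pairs it returns show which sources probed the host for proxy behaviour and where they wanted to go; a 302 there means the server redirected rather than relayed, but the probing itself is worth keeping in the incident timeline.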

1 Answer

Did anyone using your server intentionally send email to ubahreasons@yahoo.com? If so, then this is just an NDR (non-delivery report).

If not, then you probably got hacked.

Edit: Aha, for some reason I read the lower contents of this email as diagnostic info from your local mailer. Now I see that it is more likely the contents of the unsuccessful email that was bounced. Yup, you've been pwned. Burn it to the ground and start over.

mfinni
  • I am, as far as I know, the only person using this server to send out emails. I don't know this email address `ubahreasons@yahoo.com`. For right now I changed all passwords, just to be sure. I guess I have to do some more work and find out where this comes from / came from. – Kolja Oct 14 '14 at 20:20
  • Considering the content of the email, I'd go with "Compromised, nuke it" (shadow file, net info, ssh conf; things usually not readable / not for everyone on the net). – NaeiKinDus Oct 14 '14 at 20:20
  • Edited - you're right. – mfinni Oct 14 '14 at 20:26
  • Yep. Pwnage. Don't reuse that root password, either; your hash is sitting here for all to see (and Google has already indexed it). – Evan Anderson Oct 14 '14 at 20:27
  • @EvanAnderson Thanks. I modified the hash values in the above, so it is not the one for my original root password. But yes, I agree. I won't use the same again! – Kolja Oct 14 '14 at 20:38
  • Before nuking it, I would disconnect it from the Internet to take a look at everything I could, to see what led to the pwnage. Otherwise they could do the same again. Get all software versions, all logs, all modification dates and times, and check for everything strange. – ThoriumBR Oct 14 '14 at 21:30
  • What part of this made you think it was not just a Joe Job? http://en.wikipedia.org/wiki/Joe_job – Ben Jackson Oct 15 '14 at 00:17
  • Because it came from his own server, not Yahoo delivering an NDR. – mfinni Oct 15 '14 at 00:18