
My email server is attempting to send out a great deal of spam. I'm using Postfix & Dovecot.

I'm trying to diagnose the problem and figure out how this is being sent. My guess right now is that it's using an insecure port 25 to send the email. Does this seem consistent with the logs? How can I fix this?

Dec 29 01:29:22 balloonindustries postfix/smtpd[25536]: connect from m69-77.mailgun.net[166.78.69.77]
Dec 29 01:29:22 balloonindustries postfix/smtpd[25536]: SSL_accept error from m69-77.mailgun.net[166.78.69.77]: 0
Dec 29 01:29:22 balloonindustries postfix/smtpd[25536]: warning: TLS library problem: 25536:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1260:SSL alert number 42:
Dec 29 01:29:22 balloonindustries postfix/smtpd[25536]: lost connection after STARTTLS from m69-77.mailgun.net[166.78.69.77]
Dec 29 01:29:22 balloonindustries postfix/smtpd[25536]: disconnect from m69-77.mailgun.net[166.78.69.77]
Dec 29 01:29:22 balloonindustries postfix/smtpd[25536]: connect from m69-77.mailgun.net[166.78.69.77]
Dec 29 01:29:22 balloonindustries postfix/trivial-rewrite[24327]: warning: do not list domain balloonindustries.com in BOTH mydestination and virtual_mailbox_domains
Dec 29 01:29:22 balloonindustries postfix/smtpd[25536]: CCC67125A9B: client=m69-77.mailgun.net[166.78.69.77]
Dec 29 01:29:22 balloonindustries postfix/cleanup[25295]: CCC67125A9B: message-id=<54a0ae516fbff_21b41d6ee0bf6b43374775a8@ns5000775.ip-142-4-219.net.mail>
Dec 29 01:29:23 balloonindustries postfix/qmgr[1537]: CCC67125A9B: from=<bounce+6f434a.b125-andy=balloonindustries.com@mxtoolbox.com>, size=19403, nrcpt=1 (queue active)
Dec 29 01:29:23 balloonindustries postfix/trivial-rewrite[24327]: warning: do not list domain balloonindustries.com in BOTH mydestination and virtual_mailbox_domains
Dec 29 01:29:24 balloonindustries postfix/pipe[25144]: CCC67125A9B: to=<andy@balloonindustries.com>, relay=dovecot, delay=1.3, delays=1.2/0/0/0.07, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 01:29:24 balloonindustries postfix/qmgr[1537]: CCC67125A9B: removed
Dec 29 01:29:28 balloonindustries postfix/smtp[23862]: connect to mx2.hotmail.com[207.46.8.199]:25: Connection timed out
Dec 29 01:29:28 balloonindustries postfix/smtp[20637]: connect to aello.beerta.net[88.198.205.195]:25: Connection timed out
Dec 29 01:29:28 balloonindustries postfix/smtp[20637]: 64DED127F9A: to=<ddfbusty@claus.beerta.net>, relay=none, delay=8868, delays=8830/8.1/30/0, dsn=4.4.1, status=deferred (connect to aello.beerta.net[88.198.205.195]:25: Connection timed out)
Dec 29 01:29:30 balloonindustries postfix/smtp[23884]: connect to mta6.am0.yahoodns.net[98.138.112.35]:25: Connection timed out
Dec 29 01:29:30 balloonindustries postfix/smtp[23856]: connect to mta5.am0.yahoodns.net[63.250.192.45]:25: Connection timed out
Dec 29 01:29:34 balloonindustries postfix/smtp[23881]: connect to mx3.hotmail.com[65.55.37.104]:25: Connection timed out
Dec 29 01:29:34 balloonindustries postfix/smtp[20381]: connect to smtp-telenet.telenet-ops.be[195.130.132.55]:25: Connection timed out
Dec 29 01:29:40 balloonindustries postfix/pickup[25262]: 1123E126462: uid=33 from=<tonya_dalton@andrewjalexander.com>
Dec 29 01:29:40 balloonindustries postfix/cleanup[25295]: 1123E126462: message-id=<20141229012940.1123E126462@balloonindustries.com>
Dec 29 01:29:40 balloonindustries postfix/qmgr[1537]: 1123E126462: from=<tonya_dalton@andrewjalexander.com>, size=776, nrcpt=1 (queue active)
Dec 29 01:29:40 balloonindustries postfix/error[25449]: 1123E126462: to=<ragnarok156@hotmail.com>, relay=none, delay=0.03, delays=0.02/0/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx2.hotmail.com[65.55.33.135]:25: Connection timed out)
Dec 29 01:29:40 balloonindustries postfix/pickup[25262]: 174E112646E: uid=33 from=<tonya_dalton@andrewjalexander.com>
Dec 29 01:29:40 balloonindustries postfix/cleanup[25295]: 174E112646E: message-id=<20141229012940.174E112646E@balloonindustries.com>
Dec 29 01:29:40 balloonindustries postfix/qmgr[1537]: 174E112646E: from=<tonya_dalton@andrewjalexander.com>, size=782, nrcpt=1 (queue active)
Dec 29 01:29:40 balloonindustries postfix/pickup[25262]: 1BCA1126477: uid=33 from=<tonya_dalton@andrewjalexander.com>
Dec 29 01:29:40 balloonindustries postfix/cleanup[25295]: 1BCA1126477: message-id=<20141229012940.1BCA1126477@balloonindustries.com>
Dec 29 01:29:40 balloonindustries postfix/qmgr[1537]: 1BCA1126477: from=<tonya_dalton@andrewjalexander.com>, size=776, nrcpt=1 (queue active)
Dec 29 01:29:40 balloonindustries postfix/pickup[25262]: 2065712647C: uid=33 from=<tonya_dalton@andrewjalexander.com>
Dec 29 01:29:40 balloonindustries postfix/cleanup[25295]: 2065712647C: message-id=<20141229012940.2065712647C@balloonindustries.com>
Dec 29 01:29:40 balloonindustries postfix/qmgr[1537]: 2065712647C: from=<tonya_dalton@andrewjalexander.com>, size=763, nrcpt=1 (queue active)
Dec 29 01:29:40 balloonindustries postfix/pickup[25262]: 247DD12647E: uid=33 from=<tonya_dalton@andrewjalexander.com>
Dec 29 01:29:40 balloonindustries postfix/cleanup[25295]: 247DD12647E: message-id=<20141229012940.247DD12647E@balloonindustries.com>
Dec 29 01:29:40 balloonindustries postfix/qmgr[1537]: 247DD12647E: from=<tonya_dalton@andrewjalexander.com>, size=777, nrcpt=1 (queue active)
Dec 29 01:29:40 balloonindustries postfix/error[25526]: 247DD12647E: to=<ragnarok_gtr@hotmail.com>, relay=none, delay=0.02, delays=0.01/0/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx2.hotmail.com[65.55.33.135]:25: Connection timed out)
Dec 29 01:29:40 balloonindustries postfix/pickup[25262]: 2A80D126493: uid=33 from=<tonya_dalton@andrewjalexander.com>
Dec 29 01:29:40 balloonindustries postfix/cleanup[25295]: 2A80D126493: message-id=<20141229012940.2A80D126493@balloonindustries.com>
Dec 29 01:29:40 balloonindustries postfix/qmgr[1537]: 2A80D126493: from=<tonya_dalton@andrewjalexander.com>, size=782, nrcpt=1 (queue active)
Dec 29 01:29:40 balloonindustries postfix/error[25451]: 2A80D126493: to=<ragnarokandroll@yahoo.com>, relay=none, delay=0.02, delays=0.01/0/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mta6.am0.yahoodns.net[98.138.112.32]:25: Connection timed out)
Dec 29 01:29:40 balloonindustries postfix/pickup[25262]: 2F7FF12649F: uid=33 from=<tonya_dalton@andrewjalexander.com>
Dec 29 01:29:40 balloonindustries postfix/cleanup[25295]: 2F7FF12649F: message-id=<20141229012940.2F7FF12649F@balloonindustries.com>
Dec 29 01:29:40 balloonindustries postfix/qmgr[1537]: 2F7FF12649F: from=<tonya_dalton@andrewjalexander.com>, size=783, nrcpt=1 (queue active)
Dec 29 01:29:40 balloonindustries postfix/error[25373]: 2F7FF12649F: to=<ragnarokplayer05@gmail.com>, relay=none, delay=0.02, delays=0.01/0.01/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to alt4.gmail-smtp-in.l.google.com[74.125.136.27]:25: Connection timed out)
Dec 29 01:29:40 balloonindustries postfix/pickup[25262]: 3730A1264D1: uid=33 from=<tonya_dalton@andrewjalexander.com>
Dec 29 01:29:40 balloonindustries postfix/cleanup[25295]: 3730A1264D1: message-id=<20141229012940.3730A1264D1@balloonindustries.com>
Dec 29 01:29:40 balloonindustries postfix/qmgr[1537]: 3730A1264D1: from=<tonya_dalton@andrewjalexander.com>, size=776, nrcpt=1 (queue active)
Dec 29 01:29:40 balloonindustries postfix/error[25452]: 3730A1264D1: to=<ragnarpiirson@gmail.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to alt4.gmail-smtp-in.l.google.com[74.125.136.27]:25: Connection timed out)
Dec 29 01:29:40 balloonindustries postfix/pickup[25262]: 3C3CC126554: uid=33 from=<tonya_dalton@andrewjalexander.com>
Andrew Alexander
  • Those messages came from the user with uid 33. Which user is that? – Michael Hampton Dec 29 '14 at 03:38
  • www-data, so my guess is that it's a script that had some malicious code added to it. – Andrew Alexander Dec 29 '14 at 03:52
  • It could simply be a badly written script. You need to find out which; if the server has been compromised, restoring from backups is the best way. But if it's a badly written script that is easy to abuse, restoring from backups won't change anything. – Jenny D Dec 29 '14 at 05:12
  • Found two malicious scripts using clamscan. It appears that these are the correct scripts. – Andrew Alexander Dec 29 '14 at 06:12
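The comments above narrow the source down to messages injected locally by uid 33 rather than relayed over the network. The following Python triage script is an added example, not code from the question or the answer: it separates messages Postfix accepted from a network client (smtpd lines with `client=`) from messages injected locally through the pickup service (pickup lines with `uid=`), joins each queue ID to its qmgr line for the recipient count, and totals local submissions per uid so that a burst from the web-server uid stands out. The embedded log lines are constructed in the same format as the question's log, with placeholder hosts and addresses, and the alert threshold is an assumption. On the real host, `getent passwd 33` maps the uid to its account name (www-data in the question).

```python
import re
import sys
from collections import defaultdict

# Constructed sample in Postfix mail.log format (placeholder hosts/addresses, not the question's real log).
SAMPLE_LOG = """\
Dec 29 01:29:22 mx postfix/smtpd[25536]: CCC67125A9B: client=relay.example.net[192.0.2.10]
Dec 29 01:29:23 mx postfix/qmgr[1537]: CCC67125A9B: from=<bounce@example.net>, size=19403, nrcpt=1 (queue active)
Dec 29 01:29:40 mx postfix/pickup[25262]: 1123E126462: uid=33 from=<spoofed@example.org>
Dec 29 01:29:40 mx postfix/qmgr[1537]: 1123E126462: from=<spoofed@example.org>, size=776, nrcpt=1 (queue active)
Dec 29 01:29:40 mx postfix/pickup[25262]: 174E112646E: uid=33 from=<spoofed@example.org>
Dec 29 01:29:40 mx postfix/qmgr[1537]: 174E112646E: from=<spoofed@example.org>, size=782, nrcpt=1 (queue active)
Dec 29 01:29:41 mx postfix/pickup[25262]: 2A80D126493: uid=33 from=<spoofed@example.org>
Dec 29 01:29:41 mx postfix/qmgr[1537]: 2A80D126493: from=<spoofed@example.org>, size=782, nrcpt=1 (queue active)
Dec 29 01:30:05 mx postfix/pickup[25262]: 9F0C11264A0: uid=1000 from=<alice@example.com>
Dec 29 01:30:05 mx postfix/qmgr[1537]: 9F0C11264A0: from=<alice@example.com>, size=512, nrcpt=1 (queue active)
"""

# pickup = local injection via sendmail(1)/mail(); smtpd = message accepted from a network client.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")


def classify_submissions(log_text):
    """Map each queue ID to how it entered the queue ('local' pickup or network 'smtpd')
    and, once the qmgr line is seen, how many recipients it carries."""
    msgs = {}
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            msgs[m["qid"]] = {"path": "local", "uid": int(m["uid"]), "sender": m["sender"], "nrcpt": 0}
            continue
        m = SMTPD_RE.search(line)
        if m:
            msgs[m["qid"]] = {"path": "smtpd", "client": m["client"], "sender": None, "nrcpt": 0}
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in msgs:
            msgs[m["qid"]]["nrcpt"] = int(m["nrcpt"])
    return msgs


def local_submissions_by_uid(msgs):
    """Per Unix uid: number of locally injected messages, total recipients, distinct envelope senders."""
    counts = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for info in msgs.values():
        if info["path"] != "local":
            continue
        c = counts[info["uid"]]
        c["messages"] += 1
        c["recipients"] += info["nrcpt"]
        c["senders"].add(info["sender"])
    return dict(counts)


def suspicious_uids(msgs, threshold=2):
    """uids that injected more than `threshold` messages locally (threshold is an assumed value).
    A web-server uid here points at a script calling sendmail/mail(), not at an open relay on port 25."""
    return sorted(uid for uid, c in local_submissions_by_uid(msgs).items() if c["messages"] > threshold)


if __name__ == "__main__":
    # Pipe the real log in (e.g. `python3 triage.py < /var/log/mail.log`); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    msgs = classify_submissions(text)
    for uid, c in sorted(local_submissions_by_uid(msgs).items()):
        print(f"uid={uid}: {c['messages']} messages, {c['recipients']} recipients, senders={sorted(c['senders'])}")
    print("suspicious uids:", suspicious_uids(msgs))
```

The classification matters for the fix: messages that arrive through pickup never touched smtpd, so tightening port 25 or `mynetworks` would not stop them; the account owning the uid (and whatever runs under it) is where to look, which is what the clamscan comment above confirmed.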

1 Answer


<blink>Destroy the server and recover from known good backups.</blink>


Wesley