HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

System attack message from logcheck (http://www.howtoforge.com/forums/showthread.php?t=6465)

Hagforce 26th August 2006 14:09

System attack message from logcheck
 
Hello...

I got this suspect message from logcheck.
Can anybody tell me what has been going on on my server?

Code:

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Aug 26 00:10:52 www postfix/smtp[28270]: C2E9623E0B4A: to=<asemia@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=5, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 00:27:49 www postfix/smtp[28487]: E7DB623E0CC3: to=<a216nb45@aaron-wright.com>, relay=mail.aaron-wright.com[67.19.105.202], delay=5, status=bounced (host mail.aaron-wright.com[67.19.105.202] said: 550 Appears to be a dictionary attack (in reply to RCPT TO command))
Aug 26 00:40:45 www postfix/smtp[28978]: AD22E23E0CD3: to=<atell@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:10:34 www postfix/smtp[30031]: 8B0B823E0CFF: to=<avari@mikhaela.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:10:44 www postfix/smtp[30019]: 08B6523E0CED: to=<avasis@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=2, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:174:Type=ASN1_PRINTABLE:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=value, Type=X509_NAME_ENTRY:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=issuer, Type=X509_CINF:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509:
Aug 26 01:28:51 www postfix/smtp[30607]: B686923E0BAD: to=<ayano@unidot.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:32:39 www postfix/smtp[30566]: 8105223E0C58: to=<ayoung@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=2, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:52:42 www postfix/smtp[31498]: 564D623E0A13: to=<babicz@unidot.com>, relay=smtp.secureserver.net[64.202.166.12], delay=4, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 02:17:03 www postfix/smtp[32197]: 33A3123E02E1: to=<bakker@unidot.com>, relay=smtp.secureserver.net[64.202.166.12], delay=26, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 02:37:46 www postfix/smtp[413]: 0CB9123E074D: to=<banman@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=13, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:174:Type=ASN1_PRINTABLE:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=value, Type=X509_NAME_ENTRY:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=issuer, Type=X509_CINF:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509:

My server is 85.222.100.138 (well, it isn't; I've changed it for this post).

Thank you for any information on what happened here.

falko 27th August 2006 17:03

Your server seems to be blacklisted. Please make sure it isn't an open relay. Do you see lots of activity in your mail log?

Hagforce 27th August 2006 21:24

Hi Falko

Thank you for replying.

My server is not open for relay, you have to give user name and password to send e-mail.

Could it be that someone has broken a user password?

How do I check if my server is used for spam, or has been compromised?

falko 28th August 2006 11:02

Please check the known blacklists, like sorbs.net.

What's the output of
Code:

postconf -n | grep mynetworks
and
Code:

postconf -d | grep mynetworks
?

Hagforce 29th August 2006 13:04

Output of "postconf -n | grep mynetworks"

Code:

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

Output of "postconf -d | grep mynetworks"

Code:

mynetworks = 127.0.0.0/8 85.222.100.0/24
mynetworks_style = subnet
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination


pablito 29th August 2006 22:56

Are you authorized to use securenet for SMTP? I'd check their FAQ for what they mean by the error.
Is "85.222.100.0/24" representing your internal net and *not* your public IP?

. You could be over quota for outbound SMTP at securenet.
. If you are doing SASL/TLS to the outbound you might have problems with the postfix setup.
. Can you send via another outbound server or directly?

falko 30th August 2006 16:07

Please run
Code:

postconf -e 'mynetworks = 127.0.0.0/8'
and restart Postfix, otherwise anybody from the 85.222.100.0 subnet can abuse your server for spamming.
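The two checks this thread turns on, whether the bounce pattern in the logcheck report is a sign of outbound abuse and whether mynetworks lets a whole subnet relay, can be scripted. This is an added example, not code from the thread or from Postfix; the sample log lines are constructed in the layout of the report above with placeholder addresses and IPs, and the parser assumes the Postfix smtp client log format shown there.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample in the layout of the logcheck report above; addresses,
# hosts and IPs are placeholders, not the thread's real values.
SAMPLE_LOG = """\
Aug 26 00:10:52 www postfix/smtp[28270]: C2E9623E0B4A: to=<asemia@example.com>, relay=smtp.example.net[192.0.2.10], delay=5, status=bounced (host smtp.example.net[192.0.2.10] said: 553 Attack detected. <http://unblock.example.net/?ip=203.0.113.5> (in reply to RCPT TO command))
Aug 26 00:27:49 www postfix/smtp[28487]: E7DB623E0CC3: to=<atell@example.org>, relay=mail.example.org[198.51.100.7], delay=5, status=bounced (host mail.example.org[198.51.100.7] said: 550 Appears to be a dictionary attack (in reply to RCPT TO command))
Aug 26 01:10:34 www postfix/smtp[30031]: 8B0B823E0CFF: to=<avari@example.com>, relay=smtp.example.net[192.0.2.10], delay=3, status=bounced (host smtp.example.net[192.0.2.10] said: 553 Attack detected. (in reply to RCPT TO command))
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:174:Type=ASN1_PRINTABLE:
Aug 26 01:30:00 www postfix/smtp[30600]: 0000000000AB: to=<bob@example.com>, relay=smtp.example.net[192.0.2.10], delay=3, status=sent (250 2.0.0 OK)
"""
# One Postfix smtp-client bounce line: queue id, recipient, relay host and the
# remote server's SMTP reply (code + text) that caused the bounce.
BOUNCE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^\[,]+)[^,]*, .*?status=bounced \(host .*? said: "
    r"(?P<code>\d{3}) (?P<text>.*?) \(in reply to"
)
# Receiving servers name the abuse: "553 Attack detected", "550 Appears to be a dictionary attack".
ATTACK_RE = re.compile(r"attack", re.IGNORECASE)

def parse_bounces(log_text):
    """One dict per status=bounced line; TLS warnings and delivered mail are skipped."""
    return [m.groupdict() for m in map(BOUNCE_RE.search, log_text.splitlines()) if m]

def summarize(log_text):
    """Count bounces whose remote reply reports an attack, grouped by relay; recipient
    local parts that walk the alphabet are the classic trace of an outbound dictionary run."""
    flagged = [b for b in parse_bounces(log_text) if ATTACK_RE.search(b["text"])]
    localparts = [b["rcpt"].split("@", 1)[0] for b in flagged]
    return {"flagged": len(flagged),
            "by_relay": dict(Counter(b["relay"] for b in flagged)),
            "alphabetical_run": len(localparts) >= 3 and localparts == sorted(localparts)}

def _is_loopback(entry):
    """True for loopback CIDRs; an unparsable entry (e.g. a lookup table) is reported too."""
    try:
        return ip_network(entry.replace("[", "").replace("]", ""), strict=False).is_loopback
    except ValueError:
        return False

def non_loopback_mynetworks(postconf_output):
    """mynetworks entries beyond loopback in 'postconf -n'/'postconf -d' output; with
    permit_mynetworks in effect, every host in them can relay without SASL auth."""
    for line in postconf_output.splitlines():
        if line.startswith("mynetworks ="):
            return [n for n in line.split("=", 1)[1].split() if not _is_loopback(n)]
    return []
```

Feeding the thread's own `postconf -d` output to `non_loopback_mynetworks` returns `85.222.100.0/24`, the entry falko's `postconf -e` command removes.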

