8th May 2009, 06:50
bzzik
Is my postfix hacked?

Hi guys! I really need help with my matter!

Yesterday I analyzed the mail logs and noticed something really strange. I think my postfix is hacked. We do not use our mail server much, but the maillog is full of unrecognized records. Here is part of it:

Quote:
May 8 07:32:55 s2 postfix/qmgr[10256]: 7FDF11049C6: to=<hemingway@ctv.es>, relay=none, delay=75981, delays=75981/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host inw.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:55 s2 postfix/qmgr[10256]: 71C79104A43: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 71C79104A43: to=<davidmorg@mixmail.com>, relay=none, delay=73514, delays=73514/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ing.wanadoo.es[62.36.20.73] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:55 s2 postfix/qmgr[10256]: 71C79104A43: to=<davidsuescunm@wanadoo.es>, relay=none, delay=73514, delays=73514/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host inw.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:55 s2 postfix/qmgr[10256]: 7C1C210479C: from=<info@bancaja.es>, size=2421, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 72A04104B17: from=<>, size=5258, nrcpt=1 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 980FF10483E: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 93DE41049B6: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 93DE41049B6: to=<asoto4@bellsouth.net>, relay=none, delay=76076, delays=76076/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-87.226.13.245 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
May 8 07:32:55 s2 postfix/qmgr[10256]: 9CEC21049E1: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 9CEC21049E1: to=<reyamartinez@bellsouth.net>, relay=none, delay=75833, delays=75833/0.01/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-87.226.13.245 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
May 8 07:32:55 s2 postfix/qmgr[10256]: 9CEC21049E1: to=<reyangel117@comcast.net>, relay=none, delay=75833, delays=75833/0.01/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx1b.comcast.net[76.96.62.116] refused to talk to me: 554 IMTA22.westchester.pa.mail.comcast.net comcast 87.226.13.245 Comcast requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. For more information, refer to: http://help.comcast.net/content/faq/PTR)
May 8 07:32:55 s2 postfix/qmgr[10256]: 9CEC21049E1: to=<reyalice@juno.com>, relay=none, delay=75833, delays=75833/0.02/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...4f513585c185a9a9616014d901bdb901804d3d59f 0658d50a9b4f050e990904495cdad1090ad6420e100...)
May 8 07:32:55 s2 postfix/qmgr[10256]: 95BDD1049BC: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 9750E1047F7: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 6F4F8104704: from=<oficina@banestnet.es>, size=2466, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 6AA8C1047BD: from=<info@bancaja.es>, size=2421, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 6A0111046F2: from=<oficina@banestnet.es>, size=2466, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 6C3D210492F: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 6C3D210492F: to=<jesussv@wanadoo.es>, relay=none, delay=213500, delays=213500/0.01/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host inw.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:55 s2 postfix/qmgr[10256]: 634571047A1: from=<info@bancaja.es>, size=2421, nrcpt=50 (queue active)
May 8 07:32:55 s2 postfix/qmgr[10256]: 634571047A1: to=<keliichang@comcast.net>, relay=none, delay=327123, delays=327123/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx1b.comcast.net[76.96.62.116] refused to talk to me: 554 IMTA22.westchester.pa.mail.comcast.net comcast 87.226.13.245 Comcast requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. For more information, refer to: http://help.comcast.net/content/faq/PTR)
May 8 07:32:55 s2 postfix/qmgr[10256]: 634571047A1: to=<keithevan@cox.net>, relay=none, delay=327123, delays=327123/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.west.cox
May 8 07:32:56 s2 postfix/qmgr[10256]: 303C410494A: to=<mha@eresmas.com>, relay=none, delay=213333, delays=213332/0.82/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ine.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:56 s2 postfix/qmgr[10256]: E3BD71048A3: to=<harppo_nene@eresmas.com>, relay=none, delay=248015, delays=248014/0.69/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ine.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:56 s2 postfix/qmgr[10256]: E1B1310480D: to=<ishtarkmm@eresmas.com>, relay=none, delay=214804, delays=214804/0.67/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ine.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:56 s2 postfix/qmgr[10256]: 08B9E10479B: to=<agfg@eresmas.com>, relay=none, delay=326939, delays=326939/0.64/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ine.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:56 s2 postfix/qmgr[10256]: 08B9E10479B: to=<agnogales@eresmas.com>, relay=none, delay=326939, delays=326939/0.64/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host ine.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es: num=19:self signed certificate in certificate chain
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es: num=24:invalid CA certificate
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es: num=26:unsupported certificate purpose
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21724]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es: num=19:self signed certificate in certificate chain
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es: num=24:invalid CA certificate
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es: num=26:unsupported certificate purpose
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21725]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21709]: certificate verification failed for mail.aselegal.com: num=18:self signed certificate
May 8 07:32:56 s2 postfix/smtp[21659]: 1B3CD1048F0: to=<jrsamada@ramonsamada.es>, relay=none, delay=245073, delays=245072/0.12/1/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=ramonsamada.es type=MX: Host not found, try again)
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net: num=19:self signed certificate in certificate chain
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net: num=24:invalid CA certificate
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net: num=26:unsupported certificate purpose
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21740]: certificate verification failed for tnetmx.telefonica.net:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21696]: certificate verification failed for mail.envalladolid.com: num=18:self signed certificate
May 8 07:32:56 s2 postfix/smtp[21696]: certificate verification failed for mail.envalladolid.com: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21696]: certificate verification failed for mail.envalladolid.com:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21696]: certificate verification failed for mail.envalladolid.com:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21691]: 738FC1049C2: host mailin-02.mx.aol.com[205.188.249.91] said: 421 SERVICE NOT AVAILABLE, TEMPORARY DNS FAILURE (in reply to MAIL FROM command)
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es: num=19:self signed certificate in certificate chain
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es: num=24:invalid CA certificate
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es: num=26:unsupported certificate purpose
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21741]: certificate verification failed for mx.terra.es:certificate has expired
May 8 07:32:56 s2 postfix/smtp[21747]: 980FF10483E: to=<m.marsan@tiscali.it>, relay=imp-1.mail.tiscali.it[213.205.33.248]:25, delay=214747, delays=214746/0.74/0.42/0, dsn=4.0.0, status=deferred (host imp-1.mail.tiscali.it[213.205.33.248] refused to talk to me: 554 imp-1.mail.tiscali.it ESMTP server not available if you do not have a reverse dns mapping)
May 8 07:32:56 s2 postfix/smtp[21673]: 1FFFF104B60: to=<maite@todoyoga.es>, relay=none, delay=58192, delays=58190/0.24/0.99/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=todoyoga.es type=MX: Host not found, try again)
May 8 07:32:56 s2 postfix/smtp[21731]: connect to mail.q8online.com[195.39.142.2]: Connection refused (port 25)
May 8 07:32:56 s2 postfix/smtp[21731]: 7FDF11049C6: to=<helpdesk@q8online.com>, relay=none, delay=75982, delays=75981/0.68/0.5/0, dsn=4.4.1, status=deferred (connect to mail.q8online.com[195.39.142.2]: Connection refused)
May 8 07:32:56 s2 postfix/smtp[21708]: 754B810452E: to=<pilarm.hoces.sspa@deandalucia.es>, relay=none, delay=246705, delays=246704/0.55/0.65/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=deandalucia.es type=MX: Host not found, try again)
May 8 07:32:56 s2 postfix/smtp[21726]: certificate verification failed for relay.unizar.es: num=19:self signed certificate in certificate chain
May 8 07:32:56 s2 postfix/smtp[21707]: 771BB1047A8: host mailin-02.mx.aol.com[205.188.249.91] said: 421 SERVICE NOT AVAILABLE, TEMPORARY DNS FAILURE (in reply to MAIL FROM command)
Many .es domain names, but our mail server is in the .lv zone! And we do not have that many users to send SO MANY emails!!!

What steps should I take now? Is it a trojan horse on my server or something???

P.S.
I am using CentOS 5.2 (Perfect Server install)

Last edited by bzzik; 8th May 2009 at 12:51.
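The quoted log has a recognisable shape: queued messages whose envelope senders are in domains this server does not host (Spanish bank names, while the server lives in .lv), 50 recipients per message, and remote MXs deferring or refusing them because the sending IP has no reverse DNS or is already on a blocklist. The script below is an added example for triaging such a log; it is not from the original post or from the Postfix project. It parses the `postfix/qmgr` `from=<...>, size=..., nrcpt=...` lines and the `status=deferred (...)` lines, flags queue entries whose sender domain is outside a list of locally hosted domains and that address many recipients at once, and tallies why remote hosts refused delivery. `LOCAL_DOMAINS` is an assumption (the post only says the server is in the .lv zone), and the sample log lines inside the block are constructed in the same format as the post's, not copied from it.

```python
import re
from collections import Counter

# Constructed sample lines in the postfix/qmgr and postfix/smtp log format shown
# in the post. Queue IDs, addresses and hosts are made up (.example names and
# documentation IP ranges), not taken from a real log.
SAMPLE_LOG = """\
May  8 07:32:55 s2 postfix/qmgr[10256]: 71C79104A43: from=<info@bank.example>, size=2453, nrcpt=50 (queue active)
May  8 07:32:55 s2 postfix/qmgr[10256]: 71C79104A43: to=<a@isp.example>, relay=none, delay=73514, delays=73514/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.isp.example[192.0.2.10] refused to talk to me: 550 Reverse DNS lookup failed for host 198.51.100.5.)
May  8 07:32:55 s2 postfix/qmgr[10256]: 7C1C210479C: from=<info@bank.example>, size=2421, nrcpt=50 (queue active)
May  8 07:32:55 s2 postfix/qmgr[10256]: 93DE41049B6: from=<oficina@otherbank.example>, size=3322, nrcpt=50 (queue active)
May  8 07:32:55 s2 postfix/qmgr[10256]: 93DE41049B6: to=<b@cable.example>, relay=none, delay=76076, delays=76076/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.cable.example[192.0.2.20] refused to talk to me: 550-198.51.100.5 blocked by ldapu=rblmx 550 Error - Blocked for abuse.)
May  8 07:32:55 s2 postfix/qmgr[10256]: 72A04104B17: from=<>, size=5258, nrcpt=1 (queue active)
May  8 07:32:56 s2 postfix/smtp[21673]: 1FFFF104B60: to=<maite@shop.example>, relay=none, delay=58192, delays=58190/0.24/0.99/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=shop.example type=MX: Host not found, try again)
May  8 07:32:56 s2 postfix/qmgr[10256]: 2B4D61041AA: from=<admin@example.lv>, size=1200, nrcpt=2 (queue active)
"""

# Assumption: the domains this server legitimately sends mail for. The post only
# says the server is in the .lv zone, so this is a placeholder to replace.
LOCAL_DOMAINS = {"example.lv"}

# qmgr logs one of these per message when it enters the active queue.
QMGR_FROM = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)
# Per-recipient deferral, logged by qmgr (suspended destination) or smtp (fresh attempt).
DEFERRED = re.compile(
    r"postfix/(?:qmgr|smtp)\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>.*"
    r"status=deferred \((?P<reason>.*)\)$"
)

# Ordered: the first matching label wins.
REASON_LABELS = [
    ("no reverse DNS / PTR", re.compile(r"Reverse DNS|PTR record|reverse dns mapping", re.I)),
    ("blocklist / abuse", re.compile(r"blocked by|Blocked for abuse|Access denied", re.I)),
    ("recipient DNS failure", re.compile(r"Host or domain name not found|TEMPORARY DNS FAILURE", re.I)),
    ("connection refused", re.compile(r"Connection refused", re.I)),
]


def classify_reason(reason):
    """Map a deferral reason string to a coarse label; anything unknown is 'other'."""
    for label, pattern in REASON_LABELS:
        if pattern.search(reason):
            return label
    return "other"


def triage(log_text, local_domains=LOCAL_DOMAINS, nrcpt_threshold=10):
    """Summarise a Postfix log for signs of the box being used as a spam source.

    Returns a dict with:
      suspicious      queue ID -> (envelope sender, nrcpt) for messages whose sender
                      domain is not one we host AND that address many recipients at
                      once, which is the shape of an outbound bulk/spam run
      sender_domains  Counter of envelope-sender domains seen in 'queue active' lines
      reasons         Counter of why remote MXs deferred or refused our deliveries
    """
    local = {d.lower() for d in local_domains}
    suspicious = {}
    sender_domains = Counter()
    reasons = Counter()
    for line in log_text.splitlines():
        m = QMGR_FROM.search(line)
        if m:
            sender = m["sender"]
            # from=<> is the null sender used for bounces; count it separately.
            domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else "<bounce>"
            sender_domains[domain] += 1
            nrcpt = int(m["nrcpt"])
            if domain != "<bounce>" and domain not in local and nrcpt >= nrcpt_threshold:
                suspicious[m["qid"]] = (sender, nrcpt)
            continue
        m = DEFERRED.search(line)
        if m:
            reasons[classify_reason(m["reason"])] += 1
    return {"suspicious": suspicious, "sender_domains": sender_domains, "reasons": reasons}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Queue entries that look like a spam run (qid, sender, nrcpt):")
    for qid, (sender, nrcpt) in sorted(result["suspicious"].items()):
        print(f"  {qid}  {sender}  nrcpt={nrcpt}")
    print("Envelope sender domains:", dict(result["sender_domains"]))
    print("Why remote MXs refused us:", dict(result["reasons"]))
```

Point it at the real file with `triage(open("/var/log/maillog").read(), {"yourdomain.lv"})` after filling in the domains the server actually hosts. For each flagged queue ID the next question is how the message got in, and the same log answers it: grep the queue ID back through the log and look for the `postfix/smtpd` `client=host[ip]` line (which carries `sasl_username=` when the client authenticated, pointing at a stolen password) or a `postfix/pickup` `uid=` line (the message was handed to the local sendmail binary, which points at a script or process on the box). `postcat -q <queue-id>` prints the queued message itself, including its Received: headers, if the text of the mail is needed.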