
  #1  
Old 26th August 2006, 15:09
Hagforce (Senior Member)
System attack message from logcheck

Hello...

I got this suspect message from logcheck.
Can anybody tell me what has been going on on my server?

Code:
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Aug 26 00:10:52 www postfix/smtp[28270]: C2E9623E0B4A: to=<asemia@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=5, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 00:27:49 www postfix/smtp[28487]: E7DB623E0CC3: to=<a216nb45@aaron-wright.com>, relay=mail.aaron-wright.com[67.19.105.202], delay=5, status=bounced (host mail.aaron-wright.com[67.19.105.202] said: 550 Appears to be a dictionary attack (in reply to RCPT TO command))
Aug 26 00:40:45 www postfix/smtp[28978]: AD22E23E0CD3: to=<atell@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:10:34 www postfix/smtp[30031]: 8B0B823E0CFF: to=<avari@mikhaela.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:10:44 www postfix/smtp[30019]: 08B6523E0CED: to=<avasis@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=2, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:174:Type=ASN1_PRINTABLE:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=value, Type=X509_NAME_ENTRY:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=issuer, Type=X509_CINF:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509:
Aug 26 01:28:51 www postfix/smtp[30607]: B686923E0BAD: to=<ayano@unidot.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:32:39 www postfix/smtp[30566]: 8105223E0C58: to=<ayoung@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=2, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:52:42 www postfix/smtp[31498]: 564D623E0A13: to=<babicz@unidot.com>, relay=smtp.secureserver.net[64.202.166.12], delay=4, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 02:17:03 www postfix/smtp[32197]: 33A3123E02E1: to=<bakker@unidot.com>, relay=smtp.secureserver.net[64.202.166.12], delay=26, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 02:37:46 www postfix/smtp[413]: 0CB9123E074D: to=<banman@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=13, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:174:Type=ASN1_PRINTABLE:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=value, Type=X509_NAME_ENTRY:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=issuer, Type=X509_CINF:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509:
My server is 85.222.100.138 (well, it isn't; I've changed it for this post).

Thank you for any information on what happened here.
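A triage script for the logcheck excerpt above, added here as an example and not part of the original post: it parses the Postfix smtp bounce lines, counts how often the remote MTA called the traffic an attack, groups bounces by relay, and scores whether the bounced recipients walk the alphabet, which is the trace a dictionary spam run leaves in an outbound queue. The sample lines are a constructed excerpt of the poster's own (already anonymised) report.

```python
import re
from collections import Counter

# Constructed excerpt of the logcheck report quoted in post #1 (the poster's own,
# already anonymised lines); the full report has more lines of the same shape.
SAMPLE_LOG = """\
Aug 26 00:10:52 www postfix/smtp[28270]: C2E9623E0B4A: to=<asemia@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=5, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 00:27:49 www postfix/smtp[28487]: E7DB623E0CC3: to=<a216nb45@aaron-wright.com>, relay=mail.aaron-wright.com[67.19.105.202], delay=5, status=bounced (host mail.aaron-wright.com[67.19.105.202] said: 550 Appears to be a dictionary attack (in reply to RCPT TO command))
Aug 26 00:40:45 www postfix/smtp[28978]: AD22E23E0CD3: to=<atell@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:10:34 www postfix/smtp[30031]: 8B0B823E0CFF: to=<avari@mikhaela.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:174:Type=ASN1_PRINTABLE:
Aug 26 01:28:51 www postfix/smtp[30607]: B686923E0BAD: to=<ayano@unidot.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:52:42 www postfix/smtp[31498]: 564D623E0A13: to=<babicz@unidot.com>, relay=smtp.secureserver.net[64.202.166.12], delay=4, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
"""

BOUNCE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^\[]+)\[[^\]]+\], .*status=bounced \(host .* said: "
    r"(?P<code>\d{3}) (?P<reason>.*?) \(in reply to")

def parse_bounces(log):
    """One dict (qid, rcpt, relay, code, reason) per outbound message the remote MTA refused."""
    return [m.groupdict() for m in map(BOUNCE.search, log.splitlines()) if m]

def alphabetical_ratio(rcpts):
    """Share of consecutive recipient local-parts that are in sorted order.
    A real user's outbound mail rarely walks the alphabet; a dictionary spam
    run does, so a value near 1.0 over many recipients is a strong signal."""
    parts = [r.split("@")[0].lower() for r in rcpts]
    if len(parts) < 2:
        return 0.0
    return sum(a <= b for a, b in zip(parts, parts[1:])) / (len(parts) - 1)

def triage(log):
    bounces = parse_bounces(log)
    return {
        "bounced": len(bounces),
        "called_attack_by_remote": sum("attack" in b["reason"].lower() for b in bounces),
        "per_relay": dict(Counter(b["relay"] for b in bounces)),
        "alphabetical_ratio": alphabetical_ratio([b["rcpt"] for b in bounces]),
        "tls_warnings": sum("TLS library problem" in line for line in log.splitlines()),
        # grep these queue IDs in the full mail.log: the matching smtpd/pickup line
        # shows whether a SASL login or a local process submitted the message
        "queue_ids": [b["qid"] for b in bounces],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The TLS warnings are counted separately because they are a different problem (a remote certificate OpenSSL could not parse) and say nothing about the bounces.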
  #2  
Old 27th August 2006, 18:03
falko (Super Moderator)

Your server seems to be blacklisted. Please make sure it isn't an open relay. Do you see lots of activity in your mail log?
  #3  
Old 27th August 2006, 22:24
Hagforce (Senior Member)

Hi Falko

Thank you for replying.

My server is not an open relay; you have to give a user name and password to send e-mail.

Could it be that someone has broken a user's password?

How do I check if my server is being used for spam, or has been compromised?
  #4  
Old 28th August 2006, 12:02
falko (Super Moderator)

Please check the known blacklists, like sorbs.net.

What's the output of
Code:
postconf -n | grep mynetworks
and
Code:
postconf -d | grep mynetworks
?
  #5  
Old 29th August 2006, 14:04
Hagforce (Senior Member)

Output of "postconf -n | grep mynetworks"

Code:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

Output of "postconf -d | grep mynetworks"

Code:
mynetworks = 127.0.0.0/8 85.222.100.0/24
mynetworks_style = subnet
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
  #6  
Old 29th August 2006, 23:56
pablito (Junior Member)

Are you authorized to use securenet for SMTP? I'd check their FAQ for what they mean by the error.
Is "85.222.100.0/24" representing your internal net and *not* your public IP?

- You could be over quota for outbound SMTP at securenet.
- If you are doing SASL/TLS to the outbound you might have problems with the postfix setup.
- Can you send via another outbound server or directly?
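An added check for the question pablito raises (example code, not from the thread or from Postfix): it parses the postconf lines quoted in post #5 and lists each mynetworks range outside loopback and RFC 1918 space that may relay without SASL, beside a hardened variant. It assumes, as pablito suspects, that 85.222.100.0/24 is the public subnet that mynetworks_style = subnet derived from the server's own interface, not an internal net.

```python
import ipaddress

# Constructed from the postconf output quoted in post #5 (the mynetworks default
# and the explicit smtpd_recipient_restrictions); example code, not Postfix's own.
POSTED_CONF = """\
mynetworks = 127.0.0.0/8 85.222.100.0/24
mynetworks_style = subnet
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
"""

# Hardened variant: only the local host relays unauthenticated (host style is also the default in current Postfix).
HARDENED_CONF = """\
mynetworks = 127.0.0.0/8 [::1]/128
mynetworks_style = host
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
"""

def parse_postconf(text):
    """Turn 'key = value' lines from postconf -n / -d into a dict."""
    conf = {}
    for line in text.splitlines():
        if " = " in line:
            key, value = line.split(" = ", 1)
            conf[key.strip()] = value.strip()
    return conf

def relay_exposure(conf):
    """mynetworks entries that grant unauthenticated relay to addresses outside
    loopback and RFC 1918 space. In smtpd_recipient_restrictions every permit_*
    rule listed before reject_unauth_destination allows relaying."""
    rules = [r.strip() for r in conf.get("smtpd_recipient_restrictions", "").split(",")]
    if "permit_mynetworks" not in rules:
        return []
    if ("reject_unauth_destination" in rules
            and rules.index("permit_mynetworks") > rules.index("reject_unauth_destination")):
        return []
    findings = []
    for entry in conf.get("mynetworks", "").split():
        try:  # Postfix writes IPv6 as [addr]/len; table entries (hash:, cidr:) are skipped
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue
        if net.is_loopback or net.is_private:
            continue
        findings.append(f"{net}: {net.num_addresses} public addresses may relay without SASL")
    return findings

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(name, relay_exposure(parse_postconf(text)) or ["no public relay networks"])
```

Because the postconf -n output in post #5 does not set mynetworks, the -d default shown there is the value in effect.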