HowtoForge Forums > Linux Forums > Server Operation

#1  14th February 2007, 01:07  kyriakos (Member)
smtp connections to nameservers IP

Hello,
The last two days I noticed unusual traffic to my server.
Can someone tell me what all these connections to 88.218.110.178 are?
88.218.110.178 is only set as an A record for ns1. How are smtp connections possible?

My IP addresses are:
88.218.110.178 - 179 for ns1 & ns2 nameservers
88.218.110.180 for mail server and mydomain
88.218.110.181 is a shared IP for some other domains

Thank you

Code:
[root@host1 ~]# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:mysql                     *:*                         LISTEN      2285/mysqld
tcp        0      0 *:sunrpc                    *:*                         LISTEN      2003/portmap
tcp        0      0 *:ndmp                      *:*                         LISTEN      13551/perl
tcp        0      0 *:hosts2-ns                 *:*                         LISTEN      2632/ispconfig_http
tcp        0      0 88.218.110.181:domain       *:*                         LISTEN      21949/named
tcp        0      0 host1.vfxhost.gr:domain     *:*                         LISTEN      21949/named
tcp        0      0 88.218.110.179:domain       *:*                         LISTEN      21949/named
tcp        0      0 88.218.110.178:domain       *:*                         LISTEN      21949/named
tcp        0      0 localhost.localdomai:domain *:*                         LISTEN      21949/named
tcp        0      0 *:squid                     *:*                         LISTEN      332/(squid)
tcp        0      0 *:smtp                      *:*                         LISTEN      32609/master
tcp        0      0 localhost.localdomain:rndc  *:*                         LISTEN      21949/named
tcp        0      0 88.218.110.178:40928        mx1-1.vip.spray.net:smtp    TIME_WAIT   -
tcp        0      0 88.218.110.178:35004        mx2-1.vip.spray.net:smtp    TIME_WAIT   -
tcp        0      0 88.218.110.178:55854        12.102.252.75:smtp          ESTABLISHED 1765/smtp
tcp        0      1 88.218.110.178:37728        webhosting.mminternet.:smtp SYN_SENT    -
tcp        0      1 88.218.110.178:37317        136.sabela.pl:smtp          SYN_SENT    1538/smtp
tcp        0      1 88.218.110.178:35058        smtp1.sandisk.com:smtp      SYN_SENT    1492/smtp
tcp        0      1 88.218.110.178:35004        smtp1.sandisk.com:smtp      SYN_SENT    1867/smtp
tcp        0      0 88.218.110.178:32817        63.137.9.204.srv.globa:smtp TIME_WAIT   -
tcp        0      0 88.218.110.178:34896        mta-v9.mail.vip.mud.ya:smtp ESTABLISHED 1954/smtp
tcp        0      0 88.218.110.178:34889        mta-v9.mail.vip.mud.ya:smtp ESTABLISHED 852/smtp
tcp        0      0 88.218.110.178:45566        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45516        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45520        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45750        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45753        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45796        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0     36 88.218.110.178:45800        mail-3.mminternet.com:smtp  ESTABLISHED 1607/scache
tcp        0      0 88.218.110.178:45789        mail-3.mminternet.com:smtp  ESTABLISHED 1500/smtp
tcp        0      0 88.218.110.178:45621        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45626        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45624        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45598        mail-3.mminternet.com:smtp  TIME_WAIT   -  
tcp        0      0 88.218.110.178:45599        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45686        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45690        mail-3.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:45991        mail-3.mminternet.com:smtp  ESTABLISHED 1759/smtp
tcp        0      0 88.218.110.178:46006        mail-3.mminternet.com:smtp  ESTABLISHED 1539/smtp
tcp        0      0 88.218.110.178:45974        mail-3.mminternet.com:smtp  ESTABLISHED 2007/smtp
tcp        0      0 88.218.110.178:45858        mail-3.mminternet.com:smtp  ESTABLISHED 1545/smtp
tcp        0      0 88.218.110.178:45891        mail-3.mminternet.com:smtp  ESTABLISHED 1494/smtp
tcp        0      1 88.218.110.178:53032        243.54.62.200.hosts.if:smtp SYN_SENT    1533/smtp
tcp        0      1 88.218.110.178:53018        243.54.62.200.hosts.if:smtp SYN_SENT    1501/smtp
tcp        0      0 88.218.110.178:33744        mta-v9.mail.vip.mud.ya:smtp TIME_WAIT   -
tcp        0      0 88.218.110.178:47537        mail.cccusa.net:smtp        TIME_WAIT   -
tcp        0      0 88.218.110.178:42737        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:42743        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:42745        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:42727        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:42729        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0     35 88.218.110.178:42925        mail-1.mminternet.com:smtp  ESTABLISHED 1521/smtp
tcp        0      0 88.218.110.178:42996        mail-1.mminternet.com:smtp  ESTABLISHED 1518/smtp
tcp        0      0 88.218.110.178:42975        mail-1.mminternet.com:smtp  ESTABLISHED 1866/smtp
tcp        0      0 88.218.110.178:42800        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:42868        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0     34 88.218.110.178:42856        mail-1.mminternet.com:smtp  ESTABLISHED 1515/smtp
tcp        0      0 88.218.110.178:42863        mail-1.mminternet.com:smtp  ESTABLISHED 1467/smtp
tcp        0      0 88.218.110.178:42846        mail-1.mminternet.com:smtp  TIME_WAIT   -
tcp        0      0 88.218.110.178:55800        194.158.121.25:smtp         TIME_WAIT   -
tcp        0      0 88.218.110.178:43011        mail-1.mminternet.com:smtp  ESTABLISHED 1536/smtp
tcp        0      0 88.218.110.178:43009        mail-1.mminternet.com:smtp  ESTABLISHED 1468/smtp
tcp        0      0 88.218.110.178:42399        smtp-in.orange.fr:smtp      TIME_WAIT   -
tcp        0      0 88.218.110.178:34524        indignant.cnc.net:smtp      TIME_WAIT   -
tcp        0      0 88.218.110.178:34973        barracuda2.viawest.net:smtp TIME_WAIT   -
tcp        0      0 host1.vfxhost.gr:hosts2-ns  ppp34-141.adsl.forthn:64053 ESTABLISHED 2639/ispconfig_http
tcp        0      0 88.218.110.178:39752        mta-v2.mail.vip.re3.ya:smtp ESTABLISHED 1529/smtp
tcp        0      1 88.218.110.178:49753        venus.dreamam.com:smtp      SYN_SENT    1519/smtp
tcp        0      0 88.218.110.178:43725        ftp.access-bank.com:smtp    TIME_WAIT   -
tcp        0      0 88.218.110.178:43949        ftp.access-bank.com:smtp    TIME_WAIT   -
tcp        0      1 88.218.110.178:51353        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51343        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51388        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51385        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51376        mail-2.mminternet.com:smtp  SYN_SENT    -                         
tcp        0      1 88.218.110.178:51375        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51363        mail-2.mminternet.com:smtp  SYN_SENT    -
tcp        0      1 88.218.110.178:51295        mail-2.mminternet.com:smtp  SYN_SENT    1762/smtp
tcp        0      1 88.218.110.178:51265        mail-2.mminternet.com:smtp  SYN_SENT    1527/smtp
tcp        0      1 88.218.110.178:51250        mail-2.mminternet.com:smtp  SYN_SENT    1610/smtp
tcp        0      1 88.218.110.178:51242        mail-2.mminternet.com:smtp  SYN_SENT    1513/smtp
tcp        0      0 88.218.110.178:39845        mx3.earthlink.net:smtp      ESTABLISHED -
.
.
.
tcp        0      0 *:imaps                     *:*                         LISTEN      2308/dovecot
tcp        0      0 *:pop3s                     *:*                         LISTEN      2308/dovecot
tcp        0      0 *:pop3                      *:*                         LISTEN      2308/dovecot
tcp        0      0 *:imap                      *:*                         LISTEN      2308/dovecot
tcp        0      0 *:http                      *:*                         LISTEN      27621/httpd
tcp        0      0 *:ftp                       *:*                         LISTEN      18290/proftpd: (acc
tcp        0      0 *:ssh                       *:*                         LISTEN      2176/sshd
tcp        0      0 ::1:rndc                    *:*                         LISTEN      21949/named
tcp        0      0 *:https                     *:*                         LISTEN      27621/httpd
tcp        0      0 ::ffff:88.218.110.181:http  livebot-65-54-188-13.:43408 TIME_WAIT   -
tcp        0    888 host1.vfxhost.gr:ssh        ppp34-141.adsl.forthn:64052 ESTABLISHED 2427/2
tcp        0      0 ::ffff:88.218.110.181:http  livebot-65-54-188-13.:43598 TIME_WAIT   -
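The netstat listing above is long enough that the pattern is easy to miss by eye: the outbound connections all leave from the nameserver address, not from the address that is supposed to carry mail. The script below is an added example of mine (not code from the thread or from any tool it mentions) that parses `netstat -tap` output, groups outbound SMTP connections by local source address and TCP state, counts the busiest destinations, and flags any source address that is not on an allow list of addresses that are meant to send mail. The sample is a cut-down copy of the thread's own lines plus one constructed line from 88.218.110.180 and a constructed destination `mx.example.net`; the allow list is an assumption for the demonstration.

```python
"""Summarize outbound SMTP connections from `netstat -tap` output.

Added example, not from the forum thread. It groups connections by local
source address and TCP state so that a host that should not be sending
mail (here the nameserver address) stands out.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in `netstat -tap` format: a cut-down copy of the thread's
# output plus one made-up line from the designated mail address (.180).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:smtp                      *:*                         LISTEN      32609/master
tcp        0      0 88.218.110.178:domain       *:*                         LISTEN      21949/named
tcp        0      0 88.218.110.178:40928        mx1-1.vip.spray.net:smtp    TIME_WAIT   -
tcp        0      1 88.218.110.178:37317        136.sabela.pl:smtp          SYN_SENT    1538/smtp
tcp        0      0 88.218.110.178:45789        mail-3.mminternet.com:smtp  ESTABLISHED 1500/smtp
tcp        0      0 88.218.110.178:45991        mail-3.mminternet.com:smtp  ESTABLISHED 1759/smtp
tcp        0      0 88.218.110.180:51000        mx.example.net:smtp         ESTABLISHED 1800/smtp
tcp        0      0 host1.vfxhost.gr:ssh        ppp34-141.adsl.forthn:64052 ESTABLISHED 2427/2
"""

# One connection line: proto, Recv-Q, Send-Q, local, remote, state, optional program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)(?:\s+(?P<prog>\S.*))?\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6-mapped forms like ::ffff:a.b.c.d:http survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per connection line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lhost, lport = split_endpoint(m.group("local"))
        rhost, rport = split_endpoint(m.group("remote"))
        rows.append({"local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport,
                     "state": m.group("state"),
                     "program": (m.group("prog") or "-").strip()})
    return rows


def outbound_smtp(rows):
    """Connections whose remote port is smtp (25); listeners are excluded."""
    return [r for r in rows
            if r["remote_port"] in ("smtp", "25") and r["state"] != "LISTEN"]


def summarize(rows):
    """Per-source state counts and per-destination totals for outbound SMTP."""
    by_source = defaultdict(Counter)
    by_dest = Counter()
    for r in outbound_smtp(rows):
        by_source[r["local_host"]][r["state"]] += 1
        by_dest[r["remote_host"]] += 1
    return by_source, by_dest


def unexpected_senders(rows, allowed_sources):
    """Local addresses opening SMTP connections that are not on the allow list."""
    by_source, _ = summarize(rows)
    return sorted(src for src in by_source if src not in allowed_sources)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    by_source, by_dest = summarize(rows)
    for src, states in by_source.items():
        print(src, dict(states))
    print("busiest destinations:", by_dest.most_common(3))
    # Assumed allow list: only the mail server address should talk SMTP outbound.
    print("unexpected senders:", unexpected_senders(rows, {"88.218.110.180"}))
```

Run against a live `netstat -tap` (or `ss -tanp`, with the regex adjusted for its column layout) the same grouping tells you, per source address, how many deliveries are in flight (ESTABLISHED), how many are still waiting for a remote to answer (SYN_SENT, typical when remotes start refusing a blacklisted sender) and how many have just closed (TIME_WAIT).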

#2  14th February 2007, 08:31  martinfst (Senior Member)

Looks like somebody is trying to mail bomb you. If the sending IP address/domain is not delivering valid emails, I'd consider firewalling the *.mminternet.com addresses. It's now using your resources. mminternet.com is an (a)DSL provider and I guess they have a zombie botnet in their address space. You can consider contacting them.

#3  14th February 2007, 15:19  kyriakos (Member)

I retrieved a rejected mail today.
It says that my IP address 88.218.110.178 is blacklisted.
How can this have happened? My mail server is not an open relay and I have done everything I know to protect it. Is this issue related to mminternet.com?

This is my /etc/postfix/main.cf (for mail.v f x h o s t.gr)
Can I do something more here to improve security?
Code:
smtpd_helo_required = yes
disable_vrfy_command = yes

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.8/samples
readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
mailbox_command = 

virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names
maximal_queue_lifetime = 2d

#4  14th February 2007, 20:10  falko (Super Moderator)

Please run
Code:
postconf -e 'mynetworks = 127.0.0.0/8'
/etc/init.d/postfix restart
to make sure that only localhost can send without authentication.
Then check if your server is an open relay. If it isn't, contact the maintainer of the blacklist and ask to be removed.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
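The `postconf -e 'mynetworks = 127.0.0.0/8'` advice targets a setting that the main.cf in post #3 never sets at all. On Postfix 2.x (the config names postfix-2.2.8) an unset `mynetworks` is derived from `mynetworks_style`, whose default is `subnet`, so every host on the server's directly attached subnets is trusted by `permit_mynetworks`. The same config also offers SASL AUTH with `smtpd_tls_auth_only = no`. The checker below is an added example of mine, not part of Postfix and not from the thread: it parses main.cf syntax, including the whitespace-indented continuation lines that the thread's `debugger_command` entry uses, and reports the relay-relevant findings. The sample config is a constructed excerpt modelled on the thread's.

```python
"""Check the relay-related settings in a Postfix main.cf.

Added example, not from the thread and not part of Postfix. It parses
main.cf syntax (including whitespace-indented continuation lines) and
reports the parameters that decide who may relay through the server.
"""
import re

# Constructed excerpt modelled on the thread's main.cf: SASL is enabled,
# TLS is optional for AUTH, and mynetworks is not set explicitly.
SAMPLE_MAIN_CF = """\
# Postfix main.cf excerpt (constructed)
smtpd_helo_required = yes
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_unauth_destination
"""

# permit_* entries that may safely precede reject_unauth_destination.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}


def parse_main_cf(text):
    """Return {parameter: value}. A line starting with whitespace continues the previous value."""
    cfg = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:
                cfg[current] = (cfg[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment
        current = name.strip()
        cfg[current] = value.strip()
    return cfg


def restriction_list(value):
    """Split a restriction list on commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def check_relay_policy(cfg):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []

    if "mynetworks" not in cfg:
        # Postfix 2.x derives mynetworks from mynetworks_style, default "subnet":
        # every host on the server's directly attached subnets may relay.
        style = cfg.get("mynetworks_style", "subnet")
        findings.append(f"mynetworks is not set; trust falls back to mynetworks_style={style}")

    restr = restriction_list(cfg.get("smtpd_recipient_restrictions", ""))
    stops = [i for i, tok in enumerate(restr)
             if tok in ("reject_unauth_destination", "defer_unauth_destination")]
    if not stops:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)")
    else:
        for tok in restr[:stops[0]]:
            if tok.startswith("permit") and tok not in SAFE_PERMITS:
                findings.append(f"{tok} precedes reject_unauth_destination and can permit relaying")

    if cfg.get("smtpd_sasl_auth_enable") == "yes" and cfg.get("smtpd_tls_auth_only") != "yes":
        findings.append("SASL AUTH is offered without requiring TLS; credentials may cross the wire in clear")

    return findings


if __name__ == "__main__":
    for finding in check_relay_policy(parse_main_cf(SAMPLE_MAIN_CF)):
        print("-", finding)
```

On the constructed sample the checker reports the missing `mynetworks` and the cleartext AUTH; setting `mynetworks = 127.0.0.0/8` and `smtpd_tls_auth_only = yes` clears both. Feed it `postconf -n` output instead of the file to see the values Postfix actually uses, since `postconf -n` prints every non-default parameter on one line.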

#5  14th February 2007, 22:48  kyriakos (Member)

Hello falko,
I edited the configuration for mynetworks but the problem remains.
Too many smtp connections from different hosts.

I checked the relay here:
http://www.antispam-ufrj.pads.ufrj.b...88.218.110.180

Any good server security how-to?
Thank you

#6  14th February 2007, 23:36  kyriakos (Member)

This is a part of my logs. What is going on?
I am not a spammer!!

Quote:
Feb 15 00:29:25 host1 postfix/qmgr[32746]: 4C9194D08C6: to=<*ddie_villanuevarl@*rols.com>, relay=none, delay=60595, status=deferred (delivery temporarily suspended: connect to mx.lnh.mail.rcn.net[207.172.157.50]: server refused to talk to me: 450 Too many invalid recipients )
Feb 15 00:29:25 host1 postfix/qmgr[32746]: 4275E4ABD9: from=<>, size=3116, nrcpt=1 (queue active)
Feb 15 00:29:25 host1 postfix/smtp[1502]: 4024B4BF5F: host nb-mx-vip1.prodigy.net[207.115.36.20] said: 451 4.7.7 Excessive userid unknowns from 88.218.110.180 (in reply to MAIL FROM command)
Feb 15 00:29:25 host1 postfix/qmgr[32746]: 4275E4ABD9: to=<*hyllis_anovakil@*63.net>, relay=none, delay=70289, status=deferred (delivery temporarily suspended: connect to 163mx.cdn.163.net[202.108.255.224]: server refused to talk to me: 550 Too many invalid recipients )
Feb 15 00:29:25 host1 postfix/qmgr[32746]: 46CB6491A4: from=<>, size=3256, nrcpt=1 (queue active)
Feb 15 00:29:25 host1 postfix/qmgr[32746]: 46CB6491A4: to=<*.sylvester_ig@*b.infoweb.ne.jp>, relay=none, delay=48699, status=deferred (delivery temporarily suspended: connect to mf.infoweb.ne.jp[202.248.238.14]: server refused to talk to me: 421 server busy, please try later )
Feb 15 00:29:25 host1 postfix/qmgr[32746]: 467EF50202A: from=<>, size=3044, nrcpt=1 (queue active)
Feb 15 00:29:25 host1 postfix/qmgr[32746]: 467EF50202A: to=<*artmanhe@*mx.net>, relay=none, delay=71269, status=deferred (delivery temporarily suspended: connect to mx0.gmx.net[213.165.64.100]: server refused to talk to me: 421-4.3.2 {mx068} Too many bad recipients. Are you an address harvester? Try again in 22 hour(s) 3 minute(s) 421 4.3.2 and see( http://www.gmx.net/serverrules ) )
Feb 15 00:29:25 host1 postfix/qmgr[32746]: 4D12B49CF5: from=<>, size=4841, nrcpt=1 (queue active)

EDIT --- I had to shut down postfix until I solve the problem

Last edited by kyriakos; 15th February 2007 at 00:05.

#7  15th February 2007, 18:56  falko (Super Moderator)

Is it possible that one or more of your users have weak passwords that got cracked by spammers?
I think it's a good idea to change all passwords.

The test is ok.

#8  15th February 2007, 19:21  kyriakos (Member)

Quote:
Is it possible that one or more of your users have weak passwords that got cracked by spammers?
I think it's a good idea to change all passwords.
I'm afraid changing all passwords is not possible. Is there any way to find which account is spamming?

Looking at postfix users from webmin I found "shutdown, ftp, apache, daemon..." Is it possible these accounts are being used by hackers?


What is this?
Quote:
Feb 15 20:17:32 host1 postfix/qmgr[20412]: AA9A749FFF: from=<>, size=5748, nrcpt=1 (queue active)
Feb 15 20:17:32 host1 postfix/qmgr[20412]: A26C44C3DB: from=<>, size=5801, nrcpt=1 (queue active)
Feb 15 20:17:32 host1 postfix/qmgr[20412]: AF3FB4A4AB: from=<>, size=4841, nrcpt=1 (queue active)
Feb 15 20:17:32 host1 postfix/qmgr[20412]: A4A6750082E: from=<>, size=2962, nrcpt=1 (queue active)
Feb 15 20:17:32 host1 postfix/qmgr[20412]: A8FEE4B087: from=<>, size=3112, nrcpt=1 (queue active)

Last edited by kyriakos; 15th February 2007 at 19:30.

#9  15th February 2007, 19:32  falko (Super Moderator)

Quote:
Originally Posted by kyriakos
I'm afraid changing all passwords is not possible. Is there any way to find which account is spamming?
Only by looking at the mail log.

Quote:
Originally Posted by kyriakos
Looking at postfix users from webmin I found "shutdown, ftp, apache, daemon..." Is it possible these accounts are being used by hackers?
Please check if your server got hacked: http://www.howtoforge.com/faq/1_38_en.html

#10  15th February 2007, 20:22  kyriakos (Member)

Thanks falko,
No infections found.


Quote:
Only by looking at the mail log.
Logs look like this:
Quote:
Feb 15 21:08:15 host1 postfix/qmgr[22987]: 2B07C49EF5: from=<>, size=4682, nrcpt=1 (queue active)
Feb 15 21:08:15 host1 postfix/smtp[30441]: connect to mx0.gmx.de[213.165.64.100]: server refused to talk to me: 421-4.3.2 {mx096} Too many bad recipients. Are you an address harvester? Try again in 1 hour(s) 16 minute(s) 421 4.3.2 and see( http://www.gmx.net/serverrules ) (port 25)
What is "from=<>"?
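Two questions in this thread, which account is spamming (posts #8 and #9) and what `from=<>` means (post #10), are both answered by the mail log once its lines are joined on the queue id. `from=<>` is the null envelope sender that RFC 5321 reserves for bounces and other delivery status notifications; a queue full of `from=<>` entries means the server is generating non-delivery reports for mail it accepted and could not deliver, which is exactly what the "Too many invalid recipients" rejections above produce. Postfix logs every message under one queue id across several daemons: `smtpd` records the connecting client and, for authenticated submissions, `sasl_username`; `pickup` records the local `uid` for mail handed in through the sendmail command (a script running as the web server would appear here, which covers the "apache, daemon" worry in post #8); `qmgr` records the envelope sender and recipient count. The script below is an added example of mine, not from the thread and not part of Postfix; it merges those lines and counts queued messages per submitting identity. The log excerpt is constructed in Postfix's syslog format with made-up hosts, ids and accounts; only the `from=<>` lines mirror the thread's.

```python
"""Attribute queued mail to a submitting identity from Postfix logs.

Added example, not from the thread. It joins smtpd, pickup and qmgr log
lines on the queue id and reports who injected each message: an
authenticated SASL user, a local uid via the sendmail command, Postfix
itself (null sender, i.e. a bounce), or an unauthenticated client.
"""
import re
from collections import Counter, defaultdict

# Constructed log excerpt in Postfix's syslog format (hosts, ids and
# accounts are made up; the from=<> lines mirror the thread's).
SAMPLE_MAILLOG = """\
Feb 15 20:17:30 host1 postfix/smtpd[1201]: 4C9194D08C6: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=webmaster@example.test
Feb 15 20:17:30 host1 postfix/qmgr[20412]: 4C9194D08C6: from=<webmaster@example.test>, size=3116, nrcpt=45 (queue active)
Feb 15 20:17:31 host1 postfix/smtpd[1202]: 1D7E24B0AA: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=webmaster@example.test
Feb 15 20:17:31 host1 postfix/qmgr[20412]: 1D7E24B0AA: from=<webmaster@example.test>, size=3120, nrcpt=50 (queue active)
Feb 15 20:17:32 host1 postfix/pickup[1300]: 9A1B2C3D4E: uid=48 from=<apache>
Feb 15 20:17:32 host1 postfix/qmgr[20412]: 9A1B2C3D4E: from=<apache@host1.example.test>, size=900, nrcpt=1 (queue active)
Feb 15 20:17:32 host1 postfix/qmgr[20412]: AA9A749FFF: from=<>, size=5748, nrcpt=1 (queue active)
Feb 15 20:17:32 host1 postfix/qmgr[20412]: A26C44C3DB: from=<>, size=5801, nrcpt=1 (queue active)
Feb 15 20:17:32 host1 postfix/qmgr[20412]: AF3FB4A4AB: from=<>, size=4841, nrcpt=1 (queue active)
"""

# Only lines that carry a queue id are of interest here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<daemon>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
# key=value pairs: angle-bracketed addresses, bracketed hosts, or plain tokens.
KV_RE = re.compile(r"(\w+)=(<[^>]*>|\[[^\]]*\]|[^,\s]+)")


def parse_maillog(text):
    """Merge every queue-id line into one record per queue id."""
    records = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect lines carry no queue id
        rec = records[m.group("qid")]
        rec.setdefault("daemons", set()).add(m.group("daemon"))
        for key, value in KV_RE.findall(m.group("rest")):
            if key == "from":
                rec["sender"] = value[1:-1]  # strip <>; "" is the null sender
            elif key in ("sasl_username", "client", "uid", "nrcpt", "size"):
                rec[key] = value
    return dict(records)


def submitters(records):
    """Count queued messages and envelope recipients per submitting identity."""
    counts = Counter()
    recipients = Counter()
    for rec in records.values():
        if "sasl_username" in rec:
            who = "sasl:" + rec["sasl_username"]
        elif "uid" in rec:
            who = "local uid " + rec["uid"]  # handed in via /usr/sbin/sendmail
        elif rec.get("sender") == "":
            who = "null sender (bounce)"  # generated by Postfix itself
        else:
            who = "unauthenticated client " + rec.get("client", "?")
        counts[who] += 1
        recipients[who] += int(rec.get("nrcpt", 0))
    return counts, recipients


if __name__ == "__main__":
    counts, recipients = submitters(parse_maillog(SAMPLE_MAILLOG))
    for who, n in counts.most_common():
        print(f"{n:4d} messages  {recipients[who]:5d} recipients  {who}")
```

A compromised SASL account shows up as one `sasl:` identity with a large recipient total from clients that are not your users' usual networks; a web-shell or injected PHP script shows up as `local uid 48` (or whatever uid the web server runs as) in the `pickup` lines. Either way the log, not the netstat table, names the account to lock.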