Postfix Exploit?

Discussion in 'Server Operation' started by Tastiger, May 13, 2014.

  1. Tastiger

    Tastiger Member

    I am running Ubuntu 12.04 as per the perfect setup found here + webmin, my postfix version is 2.9.6 .

    Yesterday when I was in webmin I noticed a mail queue of some 400 emails as well as some 400+ returned emails to the mailbox web 3.

    web 3 is not an email address that is used - so I'm not certain how mail was sent from that address.

    I have checked web 3 directory and cannot find anything out place in the files and my relay is not open.

    attached message received back :-
    IP address removed

    Delayed Mail Message :-

    /etc/postfix/main.cf :-

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = server1.jones.dhs.org
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = server1.jones.dhs.org, localhost, localhost.localdomain
    relayhost = 
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains = 
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    inet_protocols = all
    smtp_tls_security_level = may
    
    
    Any insights?
     
    Last edited: May 13, 2014
  2. srijan

    srijan New Member HowtoForge Supporter

    Hi

    Please paste your mail.log file.
     
  3. Tastiger

    Tastiger Member

    I am trying to but keep getting

    "The following errors occurred with your submission:

    The message you have entered is too short. Please lengthen your message to at least 10 characters."
     
  4. srijan

    srijan New Member HowtoForge Supporter

    Please paste output of

     
  5. Tastiger

    Tastiger Member

    try it this way... attached as a text file

    last 600 entries from May 10 when things went haywire

    Perhaps you need more?
     

    Attached Files:

  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Hi,

    This is no postfix exploit, just your website "web3 has been hacked and spam emails are send with php. the php script that is sending the emails is mentioned in the mail headers:

    Code:
    X-PHP-Originating-Script: 5006:send.php
    Delete that script and update the cms in that website to fix the issue.
     
  7. Tastiger

    Tastiger Member

    Many thanks - I did look at the directories but missed 2 files hidden in Images
     

Share This Page