System attack message from logcheck

Discussion in 'Server Operation' started by Hagforce, Aug 26, 2006.

  1. Hagforce

    Hagforce New Member

    Hello...

    I got this suspeckt message from logcheck.
    Can anybody tell my what has been going on on my server?.

    Code:
    Active System Attack Alerts
    =-=-=-=-=-=-=-=-=-=-=-=-=-=
    Aug 26 00:10:52 www postfix/smtp[28270]: C2E9623E0B4A: to=<asemia@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=5, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
    Aug 26 00:27:49 www postfix/smtp[28487]: E7DB623E0CC3: to=<a216nb45@aaron-wright.com>, relay=mail.aaron-wright.com[67.19.105.202], delay=5, status=bounced (host mail.aaron-wright.com[67.19.105.202] said: 550 Appears to be a dictionary attack (in reply to RCPT TO command))
    Aug 26 00:40:45 www postfix/smtp[28978]: AD22E23E0CD3: to=<atell@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
    Aug 26 01:10:34 www postfix/smtp[30031]: 8B0B823E0CFF: to=<avari@mikhaela.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
    Aug 26 01:10:44 www postfix/smtp[30019]: 08B6523E0CED: to=<avasis@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=2, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
    Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:174:Type=ASN1_PRINTABLE:
    Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=value, Type=X509_NAME_ENTRY:
    Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
    Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
    Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=issuer, Type=X509_CINF:
    Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509:
    Aug 26 01:28:51 www postfix/smtp[30607]: B686923E0BAD: to=<ayano@unidot.com>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
    Aug 26 01:32:39 www postfix/smtp[30566]: 8105223E0C58: to=<ayoung@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=2, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
    Aug 26 01:52:42 www postfix/smtp[31498]: 564D623E0A13: to=<babicz@unidot.com>, relay=smtp.secureserver.net[64.202.166.12], delay=4, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
    Aug 26 02:17:03 www postfix/smtp[32197]: 33A3123E02E1: to=<bakker@unidot.com>, relay=smtp.secureserver.net[64.202.166.12], delay=26, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
    Aug 26 02:37:46 www postfix/smtp[413]: 0CB9123E074D: to=<banman@cloudcity.com>, relay=smtp.secureserver.net[64.202.166.12], delay=13, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
    Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:174:Type=ASN1_PRINTABLE:
    Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=value, Type=X509_NAME_ENTRY:
    Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
    Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
    Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=issuer, Type=X509_CINF:
    Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509:
    
    My server is 85.222.100.138 (well it is`nt I`ve changed it for this post).

    Thank you for any information on what happend here.
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Your server seems to be blacklisted. Please make sure it isn't an open relay. Do you see lots of activity in your mail log?
     
  3. Hagforce

    Hagforce New Member

    Hi Falco

    Thank you for replying.

    My server is not open for relay, you have to give user name and password to send e-mail.

    Could it be that someone has broken a user password.

    How do I check if my server is used for spam, or have been compromised?.
     
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Please check the known blacklist, like sorbs.net.

    What's the output of
    Code:
    postconf -n | grep mynetworks
    and
    Code:
    postconf -d | grep mynetworks
    ?
     
  5. Hagforce

    Hagforce New Member

    Output of "postconf -n | grep mynetworks"

    Code:
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,rejec                                                                                                                               t_unauth_destination

    Output of "postconf -d | grep mynetworks"

    Code:
    mynetworks = 127.0.0.0/8 85.222.100.0/24
    mynetworks_style = subnet
    parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    
     
  6. pablito

    pablito New Member

    Are you authorized to use securenet for SMTP? I'd check their FAQ for what they mean by the error.
    Is "85.222.100.0/24" representing your internal net and *not* your public IP?

    .You could be over quota for outbound SMTP at securenet.
    . If you are doing SASL/TLS to the outbound you might have problems with the postfix setup.
    . Can you send via another outbound server or directly?
     
  7. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Please run
    Code:
    postconf -e 'mynetworks = 127.0.0.0/8'
    and restart Postfix, otherwise anybody from the 85.222.100.0 subnet can abuse your server for spamming.
     

Share This Page