Detect malicious script or reason creating lots of smtp connection

Question

My VPS was suspended due to lots of SMTP connection(over 2000) per hour. But I am pretty sure none of my script was sending mail. I am using google apps and live service for mail. I have blocked my port 25 using Fuser as mentioned in a SF thread as well as in iptable. I have added a php wrapper to detect php scripts sending mail. But til now I can't detect any.

The log entry look like:

Sep 10 19:24:52 myservername postfix/error[31297]: 698105A75F9F: to=<georgina_taylor@oneofmydomain.com>, relay=none, delay=71958, delays=71958/0.01/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with cfxxx603c2d730000000fb12eaf.pamx1.hotmail.com[65.54.188.78] while sending RCPT TO)

Note I don't have any user called georgina_taylor and there are lots of similar entry with different recipient having @oneofmydomain.com.

All log entries associated with 69810575F9F is as below:

Sep  9 23:25:34 myservername postfix/cleanup[29650]: 698105A75F9F: message-id=<20130909192534.698105A75F9F@myserverhostname>
Sep  9 23:25:34 myservername postfix/bounce[31209]: 0D1495A74808: sender non-delivery notification: 698105A75F9F
Sep  9 23:25:34 myservername postfix/error[31205]: 698105A75F9F: to=<georgina_taylor@oneofmydomain.com>, relay=none, delay=0.1, delays=0.06/0.04/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with cf5ff603c2d73d459329de7fb12eaf.pamx1.hotmail.com[65.54.188.109] while sending RCPT TO)
Sep  9 23:34:51 myservername postfix/error[32597]: 698105A75F9F: to=<georgina_taylor@oneofmydomain.com>, relay=none, delay=557, delays=557/0/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with cf5ff603c2d73d459329de7fb12eaf.pamx1.hotmail.com[65.54.188.78] while sending RCPT TO)
Sep  9 23:44:48 myservername postfix/qmgr[1179]: 698105A75F9F: from=<>, size=3681, nrcpt=1 (queue active)
Sep  9 23:44:48 myservername postfix/smtp[2008]: 698105A75F9F: host cf5ff603c2d73d459329de7fb12eaf.pamx1.hotmail.com[65.54.188.78] said: 421 RP-001 (BAY0-PAMC1-F7) Unfortunately, some messages from myip weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command)
Sep  9 23:44:48 myservername postfix/smtp[2008]: 698105A75F9F: lost connection with cf5ff603c2d73d459329de7fb12eaf.pamx1.hotmail.com[65.54.188.78] while sending RCPT TO
Sep  9 23:44:48 myservername postfix/smtp[2008]: 698105A75F9F: to=<georgina_taylor@oneofmydomain.com>, relay=cf5ff603c2d73d459329de7fb12eaf.pamx1.hotmail.com[65.54.188.109]:25, delay=1154, delays=1154/0.02/0.15/0.01, dsn=4.0.0, status=deferred (host cf5ff603c2d73d459329de7fb12eaf.pamx1.hotmail.com[65.54.188.109] said: 421 RP-001 (BAY0-PAMC2-F8) Unfortunately, some messages from my ip weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))
Sep 10 00:04:55 myservername postfix/qmgr[1179]: 698105A75F9F: from=<>, size=3681, nrcpt=1 (queue active)
Sep 10 00:04:55 myservername postfix/error[2961]: 698105A75F9F: to=<georgina_taylor@oneofmydomain.com>, relay=none, delay=2361, delays=2361/0/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with cf5ff603c2d73d459329de7fb12eaf.pamx1.hotmail.com[65.54.188.109] while sending RCPT TO)

All log entries associated with 0D1495A74808

Sep  8 01:13:36 myserver postfix/qmgr[1177]: 0D1495A74808: from=<georgina_taylor@oneofmydomain>, size=1640, nrcpt=1 (queue active)
Sep  8 01:16:07 myserver postfix/smtp[20152]: 0D1495A74808: to=<miles316@gateway.net>, relay=none, delay=266989, delays=266839/0.12/150/0, dsn=4.4.1, status=deferred (connect to gateway.net[64.12.89.186]:25: Connection timed out)
Sep  8 02:23:58 myserver postfix/qmgr[1177]: 0D1495A74808: from=<georgina_taylor@oneofmydomain>, size=1640, nrcpt=1 (queue active)
Sep  8 02:24:56 myserver postfix/error[1322]: 0D1495A74808: to=<miles316@gateway.net>, relay=none, delay=271119, delays=271061/58/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to gateway.net[64.12.79.57]:25: Connection timed out)
Sep  8 03:32:32 myserver postfix/qmgr[1177]: 0D1495A74808: from=<georgina_taylor@oneofmydomain>, size=1640, nrcpt=1 (queue active)
Sep  8 03:34:33 myserver postfix/error[14116]: 0D1495A74808: to=<miles316@gateway.net>, relay=none, delay=275295, delays=275174/121/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to gateway.net[205.188.101.58]:25: Connection timed out)
Sep  8 04:44:13 myserver postfix/smtp[18671]: 0D1495A74808: to=<miles316@gateway.net>, relay=none, delay=279476, delays=279326/0.02/150/0, dsn=4.4.1, status=deferred (connect to gateway.net[205.188.101.58]:25: Connection timed out)
Sep  8 05:52:11 myserver postfix/qmgr[1177]: 0D1495A74808: from=<georgina_taylor@oneofmydomain>, size=1640, nrcpt=1 (queue active)
Sep  8 05:54:41 myserver postfix/smtp[25035]: 0D1495A74808: to=<miles316@gateway.net>, relay=none, delay=283704, delays=283554/0.02/150/0, dsn=4.4.1, status=deferred (connect to gateway.net[64.12.79.57]:25: Connection timed out)
Sep  8 07:03:55 myserver postfix/smtp[31497]: 0D1495A74808: to=<miles316@gateway.net>, relay=none, delay=287857, delays=287707/0.03/150/0, dsn=4.4.1, status=deferred (connect to gateway.net[64.12.89.186]:25: Connection timed out)

Could you post **ALL** log entries with `698105A75F9F`? [especially lof entries before first external delivery attempt] — AnFi, Sep 11 '13 at 18:12
It's taking a lot of time - I am using this command tail -f maillog | grep 698105A75F9F . Is there any other way to get it. — biztiger, Sep 11 '13 at 19:02
Could you post log entries regarding `0D1495A74808`? `698105A75F9F` seems to be a bounce message triggered by `0D1495A74808`. — AnFi, Sep 12 '13 at 00:34

Daniel Widrick · Answer 1 · 2013-09-12T17:09:56.923

0

The 'last' command will show you recent logins to your server with associated ip addresses. My guess is that someone compromised your password and is running a script to send spam. ps -ef should show a list of running processes on the vps. perhaps there is something that does not belong?

The other common suspect is an insecure mail form on a webpage you host. If your wrapper for mail is working as expected this should be caught with that mechanism.

edited Sep 12 '13 at 17:09

answered Sep 11 '13 at 18:24

Daniel Widrick

3,488
2
13
27

I can't find any other user except me. I can't find any abnormal processes also. Is it safe to post running process in this forum, if yes I will post those. Also note I have now suspended oneofmydomain.com, removed associated live mail service and move all files in a separate directory as a quick temporary measure. – biztiger Sep 11 '13 at 19:08

score 0 · Answer 2 · answered Sep 12 '13 at 07:38

0

I have seen automated PERL scripts running under /tmp doing that kind of damage. See if you can find anything suspicious running under /tmp including files starting with a dot that contain code

answered Sep 12 '13 at 07:38

Angelos Karageorgiou

70
2

No perl script in /tmp. I've checked it. – biztiger Sep 12 '13 at 10:58

Detect malicious script or reason creating lots of smtp connection

2 Answers2