[exim] Hijacked "www" user for sending out spam

Pàgina inicial
Delete this message
Reply to this message
Autor: list1
Data:  
A: exim-users
Assumpte: [exim] Hijacked "www" user for sending out spam
Hello,

It seems like somebody has hijacked "www" user for sending out spam like
there is no tomorrow. You can see a small section of my exim log below or a
little longer at this address: http://www.dnsbureau.com/exim_main.log.txt
I've been looking at various other logs for hours trying to figure out what
was compromised, but there is absolutely no trace of activity like logins
from authenticated or system users via smtp/imap/pop. www is a system
account with no shell access. sshd is shut all the time. I've had some php
forms played with in the past, but that leaves at least one entry in the
http logs accessing the forms in the first place. Email accounts are
authenticated via Mysql wihout exception. www is listed as trusted_users in
exim config. Does that make it inherently unsafe or an open relay? How can
you make a call to a server that leaves no trace anywhere other than exim
log (below). Even log selector set to +all I don't get any extra info that
would reveal how they accessing me. After 2 minutes that I noticed the
activity, I shut the server down and left me with almost 3000 pieces in the
que. The interesting part was that some of the docs were called like
"hdr.21217" instead of the usual "IW9K5R-0008Y1-RA-H" type.





I use some acls to deal with "injections"
------
acl_check_not_smtp

  drop  condition = ${if match {$message_body}\
                        {\N.*\
                        MIME-Version:.*\N}{true}}
        log_message = "Spam MIME-Version: $header_subject: " 


  drop  condition = ${if match {$message_body}\
                        {\N.*\
                        Content-Type:.*\N}{true}}
        log_message = "Spam: Content-Type: $header_subject: "
 ------ 




2006-03-18 10:32:28 IWC664-000E7C-7V <= <> R=IWC664-000E7B-70 U=exim P=local
S=2135
2006-03-18 10:32:28 IWC664-000E7E-8R <= www@??? U=www P=local
S=1484
2006-03-18 10:32:28 IWC664-000E7C-7V ** www@???: Unrouteable
address
2006-03-18 10:32:28 IWC664-000E7C-7V Frozen (delivery error message)
2006-03-18 10:32:28 IWC664-000E7G-9R <= www@??? U=www P=local
S=1468
2006-03-18 10:32:28 IWC664-000E7I-BY <= www@??? U=www P=local
S=1478
2006-03-18 10:32:28 IWC664-000E7K-E4 <= www@??? U=www P=local
S=1458
2006-03-18 10:32:28 IWC664-000E7N-FO <= www@??? U=www P=local
S=1460
2006-03-18 10:32:28 IWC664-000E7P-H4 <= www@??? U=www P=local
S=1480
2006-03-18 10:32:28 IWC664-000E7R-IP <= www@??? U=www P=local
S=1458
2006-03-18 10:32:28 IWC664-000E7T-KA <= www@??? U=www P=local
S=1466
2006-03-18 10:32:28 IWC664-000E7W-ML <= www@??? U=www P=local
S=1456
2006-03-18 10:32:28 IWC664-000E81-OW <= www@??? U=www P=local
S=1466
2006-03-18 10:32:29 IWC665-000E84-02 <= www@??? U=www P=local
S=1446
2006-03-18 10:32:29 IWC665-000E87-26 <= www@??? U=www P=local
S=1490
2006-03-18 10:32:29 IWC665-000E8A-4O <= www@??? U=www P=local
S=1472
2006-03-18 10:32:29 IWC665-000E8C-75 <= www@??? U=www P=local
S=1462
2006-03-18 10:32:29 IWC664-000E7R-IP => 011037p@??? R=dnslookup
T=remote_smtp H=mx3.hotmail.com [65.54.244.72]
2006-03-18 10:32:29 IWC664-000E7R-IP Completed
2006-03-18 10:32:29 IWC665-000E8E-8U <= www@??? U=www P=local
S=1470
2006-03-18 10:32:29 IWC665-000E8C-75 ** 020y@???: Unrouteable
address
2006-03-18 10:32:29 IWC665-000E8I-B5 <= www@??? U=www P=local
S=1472
2006-03-18 10:32:29 IWC665-000E8J-CI <= <> R=IWC665-000E8C-75 U=exim P=local
S=688
2006-03-18 10:32:29 IWC665-000E8C-75 Completed
2006-03-18 10:32:29 IWC665-000E8J-CI ** www@???: Unrouteable
address
2006-03-18 10:32:29 IWC665-000E8J-CI Frozen (delivery error message)
2006-03-18 10:32:29 IWC665-000E8L-EH <= www@??? U=www P=local
S=1458
2006-03-18 10:32:29 IWC665-000E8O-GG <= www@??? U=www P=local
S=1478
2006-03-18 10:32:29 IWC665-000E8R-I2 <= www@??? U=www P=local
S=1472
2006-03-18 10:32:29 IWC665-000E8U-K9 <= www@??? U=www P=local
S=1474
2006-03-18 10:32:29 IWC665-000E8R-I2 ** 0604vifuve@???: Unrouteable
address
2006-03-18 10:32:29 IWC665-000E8W-MB <= www@??? U=www P=local
S=1474
2006-03-18 10:32:29 IWC665-000E8Y-MV <= <> R=IWC665-000E8R-I2 U=exim P=local
S=698
2006-03-18 10:32:29 IWC665-000E8R-I2 Completed
2006-03-18 10:32:29 IWC665-000E91-OE <= www@??? U=www P=local
S=1478
2006-03-18 10:32:29 IWC665-000E8Y-MV ** www@???: Unrouteable
address
2006-03-18 10:32:29 IWC665-000E8Y-MV Frozen (delivery error message)
2006-03-18 10:32:29 IWC665-000E93-PH <= www@??? U=www P=local
S=1460
2006-03-18 10:32:30 IWC665-000E95-RI <= www@??? U=www P=local
S=1462
2006-03-18 10:32:30 IWC666-000E97-1A <= www@??? U=www P=local
S=1458
2006-03-18 10:32:30 IWC665-000E93-PH ** 07g@???: Unrouteable
address
2006-03-18 10:32:30 IWC665-000E95-RI ** 07ubrk@???: an MX or SRV
record indicated no SMTP service
2006-03-18 10:32:30 IWC666-000E9B-2L <= <> R=IWC665-000E95-RI U=exim P=local
S=714
2006-03-18 10:32:30 IWC666-000E9B-2L ** www@???: Unrouteable
address
2006-03-18 10:32:30 IWC666-000E9B-2L Frozen (delivery error message)
2006-03-18 10:32:30 IWC665-000E95-RI Completed