My sendmail has started sending spam; what is causing it to do that? [closed]

3

Today my sendmail service started sending e-mails to various addresses.

/var/spool/mail:

From [email protected]  Fri Jan 30 22:15:30 2015
Return-Path: <[email protected]>
Received: from localhost (localhost)
    by noxcommunity.com (8.13.8/8.13.8) id t0ULFUje031918;
    Fri, 30 Jan 2015 22:15:30 +0100
Date: Fri, 30 Jan 2015 22:15:30 +0100
From: Mail Delivery Subsystem <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="t0ULFUje031918.1422652530/noxcommunity.com"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--t0ULFUje031918.1422652530/noxcommunity.com

The original message was received at Fri, 30 Jan 2015 22:15:30 +0100
from localhost.localdomain [127.0.0.1]
with id t0ULFUje031916

   ----- The following addresses had permanent fatal errors -----
<s@s>
    (reason: 550 Host unknown)

   ----- Transcript of session follows -----
550 5.1.2 <s@s>... Host unknown (Name server: s: host not found)
550 5.1.1 <[email protected]>... User unknown

--t0ULFUje031918.1422652530/noxcommunity.com
Content-Type: message/delivery-status

Reporting-MTA: dns; noxcommunity.com
Received-From-MTA: DNS; localhost.localdomain
Arrival-Date: Fri, 30 Jan 2015 22:15:30 +0100

Final-Recipient: RFC822; s@s
Action: failed
Status: 5.1.2
Remote-MTA: DNS; s
Diagnostic-Code: SMTP; 550 Host unknown
Last-Attempt-Date: Fri, 30 Jan 2015 22:15:30 +0100

--t0ULFUje031918.1422652530/noxcommunity.com
Content-Type: message/rfc822

Return-Path: <[email protected]>
Received: from noxcommunity.com (localhost.localdomain [127.0.0.1])
    by noxcommunity.com (8.13.8/8.13.8) with ESMTP id t0ULFUje031916
    for <s@s>; Fri, 30 Jan 2015 22:15:30 +0100
Received: (from root@localhost)
    by noxcommunity.com (8.13.8/8.13.8/Submit) id t0ULFUNT031915;
    Fri, 30 Jan 2015 22:15:30 +0100
Date: Fri, 30 Jan 2015 22:15:30 +0100
Message-Id: <[email protected]>
To: s@s
Subject: Facebook
X-PHP-Originating-Script: 0:eb.php
From: "[email protected]" <[email protected]>
Content-Type: text/html

<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
<meta http-equiv="Content-Type" content="text/html; charset=unicode">
<meta name="Generator" content="Microsoft SafeHTML"><title>Message body</title><bgsound src="http://email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f&amp;s=a"></bgsound><tablewidth="98%" border="0" cellspacing="0" cellpadding="40"><tbody><tr><td bgcolor="#f7f7f7" width="100%" style="font-family:'lucida grande', tahoma, verdana, arial, sans-serif"><table cellpadding="0" cellspacing="0" border="0" width="620"><tbody><tr><td style="background:#3b5998;color:#FFFFFF;font-weight:bold;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 8px;vertical-align:middle;font-size:16px;letter-spacing:-0.03em;text-align:left"><a style="color:#FFFFFF;text-decoration:none" href="http://goo.gl/QdWtIJ" target="_blank"><span style="color:#FFFFFF">facebook</span></a></td><td style="background:#3b5998;color:#FFFFFF;font-weight:bold;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 8px;vertical-align:middle;font-size:11px;text-align:right"></td></tr><tr><td colspan="2" style="background-color:#FFFFFF;border-bottom:1px solid #3b5998;border-left:1px solid #CCCCCC;border-right:1px solid #CCCCCC;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:15px" valign="top"><table width="100%"><tbody><tr><td width="470px" style="font-size:12px" valign="top" align="left"><div style="margin-bottom:15px;font-size:12px"></div><div style="margin-bottom:15px"><span style="color:#111111;font-size:14px;font-weight:bold;">A friend tagged you in a photo</span></div><div style="margin-bottom:15px"><div style="border-bottom:1px solid #ccc;line-height:5px">&nbsp;</div><br><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="padding:5px"></td></tr><tr><td width="150" style="font-size:11px;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:0px 5px 10px 0px"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td valign="top" style="padding-right:5px"><a 
href="http://goo.gl/QdWtIJ" style="col!
 or:#3b59
98;text-decoration:none" target="_blank"><img style="border:0px none" alt="Chris Thomas" src="https://fbstatic-a.akamaihd.net/rsrc.php/v2/yo/r/UlIqmHJn-SK.gif"width="50" height="50"></a></td><td valign="top"><span style="font-size:11px;color:#999;padding:0px 0px 10px 0px"><span style="font-size:11px;color:#3B5998;font-weight:bold"><a href="http://goo.gl/QdWtIJ" style="color:#3B5998;text-decoration:none;font-size:11px" target="_blank">Chris Thomas</a></span><br></span></td></tr></tbody></table></td></tr></tbody></table><div style="border-bottom:1px solid #ccc;line-height:5px">&nbsp;</div><br></div><div style="margin-bottom:15px">Thanks,<br>
The Facebook Team</div></td><td valign="top" width="150" style="padding-left:15px" align="left"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="padding:10px;background-color:#fff9d7;border-left:1px solid #e2c822;border-right:1px solid #e2c822;border-top:1px solid #e2c822;border-bottom:1px solid #e2c822"><div style="margin-bottom:15px;font-size:12px"></div><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="border-width:1px;border-style:solid;border-color:#3b6e22 #3b6e22 #2c5115;background-color:#69a74e"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="font-size:11px;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 10px 5px;border-top:1px solid #95bf82"><a href="http://goo.gl/QdWtIJ" style="color:#fff;text-decoration:none;font-weight:bold;font-size:13px" target="_blank">View photo</a></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table><br><table cellspacing="0" cellpadding="0" style="border-collapse:collapse;width:100%"><tbody><tr><td style="padding:10px;background-color:#fff9d7;border-left:1px solid #e2c822;border-right:1px solid #e2c822;border-top:1px solid #e2c822;border-bottom:1px solid #e2c822"><div style="font-weight:bold;margin-bottom:2px;font-size:11px">To view this friend profile photo, go to:</div><a href="http://goo.gl/QdWtIJ" style="color:#3b5998;text-decoration:none;font-size:11px" target="_blank">http://www.facebook.com/n/?reqs.php&amp;mid=424e194G221be96cG696b3afG2f&amp;bcode=M6l2wBWw&amp;[email protected]</a></td></tr></tbody></table><span style=""><img src="http://www.facebook.com/email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f"style="border:0;width:1px;height:1px"><bgsound src="http://www.facebook.com/email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f&amp;s=a"></bgsound></span></td></tr><tr><tdcolspan="2" 
style="color:#999999;padding:10px;font-size:12p!
 x;font-f
amily:'lucida grande', tahoma, verdana, arial, sans-serif">If you don't want to receive these emails from Facebook in the future, please follow the link below to unsubscribe.
http://www.facebook.com/o.php?k=7042bb&amp;u=572254572&amp;mid=424e194G221be96cG696b3afG2f
Facebook, Inc. P.O. Box 10005, Palo Alto, CA 94303</td></tr></tbody></table></td></tr></tbody></table>                    </body>
</html>

maillog:

Jan 30 22:15:30 vm2745 sendmail[31911]: t0ULFTv1031911: [email protected], delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=35539, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFTVJ031912 Message accepted for delivery)
Jan 30 22:15:30 vm2745 sendmail[31915]: t0ULFUNT031915: [email protected], size=5525, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31916]: t0ULFUje031916: from=<[email protected]>, size=5760, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 30 22:15:30 vm2745 sendmail[31915]: t0ULFUNT031915: to=s@s, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=35525, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFUje031916 Message accepted for delivery)
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<s@s>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: host not found)
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<[email protected]>, delay=00:00:00, mailer=local, pri=125760, dsn=5.1.1, stat=User unknown
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: t0ULFUje031918: postmaster notify: User unknown
Jan 30 22:15:30 vm2745 sendmail[31914]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031918: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=36970, dsn=2.0.0, stat=Sent
Jan 30 22:15:30 vm2745 sendmail[31919]: t0ULFUFv031919: [email protected], size=5525, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: to=<[email protected]>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125774, relay=gmail-smtp-in.l.google.com. [74.125.136.26], dsn=5.0.0, stat=Service unavailable
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: to=<[email protected]>, delay=00:00:00, mailer=local, pri=125774, dsn=5.1.1, stat=User unknown
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: t0ULFUVJ031914: postmaster notify: User unknown
Jan 30 22:15:30 vm2745 sendmail[31910]: STARTTLS=client, relay=mta5.am0.yahoodns.net., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan 30 22:15:30 vm2745 sendmail[31921]: t0ULFUrk031921: from=<[email protected]>, size=5760, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 30 22:15:31 vm2745 sendmail[31914]: t0ULFUVJ031914: to=root, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=36998, dsn=2.0.0, stat=Sent
Jan 30 22:15:31 vm2745 sendmail[31919]: t0ULFUFv031919: to=s@s, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=35525, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFUrk031921 Message accepted for delivery)
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: to=<s@s>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: host not found)
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: to=<[email protected]>, delay=00:00:01, mailer=local, pri=125760, dsn=5.1.1, stat=User unknown
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: t0ULFVrk031924: postmaster notify: User unknown
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFVrk031924: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=36970, dsn=2.0.0, stat=Sent
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: to=<[email protected]>, delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=125778, relay=mta5.am0.yahoodns.net. [98.138.112.38], dsn=5.0.0, stat=Service unavailable
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: to=<[email protected]>, delay=00:00:04, mailer=local, pri=125778, dsn=5.1.1, stat=User unknown
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: t0ULFX2n031910: postmaster notify: User unknown
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFX2n031910: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=37006, dsn=2.0.0, stat=Sent

And similar e-mails follow one another almost every second.

I am totally baffled by this; what is causing it?

asked IllidanS4 31.01.2015 - 14:27
source

1 answer

3

It looks like your server has been compromised, possibly through a web server running PHP software. The sendmail header contains the following incriminating line:

X-PHP-Originating-Script: 0:eb.php

which indicates that the email is being generated by a PHP script with the file name eb.php. The 0 indicates that the script is run by the root user, which could mean that a cron job is being run to start the script every minute.

The content of the e-mail is a spoof of a Facebook notification:

If you hover the mouse over the link, a shortened URL hosted by Google is displayed, which will probably redirect anyone who received an email from your server to a site hosting malware or phishing for Facebook login details.

Update:

Since the hacker has already obtained root access to your server, deleting the script, even if you manage to find it, would not be of much help because:

  1. a backdoor may already have been installed so that the hacker can come back and undo the recovery operation
  2. processes could be modified to hinder the effort of hunting down the malicious scripts, which are created and destroyed on the fly
  3. there is no way to be sure that your server is 100% disinfected

What you should do is reinstall the server to the latest version and restore the content from the last valid backup. You can find more information on how to handle a compromised server here.

answered 31.01.2015 - 18:01
source
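One way to turn the header the answer points at into a triage check over the mail spool, as an added example that is not part of the question or the answer (the mbox sample, the sender address and the uid 48 "cron_report.php" message are constructed; the "0:eb.php" value is the one from the question):

```python
import email
import re
from collections import Counter

# Constructed sample in the style of the /var/spool/mail dump above: two spoofed
# "Facebook" messages sent by a PHP script running as uid 0 (header value taken
# from the question), plus one legitimate message sent by the web server user.
SAMPLE_MBOX = """From www@mail.example.test  Fri Jan 30 22:15:30 2015
Subject: Facebook
X-PHP-Originating-Script: 0:eb.php

<html>spoofed notification</html>

From www@mail.example.test  Fri Jan 30 22:16:02 2015
Subject: Facebook
X-PHP-Originating-Script: 0:eb.php

<html>spoofed notification</html>

From www@mail.example.test  Fri Jan 30 22:17:11 2015
Subject: Weekly report
X-PHP-Originating-Script: 48:cron_report.php

plain text report
"""

MBOX_FROM_LINE = re.compile(r"^From \S+ .*$", re.M)

def iter_messages(mbox_text):
    """Yield parsed messages from mbox text, splitting on the 'From ' separator lines."""
    starts = [m.start() for m in MBOX_FROM_LINE.finditer(mbox_text)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(mbox_text)
        chunk = mbox_text[start:end].split("\n", 1)  # drop the separator line itself
        yield email.message_from_string(chunk[1] if len(chunk) > 1 else "")

def php_origins(mbox_text):
    """Count (uid, script) pairs from X-PHP-Originating-Script headers.
    PHP adds the header when mail.add_x_header=On; the value is <uid>:<script basename>."""
    counts = Counter()
    for msg in iter_messages(mbox_text):
        value = msg.get("X-PHP-Originating-Script", "")
        uid, sep, script = value.partition(":")
        if sep and uid.strip().isdigit():
            counts[(int(uid), script.strip())] += 1
    return counts

def root_php_senders(mbox_text):
    """Scripts that called mail() as uid 0: a web app never legitimately runs as root,
    so these are the first files to locate on disk and quarantine during triage."""
    return sorted({s for (uid, s) in php_origins(mbox_text) if uid == 0})
```

Setting mail.log in php.ini makes PHP record the full path and line of every mail() call, which the header's bare basename does not give you.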
