SMTP AUTH and compromised user


I recently set up two sendmail servers with SMTP authentication enabled, and within a week and a month respectively both were used to send unsolicited mail via SMTP AUTH. The attackers acted from different IPs and used different users, but only one user per server. At first I thought some malware had scanned the victim's disk and obtained their password, but when it happened the second time I decided that is unlikely now, because the affected user was retired long ago, their mailbox was dropped, the mail archives are probably nonexistent or stored on some abandoned and/or shelved disks; the user existed only in the sasl2 DB.

I dropped the compromised user. I tried sending mail using SMTP AUTH and telnet, and it seems the server does not relay mail with empty or improper SMTP AUTH. I searched for any sendmail or libsasl2 CVEs; both have several, but none recent, and both systems had sendmail and libsasl2 patched at the time of the breach.

So, are there other ways to send mail that I am not aware of? The IP of one of the servers is 128.127.144.4, so you can try it in case you have an idea. Yes, it is probably a bad idea to expose a server affected by some security flaw to a community, but the attackers have already found it and I am still watching its logs.

Here is a typical SMTP session:

egrep '187.111.57.236|w3CJ14gL016656' maillog.0
Apr 13 00:01:04 elf rmilter[1493]: <1002b962b6>; accepted connection from elf.hq.norma.perm.ru; client: 187.111.57.236:40595 ([187.111.57.236])
Apr 13 00:01:07 elf sm-mta[16656]: AUTH=server, relay=[187.111.57.236], authid=alex, mech=PLAIN, bits=0
Apr 13 00:01:10 elf rmilter[1493]: <1002b962b6>; mlfi_data: queue id: <w3CJ14gL016656>
Apr 13 00:01:12 elf opendkim[1961]: w3CJ14gL016656: can't parse From: header value ' alex'
Apr 13 00:01:12 elf sm-mta[16656]: w3CJ14gL016656: from=<alex>, size=334, class=0, nrcpts=1, msgid=<ndshcfz-60v0pd-50@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:12 elf rmilter[1493]: <1002b962b6>; msg done: queue_id: <w3CJ14gL016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:01:14 elf sm-mta[16728]: w3CJ14gL016656: to=<[email protected]>, delay=00:00:05, xdelay=00:00:02, mailer=esmtp, pri=30334, relay=cluster5.eu.messagelabs.com. [85.158.136.83], dsn=5.0.0, stat=Service unavailable
Apr 13 00:01:14 elf sm-mta[16728]: w3CJ14gL016656: w3CJ1EgK016728: DSN: Service unavailable
Apr 13 00:01:18 elf sm-mta[16656]: w3CJ14gN016656: from=<alex>, size=408, class=0, nrcpts=2, msgid=<EDCDCC98-B8B6-F39C-966D-807F6D1EB512@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:26 elf rmilter[1493]: <8c0b950267>; msg done: queue_id: <w3CJ14gN016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:01:32 elf sm-mta[16656]: w3CJ14gP016656: from=<alex>, size=433, class=0, nrcpts=2, msgid=<DF473463.5B8BE96E6707637A@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:35 elf rmilter[1493]: <1e60121bd1>; msg done: queue_id: <w3CJ14gP016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:01:40 elf sm-mta[16656]: w3CJ14gR016656: from=<alex>, size=352, class=0, nrcpts=1, msgid=<5rnocqr-7cbfza-4B@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:40 elf rmilter[1493]: <2566fbec9b>; msg done: queue_id: <w3CJ14gR016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:01:46 elf sm-mta[16656]: w3CJ14gT016656: from=<alex>, size=376, class=0, nrcpts=2, msgid=<nqa3edbggmlregbxzpp6s2gq.1238156633123@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:46 elf rmilter[1493]: <424091d28a>; msg done: queue_id: <w3CJ14gT016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:01:51 elf sm-mta[16656]: w3CJ14gV016656: from=<alex>, size=348, class=0, nrcpts=1, msgid=<g863qm7-nqfvlu-E6@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:59 elf rmilter[1493]: <24f70a9e90>; msg done: queue_id: <w3CJ14gV016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:05 elf sm-mta[16656]: w3CJ14gX016656: from=<alex>, size=387, class=0, nrcpts=2, msgid=<6qf0ejm-9zz62l-D9@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:05 elf rmilter[1493]: <99ffc4b437>; msg done: queue_id: <w3CJ14gX016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:10 elf sm-mta[16656]: w3CJ14gZ016656: from=<alex>, size=408, class=0, nrcpts=1, msgid=<C6AAC86D.0240677@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:10 elf rmilter[1493]: <f77b77d04f>; msg done: queue_id: <w3CJ14gZ016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:15 elf sm-mta[16656]: w3CJ14gb016656: from=<alex>, size=413, class=0, nrcpts=1, msgid=<C51C7275.3715C09DDFEBC27A@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:15 elf rmilter[1493]: <a5da79ba76>; msg done: queue_id: <w3CJ14gb016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:20 elf sm-mta[16656]: w3CJ14gd016656: from=<alex>, size=412, class=0, nrcpts=1, msgid=<A219E6DE-C17F-8C8E-2EED-6C11324F4856@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:26 elf rmilter[1493]: <d299e12ce5>; msg done: queue_id: <w3CJ14gd016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:32 elf sm-mta[16656]: w3CJ14gf016656: from=<alex>, size=459, class=0, nrcpts=2, msgid=<AC390E75-91F7-0748-98FC-08407D78C8D1@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:35 elf rmilter[1493]: <9924362f7a>; msg done: queue_id: <w3CJ14gf016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:41 elf sm-mta[16656]: w3CJ14gh016656: from=<alex>, size=359, class=0, nrcpts=2, msgid=<gxkj6otgb3u7fgog77dl029g.1300223824295@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:41 elf rmilter[1493]: <749b441efb>; msg done: queue_id: <w3CJ14gh016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:46 elf sm-mta[16656]: w3CJ14gj016656: from=<alex>, size=386, class=0, nrcpts=2, msgid=<w0dgjl1-yp38y1-B3@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:47 elf rmilter[1493]: <e8d8dcc43b>; msg done: queue_id: <w3CJ14gj016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:52 elf sm-mta[16656]: w3CJ14gl016656: from=<alex>, size=432, class=0, nrcpts=2, msgid=<32D7901C-5F09-E45D-42CA-ACF50859F4CA@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:56 elf rmilter[1493]: <32f5cc689b>; msg done: queue_id: <w3CJ14gl016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:03:01 elf sm-mta[16656]: w3CJ14gn016656: from=<alex>, size=390, class=0, nrcpts=1, msgid=<18B59E3D-8DE4-7F11-36C1-2135E903A2FB@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:03:08 elf rmilter[1493]: <d74707f221>; msg done: queue_id: <w3CJ14gn016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:03:13 elf sm-mta[16656]: w3CJ14gp016656: from=<alex>, size=343, class=0, nrcpts=1, msgid=<fo2xzb80ox1ljkrotbe28j4i.1151459227245@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:03:14 elf rmilter[1493]: <8dfcbdfa8e>; msg done: queue_id: <w3CJ14gp016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:03:18 elf sm-mta[16656]: w3CJ14gr016656: from=<alex>, size=395, class=0, nrcpts=1, msgid=<A3EB3BE1-8E1A-4345-0E04-CE7600F9B204@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:03:28 elf rmilter[1493]: <7fa30f7963>; msg done: queue_id: <w3CJ14gr016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:04:41 elf sm-mta[16656]: w3CJ14gt016656: collect: unexpected close on connection from [187.111.57.236], sender=<alex>
Apr 13 00:04:41 elf sm-mta[16656]: w3CJ14gt016656: from=<alex>, size=52, class=0, nrcpts=1, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]

Update: it was an outdated roundcube installation.

posted by drookie 14.04.2018 - 09:03
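The log excerpt above is the kind of thing a defender wants to triage automatically. As an added example (not part of the question or the answer), this Python script parses sendmail's AUTH=server and from= lines, ties each submitted message to the authenticated user through the sm-mta process id, and flags the signals visible in this session: a PLAIN/LOGIN login with bits=0 (no TLS layer), a burst of submissions in a short window, and a bare envelope sender with no domain. The sample lines are constructed in the same format, and the window and burst thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the sm-mta format shown in the question (not real log data).
SAMPLE_LOG = """\
Apr 13 00:01:07 elf sm-mta[16656]: AUTH=server, relay=[187.111.57.236], authid=alex, mech=PLAIN, bits=0
Apr 13 00:01:12 elf sm-mta[16656]: w3CJ14gL016656: from=<alex>, size=334, class=0, nrcpts=1, msgid=<a@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:18 elf sm-mta[16656]: w3CJ14gN016656: from=<alex>, size=408, class=0, nrcpts=2, msgid=<b@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:32 elf sm-mta[16656]: w3CJ14gP016656: from=<alex>, size=433, class=0, nrcpts=2, msgid=<c@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 09:15:02 elf sm-mta[20001]: AUTH=server, relay=[10.1.1.7], authid=bob, mech=LOGIN, bits=256
Apr 13 09:15:04 elf sm-mta[20001]: w3D4F2ab020001: from=<bob@example.org>, size=2100, class=0, nrcpts=1, msgid=<d@example.org>, proto=ESMTPA, daemon=elf-as-mta, relay=[10.1.1.7]
"""
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[(\d+)\]: (.*)$")
AUTH_RE = re.compile(r"AUTH=server, relay=\[([\d.]+)\], authid=(\S+), mech=(\S+), bits=(\d+)")
FROM_RE = re.compile(r"from=<([^>]*)>, .*proto=ESMTPA, .*relay=\[([\d.]+)\]")
def analyze(log_text, window=60, burst=3):
    """Per authenticated user: source IPs, peak messages in `window` seconds, and warning flags."""
    pid_user = {}   # sm-mta pid -> user that authenticated in that session
    users = defaultdict(lambda: {"relays": set(), "cleartext": set(), "times": [], "bare": 0})
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, pid, rest = m.groups()
        a = AUTH_RE.search(rest)
        if a:
            relay, user, mech, bits = a.groups()
            pid_user[pid] = user
            users[user]["relays"].add(relay)
            if mech in ("PLAIN", "LOGIN") and bits == "0":   # password sent with no TLS layer
                users[user]["cleartext"].add(mech)
            continue
        f = FROM_RE.search(rest)
        if f and pid in pid_user:                 # proto=ESMTPA: message submitted after AUTH
            sender, relay = f.groups()
            u = users[pid_user[pid]]
            u["times"].append(datetime.strptime(ts, "%b %d %H:%M:%S"))
            u["bare"] += "@" not in sender        # from=<alex>: envelope sender without a domain
    report = {}
    for user, u in users.items():
        t = sorted(u["times"])
        peak, lo = 0, 0
        for hi in range(len(t)):                  # sliding window over submission times
            while (t[hi] - t[lo]).total_seconds() > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        flags = [name for name, hit in (("cleartext-auth", u["cleartext"]), ("burst", peak >= burst),
                                        ("bare-sender", u["bare"])) if hit]
        report[user] = {"relays": sorted(u["relays"]), "msgs": len(t), "peak": peak, "flags": flags}
    return report
```

Run it over the real maillog with analyze(open("maillog.0").read()) and sort users by the number of flags; the rmilter lines are ignored, so the sm-mta lines alone are enough.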

1 answer

$ telnet 128.127.144.4 smtp
Trying 128.127.144.4...
Connected to 128.127.144.4.
Escape character is '^]'.
220 elf.hq.norma.perm.ru ESMTP Sendmail 8.15.2/8.15.2; Sat, 14 Apr 2018 12:16:42 +0500 (YEKT)
ehlo yue
250-elf.hq.norma.perm.ru Hello ip-xxxxxxxxxx.net [58.xxx.xxx.xxx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 100000000
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
quit

You are offering CRAM and DIGEST, which means you are storing passwords in plaintext (or the equivalent) somewhere. Maybe that list was compromised?

You offer LOGIN and PLAIN on unprotected connections; maybe the password was picked up by packet inspection on a compromised router.

Or they might have guessed it; I see a lot of guessing going on.

    
answered 14.04.2018 - 09:27
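As an added example (not from the answer), this Python script turns the EHLO reply quoted above into the same findings the answer raises: PLAIN and LOGIN offered before STARTTLS, and CRAM-MD5/DIGEST-MD5 implying a plaintext-equivalent secret store on the server. The audit_live helper applies the same check over the network to a server you administer; its host and port arguments are assumptions.

```python
import smtplib

# Abridged copy of the EHLO reply the answer pasted, as returned before STARTTLS.
EHLO_BEFORE_TLS = """\
250-elf.hq.norma.perm.ru Hello ip-xxxxxxxxxx.net [58.xxx.xxx.xxx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
250 HELP"""

PASSIVE_WEAK = {"PLAIN", "LOGIN"}            # credential readable by anyone who sees the packets
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5"}   # server must hold a plaintext-equivalent secret

def parse_ehlo(reply):
    """Turn a pasted EHLO reply into {keyword: params}, the shape smtplib's esmtp_features uses."""
    feats = {}
    for line in reply.splitlines()[1:]:      # first line is the greeting, not an extension
        parts = line[4:].split(None, 1)      # drop the "250-" / "250 " prefix
        feats[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return feats

def audit(feats_plain, feats_tls=None):
    """Findings for the extensions offered on the cleartext connection (and after STARTTLS, if given)."""
    findings = []
    pre = {m.upper() for m in feats_plain.get("auth", "").split()}
    if pre & PASSIVE_WEAK:
        findings.append("plaintext-mechs-before-tls: " + ", ".join(sorted(pre & PASSIVE_WEAK)))
    if pre & SHARED_SECRET:
        findings.append("shared-secret-mechs: " + ", ".join(sorted(pre & SHARED_SECRET)))
    if "starttls" not in feats_plain:
        findings.append("no-starttls")
    if feats_tls is not None and not feats_tls.get("auth", "").split():
        findings.append("no-auth-after-tls")
    return findings

def audit_live(host, port=25, timeout=10):
    """Same audit against a server you administer; not run here because it needs the network."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        plain = dict(s.esmtp_features)       # keys are lower-case keywords, e.g. "auth"
        tls = None
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()                         # extensions can change once TLS is up
            tls = dict(s.esmtp_features)
    return audit(plain, tls)
```

On sendmail, the p flag in confAUTH_OPTIONS (described in the cf/README shipped with sendmail) withholds PLAIN and LOGIN until a security layer such as TLS is active, which clears the first finding.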
