Mail Server Hacker Attack SMTP Relay Mail Queue Overload Paypal Phishing

Help!

I've been doing everything I can think of over the last 48 hours to try to stop a Mail Server attack against a malicious hacker / cracker who has found a way to load up thousands of eBay & Paypal Phishing emails into my Mail Queue with successful execution of hundreds of them before I caught the attack.

Luckily, I have a backup server for incidents like this, but I would much rather use my main server as my Mail Server. I have completely turned off Mail Service on this one for the time being until I find out how to stop my Mail Queue being loaded up from 2a.m. to 6a.m. with this crap.

How can the hacker execute sending mail through a www user? I have every encryption possible loaded up into the Mail Server, including...
No SMTP Relay
CRAM-MD5 SMTP Authentication

How can these messages be going out through an unauthenticated www user?

I have read all of the related threads:
http://discussions.apple.com/thread.jspa?messageID=1486643&#1486643

I've searched my /var/tmp folder, however I don't see any suspicious files that would make me believe there is a trojan on my server.

Here is an SMTP log example:
Mar 21 13:12:57 www postfix/smtpd[2197]: connect from localhost[127.0.0.1]
Mar 21 13:12:57 www postfix/pickup[4873]: 0AFA7761FB2: uid=70 from=<www>
Mar 21 13:12:57 www postfix/cleanup[4562]: 0AFA7761FB2: message-id=<1307466449.1525@ebay.com>?
Mar 21 13:12:57 www postfix/qmgr[79]: 0AFA7761FB2: from=<www@www.MYSERVER.com>, size=37567, nrcpt=1 (queue active)
Mar 21 13:12:57 www postfix/pickup[4873]: 0F82A761FB3: uid=70 from=<www>
Mar 21 13:12:57 www postfix/cleanup[4942]: 0F82A761FB3: message-id=<1307466449.1511@ebay.com>?
Mar 21 13:12:57 www postfix/qmgr[79]: 0F82A761FB3: from=<www@www.MYSERVER.com>, size=37564, nrcpt=1 (queue active)
From this, they have loaded up the Mail Queue, and then go on to execute:
(earlier in the morning when the mails were actually being executed before I caught it)
Mar 21 07:01:27 www postfix/smtpd[21912]: 1CAAC74A7F7: client=omr-m06.mx.aol.com[64.12.138.18]
Mar 21 07:01:27 www postfix/smtp[21838]: 38F9D713AA9: to=<olav@eggendata.no>, relay=127.0.0.1[127.0.0.1], delay=14389, status=sent (250 2.6.0 Ok, id=21896-03, from MTA: 250 Ok: queued as E4F0674A7F3)
Mar 21 07:01:27 www postfix/qmgr[26107]: 38F9D713AA9: removed
Mar 21 07:01:27 www postfix/smtpd[21819]: connect from omr-m09.mx.aol.com[64.12.138.21]
Mar 21 07:01:27 www postfix/smtp[17655]: 7D17A6FD15A: to=<kekepania71@aol.com>, relay=mailin-04.mx.aol.com[64.12.138.152], delay=17174, status=sent (250 OK)
Mar 21 07:01:27 www postfix/qmgr[26107]: 7D17A6FD15A: removed
Mar 21 07:01:27 www postfix/smtpd[21819]: 4D04974A7F8: client=omr-m09.mx.aol.com[64.12.138.21]
Mar 21 07:01:27 www postfix/cleanup[21843]: 1CAAC74A7F7: message-id=<200603211301.IAC15100@rly-xm02.mx.aol.com>
Mar 21 07:01:27 www postfix/qmgr[26107]: 1CAAC74A7F7: from=, size=3994, nrcpt=1 (queue active)
Mar 21 07:01:27 www postfix/smtp[21710]: 7CC9873C83E: to=<ofcweb@netscape.net>, relay=mailin-03.mx.netscape.net[205.188.158.25], delay=3231, status=sent (250 OK)
Mar 21 07:01:27 www postfix/smtpd[21912]: disconnect from omr-m06.mx.aol.com[64.12.138.18]
Mar 21 07:01:27 www postfix/qmgr[26107]: 7CC9873C83E: removed
How is this guy able to relay through my localhost [127.0.0.1] without authenticating through the CRAM-MD5 process?

Am I missing something totally simple here?? I won't be offended.

Thanks for any help in advance.


G5 Dual 2Ghz Mac OS X (10.4.5) OSX Server

Posted on Mar 22, 2006 12:18 AM

11 replies
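The pickup lines in the first log excerpt are the key evidence: the messages enter Postfix locally (sendmail/postdrop) from uid 70, the www account the web server runs as, rather than through smtpd, so no SMTP authentication is ever consulted. As an added example that is not from the thread, here is a small Python triage script that pulls those local submissions out of a mail.log, flags any uid submitting in bursts, and lists queue ids whose Message-ID claims a domain the server does not host; the sample log lines are constructed after the ones in the post, with MYSERVER.com standing in for the real hostname.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the pickup/cleanup/qmgr lines in the post
# (the third submission, from uid 501, is an ordinary user message for contrast).
SAMPLE_LOG = """\
Mar 21 13:12:57 www postfix/pickup[4873]: 0AFA7761FB2: uid=70 from=<www>
Mar 21 13:12:57 www postfix/cleanup[4562]: 0AFA7761FB2: message-id=<1307466449.1525@ebay.com>
Mar 21 13:12:57 www postfix/qmgr[79]: 0AFA7761FB2: from=<www@www.MYSERVER.com>, size=37567, nrcpt=1 (queue active)
Mar 21 13:12:57 www postfix/pickup[4873]: 0F82A761FB3: uid=70 from=<www>
Mar 21 13:12:57 www postfix/cleanup[4942]: 0F82A761FB3: message-id=<1307466449.1511@ebay.com>
Mar 21 13:12:57 www postfix/qmgr[79]: 0F82A761FB3: from=<www@www.MYSERVER.com>, size=37564, nrcpt=1 (queue active)
Mar 21 13:13:02 www postfix/pickup[4873]: 1A2B3C4D5E6: uid=501 from=<justin>
Mar 21 13:13:02 www postfix/cleanup[4942]: 1A2B3C4D5E6: message-id=<20060321131302.77@www.MYSERVER.com>
"""

# pickup logs every message handed in locally; the submitting uid is the key field.
PICKUP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d):\d\d \S+ postfix/pickup\[\d+\]: "
                    r"(\w+): uid=(\d+) from=<([^>]*)>")
CLEANUP = re.compile(r"postfix/cleanup\[\d+\]: (\w+): message-id=<[^@>]*@([^>]+)>")


def parse_pickup_submissions(log_text):
    """Map queue id -> details of every locally submitted message."""
    msgs = {}
    for line in log_text.splitlines():
        m = PICKUP.search(line)
        if m:
            minute, qid, uid, sender = m.groups()
            msgs[qid] = {"minute": minute, "uid": int(uid), "from": sender,
                         "msgid_domain": None}
            continue
        m = CLEANUP.search(line)
        if m and m.group(1) in msgs:  # join the Message-ID to its pickup record
            msgs[m.group(1)]["msgid_domain"] = m.group(2).lower()
    return msgs


def find_bursts(msgs, threshold):
    """(uid, minute) pairs that submitted at least `threshold` messages in that minute."""
    counts = Counter((m["uid"], m["minute"]) for m in msgs.values())
    return {key: n for key, n in counts.items() if n >= threshold}


def spoofed_msgid_domains(msgs, local_domains):
    """Queue ids whose Message-ID claims a domain this server does not host."""
    local = {d.lower() for d in local_domains}
    return sorted(q for q, m in msgs.items()
                  if m["msgid_domain"] and m["msgid_domain"] not in local)
```

Run against a real mail.log, a threshold of a few dozen per minute for uid 70 is the signal to look for; the matching queue ids can then be tied back to Apache's access log by timestamp to find the script that submitted them.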

Mar 22, 2006 12:51 AM in response to Justin Spence

Possible reasons:
-Any user account that has been compromised (as in password known to the outside)
-Any unsafe CGI script residing on your machine (AWStats pre-6.4 comes to mind).
-A Windows PC user infected with a Worm
-Somebody from the inside
-And probably a few more.

To tell you whether your security settings are OK, you need to post the unmodified output of postconf -n

Alex

Mar 22, 2006 3:09 AM in response to Justin Spence

Is SSH enabled through your firewall? Have a look in your secure.logs for brute force attempts to find simple passwords. If attempted, there will be screeds of automated attempts for all sorts of common user names. You may have to change the permissions on the secure.log files to read them in the console.

Similarly, the mail.logs should show attempts to do brute force hacks on your SMTP authentication although the SSH gate seems to be preferred.

-david

Mar 22, 2006 3:37 AM in response to Justin Spence

"-Any user account that has been compromised (as in password known to the outside)"

We did just fire an individual from our company, but we deleted his entire account on the server and he has no way of getting in. And I haven't seen any suspicious activity of him trying to log in anywhere. PLUS, a few of the hacker's Phishing emails were returned to me due to bad email addresses. I followed the link to where Paypal phishing email is directing its victims:

http://gillian-rolton.com/www.paypal.com/cgi-bin/webscr.php?cmd=_login-run

Looks like these guys have already caught the abuse.

"-A Windows PC user infected with a Worm"
We don't have any PC's on our Network. Mac only.

"Is SSH enabled through your firewall?"

SSH is not enabled in the firewall. It's not enabled at all for the server, nor for any clients on the network. I'm stumped.

Yes, I was hovering over my mail.log all day yesterday, actually watching the ******* load up my Mail Queue while I had the "Hold Outgoing Mail" option enforced. He was loading 1,000 emails a second to my Mail Queue while I sat there and watched him and tried to catch it from every log available. He is totally hidden from the system.log, mail.log, fw.log - couldn't find him. Had to delete over 30,000 emails in my Mail Queue.

Need some help Apple. I really don't want to do a reinstall. I completely loathe having to reload software.

Mar 22, 2006 4:12 AM in response to Justin Spence

Please note: If you want help from an Apple employee, you need to get on the phone with them. I only say this so that you understand what will and can happen here. "Apple Discussions is a user-to-user support forum"
http://discussions.apple.com/help.jspa


Having said that, Pterobyte has already covered the likely avenues of attack.
Please do post your postfix config (postconf -n) as asked.

Mar 22, 2006 11:18 AM in response to Justin Spence

I'm in the process of scrubbing my php sites. I have a few set up, like phpBB2, gallery, & phpMyAdmin. My config.php files are secure, but now you're making me feel like they might have been jeopardized with access to MySQL password.

Don't have any cgi scripts set up. Is there something in the regular OS installation I should be worried about?

No user has the ability to change their password in squirrelmail.

postconf:

command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = localhost
local_recipient_maps =
luser_relay = admin
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 20971520
mydestination = $myhostname,localhost.$mydomain,www.volitionstudios.com,mail.volitionstudios.com,volitionstudios.com,www.justinspence.com,mail.justinspence.com,justinspence.com,www.droptosellit.com,mail.droptosellit.com,droptosellit.com,www.volition.tv,mail.volition.tv,volition.tv
mydomain = volitionstudios.com
mydomain_fallback = localhost
myhostname = www.volitionstudios.com
mynetworks = 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = hash:/etc/postfix/smtpdreject permit_mynetworks reject_rbl_client sbl-xbl.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_pw_server_security_options = login
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/certificates/Default.crt
smtpd_tls_key_file = /etc/certificates/Default.key
smtpd_use_pw_server = yes
smtpd_use_tls = no
unknown_local_recipient_reject_code = 550

G5 Dual 2Ghz Mac OS X (10.4.5) Server

Mar 22, 2006 11:40 AM in response to Justin Spence

"I'm in the process of scrubbing my php sites. I have a few set up, like phpBB2, gallery, & phpMyAdmin."

phpBB2 had lots of security issues. Check your version against security bulletins and the phpBB site.
phpMyAdmin should be at least behind an http realm (actually any kind of admin only application shouldn't rely only on mySQL login, but on http access control as well).

"My config.php files are secure, but now you're making me feel like they might have been jeopardized with access to MySQL password."

If you feel your MySQL password(s) got out you should sure investigate that and immediately change them all. Especially since you use phpMyAdmin as well.

"Don't have any cgi scripts set up. Is there something in the regular OS installation I should be worried about?"

Not in a standard installation. But add-ons like AWstats do.

postconf:

Your postfix configuration is OK-ish (as far as this problem is concerned, but you should read a little more into hardening it).

Don't think your problem is anybody sending from the outside, but rather from "inside" of your server. Localhost (127.0.0.1) is free to send without authentication (which is usually a standard and normal setting). By inside I don't mean any actual user of yours, but rather any kind of malign script sitting on your server (which is "localhost").

Now, without being physically accessing your server it is hard to tell what happened exactly. My gut feeling though is that some script (be it php/cgi/whatever) got planted on your server through either any of your php/cgi apps, ssh or anybody on the inside.

Alex

P.S. If it actually is a script that got planted on your machine, you should try and locate it, to eradicate it. Since you seem to have gotten bounces, you could try and "grep" files for the information contained in the sent phishing mails.

Mar 22, 2006 10:09 PM in response to Justin Spence

This is a recent excerpt from my system.log:

Mar 22 22:14:17 www DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: justin.
Mar 22 22:27:43 www sudo: root : TTY=unknown ; PWD=/ ; USER=cyrusimap ; COMMAND=/usr/bin/cyrus/bin/cyrus-quota -r


It appears as if someone is trying to log into my through my DirectoryService. Is this correct?

"Your postfix configuration is OK-ish (as far as this problem is concerned, but you should read a little more into hardening it)."


I'm in the process of doing this now and learning more on how.

"Localhost (127.0.0.1) is free to send without authentication (which is usually a standard and normal setting). By inside I don't mean any actual user of yours, but rather any kind of malign script sitting on your server (which is "localhost")."


Is there a way to change this? A way to make Localhost 127.0.0.1 have to authenticate like everyone else?

"You could try and "grep" files for the information contained in the sent phishing mails. "


Are you talking about the headers in the email? I searched these over as well, but only came up with information that the emails are being sent from my IP address and my Server name. What is a "grep" file?

"One thing that sticks out to me is your "mynetworks" variable. This controls what can relay. Your is set to 127.0.0.0/8. It should be, I think, 127.0.0.1/32. This would mean only the server can relay. "


I definitely agree that this was worrisome and have narrowed it to 127.0.0.1/32. However, if the hacker or script has access inside to send from localhost, I doubt this will stop the attack - but a good call nonetheless.

Thanks for your help!

Mar 22, 2006 11:25 PM in response to Justin Spence

"It appears as if someone is trying to log into my through my DirectoryService. Is this correct?"

Looks like, but could be you just as well (mistyping password while sudoing, etc.)

"Is there a way to change this? A way to make Localhost 127.0.0.1 have to authenticate like everyone else?"

No (well yes, but more hassle than gain), and there should be no need if everything else is properly secured.

"You could try and "grep" files for the information contained in the sent phishing mails."

"Are you talking about the headers in the email? I searched these over as well, but only came up with information that the emails are being sent from my IP address and my Server name. What is a "grep" file?"

No. If it actually is coming from a script already on your machine, it will rely on some text file containing the mail addresses to send itself to. So by searching for those addresses inside files on your machine you may get lucky and find the script.
grep is a program for powerful searches.
Open terminal and type "man grep" for instructions.

"One thing that sticks out to me is your "mynetworks" variable. This controls what can relay. Your is set to 127.0.0.0/8. It should be, I think, 127.0.0.1/32. This would mean only the server can relay."

Should be /32, but is irrelevant
