
Hacked?

I have my server set up as a mail server just for our internal emails throughout my department (only 7 email accounts). Today one of the users had over 2300 emails in his inbox, all were bounced back to him saying that he sent it. They were all a typical phishing email, asking the user to click here to update their information for a bank type of scheme. I shut down the mail service, but as soon as I start it back up, the mail.log file starts going crazy. I know very very little about email server type stuff, so I don't really know where to look to find out exactly what is going on. Here is just a random selection of the mail.log file so you have an idea:


Jan 25 09:37:07 xserve postfix/cleanup[24724]: 3BDBC1A2F3C: message-id=<20070125153530.3BDBC1A2F3C@xserve.edit.oma>
Jan 25 09:37:07 xserve postfix/qmgr[114]: CC6DE1969F3: from=<curt@xserve.edit.oma>, size=1402, nrcpt=1 (queue active)
Jan 25 09:37:07 xserve postfix/pipe[25222]: C3C3718C4CE: to=<curt@xserve.edit.oma>, relay=cyrus, delay=3314, status=sent (xserve.edit.oma)
Jan 25 09:37:07 xserve postfix/qmgr[114]: C3C3718C4CE: removed
Jan 25 09:37:08 xserve postfix/qmgr[114]: 3E8C918C029: removed
Jan 25 09:37:08 xserve postfix/qmgr[114]: 3E128192EB8: removed
Jan 25 09:37:08 xserve postfix/qmgr[114]: CC7671A1E0C: from=<curt@xserve.edit.oma>, size=1405, nrcpt=1 (queue active)
Jan 25 09:37:09 xserve postfix/smtp[15262]: 3DCC9192161: host orngca-01.mgw.rr.com[66.75.160.136] refused to talk to me: 421 #4.4.5 Too many connections to this host.
Jan 25 09:37:09 xserve postfix/qmgr[114]: CC7A518F411: from=<curt@xserve.edit.oma>, size=1397, nrcpt=1 (queue active)
Jan 25 09:37:09 xserve postfix/smtp[20106]: 7A2E9138513: to=<chris.coffin@insightbb.com>, relay=gateway.insightbb.com[74.128.0.19], delay=11175, status=deferred (host gateway.insightbb.com[74.128.0.19] said: 452 Too many recipients received this hour (in reply to RCPT TO command))
Jan 25 09:37:09 xserve postfix/cleanup[24939]: 474961A2F45: message-id=<20070125153707.474961A2F45@xserve.edit.oma>
Jan 25 09:37:09 xserve postfix/cleanup[25254]: 6CFAB1A2F49: message-id=<20070125153709.6CFAB1A2F49@xserve.edit.oma>
Jan 25 09:37:09 xserve postfix/cleanup[25369]: 575D71A2F46: message-id=<20070125153707.575D71A2F46@xserve.edit.oma>
Jan 25 09:37:09 xserve postfix/pipe[25482]: C3C5718A27A: to=<curt@xserve.edit.oma>, relay=cyrus, delay=3632, status=sent (xserve.edit.oma)
Jan 25 09:37:09 xserve postfix/qmgr[114]: CC7EE195660: from=<>, size=3457, nrcpt=1 (queue active)
Jan 25 09:37:09 xserve postfix/qmgr[114]: 3E91C191519: removed
Jan 25 09:37:09 xserve postfix/pickup[21037]: 61C7E1A2F47: uid=1027 from=<curt>
Jan 25 09:37:09 xserve postfix/cleanup[25032]: 61C7E1A2F47: message-id=<20070125153323.61C7E1A2F47@xserve.edit.oma>
Jan 25 09:37:09 xserve postfix/smtp[18301]: 3E752185856: to=<janet_loeffler@acco.com>, relay=mailgate.acco.com[216.143.30.97], delay=4395, status=bounced (host mailgate.acco.com[216.143.30.97] said: 550 <janet_loeffler@acco.com>: Recipient address rejected: User unknown in relay recipient table (in reply to RCPT TO command))
Jan 25 09:37:09 xserve postfix/qmgr[114]: C3C5718A27A: removed
Jan 25 09:37:09 xserve postfix/qmgr[114]: CC836193B75: from=<curt@xserve.edit.oma>, size=1403, nrcpt=1 (queue active)
Jan 25 09:37:09 xserve postfix/pickup[21037]: CE4151A2F4E: uid=1027 from=<curt>
Jan 25 09:37:10 xserve postfix/cleanup[24724]: CE4151A2F4E: message-id=<20070125153332.CE4151A2F4E@xserve.edit.oma>
Jan 25 09:37:10 xserve postfix/qmgr[114]: 3EA7A19318F: removed
Jan 25 09:37:10 xserve postfix/qmgr[114]: 3DC9318DA40: removed
Jan 25 09:37:10 xserve postfix/smtp[19500]: 3DF511885D4: to=<glen@glentodd.net>, relay=mx1.mailhop.org[63.208.196.176], delay=3992, status=bounced (host mx1.mailhop.org[63.208.196.176] said: 550 Sender verify failed (in reply to MAIL FROM command))
Jan 25 09:37:10 xserve postfix/smtp[11235]: 3EC7C18B9FA: to=<RKCKSYST@aol.com>, relay=mailin-04.mx.aol.com[64.12.138.89], delay=3516, status=bounced (host mailin-04.mx.aol.com[64.12.138.89] said: 550 REQUESTED ACTION NOT TAKEN: DNS FAILURE (in reply to MAIL FROM command))
Jan 25 09:37:10 xserve postfix/cleanup[24939]: 6D3751A2F55: message-id=<20070125153710.6D3751A2F55@xserve.edit.oma>
Jan 25 09:37:10 xserve postfix/qmgr[114]: CC84F18EADE: from=<curt@xserve.edit.oma>, size=1401, nrcpt=1 (queue active)
Jan 25 09:37:10 xserve postfix/qmgr[114]: CC84F18EADE: to=<gregc2@bellsouth.net>, relay=none, delay=3530, status=deferred (delivery temporarily suspended: connect to mx01.mail.bellsouth.net[205.152.58.33]: Connection refused)
Jan 25 09:37:10 xserve postfix/pickup[21037]: 6DFBC1A2F56: uid=1027 from=<curt>
Jan 25 09:37:10 xserve postfix/cleanup[25254]: 6DFBC1A2F56: message-id=<20070125153352.6DFBC1A2F56@xserve.edit.oma>
Jan 25 09:37:10 xserve postfix/smtp[4649]: 7A52216AC5A: to=<dylanjosh@merseymail.com>, relay=mail.merseymail.com[193.110.243.35], delay=6797, status=deferred (host mail.merseymail.com[193.110.243.35] refused to talk to me: 421 argon.connect.org.uk: Too much load; please try again later)
Jan 25 09:37:10 xserve postfix/smtp[20318]: 1B11118DC8E: to=<bradfel@yahoo.com>, relay=d.mx.mail.yahoo.com[216.39.53.2], delay=3282, status=deferred (host d.mx.mail.yahoo.com[216.39.53.2] refused to talk to me: 421 Message from (68.15.230.226) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html)
Jan 25 09:37:10 xserve postfix/qmgr[114]: 3E752185856: removed
Jan 25 09:37:10 xserve postfix/pickup[21037]: C5D871A2F5D: uid=1027 from=<curt>
Jan 25 09:37:10 xserve postfix/cleanup[25369]: C5D871A2F5D: message-id=<20070125153550.C5D871A2F5D@xserve.edit.oma>
Jan 25 09:37:10 xserve postfix/pipe[25222]: C3CCA185DF2: to=<curt@xserve.edit.oma>, relay=cyrus, delay=4214, status=sent (xserve.edit.oma)
Jan 25 09:37:10 xserve postfix/qmgr[114]: CC8591A07BE: from=<>, size=3258, nrcpt=1 (queue active)
Jan 25 09:37:11 xserve postfix/smtp[14797]: 3DD101898F3: to=<jeschure@hargray.com>, relay=hargray.com.infoave.mail1.psmtp.com[64.18.4.10], delay=3893, status=sent (250 Thanks)
Jan 25 09:37:11 xserve postfix/qmgr[114]: C3CCA185DF2: removed
Jan 25 09:37:11 xserve postfix/qmgr[114]: 3DD101898F3: removed
Jan 25 09:37:11 xserve postfix/cleanup[25032]: D473A1A2F60: message-id=<20070125153710.D473A1A2F60@xserve.edit.oma>
Jan 25 09:37:11 xserve postfix/smtp[21451]: 3E6F718E940: to=<rentals@carolinabeachrealty.net>, relay=carolinabeachrealty.net[70.87.126.130], delay=3234, status=bounced (host carolinabeachrealty.net[70.87.126.130] said: 550-Verification failed for <curt@xserve.edit.oma> 550-unrouteable mail domain "xserve.edit.oma" 550 Sender verify failed (in reply to RCPT TO command))
Jan 25 09:37:11 xserve postfix/smtp[21331]: 3C6BA190AD5: to=<mbattag2@nycap.rr.com>, relay=clmboh-02.mgw.rr.com[65.24.7.15], delay=2999, status=bounced (host clmboh-02.mgw.rr.com[65.24.7.15] said: 553 #5.1.8 Domain of sender address <curt@xserve.edit.oma> does not exist (in reply to MAIL FROM command))
Jan 25 09:37:11 xserve postfix/pipe[25482]: C3D4517F99D: to=<curt@xserve.edit.oma>, relay=cyrus, delay=4943, status=sent (xserve.edit.oma)
Jan 25 09:37:11 xserve postfix/qmgr[114]: CC87018E8EB: from=<curt@xserve.edit.oma>, size=1402, nrcpt=1 (queue active)
Jan 25 09:37:11 xserve postfix/qmgr[114]: C3D4517F99D: removed
Jan 25 09:37:11 xserve postfix/smtp[20198]: 3DFE018E19B: to=<Kenya@dgrguns.com>, relay=addr-mx01.addr.com[38.113.244.145], delay=3333, status=bounced (host addr-mx01.addr.com[38.113.244.145] said: 553 5.1.8 <curt@xserve.edit.oma>... Domain of sender address curt@xserve.edit.oma does not exist (in reply to MAIL FROM command))
Jan 25 09:37:11 xserve postfix/smtp[19532]: 3EC27185A19: to=<mwland@fuse.net>, relay=mx3.fuse.net[216.68.8.213], delay=4397, status=bounced (host mx3.fuse.net[216.68.8.213] said: 553 xserve.edit.oma does not exist (in reply to end of DATA command))
Jan 25 09:37:11 xserve postfix/smtp[19457]: connect to bellsoputh.net[212.227.34.3]: Connection refused (port 25)
Jan 25 09:37:11 xserve postfix/qmgr[114]: 3EC7C18B9FA: removed
Jan 25 09:37:11 xserve postfix/smtp[19457]: 3EE0018AF5E: to=<PRose1103@bellsoputh.net>, relay=none, delay=3636, status=deferred (connect to bellsoputh.net[212.227.34.3]: Connection refused)
Jan 25 09:37:11 xserve postfix/smtp[20621]: 7770211B171: host desperate.cnchost.com[207.155.253.190] said: 450 <curt@xserve.edit.oma>: Sender address rejected: Domain not found (in reply to RCPT TO command)
Jan 25 09:37:11 xserve postfix/qmgr[114]: CC8861902D1: from=<curt@xserve.edit.oma>, size=1402, nrcpt=1 (queue active)
Jan 25 09:37:12 xserve postfix/cleanup[24724]: E09E31A2F6E: message-id=<20070125153710.E09E31A2F6E@xserve.edit.oma>
Jan 25 09:37:12 xserve postfix/cleanup[25032]: 3FF301A2F71: message-id=<20070125153712.3FF301A2F71@xserve.edit.oma>
Jan 25 09:37:12 xserve postfix/cleanup[25254]: 3FBA01A2F70: message-id=<20070125153712.3FBA01A2F70@xserve.edit.oma>
Jan 25 09:37:12 xserve postfix/qmgr[114]: CC89B19B678: from=<>, size=3356, nrcpt=1 (queue active)
Jan 25 09:37:12 xserve postfix/cleanup[25369]: 41C211A2F73: message-id=<20070125153712.41C211A2F73@xserve.edit.oma>
Jan 25 09:37:12 xserve postfix/pickup[21037]: 404E21A2F72: uid=1027 from=<curt>
Jan 25 09:37:12 xserve postfix/cleanup[24939]: 404E21A2F72: message-id=<20070125153358.404E21A2F72@xserve.edit.oma>
Jan 25 09:37:12 xserve postfix/qmgr[114]: 42FDBFFE78: from=<curt@xserve.edit.oma>, size=1391, nrcpt=1 (queue active)
Jan 25 09:37:12 xserve postfix/qmgr[114]: 3DF511885D4: removed
Jan 25 09:37:12 xserve postfix/qmgr[114]: 3DFE018E19B: removed
Jan 25 09:37:12 xserve postfix/qmgr[114]: 3E6F718E940: removed
Jan 25 09:37:13 xserve postfix/qmgr[114]: 3EC27185A19: removed
Jan 25 09:37:13 xserve postfix/pipe[25222]: C3D99185D1D: to=<curt@xserve.edit.oma>, relay=cyrus, delay=4224, status=sent (xserve.edit.oma)
Jan 25 09:37:13 xserve postfix/pickup[21037]: 7A22C1A2F7A: uid=1027 from=<curt>
Jan 25 09:37:13 xserve postfix/cleanup[25032]: 7A22C1A2F7A: message-id=<20070125153315.7A22C1A2F7A@xserve.edit.oma>
Jan 25 09:37:13 xserve postfix/smtp[29658]: 3EE7B1884AB: to=<smwhitson@cox.net>, relay=mx.east.cox.net[68.1.17.3], delay=4022, status=bounced (host mx.east.cox.net[68.1.17.3] said: 550 <curt@xserve.edit.oma> sender rejected (in reply to MAIL FROM command))
Jan 25 09:37:13 xserve postfix/qmgr[114]: CC8A61A253B: from=<curt@xserve.edit.oma>, size=1400, nrcpt=1 (queue active)
Jan 25 09:37:13 xserve postfix/qmgr[114]: C3D99185D1D: removed
Jan 25 09:37:13 xserve postfix/pickup[21037]: AEBE21A2F82: uid=1027 from=<curt>
Jan 25 09:37:13 xserve postfix/cleanup[25254]: AEBE21A2F82: message-id=<20070125153351.AEBE21A2F82@xserve.edit.oma>
Jan 25 09:37:13 xserve postfix/qmgr[114]: CC8AC199C39: from=<curt@xserve.edit.oma>, size=1395, nrcpt=1 (queue active)
Jan 25 09:37:13 xserve postfix/cleanup[25369]: B789C1A2F83: message-id=<20070125153713.B789C1A2F83@xserve.edit.oma>






And here is the contents of the email that was being sent:


From: MAILER-DAEMON@xserve.edit.oma (Mail Delivery System)
Date: January 25, 2007 7:58:02 AM CST
To: curt@xserve.edit.oma
Subject: Undelivered Mail Returned to Sender

This is the Postfix program at host xserve.edit.oma.

I'm sorry to have to inform you that your message could not be
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The Postfix program

<edited forpost@aol.com>: host mailin-01.mx.aol.com[205.188.156.185] said: 550
REQUESTED ACTION NOT TAKEN: DNS FAILURE (in reply to MAIL FROM command)
Reporting-MTA: dns; xserve.edit.oma
X-Postfix-Queue-ID: 103D81570CF
X-Postfix-Sender: rfc822; curt@xserve.edit.oma
Arrival-Date: Thu, 25 Jan 2007 07:15:45 -0600 (CST)

Final-Recipient: rfc822; edited forpost@aol.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mailin-01.mx.aol.com[205.188.156.185] said:
550 REQUESTED ACTION NOT TAKEN: DNS FAILURE (in reply to MAIL FROM command)

From: service101@bankofamerica.com <service101@bankofamerica.com>
Date: January 25, 2007 7:15:45 AM CST
To: edited forpost@aol.com
Subject: Bank of America Service Please Update Your Profile - Personal Information Error



Dear Bank of America Customer,


During our regularly scheduled account maintenance and verification procedures,
we have detected a slight error in your account information.
To securely confirm your personal information please click on the link bellow:

http://www.bankofamerica.com/sas/sitekey/profile/step1.htm

Confirm Your Bank of America Account and SiteKey now to enjoy the benefits of
online banking and finance to avoid identity theft and fraudulent activities on
your account.

Note: We will be upgrading our yearly SSL EncryptedServer to prevent fraudulent
activity.

© 2007 Bank of America Corporation. All rights reserved.





If you need more of the log or another log please let me know. So I have a few questions:

1) What exactly is going on? Is my server some type of zombie machine sending out emails?

2) I have port 25 blocked on my firewall - doesn't this mean my computer can't be an open relay?

3) How can I stop it?

Any help would be greatly appreciated.

Quad G5, Mac OS X (10.4.8)

Posted on Jan 25, 2007 9:47 AM

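As an added example (my own code, not anything from this thread, from Apple or from the Postfix project), here is a small Python triage of the kind of mail.log extract posted above. Two things in that extract bear on question 1: every message enters the queue through lines like `postfix/pickup[21037]: ...: uid=1027 from=<curt>`, which is how Postfix logs mail handed in locally by the sendmail(1)/postdrop command on the server itself (the uid is that of the process which ran it), and there are no `postfix/smtpd ... client=` lines, which is how mail arriving over SMTP from another machine is logged. The `postfix/smtp` deliveries to MX hosts on public addresses bear on question 2 for outbound traffic. The sample lines below are constructed in the shape of the posted log, with RFC 5737 documentation addresses and shortened recipients; the queue IDs are illustrative, and the second sample adds an smtpd submission, which the posted extract does not contain, purely for contrast.

```python
"""Triage a Postfix mail.log extract: did mail enter the queue locally
(sendmail/postdrop -> pickup) or over SMTP (smtpd), and did the server
reach hosts outside the LAN on port 25?

Added example, not part of the original thread. Sample lines are
constructed in the shape of the posted extract (RFC 5737 addresses,
shortened recipients, illustrative queue IDs).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample shaped like the posted extract: only "pickup" submissions.
SAMPLE_PICKUP_LOG = """\
Jan 25 09:37:09 xserve postfix/pickup[21037]: 61C7E1A2F47: uid=1027 from=<curt>
Jan 25 09:37:09 xserve postfix/cleanup[25032]: 61C7E1A2F47: message-id=<20070125153323.61C7E1A2F47@xserve.edit.oma>
Jan 25 09:37:09 xserve postfix/qmgr[114]: 61C7E1A2F47: from=<curt@xserve.edit.oma>, size=1402, nrcpt=1 (queue active)
Jan 25 09:37:09 xserve postfix/smtp[18301]: 61C7E1A2F47: to=<janet@example.com>, relay=mx.example.com[192.0.2.10], delay=4395, status=bounced (host mx.example.com[192.0.2.10] said: 550 Sender verify failed (in reply to MAIL FROM command))
Jan 25 09:37:10 xserve postfix/pickup[21037]: CE4151A2F4E: uid=1027 from=<curt>
Jan 25 09:37:10 xserve postfix/smtp[20318]: CE4151A2F4E: to=<brad@example.org>, relay=mx.example.org[198.51.100.5], delay=3282, status=deferred (host mx.example.org[198.51.100.5] refused to talk to me: 421 Too many connections)
Jan 25 09:37:10 xserve postfix/pickup[21037]: 6DFBC1A2F56: uid=1027 from=<curt>
Jan 25 09:37:11 xserve postfix/smtp[19457]: 6DFBC1A2F56: to=<rose@example.net>, relay=none, delay=3636, status=deferred (connect to example.net[203.0.113.3]: Connection refused)
Jan 25 09:37:11 xserve postfix/qmgr[114]: 9C1A01A2F99: from=<>, size=3457, nrcpt=1 (queue active)
Jan 25 09:37:11 xserve postfix/pipe[25222]: 9C1A01A2F99: to=<curt@xserve.edit.oma>, relay=cyrus, delay=3314, status=sent (xserve.edit.oma)
"""

# Constructed contrast (NOT in the posted extract): a submission over SMTP,
# which smtpd logs with a client= line before the queue ID.
SAMPLE_SMTPD_LOG = """\
Jan 25 09:40:00 xserve postfix/smtpd[30001]: connect from unknown[192.168.2.77]
Jan 25 09:40:00 xserve postfix/smtpd[30001]: 7A52216AC5A: client=unknown[192.168.2.77]
Jan 25 09:40:00 xserve postfix/qmgr[114]: 7A52216AC5A: from=<curt@xserve.edit.oma>, size=1390, nrcpt=1 (queue active)
Jan 25 09:40:01 xserve postfix/smtp[4649]: 7A52216AC5A: to=<dylan@example.com>, relay=mx.example.com[192.0.2.10], delay=1, status=sent (250 ok)
"""

# Addresses treated as "inside": loopback plus the RFC 1918 ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>\w+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>\S+)")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")
BRACKET_IP_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")


def triage(log_text):
    """Count how mail entered the queue and where the smtp client took it."""
    local = Counter()    # (uid, claimed sender): a process on this box ran sendmail(1)
    network = Counter()  # smtpd client host[ip]: an SMTP client handed the mail in
    status = Counter()   # outbound delivery statuses (sent / bounced / deferred)
    outside = set()      # relay IPs outside LAN_NETS: proof outbound port 25 is open
    for line in log_text.splitlines():
        if m := PICKUP_RE.search(line):
            local[(int(m["uid"]), m["sender"])] += 1
        elif m := SMTPD_RE.search(line):
            network[m["client"]] += 1
        elif m := SMTP_RE.search(line):
            status[m["status"]] += 1
            ip = BRACKET_IP_RE.search(m["relay"])  # relay=none carries no address
            if ip:
                addr = ipaddress.ip_address(ip["ip"])
                if not any(addr in net for net in LAN_NETS):
                    outside.add(str(addr))
    return {"local": local, "network": network, "status": status,
            "outside": sorted(outside)}


def verdict(t):
    """Answer the post's questions: where does the mail come from, and is
    port 25 really blocked?"""
    if t["local"] and not t["network"]:
        (uid, sender), n = t["local"].most_common(1)[0]
        origin = (f"local: {n} messages submitted through sendmail(1)/postdrop by uid {uid} "
                  f"claiming from=<{sender}>; look for a process on this server running as uid {uid}")
    elif t["network"] and not t["local"]:
        client, n = t["network"].most_common(1)[0]
        origin = f"network: {n} messages submitted over SMTP by {client}; examine that host"
    elif t["local"] or t["network"]:
        origin = "mixed: both local and SMTP submissions; follow each path"
    else:
        origin = "no submissions in this extract (only queue activity)"
    if t["outside"]:
        port25 = (f"smtp client reached {len(t['outside'])} host(s) outside the LAN "
                  f"({', '.join(t['outside'])}): outbound port 25 is NOT blocked")
    else:
        port25 = "no deliveries to hosts outside the LAN in this extract"
    return origin, port25


if __name__ == "__main__":
    for name, log in (("pickup-only", SAMPLE_PICKUP_LOG), ("smtpd", SAMPLE_SMTPD_LOG)):
        t = triage(log)
        print(name, dict(t["status"]), *verdict(t), sep="\n  ")
```

Against a real file, `triage(open("/var/log/mail.log").read())` gives the same counters. The pickup uid is the lead worth following: it identifies the account under which something on the server itself keeps calling sendmail, so the search belongs on the server's process list for that uid rather than on the SMTP clients, and the queue backlog (`postqueue -p`) is what keeps the log busy after a restart even once the injecting process is gone.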

Jan 25, 2007 10:11 AM in response to pterobyte

xserve:~ brent$ postconf -n
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = localhost
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 0
mydomain = xserve.edit.oma
mydomain_fallback = localhost
myhostname = xserve.edit.oma
mynetworks = 127.0.0.1/32,192.168.1.200/32,192.168.2.1/32
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_tls_key_file =
unknown_local_recipient_reject_code = 550
xserve:~ brent$

Jan 25, 2007 10:16 AM in response to Brent Hilgenkamp

Brent,

1. I agree with pterobyte - it looks like your server needs to be checked. You should also check Curt's machine thoroughly.

Is this a straight Mac network or is it mixed?

Is your network set up for remote access to desktops - does Curt, for example work remotely from home? If so, you'll need to secure the outside machines used for remote access to your network, as well.

What does your traffic sniffer tell you about the origin of the emails?

2. Not necessarily, but from your log snippets it looks like an inside job.

3. Stop postfix and have a pro fix your configuration and clean your network.
(You could experiment with a technology called "memos" for intraoffice traffic. I've heard that it can be effective. - Wink, wink, nudge, nudge...)

-Wayne

Jan 25, 2007 10:33 AM in response to Brent Hilgenkamp

Brent,

Although I believe the messages come from the inside, your configuration is wide open and should be tightened.

You say you blocked port 25 at the firewall level. Your logs say you didn't. Postfix communicates on port 25. Since there are obvious signs of communication with the outside in your logs, this equates to port 25 not being shut.

As far as whose PC it may be.... Curt sort of sticks out in your logs 😉 (unless this is faked as well). If not look at your mail.log. It should be all in there.

And.. as Wayne said. Shut your mail server down until you sort it or get help in getting it sorted.

Alex

P.S. @Simon: There is no generic answer to that.

Jan 25, 2007 10:35 AM in response to ParentalUnit

I am more experienced with Windows machines and know what to look for if something like this happens. What do I need to look for on Curt's machine? Will it be a process that seems out of the ordinary? I had him log out and the emails kept coming or going depending on how you look at it. Should I have him completely shut down his machine to see if it still happens?

The network is somewhat mixed, but all of the Macs access the OS X server for directory information, internet gateway, files, etc. and all of the windows machines access the Windows server for directory information and file access, but any machine on both networks can talk to each other.

There are a few employees who access the Windows server through remote desktop, but Curt is not one of them.

I do not have a packet sniffer installed right now. I will do this to see where the origin is.

Do you have more info on this memos application? A quick google search gave me a lot of wrong hits.

Jan 25, 2007 10:40 AM in response to Brent Hilgenkamp

I am more experienced with Windows machines and know what to look for if something like this happens. What do I need to look for on Curt's machine?


I'd think it's probably something a virus and spyware scanner will be able to find.

Will it be a process that seems out of the ordinary? I had him log out and the emails kept coming or going depending on how you look at it.

Are you sure these weren't messages that were already in the queue?

Should I have him completely shut down his machine to see if it still happens?


If you don't expect anything important to be in your mail queue, shut down Curt's machine for a moment and delete the queue.
To do so issue "sudo postsuper -d ALL"
That will make it easier to trace things.

Jan 25, 2007 10:40 AM in response to pterobyte

I should clarify about the port blocking. The server itself has its firewall completely open. I will change this. But the router I use between the internet and the network here has port 25 blocked, as does my ISP. I used the Shield's Up test from grc.com to check, and even opening port 25 on my router firewall, it still said it was stealth.

Jan 25, 2007 10:45 AM in response to Brent Hilgenkamp

I should clarify about the port blocking. The server itself has its firewall completely open. I will change this. But the router I use between the internet and the network here has port 25 blocked, as does my ISP. I used the Shield's Up test from grc.com to check, and even opening port 25 on my router firewall, it still said it was stealth.


Just look at the log extract in your first post. It's full of IP numbers your server talked to. Unless those are all your IPs (this is a purely rhetorical question), your server is communicating to the outside world on port 25. No doubt whatsoever.

Jan 25, 2007 10:54 AM in response to Brent Hilgenkamp

If port 25 is properly blocked, no! That's the purpose of blocking ports.

Once again, your port is open, whether you believe it or not 😉

Check your firewall and make sure it is blocked in BOTH directions for your OS X mail server.

Since you are not using your OS X mail server for outgoing mail, you probably use another server or have your clients connect to an outside server, so make sure those machines can get past port 25 if needed.

Jan 25, 2007 10:57 AM in response to Brent Hilgenkamp

Brent,

Do you know how to check for rootkits?
Yes, you should look for unknown startup processes and anonymous processes.
And, yes, you should have him shut down completely.
Unplug his machine from the network and happy hunting.

-Wayne

The "memo" technology has many implementations. Most of them are either useless or counterproductive (much like email and IM). The most highly developed and dangerous form of this technology was developed for the Department of Defense, and is implemented as a regulation (as opposed to field manual form). For the US Army, the full implementation of the "memo" technology is found in AR 25-50 which has, ironically, been released for public use (like the internet).
