postfix mail server infected ?
trafdev
trafdev at mail.ru
Sat Nov 24 18:08:27 UTC 2012
Hi. I've a dedicated stand-alone FreeBSD server:
> uname -a
FreeBSD trafd-website-freebsd 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0:
Tue Jun 12 02:52:29 UTC 2012
root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
The server has one external interface (re0) with IP 206.239.112.241 and
a postfix service installed on port 25.
Yesterday I noticed a huge amount of emails being sent out:
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37230]: connect from
f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73F7D1365D:
from=<wkktxh at f116.sd.com>, size=1211, nrcpt=10 (queue active)
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37366]: 75ECA134F2:
to=<reco.motos at yahoo.com.br>, relay=none, delay=25715,
delays=25715/0.02/0/0.12, dsn=4.7.0, status=deferred (delivery
temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused
to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
temporarily deferred due to user complaints - 4.16.55.1; see
http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37368]: 794A911711:
to=<tayd at yahoo.com.br>, relay=none, delay=29716,
delays=29716/0.05/0/0.05, dsn=4.7.0, status=deferred (delivery
temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused
to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
temporarily deferred due to user complaints - 4.16.55.1; see
http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36699]: E559512F49:
to=<luziarodrigues757 at terra.com.br>,
relay=vip-us-br-mx.terra.com[208.84.244.133]:25, delay=26077,
delays=26075/1/0.59/0.31, dsn=4.7.1, status=deferred (host
vip-us-br-mx.terra.com[208.84.244.133] said: 450 4.7.1 You've exceeded
your sending limit to this domain. (in reply to end of DATA command))
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37370]: 7C45D18E5D:
to=<a925er at yahoo.com.br>, relay=none, delay=6984,
delays=6984/0.02/0/0.04, dsn=4.7.0, status=deferred (delivery
temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused
to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
temporarily deferred due to user complaints - 4.16.55.1; see
http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73E8118E53:
from=<t9zir at f116.sd.com>, size=1143, nrcpt=10 (queue active)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413:
client=f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37367]: 74A511A5BF:
to=<duscherer1 at yahoo.com.br>, relay=none, delay=5587,
delays=5587/0/0/0.18, dsn=4.7.0, status=deferred (delivery temporarily
suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to
me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred
due to user complaints - 4.16.55.1; see
http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36698]: E7898134D0:
to=<gvfg at terra.com.br>, relay=vip-us-br-mx.terra.com[208.84.244.133]:25,
conn_use=4, delay=25728, delays=25726/1.1/0.06/0.4, dsn=4.7.1,
status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] said: 450
4.7.1 You've exceeded your sending limit to this domain. (in reply to
end of DATA command))
Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36226]: 7BE421F989:
to=<elc.moura at bol.com.br>, relay=mx3.bol.com.br[200.147.36.13]:25,
delay=339, delays=339/0/0.49/0.24, dsn=4.7.1, status=deferred (host
mx3.bol.com.br[200.147.36.13] said: 450 4.7.1 <elc.moura at bol.com.br>:
Recipient address rejected: MX-BOL-04 - Too many messages, try again
later. (in reply to RCPT TO command))
Here f116.sd.com[206.239.112.241] is the IP and hostname assigned to the
external interface (re0).
Due to the "permit_mynetworks" policy enabled in the postfix conf, mail was
being sent out without authentication. However, all externally connected
clients were rejected, which is the proper and expected behavior:
Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from
a2-starfury4.uol.com.br[200.147.33.227]
Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: NOQUEUE:
reject: RCPT from a2-starfury4.uol.com.br[200.147.33.227]: 550 5.1.1
<pehw at f116.sd.com>: Recipient address rejected: User unknown in virtual
mailbox table; from=<> to=<pehw at f116.sd.com> proto=ESMTP
helo=<mx.uol.com.br>
Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: disconnect
from a2-starfury4.uol.com.br[200.147.33.227]
Then I tried:
$cmd 001 deny all from any to me dst-port 25 in via re0
$cmd 002 deny all from any to me dst-port 25 out via re0
and cleaned the local mail queue with
postsuper -d ALL
This didn't change anything - the server continued to send a huge amount
of emails.
However, restrictions on lo0:
$cmd 001 deny all from any to me dst-port 25 in via lo0
$cmd 002 deny all from any to me dst-port 25 out via lo0
did the trick - the emailing stopped. So in fact the problem is solved, but
the real reason wasn't found.
I launched clamav and f-prot scans - nothing suspicious was found.
The main question I have is: how is it possible on a stand-alone dedicated
server - who is connecting on behalf of its own external IP, and how, using
the local interface to send emails? Is this possible to do from outside, or
was the server infected from inside?
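The log excerpts above already contain the answer to the poster's question, and a short triage script makes it visible. Every accepted submission (the smtpd "client=" lines) comes from 206.239.112.241, the server's own address, while outside clients are rejected. A process on the host that connects to the host's own address never traverses re0: FreeBSD routes locally owned addresses through lo0, which is why only the lo0 ipfw rules stopped the flow. With Postfix's pre-3.0 default of mynetworks_style=subnet, the box's own interface subnet is in mynetworks, so permit_mynetworks relays such a connection without authentication. The next defensive steps are therefore to find the local process (for example with sockstat -4 -c while the lo0 rule is lifted briefly) and to stop trusting the external address for unauthenticated relay. The following Python is an added example, not code from the post, from FreeBSD or from Postfix; its sample log is constructed from the lines quoted above (rejoined onto single lines, with the archive's "at" obfuscation restored to "@"), and the mynetworks list passed to mynetworks_permits is an assumption standing in for what a subnet-style default would contain.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: the Postfix log lines quoted in the post, rejoined onto
# single lines and with the archive's "at" obfuscation restored to "@".
SAMPLE_LOG = """\
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37230]: connect from f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73F7D1365D: from=<wkktxh@f116.sd.com>, size=1211, nrcpt=10 (queue active)
Nov 24 00:00:37 trafd-website-freebsd postfix/error[37366]: 75ECA134F2: to=<reco.motos@yahoo.com.br>, relay=none, delay=25715, delays=25715/0.02/0/0.12, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36699]: E559512F49: to=<luziarodrigues757@terra.com.br>, relay=vip-us-br-mx.terra.com[208.84.244.133]:25, delay=26077, delays=26075/1/0.59/0.31, dsn=4.7.1, status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] said: 450 4.7.1 You've exceeded your sending limit to this domain. (in reply to end of DATA command))
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73E8118E53: from=<t9zir@f116.sd.com>, size=1143, nrcpt=10 (queue active)
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413: client=f116.sd.com[206.239.112.241]
Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from a2-starfury4.uol.com.br[200.147.33.227]
Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: NOQUEUE: reject: RCPT from a2-starfury4.uol.com.br[200.147.33.227]: 550 5.1.1 <pehw@f116.sd.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<pehw@f116.sd.com> proto=ESMTP helo=<mx.uol.com.br>
"""

# Postfix logs clients as hostname[ip]; the hostname never contains '[' or space.
HOST_IP = r'(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]'
CONNECT_RE = re.compile(r'postfix/smtpd\[\d+\]: connect from ' + HOST_IP)
CLIENT_RE = re.compile(r'postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=' + HOST_IP)
QMGR_RE = re.compile(r'postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, '
                     r'size=\d+, nrcpt=(?P<nrcpt>\d+)')
DELIVERY_RE = re.compile(r'postfix/(?:smtp|error)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>'
                         r'.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)')
REJECT_RE = re.compile(r'NOQUEUE: reject: RCPT from ' + HOST_IP + r': (?P<code>\d{3})')


def triage(log_text, own_ips):
    """Summarise who submitted mail, what was queued and how delivery fared.

    own_ips are the server's own interface addresses.  An smtpd "client="
    entry carrying one of them means the message was submitted by a process
    running on this host (the connection went over lo0, not the NIC)."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    connects = Counter()        # client IP -> TCP connections seen by smtpd
    accepted = Counter()        # client IP -> messages smtpd handed to the queue
    sender_domains = Counter()  # envelope-sender domain -> messages queued by qmgr
    recipients_queued = 0       # sum of nrcpt over queued messages
    deferred = Counter()        # DSN code -> deferred delivery attempts
    rejected = Counter()        # client IP -> RCPT rejections
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            connects[m['ip']] += 1
            continue
        m = CLIENT_RE.search(line)
        if m:
            accepted[m['ip']] += 1
            continue
        m = QMGR_RE.search(line)
        if m:
            sender_domains[m['sender'].rpartition('@')[2]] += 1
            recipients_queued += int(m['nrcpt'])
            continue
        m = DELIVERY_RE.search(line)
        if m:
            if m['status'] == 'deferred':
                deferred[m['dsn']] += 1
            continue
        m = REJECT_RE.search(line)
        if m:
            rejected[m['ip']] += 1
    self_submitted = sum(n for ip, n in accepted.items() if ipaddress.ip_address(ip) in own)
    return {
        'connects': dict(connects),
        'accepted': dict(accepted),
        'sender_domains': dict(sender_domains),
        'recipients_queued': recipients_queued,
        'deferred': dict(deferred),
        'rejected': dict(rejected),
        'self_submitted': self_submitted,
        # All accepted mail came from the host itself: look for a local
        # process rather than an outside relay abuser.
        'locally_originated': self_submitted > 0 and self_submitted == sum(accepted.values()),
    }


def mynetworks_permits(client_ip, mynetworks):
    """Would permit_mynetworks relay for client_ip?  mynetworks is the list of
    CIDR networks from main.cf.  With the pre-3.0 default mynetworks_style=subnet
    the host's own interface subnets are included, so a connection arriving
    from the box's own address is trusted without authentication."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in mynetworks)


if __name__ == '__main__':
    report = triage(SAMPLE_LOG, own_ips=['206.239.112.241', '127.0.0.1'])
    for key, value in report.items():
        print(f'{key}: {value}')
    # Assumed contents of a subnet-style mynetworks on this host (constructed).
    nets = ['127.0.0.0/8', '206.239.112.0/24']
    print('own address relays without auth:', mynetworks_permits('206.239.112.241', nets))
    print('outside client relays without auth:', mynetworks_permits('200.147.33.227', nets))
```

On the quoted lines the report shows one accepted submission and it is from 206.239.112.241, two queued messages from f116.sd.com addressed to 20 recipients, deferrals under DSN 4.7.0 and 4.7.1, and one rejection of the outside client 200.147.33.227; locally_originated is therefore True. Running the same parser over the full maillog (the queue IDs link the client= line to the qmgr and delivery lines) narrows the window in which the local sender was active, which is the time range to correlate against process accounting and the web server's logs.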