[Postfix-br] Server shutting down and being listed on CBL

Marcos Jost Silveira marcos.jost em gmail.com
Thu Nov 28 10:37:22 BRST 2013


Good morning, everyone....
Situation: I have a mail server that yesterday at noon shut down
on its own, and again at night...
In the logs I found only this in secure that could indicate some problem:
01:23:44 mail sshd[2609]: Received signal 15; terminating.

I also saw that today this server's IP was listed on the CBL with the reason:
"We have detected that this IP is NATting for, or is infected itself,
with a Linux (or possibly some other Unix-like system such as FreeBSD)
Trojan spam mailer script."

I followed some of the recommendations on the page:
[root em mail ~]# lsof -i | grep smtp
master    2925    root   11u  IPv4   8844       TCP *:smtp (LISTEN)
master    2925    root   17u  IPv4   8855       TCP *:smtps (LISTEN)
smtpd     6872 postfix    6u  IPv4   8844       TCP *:smtp (LISTEN)
smtpd     8480 postfix    6u  IPv4   8965       TCP localhost.localdomain:10025 (LISTEN)
smtpd     8698 postfix    6u  IPv4   8844       TCP *:smtp (LISTEN)
smtpd     8752 postfix    6u  IPv4   8844       TCP *:smtp (LISTEN)
smtpd     8767 postfix    6u  IPv4   8965       TCP localhost.localdomain:10025 (LISTEN)
smtpd     8767 postfix    9u  IPv4  88016       TCP localhost.localdomain:10025->localhost.localdomain:45660 (ESTABLISHED)

Using the findbot.pl(1) script from the CBL site returned something in
the webmail directory:
(1) - http://cbl.abuseat.org/findbot.pl

[root em mail ~]# perl findbot.pl
/home/postfixadmin-2.3.5/tests/simpletest/socket.php: Suspicious(fsockopen):   return @fsockopen($host, $p
/home/postfixadmin-2.3.5/backup.php: Suspicious(shell_exec): e: $res = shell_exec($cmd);
/var/www/html/roundcubemail/plugins/password/drivers/cpanel.php: Suspicious(fsockopen): = fsockopen($this->ss
/var/www/html/roundcubemail/plugins/password/drivers/directadmin.php: Suspicious(fsockopen): socket = @fsockopen( $this->r
/var/www/html/roundcubemail/plugins/database_attachments/database_attachments.php: Suspicious(base64_decode): 'data'] = base64_decode($sql_arr[
/var/www/html/roundcubemail/program/include/rcube_session.php: Suspicious(base64_decode): vars    = base64_decode($sql_arr[
/var/www/html/roundcubemail/program/include/rcube_imap_generic.php: Suspicious(fsockopen): opened by fsockopen() wasn't
/var/www/html/roundcubemail/program/include/rcube_vcard.php: Suspicious(base64_decode):    return base64_decode($value);
/var/www/html/roundcubemail/program/include/clisetup.php: Suspicious(shell_exec): d = rtrim(shell_exec($command)
/var/www/html/roundcubemail/program/lib/Auth/SASL/CramMD5.php: Suspicious(base64_decode): e already base64_decoded.
/var/www/html/roundcubemail/program/lib/Net/Socket.php: Suspicious(fsockopen): kopen' : 'fsockopen';
/var/www/html/roundcubemail/program/lib/Net/SMTP.php: Suspicious(EHLO): n sending EHLO or HELO.
/var/www/html/roundcubemail/config/main.inc.php: Suspicious(EHLO): HELO' or 'EHLO' messages


I inherited this server already running, so I'm not exactly sure how it
was installed and configured.....
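An added example, not from the post above and not a CBL tool: the `lsof -i | grep smtp` listing only shows listening sockets and the localhost:10025 content-filter connection, whereas the CBL's "Trojan spam mailer script" diagnosis means some process on the host (or behind its NAT) is opening outbound connections to remote port 25. The script below filters `lsof -i -n -P` output for established connections to SMTP ports from anything other than Postfix's own smtp client; the sample lsof lines, PIDs, users and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report ESTABLISHED connections to a
# remote SMTP port (25, 465, 587) that are not the Postfix "smtp" client running as
# the postfix user. Any other process delivering mail directly deserves a closer look.

# Constructed sample of "lsof -i -n -P" output; PIDs, users and addresses are made up.
SAMPLE_LSOF='COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master   2925    root   11u  IPv4   8844      0t0  TCP *:25 (LISTEN)
smtp     9101 postfix   10u  IPv4  90210      0t0  TCP 192.0.2.10:41022->198.51.100.25:25 (ESTABLISHED)
perl     9333  apache    4u  IPv4  90555      0t0  TCP 192.0.2.10:41588->203.0.113.7:25 (ESTABLISHED)
php      9340  apache    7u  IPv4  90561      0t0  TCP 192.0.2.10:41590->203.0.113.9:587 (ESTABLISHED)
httpd    1200  apache    5u  IPv4   9000      0t0  TCP *:80 (LISTEN)'

# Reads lsof output on stdin; prints "COMMAND PID USER REMOTE" for each suspicious socket.
find_rogue_smtp() {
    awk '
        $NF == "(ESTABLISHED)" {
            # NAME field is local:port->remote:port; keep the remote side
            split($(NF-1), ends, "->")
            n = split(ends[2], rp, ":")
            rport = rp[n]
            if (rport == "25" || rport == "465" || rport == "587") {
                # Postfix delivers outbound mail through its smtp(8) client as user postfix
                if (!($1 == "smtp" && $3 == "postfix"))
                    print $1, $2, $3, ends[2]
            }
        }'
}

if [ "${1:-}" = "live" ]; then
    lsof -i -n -P | find_rogue_smtp        # inspect the running host
else
    printf '%s\n' "$SAMPLE_LSOF" | find_rogue_smtp   # constructed sample: flags perl and php
fi
```

Run it as `sh check.sh live` on the server to inspect real sockets; if the server is NATting for other machines, the same check has to be done on the gateway's connection tracking instead, since this only sees the server's own processes.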


More information about the Postfix-br mailing list