[Postfix-br] Server shutting down and getting listed on the CBL
Marcos Jost Silveira
marcos.jost at gmail.com
Thu Nov 28 10:37:22 BRST 2013
Good morning everyone....

Situation: I have a mail server that shut down by itself yesterday at noon, and again at night...

In the logs, the only thing I found in the secure log that could point to some problem was:
01:23:44 mail sshd[2609]: Received signal 15; terminating.
I also saw that today this server's IP was listed on the CBL with the reason:

"We have detected that this IP is NATting for, or is infected itself,
with a Linux (or possibly some other Unix-like system such as FreeBSD)
Trojan spam mailer script."

I followed some of the suggestions on that page:
[root@mail ~]# lsof -i | grep smtp
master 2925 root 11u IPv4 8844 TCP *:smtp (LISTEN)
master 2925 root 17u IPv4 8855 TCP *:smtps (LISTEN)
smtpd 6872 postfix 6u IPv4 8844 TCP *:smtp (LISTEN)
smtpd 8480 postfix 6u IPv4 8965 TCP localhost.localdomain:10025 (LISTEN)
smtpd 8698 postfix 6u IPv4 8844 TCP *:smtp (LISTEN)
smtpd 8752 postfix 6u IPv4 8844 TCP *:smtp (LISTEN)
smtpd 8767 postfix 6u IPv4 8965 TCP localhost.localdomain:10025 (LISTEN)
smtpd 8767 postfix 9u IPv4 88016 TCP localhost.localdomain:10025->localhost.localdomain:45660 (ESTABLISHED)
Running the findbot.pl script(1) from the CBL site returned a few things in the webmail directory:

(1) - http://cbl.abuseat.org/findbot.pl
[root@mail ~]# perl findbot.pl
/home/postfixadmin-2.3.5/tests/simpletest/socket.php: Suspicious(fsockopen): return @fsockopen($host, $p
/home/postfixadmin-2.3.5/backup.php: Suspicious(shell_exec): e: $res = shell_exec($cmd);
/var/www/html/roundcubemail/plugins/password/drivers/cpanel.php: Suspicious(fsockopen): = fsockopen($this->ss
/var/www/html/roundcubemail/plugins/password/drivers/directadmin.php: Suspicious(fsockopen): socket = @fsockopen( $this->r
/var/www/html/roundcubemail/plugins/database_attachments/database_attachments.php: Suspicious(base64_decode): 'data'] = base64_decode($sql_arr[
/var/www/html/roundcubemail/program/include/rcube_session.php: Suspicious(base64_decode): vars = base64_decode($sql_arr[
/var/www/html/roundcubemail/program/include/rcube_imap_generic.php: Suspicious(fsockopen): opened by fsockopen() wasn't
/var/www/html/roundcubemail/program/include/rcube_vcard.php: Suspicious(base64_decode): return base64_decode($value);
/var/www/html/roundcubemail/program/include/clisetup.php: Suspicious(shell_exec): d = rtrim(shell_exec($command)
/var/www/html/roundcubemail/program/lib/Auth/SASL/CramMD5.php: Suspicious(base64_decode): e already base64_decoded.
/var/www/html/roundcubemail/program/lib/Net/Socket.php: Suspicious(fsockopen): kopen' : 'fsockopen';
/var/www/html/roundcubemail/program/lib/Net/SMTP.php: Suspicious(EHLO): n sending EHLO or HELO.
/var/www/html/roundcubemail/config/main.inc.php: Suspicious(EHLO): HELO' or 'EHLO' messages
I inherited this server already running, so I don't know for sure how it was installed and configured.....
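Two follow-up checks for the situation in the post, written as an added example (this is not code from the post, from Postfix, or from the CBL's findbot.pl). The first parses `lsof -i -n` output (with or without `-P`) and reports SMTP sockets held by anything other than the Postfix daemons a stock install runs (`master` as root, `smtpd`/`smtp` as postfix; that owner list is an assumption for a default install). The second does what findbot.pl does, grep for the same call names, but skips files present in a known-good manifest, which is assumed to come from the upstream Roundcube/PostfixAdmin tarball, so the stock hits listed above do not bury a real dropper. The lsof sample is constructed: its Postfix lines mirror the post's, the `php-cgi` line is invented to show what a web script spamming directly looks like. The PHP files and manifest are likewise constructed in a temporary directory.

```python
"""Triage helpers for a Postfix host listed on the CBL as a "Linux trojan spam
mailer".  Added example: neither from the post above nor from the CBL's
findbot.pl.  Two checks, both run on constructed sample data:

  1. parse `lsof -i -n` output and report SMTP sockets (listeners, or
     connections to a remote port 25/465/587) owned by anything other than the
     Postfix daemons expected on a stock install (assumed owner list below);
  2. scan a PHP tree for the call names findbot.pl flags, but skip files listed
     in a known-good manifest (assumed to be built from the upstream tarball).
"""
import os
import re
import tempfile

SMTP_PORTS = {25, 465, 587}
SERVICES = {"smtp": 25, "smtps": 465, "submission": 587}   # names lsof prints without -P
# (command, user) pairs that may legitimately hold SMTP sockets on a stock Postfix box (assumption)
EXPECTED_OWNERS = {("master", "root"), ("smtpd", "postfix"), ("smtp", "postfix")}
SUSPECT_CALL = re.compile(r"\b(fsockopen|shell_exec|base64_decode|eval|system|passthru|exec)\s*\(")


def parse_lsof(text):
    """Turn `lsof -i` lines into dicts; tolerant of the older format without SIZE/OFF."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 8 or t[0] == "COMMAND":
            continue
        state = t[-1].strip("()") if t[-1].startswith("(") else ""
        name, node = (t[-2], t[-3]) if state else (t[-1], t[-2])
        if node != "TCP":
            continue
        rows.append({"cmd": t[0], "pid": int(t[1]), "user": t[2], "name": name, "state": state})
    return rows


def port_of(addr):
    """Port number of '*:smtp', '10.0.0.5:25' or '[::1]:25'; None if unknown."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else SERVICES.get(port)


def suspicious_smtp(rows):
    """Flag SMTP listeners and outbound SMTP connections not owned by Postfix."""
    findings = []
    for r in rows:
        local, _, remote = r["name"].partition("->")
        if (r["cmd"], r["user"]) in EXPECTED_OWNERS:
            continue
        if r["state"] == "LISTEN" and port_of(local) in SMTP_PORTS:
            findings.append(("unexpected smtp listener", r))
        elif remote and port_of(remote) in SMTP_PORTS:
            findings.append(("outbound smtp from non-postfix process", r))
    return findings


def scan_php(root, manifest):
    """(relative path, first suspect call) for PHP files under root not in the manifest."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.endswith(".php"):
                continue
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root)
            if rel in manifest:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                m = SUSPECT_CALL.search(fh.read())
            if m:
                hits.append((rel, m.group(1)))
    return sorted(hits)


# Constructed lsof sample: Postfix lines mirror the post; the php-cgi line is invented.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 2925 root 11u IPv4 8844 0t0 TCP *:smtp (LISTEN)
master 2925 root 17u IPv4 8855 0t0 TCP *:smtps (LISTEN)
smtpd 8767 postfix 9u IPv4 88016 0t0 TCP 127.0.0.1:10025->127.0.0.1:45660 (ESTABLISHED)
smtp 9100 postfix 5u IPv4 90001 0t0 TCP 10.0.0.5:40122->198.51.100.9:25 (ESTABLISHED)
php-cgi 9911 apache 7u IPv4 91234 0t0 TCP 10.0.0.5:51230->203.0.113.7:25 (ESTABLISHED)
"""


def demo_scan():
    """Constructed webroot: two stock-looking Roundcube files in the manifest and one
    invented dropper hidden in an images directory."""
    root = tempfile.mkdtemp()
    files = {
        "roundcubemail/program/lib/Net/Socket.php": "<?php $fp = @fsockopen($host, $port); ?>",
        "roundcubemail/config/main.inc.php": "<?php $rcmail_config['smtp_helo_host'] = ''; ?>",
        "roundcubemail/skins/larry/images/.cache.php": "<?php eval(base64_decode($_POST['c'])); ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    manifest = {"roundcubemail/program/lib/Net/Socket.php",
                "roundcubemail/config/main.inc.php"}
    return scan_php(root, manifest)


if __name__ == "__main__":
    for reason, row in suspicious_smtp(parse_lsof(SAMPLE_LSOF)):
        print(f"{reason}: {row['cmd']}[{row['pid']}] as {row['user']} {row['name']}")
    for rel, call in demo_scan():
        print(f"not in manifest, calls {call}(): {rel}")
```

On the post's own lsof output every socket belongs to `master` or `smtpd`, so the first check stays quiet; the 10025 connection is just Postfix handing mail to its content filter on loopback. Likewise every findbot.pl hit in the post sits in a stock Roundcube or PostfixAdmin file, which is why comparing the tree against the upstream file list (or checksums) is more telling than the raw grep: a dropper normally shows up as a file the package never shipped, often in a directory the web server can write to.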