
Help: SPAM sent from my VPS


Tchoulak
12/07/2014, 20h02
Quote originally posted by fritz2cat
It comes from 127.0.0.1, which you can already remove from [postfix/main.cf]trusted_networks if you don't use that method.

You have a script that opens an SMTP session to localhost.

Compare with your Apache log, hour/minute/second, to find the script in question.
I finally found it after many hours of searching.

I use WordPress with the MailPoet extension to send newsletters.

This extension was affected by a vulnerability that allowed a file to be uploaded.

So a nice PHP SpamBot was uploaded and called remotely by a cute Russian hacker.

I deleted the file and updated the MailPoet extension, which had just patched the vulnerability.

Thanks for your help.

fritz2cat
12/07/2014, 19h04
It comes from 127.0.0.1, which you can already remove from [postfix/main.cf]trusted_networks if you don't use that method.

You have a script that opens an SMTP session to localhost.

Compare with your Apache log, hour/minute/second, to find the script in question.
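The hour/minute/second comparison fritz2cat suggests is easy to script. The following is an added example and not code from the thread or from OVH: it reads Postfix mail.log lines that indicate mail originating on the box itself (an smtpd session from 127.0.0.1, or a pickup entry with uid=33, which is www-data on Debian, as seen in Tchoulak's log further down), then matches each such event against Apache combined-format access log entries within a small time window and ranks the request paths by how often they coincide. The sample log lines, the client IPs and the path of the dropped PHP file are constructed for the example; the script assumes both logs use the same local wall-clock time and that the syslog year is 2014.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed mail.log sample (Postfix syslog format, as in the thread).
MAIL_LOG = """\
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: connect from localhost.localdomain[127.0.0.1]
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: 7A1B2EA1058: client=localhost.localdomain[127.0.0.1]
Jul 11 21:48:45 vpsXXXXXX postfix/smtpd[28002]: disconnect from localhost.localdomain[127.0.0.1]
Jul 11 00:46:50 vpsXXXXXX postfix/pickup[26314]: 42620EA1058: uid=33 from=<lilly_howard@example.com>
"""

# Constructed Apache access log sample (combined format); the dropper path is hypothetical.
ACCESS_LOG = """\
203.0.113.7 - - [11/Jul/2014:21:48:44 +0200] "POST /wp-content/uploads/hypothetical-dropper.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Jul/2014:21:40:02 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2014:00:46:50 +0200] "POST /wp-content/uploads/hypothetical-dropper.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

MAIL_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/(\w+)\[\d+\]: (.*)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

WEB_UID = 33  # www-data on Debian; adjust for other distributions


def parse_mail_log(text, year=2014):
    """Return (timestamp, description) for lines showing mail injected locally:
    an smtpd session from 127.0.0.1, or a message picked up from the sendmail
    command run under the web server's uid. Syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        prog, msg = m.group(2), m.group(3)
        if prog == "smtpd" and msg.startswith("connect from") and "[127.0.0.1]" in msg:
            events.append((ts, "SMTP session from localhost"))
        elif prog == "pickup":
            uid = re.search(r"\buid=(\d+)", msg)
            if uid and int(uid.group(1)) == WEB_UID:
                events.append((ts, f"sendmail pickup from uid {WEB_UID}"))
    return events


def parse_access_log(text):
    """Return (timestamp, client_ip, method, path, status) per request.
    The offset is dropped so Apache times compare with naive syslog local time."""
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        requests.append((ts, m.group(1), m.group(3), m.group(4), int(m.group(5))))
    return requests


def correlate(mail_events, requests, window_seconds=2):
    """Count (path, client_ip) pairs whose request time lies within the window
    of a local mail-injection event."""
    hits = Counter()
    for ev_ts, _ in mail_events:
        for req_ts, ip, _method, path, _status in requests:
            if abs((req_ts - ev_ts).total_seconds()) <= window_seconds:
                hits[(path, ip)] += 1
    return hits


def suspect_requests(mail_text, access_text, window_seconds=2):
    """Rank (path, client_ip, coincidences), most frequent first."""
    hits = correlate(parse_mail_log(mail_text), parse_access_log(access_text), window_seconds)
    return sorted(((path, ip, n) for (path, ip), n in hits.items()),
                  key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    for path, ip, n in suspect_requests(MAIL_LOG, ACCESS_LOG):
        print(f"{n:3d} x {path} from {ip}")
```

On a real server, replace the two constants with the contents of /var/log/mail.log and the relevant Apache access log; a path that keeps showing up at the exact second of each localhost SMTP session or uid=33 pickup is the script to inspect. A request that was already found (the deleted dropper) still leaves its trace in the access log, which is the evidence to keep before cleaning up.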

Tchoulak
12/07/2014, 18h37
I'm troubled because SPAM is being sent from my VPS, using one of my domains, to external recipients.

Example of verbose logs in mail.log:

Code:
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: connect from localhost.localdomain[127.0.0.1]
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: match_hostname: localhost.localdomain ~? 37.187.60.0/24
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: match_hostaddr: 127.0.0.1 ~? 37.187.60.0/24
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: match_hostname: localhost.localdomain ~? 127.0.0.0/8
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: > localhost.localdomain[127.0.0.1]: 220  ESMTP Postfix (Debian/GNU)
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: xsasl_dovecot_server_create: SASL service=smtp, realm=(null)
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: name_mask: noanonymous
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: xsasl_dovecot_server_connect: Connecting
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: xsasl_dovecot_server_connect: auth reply: VERSION?1?1
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: name_mask: plaintext
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: xsasl_dovecot_server_connect: auth reply: MECH?LOGIN?plaintext
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: name_mask: plaintext
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: xsasl_dovecot_server_connect: auth reply: SPID?28004
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: xsasl_dovecot_server_connect: auth reply: CUID?1
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: xsasl_dovecot_server_connect: auth reply: COOKIE?16f32f7481e319d253492228ac0fa5f6
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: xsasl_dovecot_server_connect: auth reply: DONE
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: xsasl_dovecot_server_mech_filter: keep mechanism: LOGIN
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: watchdog_pat: 0x7fde543a9e50
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: < localhost.localdomain[127.0.0.1]: EHLO .com
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: match_list_match: localhost.localdomain: no match
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: match_list_match: 127.0.0.1: no match
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: > localhost.localdomain[127.0.0.1]: 250-
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: > localhost.localdomain[127.0.0.1]: 250-PIPELINING
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: > localhost.localdomain[127.0.0.1]: 250-SIZE 30720000
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: > localhost.localdomain[127.0.0.1]: 250-VRFY
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: > localhost.localdomain[127.0.0.1]: 250-ETRN
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: > localhost.localdomain[127.0.0.1]: 250-STARTTLS
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: > localhost.localdomain[127.0.0.1]: 250-AUTH PLAIN LOGIN
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: > localhost.localdomain[127.0.0.1]: 250-AUTH=PLAIN LOGIN
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: > localhost.localdomain[127.0.0.1]: 250-ENHANCEDSTATUSCODES
Jul 11 21:48:44 vpsXXXXXX postfix/smtpd[28002]: > localhost.localdomain[127.0.0.1]: 250-8BITMIME
Sending a mail:

Code:
Jul 11 00:46:50 vpsXXXXXX postfix/pickup[26314]: 42620EA1058: uid=33 from=.com>
Jul 11 00:46:50 vpsXXXXXX postfix/cleanup[28354]: 42620EA1058: message-id=<20140710224650.42620EA1058@>
Jul 11 00:46:50 vpsXXXXXX postfix/qmgr[2895]: 42620EA1058: from=.com>, size=752, nrcpt=1 (queue active)
Jul 11 00:46:50 vpsXXXXXX postfix/smtp[28361]: 42620EA1058: to=, relay=mx.topaz.synacor.com[69.168.108.17]:25, delay=0.19, delays=0.06/0.02/0.04/0.07, dsn=5.7.1, status=bounced (host mx.topaz.synacor.com[69.168.108.17] said: 554 5.7.1 [P4] Message blocked due to spam content in the message. (in reply to end of DATA command))
Complete example of a message:

Code:
root@vpsXXXXXX:/var/log$ postcat /var/spool/postfix/deferred/3/3E388EA1058
*** ENVELOPE RECORDS /var/spool/postfix/deferred/3/3E388EA1058 ***
message_size:             796             743               1               0             796
message_arrival_time: Sat Jul 12 12:58:23 2014
create_time: Sat Jul 12 12:58:23 2014
named_attribute: log_ident=3E388EA1058
named_attribute: rewrite_context=local
sender: lilly_howard@.com
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=50109
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=.com
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: client_port=50109
named_attribute: helo_name=.com
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
warning_message_time: Thu Jan  1 01:00:00 1970
named_attribute: dsn_orig_rcpt=rfc822;hodgsonpeter408@yhoo.co.uk
original_recipient: hodgsonpeter408@yhoo.co.uk
recipient: hodgsonpeter408@yhoo.co.uk
*** MESSAGE CONTENTS /var/spool/postfix/deferred/3/3E388EA1058 ***
Received: from .com (localhost.localdomain [127.0.0.1])
	by  (Postfix) with ESMTP id 3E388EA1058
	for ; Sat, 12 Jul 2014 12:58:23 +0200 (CEST)
Date: Sat, 12 Jul 2014 12:58:23 +0200
From: "Lilly Howard" .com>
Reply-To:"Lilly Howard" .com>
Message-ID: .com>
To: hodgsonpeter408@yhoo.co.uk
Subject: Fw:  Haha, Bikini babe shows pussy
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit




*** HEADER EXTRACTED /var/spool/postfix/deferred/3/3E388EA1058 ***
named_attribute: encoding=8bit
*** MESSAGE FILE END /var/spool/postfix/deferred/3/3E388EA1058 ***
The mail header doesn't indicate whether it was sent from a PHP script; the tests I ran seem to show that I'm not an open SMTP relay, so I can't figure out who is sending this SPAM, and if you're willing I could really use a hand.