Server mail spam problems


anmaxp
04-20-2006, 03:06 AM
Hey all,

I have had a home Linux server set up for a couple of months now. Since yesterday I've been noticing a lot of disk activity, so I checked my logs and noticed that the server has sent thousands of mails through postfix/imap... I'm pretty sure it's spamming. Weirdest thing now: I have tried to stop the mail daemons, and it will only let me stop postfix, while imap, imaps, ipop3 and pop3s all return an unrecognized service error... Did I get hacked or what?

I thought I had a secure setup... through iptables and only allowing ssh through a non-root user on the local LAN, few running services, etc...

Any way I can fix this without reinstalling? And if I do, how do I prevent this?

tail /var/log/maillog

Apr 20 00:39:26 aluna postfix/qmgr[2069]: C31E012196D: from=<>, size=8704, nrcpt=1 (queue active)
Apr 20 00:39:26 aluna postfix/smtp[14803]: connect to clmboh-01.mgw.rr.com[65.24.7.10]: server refused to talk to me: 550-clmboh-mx-01.mgw.rr.com 550 ERROR: Mail Refused - server.ip - See http://security.rr.com/cgi-bin/block-lookup?server.ip (port 25)
Apr 20 00:39:26 aluna postfix/qmgr[2069]: C59A31222A9: from=<>, size=31822, nrcpt=1 (queue active)
Apr 20 00:39:26 aluna postfix/smtp[14901]: 0CFF41220C1: enabling PIX <CRLF>.<CRLF> workaround for mailproxy.dinanet.net.co[200.89.224.244]
Apr 20 00:39:26 aluna postfix/smtp[14857]: CEE3C79E01: to=<hvactech@visto.com>, relay=none, delay=37608, status=deferred (connect to relayb2.corp.visto.com[208.49.234.36]: server refused to talk to me: 554 Service unavailable; Client host [server.ip] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=server.ip )
Apr 20 00:39:26 aluna postfix/smtp[14846]: C56D4121CAF: to=<mesoderm@hutchcity.com>, relay=none, delay=38783, status=deferred (connect to smtpip02.hutchcity.com[210.0.255.220]: server refused to talk to me: 554 smtpip02.hutchcity.com )
Apr 20 00:39:26 aluna postfix/smtp[14773]: C93C4121EBB: host sinamx.sina.com.cn[202.108.3.188] said: 450 4.7.1 Client host rejected: cannot find your hostname, [server.ip] (in reply to RCPT TO command)
Apr 20 00:39:26 aluna postfix/smtp[14773]: C93C4121EBB: host sinamx.sina.com.cn[202.108.3.188] said: 450 4.7.1 Client host rejected: cannot find your hostname, [server.ip] (in reply to RCPT TO command)
Apr 20 00:39:26 aluna postfix/smtp[14850]: C5F4F121DFA: to=<anncom@gateway.net>, relay=none, delay=38577, status=deferred (connect to gateway.net[149.174.33.10]: Connection timed out)
Apr 20 00:39:26 aluna postfix/smtp[14788]: CECA879EC8: to=<lindsay@tecjewelers.com>, relay=mail.tecjewelers.com[66.235.192.60], delay=36759, status=deferred (host mail.tecjewelers.com[66.235.192.60] said: 451 http://dsbl.org/listing?server.ip (in reply to RCPT TO command))
Apr 20 00:39:26 aluna postfix/qmgr[2069]: C800578D00: from=<>, size=9705, nrcpt=1 (queue active)

It's been doing that for 2 days now. Imagine the log file size...

Just in case, the services the server is running: apache, postfix, imap, mysql, squid, dhcp, ssh, samba & iptables

edit: doing some reading I found out that this could be the proxy server relaying emails? If so, why can't I seem to stop the services?
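The log excerpt above already contains the indicators a defender looks for first: bounce messages (from=<>), a queue full of deferred deliveries, and remote servers that refuse the connection because the sender IP is on a blocklist. The following script, which is an added example and not something posted in this thread, counts those indicators over whatever maillog lines it is fed on stdin. The sample lines and all addresses in it are constructed to match the shape of the excerpt; the SUSPICIOUS threshold (any blocklist rejection, or more deferred than delivered mail) is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: quick triage of Postfix maillog lines for
# the indicators visible in the excerpt above. All counts are taken over stdin,
# so it works on `tail -n 5000 /var/log/maillog` as well as the sample below.

# Constructed sample in the shape of the log excerpt (documentation addresses,
# not real hosts).
MAILLOG_SAMPLE='Apr 20 00:39:26 aluna postfix/qmgr[2069]: C31E012196D: from=<>, size=8704, nrcpt=1 (queue active)
Apr 20 00:39:26 aluna postfix/smtp[14857]: CEE3C79E01: to=<user1@example.com>, relay=none, delay=37608, status=deferred (connect to mx.example.com[192.0.2.10]: server refused to talk to me: 554 Service unavailable; Client host [203.0.113.5] blocked using sbl-xbl.spamhaus.org)
Apr 20 00:39:26 aluna postfix/smtp[14846]: C56D4121CAF: to=<user2@example.net>, relay=none, delay=38783, status=deferred (connect to mx.example.net[192.0.2.11]: server refused to talk to me: 554 mx.example.net)
Apr 20 00:39:27 aluna postfix/smtp[14788]: CECA879EC8: to=<user3@example.org>, relay=mail.example.org[192.0.2.12], delay=36759, status=deferred (host mail.example.org[192.0.2.12] said: 451 http://dsbl.org/listing?203.0.113.5 (in reply to RCPT TO command))
Apr 20 00:39:27 aluna postfix/smtp[14790]: D0A0A79EC9: to=<alice@example.com>, relay=mail.example.com[192.0.2.13], delay=2, status=sent (250 OK)
Apr 20 00:39:27 aluna postfix/qmgr[2069]: C59A31222A9: from=<>, size=31822, nrcpt=1 (queue active)'

# Count stdin lines matching an awk regex; always prints a number (0 if none).
maillog_count() {
  awk -v pat="$1" '$0 ~ pat { n++ } END { print n + 0 }'
}

# Recipient domains with their frequency, most frequent first. A spam run
# usually shows thousands of distinct foreign domains here.
maillog_recipient_domains() {
  sed -n 's/.*to=<[^@>]*@\([^>]*\)>.*/\1/p' | sort | uniq -c | sort -rn
}

# Remote-side refusals that name a blocklist: the strongest sign that the host
# is already known to the outside world as a spam source.
RBL_PATTERN='blocked using|spamhaus|dsbl[.]org|block-lookup'

# One-line summary of the indicators a defender looks at first.
maillog_summary() {
  log=$(cat)
  printf 'bounces(from=<>)=%s deferred=%s sent=%s rbl_rejections=%s\n' \
    "$(printf '%s\n' "$log" | maillog_count 'from=<>')" \
    "$(printf '%s\n' "$log" | maillog_count 'status=deferred')" \
    "$(printf '%s\n' "$log" | maillog_count 'status=sent')" \
    "$(printf '%s\n' "$log" | maillog_count "$RBL_PATTERN")"
}

# Verdict: SUSPICIOUS if any blocklist rejection is seen or deferred mail
# outnumbers delivered mail (threshold chosen for illustration), else NORMAL.
maillog_verdict() {
  log=$(cat)
  deferred=$(printf '%s\n' "$log" | maillog_count 'status=deferred')
  sent=$(printf '%s\n' "$log" | maillog_count 'status=sent')
  rbl=$(printf '%s\n' "$log" | maillog_count "$RBL_PATTERN")
  if [ "$rbl" -gt 0 ] || [ "$deferred" -gt "$sent" ]; then
    echo SUSPICIOUS
  else
    echo NORMAL
  fi
}

printf '%s\n' "$MAILLOG_SAMPLE" | maillog_summary
printf '%s\n' "$MAILLOG_SAMPLE" | maillog_recipient_domains
printf '%s\n' "$MAILLOG_SAMPLE" | maillog_verdict
```

On the sample this reports two bounces, three deferred against one sent delivery and two blocklist rejections, so the verdict is SUSPICIOUS. The recipient-domain list is the quickest way to tell a backscatter flood (bounces to random outside domains) from a legitimate burst of mail to a handful of known domains.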

bwkaz
04-20-2006, 07:57 PM
Don't try stopping services through your distro's tools; try just killing processes. If someone has compromised your box and is sending spam through it, then they won't have registered their process in your distro's tools, so those tools won't recognize the services you're trying to stop. (top will let you kill processes; make sure you're root though.)

That'll give you a temporary reprieve -- it sounds like you may have been backdoored somehow. And if you have, it's really hard to recover from that kind of thing: the best bet is to just reinstall and restore known-good data from your backups.

(Alternately, it may be someone on your internal network that's been backdoored, and is sending mails through that host. Doesn't sound like it based on the disk activity, but it is possible.)

Also, if you haven't configured your mail server properly, then it might just be an open relay; someone may be sending spam to it, and having it forward the spam on to the outside user that they're targeting.
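The open-relay possibility bwkaz raises comes down to two Postfix settings: which networks permit_mynetworks treats as local, and whether the recipient restrictions end in reject_unauth_destination. The following checker is an added example, not code from this thread or from the howtoforge guide; both configurations in it are constructed, and the parser is a deliberately small one that ignores main.cf continuation lines. On a live server, `postconf -n | relay_check` feeds it the effective configuration. smtpd_relay_restrictions exists in Postfix 2.10 and later; on the 2006-era releases in this thread only smtpd_recipient_restrictions applies.

```shell
#!/bin/sh
# Added example, not from the thread or the howtoforge guide: check the two
# Postfix main.cf settings that decide whether the server relays for strangers.
# On a live box feed it the effective configuration: postconf -n | relay_check

# Constructed configurations. The first trusts the whole Internet as "local",
# which is the classic open relay: permit_mynetworks matches every client.
WEAK_MAIN_CF='myhostname = aluna.example.net
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination'

# Only loopback and the LAN are trusted; relaying for anyone else is refused
# unless the client authenticated (smtpd_relay_restrictions exists in Postfix
# 2.10 and later; older releases rely on the recipient restrictions alone).
HARDENED_MAIN_CF='myhostname = aluna.example.net
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'

# Print the value of one "name = value" parameter read from stdin. The last
# assignment wins, as in Postfix; continuation lines are not handled here.
cf_get() {
  awk -v key="$1" '
    index($0, "=") {
      name = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", name)
      if (name == key) { v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v) }
    }
    END { print v }'
}

# Report the relay-related problems found in the configuration on stdin and
# end with a one-word verdict line: OK or OPEN-RELAY-RISK.
relay_check() {
  cfg=$(cat)
  nets=$(printf '%s\n' "$cfg" | cf_get mynetworks)
  rcpt=$(printf '%s\n' "$cfg" | cf_get smtpd_recipient_restrictions)
  relay=$(printf '%s\n' "$cfg" | cf_get smtpd_relay_restrictions)
  problems=0
  # permit_mynetworks grants relaying to everything listed in mynetworks, so a
  # /0 entry (0.0.0.0/0) turns the server into an open relay.
  case " $nets " in
    *"/0 "*|*"/0,"*)
      echo "PROBLEM: mynetworks trusts every address: $nets"
      problems=$((problems + 1)) ;;
  esac
  # Without reject_unauth_destination (or defer_unauth_destination) nothing
  # stops mail for foreign domains once the permit_* checks do not match.
  if ! printf '%s\n' "$rcpt $relay" | grep -Eq 'reject_unauth_destination|defer_unauth_destination'; then
    echo "PROBLEM: neither smtpd_recipient_restrictions nor smtpd_relay_restrictions rejects unauthorised destinations"
    problems=$((problems + 1))
  fi
  if [ "$problems" -eq 0 ]; then echo OK; else echo OPEN-RELAY-RISK; fi
}

echo "--- weak config ---";     printf '%s\n' "$WEAK_MAIN_CF" | relay_check
echo "--- hardened config ---"; printf '%s\n' "$HARDENED_MAIN_CF" | relay_check
```

Note that a clean result here only rules out the open-relay explanation. If a process on the box is injecting mail locally (through sendmail or port 25 on loopback), the relay restrictions never apply to it, which is why the compromise bwkaz describes still has to be checked separately.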

anmaxp
04-26-2006, 02:08 AM
I'm about to get a new (free) :) hard drive for the server, so I'm definitely reinstalling Fedora. For the time being postfix is disabled; now how do I prevent this sort of thing from happening again? I really like having my own mail server running.

I followed the mail setup instructions from here (http://www.howtoforge.com/perfect_setup_fedora_core_4_p4) and thought it was secure enough... is it?

HughA
04-26-2006, 08:40 AM
Hello anmaxp,

I am running a web server using Apache on FC4. For security reasons it serves static HTML only - no dynamic content, no CGIs, no server side includes, no email.

Here are some tips for securing FC and Apache:

Center (sic) for Internet Security Linux scanner (www.cisecurity.com)
[gives your server a rating out of 10 - FC gets about 5.6 out of the box,
I have hardened my server to around 9.8]

Bastille analysis and hardening software
[complementary to the CIS stuff mentioned above, with a nice GUI
interface]

rkhunter and chkrootkit for root kit detection

AIDE for host-based intrusion detection, with the executable,
configuration file and databases on removable media (I just installed in
the default location, then moved the critical stuff to my memory stick
and created symlinks).

Center (still sic) for Internet Security Apache scanner and documentation
[really good information for hardening Apache]

Among other things, Apache should be compiled from source to ensure
the latest version, and so that only the modules you really require are
present (this is recommended by the CIS stuff). Additionally, you should
use Apache modules mod_security (for application firewalling), and
mod_evasive (to provide protection against denial of service attacks).

In addition to the normal firewalling, set up your iptables so that only
related / established traffic is allowed OUT of the server - if someone
gets to a non-root user prompt, they won't be able to ftp out to
download rootkits etc.

To further frustrate hackers' attempts to download / install
malicious code, 'chmod 700' the following executables that are
owned by root (where present on your server):

make, gcc, g++, any other compilers that are present
ssh, sftp, scp
telnet, rsh, rcp, rlogin, ftp (and variants)
curl, wget (commonly used in hacking exploits, these appeared in my
mod_security log very early on)
gopher, kermit, fetch
[there are some others, but these are a good start]

I also performed a 'chmod go-rwx' for /usr/local and all files and
directories beneath (I didn't install Apache under /usr/local,
or this step would have broken it).

Perform regular scans from a remote server with the following tools to
check for any vulnerabilities:

nessus
SARA
nmap
nikto

Perhaps consider installing snort and base to provide intrusion
detection / prevention.

I hope that this is helpful :-)

Regards,
Hugh
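Hugh's AIDE advice, with the database kept off the machine on a memory stick, is the one item in his list that would have answered anmaxp's original question ("did I get hacked?") directly. The script below is an added example, not Hugh's setup or AIDE itself: a minimal baseline-and-compare in the same spirit, so the mechanism is visible. It assumes sha256sum (GNU coreutils) or shasum is installed, runs its demonstration on a scratch directory it creates itself, and does not handle paths containing two consecutive spaces.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity baseline and
# check in the spirit of the AIDE setup described above. Keep the baseline
# file (and ideally this script) on removable or read-only media, as Hugh
# suggests, so that an intruder who gains root cannot quietly rewrite it.

# Assumes GNU coreutils sha256sum or Perl shasum is available.
hash_tool() {
  if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# Write one "hash  path" line per regular file under $1, sorted by path.
integrity_baseline() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    $(hash_tool) "$f"
  done
}

# Compare the current state of directory $1 against baseline file $2 and print
# one line per difference: ADDED, CHANGED or REMOVED followed by the path.
# (Paths containing two consecutive spaces are not handled.)
integrity_check() {
  integrity_baseline "$1" | awk -v base="$2" '
    BEGIN {
      # Load the baseline: hash is the first field, path follows two spaces.
      while ((getline line < base) > 0) {
        split(line, f, " "); old[substr(line, length(f[1]) + 3)] = f[1]
      }
      close(base)
    }
    {
      path = substr($0, length($1) + 3); seen[path] = 1
      if (!(path in old))        print "ADDED " path
      else if (old[path] != $1)  print "CHANGED " path
    }
    END {
      for (p in old) if (!(p in seen)) print "REMOVED " p
    }' | LC_ALL=C sort
}

# Demonstration on a scratch directory: build a baseline, then simulate a
# modified binary, a dropped-in file and a deleted file.
demo=$(mktemp -d)
mkdir -p "$demo/bin"
printf 'v1\n' > "$demo/bin/a"
printf 'v1\n' > "$demo/bin/b"
integrity_baseline "$demo/bin" > "$demo/baseline.db"
printf 'tampered\n' > "$demo/bin/a"
printf 'new\n' > "$demo/bin/c"
rm "$demo/bin/b"
integrity_check "$demo/bin" "$demo/baseline.db"
rm -rf "$demo"
```

Real AIDE also records permissions, owners, inode numbers and timestamps, and the baseline must be taken on a machine you still trust (in anmaxp's case, right after the reinstall, before the box goes back on the network). A baseline generated after the compromise only tells you what changes from that point on.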