Off Topic - Can someone help?

Miguel Koren O'Brien de Lacy miguelk at konsultex.com.br
Thu Jan 3 10:53:12 GMT 2008


I had a similar, mysterious problem like this a few years ago. What
happened is that the same server was running Apache and it was
configured improperly as a proxy by letting anyone use it as a proxy, so
some spam systems were detecting that and using Apache to send those
emails. I reconfigured Apache, following some guidelines from the Apache
web site and the problem went away. There are some emails from me about
this possibly in 2004 on this mailing list.

I had the "ProxyPass" directive on and this let the spammers use apache
as a route to sendmail.

Check for something like this in your apache log:

access_log:168.61.4.12 - - [08/Aug/2004:16:54:45 -0300] "POST
http://168.61.5.196:25/ HTTP/1.0" 200 2027

Maybe this can help you before you reinstall the OS.

Miguel

ajos1 at onion.demon.co.uk wrote:
> -
>
> Off Topic - Can someone help?
>
> I am sending this for 2 reasons:
>
> (1) To let people know there might be something that they need to look out for...
>
> (2) I am hoping someone might tell me what I have got wrong with my system.
>
>
> I think I have a safe-ish system... (ie) not an open relay and so on... but TONIGHT all of a sudden something/someone is "supposedly" able to relay.
>
>
> Hack example one is:  Sending from: dwkscy at yahoo.com to a2234455 at tomail.com.tw
>
> Hack example two is:  Sending from: okorfhzoaiadke at yahoo.com to zillions of people !!
>
> I tried telnetting from a remote IP... and doing:  mail from: <a at yahoo.com>  and  rcpt to: <b at tomail.com.tw> .  And my system says that Relaying is denied...
>
> As a temporary stop... I have had to put this in my /etc/mail/access file
>
> /etc/mail/access
> ================
> To:tomail.com.tw     REJECT
>
>
> ###########
> #### Does anyone have a clue how I might be getting hacked???
> ###########
>
>
>
> [root at www log]# host -t mx tomail.com.tw
> ========================================
> tomail.com.tw mail is handled by 10 localhost.
>
>
>
> [root at www log]# grep -i 005955 maillog
> ======================================
> Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: from=<dwkscy at yahoo.com>, size=1658, class=0, nrcpts=1, msgid=<MESUDDUFSUEWDFVOVABXGNCN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
> Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: to=<a2234455 at tomail.com.tw>, delay=00:00:02, mailer=esmtp, pri=31658, stat=queued
> Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: SYSERR(root): MX list for tomail.com.tw. points back to www.tbshs.herts.sch.uk
> Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: to=<a2234455 at tomail.com.tw>, delay=00:00:05, xdelay=00:00:00, mailer=esmtp, pri=121658, relay=tomail.com.tw., dsn=5.3.5, stat=Local configuration error
> Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: m031SrMj005963: DSN: Local configuration error
> Jan  3 01:29:03 www MailScanner[26370]: Logging message m031SgPv005955 to SQL 
> Jan  3 01:29:03 www MailScanner[5971]: m031SgPv005955: Logged to MailWatch SQL 
>
>
>
> [root at www log]# grep -i 008581 maillog
> ======================================
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: from=<okorfhzoaiadke at yahoo.com>, size=6253, class=0, nrcpts=51, msgid=<CYSGRANINJSFZUJCWXBWXXN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<s6721 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<siask at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<yuan0312 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<acut at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<dzj at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<a45211 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<yshs at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<jt10 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<gl66 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
>
> ==
> =====================================================================
> =
> = "I should have listened to myself earlier..."
> =
> =====================================================================
> =  Need help with: Parking Tickets, Bailiffs, Capita or HertsGrid???
> =  Call...    +44 8457 90 90 90    http://www.samaritans.org/
> =====================================================================
>   
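The two checks this thread talks about, written out as a small triage script. This is an added example and not code from either poster: it scans an Apache access_log for proxy-style requests (an absolute `http://host:port/` target or a `CONNECT host:port`, the pattern Miguel quotes from his 2004 log), and it groups a sendmail maillog by queue id so that messages handed in over the loopback interface (`relay=localhost.localdomain [127.0.0.1]`, as in the quoted maillog) with many recipients stand out. The sample log lines are embedded below; the first access_log line and the two `from=` maillog lines are copied from the messages above, the rest are constructed.

```python
"""Log triage for the two symptoms discussed in this thread (added example).

1. Apache access_log: requests that ask Apache to act as a proxy.  A client
   talking to an origin server sends only a path ("GET /index.html"); an
   absolute URI or a CONNECT target means a proxy request, and a target on
   port 25 means someone is reaching an SMTP server through Apache.
2. sendmail maillog: envelope records grouped by queue id, flagging mail that
   was injected from 127.0.0.1 with many recipients, i.e. handed to sendmail
   by a local process rather than relayed from a remote host.
"""
import re
from collections import defaultdict

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\S+)'
)
ABS_URI_RE = re.compile(r'^https?://(?P<host>[^/:]+)(?::(?P<port>\d+))?')

MAILLOG_RE = re.compile(
    r'^\w{3}\s+\d+ [\d:]+ \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$'
)
# "key=value" pairs; angle-bracketed values (addresses, msgid) may contain commas
FIELD_RE = re.compile(r'(\w+)=(<[^>]*>|[^,]+)')

SAMPLE_ACCESS = [
    # copied from the reply above
    '168.61.4.12 - - [08/Aug/2004:16:54:45 -0300] "POST http://168.61.5.196:25/ HTTP/1.0" 200 2027',
    # constructed: ordinary request for a local page, not a proxy request
    '10.0.0.5 - - [08/Aug/2004:16:55:01 -0300] "GET /index.html HTTP/1.1" 200 512',
    # constructed: proxy request for an ordinary web site (proxying, but not SMTP)
    '10.0.0.6 - - [08/Aug/2004:16:55:10 -0300] "GET http://www.example.com/ HTTP/1.0" 200 1024',
    # constructed: CONNECT tunnel to an SMTP port, refused by the server
    '10.0.0.7 - - [08/Aug/2004:16:55:20 -0300] "CONNECT mail.example.net:25 HTTP/1.0" 403 0',
]

SAMPLE_MAILLOG = [
    # from= and one to= record of each message quoted in the original post
    'Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: from=<dwkscy at yahoo.com>, size=1658, class=0, nrcpts=1, msgid=<MESUDDUFSUEWDFVOVABXGNCN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]',
    'Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: to=<a2234455 at tomail.com.tw>, delay=00:00:02, mailer=esmtp, pri=31658, stat=queued',
    'Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: from=<okorfhzoaiadke at yahoo.com>, size=6253, class=0, nrcpts=51, msgid=<CYSGRANINJSFZUJCWXBWXXN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]',
    'Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<s6721 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued',
    # constructed: a message that arrived over the network from a named peer
    'Jan  3 02:10:00 www sendmail[9001]: m032A0Xy009001: from=<alice at example.org>, size=900, class=0, nrcpts=1, msgid=<abc at example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.10]',
]


def _proxy_target_port(method, target):
    """Port a proxy request would reach, or None for a plain-path request."""
    if method == 'CONNECT':                      # CONNECT host:port
        host, _, port = target.rpartition(':')
        return int(port) if host and port.isdigit() else None
    m = ABS_URI_RE.match(target)
    if not m:
        return None
    if m['port']:
        return int(m['port'])
    return 443 if target.startswith('https') else 80


def find_proxy_requests(lines):
    """(client, target, port, status) for every proxy-style request."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        port = _proxy_target_port(m['method'], m['target'])
        if port is not None:
            hits.append((m['client'], m['target'], port, int(m['status'])))
    return hits


def smtp_proxy_hits(lines, smtp_port=25):
    """Proxy requests aimed at an SMTP port: the pattern Miguel's log showed."""
    return [h for h in find_proxy_requests(lines) if h[2] == smtp_port]


def summarise_maillog(lines):
    """Group sendmail envelope records by queue id."""
    msgs = defaultdict(lambda: {'from': None, 'nrcpts': 0, 'relay': None, 'to': []})
    for line in lines:
        m = MAILLOG_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m['fields']))
        rec = msgs[m['qid']]
        if 'from' in fields:
            rec['from'] = fields['from'].strip('<>')
            rec['nrcpts'] = int(fields.get('nrcpts', 0))
            rec['relay'] = fields.get('relay', '').strip()
        elif 'to' in fields:
            rec['to'].append(fields['to'].strip('<>'))
    return dict(msgs)


def flag_loopback_bulk(summary, min_rcpts=10):
    """Queue ids injected via 127.0.0.1 with at least min_rcpts recipients."""
    return sorted(q for q, r in summary.items()
                  if r['relay'] and '[127.0.0.1]' in r['relay'] and r['nrcpts'] >= min_rcpts)


if __name__ == '__main__':
    for hit in smtp_proxy_hits(SAMPLE_ACCESS):
        print('SMTP via proxy:', hit)
    for qid in flag_loopback_bulk(summarise_maillog(SAMPLE_MAILLOG)):
        print('bulk mail injected from loopback:', qid)
```

Run against real files with `find_proxy_requests(open('/var/log/httpd/access_log'))` and `summarise_maillog(open('/var/log/maillog'))`; a loopback relay only says that a process on the same host submitted the mail, so the flagged queue ids are the starting point for finding which local service (a proxy, a web form, a script) did the submitting.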
