Fresh installation used as a SPAM relay?

Hello,

My French is not very good... but I will try, because I have a problem with my server.

I installed yunohost yesterday - with one user (YHUSER) and the Transmission app.
But the internet connection was cut off at 3:00.

Is it possible that my server was used for sending SPAM mail?

There is a series of connection attempts (mail.log)

Feb  8 19:44:48 MYSERVER postfix/smtpd[24246]: connect from wsip-24-234-54-82.lv.lv.cox.net[24.234.54.82]
Feb  8 19:44:49 MYSERVER postfix/smtpd[24246]: disconnect from wsip-24-234-54-82.lv.lv.cox.net[24.234.54.82]
Feb  8 19:45:37 MYSERVER postfix/master[14149]: terminating on signal 15
Feb  8 19:45:38 MYSERVER postfix/master[25578]: daemon started -- version 2.11.3, configuration /etc/postfix
Feb  8 19:45:38 MYSERVER dovecot: master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
...
Feb  8 23:48:13 MYSERVER rmilter[26724]: <f7b3229704>; accepted connection from MYDOMAIN.LTD; client: 113.64.235.50:2375 ([113.64.235.50])
Feb  8 23:48:15 MYSERVER postfix/smtpd[29132]: warning: Illegal address syntax from unknown[113.64.235.50] in MAIL command: xo@ore.net
Feb  8 23:48:15 MYSERVER postfix/smtpd[29132]: lost connection after MAIL from unknown[113.64.235.50]
Feb  8 23:48:15 MYSERVER postfix/smtpd[29132]: disconnect from unknown[113.64.235.50]
Feb  8 23:48:16 MYSERVER postfix/smtpd[29132]: connect from unknown[113.64.235.50]
Feb  8 23:48:16 MYSERVER rmilter[26724]: <0d1e40c3d8>; accepted connection from MYDOMAIN.LTD; client: 113.64.235.50:3400 ([113.64.235.50])
Feb  8 23:48:18 MYSERVER postfix/smtpd[29132]: lost connection after AUTH from unknown[113.64.235.50]
Feb  8 23:48:18 MYSERVER postfix/smtpd[29132]: disconnect from unknown[113.64.235.50]
Feb  8 23:48:18 MYSERVER postfix/smtpd[29132]: connect from unknown[113.64.235.50]

(mail.warn)

Feb  8 19:58:19 MYSERVER dovecot: log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Feb  8 23:48:15 MYSERVER postfix/smtpd[29132]: warning: Illegal address syntax from unknown[113.64.235.50] in MAIL command: xo@ore.net

Is it normal for a YHUSER to run as root? (auth.log)

Feb  8 19:57:45 MYSERVER sudo:    admin : TTY=unknown ; PWD=/var/cache/yunohost/from_file/transmission_ynh-53248789250980/scrip$
Feb  8 19:57:45 MYSERVER sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb  8 19:57:45 MYSERVER sudo: pam_unix(sudo:session): session closed for user root
Feb  8 19:57:45 MYSERVER sudo: pam_unix(sudo:session): session closed for user admin
Feb  8 20:01:13 MYSERVER su[28782]: Successful su for YHUSER by root
Feb  8 20:01:13 MYSERVER su[28782]: + ??? root:YHUSER
Feb  8 20:01:13 MYSERVER su[28782]: pam_unix(su:session): session opened for user YHUSER by (uid=0)
Feb  8 20:01:13 MYSERVER su[28782]: pam_unix(su:session): session closed for user YHUSER
Feb  8 20:09:01 MYSERVER CRON[28792]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  8 20:09:01 MYSERVER CRON[28792]: pam_unix(cron:session): session closed for user root

The syslog shows a lot of postfix activity

Feb  8 23:48:18 MYSERVER postfix/smtpd[29132]: connect from unknown[113.64.235.50]
Feb  8 23:48:18 MYSERVER rmilter[26724]: <3a4a60fb43>; accepted connection from MYDOMAIN.LTD; client: 113.64.235.50:2201 ([113.64.235.50])
Feb  8 23:48:20 MYSERVER postfix/smtpd[29132]: lost connection after AUTH from unknown[113.64.235.50]
Feb  8 23:48:20 MYSERVER postfix/smtpd[29132]: disconnect from unknown[113.64.235.50]

Hello Kamaluk

I’m sorry but I don’t have any answer for your problem.
I just want to tell you it’s not necessary to write in French on this forum. You can use English if it’s easier for you.

And I’m very interested in your problem, because I also have many strange log entries related to mail, and I’m not able to decipher them.

Hello,

Regarding this part, I’ve done some research recently and it appears that this is very likely a scanning tool that just looks whether this port is open; it only connects/disconnects and doesn’t do anything. I’ve found replies on stackoverflow from people saying it’s “classical” to have this kind of activity in your logs.

A more traditional postfix log would have been way more verbose talking about successful authentication.

So, I think you don’t have to worry.

When you see cron:session it’s simply a crontab script that has run (crontab is software that launches operations periodically).

1 Like
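A small triage script, added here as an example (it is not code from the thread or from YunoHost), that sorts smtpd lines like the ones quoted above by client address: connect/disconnect only, AUTH or MAIL attempts that never got anywhere, and sessions that actually authenticated, which is the line a real relay abuse would leave behind. The sample log is constructed with placeholder hostnames and IPs; the `sasl_username=` check assumes Postfix logs that field on the queue-ID line of an authenticated session.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's mail.log excerpt; hosts and
# IPs are documentation placeholders, not values from the original post.
SAMPLE_LOG = """\
Feb  8 19:44:48 MYSERVER postfix/smtpd[24246]: connect from scan.example[192.0.2.10]
Feb  8 19:44:49 MYSERVER postfix/smtpd[24246]: disconnect from scan.example[192.0.2.10]
Feb  8 23:48:15 MYSERVER postfix/smtpd[29132]: warning: Illegal address syntax from unknown[198.51.100.7] in MAIL command: x@example
Feb  8 23:48:15 MYSERVER postfix/smtpd[29132]: lost connection after MAIL from unknown[198.51.100.7]
Feb  8 23:48:16 MYSERVER postfix/smtpd[29132]: connect from unknown[198.51.100.7]
Feb  8 23:48:18 MYSERVER postfix/smtpd[29132]: lost connection after AUTH from unknown[198.51.100.7]
Feb  8 23:48:18 MYSERVER postfix/smtpd[29132]: disconnect from unknown[198.51.100.7]
Feb  8 23:50:01 MYSERVER postfix/smtpd[29140]: connect from unknown[203.0.113.9]
Feb  8 23:50:02 MYSERVER postfix/smtpd[29140]: 7F3A2B1C9D: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=yhuser
"""

CLIENT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
COUNTERS = ("connect", "disconnect", "auth_abandoned", "bad_syntax", "auth_ok")

def triage(log_text):
    """Count, per client IP, the smtpd events that tell scanning apart from a real login."""
    stats = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for line in log_text.splitlines():
        if "postfix/smtpd" not in line:
            continue
        m = CLIENT_RE.search(line)
        if not m:
            continue
        s = stats[m.group(1)]
        if ": connect from" in line:                 # a new SMTP session was opened
            s["connect"] += 1
        elif ": disconnect from" in line:            # ...and closed again
            s["disconnect"] += 1
        elif "lost connection after AUTH" in line:   # client sent AUTH, then hung up
            s["auth_abandoned"] += 1
        elif "Illegal address syntax" in line:       # malformed MAIL FROM, rejected
            s["bad_syntax"] += 1
        elif "sasl_username=" in line:               # logged with the queue ID only when the session authenticated
            s["auth_ok"] += 1
    return stats

def verdict(s):
    """Relay abuse needs a successful login; everything else is noise or a failed attempt."""
    if s["auth_ok"]:
        return "authenticated"     # check what this client then sent (queue IDs, recipients)
    if s["auth_abandoned"] or s["bad_syntax"]:
        return "failed-attempt"    # AUTH/MAIL probing that never got past the greeting
    return "scan"                  # connect/disconnect only, the pattern in the thread
```

Run `triage(open("/var/log/mail.log").read())` and print `verdict(s)` for each client to get the same split on a real log; only "authenticated" clients deserve a closer look at the queue-ID lines that follow.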