Hey,
I set up a fresh install of YunoHost yesterday, with one user and Transmission installed, and my provider shut it down around 3:00 after some weird network activity (online.net).
Is it possible that my server was used as a mail proxy? For spam or something?
Around 19:44 some weird login attempts show up in the mail.log:
Feb 8 19:44:48 MYSERVER postfix/smtpd[24246]: connect from wsip-24-234-54-82.lv.lv.cox.net[24.234.54.82]
Feb 8 19:44:49 MYSERVER postfix/smtpd[24246]: disconnect from wsip-24-234-54-82.lv.lv.cox.net[24.234.54.82]
Feb 8 19:45:37 MYSERVER postfix/master[14149]: terminating on signal 15
Feb 8 19:45:38 MYSERVER postfix/master[25578]: daemon started -- version 2.11.3, configuration /etc/postfix
Feb 8 19:45:38 MYSERVER dovecot: master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
...
Feb 8 23:48:13 MYSERVER rmilter[26724]: <f7b3229704>; accepted connection from MYDOMAIN.LTD; client: 113.64.235.50:2375 ([113.64.235.50])
Feb 8 23:48:15 MYSERVER postfix/smtpd[29132]: warning: Illegal address syntax from unknown[113.64.235.50] in MAIL command: xo@ore.net
Feb 8 23:48:15 MYSERVER postfix/smtpd[29132]: lost connection after MAIL from unknown[113.64.235.50]
Feb 8 23:48:15 MYSERVER postfix/smtpd[29132]: disconnect from unknown[113.64.235.50]
Feb 8 23:48:16 MYSERVER postfix/smtpd[29132]: connect from unknown[113.64.235.50]
Feb 8 23:48:16 MYSERVER rmilter[26724]: <0d1e40c3d8>; accepted connection from MYDOMAIN.LTD; client: 113.64.235.50:3400 ([113.64.235.50])
Feb 8 23:48:18 MYSERVER postfix/smtpd[29132]: lost connection after AUTH from unknown[113.64.235.50]
Feb 8 23:48:18 MYSERVER postfix/smtpd[29132]: disconnect from unknown[113.64.235.50]
Feb 8 23:48:18 MYSERVER postfix/smtpd[29132]: connect from unknown[113.64.235.50]
And close to midnight the server seems to get a mail? (from the mail.warn)
Feb 8 19:58:19 MYSERVER dovecot: log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Feb 8 23:48:15 MYSERVER postfix/smtpd[29132]: warning: Illegal address syntax from unknown[113.64.235.50] in MAIL command: xo@ore.net
The auth.log shows some root activity by the user I added through the admin interface on YunoHost, but maybe that is normal for the user?
Feb 8 19:57:45 MYSERVER sudo: admin : TTY=unknown ; PWD=/var/cache/yunohost/from_file/transmission_ynh-53248789250980/scrip$
Feb 8 19:57:45 MYSERVER sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 8 19:57:45 MYSERVER sudo: pam_unix(sudo:session): session closed for user root
Feb 8 19:57:45 MYSERVER sudo: pam_unix(sudo:session): session closed for user admin
Feb 8 20:01:13 MYSERVER su[28782]: Successful su for YHUSER by root
Feb 8 20:01:13 MYSERVER su[28782]: + ??? root:YHUSER
Feb 8 20:01:13 MYSERVER su[28782]: pam_unix(su:session): session opened for user YHUSER by (uid=0)
Feb 8 20:01:13 MYSERVER su[28782]: pam_unix(su:session): session closed for user YHUSER
Feb 8 20:09:01 MYSERVER CRON[28792]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 8 20:09:01 MYSERVER CRON[28792]: pam_unix(cron:session): session closed for user root
The syslog has a lot of postfix activity:
Feb 8 23:48:18 MYSERVER postfix/smtpd[29132]: connect from unknown[113.64.235.50]
Feb 8 23:48:18 MYSERVER rmilter[26724]: <3a4a60fb43>; accepted connection from MYDOMAIN.LTD; client: 113.64.235.50:2201 ([113.64.235.50])
Feb 8 23:48:20 MYSERVER postfix/smtpd[29132]: lost connection after AUTH from unknown[113.64.235.50]
Feb 8 23:48:20 MYSERVER postfix/smtpd[29132]: disconnect from unknown[113.64.235.50]
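
One way to triage a mail.log like the one above, as an added example that is not part of the original post: it separates abandoned AUTH attempts, which the excerpt shows, from mail that an authenticated client actually sent out through the server. The last two sample lines are constructed, with placeholder addresses and a placeholder queue ID, and the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Lines 1-4 are copied from the post's mail.log. Lines 5-6 are CONSTRUCTED
# (placeholder IPs, domain and queue ID) to show a successful SASL login
# followed by an outbound delivery, which the post's excerpt does not contain.
SAMPLE_LOG = """\
Feb 8 23:48:15 MYSERVER postfix/smtpd[29132]: warning: Illegal address syntax from unknown[113.64.235.50] in MAIL command: xo@ore.net
Feb 8 23:48:15 MYSERVER postfix/smtpd[29132]: lost connection after MAIL from unknown[113.64.235.50]
Feb 8 23:48:18 MYSERVER postfix/smtpd[29132]: lost connection after AUTH from unknown[113.64.235.50]
Feb 8 23:48:20 MYSERVER postfix/smtpd[29132]: lost connection after AUTH from unknown[113.64.235.50]
Feb 8 23:50:01 MYSERVER postfix/smtpd[29200]: 4F1A2B3C4D: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=YHUSER
Feb 8 23:50:02 MYSERVER postfix/smtp[29201]: 4F1A2B3C4D: to=<someone@example.org>, relay=mx.example.org[198.51.100.9]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# smtpd = inbound server side; smtp = outbound client side.
AUTH_PROBE = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after AUTH from \S*\[([^\]]+)\]")
SASL_OK = re.compile(
    r"postfix/smtpd\[\d+\]: (\w+): client=\S*\[([^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(\S+)")
SENT = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<.*status=sent")


def triage(log_text):
    """Summarise AUTH probes, successful logins and authenticated relays."""
    probes, logins, sent = Counter(), {}, set()
    for line in log_text.splitlines():
        if m := AUTH_PROBE.search(line):
            probes[m.group(1)] += 1            # client gave up during AUTH
        elif m := SASL_OK.search(line):
            # queue ID -> (client IP, account that authenticated)
            logins[m.group(1)] = (m.group(2), m.group(3))
        elif m := SENT.search(line):
            sent.add(m.group(1))               # queue ID delivered outbound
    # A queue ID that was both authenticated and delivered outbound is mail
    # that went out through the server on behalf of a logged-in client.
    relayed = {qid: who for qid, who in logins.items() if qid in sent}
    return {"auth_probes": dict(probes), "logins": logins, "relayed": relayed}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```
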