On Wed, 2011-07-27 at 23:21 +0200, Jeroen Geilman wrote:
> On 2011-07-27 23:10, Julian Opificius wrote:
> > When I connect to my Postfix server using ssh from a remote location,
> > postings show up as something like (suitably modified for security):
> >
> > Jul 27 15:50:35 winston postfix/smtpd[28303]: connect from localhost[127.0.0.1]
> > Jul 27 15:50:36 winston postfix/smtpd[28303]: 57A5A220BA: client=localhost[127.0.0.1]
> > Jul 27 15:50:36 winston postfix/cleanup[28315]: 57A5A220BA: message-id=<1311799778.2531.33.camel@progbox>
> > Jul 27 15:50:36 winston postfix/qmgr[3964]: 57A5A220BA: from=<jo397...@example1.com>, size=517, nrcpt=1 (queue active)
> > Jul 27 15:50:37 winston postfix/smtpd[28303]: disconnect from localhost[127.0.0.1]
> > Jul 27 15:50:37 winston postfix/smtp[28319]: 57A5A220BA: to=<j_opific...@example2.org>, relay=mail.example2.org[aaa.bb.cc.ddd]:25, delay=1.7, delays=0.53/0.04/0.67/0.45, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D5F07162B43)
> > Jul 27 15:50:37 winston postfix/qmgr[3964]: 57A5A220BA: removed
> >
> > All that is good, works fine.
> >
> > The point to note is the:
> >
> > "connect from localhost[127.0.0.1]" part.
> >
> > Is there any other legitimate situation in which "connect from
> > localhost[127.0.0.1]" is legitimate? I suspect my system is compromised
> > (as opposed to my simply not having appropriate spam protections, etc. in
> > place).
> >
> > Here's an example of a "connect from localhost..." that I cannot justify
> > or explain:
> >
> > Jul 27 15:46:54 winston postfix/smtpd[28230]: connect from localhost[127.0.0.1]
> > Jul 27 15:46:54 winston postfix/smtpd[28230]: warning: Illegal address syntax from localhost[127.0.0.1] in MAIL command: <anntaylorloft@mhttps://app.cheetahmail.com/m/mailers/mailinail.anntaylorloft.com>
> > Jul 27 15:46:55 winston postfix/smtpd[28230]: disconnect from localhost[127.0.0.1]
>
> SENDING SMTP mail to port 25 is not a privileged operation, so it could
> be any user on the system running any kind of malware.
>
> That said, it is most often HTTP+PHP and/or FTP accounts that are
> exploited to upload malicious code and run it locally; check your system
> and daemon logs carefully!
>
> For example, exploited apache/PHP apps often leave tracks of executed
> code in the apache error log (because they just don't care, and that's
> where stdout goes) - that might give you a hint.
>
> On the other hand, if somebody compromised the system via SSH you should
> audit the auth log for break-in attempts.
>
> I would strongly advise you to disconnect this system from the internet
> until you can verify that you're not sending out spam - or worse.
>
> > I confess I'm running Suse 9.1 and Postfix 2.5.5, so I'm looking for a
> > justification to tear the system down and rebuild from scratch (as if I
> > needed it), but a compromised system is much more serious.

Thanks, that's just the guidance I needed. I'm shutting the system down
now until I can get to the bottom of this. Thanks also to Wietse - per
your recommendation I'll look into web logs too.

Going down for repairs :-(

J.
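The practical follow-up to the advice in this thread is to pull every loopback smtpd session out of the mail log and see which ones cannot be matched to a known local sender, then line their timestamps up against the apache error log and the auth log. The script below is an added example, not code from the thread or from Postfix: it groups smtpd lines into connect/disconnect sessions per process ID and reports loopback sessions that logged a warning (such as the "Illegal address syntax" line quoted above), were rejected, or never had a message accepted. It assumes the Postfix 2.x syslog format shown in the thread ("<timestamp> <host> postfix/smtpd[<pid>]: <message>"). The sample log is constructed for the example, modelled on the quoted lines; the third session, an external client being rejected, is made up to show that non-loopback sessions are left alone.

```python
#!/usr/bin/env python3
"""Flag unexplained loopback SMTP sessions in a Postfix mail log.

Added example, not code from the thread or from Postfix. Assumes the
Postfix 2.x syslog format: "<timestamp> <host> postfix/smtpd[<pid>]: <msg>".
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample modelled on the thread's quoted lines (not a real log).
# The third session, an external client being rejected, is made up to show
# that only loopback sessions are reported.
SAMPLE_LOG = """\
Jul 27 15:46:54 winston postfix/smtpd[28230]: connect from localhost[127.0.0.1]
Jul 27 15:46:54 winston postfix/smtpd[28230]: warning: Illegal address syntax from localhost[127.0.0.1] in MAIL command: <anntaylorloft@mhttps://app.cheetahmail.com/m/mailers/mailinail.anntaylorloft.com>
Jul 27 15:46:55 winston postfix/smtpd[28230]: disconnect from localhost[127.0.0.1]
Jul 27 15:50:35 winston postfix/smtpd[28303]: connect from localhost[127.0.0.1]
Jul 27 15:50:36 winston postfix/smtpd[28303]: 57A5A220BA: client=localhost[127.0.0.1]
Jul 27 15:50:36 winston postfix/cleanup[28315]: 57A5A220BA: message-id=<1311799778.2531.33.camel@progbox>
Jul 27 15:50:37 winston postfix/smtpd[28303]: disconnect from localhost[127.0.0.1]
Jul 27 15:51:02 winston postfix/smtpd[28303]: connect from mail.example2.org[192.0.2.10]
Jul 27 15:51:03 winston postfix/smtpd[28303]: NOQUEUE: reject: RCPT from mail.example2.org[192.0.2.10]: 554 5.7.1 Relay access denied
Jul 27 15:51:03 winston postfix/smtpd[28303]: disconnect from mail.example2.org[192.0.2.10]
"""

# One syslog line: timestamp, host, postfix daemon name, pid, free-text message.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'postfix/(?P<prog>[\w/-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
CONNECT_RE = re.compile(r'^connect from (?P<client>\S+)$')
# No trailing anchor: newer Postfix releases append "ehlo=1 mail=1 ..." counters.
DISCONNECT_RE = re.compile(r'^disconnect from (?P<client>\S+)')
# "<queue id>: client=<host>[<ip>]" is logged once smtpd has accepted a message.
QUEUED_RE = re.compile(r'^(?P<qid>[0-9A-F]+): client=(?P<client>\S+)')


@dataclass
class Session:
    pid: str
    client: str
    start: str
    end: str = ''
    queue_ids: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    rejects: list = field(default_factory=list)


def smtpd_sessions(lines):
    """Group smtpd lines into sessions; each smtpd pid serves one client at a time."""
    open_by_pid = {}
    done = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group('prog').endswith('smtpd'):
            continue
        pid, ts, msg = m.group('pid'), m.group('ts'), m.group('msg')
        c = CONNECT_RE.match(msg)
        if c:
            open_by_pid[pid] = Session(pid=pid, client=c.group('client'), start=ts)
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue  # the connect line is outside the window we were given
        if DISCONNECT_RE.match(msg):
            s.end = ts
            done.append(open_by_pid.pop(pid))
        elif msg.startswith('warning:'):
            s.warnings.append(msg)
        elif msg.startswith('NOQUEUE: reject'):
            s.rejects.append(msg)
        else:
            q = QUEUED_RE.match(msg)
            if q:
                s.queue_ids.append(q.group('qid'))
    done.extend(open_by_pid.values())  # sessions still open at end of log
    return done


def is_loopback(client):
    """True for the client strings Postfix logs for 127.0.0.1 and ::1."""
    return client.endswith('[127.0.0.1]') or client.endswith('[::1]')


def suspicious_loopback_sessions(lines):
    """Loopback sessions with a warning, a reject, or no accepted message."""
    return [s for s in smtpd_sessions(lines)
            if is_loopback(s.client) and (s.warnings or s.rejects or not s.queue_ids)]


def report(sessions):
    """One line per session: time span, pid, client and why it was flagged."""
    out = []
    for s in sessions:
        why = []
        if s.warnings:
            why.append('%d warning(s)' % len(s.warnings))
        if s.rejects:
            why.append('%d reject(s)' % len(s.rejects))
        if not s.queue_ids:
            why.append('no message accepted')
        out.append('%s..%s smtpd[%s] %s: %s' % (s.start, s.end or '?', s.pid,
                                                  s.client, ', '.join(why)))
    return out


def main(argv):
    # Pass the mail log path (on SuSE typically /var/log/mail, an assumption);
    # with no argument the constructed sample is scanned.
    if len(argv) > 1:
        with open(argv[1], errors='replace') as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for line in report(suspicious_loopback_sessions(lines)):
        print(line)


if __name__ == '__main__':
    main(sys.argv)
```

On the sample this prints only the 15:46:54 session on smtpd[28230]; the 15:50:35 session that queued 57A5A220BA is the poster's own legitimate ssh-session mail and is not reported. Against a real log, the timestamps of the flagged sessions are what to search for in the apache error log and the auth log, as the reply suggests. A loopback session that did get a queue ID is not automatically clean; for those, the matching qmgr "from=<...>" line tells you which local sender address the message claimed.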