On 19/10/2020 20:50, Rich Wales wrote:
> John Fawcett wrote:
>
>> One thing I would suggest looking at is if there is a web server running
>> on the same host, it may be allowing email to be injected into postfix
>> via smtp on the loopback interface using some scripting language like
>> php or others.
> I suppose that's possible.
>
> I spent some time last night cleaning up old stuff from the server in
> question -- and also rebooting the box for good measure -- so the
> problem *might* just go away at this point.
>
> Before I can say anything more about this, unfortunately, I'll probably
> need to wait for another incident similar to the preceding ones, and try
> to capture more evidence while the problem is ongoing. If it never
> happens again, then maybe it was the fault of an old PHP web page which
> I have removed.
>
> If the problem were in fact due to a hijacked PHP page, btw, would this
> necessarily require the page to be using e-mail or TCP connections
> already for its own legitimate purposes, but being co-opted by a hacker
> to nefarious ends? Or could *any* PHP script theoretically be infected
> in a way that would cause this misbehaviour?
>
> Rich Wales
> ri...@richw.org
Sorry not to be able to give a definitive answer.

Typical mail injection via php will use a script that already calls the php mail function or similar functions that open the smtp connection. But there are other attack vectors that are possible that allow hackers to gain the privileges of the web server user. The web server user is often allowed to inject mail to localhost without any authentication (under the permit_mynetworks syntax in postfix main.cf).

John
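The two local injection paths John describes leave different traces in the Postfix log: mail accepted by smtpd over the loopback interface is logged with `client=localhost[127.0.0.1]` and no submitting uid, while mail handed to the sendmail(1) binary (what php mail() normally does) goes through pickup, which logs the `uid=` of the submitting process. The following added example (not code from the thread or from Postfix) classifies queued messages by that path over a constructed sample of Postfix syslog lines and flags bulk senders coming in over loopback, which is the evidence-gathering Rich mentions wanting to do while an incident is ongoing.

```python
import re
from collections import defaultdict

# Constructed sample Postfix log lines (not real traffic). Hostnames and
# addresses are placeholders.
SAMPLE_LOG = """\
Oct 19 20:50:01 mx postfix/smtpd[1201]: connect from localhost[127.0.0.1]
Oct 19 20:50:01 mx postfix/smtpd[1201]: 4F1A2B3C4D: client=localhost[127.0.0.1]
Oct 19 20:50:01 mx postfix/qmgr[1100]: 4F1A2B3C4D: from=<news@example.invalid>, size=2310, nrcpt=40 (queue active)
Oct 19 20:50:02 mx postfix/smtpd[1201]: 5A6B7C8D9E: client=localhost[127.0.0.1]
Oct 19 20:50:02 mx postfix/qmgr[1100]: 5A6B7C8D9E: from=<news@example.invalid>, size=2310, nrcpt=40 (queue active)
Oct 19 20:50:03 mx postfix/pickup[1050]: 6B7C8D9E0F: uid=33 from=<www-data>
Oct 19 20:50:03 mx postfix/qmgr[1100]: 6B7C8D9E0F: from=<www-data@mx>, size=812, nrcpt=1 (queue active)
Oct 19 20:50:04 mx postfix/smtpd[1202]: 7C8D9E0F1A: client=mail.example.invalid[203.0.113.5]
Oct 19 20:50:04 mx postfix/qmgr[1100]: 7C8D9E0F1A: from=<alice@example.invalid>, size=1500, nrcpt=1 (queue active)
"""

QID = r"(?P<qid>[0-9A-Za-z]+)"
RE_SMTPD = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=(?P<client>\S+)")
RE_PICKUP = re.compile(r"postfix/pickup\[\d+\]: " + QID + r": uid=(?P<uid>\d+)")
RE_QMGR = re.compile(r"postfix/qmgr\[\d+\]: " + QID
                     + r": from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def classify_injections(log_text):
    """Map queue id -> {"path", "sender", "nrcpt", ["uid"]}.
    path: "loopback-smtp" (smtpd, client on 127.x/::1, i.e. the permit_mynetworks
    case), "local-pickup" (sendmail(1) submission, uid known) or "remote-smtp"."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        if m := RE_SMTPD.search(line):
            local = "[127." in m["client"] or "[::1]" in m["client"]
            msgs[m["qid"]]["path"] = "loopback-smtp" if local else "remote-smtp"
        elif m := RE_PICKUP.search(line):
            msgs[m["qid"]]["path"] = "local-pickup"
            msgs[m["qid"]]["uid"] = int(m["uid"])  # which local user submitted it
        elif m := RE_QMGR.search(line):
            msgs[m["qid"]]["sender"] = m["sender"]
            msgs[m["qid"]]["nrcpt"] = int(m["nrcpt"])
    return dict(msgs)

def loopback_bulk_senders(log_text, min_rcpts=20):
    """Total recipients per envelope sender for loopback-SMTP injections only;
    return those at or above min_rcpts. Legitimate loopback senders (cron,
    monitoring) are normally low-volume, so high totals deserve a look."""
    totals = defaultdict(int)
    for info in classify_injections(log_text).values():
        if info.get("path") == "loopback-smtp" and "sender" in info:
            totals[info["sender"]] += info["nrcpt"]
    return {s: n for s, n in totals.items() if n >= min_rcpts}
```

Pickup-path messages carry a uid, so they can be traced to a user; loopback-SMTP messages cannot, which is why the web server's unauthenticated access under permit_mynetworks is worth restricting.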