On Sun, Apr 24, 2022 at 01:19:49PM +0200, Michael Grimm wrote:

> This time the maillog files are unedited (besides my local hostnames),
> thus showing the real IPs. Some do resolve, some not.
> 
> I reported in my first post that all those 'signal 11' events were
> headed by 'BARE NEWLINE' entries.  Today, while editing these files, I
> ran over a different pattern triggering 'signal 11' without a heading
> 'BARE NEWLINE' entries.
> 
> Two entries with 'mstshash=Domain' PREGREET patterns:
> 
> Apr 19 03:49:08 <mail.info> mx2.lan postfix/postscreen[17604]: CONNECT from 
> [94.232.41.27]:48273 to [10.1.1.1]:25
> Apr 19 03:49:08 <mail.info> mx2.lan postfix/postscreen[17604]: PREGREET 44 
> after 0 from [94.232.41.27]:48273: 
> \003\000\000,'\340\000\000\000\000\000Cookie: 
> mstshash=Domain\r\n\001\000\b\000\003\000\000\000
> Apr 19 03:49:08 <mail.info> mx2.lan postfix/postscreen[17604]: CONNECT from 
> [94.232.41.27]:48397 to [10.1.1.1]:25
> Apr 19 03:49:08 <mail.info> mx2.lan postfix/postscreen[17604]: PREGREET 44 
> after 0 from [94.232.41.27]:48397: 
> \003\000\000,'\340\000\000\000\000\000Cookie: 
> mstshash=Domain\r\n\001\000\b\000\003\000\000\000
> Apr 19 03:49:08 <mail.warn> mx2.lan postfix/master[7359]: warning: process 
> /usr/local/libexec/postfix/postscreen pid 17604 killed by signal 11

These are Microsoft RDP packets, from an IP address in Moscow.

    inetnum:        94.232.40.0 - 94.232.47.255
    country:        RU
    org:            ORG-DP125-RIPE
    source:         RIPE

    organisation:   ORG-DP125-RIPE
    org-name:       Dmitriy Panchenko
    org-type:       OTHER
    address:        Shirokaya street 1, bld. 4, apt. 15
    address:        127282, Moscow, Russian Federation

Looks like some machines on this network are part of a botnet...

> Mar 25 03:43:17 <mail.info> mx2.lan postfix/postscreen[5463]: CONNECT from 
> [89.248.165.24]:61384 to [10.1.1.1]:25
> Mar 25 03:43:17 <mail.info> mx2.lan postfix/postscreen[5463]: PREGREET 47 
> after 0 from [89.248.165.24]:61384: 
> \003\000\000/*\340\000\000\000\000\000Cookie: 
> mstshash=Administr\r\n\001\000\b\000\003\000\000\000
> Mar 25 03:43:17 <mail.warn> mx2.lan postfix/master[2645]: warning: process 
> /usr/local/libexec/postfix/postscreen pid 5463 killed by signal 11
> 
> No idea what is going on here.

Is this with UTF8 enabled or disabled?

-- 
    Viktor.
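Added example (Python, not code from this thread or from Postfix) that decodes the escaped PREGREET text above back into bytes, checks it for the TPKT + X.224 Connection Request carrying an "mstshash" cookie that RDP clients send, and pairs each match with a later "killed by signal" line for the same postscreen pid. The EHLO line and the 192.0.2.10 address are constructed; the unescaping assumes the \ooo octal and C-style escapes seen in the quoted lines.

```python
import re

# Postfix logs pre-greeting bytes with non-printables as \ooo plus C escapes (\r \n \b ...).
_ESC = re.compile(r"\\(?:([0-7]{1,3})|([rnbtfv\\]))")
_CTRL = {"r": 13, "n": 10, "b": 8, "t": 9, "f": 12, "v": 11, "\\": 92}

def unescape_postfix(text: str) -> bytes:
    """Undo Postfix's log escaping to recover the raw bytes the client sent."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8) if m.group(1) else _CTRL[m.group(2)])
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def rdp_cookie(payload: bytes):
    """mstshash cookie if payload is a TPKT + X.224 Connection Request with an RDP cookie, else None."""
    if len(payload) < 11 or payload[0] != 3 or payload[1] != 0:
        return None                                  # TPKT header: version 3, reserved 0
    tpkt_len = int.from_bytes(payload[2:4], "big")   # TPKT length covers the whole PDU
    li, code = payload[4], payload[5]                # X.224: length indicator, TPDU code (0xE0 = CR)
    if tpkt_len != len(payload) or li != len(payload) - 5 or code & 0xF0 != 0xE0:
        return None
    m = re.search(rb"Cookie: mstshash=([^\r\n]*)\r\n", payload[11:])  # skip dst-ref, src-ref, class
    return m.group(1).decode("ascii", "replace") if m else None

_PREGREET = re.compile(r"postscreen\[(\d+)\]: PREGREET (\d+) after \S+ from \[([^\]]+)\]:\d+: (.*)$")
_KILLED = re.compile(r"postscreen pid (\d+) killed by signal \d+")

def rdp_probes(lines):
    """Yield (client_ip, cookie, crashed) for each PREGREET that is really an RDP request;
    crashed is True when a 'killed by signal' line names the same postscreen pid."""
    killed = {m.group(1) for line in lines if (m := _KILLED.search(line))}
    for line in lines:
        if not (m := _PREGREET.search(line)):
            continue
        pid, declared_len, ip, escaped = m.groups()
        payload = unescape_postfix(escaped)
        cookie = rdp_cookie(payload) if len(payload) == int(declared_len) else None
        if cookie is not None:
            yield ip, cookie, pid in killed

# Sample log: the quoted lines rejoined onto single lines (the Mar 25 'killed' line left out so
# one match shows as non-crashing) plus a constructed ordinary SMTP pre-greeting from 192.0.2.10.
LOG = [
    r"Apr 19 03:49:08 <mail.info> mx2.lan postfix/postscreen[17604]: PREGREET 44 after 0 from [94.232.41.27]:48273: \003\000\000,'\340\000\000\000\000\000Cookie: mstshash=Domain\r\n\001\000\b\000\003\000\000\000",
    r"Apr 19 03:49:08 <mail.warn> mx2.lan postfix/master[7359]: warning: process /usr/local/libexec/postfix/postscreen pid 17604 killed by signal 11",
    r"Mar 25 03:43:17 <mail.info> mx2.lan postfix/postscreen[5463]: PREGREET 47 after 0 from [89.248.165.24]:61384: \003\000\000/*\340\000\000\000\000\000Cookie: mstshash=Administr\r\n\001\000\b\000\003\000\000\000",
    r"Apr 19 04:00:00 <mail.info> mx2.lan postfix/postscreen[17700]: PREGREET 11 after 0 from [192.0.2.10]:40000: EHLO mail\r\n",
]
```

The TPKT length and the X.224 length indicator both have to agree with the logged PREGREET byte count, which is how the 44- and 47-byte entries above check out as well-formed RDP connection requests rather than random garbage.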
