My sendmail started sending spam; what is causing it to do that? [closed]

3

Today, my sendmail service started sending emails to various addresses.

/var/spool/mail:

From [email protected]  Fri Jan 30 22:15:30 2015
Return-Path: <[email protected]>
Received: from localhost (localhost)
    by noxcommunity.com (8.13.8/8.13.8) id t0ULFUje031918;
    Fri, 30 Jan 2015 22:15:30 +0100
Date: Fri, 30 Jan 2015 22:15:30 +0100
From: Mail Delivery Subsystem <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="t0ULFUje031918.1422652530/noxcommunity.com"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--t0ULFUje031918.1422652530/noxcommunity.com

The original message was received at Fri, 30 Jan 2015 22:15:30 +0100
from localhost.localdomain [127.0.0.1]
with id t0ULFUje031916

   ----- The following addresses had permanent fatal errors -----
<s@s>
    (reason: 550 Host unknown)

   ----- Transcript of session follows -----
550 5.1.2 <s@s>... Host unknown (Name server: s: host not found)
550 5.1.1 <[email protected]>... User unknown

--t0ULFUje031918.1422652530/noxcommunity.com
Content-Type: message/delivery-status

Reporting-MTA: dns; noxcommunity.com
Received-From-MTA: DNS; localhost.localdomain
Arrival-Date: Fri, 30 Jan 2015 22:15:30 +0100

Final-Recipient: RFC822; s@s
Action: failed
Status: 5.1.2
Remote-MTA: DNS; s
Diagnostic-Code: SMTP; 550 Host unknown
Last-Attempt-Date: Fri, 30 Jan 2015 22:15:30 +0100

--t0ULFUje031918.1422652530/noxcommunity.com
Content-Type: message/rfc822

Return-Path: <[email protected]>
Received: from noxcommunity.com (localhost.localdomain [127.0.0.1])
    by noxcommunity.com (8.13.8/8.13.8) with ESMTP id t0ULFUje031916
    for <s@s>; Fri, 30 Jan 2015 22:15:30 +0100
Received: (from root@localhost)
    by noxcommunity.com (8.13.8/8.13.8/Submit) id t0ULFUNT031915;
    Fri, 30 Jan 2015 22:15:30 +0100
Date: Fri, 30 Jan 2015 22:15:30 +0100
Message-Id: <[email protected]>
To: s@s
Subject: Facebook
X-PHP-Originating-Script: 0:eb.php
From: "[email protected]" <[email protected]>
Content-Type: text/html

<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
<meta http-equiv="Content-Type" content="text/html; charset=unicode">
<meta name="Generator" content="Microsoft SafeHTML"><title>Message body</title><bgsound src="http://email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f&amp;s=a"></bgsound><tablewidth="98%" border="0" cellspacing="0" cellpadding="40"><tbody><tr><td bgcolor="#f7f7f7" width="100%" style="font-family:'lucida grande', tahoma, verdana, arial, sans-serif"><table cellpadding="0" cellspacing="0" border="0" width="620"><tbody><tr><td style="background:#3b5998;color:#FFFFFF;font-weight:bold;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 8px;vertical-align:middle;font-size:16px;letter-spacing:-0.03em;text-align:left"><a style="color:#FFFFFF;text-decoration:none" href="http://goo.gl/QdWtIJ" target="_blank"><span style="color:#FFFFFF">facebook</span></a></td><td style="background:#3b5998;color:#FFFFFF;font-weight:bold;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 8px;vertical-align:middle;font-size:11px;text-align:right"></td></tr><tr><td colspan="2" style="background-color:#FFFFFF;border-bottom:1px solid #3b5998;border-left:1px solid #CCCCCC;border-right:1px solid #CCCCCC;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:15px" valign="top"><table width="100%"><tbody><tr><td width="470px" style="font-size:12px" valign="top" align="left"><div style="margin-bottom:15px;font-size:12px"></div><div style="margin-bottom:15px"><span style="color:#111111;font-size:14px;font-weight:bold;">A friend tagged you in a photo</span></div><div style="margin-bottom:15px"><div style="border-bottom:1px solid #ccc;line-height:5px">&nbsp;</div><br><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="padding:5px"></td></tr><tr><td width="150" style="font-size:11px;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:0px 5px 10px 0px"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td valign="top" style="padding-right:5px"><a 
href="http://goo.gl/QdWtIJ" style="col!
 or:#3b59
98;text-decoration:none" target="_blank"><img style="border:0px none" alt="Chris Thomas" src="https://fbstatic-a.akamaihd.net/rsrc.php/v2/yo/r/UlIqmHJn-SK.gif"width="50" height="50"></a></td><td valign="top"><span style="font-size:11px;color:#999;padding:0px 0px 10px 0px"><span style="font-size:11px;color:#3B5998;font-weight:bold"><a href="http://goo.gl/QdWtIJ" style="color:#3B5998;text-decoration:none;font-size:11px" target="_blank">Chris Thomas</a></span><br></span></td></tr></tbody></table></td></tr></tbody></table><div style="border-bottom:1px solid #ccc;line-height:5px">&nbsp;</div><br></div><div style="margin-bottom:15px">Thanks,<br>
The Facebook Team</div></td><td valign="top" width="150" style="padding-left:15px" align="left"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="padding:10px;background-color:#fff9d7;border-left:1px solid #e2c822;border-right:1px solid #e2c822;border-top:1px solid #e2c822;border-bottom:1px solid #e2c822"><div style="margin-bottom:15px;font-size:12px"></div><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="border-width:1px;border-style:solid;border-color:#3b6e22 #3b6e22 #2c5115;background-color:#69a74e"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="font-size:11px;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 10px 5px;border-top:1px solid #95bf82"><a href="http://goo.gl/QdWtIJ" style="color:#fff;text-decoration:none;font-weight:bold;font-size:13px" target="_blank">View photo</a></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table><br><table cellspacing="0" cellpadding="0" style="border-collapse:collapse;width:100%"><tbody><tr><td style="padding:10px;background-color:#fff9d7;border-left:1px solid #e2c822;border-right:1px solid #e2c822;border-top:1px solid #e2c822;border-bottom:1px solid #e2c822"><div style="font-weight:bold;margin-bottom:2px;font-size:11px">To view this friend profile photo, go to:</div><a href="http://goo.gl/QdWtIJ" style="color:#3b5998;text-decoration:none;font-size:11px" target="_blank">http://www.facebook.com/n/?reqs.php&amp;mid=424e194G221be96cG696b3afG2f&amp;bcode=M6l2wBWw&amp;[email protected]</a></td></tr></tbody></table><span style=""><img src="http://www.facebook.com/email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f"style="border:0;width:1px;height:1px"><bgsound src="http://www.facebook.com/email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f&amp;s=a"></bgsound></span></td></tr><tr><tdcolspan="2" 
style="color:#999999;padding:10px;font-size:12p!
 x;font-f
amily:'lucida grande', tahoma, verdana, arial, sans-serif">If you don't want to receive these emails from Facebook in the future, please follow the link below to unsubscribe.
http://www.facebook.com/o.php?k=7042bb&amp;u=572254572&amp;mid=424e194G221be96cG696b3afG2f
Facebook, Inc. P.O. Box 10005, Palo Alto, CA 94303</td></tr></tbody></table></td></tr></tbody></table>                    </body>
</html>

maillog:

Jan 30 22:15:30 vm2745 sendmail[31911]: t0ULFTv1031911: [email protected], delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=35539, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFTVJ031912 Message accepted for delivery)
Jan 30 22:15:30 vm2745 sendmail[31915]: t0ULFUNT031915: [email protected], size=5525, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31916]: t0ULFUje031916: from=<[email protected]>, size=5760, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 30 22:15:30 vm2745 sendmail[31915]: t0ULFUNT031915: to=s@s, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=35525, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFUje031916 Message accepted for delivery)
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<s@s>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: host not found)
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<[email protected]>, delay=00:00:00, mailer=local, pri=125760, dsn=5.1.1, stat=User unknown
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: t0ULFUje031918: postmaster notify: User unknown
Jan 30 22:15:30 vm2745 sendmail[31914]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031918: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=36970, dsn=2.0.0, stat=Sent
Jan 30 22:15:30 vm2745 sendmail[31919]: t0ULFUFv031919: [email protected], size=5525, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: to=<[email protected]>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125774, relay=gmail-smtp-in.l.google.com. [74.125.136.26], dsn=5.0.0, stat=Service unavailable
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: to=<[email protected]>, delay=00:00:00, mailer=local, pri=125774, dsn=5.1.1, stat=User unknown
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: t0ULFUVJ031914: postmaster notify: User unknown
Jan 30 22:15:30 vm2745 sendmail[31910]: STARTTLS=client, relay=mta5.am0.yahoodns.net., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan 30 22:15:30 vm2745 sendmail[31921]: t0ULFUrk031921: from=<[email protected]>, size=5760, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 30 22:15:31 vm2745 sendmail[31914]: t0ULFUVJ031914: to=root, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=36998, dsn=2.0.0, stat=Sent
Jan 30 22:15:31 vm2745 sendmail[31919]: t0ULFUFv031919: to=s@s, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=35525, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFUrk031921 Message accepted for delivery)
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: to=<s@s>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: host not found)
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: to=<[email protected]>, delay=00:00:01, mailer=local, pri=125760, dsn=5.1.1, stat=User unknown
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: t0ULFVrk031924: postmaster notify: User unknown
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFVrk031924: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=36970, dsn=2.0.0, stat=Sent
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: to=<[email protected]>, delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=125778, relay=mta5.am0.yahoodns.net. [98.138.112.38], dsn=5.0.0, stat=Service unavailable
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: to=<[email protected]>, delay=00:00:04, mailer=local, pri=125778, dsn=5.1.1, stat=User unknown
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: t0ULFX2n031910: postmaster notify: User unknown
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFX2n031910: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=37006, dsn=2.0.0, stat=Sent

And similar emails appear almost every second.

I am totally puzzled by this; what is causing it?

    
asked by IllidanS4 31.01.2015 - 14:27

1 answer

3

It looks like your server has been hacked, possibly through a web server running PHP software. The sendmail header contains the following incriminating line:

X-PHP-Originating-Script: 0:eb.php

which indicates that the email is generated by a PHP script with the filename eb.php. The 0 indicates that the script is run by the root user, which could mean that a cron job is being used to start the script every minute.

The content of the email is a forgery of the Facebook notification:

If you hover the mouse over the link, it would show a shortened URL hosted by Google that would probably redirect anyone who receives an email from your server to a site containing malware or phishing for your Facebook login information.

Update:

Since the hacker has already obtained root access to your server, removing the script, even if you manage to find it, would not be of much help because:

  1. a backdoor could have been installed so the hacker can come back and undo your recovery effort
  2. processes could have been modified to thwart your effort to hunt down malicious scripts that are created and destroyed on the fly
  3. there is no way to make sure your server is 100% disinfected

What you should do is reinstall the server with the latest version and restore the content from the last valid backup. You can find more information on how to deal with a compromised server here.

    
answered by Question Overflow 31.01.2015 - 18:01
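The answer reads the evidence by hand: the `X-PHP-Originating-Script` header gives the uid and script name of the PHP process that called `mail()`, and the maillog shows a stream of messages handed in by `root@localhost` that bounce on bogus recipients such as `s@s`. The following triage helper is an added example, not code from the original post or from sendmail or PHP; it parses the header out of a spool message and runs two checks over maillog lines (submissions by root per second, and permanent delivery failures). The message and log excerpt inside it are constructed samples modelled on the formats quoted in the question, with addresses and hostnames changed, and are not the question's data.

```python
"""Triage helper for a sendmail host suspected of sending spam from a PHP script.

Added example (not from the original post).  Reads headers in the format PHP
produces when mail.add_x_header is enabled, and scans maillog lines in the
format shown in the question.
"""
import re
from collections import Counter
from email import message_from_string

# Constructed sample message: the headers the question shows, with the
# hostname and addresses replaced by example values.
SAMPLE_MESSAGE = """Return-Path: <root@mail.example.test>
Received: (from root@localhost)
    by mail.example.test (8.13.8/8.13.8/Submit) id t0ULFUNT031915;
    Fri, 30 Jan 2015 22:15:30 +0100
Date: Fri, 30 Jan 2015 22:15:30 +0100
To: s@s
Subject: Facebook
X-PHP-Originating-Script: 0:eb.php
From: "notify@mail.example.test" <notify@mail.example.test>
Content-Type: text/html

<html><body>A friend tagged you in a photo</body></html>
"""

# Constructed maillog excerpt in the same layout as the question's log.
SAMPLE_MAILLOG = """\
Jan 30 22:15:30 vm2745 sendmail[31915]: t0ULFUNT031915: from=<root@mail.example.test>, size=5525, class=0, nrcpts=1, msgid=<201501302115.t0ULFUNT031915@mail.example.test>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<s@s>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: host not found)
Jan 30 22:15:30 vm2745 sendmail[31919]: t0ULFUFv031919: from=<root@mail.example.test>, size=5525, class=0, nrcpts=1, msgid=<201501302115.t0ULFUFv031919@mail.example.test>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031918: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=36970, dsn=2.0.0, stat=Sent
Jan 30 22:15:31 vm2745 sendmail[31922]: t0ULFVab031922: from=<root@mail.example.test>, size=5525, class=0, nrcpts=1, msgid=<201501302115.t0ULFVab031922@mail.example.test>, relay=root@localhost
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: to=<victim@example.net>, delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=125778, relay=mx.example.net. [192.0.2.10], dsn=5.0.0, stat=Service unavailable
"""

# PHP writes the header as "<uid>:<script basename>".
PHP_ORIGIN_RE = re.compile(r"^(?P<uid>\d+):(?P<script>.+)$")

# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: rest-of-entry"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$")

# Delivery entries: recipient may or may not be wrapped in <>.
TO_RE = re.compile(
    r"^to=<?(?P<to>[^>,]+)>?, .*dsn=(?P<dsn>\d\.\d+\.\d+), stat=(?P<stat>.*)$")


def parse_php_origin(raw_message):
    """Return (uid, script) from X-PHP-Originating-Script, or None if absent.

    The uid is that of the PHP process which called mail().  uid 0 means the
    script ran as root (cron, a root shell), not under the web server's user.
    """
    value = message_from_string(raw_message).get("X-PHP-Originating-Script")
    if value is None:
        return None
    m = PHP_ORIGIN_RE.match(value.strip())
    if m is None:
        return None
    return int(m.group("uid")), m.group("script")


def root_submissions_per_second(maillog):
    """Count messages handed to sendmail by root@localhost, keyed by timestamp.

    A sustained count here is the "almost every second" symptom in the question.
    """
    counts = Counter()
    for line in maillog.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        rest = m.group("rest")
        if rest.startswith("from=<") and rest.endswith("relay=root@localhost"):
            counts[m.group("ts")] += 1
    return counts


def failed_deliveries(maillog):
    """Return (queue id, recipient, dsn, status) for permanent (5.x.x) failures."""
    failures = []
    for line in maillog.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        t = TO_RE.match(m.group("rest"))
        if t is not None and t.group("dsn").startswith("5."):
            failures.append((m.group("qid"), t.group("to"), t.group("dsn"), t.group("stat")))
    return failures


if __name__ == "__main__":
    origin = parse_php_origin(SAMPLE_MESSAGE)
    print("PHP origin (uid, script):", origin)
    for ts, n in sorted(root_submissions_per_second(SAMPLE_MAILLOG).items()):
        print(f"{ts}: {n} message(s) submitted by root@localhost")
    for qid, rcpt, dsn, stat in failed_deliveries(SAMPLE_MAILLOG):
        print(f"{qid}: {rcpt} failed with {dsn} ({stat})")
```

Run it against a real spool file and maillog by reading them in place of the constructed samples. A uid of 0 in the header is the detail worth acting on: it rules out a PHP-as-web-server-user compromise alone and supports the answer's point that root is already involved, which is why the answer recommends rebuilding rather than deleting `eb.php`.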
