SMTP AUTH and a compromised user

0

I recently set up two mail relays with SMTP authentication enabled, and within a week and a month respectively, both were used to send unsolicited mail via SMTP AUTH. The attackers operated from different IPs and used different users, but only one user per server. At first I thought some malware had simply scanned the victim's disk and obtained the password, but when it happened the second time I decided that is unlikely, because the affected user had been retired long ago, their mailbox had been deleted, the mail files are probably nonexistent or stored on some abandoned and/or archived disks, and the account existed only in the sasl2 DB.

I dropped the compromised user. I tried sending mail using SMTP AUTH and telnet, and the server does not seem to relay mail with empty or incorrect SMTP AUTH. I searched for any sendmail or libsasl2 CVEs; both have several, but none recent, and both systems had sendmail and libsasl2 patched at the time of the breach.

So, is there some other way to send mail that I'm not aware of? The IP of one of the servers is 128.127.144.4, so you can try it in case you have an idea. Yes, it is probably a bad idea to expose a server affected by some security bug to a community, but the attackers have already found it anyway, and I'm still watching its logs.

Here is a typical SMTP session:

egrep '187.111.57.236|w3CJ14gL016656' maillog.0
Apr 13 00:01:04 elf rmilter[1493]: <1002b962b6>; accepted connection from elf.hq.norma.perm.ru; client: 187.111.57.236:40595 ([187.111.57.236])
Apr 13 00:01:07 elf sm-mta[16656]: AUTH=server, relay=[187.111.57.236], authid=alex, mech=PLAIN, bits=0
Apr 13 00:01:10 elf rmilter[1493]: <1002b962b6>; mlfi_data: queue id: <w3CJ14gL016656>
Apr 13 00:01:12 elf opendkim[1961]: w3CJ14gL016656: can't parse From: header value ' alex'
Apr 13 00:01:12 elf sm-mta[16656]: w3CJ14gL016656: from=<alex>, size=334, class=0, nrcpts=1, msgid=<ndshcfz-60v0pd-50@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:12 elf rmilter[1493]: <1002b962b6>; msg done: queue_id: <w3CJ14gL016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:01:14 elf sm-mta[16728]: w3CJ14gL016656: to=<[email protected]>, delay=00:00:05, xdelay=00:00:02, mailer=esmtp, pri=30334, relay=cluster5.eu.messagelabs.com. [85.158.136.83], dsn=5.0.0, stat=Service unavailable
Apr 13 00:01:14 elf sm-mta[16728]: w3CJ14gL016656: w3CJ1EgK016728: DSN: Service unavailable
Apr 13 00:01:18 elf sm-mta[16656]: w3CJ14gN016656: from=<alex>, size=408, class=0, nrcpts=2, msgid=<EDCDCC98-B8B6-F39C-966D-807F6D1EB512@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:26 elf rmilter[1493]: <8c0b950267>; msg done: queue_id: <w3CJ14gN016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:01:32 elf sm-mta[16656]: w3CJ14gP016656: from=<alex>, size=433, class=0, nrcpts=2, msgid=<DF473463.5B8BE96E6707637A@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:35 elf rmilter[1493]: <1e60121bd1>; msg done: queue_id: <w3CJ14gP016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:01:40 elf sm-mta[16656]: w3CJ14gR016656: from=<alex>, size=352, class=0, nrcpts=1, msgid=<5rnocqr-7cbfza-4B@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:40 elf rmilter[1493]: <2566fbec9b>; msg done: queue_id: <w3CJ14gR016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:01:46 elf sm-mta[16656]: w3CJ14gT016656: from=<alex>, size=376, class=0, nrcpts=2, msgid=<nqa3edbggmlregbxzpp6s2gq.1238156633123@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:46 elf rmilter[1493]: <424091d28a>; msg done: queue_id: <w3CJ14gT016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:01:51 elf sm-mta[16656]: w3CJ14gV016656: from=<alex>, size=348, class=0, nrcpts=1, msgid=<g863qm7-nqfvlu-E6@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:01:59 elf rmilter[1493]: <24f70a9e90>; msg done: queue_id: <w3CJ14gV016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:05 elf sm-mta[16656]: w3CJ14gX016656: from=<alex>, size=387, class=0, nrcpts=2, msgid=<6qf0ejm-9zz62l-D9@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:05 elf rmilter[1493]: <99ffc4b437>; msg done: queue_id: <w3CJ14gX016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:10 elf sm-mta[16656]: w3CJ14gZ016656: from=<alex>, size=408, class=0, nrcpts=1, msgid=<C6AAC86D.0240677@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:10 elf rmilter[1493]: <f77b77d04f>; msg done: queue_id: <w3CJ14gZ016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:15 elf sm-mta[16656]: w3CJ14gb016656: from=<alex>, size=413, class=0, nrcpts=1, msgid=<C51C7275.3715C09DDFEBC27A@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:15 elf rmilter[1493]: <a5da79ba76>; msg done: queue_id: <w3CJ14gb016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:20 elf sm-mta[16656]: w3CJ14gd016656: from=<alex>, size=412, class=0, nrcpts=1, msgid=<A219E6DE-C17F-8C8E-2EED-6C11324F4856@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:26 elf rmilter[1493]: <d299e12ce5>; msg done: queue_id: <w3CJ14gd016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:32 elf sm-mta[16656]: w3CJ14gf016656: from=<alex>, size=459, class=0, nrcpts=2, msgid=<AC390E75-91F7-0748-98FC-08407D78C8D1@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:35 elf rmilter[1493]: <9924362f7a>; msg done: queue_id: <w3CJ14gf016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:41 elf sm-mta[16656]: w3CJ14gh016656: from=<alex>, size=359, class=0, nrcpts=2, msgid=<gxkj6otgb3u7fgog77dl029g.1300223824295@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:41 elf rmilter[1493]: <749b441efb>; msg done: queue_id: <w3CJ14gh016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:46 elf sm-mta[16656]: w3CJ14gj016656: from=<alex>, size=386, class=0, nrcpts=2, msgid=<w0dgjl1-yp38y1-B3@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:47 elf rmilter[1493]: <e8d8dcc43b>; msg done: queue_id: <w3CJ14gj016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:02:52 elf sm-mta[16656]: w3CJ14gl016656: from=<alex>, size=432, class=0, nrcpts=2, msgid=<32D7901C-5F09-E45D-42CA-ACF50859F4CA@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:02:56 elf rmilter[1493]: <32f5cc689b>; msg done: queue_id: <w3CJ14gl016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (2 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:03:01 elf sm-mta[16656]: w3CJ14gn016656: from=<alex>, size=390, class=0, nrcpts=1, msgid=<18B59E3D-8DE4-7F11-36C1-2135E903A2FB@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:03:08 elf rmilter[1493]: <d74707f221>; msg done: queue_id: <w3CJ14gn016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:03:13 elf sm-mta[16656]: w3CJ14gp016656: from=<alex>, size=343, class=0, nrcpts=1, msgid=<fo2xzb80ox1ljkrotbe28j4i.1151459227245@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:03:14 elf rmilter[1493]: <8dfcbdfa8e>; msg done: queue_id: <w3CJ14gp016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:03:18 elf sm-mta[16656]: w3CJ14gr016656: from=<alex>, size=395, class=0, nrcpts=1, msgid=<A3EB3BE1-8E1A-4345-0E04-CE7600F9B204@>, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]
Apr 13 00:03:28 elf rmilter[1493]: <7fa30f7963>; msg done: queue_id: <w3CJ14gr016656>; message id: <>; ip: 187.111.57.236; from: <alex>; rcpt: <[email protected]> (1 total); user: alex; spam scan: skipped, whitelisted; virus scan: clean; dkim: not signed, ignored
Apr 13 00:04:41 elf sm-mta[16656]: w3CJ14gt016656: collect: unexpected close on connection from [187.111.57.236], sender=<alex>
Apr 13 00:04:41 elf sm-mta[16656]: w3CJ14gt016656: from=<alex>, size=52, class=0, nrcpts=1, proto=ESMTPA, daemon=elf-as-mta, relay=[187.111.57.236]

Update: it was the outdated roundcube installation.

asked by drookie 14.04.2018 - 09:03

1 answer

1
$ telnet 128.127.144.4 smtp
Trying 128.127.144.4...
Connected to 128.127.144.4.
Escape character is '^]'.
220 elf.hq.norma.perm.ru ESMTP Sendmail 8.15.2/8.15.2; Sat, 14 Apr 2018 12:16:42 +0500 (YEKT)
ehlo yue
250-elf.hq.norma.perm.ru Hello ip-xxxxxxxxxx.net [58.xxx.xxx.xxx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 100000000
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
quit

You are offering CRAM and DIGEST, which means you are storing plaintext passwords (or their equivalent) somewhere. Maybe that list has been compromised?

You are offering LOGIN and PLAIN over unencrypted connections; maybe the password was captured by packet inspection on a compromised router.

Or they could simply have guessed it; I see there is a lot of guessing going on.

answered by Jasen 14.04.2018 - 09:27
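The question's maillog shows `AUTH=server ... mech=PLAIN, bits=0` with no TLS handshake on the session, which is exactly the exposure the answer describes. The following is an added example (not code from either poster) that audits sendmail `AUTH=server` lines for plaintext mechanisms on unencrypted connections and for one account authenticating from many source IPs. It assumes sendmail's `STARTTLS=server, relay=[...]` log line for TLS sessions, keys sessions on the sm-mta pid, and uses a constructed sample log built around the line quoted in the question.

```python
import re
from collections import defaultdict

# "AUTH=server" line in the format quoted in the question; relay may also be
# logged as "host [ip]", which the optional hostname part absorbs.
AUTH_RE = re.compile(
    r"sm-mta\[(?P<pid>\d+)\]: AUTH=server, relay=(?:\S+ )?\[?(?P<ip>[\d.]+)\]?, "
    r"authid=(?P<user>\S+), mech=(?P<mech>\S+), bits=(?P<bits>\d+)"
)
# Sendmail logs a successful TLS handshake on the same sm-mta pid before AUTH
# (assumed log format; the question's session has no such line).
TLS_RE = re.compile(r"sm-mta\[(?P<pid>\d+)\]: STARTTLS=server, relay=")
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample: the question's real line, plus invented follow-ups
# (RFC 5737 documentation addresses) for a second alex login and a TLS user.
SAMPLE_LOG = """\
Apr 13 00:01:07 elf sm-mta[16656]: AUTH=server, relay=[187.111.57.236], authid=alex, mech=PLAIN, bits=0
Apr 13 00:03:22 elf sm-mta[16790]: AUTH=server, relay=[203.0.113.7], authid=alex, mech=LOGIN, bits=0
Apr 13 00:05:40 elf sm-mta[16802]: STARTTLS=server, relay=[198.51.100.5], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Apr 13 00:05:41 elf sm-mta[16802]: AUTH=server, relay=[198.51.100.5], authid=bob, mech=PLAIN, bits=0
""".splitlines()


def audit_auth(lines, max_ips=2):
    """Return (cleartext, roaming).

    cleartext: (user, ip, mech) for PLAIN/LOGIN logins with neither TLS nor a
               SASL security layer (bits=0), i.e. the password crossed the wire
               unprotected and could be sniffed, as the answer suggests.
    roaming:   users seen authenticating from at least max_ips distinct IPs,
               the pattern the question reports for the abused account.
    Note: pids are reused over long periods; a production version should also
    key on timestamp.
    """
    tls_pids = set()
    cleartext = []
    ips_by_user = defaultdict(set)
    for line in lines:
        if (m := TLS_RE.search(line)):
            tls_pids.add(m.group("pid"))
            continue
        if not (m := AUTH_RE.search(line)):
            continue
        ips_by_user[m["user"]].add(m["ip"])
        if m["mech"] in PLAINTEXT_MECHS and m["pid"] not in tls_pids and m["bits"] == "0":
            cleartext.append((m["user"], m["ip"], m["mech"]))
    roaming = {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= max_ips}
    return cleartext, roaming


if __name__ == "__main__":
    print(audit_auth(SAMPLE_LOG))
```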
