[Samba] pickup/maildrop being used to spam through my machine.

L.P.H. van Belle belle at bazuin.nl
Tue Jun 13 08:40:55 UTC 2017


Looks to me your server is hacked through the webserver of the website. 
Stop apache, flush the postfix queue, are there new mails entering your postfix queue? 
If not, hunt down the leak; if it does, it's not apache2 ;-/ 

Greetz, 

Louis


> -----Original message-----
> From: HomerWSmith at lightlink.com 
> [mailto:owner-postfix-users at postfix.org] On behalf of Homer Wilson Smith
> Sent: Tuesday 13 June 2017 10:29
> To: postfix-users at postfix.org
> Subject: pickup/maildrop being used to spam through my machine.
> 
> 
>      Running postfix 2.3.3 CentOS 5.x
> 
>      This is a simple apache 2 web server running postfix for 
> incoming mail for shell users on the same server.  Very low 
> key, almost no traffic, outside is not allowed to connect to 
> the postfix on this machine.
> 
>       This machine only handles shell users on its own 
> domain, adore.lightlink.com, and mail addressed or forwarded to 
> it from our other real mail servers that talk to the outside world.
> 
>       Suddenly I am finding adore's mailq queue filled with 
> spam, each having a pickup line in the logs, but no 
> indication where it comes from, probably the web server as 
> the from username is apache, but so far no correlation 
> between web logs and time stamp on pickup line.
> 
>       This machine is also running an innd news server if it 
> makes any difference, innd 2.x
> 
>      Can someone tell me about possible injection routes into 
> the maildrop directory and how to stop it if I can't find the 
> web page doing it.
> 
>      Thanks  Homer
> 
> Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 099E82B0028: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2169C2B0038: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 260E32B0065: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2AB902B007D: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 325422B0080: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3AC572B0095: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3D0A32B00B8: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 417DD2B00BD: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4728B2B00CA: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4FE062B00D2: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: 89BB02B00DD: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: A53092B00E3: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: BEAB72B00E7: uid=48 from=<apache>
> Jun 12 05:26:17 adore2 postfix/pickup[14251]: CA9F42B00EC: uid=48 from=<apache>
> ... on and on and on thousands etc.
> 
> 
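The correlation Homer says he could not find, worked as an added example (this is not code from either poster): parse the postfix pickup(8) lines and an Apache access log, flag any submitting uid whose per-second burst rate is abnormal, and count which web requests arrived in a short window before each pickup. The pickup lines are the ones quoted above; the access-log lines, the `/contact.php` and `/index.html` paths, the 203.0.113.7 client address, and the uid 500 `homer` pickup with its queue id are constructed placeholders. The script assumes both logs share one time zone and that the syslog year is known (syslog timestamps omit it).

```python
"""Correlate postfix pickup(8) submissions with Apache access-log requests.

Added example for this thread, not code from the original posts. Assumes
the default postfix/pickup log format, the Apache common/combined log
format, and that both logs use the same clock and time zone.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Pickup lines quoted in the thread (uid 48 is the apache user on CentOS 5),
# plus one CONSTRUCTED legitimate shell-user submission (uid, name, queue id
# are placeholders) so the filters have something to leave alone.
PICKUP_LOG = [
    "Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48 from=<apache>",
    "Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48 from=<apache>",
    "Jun 12 05:26:17 adore2 postfix/pickup[14251]: 099E82B0028: uid=48 from=<apache>",
    "Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2169C2B0038: uid=48 from=<apache>",
    "Jun 12 05:26:17 adore2 postfix/pickup[14251]: 260E32B0065: uid=48 from=<apache>",
    "Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2AB902B007D: uid=48 from=<apache>",
    "Jun 12 05:26:17 adore2 postfix/pickup[14251]: 325422B0080: uid=48 from=<apache>",
    "Jun 12 05:30:00 adore2 postfix/pickup[14251]: 0000002B0000: uid=500 from=<homer>",
]

# CONSTRUCTED Apache access-log lines (TEST-NET address, placeholder paths).
ACCESS_LOG = [
    '203.0.113.7 - - [12/Jun/2017:05:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/Jun/2017:05:26:15 +0000] "POST /contact.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2017:05:26:16 +0000] "POST /contact.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2017:05:26:17 +0000] "POST /contact.php HTTP/1.1" 200 512',
]

PICKUP_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>')
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_pickup(lines, year):
    """Return (timestamp, queue_id, uid, sender) tuples; the year is supplied
    because syslog timestamps do not carry one."""
    events = []
    for line in lines:
        m = PICKUP_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=year)
            events.append((ts, m['qid'], m['uid'], m['sender']))
    return events


def parse_access(lines):
    """Return (timestamp, client_ip, method, path) tuples, ignoring the zone
    offset because both logs are assumed to share one time zone."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S')
            hits.append((ts, m['ip'], m['method'], m['path']))
    return hits


def suspicious_submitters(events, per_second=5):
    """Map (uid, sender) -> peak number of submissions seen in a single
    second, keeping only submitters at or above the threshold. A local
    user or web form that legitimately sends mail does not hit pickup
    many times per second; a script abusing /usr/sbin/sendmail does."""
    per_sec = Counter((uid, sender, ts) for ts, _, uid, sender in events)
    peak = {}
    for (uid, sender, _), n in per_sec.items():
        peak[(uid, sender)] = max(peak.get((uid, sender), 0), n)
    return {k: v for k, v in peak.items() if v >= per_second}


def correlate(events, hits, window_seconds=2):
    """For each pickup, collect the (method, path) of web requests that
    arrived in the window just before it. Returns a Counter of how many
    pickups each request could explain, and how many pickups had no web
    request nearby at all (those are not coming through the web server)."""
    window = timedelta(seconds=window_seconds)
    candidates = Counter()
    unexplained = 0
    for ts, _, _, _ in events:
        nearby = {(method, path) for hts, _, method, path in hits
                  if timedelta(0) <= ts - hts <= window}
        if not nearby:
            unexplained += 1
        candidates.update(nearby)
    return candidates, unexplained


if __name__ == '__main__':
    pickups = parse_pickup(PICKUP_LOG, 2017)
    print('bursty submitters:', suspicious_submitters(pickups))
    cands, missing = correlate(pickups, parse_access(ACCESS_LOG))
    for (method, path), n in cands.most_common():
        print(f'{n:4d} pickups preceded by {method} {path}')
    print('pickups with no web request in window:', missing)
```

Widen `window_seconds` if the web server queues work before calling sendmail, and add the client IP to the candidate key when the same path is hit from many addresses; the request that keeps appearing ahead of the bursts is the page to take offline.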
