mail.info 中通过 postfix/smtpd 发现可疑活动 - 可能是病毒或黑客攻击？

Question

攻击者来自

xxx@yyy ~ $ host phpwzym.com
phpwzym.com has address 95.140.38.3
phpwzym.com mail is handled by 10 95.140.39.1010.

xxx@yyy ~ $ whois 95.140.38.3
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '95.140.38.0 - 95.140.38.255'

% Abuse contact for '95.140.38.0 - 95.140.38.255' is '[email protected]'

inetnum:        95.140.38.0 - 95.140.38.255
netname:        TERATRADE-NET
descr:          VPS SERVERS
country:        HU
admin-c:        TK6395-RIPE
tech-c:         TK6395-RIPE
status:         ASSIGNED PA
mnt-by:         KGY-MNT
mnt-by:         TK6395-MNT
mnt-routes:     TK6395-MNT
created:        2015-03-10T11:12:04Z
last-modified:  2015-05-21T19:34:36Z
source:         RIPE # Filtered

role:           Teratrade Kft
address:        Hungary
address:        1123 Budapest
address:        Nagyt�t�nyi �t 190.
phone:          +36303654560
abuse-mailbox:  [email protected]
nic-hdl:        TK6395-RIPE
mnt-by:         TK6395-MNT
created:        2015-03-12T16:01:42Z
last-modified:  2015-03-17T14:48:56Z
source:         RIPE # Filtered

Teratrade还允许创建虚假的 DNS 记录

phpwzym.com mail is handled by 10 95.140.39.1010.

使用防火墙，您可以阻止来自此host或来自此的访问network

UFW

sudo ufw enable

# for host
sudo ufw deny from 95.140.39.xxx

# for network
sudo ufw deny from 95.140.39.xxx/24

# allow all other to connect on port 25 aka smtp port
sudo ufw allow 25

# allow other port's 
sudo ufw allow 110 # pop3 port
sudo ufw allow xxx # for xxx port

您现在看不到任何连接，因为邮件正在排队等待投递。

Postfix 中清空队列的命令是

sudo postsuper -d ALL

Answer 1

攻击者来自

xxx@yyy ~ $ host phpwzym.com
phpwzym.com has address 95.140.38.3
phpwzym.com mail is handled by 10 95.140.39.1010.

xxx@yyy ~ $ whois 95.140.38.3
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '95.140.38.0 - 95.140.38.255'

% Abuse contact for '95.140.38.0 - 95.140.38.255' is '[email protected]'

inetnum:        95.140.38.0 - 95.140.38.255
netname:        TERATRADE-NET
descr:          VPS SERVERS
country:        HU
admin-c:        TK6395-RIPE
tech-c:         TK6395-RIPE
status:         ASSIGNED PA
mnt-by:         KGY-MNT
mnt-by:         TK6395-MNT
mnt-routes:     TK6395-MNT
created:        2015-03-10T11:12:04Z
last-modified:  2015-05-21T19:34:36Z
source:         RIPE # Filtered

role:           Teratrade Kft
address:        Hungary
address:        1123 Budapest
address:        Nagyt�t�nyi �t 190.
phone:          +36303654560
abuse-mailbox:  [email protected]
nic-hdl:        TK6395-RIPE
mnt-by:         TK6395-MNT
created:        2015-03-12T16:01:42Z
last-modified:  2015-03-17T14:48:56Z
source:         RIPE # Filtered

Teratrade还允许创建虚假的 DNS 记录

phpwzym.com mail is handled by 10 95.140.39.1010.

使用防火墙，您可以阻止来自此host或来自此的访问network

UFW

sudo ufw enable

# for host
sudo ufw deny from 95.140.39.xxx

# for network
sudo ufw deny from 95.140.39.xxx/24

# allow all other to connect on port 25 aka smtp port
sudo ufw allow 25

# allow other port's 
sudo ufw allow 110 # pop3 port
sudo ufw allow xxx # for xxx port

您现在看不到任何连接，因为邮件正在排队等待投递。

Postfix 中清空队列的命令是

sudo postsuper -d ALL

mail.info 中通过 postfix/smtpd 发现可疑活动 - 可能是病毒或黑客攻击？

答案1

相关内容