Postfix 已被黑客攻击,请帮忙

Postfix 已被黑客攻击,请帮忙

我安装了 postfix 和 dovecot,并设置了 SPF DKIM 和 DMARC,一切都运行顺利,直到我的 Linode 帐户报告使用率很高,检查后发现我的帐户中有大量垃圾邮件。我有关闭后缀。

注意事项:

  1. 邮件从我的域发出noidadeafsociety,但用户不是我创建的,这些是垃圾邮件发送者创建的虚构用户。

    sender_fullname: www-data
    sender: [email protected]
    

    我的mysql虚拟用户数据库中不存在上述用户。

  2. 请注意标头中指向 php 脚本的以下行

    X-PHP-Originating-Script: 33:isyfoyvr.php(1189) : runtime-created function(1) : eval()'d code(1) : eval()'d code
    
  3. 我无法通过端口 25 在服务器上远程或本地远程登录到我的 IP

postfix main.cf以下是我的文件的相关部分

smtp_tls_security_level = may
smtpd_tls_security_level = may

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = brahmaforces.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = $myhostname, brahmaforces.com, brahmaforces, localhost.localdomain, localhost, noidadeafsociety.org
mydestination = localhost

relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
message_size_limit = 31457280
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
#virtual_alias_maps = hash:/etc/postfix/virtual

#Append the following line for local mail delivery to all virtual domains listed inside the MySQL table.

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

policyd-spf_time_limit = 3600

以下是队列中的一个消息头:

$ sudo postcat -q A1E705E545
*** ENVELOPE RECORDS deferred/A/A1E705E545 ***
message_size:            2198             223               1               0            2198               0
message_arrival_time: Tue Oct 24 06:47:29 2017
create_time: Tue Oct 24 13:39:04 2017
named_attribute: rewrite_context=local
sender_fullname: www-data
sender: [email protected]
*** MESSAGE CONTENTS deferred/A/A1E705E545 ***
Received: by brahmaforces.com (Postfix, from userid 33)
    id A1E705E545; Tue, 24 Oct 2017 06:47:29 +0530 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=noidadeafsociety.org;
    s=201710; t=1508832544;
    bh=6CNiZnlc0CH/LHm0VunVcXnxzPy9g3UAgtmu7mN62Yw=;
    h=To:Subject:Date:From:From;
    b=IO42NgZb1I7qjGaAQJL/Y0Dc4Q6Mv9WOCTPjGcCpFOtw/hPB4cf+PJXoAYmUCoyFG
     DSgVv1SqBx/W35pLLIedqciQhEnTlxbJCxKox2d7mIlZz6Vg5ywYlMbgJ/fBsZB+hD
     kJThn9Hex9a9OEL1ERZW5v8bxFpg3QY+A9jeizmX7FhQ1nLYwv5iLDP4FT+Qn6Zu3i
     9aRWSraMF+YplLwpUqzLWecZqB+9tUZHNZpC6eMg+UHFwrSSXbdDMtcmRFDDmmKnmG
     H5pHBqz86blZ6Ohf/ndca3KUqN+mo249lbo/5rq5pYyOESDwxiYNQy8MvZa8WYqIA6
     tsh23D6Ei1eWw==
To: [email protected]
Subject: You're sleeping, and this program earns money!
X-PHP-Originating-Script: 33:isyfoyvr.php(1189) : runtime-created function(1) : eval()'d code(1) : eval()'d code
Date: Tue, 24 Oct 2017 06:47:29 +0530
From: "Justin F." <[email protected]>
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="b1_79a51f9aa51cafb7505a4c92abc93109"
Content-Transfer-Encoding: 8bit

This is a multi-part message in MIME format.

--b1_79a51f9aa51cafb7505a4c92abc93109
Content-Type: text/plain; charset=us-ascii

There's nothing wrong to dream about the money that would appear out of nowhere. No one would refuse such happiness. But a dream like this, anybody especially was not true... until recently.

A group of German scientists are able to invent a program that makes money and allows you to forget about work and enjoy life.

It can bring you riches in a few weeks! { http://www.sriplasticenterprises.com/reduce.php?utm_source=67ksjr2535&utm_medium=ygapipe66p&utm_campaign=9h2vb6lp17&utm_term=5t9tgb2h6h&utm_content=s4mdh3336q } Come on click on the link and learn more...


--b1_79a51f9aa51cafb7505a4c92abc93109
Content-Type: text/html; charset=us-ascii

<html>
<body>
There's nothing wrong to dream about the money that would appear out of nowhere. No one would refuse such happiness. But a dream like this, anybody especially was not true... until recently.<br>
<br>
A group of German scientists are able to invent a program that makes money and allows you to forget about work and enjoy life.<br>
<br>
It can bring you riches in a few weeks! <a href="http://www.sriplasticenterprises.com/reduce.php?utm_source=67ksjr2535&utm_medium=ygapipe66p&utm_campaign=9h2vb6lp17&utm_term=5t9tgb2h6h&utm_content=s4mdh3336q">Come on click on the link and learn more...</a><br>
</body>
</html>

答案1

后缀有不是被黑客攻击。该漏洞存在于isyfoyvr.php脚本中,允许代码注入。注入的代码正在发送电子邮件,并且由于 Postfix 看到的电子邮件来自本地主机它承认它们是合法的。

可能的快速修复

删除该isyfoyvr.php脚本,或设置其权限以使 Web 服务器无法执行它。然后重新启动。然后检查电子邮件是否已停止。

正确的解决方案

如果没有看到有问题的代码,就不可能确定isyfoyvr.php脚本中的确切问题。最简单的方法是返回您获取信息的地方并在那里寻求帮助。

该脚本可能下载了更大的木马,因此我建议您认真考虑擦除、重新安装并从上次已知的良好备份中恢复。

相关内容