I am running a dovecot/postfix server with virtual users/aliases. According to the tool at http://www.mailradar.com/openrelay/ I do not have an open relay. However, a lot of entries are showing up in my syslog that make me think something is being accessed that should not be. Here is a portion of my syslog (identifying information changed, of course):
Feb 18 10:13:42 server1 postfix/pickup[3995]: 1A6413627F: uid=33 from=<www-data>
Feb 18 10:13:42 server1 postfix/cleanup[3826]: 1A6413627F: message-id=<[email protected]>
Feb 18 10:13:42 server1 opendkim[4285]: 1A6413627F: no signing table match for '[email protected]'
Feb 18 10:13:42 server1 opendkim[4285]: 1A6413627F: no signature data
Feb 18 10:13:42 server1 postfix/qmgr[4479]: 1A6413627F: from=<[email protected]>, size=2153, nrcpt=1 (queue active)
Feb 18 10:13:43 server1 postfix/smtp[4007]: 1A6413627F: to=<[email protected]>, relay=mxs.mail.ru[217.69.139.150]:25, delay=1.9, delays=0.01/0/0.77/1.1, dsn=2.0.0, status=sent (250 OK id=1aWRD5-0005o9-J0)
Feb 18 10:13:43 server1 postfix/qmgr[4479]: 1A6413627F: removed
Feb 18 10:13:54 server1 postfix/pickup[3995]: 5CF523627F: uid=33 from=<www-data>
Feb 18 10:13:54 server1 postfix/cleanup[3826]: 5CF523627F: message-id=<[email protected]>
Feb 18 10:13:54 server1 opendkim[4285]: 5CF523627F: no signing table match for '[email protected]'
Feb 18 10:13:54 server1 opendkim[4285]: 5CF523627F: no signature data
Feb 18 10:13:54 server1 postfix/qmgr[4479]: 5CF523627F: from=<[email protected]>, size=2158, nrcpt=1 (queue active)
Feb 18 10:13:55 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:48:b9:08:00 SRC=45.33.58.84 DST=216.58.192.14 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=45696 PROTO=UDP SPT=53 DPT=51450 LEN=53
Feb 18 10:13:55 server1 postfix/smtp[3982]: 5CF523627F: to=<[email protected]>, relay=mxs.mail.ru[217.69.139.150]:25, delay=1.6, delays=0.01/0/0.55/1, dsn=2.0.0, status=sent (250 OK id=1aWRDH-0003yi-IS)
Feb 18 10:13:55 server1 postfix/qmgr[4479]: 5CF523627F: removed
Feb 18 10:14:02 server1 postfix/pickup[3995]: A72D73627F: uid=33 from=<www-data>
Feb 18 10:14:02 server1 postfix/cleanup[3826]: A72D73627F: message-id=<[email protected]>
Feb 18 10:14:02 server1 opendkim[4285]: A72D73627F: no signing table match for '[email protected]'
Feb 18 10:14:02 server1 opendkim[4285]: A72D73627F: no signature data
Feb 18 10:14:02 server1 postfix/qmgr[4479]: A72D73627F: from=<[email protected]>, size=2172, nrcpt=1 (queue active)
Feb 18 10:14:02 server1 postfix/smtp[4002]: A72D73627F: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2607:f8b0:400e:c03::1b]:25, delay=0.24, delays=0.01/0/0.09/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK 1455812042 u6si8951789par.57 - gsmtp)
Feb 18 10:14:02 server1 postfix/qmgr[4479]: A72D73627F: removed
Feb 18 10:14:44 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:f2:a4:08:00 SRC=181.194.185.98 DST=216.58.192.14 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=33433 DF PROTO=TCP SPT=54753 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Feb 18 10:14:47 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:f2:a4:08:00 SRC=181.194.185.98 DST=216.58.192.14 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=33434 DF PROTO=TCP SPT=54753 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Feb 18 10:14:53 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:f2:a4:08:00 SRC=181.194.185.98 DST=216.58.192.14 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=33435 DF PROTO=TCP SPT=54753 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Feb 18 10:15:01 server1 /USR/SBIN/CRON[4054]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Feb 18 10:15:02 server1 postfix/pickup[3995]: CDA813627F: uid=33 from=<www-data>
Feb 18 10:15:02 server1 postfix/cleanup[3826]: CDA813627F: message-id=<[email protected]>
Feb 18 10:15:02 server1 opendkim[4285]: CDA813627F: no signing table match for '[email protected]'
Feb 18 10:15:02 server1 opendkim[4285]: CDA813627F: no signature data
Feb 18 10:15:02 server1 postfix/qmgr[4479]: CDA813627F: from=<[email protected]>, size=2141, nrcpt=1 (queue active)
Feb 18 10:15:03 server1 postfix/smtp[4007]: CDA813627F: host mta6.am0.yahoodns.net[98.138.112.35] said: 421 4.7.0 [GL01] Message from (216.58.192.14) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html (in reply to MAIL FROM command)
Feb 18 10:15:03 server1 postfix/smtp[4007]: CDA813627F: lost connection with mta6.am0.yahoodns.net[98.138.112.35] while sending RCPT TO
Feb 18 10:15:04 server1 postfix/smtp[4007]: CDA813627F: to=<[email protected]>, relay=mta6.am0.yahoodns.net[66.196.118.34]:25, delay=1.3, delays=0.02/0/0.49/0.77, dsn=2.0.0, status=sent (250 ok dirdel)
Feb 18 10:15:04 server1 postfix/qmgr[4479]: CDA813627F: removed
Any idea what the problem is?
Answer 1
These messages come from the user ID that runs your web server and its web applications. In short, your website has been hacked and is being used to send spam.
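As an added example (not part of the answer above), here is a small Python script that applies the answer's reasoning to log lines in the question's format: it ties each postfix/pickup entry submitted by uid 33 (www-data on Debian) to the later postfix/smtp delivery lines carrying the same queue ID, so you can see which messages the web server process originated and where they went. The sample log lines, addresses and relay hosts are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same postfix syslog format as the question's log.
# Addresses and hosts are placeholders, not real recipients.
SAMPLE_LOG = """\
Feb 18 10:13:42 server1 postfix/pickup[3995]: 1A6413627F: uid=33 from=<www-data>
Feb 18 10:13:42 server1 postfix/qmgr[4479]: 1A6413627F: from=<www-data@example.com>, size=2153, nrcpt=1 (queue active)
Feb 18 10:13:43 server1 postfix/smtp[4007]: 1A6413627F: to=<victim@mail.ru>, relay=mxs.mail.ru[217.69.139.150]:25, delay=1.9, delays=0.01/0/0.77/1.1, dsn=2.0.0, status=sent (250 OK id=1aWRD5-0005o9-J0)
Feb 18 10:13:54 server1 postfix/pickup[3995]: 5CF523627F: uid=33 from=<www-data>
Feb 18 10:13:55 server1 postfix/smtp[3982]: 5CF523627F: to=<other@gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0::1b]:25, delay=1.6, delays=0.01/0/0.55/1, dsn=2.0.0, status=sent (250 OK)
Feb 18 10:14:02 server1 postfix/pickup[3995]: A72D73627F: uid=1000 from=<alice>
Feb 18 10:14:02 server1 postfix/smtp[4002]: A72D73627F: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.24, delays=0.01/0/0.09/0.14, dsn=2.0.0, status=sent (250 OK)
"""

# pickup lines record the local uid that handed the message to sendmail(1)/postdrop
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<user>[^>]*)>")
# smtp lines record where the queued message was delivered and with what status
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")

def find_web_submissions(log_text, web_uids=(33,)):
    """Return {queue_id: {"user", "uid", "recipients": [(rcpt, status), ...]}}
    for every message that entered postfix via pickup from a web-server uid."""
    submitted = {}
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m and int(m.group("uid")) in web_uids:
            submitted[m.group("qid")] = {"user": m.group("user"),
                                         "uid": int(m.group("uid")),
                                         "recipients": []}
    # second pass: attach delivery attempts by queue ID (smtp lines come later)
    for line in log_text.splitlines():
        m = SMTP_RE.search(line)
        if m and m.group("qid") in submitted:
            submitted[m.group("qid")]["recipients"].append((m.group("rcpt"), m.group("status")))
    return submitted

def recipient_domains(submissions):
    """Count destination domains of web-originated mail; a spread of webmail
    providers from one web uid is the pattern the answer describes."""
    counts = defaultdict(int)
    for info in submissions.values():
        for rcpt, _status in info["recipients"]:
            counts[rcpt.rsplit("@", 1)[-1]] += 1
    return dict(counts)

if __name__ == "__main__":
    subs = find_web_submissions(SAMPLE_LOG)
    for qid, info in subs.items():
        print(qid, info)
    print(recipient_domains(subs))
```

On a real host, feed it `/var/log/mail.log` instead of SAMPLE_LOG; the uid 1000 message is deliberately excluded to show that only the web server's submissions are reported.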