Postfix hacked

Discussion in 'Server Operation' started by cvine, Aug 4, 2006.

  1. cvine

    cvine New Member

    Folks,

    I need some help urgently...

    I have a RH8 box that was recently hacked and now there is a problem for users sending email outside of the organization. Local mail delivery is fine.

    There was another issue with /var filling up but I moved the var/spool/postfix off to another partition with a lot more space available.


    From the maillog I found:
    >>>>>>>>>>
    Aug 3 01:26:27 Server postfix/postfix-script: starting the Postfix mail system
    Aug 3 01:26:29 Server postfix/master[757]: daemon started
    Aug 2 15:26:29 Server postfix/nqmgr[784]: 4F5D66580D6: from=<[email protected]hangewestern.org.au>, size=523, nrcpt=2 (queue active)
    Aug 2 15:26:29 Server postfix/smtp[786]: fatal: unknown service: smtp/tcp
    Aug 2 15:26:30 Server postfix/nqmgr[784]: warning: premature end-of-input from private/smtp socket while reading input attribute name
    Aug 2 15:26:30 Server postfix/nqmgr[784]: warning: private/smtp socket: malformed response
    Aug 2 15:26:30 Server postfix/nqmgr[784]: warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description
    Aug 3 01:26:30 Server postfix/master[757]: warning: process /usr/libexec/postfix/smtp pid 786 exit status 1
    Aug 3 01:26:30 Server postfix/master[757]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling
    Aug 2 15:31:12 Server postfix/smtpd[973]: connect from unknown[203.12.160.113]
    Aug 2 15:31:12 Server postfix/smtpd[973]: 7043765818F: client=unknown[203.12.160.113]
    <<<<<<<<<<<<

    Can anyone provide me with some advice on what may have been done to the SMTP service and/or what I may be able to check to re-establish it?

    Thanks in advance
     
  2. Ben

    Ben ISPConfig Developer ISPConfig Developer

    You didn't set up your machine from scratch after being hacked?!

    Anyway, about the smtp message: http://www.postfix.org/faq.html#noservice
    and I guess the following messages are linked with that error.
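
The `fatal: unknown service: smtp/tcp` line means the Postfix SMTP client could not resolve the service name `smtp` to a port, a lookup normally answered from a services(5) file. The script below is an added example, not part of the thread or of Postfix: it pulls the failed lookups out of a mail log and checks them against one or more services files. The function names are illustrative and the sample services files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads services(5)-format files.

# has_service FILE NAME PROTO: 0 = NAME (or alias) defined for PROTO,
# 1 = no such entry, 2 = FILE missing or unreadable.
has_service() {
    [ -r "$1" ] || return 2
    awk -v name="$2" -v proto="$3" '
        { sub(/#.*/, "") }                # drop comments
        NF < 2 { next }                   # blank or malformed line
        {
            split($2, pp, "/")            # field 2 is port/protocol
            if (pp[2] != proto) next
            for (i = 1; i <= NF; i++)     # field 1 = name, 3+ = aliases
                if (i != 2 && $i == name) { found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# unknown_services LOG: unique name/proto pairs Postfix failed to resolve.
unknown_services() {
    sed -n 's/.*fatal: unknown service: \([^ ]*\).*/\1/p' "$1" | sort -u
}

# check_log LOG FILE...: test every failed lookup against every FILE.
check_log() {
    log=$1; shift; rc=0
    for svc in $(unknown_services "$log"); do
        for f in "$@"; do
            st=0
            has_service "$f" "${svc%/*}" "${svc#*/}" || st=$?
            case $st in
                0) echo "ok          $svc  $f" ;;
                1) echo "no entry    $svc  $f"; rc=1 ;;
                *) echo "unreadable  $svc  $f"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Demo: log line as posted in the thread; services files are constructed.
tmp=$(mktemp -d)
echo 'Aug 2 15:26:29 Server postfix/smtp[786]: fatal: unknown service: smtp/tcp' > "$tmp/maillog"
printf 'smtp\t25/tcp\tmail\n' > "$tmp/services.ok"
printf '#smtp\t25/tcp\tmail\nsmtp\t25/udp\n' > "$tmp/services.bad"
check_log "$tmp/maillog" "$tmp/services.ok" "$tmp/services.bad" "$tmp/absent" || true
```

On a live host, pass the real mail log and `/etc/services`, plus the copy under the Postfix queue directory (for example `/var/spool/postfix/etc/services`) if the smtp client runs chrooted; both paths are assumptions about the system layout.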
     
  3. cvine

    cvine New Member

    Fixed

    Hi Ben,

    Thanks for your reply. I also found that link independently and used the details to fix the problem. Seems as if "TheRougue" wanted to hide some activity!

    The box wasn't too badly hit and, apart from another minor configuration change, is now back to "normal".

    Thanks again

    Cheers
     
  4. sjau

    sjau Local Meanie Moderator

    If it was hacked you don't know what else is on there...
    My box was also hacked a couple of days ago hence I set it up again.
     
