Today my sendmail service started sending e-mails to various addresses.
/var/spool/mail:
From [email protected] Fri Jan 30 22:15:30 2015
Return-Path: <[email protected]>
Received: from localhost (localhost)
by noxcommunity.com (8.13.8/8.13.8) id t0ULFUje031918;
Fri, 30 Jan 2015 22:15:30 +0100
Date: Fri, 30 Jan 2015 22:15:30 +0100
From: Mail Delivery Subsystem <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="t0ULFUje031918.1422652530/noxcommunity.com"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)
This is a MIME-encapsulated message
--t0ULFUje031918.1422652530/noxcommunity.com
The original message was received at Fri, 30 Jan 2015 22:15:30 +0100
from localhost.localdomain [127.0.0.1]
with id t0ULFUje031916
----- The following addresses had permanent fatal errors -----
<s@s>
(reason: 550 Host unknown)
----- Transcript of session follows -----
550 5.1.2 <s@s>... Host unknown (Name server: s: Host not found)
550 5.1.1 <[email protected]>... User unknown
--t0ULFUje031918.1422652530/noxcommunity.com
Content-Type: message/delivery-status
Reporting-MTA: dns; noxcommunity.com
Received-From-MTA: DNS; localhost.localdomain
Arrival-Date: Fri, 30 Jan 2015 22:15:30 +0100
Final-Recipient: RFC822; s@s
Action: failed
Status: 5.1.2
Remote-MTA: DNS; s
Diagnostic-Code: SMTP; 550 Host unknown
Last-Attempt-Date: Fri, 30 Jan 2015 22:15:30 +0100
--t0ULFUje031918.1422652530/noxcommunity.com
Content-Type: message/rfc822
Return-Path: <[email protected]>
Received: from noxcommunity.com (localhost.localdomain [127.0.0.1])
by noxcommunity.com (8.13.8/8.13.8) with ESMTP id t0ULFUje031916
for <s@s>; Fri, 30 Jan 2015 22:15:30 +0100
Received: (from root@localhost)
by noxcommunity.com (8.13.8/8.13.8/Submit) id t0ULFUNT031915;
Fri, 30 Jan 2015 22:15:30 +0100
Date: Fri, 30 Jan 2015 22:15:30 +0100
Message-Id: <[email protected]>
To: s@s
Subject: Facebook
X-PHP-Originating-Script: 0:eb.php
From: "[email protected]" <[email protected]>
Content-Type: text/html
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
<meta http-equiv="Content-Type" content="text/html; charset=unicode">
<meta name="Generator" content="Microsoft SafeHTML"><title>Message body</title><bgsound src="http://email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f&s=a"></bgsound><table width="98%" border="0" cellspacing="0" cellpadding="40"><tbody><tr><td bgcolor="#f7f7f7" width="100%" style="font-family:'lucida grande', tahoma, verdana, arial, sans-serif"><table cellpadding="0" cellspacing="0" border="0" width="620"><tbody><tr><td style="background:#3b5998;color:#FFFFFF;font-weight:bold;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 8px;vertical-align:middle;font-size:16px;letter-spacing:-0.03em;text-align:left"><a style="color:#FFFFFF;text-decoration:none" href="http://goo.gl/QdWtIJ" target="_blank"><span style="color:#FFFFFF">facebook</span></a></td><td style="background:#3b5998;color:#FFFFFF;font-weight:bold;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 8px;vertical-align:middle;font-size:11px;text-align:right"></td></tr><tr><td colspan="2" style="background-color:#FFFFFF;border-bottom:1px solid #3b5998;border-left:1px solid #CCCCCC;border-right:1px solid #CCCCCC;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:15px" valign="top"><table width="100%"><tbody><tr><td width="470px" style="font-size:12px" valign="top" align="left"><div style="margin-bottom:15px;font-size:12px"></div><div style="margin-bottom:15px"><span style="color:#111111;font-size:14px;font-weight:bold;">A friend tagged you in a photo</span></div><div style="margin-bottom:15px"><div style="border-bottom:1px solid #ccc;line-height:5px"> </div><br><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="padding:5px"></td></tr><tr><td width="150" style="font-size:11px;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:0px 5px 10px 0px"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td valign="top" style="padding-right:5px"><a 
href="http://goo.gl/QdWtIJ" style="col!
or:#3b59
98;text-decoration:none" target="_blank"><img style="border:0px none" alt="Chris Thomas" src="https://fbstatic-a.akamaihd.net/rsrc.php/v2/yo/r/UlIqmHJn-SK.gif" width="50" height="50"></a></td><td valign="top"><span style="font-size:11px;color:#999;padding:0px 0px 10px 0px"><span style="font-size:11px;color:#3B5998;font-weight:bold"><a href="http://goo.gl/QdWtIJ" style="color:#3B5998;text-decoration:none;font-size:11px" target="_blank">Chris Thomas</a></span><br></span></td></tr></tbody></table></td></tr></tbody></table><div style="border-bottom:1px solid #ccc;line-height:5px"> </div><br></div><div style="margin-bottom:15px">Thanks,<br>
The Facebook Team</div></td><td valign="top" width="150" style="padding-left:15px" align="left"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="padding:10px;background-color:#fff9d7;border-left:1px solid #e2c822;border-right:1px solid #e2c822;border-top:1px solid #e2c822;border-bottom:1px solid #e2c822"><div style="margin-bottom:15px;font-size:12px"></div><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="border-width:1px;border-style:solid;border-color:#3b6e22 #3b6e22 #2c5115;background-color:#69a74e"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="font-size:11px;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 10px 5px;border-top:1px solid #95bf82"><a href="http://goo.gl/QdWtIJ" style="color:#fff;text-decoration:none;font-weight:bold;font-size:13px" target="_blank">View photo</a></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table><br><table cellspacing="0" cellpadding="0" style="border-collapse:collapse;width:100%"><tbody><tr><td style="padding:10px;background-color:#fff9d7;border-left:1px solid #e2c822;border-right:1px solid #e2c822;border-top:1px solid #e2c822;border-bottom:1px solid #e2c822"><div style="font-weight:bold;margin-bottom:2px;font-size:11px">To view this friend profile photo, go to:</div><a href="http://goo.gl/QdWtIJ" style="color:#3b5998;text-decoration:none;font-size:11px" target="_blank">http://www.facebook.com/n/?reqs.php&mid=424e194G221be96cG696b3afG2f&bcode=M6l2wBWw&[email protected]</a></td></tr></tbody></table><span style=""><img src="http://www.facebook.com/email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f" style="border:0;width:1px;height:1px"><bgsound src="http://www.facebook.com/email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f&s=a"></bgsound></span></td></tr><tr><td colspan="2" 
style="color:#999999;padding:10px;font-size:12p!
x;font-f
amily:'lucida grande', tahoma, verdana, arial, sans-serif">If you don't want to receive these emails from Facebook in the future, please follow the link below to unsubscribe.
http://www.facebook.com/o.php?k=7042bb&u=572254572&mid=424e194G221be96cG696b3afG2f
Facebook, Inc. P.O. Box 10005, Palo Alto, CA 94303</td></tr></tbody></table></td></tr></tbody></table> </body>
</html>
Mail log:
Jan 30 22:15:30 vm2745 sendmail[31911]: t0ULFTv1031911: [email protected], delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=35539, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFTVJ031912 Message accepted for delivery)
Jan 30 22:15:30 vm2745 sendmail[31915]: t0ULFUNT031915: [email protected], size=5525, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31916]: t0ULFUje031916: from=<[email protected]>, size=5760, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 30 22:15:30 vm2745 sendmail[31915]: t0ULFUNT031915: to=s@s, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=35525, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFUje031916 Message accepted for delivery)
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<s@s>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: Host not found)
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<[email protected]>, delay=00:00:00, mailer=local, pri=125760, dsn=5.1.1, stat=User unknown
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: t0ULFUje031918: postmaster notify: User unknown
Jan 30 22:15:30 vm2745 sendmail[31914]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031918: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=36970, dsn=2.0.0, stat=Sent
Jan 30 22:15:30 vm2745 sendmail[31919]: t0ULFUFv031919: [email protected], size=5525, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: to=<[email protected]>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125774, relay=gmail-smtp-in.l.google.com. [74.125.136.26], dsn=5.0.0, stat=Service unavailable
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: to=<[email protected]>, delay=00:00:00, mailer=local, pri=125774, dsn=5.1.1, stat=User unknown
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: t0ULFUVJ031914: postmaster notify: User unknown
Jan 30 22:15:30 vm2745 sendmail[31910]: STARTTLS=client, relay=mta5.am0.yahoodns.net., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan 30 22:15:30 vm2745 sendmail[31921]: t0ULFUrk031921: from=<[email protected]>, size=5760, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 30 22:15:31 vm2745 sendmail[31914]: t0ULFUVJ031914: to=root, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=36998, dsn=2.0.0, stat=Sent
Jan 30 22:15:31 vm2745 sendmail[31919]: t0ULFUFv031919: to=s@s, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=35525, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFUrk031921 Message accepted for delivery)
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: to=<s@s>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: Host not found)
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: to=<[email protected]>, delay=00:00:01, mailer=local, pri=125760, dsn=5.1.1, stat=User unknown
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: t0ULFVrk031924: postmaster notify: User unknown
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFVrk031924: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=36970, dsn=2.0.0, stat=Sent
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: to=<[email protected]>, delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=125778, relay=mta5.am0.yahoodns.net. [98.138.112.38], dsn=5.0.0, stat=Service unavailable
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: to=<[email protected]>, delay=00:00:04, mailer=local, pri=125778, dsn=5.1.1, stat=User unknown
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: t0ULFX2n031910: postmaster notify: User unknown
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFX2n031910: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=37006, dsn=2.0.0, stat=Sent
And similar mails are being sent almost every second.
I am completely puzzled by this; what is causing it?
It looks like your server has been hacked through the web server running PHP software. The sendmail header contains the following problematic line:
X-PHP-Originating-Script: 0:eb.php
This indicates that the e-mail is generated by a PHP script with the file name eb.php. The 0 indicates that the script is run by the root user, that is, it is being executed by a cron job that starts the script every minute.
The content of the mail is a spoofed Facebook notification:
Hovering over the links shows a shortened URL hosted by Google, which could redirect anyone who receives mail from your server to a site hosting malware or phishing for Facebook login details.
Update:
Since the hacker already has root access to the server, finding the script and deleting it will not help much.
You need to reinstall the server with the latest version and restore the content from the last good backup. You can find more information on how to deal with a compromised server here.
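As an added example (not part of the question or the answer above), the following Python triage script decodes the X-PHP-Originating-Script header the answer points at and counts permanent delivery failures (dsn=5.x.x) per second in sendmail's maillog, which is the burst pattern visible in the question. The sample header and log lines are constructed in the shape of those in the question, with placeholder recipient addresses.

```python
import re
from collections import Counter

# Header that PHP's mail() adds when mail.add_x_header is on: "<uid>:<script>".
PHP_ORIGIN_RE = re.compile(r"^X-PHP-Originating-Script:\s*(\d+):(\S+)", re.I | re.M)

# Sendmail delivery-attempt lines: timestamp, queue id, recipient, dsn, stat.
SENDMAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+sendmail\[\d+\]:\s+(?P<qid>\w+):\s+"
    r"to=(?P<to>\S+?),.*?dsn=(?P<dsn>[\d.]+),\s+stat=(?P<stat>.*)$"
)

# Constructed sample header, copied from the shape shown in the question.
SAMPLE_HEADERS = "Subject: Facebook\nX-PHP-Originating-Script: 0:eb.php\nContent-Type: text/html\n"

# Constructed sample maillog; "victim@example.invalid" is a placeholder recipient.
SAMPLE_MAILLOG = """\
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<s@s>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: Host not found)
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: to=<victim@example.invalid>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125774, relay=gmail-smtp-in.l.google.com. [74.125.136.26], dsn=5.0.0, stat=Service unavailable
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031918: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=36970, dsn=2.0.0, stat=Sent
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: to=<s@s>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: Host not found)
"""


def parse_php_originating_script(headers: str):
    """Return {'uid', 'script', 'is_root'} for the first X-PHP-Originating-Script
    header in a raw header block, or None when the header is absent."""
    m = PHP_ORIGIN_RE.search(headers)
    if not m:
        return None
    uid = int(m.group(1))
    # uid 0 means the PHP script ran as root, not as the web server user.
    return {"uid": uid, "script": m.group(2), "is_root": uid == 0}


def failed_deliveries_per_second(log_text: str, threshold: int = 2):
    """Count permanent failures (dsn=5.x.x) per log timestamp and return the
    seconds whose count reaches the threshold, oldest first."""
    per_second = Counter()
    for line in log_text.splitlines():
        m = SENDMAIL_RE.match(line)
        if m and m.group("dsn").startswith("5."):
            per_second[m.group("ts")] += 1
    return [(ts, n) for ts, n in sorted(per_second.items()) if n >= threshold]


if __name__ == "__main__":
    print(parse_php_originating_script(SAMPLE_HEADERS))
    print(failed_deliveries_per_second(SAMPLE_MAILLOG))
```

Run it against the real /var/log/maillog and the headers in /var/spool/mail to confirm which script and uid generated the mail, then compare the timestamps with cron activity for that user.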