Q&A
A board for exchanging questions and answers about cloud/Linux.
Category: Linux

Sendmail: please check whether I have been hacked

Posted by: Chong

I am a complete Linux beginner; I have tried my best but simply cannot find an answer, so I am asking here. First I am posting some command output that may help. Looking at the maillog, I do not understand why admin1 is sending mail to itself. Perhaps because of that, sendmail takes up enormous resources and slows down the whole web server as well. A while ago sendmail was going down about once a day, so I wiped the entire mail queue. Since then it has been running fine, but I need to find a root cause...

# top

11:12:40 up 9 days, 23:07, 1 user, load average: 3.41, 3.46, 2.93
113 processes: 111 sleeping, 2 running, 0 zombie, 0 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 6.5% 0.0% 50.9% 0.0% 0.0% 0.0% 42.4%
Mem: 741284k av, 726648k used, 14636k free, 0k shrd, 59488k buff
326880k active, 290252k inactive
Swap: 522104k av, 51172k used, 470932k free 448096k cached

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
7143 root 16 0 7748 7544 2692 R 48.2 1.0 12:21 0 sendmail
16907 root 16 0 7580 7388 2620 D 1.3 0.9 0:21 0 sendmail
12 root 15 0 0 0 0 DW 0.7 0.0 39:49 0 kjournald
19100 root 17 0 1244 1244 832 R 0.7 0.1 0:00 0 top
606 root 15 0 544 524 472 D 0.1 0.0 9:40 0 syslogd
1 root 16 0 456 432 400 S 0.0 0.0 0:12 0 init
2 root 15 0 0 0 0 SW 0.0 0.0 0:00 0 keventd
3 root 15 0 0 0 0 SW 0.0 0.0 0:00 0 kapmd
4 root 34 19 0 0 0 SWN 0.0 0.0 0:00 0 ksoftirqd/0
6 root 25 0 0 0 0 SW 0.0 0.0 0:00 0 bdflush
5 root 15 0 0 0 0 SW 0.0 0.0 4:25 0 kswapd
7 root 15 0 0 0 0 SW 0.0 0.0 0:00 0 kupdated
8 root 22 0 0 0 0 SW 0.0 0.0 0:00 0 mdrecoveryd
65 root 15 0 0 0 0 SW 0.0 0.0 0:00 0 khubd

# tail -f /var/log/maillog

May 30 11:21:18 admin1 sendmail[7143]: k4SIL3s9032123: to=<admin1@mydomain.com>, ctladdr=<admin1@mydomain.com> (502/502), delay=1+22:00:15, xdelay=00:00:00, mailer=local, pri=3811249, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
May 30 11:21:18 admin1 sendmail[26480]: k4TKH3kx011932: to=<admin1@mydomain.com>, ctladdr=<admin1@mydomain.com> (502/502), delay=20:04:15, xdelay=00:00:00, mailer=local, pri=1651245, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
May 30 11:21:18 admin1 sendmail[7143]: k4SIM4s9000673: to=<admin1@mydomain.com>, ctladdr=<admin1@mydomain.com> (502/502), delay=1+21:59:14, xdelay=00:00:00, mailer=local, pri=3811249, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
May 30 11:21:18 admin1 sendmail[26480]: k4TKI2kx012760: to=<admin1@mydomain.com>, ctladdr=<admin1@mydomain.com> (502/502), delay=20:03:16, xdelay=00:00:00, mailer=local, pri=1651245, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
May 30 11:21:18 admin1 sendmail[7143]: k4SIN3s9001659: to=<admin1@mydomain.com>, ctladdr=<admin1@mydomain.com> (502/502), delay=1+21:58:15, xdelay=00:00:00, mailer=local, pri=3811249, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
May 30 11:21:19 admin1 sendmail[26480]: k4TKJ4kx013715: to=<admin1@mydomain.com>, ctladdr=<admin1@mydomain.com> (502/502), delay=20:02:15, xdelay=00:00:01, mailer=local, pri=1651245, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
May 30 11:21:19 admin1 sendmail[7143]: k4SIO3s9002758: to=<admin1@mydomain.com>, ctladdr=<admin1@mydomain.com> (502/502), delay=1+21:57:16, xdelay=00:00:00, mailer=local, pri=3811249, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
May 30 11:21:19 admin1 sendmail[26480]: k4TKK7kx014629: to=<admin1@mydomain.com>, ctladdr=<admin1@mydomain.com> (502/502), delay=20:01:12, xdelay=00:00:00, mailer=local, pri=1651245, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL

# pstree -p -u -a

|-sendmail,20379
|-sendmail,720
| |-sendmail,14433
| |-sendmail,7143
| | `-procmail,27401,admin1 -f admin1@mydomain.com -t -Y -a -d admin1
| |-sendmail,26480
| | `-procmail,27378,admin1 -f MAILER-DAEMON@mydomain.com -t -Y -a -d admin1
| `-sendmail,16907
| `-procmail,27380,admin1 -f MAILER-DAEMON@mydomain.com -t -Y -a -d admin1
|-sendmail,729,smmsp
|-snmpd,669 -Lsd -Lf /dev/null -p /var/run/snmpd -a
|-spamd,644

# find / -name '.forward' -exec cat {} \; -print

/backup/local/synk/home/virtual/site1/fst/home/jere/.forward
user1@mydomain.com
/backup/local/synk/home/virtual/site1/fst/home/admin/.forward
user1@mydomain.com
/backup/local/synk/home/virtual/site1/fst/home/mydomain/.forward
user1@mydomain.com
/backup/local/synk/home/virtual/site3/fst/home/mydomain_2/.forward
support.mailbox@mydomain_2.com, support.check@mydomain_2.com
/backup/local/synk/home/virtual/site3/fst/home/support/.forward
user1@mydomain.com
/backup/local/synk/home/virtual/site6/fst/home/fsc/.forward
user2@mydomain.com
/backup/local/synk/home/virtual/site6/fst/home/mydomain/.forward
j@i6cp.net <-- unknown address
/backup/local/synk/home/virtual/site6/fst/home/test/.forward

/backup/local/synk/home/virtual/site7/fst/home/lists/.forward
user1@mydomain.com
/home/virtual/site1/fst/home/admin/.forward
user1@mydomain.com
/home/virtual/site1/fst/home/mydomain/.forward

/home/virtual/site1/fst/home/jere/.forward
user1@mydomain.com
/home/virtual/site3/fst/home/mydomain_2/.forward
support.mailbox@mydomain_2.com, support.check@mydomain_2.com
/home/virtual/site3/fst/home/support/.forward
user2@mydomain.com
/home/virtual/site6/fst/home/mydomain/.forward
j@i6cp.net <-- unknown address
/home/virtual/site6/fst/home/test/.forward
user1@mydomain.com
/home/virtual/site6/fst/home/fsc/.forward

/home/virtual/site7/fst/home/lists/.forward

If I am being hacked, is the email I marked as an unknown address the culprit? I am also curious how someone could abuse putting their own address in a .forward file. Please help..
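As an added triage example (not part of the post and not a reply from the forum), this Python script checks the two things the output above shows: maillog lines where a user's mail to itself keeps being deferred on procmail EX_TEMPFAIL, and .forward entries that deliver outside the server's own domains or are not plain addresses. The log lines and .forward contents are constructed from the post's output, and LOCAL_DOMAINS is an assumption about which domains this host serves.

```python
import re

# Constructed sample log, modelled on the lines quoted in the post (not real data).
MAILLOG = """\
May 30 11:21:18 admin1 sendmail[7143]: k4SIL3s9032123: to=<admin1@mydomain.com>, ctladdr=<admin1@mydomain.com> (502/502), delay=1+22:00:15, xdelay=00:00:00, mailer=local, pri=3811249, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
May 30 11:21:18 admin1 sendmail[26480]: k4TKH3kx011932: to=<admin1@mydomain.com>, ctladdr=<admin1@mydomain.com> (502/502), delay=20:04:15, xdelay=00:00:00, mailer=local, pri=1651245, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
May 30 11:21:20 admin1 sendmail[26480]: k4TKQ1kx015000: to=<user1@mydomain.com>, ctladdr=<jere@mydomain.com> (503/503), delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30000, dsn=2.0.0, stat=Sent
"""
# Constructed stand-in for the contents of the .forward files the post's find command listed.
FORWARD_FILES = {
    "/home/virtual/site6/fst/home/mydomain/.forward": "j@i6cp.net\n",
    "/home/virtual/site1/fst/home/jere/.forward": "user1@mydomain.com\n",
    "/home/virtual/site3/fst/home/mydomain_2/.forward":
        "support.mailbox@mydomain_2.com, support.check@mydomain_2.com\n",
    "/home/virtual/site6/fst/home/fsc/.forward": "",
}
LOCAL_DOMAINS = {"mydomain.com", "mydomain_2.com"}  # assumption: domains this host serves

LOG_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): to=<(?P<to>[^>]*)>, "
    r"ctladdr=<(?P<ctl>[^>]*)>.*?stat=(?P<stat>.*)$")

def deferred_self_loops(log_text):
    """Map queue id -> (pid, address) for messages a user sends to itself that
    keep being deferred because procmail exits EX_TEMPFAIL (the post's pattern)."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["to"] == m["ctl"] and "EX_TEMPFAIL" in m["stat"]:
            hits[m["qid"]] = (int(m["pid"]), m["to"])
    return hits

def suspicious_forwards(forward_files, local_domains):
    """Map .forward path -> entries that leave the local domains or are not plain
    addresses (pipes, :include: lines), which an admin should review by hand."""
    flagged = {}
    for path, content in forward_files.items():
        entries = [e.strip() for e in re.split(r"[,\n]", content) if e.strip()]
        bad = [e for e in entries
               if "@" not in e or e.rsplit("@", 1)[1].lower() not in local_domains]
        if bad:
            flagged[path] = bad
    return flagged

if __name__ == "__main__":
    for qid, (pid, addr) in deferred_self_loops(MAILLOG).items():
        print(f"stuck self-delivery {qid} via sendmail[{pid}] for {addr}")
    for path, entries in suspicious_forwards(FORWARD_FILES, LOCAL_DOMAINS).items():
        print(f"review {path}: {entries}")
```

On a real host, read the .forward files into the dictionary and feed the actual /var/log/maillog text to deferred_self_loops; a queue id that stays in the result across runs is a message that will never leave the queue until the procmail failure is fixed.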

Comments: 0 (no comments yet)
