  1. #1

    Mail log gets weird -- Is it DDoS?

    Hi,

    My mail logs are getting weird. Kindly find some samples below:

    2013-10-30 01:02:12 SMTP connection from [86.97.167.249]:53207 I=[my server ip]:25 (TCP/IP connection count = 2)
    2013-10-30 01:02:15 SMTP connection from [120.61.201.10]:22402 I=[my server ip]:25 (TCP/IP connection count = 3)
    2013-10-30 01:02:16 SMTP syntax error in "\206\356\2451\005\306\211\254\371p\3719\360\0033\261\303f\363<\35368?\336)\243?\233\020eBNLdD\255\017\022GI\330BH&\237\362Is\004" H=triband-mum-120.61.201.10.mtnl.net.in [120.61.201.10]:22402 I=[my server ip]:25 unrecognized command
    2013-10-30 01:02:16 SMTP syntax error in "KV\305\267M\357|zO\264\206'Q=\205tR\336\353\214T\027C\216U"2\030\317\224\313jZT\374\264[\272\264\343^\342\266^`4\024\363b,\331.\335u\215\342g\247-1j \356p\3428Q\221\343\246R \360\375\260\313q\353\251\311r\322\377\330w<\222\367y;\306U|\305C\031~\256\261\270\177\301\005F\201d@\032\202\362\324\374\203\2533\223\205\026&\210\20 6\210.\217\207\254\260\204\211dT\325\222Q\037\006\214q\254\346\216\017r\025\221\223j\021\223}\227\332\224\215\376\357\226\205\211\322\230;\0366\232\26 7\255\026\240\256\203%\237\006\v\253\237\237m\302\240#j\300\241(\311\325\243\340]9\245\325\360\033\247\\376\365\035\037\347X\252\336\342\023\253Ry\370\254\362:%\257\v\232:\261E\025\253\265\307\021\251\266\222r?\270\006\030\021\271u >j\272>\251\265\273c" H=triband-mum-120.61.201.10.mtnl.net.in [120.61.201.10]:22402 I=[my server ip]:25 unrecognized command
    2013-10-30 01:02:16 SMTP syntax error in "\210\276\374\301\266\300\3167\342\301\273\207d\[email protected]<_\332\304\305\006\033\302\306\305\245\263?\326\233\257A\247q\321\3131n\317\314Y\356C\317\217\17 7\245\321\354\370AR\274Y\330S\203]QWF\250\320\330\241r\202\331\241\031\247R,\211\262\235\350}=\343\216\035"\343\240|7\345c\252\376]\341\367\247\351\253g+\353r[\244\356\344\237:d8b\276\257V\252\265\3638\324\367\367\342\002B\371\220Y\330\373\367\264\353\376G\322\232u\221z\032\001w\331\254x\325\363\236\321}\316 #\bf\251\236~\326\f\266\177\342\212\230\201f\207\313\rV\375,\204\002\037G\321\2323q\025\341-\356\026yd\267\027g\212|\033\336\257\306\035k\006<\036\340\234 \0374\006W"\017>\241"\270\262\213\233\326\326\325\234\263\370\311'\303\263\370*\277\343\275-\212\241m0\254\006\004\246\304Z\307\374\207\32023v\322r\255\310\017\001\261\022D\316\262\275rM?\277kIA\4zB.$vE\376\204\fG\251\035\355H\335<\026J\322?5 L>\344u\303r\177\023\305\251\007\272\307KY\016\310e\311 \324\300\243\322\324\233\307\034\315\005\353OW\273\177\263X\021\326C]\356\234\363^\330\311\274`g,\324a\334\302\270b\205\361\002d. Me"\201\343f\317\341yh\236B\020j{ \300km\006\276l\277?;n'1\006o\226b+\350>\217\364\351\314\353.tE{\017wz\2328x\220\265\237\357\250\347\266\373\f\021\200\364\352\032.\2026\037\253\202Aw A\205m\276\372\375\222\345 \210g<\353\210Q\325\252\001\320\302R\006\324"7\b\263\022\363\007\330\343\210\223t\254\271\224\340\325\243\016|\236\261\230\200\227\255\232{\323\211\03 61\270\357\237\300\032\007\241\252G\320\242Q\007\001\245\277\237\341\246\250\314\252\250\250\332\230!l\215\241\255r\271\037\256zl\333'w\261u(m\237\025 \264g\330\340\263w7\366\265" H=triband-mum-120.61.201.10.mtnl.net.in [120.61.201.10]:22402 I=[my server ip]:25 NULL character(s) present (shown as '?')
    2013-10-30 01:02:18 SMTP connection from ([10.0.1.6]) [96.51.193.247]:45988 I=[my server ip]:25 closed by QUIT
    2013-10-30 01:02:18 SMTP connection from [94.75.244.176]:59362 I=[my server ip]:25 (TCP/IP connection count = 3)
    2013-10-30 01:02:21 1VbNv9-0005w6-Uw
    2013-10-30 01:02:25 SMTP syntax error in "\312\371\274r\344\305\357rT\225\266\352\2253't\272\221"s\215\357\317\352 _D\351\307\367;sxapt\324]pt$_pt\324]Us\004^Us$_pt~\371\316sn+\243t\316 \317s\025*\210s\356)\210s>+\243tY*\210s\343\337\302th\352Pus\366\272sJ\366\272sL\366\272s\255+\033t/(\007t\002\206\264\353Z\365(\352/(\007t2(\007w|\315>u\351\216 !<\216 t\204\272`t<\216 t\274\216 t(\270at\217\265 \350\311\036]ud\300lt\373\351\255tm\300lto\300ltX.\244ue\224\275u`\224\275u\212\362\270t\227X\322t\032\255w\340\244\276\353t\246\276\353t\274\004n\352\225\031\233v \306\005\257\354\244Q\036u\257$\005u\204\202\262\354\236\345\313\354\322\214\036u\336\214\036u\240\222<v\236\222<v\313\3607u\371\276ju\345\274\353\352 \355\274ju\212\362\312u\212\362\312u\205\362\312u\377\210\235u\322\346Jv\f\357\367u \361\266v\234\342LwN\033\367u Kfw\3304[\341*\253\177w$\273\351u\322\257\177w'\273\351u\246\377\216\3534!\003v3!\204\353\033)!w\304{\262w\267\214\263\353\200\214\303\353 \342\313w\333" H=[41.76.168.10]:47937 I=[my server ip]:25 unrecognized command



    I receive this while I tail the mail log: #tail -f /var/log/exim_mainlog
    This is a web hosting server running CentOS. We use Exim. Is this part of a DDoS attack? I have checked and confirmed that the IPs change every time. I had contacted the DC, but their DDoS protection IP filtering is something that I cannot afford now. Now I created a cron job to execute the following command
    netstat -an | grep :25 | grep 'TIME_WAIT' | sort | awk '{print$5}' | awk -F ":" '{print $1}' | grep -v 0.0.0.0 | grep -v 127.0.0.1 |xargs -I {} csf -d {}
    But I know this is not going to help as the IPs change every second. Any advice to stop this...

  2. #2
    Join Date
    Dec 2011
    Location
    Tulsa, OK
    Posts
    353
    Looks like someone is opening a couple of connections at a time and initiating a bunch of random commands on your server. For now drop all traffic on 25 and secure your server. What mail server are you running (postfix/exim/sendmail)?

    Are any other services being affected?
    OCOSA Communications | Since 2003
    http://www.ocosa.com
    Hosting, Connectivity, Professional Services

  3. #3
    It's more of a hacking attempt I think.
    If it was DDoS - it would take your "mail server" down completely.

  4. #4
    Thanks for the update
    We are using Exim as the mail service. The service is up and running fine. Is there any possible way to fix this?

  5. #5
    Join Date
    Feb 2012
    Posts
    238
    Hi,

    As @ocosa said "For now drop all traffic on 25 and secure your server."
    Implement a firewall for port filtering: CSF, Fail2Ban.
    WEBUZO - Single User Control Panel for your VPS/Cloud/Server (CentOS/Ubuntu)
    Install NGINX, Apache, MySQL, LAMP, LEMP, PHP, Java and 310+ popular scripts by a CLICK
    Email Server, Database Management, Domain Management, FTP Management, CSF, CRON

  6. #6
    We have CSF installed already....
    We tried dropping port 25.. The attack stopped for the time being.. But as soon as we re-enabled the port the attack restarted.
    This is a web hosting server.. So dropping port 25 permanently is something that is not possible.

  7. #7
    Is there any way I could filter these logs out of the log file, although it's not the correct resolution for the issue?

  8. #8
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,948
    Code:
    # exigrep "syntax" /var/log/exim_rejectlog /var/log/exim_mainlog | grep "error" | less
    ^^ this will at least give you a chance to filter out the legits and focus more on the errors you've been receiving lately.

    This almost reminds me of what happens when SAV is enabled and got hit with a bunch of bounces/deflects, creating backscatter. Do you have "Sender Verification Callouts" (a bit different from the standard "Sender Verification") enabled in your Exim configs?

    You can configure CSF to permblock an I.P. after a certain amount of errors. You can also set CSF to send an X-ARF (Abuse Reporting Format) report to the email of your choice when the flag is triggered.

    I've included the area of csf.conf to enable X-ARF as well as an example I got last night.

    Code:
    # sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
    X_ARF = "1"
    X_ARF_FROM = "[email protected]"
    X_ARF_TO = "[email protected]"


    Example:

    The IP address 94.197.120.21 (GB/United Kingdom/94.197.120.21.threembb.co.uk) was found attacking eximsyntax on xenotron.***.com 1 times in the last 3600 seconds.

    Attached is an X-ARF report (see http://www.x-arf.org/specification.html) and the original log report that triggered this block.


    Reported-From: [email protected]***.com
    Report-ID: [email protected]***.com
    Category: abuse
    Report-Type: login-attack
    Service: eximsyntax
    User-Agent: csf v6.36
    Date: 2013-11-01T15:42:58-0700
    Source: 94.197.120.21
    Source-Type: IPv4
    Attachment: text/plain
    Schema-URL: http://www.x-arf.org/schema/abuse_lo...ack_0.1.0.json


    2013-11-01 15:42:55 SMTP call from 94.197.120.21.threembb.co.uk [94.197.120.21]:47710 dropped: too many syntax or protocol errors (last command was "?g?k?3?9???1??????xenotron.***.com?")


    | John Edel Jetfire Networks L.L.C. Trusted Hosting Solutions
    | Consistent, Reliable, Stable OpenVZ & KVM Virtual Private Servers
    | SpamWall AV & Full SMTP Filtering
    Now an SSLStore Titanium Partner!
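    A small detector for the behaviour described in post #8 (block an IP once it has produced a given number of Exim syntax errors inside a time window), written as an added example for this thread rather than CSF's own logic. The log layout is taken from the excerpts quoted above; the hostnames, the TEST-NET client addresses and the 198.51.100.7 server address in the sample are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Two line shapes seen in the thread's excerpts (the regexes assume this layout, not Exim's full grammar):
#   <ts> SMTP syntax error in "<junk>" H=<host> [<ip>]:<port> I=[<srv>]:25 unrecognized command
#   <ts> SMTP call from <host> [<ip>]:<port> dropped: too many syntax or protocol errors ...
TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP ')
ERR_RE = re.compile(r'SMTP (?:syntax error in |call from .* dropped: too many syntax or protocol errors)')
IP_RE = re.compile(r'(?:H=|call from )(?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]:\d+')

def parse_event(line):
    """Return (timestamp, client_ip) for a syntax-error line, or None for any other line."""
    m_ts = TS_RE.match(line)
    if not m_ts or not ERR_RE.search(line):
        return None
    m_ip = IP_RE.search(line)
    if not m_ip:
        return None
    return datetime.strptime(m_ts.group(1), "%Y-%m-%d %H:%M:%S"), m_ip.group(1)

def offenders(lines, limit=3, window_sec=3600):
    """IPs that reach `limit` syntax errors inside a rolling window of `window_sec` seconds.
    Errors older than the window are forgotten, so a slow trickle never triggers a block."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, ip = ev
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_sec:
            q.popleft()
        if len(q) >= limit:
            flagged.add(ip)
    return sorted(flagged)   # e.g. feed to: xargs -I {} csf -d {}

# Constructed sample in the thread's log layout using TEST-NET addresses (not real traffic).
SAMPLE_LOG = """\
2013-10-30 01:02:16 SMTP syntax error in "\\206\\356\\245" H=host-a.example.net [203.0.113.10]:22402 I=[198.51.100.7]:25 unrecognized command
2013-10-30 01:02:16 SMTP syntax error in "KV\\305\\267" H=host-a.example.net [203.0.113.10]:22402 I=[198.51.100.7]:25 unrecognized command
2013-10-30 01:02:17 SMTP syntax error in "\\210\\276" H=host-a.example.net [203.0.113.10]:22402 I=[198.51.100.7]:25 NULL character(s) present (shown as '?')
2013-10-30 01:02:25 SMTP syntax error in "\\312\\371" H=[203.0.113.20]:47937 I=[198.51.100.7]:25 unrecognized command
2013-10-30 02:10:00 SMTP syntax error in "\\374\\264" H=[203.0.113.20]:47940 I=[198.51.100.7]:25 unrecognized command
2013-10-30 02:30:00 SMTP syntax error in "\\342\\266" H=[203.0.113.20]:47951 I=[198.51.100.7]:25 unrecognized command
2013-10-30 02:40:00 SMTP call from host-c.example.net [203.0.113.30]:47710 dropped: too many syntax or protocol errors (last command was "?g?k")
"""
```

    With the defaults only 203.0.113.10 is flagged: 203.0.113.20 has three errors, but the first falls outside the hour window by the time the third arrives, which is the difference between a burst and a stray client.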

  9. #9

    Is that software?

    Let me know if I can download the log file of my emails?

  10. #10
    I am not sure what you are looking for.
    You could find the mail log at /var/log/exim_mainlog for exim.
    You could grep with the required mail id:
    grep '<mail id>' /var/log/exim_mainlog

    Sorry if you were not looking for this

    Regards,

  11. #11
    Join Date
    Dec 2009
    Posts
    58
    I'm getting hit with a similar attack right now. Definitely have seen an increase in distributed attacks lately. There are some large botnets out there. They aren't denial of service (though this exim attack is significantly increasing my server load) but for a month now I've been experiencing a distributed POST flood that doesn't let up. This exim attack is yet another distributed attack.

  12. #12
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,948
    How often do those messages repeat? It's been a while since I've seen one but there were a few times that I'd send an email from my smartphone (blackberry at the time) and I'd get encrypted syntax errors in my exim log like that. There may be something to change in your mail server configs. Have you made any specific adjustments to the Exim configuration?

  13. #13
    Join Date
    Dec 2009
    Posts
    58
    For me I was getting them every few seconds.

  14. #14
    Quote Originally Posted by jfnllc:
    How often do those messages repeat? It's been a while since I've seen one but there were a few times that I'd send an email from my smartphone (blackberry at the time) and I'd get encrypted syntax errors in my exim log like that. There may be something to change in your mail server configs. Have you made any specific adjustments to the Exim configuration?

    No recent changes have been made to the exim configuration file. We had it configured by cPanel. The logs are repeating within seconds.

  15. #15
    Now I think the attackers are into the act.. I now need about 20 minutes for logging into the server. The server load seems to be normal, but an ssh login takes about 20 minutes.

  16. #16
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,948
    I suppose you could stop Exim once you've logged in and see if things stabilize. I'd be cranking up the firewall then, to block the IPs with the cryptic syntax and send an X-ARF like I mentioned in my example. Should at least then start to filter out. You could also kick it up to cPanel support and see what they have to say.
